[LINK] This incredibly simple privacy app helps protect your phone from snoops with one click
Hamish Moffatt
hamish at moffatt.email
Wed Nov 14 14:09:42 AEDT 2018
On 13/11/18 8:42 pm, Kim Holburn wrote:
>> On 2018/Nov/13, at 5:55 pm, Hamish Moffatt <hamish at moffatt.email> wrote:
>>
>>
>>
>> DNSSEC proves that the answer has not been tampered with. It does not prevent eavesdropping, but DNS over HTTPS or DNS over TLS do.
> Yes, and neither of these have been rolled out to retail or domestic systems. They are both difficult to actually use. Also probably not everyone has a certificate for their DNS, so I'm not sure of the coverage of DNSSEC.
>
> And governments are systematically poisoning local DNS servers.
>
For clients, if you use 1.1.1.1 for your DNS servers then you have
DNSSEC validation. Easy. That same service also supports DNS over HTTPS,
but client support for that is not widespread. It's going to be in
Firefox soon though, if it isn't already.

For domains, DNSSEC seems a bit harder unfortunately because lots of the
big DNS hosts don't support it, like Amazon Route53. APNIC have some
interesting posts on the topic, including

https://blog.apnic.net/2017/06/28/isnt-everyone-using-dnssec/
https://blog.apnic.net/2017/12/06/dnssec-deployment-remains-low/

You also need encrypted SNI, which is almost non-existent so far.
https://encryptedsni.com has some interesting test tools.
Hamish
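
How a client can tell whether a validating resolver (such as the 1.1.1.1 service mentioned above) checked DNSSEC for an answer, as an added example that is not part of the original message: the query sets the EDNS0 DO bit and the response header's AD bit and RCODE are inspected. The sample responses are constructed header-only messages, and the function names are illustrative.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, RD, AD, CD = 0x8000, 0x0100, 0x0020, 0x0010

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: root owner, type 41, class = UDP payload size,
    # TTL field = ext-rcode | version | flags, where 0x8000 is the DO bit.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_flags(msg):
    """Decode the fields of the 12-byte header that matter for validation."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"txid": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def classify(msg, txid):
    """Summarise what the resolver is claiming about DNSSEC status."""
    f = parse_flags(msg)
    if not f["qr"] or f["txid"] != txid:
        return "not-a-matching-response"
    if f["rcode"] == 2:
        return "servfail"        # validating resolvers answer SERVFAIL for bogus data
    if f["rcode"] in (0, 3) and f["ad"]:
        return "validated"       # resolver asserts the answer/denial passed validation
    if f["rcode"] in (0, 3):
        return "unvalidated"     # unsigned zone, or the resolver does not validate
    return "rcode-%d" % f["rcode"]

# Constructed header-only responses (all counts zero) for the three cases.
SIGNED   = struct.pack("!HHHHHH", 0x1234, 0x81A0, 0, 0, 0, 0)  # QR|RD|RA|AD
UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 0, 0, 0, 0)  # QR|RD|RA
BOGUS    = struct.pack("!HHHHHH", 0x1234, 0x8182, 0, 0, 0, 0)  # RCODE=SERVFAIL

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query")
    for label, msg in (("signed", SIGNED), ("unsigned", UNSIGNED), ("bogus", BOGUS)):
        print(label, "->", classify(msg, 0x1234))
```

The AD bit is only the resolver's assertion, carried over whatever transport the query used; over plain UDP it can be altered in transit, which is the gap DNS over TLS or DNS over HTTPS closes.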