[LINK] Secure DNS

Kim Holburn kim at holburn.net
Tue Jan 14 10:20:16 AEDT 2020


Last time I looked at it, the problem I noted was that you seem to only be able to specify one server, unlike normal DNS where you can specify several.  It was a little tricky to set up.

There are public DoH servers here:
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

You have to specify a URL rather than just a host.

Google would like you to send all your DNS requests to them, but then so would your ISP and the Australian security services would prefer you use your ISP too.  Just saying.


> On 2020/Jan/14, at 9:58 am, David <dlochrin at aussiebb.com.au> wrote:
> 
> Back on-topic, I don't know whether the following is of any interest or not.
> 
> Mozilla now have a form of secure DNS in Firefox which can be enabled from Preferences > General > Network Settings.  This works by encapsulating DNS queries in HTTPS ("DOH"), and it's intended to provide privacy by making it impossible for ISPs & others to monitor and sell their customers' browsing patterns.  There's a move to make it the Firefox default.
> 
> It has three modes, mode-2 uses DOH if possible, otherwise reverting to normal DNS, and mode-3 only uses DOH.
> 
> It obviously requires a DNS server which supports DOH.  The default is one by Cloudflare in San Francisco who are said to have an agreement with Mozilla which bans monitoring.  In mode-3 DOH also requires a "bootstrap" DNS server to look up Cloudflare.
> 
> However DOH only seems to work with the Cloudflare server, and in mode-3 it only works with a bootstrap server having the odd IP address 1.1.1.1.
> 
> Looking up 1.1.1.1 in the APNIC 'whois' reveals the subnet 1.1.1.0-255 is assigned to the "APNIC and Cloudflare DNS Resolver project"
> Routed globally by AS13335/Cloudflare
> Research prefix for APNIC Labs
> 6 Cordelia Street
> Brisbane
> 
> Does anyone know anything about this?  There are many DOH servers around the world, for example <doh.securedns.eu> so DOH isn't new, and there's also DNS-over-TLS which seems more elegant.
> 
> Do the spooks have a hand in all this?
> 
> David L.
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 
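To make concrete what "encapsulating DNS queries in HTTPS" and "you have to specify a URL rather than just a host" mean on the wire, here is an added example (not from either poster) that builds an RFC 8484 DoH GET URL from a plain DNS query and parses a constructed application/dns-message response. The server URL https://doh.example/dns-query is a placeholder, and the sample response is constructed, not captured from any resolver.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035). ID is 0, as RFC 8484 suggests, so DoH responses cache well."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(server_url: str, query: bytes) -> str:
    """Embed the query in an RFC 8484 GET URL: base64url without padding, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server_url}{'&' if urlparse(server_url).query else '?'}dns={encoded}"

def doh_decode_param(url: str) -> bytes:
    """Reverse of doh_get_url; what the resolver (or an inspecting proxy) does with the URL."""
    param = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a domain name: plain labels or a 2-byte compression pointer."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_a_answers(msg: bytes) -> list:
    """IPv4 addresses in the answer section of an application/dns-message; [] on error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE != 0 (NXDOMAIN, SERVFAIL, ...)
        return []
    pos = 12
    for _ in range(qd):  # skip the echoed question(s)
        pos = _skip_name(msg, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers
# Constructed sample response (not captured from a real resolver): example.com A 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, RCODE=0
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

Because the query travels as an opaque parameter inside a TLS session, nothing on the path between the browser and the DoH server sees the name being looked up; only the operator of that URL does, which is the trust decision both posts are about.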
