[LINK] Secure DNS

Carl Makin carl at stagecraft.cx
Tue Jan 14 12:39:27 AEDT 2020


Hi David,

> On 14 Jan 2020, at 9:58 am, David <dlochrin at aussiebb.com.au> wrote:
> 
> Mozilla now have a form of secure DNS in Firefox which can be enabled from Preferences > General > Network Settings.  This works by encapsulating DNS queries in HTTPS ("DOH"), and it's intended to provide privacy by making it impossible for ISPs & others to monitor and sell their customers' browsing patterns.  There's a move to make it the Firefox default.
> ...
> It obviously requires a DNS server which supports DOH.  The default is one by Cloudflare in San Francisco who are said to have an agreement with Mozilla which bans monitoring.  In mode-3 DOH also requires a "bootstrap" DNS server to look up Cloudflare.
> 
> However DOH only seems to work with the Cloudflare server, and in mode-3 it only works with a bootstrap server having the odd IP address 1.1.1.1.

1.1.1.1 doesn’t get sent to a single location.  It’s distributed around the world and when you access 1.1.1.1 your requests are routed to the closest one (closest network wise).  In my case 1.1.1.1 is answered by a host in Sydney.

> Does anyone know anything about this?  There are many DOH servers around the world, for example <doh.securedns.eu> so DOH isn't new, and there's also DNS-over-TLS which seems more elegant.

DOH gets through most proxy servers unless they have been specifically configured to block it.  DNS over TLS is often blocked by firewalls and is mainly useful for DNS server to DNS server requests.

> Do the spooks have a hand in all this?

Who knows?  The impetus for DOH is to fight against ISPs and such monitoring, logging and selling your DNS requests.  It also helps against ISPs altering DNS responses to route your requests through their servers (perhaps to insert ads).  I doubt it will affect spooks much.


Carl.
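As an added illustration of the "DNS query encapsulated in HTTPS" mechanism discussed in this thread (this is not code from the posters or from any DoH project): a minimal RFC 8484 client in Python that builds the DNS wire-format query, places it base64url-encoded in the `dns=` parameter of a GET, and parses the `application/dns-message` reply. The resolver URL is an assumption, and `SAMPLE_RESPONSE` is a constructed reply so the parsing runs offline; on the wire, an observer or proxy sees only a TLS session to the resolver host, which is why DoH passes unless that host is blocked by name.

```python
import base64
import struct
import urllib.request  # only doh_lookup() touches the network
def build_query(name: str, qtype: int = 1) -> bytes:
    # RFC 1035 query with RD set; txid 0 as RFC 8484 suggests, so equal questions give equal, cacheable URLs
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
def doh_get_url(resolver_url: str, query: bytes) -> str:
    # RFC 8484 GET form: the DNS message goes base64url-encoded, unpadded, in ?dns=
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()
def _read_name(msg: bytes, off: int):
    # decode a possibly compressed name; return (name, offset just past it in the record)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)
def parse_a_records(msg: bytes) -> list:
    # pull the IPv4 answers out of an application/dns-message body
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs
def doh_lookup(name: str, resolver_url: str = "https://cloudflare-dns.com/dns-query") -> list:
    # live lookup over HTTPS; the resolver URL is an assumption, not taken from the thread
    req = urllib.request.Request(doh_get_url(resolver_url, build_query(name)), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())
# Constructed reply: question echoed, one A record whose owner is a compression pointer to offset 12 (192.0.2.1 is documentation space)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

`doh_get_url` reproduces the URL given as the GET example in RFC 8484 for `www.example.com`, which is a quick way to check the encoding.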