[LINK] Secure DNS
Kim Holburn
kim at holburn.net
Tue Jan 14 16:58:10 AEDT 2020
Geoff Huston has an interesting article about the subject which is worth a read:
https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
> On 2020/Jan/14, at 4:01 pm, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:
>
> David,
>
> On Tue, 14 Jan 2020 at 10:08, David <dlochrin at aussiebb.com.au> wrote:
>>
>> Does anyone know anything about this? There are many DOH servers around the world, for example <doh.securedns.eu> so DOH isn't new, and there's also DNS-over-TLS which seems more elegant.
DOT may be more elegant, but in some countries, possibly ours, people monitoring the network would be able to block your DNS queries. DOH makes that harder to do. Ultimately DNS itself is not elegant or secure.
>> Do the spooks have a hand in all this?
Interference in DNS by governments and monitoring by ISPs set this off. In our country, I would expect that it is part of the metadata that ISPs are supposed to store for government departments and possibly even local councils to peruse. ISPs can also sell this data.
Many people don't trust local ISP DNS servers for a number of reasons. They already use remote DNS servers. That traffic is in the clear and subject to monitoring and interference. If you are already using a remote DNS server, DOH makes the traffic unreadable and not subject to alteration.
> Paul Vixie recommends Quad9 i.e.
> https://www.cyberscoop.com/quad9-dns-service-global-cyber-alliance/
>
> He stopped using Mozilla/Firefox as a result of DOH i.e.
> https://twitter.com/paulvixie/status/1198013742493028353
Mozilla just moved first on this. Operating systems have been dragging their feet on this issue.
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
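To make the DOT/DOH distinction in the reply above concrete, here is an added example (not from the list post or from any resolver project) of what a DOH client actually sends: the DNS message is the ordinary RFC 1035 wire format, and RFC 8484 simply base64url-encodes it into an HTTPS GET on port 443, so nothing at the port level separates it from other web traffic, unlike DOT on its own port 853. The resolver URL is a hypothetical placeholder; the www.example.com encoding matches the worked example in RFC 8484.

```python
import base64
import struct
from typing import Dict, Tuple

# Hypothetical resolver endpoint used only for this illustration.
DOH_RESOLVER = "https://doh.example/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query (qtype 1 = A, class IN).
    RFC 8484 suggests transaction id 0 so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_request(query: bytes, base_url: str = DOH_RESOLVER) -> Tuple[str, Dict[str, str]]:
    """RFC 8484 GET form: base64url without padding in the dns= parameter,
    plus the media type header a DOH server expects."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}", {"Accept": "application/dns-message"}


def decode_dns_param(param: str) -> bytes:
    """What the resolver does: restore padding and recover the wire message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Read the question name and type back out of a wire-format message,
    showing the payload is plain DNS regardless of the transport."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


if __name__ == "__main__":
    url, headers = doh_get_request(build_dns_query("www.example.com"))
    print(url)      # ...?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
    print(headers)
```

A DOT client would send exactly the same 33 bytes, length-prefixed, inside a TLS session to port 853, which is why a port-based block catches DOT but not DOH.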