So, I read some articles on DOH and looks like the whole thing is a myth and doesn’t really help in enhancing user privacy and security. Even if the DNS requests are encrypted, the ISP will still be able to track you.
What are your thoughts?
So, I read some articles on DOH and looks like the whole thing is a myth and doesn’t really help in enhancing user privacy and security. Even if the DNS requests are encrypted, the ISP will still be able to track you.
What are your thoughts?
If you’re looking for an anti-tampering mechanism, DNSSEC signatures is what you’re looking for. DNS Over HTTPS establishes a “reasonably-secure” [1] connection to the DNS resolver. Not accounting for [1], that resolver (Cloudflare or other) can still lie to you consciously, or propagate unconsciously a malicious answer it received, because recursive resolution (i believe) still has no standard for secure transport: DNS over TLS is slowly getting traction, but it’s far from deployed on every primary nameserver.
[1] HTTPS is somewhat-secure because it’s an effective defense against script kiddies and malicious ISPs. However, it’s a very weak threat model where dozens of actors (the Certificate Authorities) can impersonate (almost) any server. And they do just that. It’s crazy how many CAs over the years have been caught misbehaving, often with little consequence except in the most egregious cases where Mozilla/Google pushed for their revocation as part of BrowserCA.
deleted by creator
It depends on your actual setup. If you operate your own network, DNSSEC validation will probably happen on your local DNS resolver (usually on your router). But also your forwarding/stub resolvers running on your own machine could (should?!) validate DNSSEC signatures… i’m not sure what the default is on most systems, though.
deleted by creator