Archiv: DoH (DNS over HTTPS)


29.04.2022 - 21:08 [ Hackaday.com ]

DNS-over-HTTPS Is The Wrong Partial Solution

(October 21, 2019)

DoH not only encrypts the DNS request, but it also serves it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS. This is a double-edged sword. While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor DNS spoofing and it moves the responsibility for a critical networking function from the operating system into an application. It also doesn’t do anything to hide the IP address of the website that you just looked up — you still go to visit it, after all.

And in comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing.

02.04.2022 - 17:43 [ PrivateInternetAccess.com ]

Russia wants to outlaw TLS 1.3, ESNI, DNS over HTTPS, and DNS over TLS

(Sep 22, 2020)

The Russian Ministry of Digital Development, Communications, and Mass Media has released a draft law which outlines plans to outlaw TLS 1.3, ESNI, DNS over HTTPS, and DNS over TLS. The draft law (text in Russian) “bans the use of encryption protocols allowing for hiding the name (identifier) of a web page or Internet site on the territory of the Russian Federation.” This is supposed to help the Roskomnadzor in their job as Russia’s censor. If a site is found to be using these encryption tools, they can be blocked by the Roskmonadzor within a day. Meduza, reporting on the news noted:

04.09.2021 - 19:59 [ SimpleDNScrypt.org ]

Simple DNSCrypt

Simple DNSCrypt is a simple management tool to configure dscrypt-proxy on windows based systems.

04.09.2021 - 19:57 [ privacy-handbuch.de ]

DNS-Server

Folgende zensur-freien und vertrauenswürdigen DNS-Server mit No-Logging Policy, DNSSEC Validierung und Anti-Spoofing Schutz (Testseite) kann man als Alternative zu den Default DNS-Servern der Provider für diejenigen empfehlen, die wechseln möchten:

04.09.2021 - 19:46 [ SecurityMagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(February 6, 2020)

While both offer encryption of DNS data using the same TLS protocol, there are some very important differences:

– Protocol layering: while DoT is essentially DNS over TLS, DoH is in fact DNS over HTTP over TLS.
– Different port numbers: DoT traffic uses a dedicated port 853, and can thus be distinguished at the network layer. DoH uses port 443 (HTTPS) due to the protocol layering.
– Different capabilities: DoT is largely the same DNS as we know it, while DoH to an extent combines features of DNS and HTTP.

04.09.2021 - 19:45 [ vpn-anbieter-vergleich-test.de ]

Kostenlose DNS Server und Dienste (Übersicht & Liste, alle DNS)

Wir haben mehr als 50 DNS Server Anbieter getestet und stellen Dir diese Informationen detailliert zur Verfügung. Beachte auch unsere Tips und Hilfe bei der Verwendung.

30.07.2021 - 06:43 [ vpn-anbieter-vergleich-test.de ]

Kostenlose DNS Server und Dienste (Übersicht & Liste, alle DNS)

Wir haben mehr als 50 DNS Server Anbieter getestet und stellen Dir diese Informationen detailliert zur Verfügung. Beachte auch unsere Tips und Hilfe bei der Verwendung.

24.03.2021 - 16:22 [ SecurityMagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(February 6, 2020)

While both offer encryption of DNS data using the same TLS protocol, there are some very important differences:

– Protocol layering: while DoT is essentially DNS over TLS, DoH is in fact DNS over HTTP over TLS.
– Different port numbers: DoT traffic uses a dedicated port 853, and can thus be distinguished at the network layer. DoH uses port 443 (HTTPS) due to the protocol layering.
– Different capabilities: DoT is largely the same DNS as we know it, while DoH to an extent combines features of DNS and HTTP.

24.03.2021 - 15:19 [ HelpNetSecurity.com ]

TLS 1.3: Slow adoption of stronger web encryption is empowering the bad guys

(April 6, 2020)

Asymmetric encryption is used during the “handshake”, which takes place prior to any data being sent. The handshake determines which cipher suite to use for the session – in other words, the symmetric encryption type – so that both browser and server agree. The TLS 1.2 protocol took multiple round trips between client and server, while TLS 1.3 is a much smoother process that requires only one trip. This latency saving shaves milliseconds off each connection.

Another characteristic of TLS 1.3 is that it can operate alongside DNS over HTTPS (DoH).

18.01.2021 - 15:47 [ securitymagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(06.02.2020)

Obviously, time will tell if DoT continues to prevail or whether DoH will start to gain ground. As mentioned at the beginning of the article there is a hot debate going on right now about the direction the Internet industry should take. Suffice to say that even nation state authorities are involved in the debate, which speaks to the level and importance of the discussion.

18.01.2021 - 15:41 [ ZDNET.com ]

NSA warns against using DoH inside enterprise networks

The NSA urges companies to host their own DoH resolvers and avoid sending DNS traffic to third-parties.

18.01.2021 - 15:40 [ National Security Agency / Pentagon ]

Adopting Encrypted DNS in Enterprise Environments

Use of the Internet relies on translating domain names (like “nsa.gov”) to Internet Protocoladdresses. This is the job of the Domain Name System (DNS). In the past, DNS lookups were generally unencrypted, since they have to be handled by the network to direct traffic to the right locations. DNSover Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and “last mile” source authenticationwith a client’s DNS resolver. Itis useful to prevent eavesdropping and manipulationof DNStraffic.While DoH can help protectthe privacy of DNS requests and the integrity of responses, enterprises that use DoH will lose some of the control needed to govern DNS usage within their networksunless they allow only their chosen DoH resolver to be used.Enterprise DNS controlscan prevent numerous threat techniques used by cyber threat actors for initial access, command and control, and exfiltration.

27.11.2020 - 16:36 [ ZDNetcom ]

DNS-over-HTTPS causes more problems than it solves, experts say

(06.09.2020)

The response to DoH’s anointment as a major privacy-preserving solution has been downright acid, in some cases. Critics have taken a jab at the protocol on different plains, which we’ll try to organize and categorize below:

– DoH doesn’t actually prevent ISPs user tracking
– DoH creates havoc in the enterprise sector
– DoH weakens cyber-security
– DoH helps criminals
– DoH shouldn’t be recommended to dissidents
– DoH centralizes DNS traffic at a few DoH resolvers

27.11.2020 - 16:35 [ ZDNet.com ]

Mozilla enables DOH by default for all Firefox users in the US

(25.02.2020)

Circa 2015, engineers at Cloudflare and Mozilla joined forces to create DNS-over-HTTPS, as a way to hide DNS queries using encryption.

27.11.2020 - 16:28 [ securitymagazine.com ]

Disappearing DNS: DoT and DoH, Where one Letter Makes a Great Difference

(06.02.2020)

Obviously, time will tell if DoT continues to prevail or whether DoH will start to gain ground. As mentioned at the beginning of the article there is a hot debate going on right now about the direction the Internet industry should take. Suffice to say that even nation state authorities are involved in the debate, which speaks to the level and importance of the discussion.

12.11.2019 - 16:59 [ Techdirt ]

Mozilla: ISPs Are Lying About Encrypted DNS, Should Have Privacy Practices Investigated

The effort would effectively let Chrome and Mozilla users opt in to DNS encryption — making your browser data more secure from spying and monetization — assuming your DNS provider supports it. Needless to day, telecom giants that have made billions of dollars monetizing your every online behavior for decades now (and routinely lying about it) don’t much like that.

As a result, Comcast, AT&T, and others have been trying to demonize the Google and Mozilla efforts any way they can,

01.06.2019 - 14:29 [ Paul Vixie ‏/ Twitter ]

DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.

(20.10.2018)