There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.

Time to change that and run your own DNS over HTTPS server. I spent some time today writing, documenting and arranging a small container setup to allow you to do this:

@sheogorath Using one under your direct control is always the best, but that still leaks DNS queries to the upstream DNS provider or, at the very least, to your connectivity provider.
And I probably trust Cloudflare (or even Google) to respect my privacy more than my local internet provider, as, being bigger, they are under closer scrutiny.

@lapo Agreed. There can be situations where you don't want to run your own DNS server for individual privacy reasons. When we look at mass privacy Google and Cloudflare are a big problem. And that's what I try to help with :)

We need more diverse ecosystems for DNS as well as for the rest of the web.

@sheogorath @lapo I prefer to trust my provider, rather than Google or Cloudflare. My provider knows which servers I connect to anyway.

@cdonat @sheogorath That's very true. OTOH Italian providers have usually lousy DNSes anyways and they are subject to state-mandated censorship too. So, yeah, choices depend (very much) on use-cases.

@sheogorath yeah. And now you need to manually configure every browser on all of your devices that you use to use yours. Now let's not forget split horizon setups. And of course the architectural reasons that a BROWSER shouldn't bypass system DNS (how many apps are going to start doing this that you will need to figure out how to undo?)

That there are ways to mitigate the horribleness of this doesn’t make it not horrible

@david I agree that it'll become quite ugly when this trend continues. But browser vendors taking a lead here has a good reason and that's the fact that the OS level doesn't seem to care. On Linux our default DNS lookup method still doesn't validate DNSSec and DNSSec has existed for ages.

And from an end-user perspective (talking about individual privacy/security) DoH, even when using big providers, improves things a lot!

@sheogorath it’s ugly from the first implementation. It completely breaks local dns and split-horizon dns. Additionally it nicely centralizes all of your surveillance into one spot. Not to mention redirect and capture. All from the exact same companies that brought us PRISM and friends.

As for dnssec, #FreeBSD has had dnssec validation as a single config switch for years now 😉

@david To be honest, I'm not too upset about Split-horizon setups going away. With IPv6 those should no longer be mandatory at all.

Also breaking local DNS is, given we talk about an average user in an open (unencrypted) wifi, not super bad in my opinion.

But as a sysadmin I definitely know what you mean and it has of course drawbacks, but everything has that… Let's work on leading new ideas into the right direction, not deciding to stay backwards forever. 😉

@sheogorath split horizon is about so much more than v6. It's about visibility of network resources. V6 has local scope and local anonymous addresses for this reason fc::/8 (RFC 4193).

You talk about the 'average' user as a coffee shop user, and this is indeed common. But also common is the small and medium business just trying to do their job with internal apps. Which reminds me of another use case this breaks. VPNs. And anycast/CDNs. 1/?

@sheogorath sure is convenient for (their business model) that cloudflare is pushing this.

It's a false dichotomy that this is somehow moving things forward, and that everything has negative consequences. Moving DNS resolution to client apps away from the OS is not forwards, it's backwards. Forwards would be to put it in system resolvers. There is still DHCP to handle, but having it there you can use the existing 'insecure' zone and use that to switch to trusted providers.

@david I think we are on the same page when it comes to the question where the DNS resolver belongs to (same goes for things like QUIC). And that's what I mean by "moving it towards the right direction".

There are multiple areas where development is needed: For one moving the resolver into a better place, but also allow everyone to run a DoH nameserver (which is my part).

And all I said is that browser vendors went for it, because way too many system libraries ignored DoT, DoH and DNSSec.

@sheogorath @david Yes, lead the development. Make Linux distributors switch on DNSSec checking by default. Use DoT - if you prefer them, Google and Cloudflare both provide that as well.

DoH doesn't solve the problem that DNSSec solves, so you'll still have to make sure that all the DoH applications have it checked - and get bug fixes, each of them. Don't use browsers that ignore the system DNS setup, or you'll end up in configuration hell.
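The last post's point, that every DoH-speaking application has to check DNSSEC validation itself, comes down to one header bit in the reply. The following is an added example, not code from the thread or from sheogorath's container setup: it builds a DNS wire-format query with the EDNS0 DO bit set, encodes it as an RFC 8484 GET URL (the form browsers send to a DoH server), and classifies a reply by its AD (authentic data) and RCODE fields. The resolver URL `https://doh.example/dns-query` and the three reply headers are constructed placeholders; no network traffic is sent.

```python
"""Build an RFC 8484 DoH GET request and inspect a reply's DNSSEC flags.

Added example, not part of the original thread. The resolver URL and the
sample replies below are constructed for illustration.
"""
import base64
import struct

# RFC 1035 header flag masks
QR = 0x8000   # response
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
AD = 0x0020   # authentic data: resolver claims it validated DNSSEC
CD = 0x0010   # checking disabled
RCODE_MASK = 0x000F


def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True) -> bytes:
    """Wire-format query. ID is 0 as RFC 8484 recommends for cacheability.
    With dnssec_ok an EDNS0 OPT record with the DO bit asks for RRSIGs."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", 0, RD, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE=41, UDP payload 4096,
        # ext-rcode 0, EDNS version 0, flags DO=0x8000, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns parameter."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}"


def parse_flags(response: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify(response: bytes) -> str:
    """What the reply says about validation. A validating resolver answers
    SERVFAIL for data that fails DNSSEC; a non-validating one just omits AD.
    The AD bit is only meaningful over an authenticated channel such as DoH
    or DoT, since on plain UDP anyone on path could set it."""
    f = parse_flags(response)
    if f["rcode"] == 2:
        return "servfail"
    if f["rcode"] != 0:
        return f"rcode-{f['rcode']}"
    return "validated" if f["ad"] else "unvalidated"


# Constructed sample replies (header only, which is all the flag check needs)
VALIDATED_REPLY = struct.pack("!HHHHHH", 0, QR | RD | RA | AD, 1, 1, 0, 1)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0, QR | RD | RA, 1, 1, 0, 1)
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0, QR | RD | RA | 2, 1, 0, 0, 1)


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))   # placeholder resolver
    for label, reply in [("validated", VALIDATED_REPLY),
                         ("unvalidated", UNVALIDATED_REPLY),
                         ("servfail", SERVFAIL_REPLY)]:
        print(label, "->", classify(reply))
```

A client that wants the guarantee the thread is arguing about has to do exactly this for every answer: treat a missing AD bit over DoH as "not validated by this resolver" and either validate locally or fall back to a resolver that does, rather than assuming the encrypted transport implies integrity of the data.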

Sheogorath's Microblog
