Censorship

Petr Špaček petr.spacek at nic.cz
Mon Jul 20 05:54:18 UTC 2020

On 17. 07. 20 20:16, Måns Nilsson via Unbound-users wrote:
> Subject: Re: Censorship
> Date: Fri, Jul 17, 2020 at 09:43:58AM +0200
> Quoting Ondřej Caletka via Unbound-users (unbound-users at lists.nlnetlabs.nl):
> 
>> Anyway, forwarding to a trusted DoH upstream should solve the issue.
> 
> This is a valid reason to use DoH, escaping commercial or well-intended
> stupid filters. Never thought I'd think there was a use for DoH, but
> here it is.  Don't go around thinking DoH will hide your queries from
> more than casual blocking/inspection, though.

I think this comment needs clarification:

1) The DoH protocol itself, like any other DNS-only encryption protocol, does not provide protection from determined attackers. This is not a fault of DoH/DoT; it is simply a property of the IP protocol and the current web deployment model. For more details, read the article by Simran Patil and Nikita Borisov, 2019, "What can you learn from an IP?"
- slides: https://irtf.org/anrw/2019/slides-anrw19-final44.pdf
- the article itself: https://dl.acm.org/authorize?N687437

2) DoH does not provide a lot of benefits over DoT or other DNS-encryption protocols, unless it is co-hosted with content. Hosting a DoH endpoint, e.g. on a big CDN, would make DoH hard to block without big "collateral damage". This is where DoH in theory has an advantage in un-blockability over other protocols, but centralizing DNS and everything else has its own set of problems; see the article:
https://labs.ripe.net/Members/bert_hubert/centralised-doh-is-bad-for-privacy-in-2019-and-beyond

In short, if you care about privacy, go for a full VPN and do not waste time on DNS-only encryption.

-- 
Petr Špaček  @  CZ.NIC
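The forwarding setup the quoted reply refers to, as an added example that is not part of this thread: an Unbound forward-zone that sends all queries to an upstream resolver over TLS (DoT, the encrypted forwarding transport Unbound supports) instead of plaintext port 53. The upstream address 192.0.2.53 and the authentication name dot.example.net are placeholder values assumed for illustration.

```conf
# Added example, not from the thread: Unbound forwarding over TLS instead of plaintext.
# 192.0.2.53 and dot.example.net are placeholders; substitute a trusted upstream.
server:
    # CA bundle used to verify the upstream's certificate (path varies by distribution)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Weak: plaintext forwarding on port 53 -- an on-path filter sees every query name
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53

# Hardened: forward over TLS on port 853 and authenticate the upstream by name
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#dot.example.net
    forward-tls-upstream: yes
```

Validate the file with `unbound-checkconf` before reloading. As the message above stresses, this hides only the query names from the path; the destination IPs of the connections that follow remain visible.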
