petr.spacek at nic.cz
Mon Jul 20 05:54:18 UTC 2020
On 17. 07. 20 20:16, Måns Nilsson via Unbound-users wrote:
> Subject: Re: Censorship Date: Fri, Jul 17, 2020 at 09:43:58AM +0200 Quoting Ondřej Caletka via Unbound-users (unbound-users at lists.nlnetlabs.nl):
>> Anyway, forwarding to a trusted DoH upstream should solve the issue.
> This is a valid reason to use DoH, escaping commercial or well-intended
> stupid filters. Never thought I'd think there was a use for DoH, but
> here it is. Don't go around thinking DoH will hide your queries from
> more than casual blocking/inspection, though.
I think this comment needs clarification:
1) The DoH protocol itself, like any other DNS-only encryption protocol, does not provide protection from determined attackers. This is not a fault of DoH/DoT; it is simply a property of the IP protocol and the current web deployment model. For more details read the article by Simran Patil and Nikita Borisov. 2019. What can you learn from an IP?
- slides: https://irtf.org/anrw/2019/slides-anrw19-final44.pdf
- the article itself: https://dl.acm.org/authorize?N687437
2) DoH does not provide many benefits over DoT or other DNS-encryption protocols unless it is co-hosted with content. Hosting a DoH endpoint e.g. on a big CDN would make DoH hard to block without big "collateral damage". This is where DoH in theory has an advantage in un-blockability over other protocols, but centralizing DNS and everything else has its own set of problems, see article:
In short, if you care about privacy, go for a full VPN and do not waste time on DNS-only encryption.
Petr Špaček @ CZ.NIC
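An added illustration of point 1 above (this is example code, not part of the original post or of Unbound): even when the DNS lookup itself went over DoH/DoT, the connection that follows it leaks the destination to an on-path observer through the destination IP address and, in the current web deployment model, through the cleartext server_name (SNI) extension of the TLS ClientHello. The script below builds a minimal ClientHello carrying SNI, then parses it back the way a passive observer would. The flow records, IP addresses and hostnames are constructed sample data; `build_client_hello`, `extract_sni` and `observed_destinations` are names chosen for this example.

```python
import struct

# Constructed example, not from the original post: a minimal TLS ClientHello
# builder and a parser that recovers the server_name (SNI) extension, which an
# on-path observer sees in clear even when the preceding DNS lookup was encrypted.

SNI_EXT_TYPE = 0x0000   # extension type "server_name" (RFC 6066)
HOST_NAME_TYPE = 0      # NameType host_name inside the server_name list


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS record holding a ClientHello with an SNI extension."""
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2 (constructed sample)
        + b"\x00" * 32              # random: zeroed for the sample
        + b"\x00"                   # session_id: empty
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"               # compression_methods: null only
        + extensions
    )
    # handshake header: msg_type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: content type 0x16 (handshake), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent/garbled."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                       # truncated capture
    pos = 2 + 32                          # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                  # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                  # compression_methods
    if pos + 2 > len(body):
        return None                       # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE or len(edata) < 2:
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        if list_end > len(edata):
            return None
        p = 2
        while p + 3 <= list_end:
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == HOST_NAME_TYPE and p + nlen <= list_end:
                return edata[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


def observed_destinations(flows):
    """flows: iterable of (dst_ip, first_client_bytes). Map each dst_ip to its SNI."""
    return {ip: extract_sni(data) for ip, data in flows}


# Constructed flow records as a passive observer on the wire would see them:
# destination IP plus the first client bytes of each TCP connection.
SAMPLE_FLOWS = [
    ("198.51.100.10", build_client_hello("mail.example.net")),
    ("203.0.113.7", build_client_hello("forum.example.org")),
    ("192.0.2.5", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),   # truncated hello
]

if __name__ == "__main__":
    for ip, host in observed_destinations(SAMPLE_FLOWS).items():
        print(f"{ip:15} -> {host if host else '(no SNI recovered)'}")
```

The observer never needed the DNS query: the destination IP is in every packet header, and the hostname is in the first packet of the TLS handshake. Encrypting the resolver hop moves the leak, it does not close it, which is why the post recommends a full VPN when the goal is hiding destinations rather than just bypassing a resolver-level filter.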