Posted: Mon Mar 16, 2020 8:21 Post subject: purpose of dns over https?
what is the purpose of dns over https? I mean this with respect to privacy from an isp (preventing them from selling my data to advertisers etc...).
I have recently added a pi-hole to my network and decided to use dns over https with cloudflare but after giving it some thought, I don't know if I see the point. My isp will still see the ip address of the websites I visit and can't they just reverse lookup the domain names?
DOH is now an optional feature in firefox+chrome and there is a bunch of information on the web about it increasing privacy. I don't see it, is there some other reason to use dns over https?
I decided to post this here because I think this is where I will likely hear a response from a real expert. Thanks in advance for any responses.
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Mon Mar 16, 2020 10:34 Post subject:
Without DoH, DNS hits go in plain text.... all of them...and leave opportunities for man-in-the-middle attacks and so on...
with DoH or DoT or DNSCrypt they go encrypted...and eliminate those opportunities...
DoH is a double-edged dagger, as it helps to secure DNS, but DoH goes around some DNS-based firewalls or hostname-based filters that usually can help you with malicious activities...
But then again you can use ad-blocking and malicious-filtered DoH DNS providers...
Personally I love FFx DoH and its settings, and use it on my systems along with 9.9.9.9 DNS or Adguard DNS instead of 1.1.1.1 ...
Quad9 has strong and serious malicious packet filtering....
you can find all details for FFx DoH settings on ggl or look at FFx help, all light is there...
If you decide to give a go on DoT, the link is in my signature,
same for DNSCrypt...thanks to mac913 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Mon Mar 16, 2020 16:01 Post subject:
I agree with all of the above. FWIW, malware-filtering DNS providers Quad9 DNS and Adguard DNS can be checked out at https://quad9.net and https://adguard.com/en/adguard-dns/overview.html respectively. I also use both, Quad9 as my primary and Adguard as a backup in case Quad9 is having issues (very, very rare). Quad9 has more servers and is faster, but of course the ad filtering by Adguard is great. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
Joined: 03 Jan 2010 Posts: 7568 Location: YWG, Canada
Posted: Mon Mar 16, 2020 21:04 Post subject:
it's for the security paranoid to feel a bit less paranoid
(instead, keep reducing performance and latency for "security" and let's all trust a company, reminds me of NORDVPN, lololol) _________________ LATEST FIRMWARE(S)
BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
Alozaros:
Okay, thank you for all the information! Shouldn't just enabling DNSSEC be able to stop the man-in-the-middle attacks though? I realize there are possible security advantages to using encrypted DNS but I'm more curious about the privacy at the moment. There is all kinds of information on the web about how it increases privacy but actually I don't see how it can increase privacy at all. I think an ISP has access to all the IP addresses for websites that a person visits and they should just be able to reverse the DNS, thereby getting all the names of the websites you visited, then they can just sell that to advertisers. Wouldn't this be simple for them, or am I missing something?
it's for the security paranoid to feel a bit less paranoid
(instead, keep reducing performance and latency for "security" and let's all trust a company, reminds me of NORDVPN, lololol)
This is basically what I'm worried about. Suppose for a minute that I believe Cloudflare deletes all the information like they say they do; so what? My ISP still can just log all the IP addresses of websites I visit and then sell all that information to advertisers. What will I have gained by enabling all this stuff? All I have done by switching from my ISP's DNS to Cloudflare/Quad9 or whoever is potentially added another entity that sees all of my traffic.
If I only care about man-in-the-middle attacks, then I can just enable DNSSEC or some other type of encryption. It seems to me that the existence of DoH makes everyone less secure because you cannot filter it since it uses HTTPS. Any malicious stuff that I could have locally is free to use DoH and I have no way of preventing this, as far as I can tell.
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Tue Mar 17, 2020 8:25 Post subject:
yep DNSSEC helps but in very limited scenarios...
it does not do any encryption at all ....
Encrypted DNS prevents certain attacks and helps with
hiding the DNS hits...as it moves them to a TLS or HTTPS communication that looks like a site-to-site encrypted channel,
but yep there are technologies that you can reverse and find where your clients were...but it does not always work
Then if you want real privacy then you'd need a proper VPN and use an encrypted DNS that goes into the VPN channel....or use the Tor network, or use I2P, or just use a parrot with a few tweaks...
I personally use PIA VPN and it helps a lot with privacy, as well it's easy to set up and works great on DDWRT routers... (just bear in mind you'd need a powerful router to run VPN) or Wireguard
also bear in mind 1.1.1.1 is not the best free DNS by far...use 9.9.9.9 instead
have a read of this link that tinkeruntilitworks posted
Last edited by Alozaros on Wed Mar 18, 2020 1:04; edited 2 times in total
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Tue Mar 17, 2020 23:32 Post subject:
BretG57 wrote:
tatsuya46 wrote:
it's for the security paranoid to feel a bit less paranoid
(instead, keep reducing performance and latency for "security" and let's all trust a company, reminds me of NORDVPN, lololol)
This is basically what I'm worried about. Suppose for a minute that I believe Cloudflare deletes all the information like they say they do; so what? My ISP still can just log all the IP addresses of websites I visit and then sell all that information to advertisers. What will I have gained by enabling all this stuff? All I have done by switching from my ISP's DNS to Cloudflare/Quad9 or whoever is potentially added another entity that sees all of my traffic.
If I only care about man-in-the-middle attacks, then I can just enable DNSSEC or some other type of encryption. It seems to me that the existence of DoH makes everyone less secure because you cannot filter it since it uses HTTPS. Any malicious stuff that I could have locally is free to use DoH and I have no way of preventing this, as far as I can tell.
DNSSEC is basically useless, as the website provider on the other end has to be set up to use it. It's not enough for the DNS provider to use it. And almost no websites use it.
DoH with a filtering provider like Quad9 is useful, because the DoH connection gets you to Quad9, they look up the IP address of the FQDN you provided over that encrypted link, and if it's on their giant list of malware domains, they return NXDOMAIN (no such domain) across that encrypted DoH channel in response to your query. The DoH has saved you from potential MITM attacks. (Go to https://www.dnscrypt.org/ though for a nice comparison of features of DNSCrypt, DoH, and DoT.) Of course if the malware uses hard-coded IP addresses so that no DNS lookup is needed, this will not help. Nothing is perfect.
And to whoever asked - I forget - about ISPs just doing reverse lookups on the numeric IP addresses, yes, they can do that! But zero protection is obtained from encrypted DNS and even VPNs against a super competent adversary out to investigate you in particular. The purpose of the measures we take is simply to remove ourselves from the automated mass surveillance and selling of our data. That mass surveillance at the ISP level is going to use domain names, not numeric IPs, because it's easier and the data are more useful to advertisers. (And have you ever experimented with reverse lookups? Often they don't take you where you think they would.) And doing a full-out analysis to sort out which of a VPN server's 50 current users might be behind a particular packet of interest to an investigator is a big, complex deal, not something suited to automation to analyze everything coming out of the server. Again, assume that a VPN removes you from mass surveillance, not from targeted surveillance. People looking at a VPN as an excuse to do bad stuff secretly are basically fools. Just my opinion.
I know Quad9 is a favorite and have seen you also mention Adguard. Are there any others? Would using round robin be good for privacy so my look-ups are spread over multiple companies instead of just 1?
about round robin
it depends on your case...
for a home/small office network you can use 1 or 2, this speeds up DNS, but also takes resources...and could be compromised from the LAN side in certain scenarios...very uncommon scenarios...but yep it's safe to use 1 or 2
in my case, I use 0 with a lower idle_timeout of 8000 and it's fine, as if the first request hangs, it queries the next DNS; if there are too many requests at the same time it will delay a bit, but nothing too bad...
option 1 or 2 is excellent for bigger networks with a lot of routers and clients referring to the same DNS IP running Stubby...I have to admit I set up a DDWRT router with Stubby in a quite big network for a client and so far no complaints...with rd-robin 1...only....
p.s. I stay away from 1.1.1.1 or 8.8.8.8