
The point of DNS over HTTPS is enhanced privacy. Currently, DNS packets are unencrypted, but can be signed (with DNSSEC). DNSSEC does nothing to hide the content of DNS requests/responses, but makes sure that they can't be tampered with. Adoption (client side DNSSEC validation) is currently at around 14% [1], which is indeed low.

There is the DNS Privacy project, which proposes some solutions to the privacy issue [2].

The alternatives you're mentioning are really not alternatives at all (except namecoin, but only for .bit). How the other solutions (e.g. Steemit) are connected to the problem at hand is beyond me.

[1]: https://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&...

[2]: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+-+The+Sol...
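To make concrete what "DNS over HTTPS" carries on the wire, here is an added example (my code, not part of the thread) that builds a plain wire-format DNS query, encodes it the way RFC 8484 specifies for the GET form (unpadded base64url in the `dns` query parameter), and parses A records out of a constructed response. The resolver endpoint `https://doh.example.invalid/dns-query` is a placeholder; the response bytes are constructed inline and use the 192.0.2.0/24 documentation range. The point is that the DNS message itself is unchanged; only the transport (HTTPS) hides it from on-path observers, which is exactly the privacy claim being discussed.

```python
"""Build an RFC 8484 DoH GET request and parse a DNS response (added example)."""
import base64
import struct

# Placeholder resolver URL (assumption, not a real endpoint)
DOH_ENDPOINT = "https://doh.example.invalid/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query. RFC 8484 section 4.1 recommends ID 0 so responses cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def parse_a_records(msg: bytes) -> list:
    """Return IPv4 strings from the answer section of a wire-format response (handles compression pointers)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(p: int) -> int:
        while True:
            ln = msg[p]
            if ln == 0:
                return p + 1
            if ln & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
                return p + 2
            p += 1 + ln

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


# Constructed sample response: same question, one A record 192.0.2.1, name compressed to offset 12
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The encoded value for `www.example.com` with ID 0 matches the worked example in RFC 8484 itself, which is a handy check that an implementation is byte-exact.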



Enhanced privacy if you consider what's between your device and the DNS operator. But the DNS operator itself learns more about you. They can more accurately fingerprint your devices with DoH than regular DNS due to HTTP sessions, HTTP headers, and TLS tickets.

This concern started being addressed in the latest DoH draft.


Right now there are no benefits though. Because the browser sends the domain name you contact unencrypted via the TLS handshake due to SNI. So someone listening in to your communication will learn the hostname anyway.

I know people are working on encrypted SNI but that will take time.


Of course there are benefits.

Assume a large entity willing to do some mass surveillance (NSA, ...). Now with unencrypted DNS this entity just has to MITM a link on the last hop of a few DNS providers (Google, Cloudflare) and voila, the IPs of the clients and the domains visited are pouring in.

With encrypted DNS, for an entity to get the same amount of information they need to MITM a much larger amount of links.

Though I agree the benefits are clearly limited, the idea is to eliminate all weak links. If there are 2 broken windows in your house and you can fix one - why not do it?


> Right now there are no benefits though.

In terms of privacy, I would mostly agree. Using an authenticated channel to your resolver still protects against many common MitM vectors, so there's definitely a benefit there. Unlike DNSSEC, you're not dependent on the target domain being in the small subset of DNSSEC-enabled domains, not to mention that most client resolvers won't validate DNSSEC anyway.


Encrypted SNI will take years before it is in common usage.

If you're that concerned about privacy, you better use a VPN.


Not necessarily.

CDNs have been doing, and keep doing, a great job at pushing new things forward.

Fastly, Cloudflare and Akamai already have implementations and test websites.


Unless I misunderstand how it works, DoH also provides protection against an attacker spoofing replies.

I have no clue how often this attack vector has been used in the real world, but last time I read about it, I got the impression that it would not be very hard for a skilled attacker to pull off. (DNSSEC would work, too, but as you say, most clients do not make use of it.)



