There was recently a lot of news about DNS over HTTPS. Some people say it's bad for privacy because it centralizes the DNS requests on Google, Cloudflare and Quad9.
Time to change that and run your own DNS over HTTPS server. I spend some time today in writing, documenting and arranging a small container setup to allow you to do this:
https://octo.sh/container-library/dns-over-https/blob/master/README.md
#DNSoverHTTPS #DoH #Docker #privacy #infosec #selfHosting #DNS
@sheogorath yeah. And now you need to manually configure every browser on all of your devices that you use to use yours. Now lets not forget split horizon setups. And of course the architectural reasons that a BROWSER shouldn’t bypass system DNS (how many apps are going to start doing this that you will need to figure out how to undo?)
That there are ways to mitigate the horribleness of this doesn’t make it not horrible
@david I agree that it'll become quite ugly when this trend continues. But browser vendors taking a lead here has a good reason and that's the fact that the OS level doesn't seem to care. On Linux our default DNS lookup method still doesn't validate DNSSec and DNSSec exists for ages.
And from an enduser perspective (talking about individual privacy/security) DoH even when using big providers, improves things a lot!
@sheogorath it’s ugly from the first implementation. It completely breaks local dns and split-horizon dns. Additionally it nicely centralizes all of your surveillance into one spot. Not to mention redirect and capture. All from the exact same companies that brought us PRISM and friends.
As for dnssec, #FreeBSD has had dnssec validation as a single config switch for years now 😉
@david To be honest, I'm not too upset about Split-horizon setups going away. With IPv6 those should no longer be mandatory at all.
Also breaking local DNS is, given we talk about an average users in an open (unencrypted) wifi, not super bad in my opinion.
But as a sysadmin I definitely know what you mean and it has of course draw backs, but everything has that… Let's work on leading new ideas into the right direction, not deciding to stay backwards forever. 😉
@sheogorath split horizon is about so much more than v6. Its about visibility of network resources. V6 has local scope and local anonymous addresses for this reason fc::/8(rfc4193).
You talk about the ‘average’ user as a coffee shop user, and this is indeed common. But also common is the small and medium business just trying to do their job with internal apps. Which reminds me of another usecase this breaks. VPNs. And anycast/CDNs. 1/?
@david I think we are on the same page when it comes to the question where the DNS resolver belongs to (same goes for things like QUIC). And that's what I mean by "moving it towards the right direction".
There are multiple areas where development is needed: For one moving the resolver into a better place, but also allow everyone to run a DoH nameserver (which is my part).
And all I said is, that browser vendors went for it, because way too many system libraries ignored DoT, DoH and DNSSec.
@sheogorath sure is convenient for (their business model) that cloudflare is pushing this.
Its a false dichotomy that this is somehow moving things forward, and that everything has negative consequences. Moving dns resolution to client apps away from the OS is not forwards, its backwards. Forwards would be to put it in system resolvers. There is still dhcp to handle, but having it their you can use the existing ‘insecure’ zone and use that to switch to trusted providers