Comment by acdha

2 years ago

Just because some apps use insecure but highly identifiable DNS lookups doesn’t mean everyone does, or that DNS-over-HTTPS will never be deployed (iOS shipped support in 2020 and Android was only a couple of years later). There’s a 0% chance that anyone smart would say they should rely on that alone and not develop other sources for that information, and intelligence agencies have hired many smart technical people.

In general, I agree DNS-over-HTTPS is a step in the right direction, in terms of eliminating the low-hanging fruit of snooping over the wire. But it's still the same major companies providing the resolvers. And if you're sending them an NSL for push notifications, you may as well send one for DNS too.

  • That’s usually untrue - for example, if I’m on Comcast but I use Firefox, my DoH requests go instead to Cloudflare who don’t log IPs – but also the larger point is that DNS isn’t complete enough: sometimes it’s unique companies but a lot of the time it’s just a shared endpoint. Push notifications don’t have that problem and happen every time, not just when a cache expires.

    • Cloudflare is one of the "major companies" I was alluding to. It's still an issue of centralized authorities that are accountable to governments. But I do trust Cloudflare more than my ISP or Apple, and in fact I route much of my traffic through them so I hope I'm right in giving them my trust.