Comment by elashri
1 day ago
I think one way or another you will have to trust some entity with your DNS, unless you are willing to use Tor all the way at the OS level. Even running your own recursive DNS resolver will leak your IP to the root servers. Put a VPN in front of it, and now you trust this VPN company (kudos Mullvad).
And abusing HTTPS is for good reasons. Blocking ports 53 and 853 is easy, and many ISPs will do that.
The author also makes it feel like the only option is to use Cloudflare DoH on Firefox. While that's the first option, there are also NextDNS and a custom field. There are many providers I would trust more, like Quad9 and Mullvad DoH.
I think the reasons not to use DoH are the same as the reasons not to use public DNS from providers you don't trust anyway.
Most people are happily using 8.8.8.8 and handing all their DNS information to the biggest advertising company in the world. Or worse, using their ISP-provided DNS.
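Since the thread keeps returning to "DoH is just DNS over port 443", here is a constructed, self-contained illustration of what a DoH client actually sends and receives (RFC 8484): the standard DNS wire-format query, base64url-encoded into the GET URL, and the wire-format answer that comes back in the HTTPS body. This is an added example, not code from anyone in the thread; the resolver URL is the RFC's own example host, the response is hand-built rather than fetched, and 203.0.113.10 is a documentation address.

```python
"""Constructed DoH (RFC 8484) wire-format walkthrough: build a DNS query, wrap
it in an HTTPS GET URL, and parse a hand-built response. Added example; no
network access is used."""
import base64
import struct

# RFC 8484's example resolver URL; not a real service.
DOH_URL = "https://dnsserver.example.net/dns-query"
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, e.g. 'a.b' -> b'\\x01a\\x01b\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Standard query with RD set. DoH clients use ID 0 so identical queries
    produce identical URLs and HTTP caches can serve them (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(name: str) -> str:
    """GET form: the raw message goes in ?dns=, base64url without padding."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={q}"


def decode_name(msg: bytes, off: int):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original position)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return [(name, type, ttl, rdata)] from the answer section; A records
    are rendered as dotted quads. Raises on a non-zero RCODE (e.g. NXDOMAIN)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned rcode {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def sample_response() -> bytes:
    """Constructed body of a DoH reply (Content-Type: application/dns-message):
    flags 0x8180 = response, RD, RA; one question echoed; one A answer whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("news.ycombinator.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("news.ycombinator.com"))
    print(parse_response(sample_response()))
```

The point for the blocking discussion: nothing on the wire distinguishes this from any other HTTPS GET except the URL path and the `application/dns-message` content type, which is exactly why an ISP that blocks 53 and 853 cannot cheaply block it without blocking the resolver's whole HTTPS endpoint.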
> The author also makes it feel like the only option is to use Cloudflare DoH on Firefox
In fairness, the date on the post is 2018: when Firefox first launched this, Cloudflare was the only option.
True, but at the end of the post the author also explicitly rejects the idea of the DoH protocol in general on questionable technical grounds, so clearly their objection isn't just Cloudflare. I think the argument would be a lot clearer if they didn't conflate "using Cloudflare for your DNS" with "using the DoH protocol for DNS" even if they think both of them are bad.
Now that makes more sense regarding this point. I missed the date. I think the submission title needs (2018).
Even back then, wasn't Cloudflare just the only listed option? Couldn't you still have manually entered a different DoH server that you knew of?
That's not true. Back in 2018 Firefox had the option to use Cloudflare or enter another DoH server IP.
Cloudflare is still default.
> I think one way or another you will have to trust some entity with your DNS. Unless you are willing to use Tor all the way at the OS level. Even running your own recursive DNS resolver will leak your IP to root servers
With modern recursive DNS, you don't leak much to the root servers, just the TLD you're trying to resolve. And you can AXFR the root zone, and then the root servers only know you're a resolver. The TLD servers know a lot, by necessity, though.
I think, though, for the purposes of this argument you can lump the TLD and root servers together. A lot of people are going to know who you are and what you're looking up if you run your own recursive resolver directly against the root servers.
What modern recursive DNS uses is called Query Name Minimisation, and is enabled by default by some.
If you include the TLD as part of "Lot of people are going to know who you are and what you're looking up", ignoring any mitigating effect of Query Name Minimisation, the number of people is identical to any other setup.
For an ISP resolver, it will be the ISP and the owner of the domain name through web logs.
For a public DNS resolver, it will be the public resolver and the owner of the domain through web logs.
For a personal recursive resolver, it will be the TLD and the owner of the domain name through DNS and web logs. The TLD's job in this case is to give you the authoritative name servers of the domain name that the owner of the domain has.
With Query Name Minimisation, the TLD only gets the domain name without any subdomains. They can't see the distinction between a user reading Hacker News, or a user going to the main page of ycombinator to read about YC invests.
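To make the "who sees what" argument concrete, here is a constructed simulation of a local recursive resolver walking the delegation chain for a name, once without and once with QNAME minimisation (RFC 9156). It is an added example, not code from anyone in the thread. The delegation tree (root, the com TLD, and the domain owner's servers) is a constructed assumption baked into `ZONES`; a real minimising resolver discovers zone cuts from responses rather than knowing them in advance, and the example stops at the deepest known zone rather than modelling the per-label probing inside it.

```python
"""Constructed simulation of what each authoritative server sees during one
recursive resolution, with and without QNAME minimisation (RFC 9156).
Added example; the delegation tree below is an assumption, not live DNS data."""

# Constructed delegation tree: zone apex -> who runs the servers for that zone.
ZONES = {
    ".": "root servers",
    "com.": "com TLD servers",
    "ycombinator.com.": "domain owner's servers",
}


def ancestors(qname: str):
    """'news.ycombinator.com.' -> ['.', 'com.', 'ycombinator.com.', 'news.ycombinator.com.']"""
    labels = qname.rstrip(".").split(".")
    out = ["."]
    for i in range(len(labels) - 1, -1, -1):
        out.append(".".join(labels[i:]) + ".")
    return out


def walk(qname: str, minimise: bool):
    """Return [(server, name_sent)] for each query the resolver makes while
    following referrals from the root down to the authoritative servers."""
    qname = qname.rstrip(".") + "."
    anc = ancestors(qname)
    trace = []
    zone = "."
    while True:
        idx = anc.index(zone)
        # The next zone cut below the one we are asking, if the tree has one.
        nxt = next((a for a in anc[idx + 1:] if a in ZONES), None)
        if nxt is None:
            sent = qname          # authoritative server for the name needs it in full
        elif minimise:
            sent = nxt            # only one more label than the server's own zone
        else:
            sent = qname          # classic behaviour: full name to every server
        trace.append((ZONES[zone], sent))
        if nxt is None:
            return trace
        zone = nxt


def exposure(qname: str):
    """Summarise which servers learn the full query name under each mode."""
    full = qname.rstrip(".") + "."
    return {
        mode: [server for server, sent in walk(full, minimise) if sent == full]
        for mode, minimise in (("without_minimisation", False), ("with_minimisation", True))
    }


if __name__ == "__main__":
    for minimise in (False, True):
        print("minimise =", minimise)
        for server, sent in walk("news.ycombinator.com", minimise):
            print(f"  {server:24s} sees {sent}")
    print(exposure("news.ycombinator.com"))
```

Under the constructed tree, the root only ever sees `com.` and the TLD only ever sees `ycombinator.com.` once minimisation is on; the domain owner's servers see the full name in both modes, which is the comment's point that the owner learns it regardless of which resolver you use.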
The Tor daemon exposes DNS resolvers if you enable them in torrc.
You'd of course be trusting Tor nodes for your DNS at that point, as I believe the network pulls records from exit nodes' resolvers, but you sidestep the quandary of deciding who you trust to directly make requests to.
You can also have multiple resolvers in the same daemon that use their own circuits, reducing the chances of receiving forged DNS records from potentially malicious exit nodes.
Similarly, DoH and DoT work over Tor.
You don't have to use it at a system level, just point your DNS clients at the daemon.
It's funny you call out Mullvad in this specific case, because it's the one thing I really dislike about their VPN service. It won't route DNS to the root servers, or any designated server really. They redirect DNS queries to their cache indiscriminately, which actually will harm the success of setting up a recursive resolver. I get this is done to prevent leaks; I would just like the option to opt out of it. I've been a customer for many years now, though. I use unbound, semi-recursively resolving using a forwarder with DNS over TLS. So Mullvad is not burdened with what I resolve, and the forwarder not with information on who.
You can opt out of it if you use the API to register your WireGuard public key. Specifically, you pass in hijack_dns=false https://schnerring.net/blog/use-custom-dns-servers-with-mull...
I wonder if using a large number of DNS servers and picking one from the list or rotating through them would help.
If you’re going to be hacking, why not just build your own DNS?
The issue isn't trusting DNS. It's trusting my local network. DNS is unencrypted UDP traffic. There are fewer than 65,535 ports that my machine can use to originate that request.
The problem with the protocol is poisoning not authority.
It's crazy that OSes don't run their own recursive resolver by default or even have it as an option.
I think `systemd-resolved` provides it out-of-the-box for most distros.
AFAIK it's just a proxy to another DNS server with the added benefit of being able to resolve local domain names through mDNS.
I tried configuring Mullvad DNS on Firefox (last year) with DoH/DoT and it would randomly flake out and not resolve some domains (different ones each time) and the only way to fix it was restarting the browser. Cloudflare at least Just Works (tm)
Not really. If motivated, building a bespoke DNS for personal (or whatever) use is easy these days. The hard part is the infrastructure to make it reliable and maintainable.