
Comment by AnthonyMouse

1 day ago

> If you don't want Cloudflare seeing your DNS requests, then use one of them instead.

Normal people have no idea that this even exists, much less how to do it, so they're still having all their queries routed to Cloudflare by default.

> The only difference between DoT and DoH is that DoT is easier to block and force fallback to totally insecure DNS.

A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS. A corporate one that requires you to install certificates on the client so that it can, is just as able to block DoH as DoT.

And fallback isn't required in either case. If some network is blocking encrypted DNS, the client device can be configured to fail rather than use the insecure DNS, at which point the user knows that the network is adversarial and can switch to a VPN or a cellular connection etc.

> Normal people have no idea that this even exists, much less how to do it, so they're still having all their queries routed to Cloudflare by default.

This goes the other way too. Normal people don't know about DNS at all, and without DoH, are leaking all of their DNS queries to their ISP without knowing.

> A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS.

DoT uses port 853, which can just be blocked wholesale. It's not feasible to do the same for DoH since it uses port 443.

> And fallback isn't required in either case. If some network is blocking encrypted DNS, the client device can be configured to fail rather than use the insecure DNS, at which point the user knows that the network is adversarial and can switch to a VPN or a cellular connection etc.

It can be, but it's not the default on any mainstream system. Normal people won't change defaults, and they deserve privacy too.

  • > This goes the other way too. Normal people don't know about DNS at all, and without DoH, are leaking all of their DNS queries to their ISP without knowing.

    But is this actually any better than leaking them to Cloudflare? There is at least the possibility that the ISP isn't logging them and that they only run a DNS server because their customers expect one.

    It's hard to imagine any reason for Cloudflare to do it other than because they want to analyze DNS traffic, and then it's in a much more centralized location than to be distributed across every network and ISP.

    > DoT uses port 853, which can just be blocked wholesale. It's not feasible to do the same for DoH since it uses port 443.

    So run DoT over port 443. The benefit of DoT is removing the implementation complexity of a pointless HTTP stack.

    > Normal people won't change defaults, and they deserve privacy too.

    So change the system defaults to use DoT. That might even get you port 853 open, because breaking the defaults in popular devices would get the network admins off their butts to notice that a new protocol exists.

    • > But is this actually any better than leaking them to Cloudflare? There is at least the possibility that the ISP isn't logging them and that they only run a DNS server because their customers expect one.

      > It's hard to imagine any reason for Cloudflare to do it other than because they want to analyze DNS traffic, and then it's in a much more centralized location than to be distributed across every network and ISP.

      Your ISP knows your real-world identity, whereas Cloudflare just knows your IP address. And I trust most ISPs, e.g., Comcast, less than I trust Cloudflare.

      > So run DoT over port 443. The benefit of DoT is removing the implementation complexity of a pointless HTTP stack.

      That would be perfectly fine and address all of these problems, but it isn't how things work today, and unless/until it does happen, I think DoH is way, way better than DoT over port 853.

      > So change the system defaults to use DoT. That might even get you port 853 open, because breaking the defaults in popular devices would get the network admins off their butts to notice that a new protocol exists.

      That'd only be true if the system defaults prevented fallback to insecure DNS, and so far, the few systems that support any form of secure DNS all will automatically do insecure fallback.


    • > It's hard to imagine any reason for Cloudflare to do it other than because they want to analyze DNS traffic, and then it's in a much more centralized location than to be distributed across every network and ISP.

      Isn't bot/DDoS protection a very obvious reason for Cloudflare to do it?

      Any normal user agent will make a DNS request shortly before requesting a page from that domain. A normal user agent will also request the page from the IP returned by the DNS server.

      Attempting to connect to a server IP hosted by Cloudflare from a client IP that has not recently received that server IP in a DNS response seems like an obvious signal for their bot/DDoS mitigation system.

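The correlation heuristic sketched in the comment above, written out as an added example that is not from the thread or from Cloudflare: it joins a DNS answer log with a connection log and flags connections whose client received no recent DNS answer naming that server IP. The log formats, the five-minute window and every address are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the thread).
# DNS answer log: timestamp, client IP, queried name, answered server IP.
DNS_LOG = """\
2024-05-01T10:00:00 203.0.113.10 example.com 198.51.100.7
2024-05-01T10:00:01 203.0.113.11 example.com 198.51.100.7
"""
# Connection log: timestamp, client IP, destination server IP.
CONN_LOG = """\
2024-05-01T10:00:02 203.0.113.10 198.51.100.7
2024-05-01T10:00:03 203.0.113.12 198.51.100.7
2024-05-01T10:20:00 203.0.113.11 198.51.100.7
"""

# How long a DNS answer "vouches" for a later connection (assumed; tune to record TTLs).
WINDOW = timedelta(minutes=5)

def build_dns_index(dns_log):
    """Map (client, server_ip) -> list of times that answer was seen by the client."""
    index = defaultdict(list)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, client, _name, answer = line.split()
        index[(client, answer)].append(datetime.fromisoformat(ts))
    return index

def find_unresolved_connections(dns_log, conn_log, window=WINDOW):
    """Return (client, server, ts) for connections whose client got no DNS answer
    naming that server within `window` before connecting. A hit is a signal,
    not proof: cached answers, hard-coded IPs and resolvers the logger cannot
    see (other DoH/DoT providers) all produce false positives."""
    index = build_dns_index(dns_log)
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, client, server = line.split()
        t = datetime.fromisoformat(ts)
        vouched = any(t - window <= seen <= t for seen in index.get((client, server), []))
        if not vouched:
            hits.append((client, server, ts))
    return hits

if __name__ == "__main__":
    for client, server, ts in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{ts}: {client} -> {server} without a preceding DNS answer")
```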

  • With or without DoH your ISP knows all hosts you connect to anyway, for HTTP and similar, including the hostname. ECH could have been an improvement but does not get much traction.

    • ECH is getting deployed, and we shouldn't make it forever useless just because it's not widely deployed already.

> A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS.

You forgot the "let's intercept in a public place (e.g. public Wi-Fi hotspots)" one where blocking port 853 is super trivial while blocking port 443... is impossible. Sure, Google DNS will be blocked easily, but there are a lot of DoH providers!

  • There is no law against running DoT over port 443.

    • At that point you might as well use DoH. But you're also reasoning axiomatically about something we have a lot of documentary evidence for: the DNS operator community (or a big chunk of it) favors DoT and opposes DoH because they want to make it easier to block encrypted DNS; they frame this in terms of "control over their own networks".


  • There are only like 3 major ones. You can block those IPs too.

    • There's a ton of minor ones, it's easy to spin up your own, and the hope is that eventually, with ECH, it won't be possible to block them without blocking basically the entire Internet like North Korea does.


> Normal people have no idea that this even exists, much less how to do it, so they're still having all their queries routed to Cloudflare by default.

This is a complaint about Firefox's implementation, not DoH in general. Chrome will use DoH with your system DNS provider, if it supports it.

I'm torn on whether using Cloudflare by default was a good choice. On the one hand, having all requests going to a single provider and trusting that provider not to log anything is a potential privacy problem. And it can cause problems for people who use private DNS resolvers. On the other hand, even if you don't completely trust Cloudflare, it is probably more private than a lot of people's default DNS providers that come from ISPs that are known to spy on customers either for profit or at the request of a government.