Comment by josephcsible
1 day ago
If you're worried about IoT garbage spying on you, blocking DoH wouldn't even help. Presumably, there's something important on the Internet that they need to access (since otherwise you'd just air gap them outright), so they could exfiltrate your data through the same connection that they're using for their legitimate purpose.
But that's the game that most IoT stuff plays. They offer some utility that makes them worthwhile, but they exfiltrate your data to marketeers and even government entities (such as Ring's partnership with law enforcement).
Maybe I'm old-school, but I like to have some control over what's going in and out of my network. DoH seems to exist mainly to circumvent that control.
> DoH seems to exist mainly to circumvent that control.
Hate to break it to you, but if I control the client, then I'm not in any way obligated to use DNS or any other IETF-endorsed protocol to turn names into numbers when I'm running on your network.
The idea of "controlling what's going in and out of the network" died in the 90s.
> But that's the game that most IoT stuff plays. They offer some utility that makes them worthwhile, but they exfiltrate your data to marketeers and even government entities (such as Ring's partnership with law enforcement).
Sure. My point is that blocking DoH wouldn't stop that though.
> Maybe I'm old-school, but I like to have some control over what's going in and out of my network.
What if you were a public Wi-Fi operator? You definitely shouldn't have control or insight into the traffic to and from other people's computers and phones.
> DoH seems to exist mainly to circumvent that control.
No, DoH is purely a good thing, since the evil use cases like above can happen even without it.
Sure, it's a "good thing" for the IoT garbage and the information hoarders, but it's not a "good thing" from my perspective, or from the perspective of corporate IT security.
> they could exfiltrate your data through the same connection that they're using for their legitimate purpose.
Their traffic can be monitored. They can secretly exfiltrate if they hide it, use pinned certs or use some custom encryption. This should be a red flag.
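As an added example (not code from anyone in this thread), one way to act on that last point from the monitoring side: a small Python check over constructed flow records that flags a client for talking to well-known DoH/DoT endpoints, or for opening TLS to an address the local resolver never handed it. The hostname list, the sample records and the record layout are assumptions.

```python
"""Flag devices that bypass the local resolver.

Two heuristics over constructed, time-ordered flow records:
  1. connections to well-known public encrypted-DNS endpoints
     (port 853 for DoT, or TLS with a known DoH hostname as SNI);
  2. TLS connections to an IP that the local resolver never returned
     to that client, i.e. the name was resolved some other way
     (DoH, hardcoded IPs) or not at all.
"""
from collections import defaultdict

# Assumed list of well-known public DoH hostnames (not from the thread).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample records: (kind, client, remote, port, name).
# "dns" = an answer the local resolver handed to the client;
# "tls" = an outbound TLS flow, with the SNI seen in the ClientHello ("" if none).
SAMPLE = [
    ("dns", "10.0.1.20", "93.184.216.34", 53, "updates.example.net"),
    ("tls", "10.0.1.20", "93.184.216.34", 443, "updates.example.net"),
    ("tls", "10.0.1.21", "8.8.8.8", 443, "dns.google"),
    ("tls", "10.0.1.22", "1.1.1.1", 853, ""),
    ("tls", "10.0.1.23", "203.0.113.9", 443, ""),
]


def find_resolver_bypass(records):
    """Return {client: [reasons]} for clients showing DoH/DoT or unresolved IPs.

    Records must be in time order so resolver answers precede the flows
    that use them (a real deployment would also age out stale answers).
    """
    resolved = defaultdict(set)    # client -> IPs the local resolver returned
    findings = defaultdict(list)
    for kind, client, remote, port, name in records:
        if kind == "dns":
            resolved[client].add(remote)
            continue
        if port == 853:
            findings[client].append(f"DoT to {remote}:853")
        elif name in DOH_HOSTS:
            findings[client].append(f"DoH to {name} ({remote})")
        elif remote not in resolved[client]:
            findings[client].append(
                f"TLS to {remote} never returned by local resolver (SNI={name or 'none'})")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in find_resolver_bypass(SAMPLE).items():
        print(client, "->", "; ".join(reasons))
```

The second heuristic is the one that catches a device using custom encryption or hardcoded addresses rather than a public DoH resolver, which is why it matters more than any blocklist.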