Comment by exabrial

17 hours ago

DNS over HTTPS exclusively exists because stuff like Pi-hole started eating into Ad Revenue for Google. That's why this "feature" is so hard to disable in the browsers as well.

I hope they're forced to divest from Android and Chrome. It's absolute anti-consumer garbage.

DNSCurve exists and was a far better solution, but that in turn... you know, cut into ISP spying as well.

>DNS over HTTPS exclusively exists because stuff like Pi-hole started eating into Ad Revenue for Google. That's why this "feature" is so hard to disable in the browsers as well.

Exactly. Which is why I point my Pi-hole at my own recursive resolver.

Can my ISP see those queries? Sure. Are they using transparent proxies to redirect my queries to their resolvers? No.

Is my ISP cataloguing all my recursive resolutions? Maybe. But probably not. Theoretically, they could, but mirroring all the traffic to storage for tens of millions of customers seems exorbitant, unnecessary and wasteful.

More likely, I'd expect that at some point (likely the router interface at my local head-end), they use NetFlow[0] and/or something similar to characterize the IP-based traffic being transmitted through it. The collected data wouldn't contain the DNS queries themselves, so my ISP would need to rely on just the NetFlow data.

And while it is possible for ISPs to correlate DNS queries to NetFlow streams[1][2], using a recursive resolver rather than their resolver makes it more cumbersome for them (or Cloudflare, or Google, etc.) to do so.

Regardless, I'd much prefer that my recursive resolver use encrypted communications, not so much between it and the root servers, but between it and authoritative servers. The former would be nice, but depending on the encryption overhead (TLS or even just TCP connections to the root servers would require significant extra resources), likely impractical.

>DNSCurve exists and was a far better solution

Is there any recent activity WRT that protocol? I found some stuff from at least a decade ago.

The IETF's DNS Private Exchange[3] (dprive) working group has a few interesting things, but it sure would be nice to have the DNS equivalent of SMTP's STARTTLS[5] feature, perhaps à la RFC 9539[4]?

Perhaps one day there will be mainstream support for that.

What I do works for my use case, but likely isn't workable for many (most?) other folks.

[0] https://en.wikipedia.org/wiki/NetFlow

[1] https://arxiv.org/pdf/2211.05682

[2] https://github.com/maganiss/FlowDNS

[3] https://datatracker.ietf.org/wg/dprive/documents/

[4] https://www.rfc-editor.org/rfc/rfc9539.txt

[5] https://en.wikipedia.org/wiki/Opportunistic_TLS
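The "Pi-hole pointed at my own recursive resolver" setup described in the reply above, as an added example rather than anything from the original post: a minimal Unbound configuration for a loopback-only recursive resolver that Pi-hole forwards to. Unbound is an assumption (the commenter never names their resolver software), and the file paths follow the Debian package layout. Consistent with the reply's caveat, nothing here encrypts the resolver's own traffic to root or authoritative servers; QNAME minimisation only limits how much of each name those servers see.

```conf
# Added example, not from the original post. Unbound recursive resolver
# listening on loopback for a Pi-hole running on the same host.
server:
    # Accept queries only from localhost (Pi-hole forwards here).
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # No forward-zone: recurse from the root hints ourselves, so neither
    # the ISP's resolver nor a public resolver sees the full query stream.
    # Path is distro-dependent (Debian shown).
    root-hints: "/var/lib/unbound/root.hints"

    # QNAME minimisation (RFC 7816): send root and TLD servers only the
    # labels they need, not the full name being looked up.
    qname-minimisation: yes

    # DNSSEC validation; refuse answers that had their signatures stripped.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    aggressive-nsec: yes

    # Keep UDP answers below the fragmentation threshold.
    edns-buffer-size: 1232

    # Do not answer CH TXT id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes

    # Refresh popular records before they expire.
    prefetch: yes
    num-threads: 1

    # Never accept RFC 1918 addresses in answers for public names.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
```

On the Pi-hole side, set the only upstream DNS server to 127.0.0.1#5335 and leave every public resolver unchecked, otherwise Pi-hole will still round-robin some queries to them.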