Comment by SchemaLoad

6 days ago

Encrypted DNS has existed for quite a while now through DNS over HTTPS, the missing link was that to connect to a website, you first had to send the server the hostname in plaintext to get the right public key for the site. So someone listening on the wire could not see your DNS requests but would effectively still get the site you connected to anyway.

The new development (encrypted client hello) is you no longer have to send the hostname. So someone listening in the middle would only see you connected to an AWS/etc IP. This will make blocking websites very difficult if they use shared services like cloudflare or cloud VPS hosting.
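As an added illustration that is not part of SchemaLoad's comment: a small Python script that builds a constructed TLS ClientHello and shows what a passive observer on the wire reads from it, either the plaintext SNI or, when an ECH extension is present, only the outer public name. The ECH codepoint 0xfe0d (draft-ietf-tls-esni) and all hostnames here are assumptions, and the ECH payload is an opaque stand-in rather than a real encrypted inner ClientHello.

```python
import struct
SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni codepoint, assumed)

def build_client_hello(sni, ech_payload=b""):
    """Build a minimal, constructed TLS 1.3 ClientHello record (not a real capture)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    sni_ext = struct.pack("!H", len(entry)) + entry                 # server_name_list
    exts = struct.pack("!HH", SNI_EXT, len(sni_ext)) + sni_ext
    if ech_payload:   # opaque stand-in for the encrypted inner ClientHello
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x11" * 32              # legacy_version, fixed demo random
            + b"\x00"                                # empty legacy_session_id
            + b"\x00\x02\x13\x01"                    # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record layer header

def observe(record):
    """What a passive observer can read: the outer SNI and whether ECH is in use."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9 + 2 + 32                                    # record hdr, hs hdr, version, random
    p += 1 + record[p]                                # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    result = {"sni": None, "ech": False}
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == ECH_EXT:
            result["ech"] = True
        elif etype == SNI_EXT:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q < 2 + list_len:                   # (name_type, u16 len, name) entries
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    result["sni"] = data[q + 3:q + 3 + nlen].decode()
                q += 3 + nlen
    return result

if __name__ == "__main__":
    print(observe(build_client_hello("secret.example")))                     # SNI leaks in the clear
    print(observe(build_client_hello("public-name.example", b"\x00" * 16)))  # only the public name
```

In the second case the real hostname never appears in the record at all, which is exactly what a DNS-level blocklist or SNI filter loses once the site sits behind a shared ECH-capable front end.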

> blocking websites very difficult if they use shared services like cloudflare or cloud VPS hosting.

I see this as a very good development and a big win for privacy. I have been running my own DNS server for years to prevent passive logging, but could basically do nothing against the SNI leak.

> This will make blocking websites very difficult if they use shared services like cloudflare or cloud VPS hosting.

Until some clueless judge orders all of cloudflare to be blocked.

  • True!

    Though I worry that instead western governments will beat the judges to the punch and start asking things like DNS providers or even HTTPS servers to keep logs that can be subpoenaed much like a telecom company keeps a log of each phone call ("metadata"), or else be blocked...

    • Western governments just send a court order to the hosting provider to shut the site down / revoke their domain name. Site blocking is more of a problem for small countries trying to block sites the rest of the world allows to be hosted.

      In terms of privacy, your DNS history probably isn't very interesting. It's almost all going to be requests for the top social media sites, and governments have full access to the stuff you post there.