[kwlug-disc] CCC talk about DNS(ystem)

Doug Moen doug at moens.org
Fri Apr 10 11:07:50 EDT 2020


There are two concerns with DNS, privacy and security. What you should do depends on your threat model.

Privacy seems intractable unless you use a VPN or TOR.

Security is about protecting yourself from man-in-the-middle attacks that block requests, or redirect requests to advertising sites or phishing sites. DoH and Canadian Shield are a solution for that. I trust CIRA more than I trust certain local ISPs.

I don't have any evidence that our local ISPs are modifying DNS traffic, although this does happen in other parts of the world. All Canadian ISPs do mandatory blocking of "bad" web sites, but I think that is done by blocking based on the destination IP address.

Local ISPs do interfere with internet traffic in questionable or unethical ways. When I dropped Rogers as an ISP, they had just implemented a man-in-the-middle attack on a mail server I happened to be running at the time. This MITM disabled STARTTLS encryption. A few years ago, Telus was in the news for blocking access to the web site of a union that was attempting to organize Telus employees. So it's not totally unreasonable to protect your DNS traffic from a MITM attack by your ISP, by using Canadian Shield. I just don't have evidence that local ISPs are performing MITM attacks on *that particular internet protocol*, even though they are known to be attacking other protocols.


On Fri, Apr 10, 2020, at 5:07 AM, Chris Frey wrote:
> On Wed, Apr 08, 2020 at 11:59:26PM +0000, Doug Moen wrote:
> > By the way, what do you use for trusted DNS in your home setup? How
> > do you get trusted and private DNS service if you trust nobody outside
> > of your immediate social group?
> 
> I don't understand the value of DoH.  Or DoT for that matter.
> 
> The distributed nature of DNS is its advantage.  DoH throws that away,
> without adding anything... even with DoH *and* HTTPS, your ISP
> still knows who you're talking to.
> 
> If I don't trust my ISP, there is VPN for that.  Otherwise, my ISP knows
> where all my traffic goes, how big it is, when it happened, and how
> often it happens.  And that is *with* DoH and HTTPS.
> 
> There must be some other reason people are pushing DoH so hard.
> 
> - Chris
> 
> 
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>
