[kwlug-disc] CCC talk about DNS(ystem)

Chris Frey cdfrey at foursquare.net
Fri Apr 10 22:47:49 EDT 2020


On Fri, Apr 10, 2020 at 10:22:45AM -0400, Mikalai Birukou via kwlug-disc wrote:
> >There must be some other reason people are pushing DoH so hard.
> Here is a scenario. Computer system connects via Tor to DoH point to learn
> where update servers are. Maybe it checks other DoH points to see if there
> is a consensus. Then it connects via Tor to an update server.
> 
> In this setting the update server has to serve Bundestrojaner (
> https://en.wikipedia.org/wiki/Bundestrojaner ) to everyone, or no one. :)

Thanks to both you and Doug for the replies.  I finally watched most of
the original CCC video.  Still looks like a solution in search of a
problem.

It's a clever solution, I'll give it that.  I didn't realize at first
that the HTTPS part was actually hitching a ride on a popular port so
that encrypted DNS could not be blocked.

I like the idea that you can set up your own DoH server and direct the
browser to it.  That makes it less useless. :-)  And I suppose it adds that
little bit of extra security in case you're worried about a bad actor
hacking both your DNS and Let's Encrypt's DNS and setting up a MITM website
just to get your credentials to your bank.

If Tor is the main proof of DoH's usefulness, that's probably why some
people, like me, are confused.  It's so far from the average person's
security needs, yet they claim that DoH is targeted to the average user.
That average person is going to use all this edge-case security, not to
login to their email via Tor, but more likely to set up an Alexa spying tool
in their own home.  A total waste. :-)

But now that I understand its history a bit better, I'll expect to see
lots of DoH providers springing up, and (ahem) even ISPs themselves
offering it.

- Chris
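As an added illustration of the two mechanisms discussed above (not code from this thread or from the CCC talk), here is a minimal RFC 8484 DNS-over-HTTPS client: it POSTs an ordinary DNS wire-format query to a resolver over HTTPS, which is why the traffic rides on port 443 alongside normal web traffic, and it includes the cross-resolver agreement check from Mikalai's scenario. The resolver URL passed to `doh_query` is assumed to be an endpoint you host or trust; `sample_response()` is a constructed response so the parser can be exercised offline.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client with a multi-resolver agreement check.
Added example for the kwlug-disc thread, not code from it. Resolver URLs are
assumed to be your own or trusted endpoints; sample_response() is constructed."""
import struct
import urllib.request
from typing import Dict, List, Set, Tuple


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Single-question query; ID 0 as RFC 8484 suggests for HTTP cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def read_name(msg: bytes, off: int, max_hops: int = 16) -> Tuple[str, int]:
    """Read a possibly compressed name; returns (name, offset after the name).
    Pointer hops are bounded so a hostile response cannot loop the parser."""
    labels: List[str] = []
    end, hops = -1, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            if end < 0:
                end = off + 2  # the name ends here in the original stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end >= 0 else off)


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses found in the answer section of a response."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode={flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def doh_query(url: str, name: str, timeout: float = 5.0) -> List[str]:
    """POST the wire-format query over HTTPS (port 443), per RFC 8484."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_a_records(resp.read())


def consensus(results: Dict[str, List[str]]) -> Tuple[bool, Set[str]]:
    """True when every resolver returned the same address set (order ignored),
    together with the addresses all of them agree on."""
    sets = [set(v) for v in results.values()]
    if not sets:
        return False, set()
    return all(s == sets[0] for s in sets), set.intersection(*sets)


def sample_response() -> bytes:
    """Constructed response for example.com: two A records in RFC 5737
    documentation space, using a compression pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)  # QR=1 RD=1 RA=1
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in (b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02"):  # 192.0.2.1, .2
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ip
    return header + question + answers


if __name__ == "__main__":
    print(parse_a_records(sample_response()))  # offline demo of the parser
    # Live use: compare several resolvers you trust, e.g.
    # consensus({u: doh_query(u, "example.com") for u in ["https://<your-doh>/dns-query"]})
```

The agreement check is only as strong as the independence of the resolvers you compare; querying two endpoints run by the same operator tells you little, which is the point Mikalai's scenario makes about forcing the server to treat everyone alike.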