 DoH, DoT, DNSCrypt and DoQ have been a good attempt to mitigate the privacy of DNS queries against a third party (especially the ISP). Unfortunately they depend on the implementation of ESNI or ECH; otherwise, when an HTTPS connection is established, the SNI is transmitted in plain text and contains the domain name.

The problem is that both browser and web server must be compatible with ESNI or ECH, and this is practically impossible in practice; adoption is very slow.

I had hoped that this would go faster but given the case, the only viable option remains the use of a VPN since it encrypts both traffic and DNS queries.

#Privacy does not matter 😢.
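To make the SNI leak described above concrete, here is an added example (not part of the original post) that builds a minimal TLS ClientHello and then parses it the way a passive on-path observer would, extracting the clear-text server_name and checking whether an encrypted_client_hello extension (type 0xfe0d) is present. The ClientHello bytes are constructed for the example; the ECH payload is a placeholder, not a real HPKE-encrypted inner hello.

```python
import struct

SNI_EXT, ECH_EXT = 0x0000, 0xFE0D  # server_name, encrypted_client_hello (draft codepoint)

def build_client_hello(host: str, with_ech: bool = False) -> bytes:
    """Construct a minimal TLS-framed ClientHello (constructed sample, not a capture)."""
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host.encode()  # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if with_ech:
        # Placeholder body; with real ECH the outer SNI carries only the public name
        # and the true host name lives in the encrypted inner ClientHello.
        ech_body = b"\x00" * 8
        exts += struct.pack("!HH", ECH_EXT, len(ech_body)) + ech_body
    body = (b"\x03\x03" + b"\x00" * 32            # legacy_version, random
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record: bytes) -> dict:
    """Return what an observer reads without any key: clear-text SNI and ECH presence."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                  # record+handshake hdrs, version, random
    pos += 1 + record[pos]                            # skip legacy_session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + cs_len                                 # skip cipher suites
    pos += 1 + record[pos]                            # skip compression methods
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:  # name_type host_name
            name_len = struct.unpack_from("!H", data, 3)[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == ECH_EXT:
            result["ech"] = True
    return result
```

Run against real traffic, an `ech: True` with an `sni` equal to the provider's public name is the desired state; `ech: False` means the domain is readable by anyone on the path regardless of how the DNS lookup was protected.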
 Wouldn't #Invizible be a good alternative for you?

https://github.com/Gedsh/InviZible

Just curious about your PO about it 
 dnscrypt doesn't rely on TLS. 
 Also, I don't understand what you're actually commenting on with ESNI and ECH .. is it the dns query or the subsequent webserver connection? 
 https://www.teldat.com/blog/internet-encryption-dns-https-esni-in-tls/ 
 Sure, so the passive attacker knows you connect to the DoH/DoT ip address and it leaks the fact that it is "dotprovider.secret", but not the query you send.
Indeed SNI was necessary at first for webservers that serve multiple domains. ESNI solves that.
I didn't see dnscrypt discussed while scanning the article. dnscrypt is built on plain UDP/TCP packets, very similar to original DNS, but with encryption. See spec at dnscrypt.info (Note also that there are "oblivious" querying methods that obscure the exact domain name you're querying from the nameserver. Offered by dnscrypt-proxy.)

Afaict from your post, the emphasis is predominantly on the (E)SNI issue. 
 Dnscrypt also does not solve the sni problem. 
 Sure, but that means we agree that the DNS methods themselves aren't a problem. I wasn't sure about that.
Have you considered the OCSP queries? Given that we all want https on all servers, now suddenly we need to query for certificate validity in every connection. 😋
Firefox allows you to use CRLite but it has to be enabled. 
 (As a side-note: maybe not every connection. I haven't looked into when it is exactly invoked.)