dnscrypt doesn't rely on TLS.
Also, I don't understand what you're actually commenting on with ESNI and ECH .. is it the dns query or the subsequent webserver connection?
https://www.teldat.com/blog/internet-encryption-dns-https-esni-in-tls/
Sure, so the passive attacker knows you connect to the DoH/DoT ip address and it leaks the fact that it is "dotprovider.secret", but not the query you send.
Indeed SNI was necessary at first for webservers that serve multiple domains. ESNI solves that.
I didn't see dnscrypt discussed while scanning the article. dnscrypt is built on plain UDP/TCP packets, very similar to original DNS, but with encryption. See spec at dnscrypt.info (Note also that there are "oblivious" querying methods that obscure the exact domain name you're querying from the nameserver. Offered by dnscrypt-proxy.)

Afaict from your post, the emphasis is predominantly on the (E)SNI issue. 
Dnscrypt also does not solve the SNI problem.
Sure, but that means we agree that the dns methods themselves aren't a problem. I wasn't sure about that.
Have you considered the OCSP queries? Given that we all want https on all servers, now suddenly we need to query for certificate validity in every connection. 😋
Firefox allows you to use CRLite but it has to be enabled. 
(As a side-note: maybe not every connection. I haven't looked into when it is exactly invoked.)