[Dnsmasq-discuss] Native DNS over TLS support... ?

Normen Kowalewski nbkowalewski at gmx.net
Tue Jul 30 13:17:07 BST 2019


Hi Dominik,

If an operator you trust offers DoT with DNSSEC validated name and pinned certificate - would you trust this more than if all happens in the clear?
At least it allows me to make sure that there are just two places where my DNS is in the clear - on the HG and on the DNS service endpoint I trust.


BR, 

Normen
 

> On 30. Jul 2019, at 09:03, Dominik <dl6er at dl6er.de> wrote:
> 
> Hey Normen,
> 
> What is the precise goal you want to achieve with DNS-over-TLS?
> 
> You have to connect to the host before the encryption begins. So, after the browser has the IP address for the domain it seeks, it requests that host address in clear text. If you want to give your browsing from your IDP, this is the point where you have inevitably lost without a VPN. Only after a connection has been established, the TLS handshake process begins and the encryption is operational.
> 
> As such, DoH and DoT do nothing to increase your privacy against your ISP. They can still see your IP requests if they want, and a third party DNS service has your entire DNS history. You do have the benefit of authenticity, in that the DNS travels in an encrypted tunnel with protection from a third party modifying it. However, when you use DNSSEC, you already get the same security benefits.
> 
> From a privacy point of view, I typically recommend running a local unbound instance on the same machine that does reverse lookups and DNSSEC authentication for you. By this, no single DNS provider has all your data.
> 
> Your view might differ from mine, it's always a question of whom you trust more over the others. There is no solution where you don't have to trust, e.g., either your ISP or a VPN provider. I just know that I trust my local ISP over some random large scale "for free" DNS provider which is why I have my local unbound resolver in addition to dnsmasq.
> 
> Best,
> Dominik
> 
> On 30 July 2019 02:58:19 CEST, "Normen B. Kowalewski" <nbkowalewski at gmx.net> wrote:
>> Hi Simon,
>> 
>> I would love to have my HG funnel all local LAN DNS queries through a
>> properly TLS secured path towards my trusted DNS of choice.
>> 
>> I stumbled upon a several year old narkive thread where you were
>> considering DNS-over-TLS support:
>> https://dnsmasq-discuss.thekelleys.org.narkive.com/ID8nebif/dns-over-tls
>> 
>> Are you seeing this still as something in the future of dnsmasq native
>> implementation, without extra external proxy function like stubby?
>> 
>> BR, Normen
>> 
>> 
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
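The two setups argued over in this thread, as an added configuration example that is not part of any message above and not dnsmasq's or unbound's own documentation: dnsmasq hands every LAN query to a local unbound instance that validates DNSSEC itself (Dominik's recommendation), and, optionally, unbound forwards the upstream traffic over TLS to one trusted operator whose certificate name is verified (Normen's preference). File paths, the listening port 5335 and the UPSTREAM_IP / UPSTREAM_NAME values are assumptions or placeholders; every option name is a real dnsmasq or unbound option.

```conf
# --- /etc/dnsmasq.d/local-forward.conf (dnsmasq side; path is an assumption) ---
# Do not read /etc/resolv.conf; send every query to the local unbound only.
no-resolv
server=127.0.0.1#5335
# Pass DNSSEC records from unbound through to LAN clients that ask for them.
proxy-dnssec

# --- /etc/unbound/unbound.conf (unbound side; path is an assumption) ---
server:
    interface: 127.0.0.1
    port: 5335
    # Validate DNSSEC locally; unbound keeps the root trust anchor current (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Treat answers whose DNSSEC data was stripped as bogus instead of insecure.
    harden-dnssec-stripped: yes
    # Send as little of the query name to each upstream server as possible.
    qname-minimisation: yes
    # CA bundle used to verify the upstream certificate when forwarding over TLS.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Option A (Dominik's suggestion): delete the forward-zone below. unbound then
# resolves from the root servers itself, so no single provider sees every query.

# Option B (Normen's preference): forward everything over TLS (port 853) to one
# trusted operator. UPSTREAM_IP and UPSTREAM_NAME are placeholders; the "#name"
# suffix makes unbound check that the presented certificate matches that name.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: UPSTREAM_IP@853#UPSTREAM_NAME
```

With option B the ISP sees only an encrypted stream to UPSTREAM_IP on port 853, and the chosen operator sees the full query history; with option A the queries are spread across the authoritative servers in the clear. Neither changes the point Dominik makes about the TLS handshake: the browser still connects to the resolved address before encryption starts, so DoT only moves where the DNS data is visible, it does not hide which hosts are contacted.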



