Quick question about DNS and DoH that I thought about after reading this post:

https://packmates.org/@[email protected]/111176886781705659

Wouldn’t it make sense for Firefox or another third party to bundle and transparently forward all DoH requests to cloudflare so that:

A) Cloudflare doesn’t know who made what request due to not knowing the origin

B) Firefox doesn’t know who made what request due to TLS

#Infosec #Privacy
CC: @privacyguides

  • FeelzGoodMan420@eviltoast.org
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Just an fyi. DoH is a fucking nightmare for network management. For example, if you use a pihole on your network, you 100% do NOT want devices using encrypted DNS.

  • phanto@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I have a mini PC that is always on that runs my NTP and DNS, and it’s upstream DNS is quad nine out of Switzerland. (9.9.9.9). I tend toward the same usage patterns daily, and about a third of my requests never leave my home DNS to get resolved.

    • peregus@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      The TTL nowadays is about 3600 seconds, so I think that at about that rate your DNS server would flush stored entries every hour one by one and ask to 9.9.9.9 an update. That’s basically how every DNS server works (and I guess that even the ones embedded in router’s works like that with caching). Is your setup different? If yes, in which way? Thanks

      • phanto@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I set it up a long time ago, so I don’t honestly remember. I followed some guide, and did a few domain redirects to point at stuff on my home network and to shut Zuck out of my life, but I didn’t do anything crazy. So, I doubt it, but I don’t know.

  • Jørn@ipv6.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    @Wander @privacyguides I think that’s what ODoH is. Apple also does something like that with their private relay service.

    However, it still allows the last DNS provider in the chain to see all queries, even if they don’t know the exact source.

    • toxicyeti
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I’ve just started using their Zero trust stuff and so far I like it. Why should I not use them? What other options are better?

      • Free Palestine 🇵🇸
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I meant Cloudflare DNS, I don’t understand why Firefox uses Cloudflare DNS when there are so many other great options like NextDNS. The reason why many people in the privacy community dislike Cloudflare or CDNs in general is because they are often hostile to VPN or TOR users, and they centralize the web.