So, I read some articles on DoH and it looks like the whole thing is a myth and doesn’t really help in enhancing user privacy and security. Even if the DNS requests are encrypted, the ISP will still be able to track you.
What are your thoughts?
It does help with security, since you can trust the query wasn’t tampered with.
If you’re looking for an anti-tampering mechanism, DNSSEC signatures are what you’re looking for. DNS over HTTPS establishes a “reasonably-secure” [1] connection to the DNS resolver. Not accounting for [1], that resolver (Cloudflare or other) can still lie to you consciously, or unconsciously propagate a malicious answer it received, because recursive resolution (I believe) still has no standard for secure transport: DNS over TLS is slowly getting traction, but it’s far from deployed on every primary nameserver.
[1] HTTPS is somewhat-secure because it’s an effective defense against script kiddies and malicious ISPs. However, it’s a very weak threat model where dozens of actors (the Certificate Authorities) can impersonate (almost) any server. And they do just that. It’s crazy how many CAs over the years have been caught misbehaving, often with little consequence except in the most egregious cases where Mozilla/Google pushed for their revocation as part of BrowserCA.
Not really. DNSSEC validation is done by the resolver, not the end device. So a malicious resolver (or a spoofed response) could still lie to you.
DoH does prevent the possibility of spoofing the response coming from the resolver, but you still have to trust the resolver not to lie to you.
It depends on your actual setup. If you operate your own network, DNSSEC validation will probably happen on your local DNS resolver (usually on your router). But your forwarding/stub resolvers running on your own machine could (should?!) also validate DNSSEC signatures… I’m not sure what the default is on most systems, though.
AFAIK this kind of setup is only used by people that use Pi-hole, for example. In most cases I don’t think that ISP routers have a recursive DNS resolver; I think most of the time the recursion is done by an ISP resolver outside of your LAN.