On the technical standpoint, I fully agree with Giles: let the browser render pages, and OS do the resolution. This pattern of letting the browser do more and more OS tasks is awkward. It have a couple issues, as is a new protocol, not everyone agrees how things were done, Firefox forces it instead of letting the OS decide, things like that. As it is now, it's a mess.

On the other hand, I see governments fuming over DNS-over-HTTPS (DoH), and that alone makes me wonder why. The old "terrorists and pedophiles" label attached to it implies the government is losing access to something they want to have. As DoH uses the same port as HTTPS (443), it's more difficult to identify a DNS request among all HTTPS traffic, and that does not happen with DNS-over-TLS(DoT).

For people in the "Free World," there's nothing much to fear by letting the ISP know the domains you browse, except more spam and directed ads. For people on the Chinese/Russian/Muslim block, a "restricted domain" can lead to trouble. With DoH in place, and Cloudflare proxy for the "restricted domain", anyone can access anything, and the ISP/government only knows you are accessing one of the myriad of domains protected by Cloudflare. Or Akamay.

I would install a dns-proxy that receives plain old DNS queries and forwards them to a trusted DoH/DoT server somewhere else. So the OS would do the resolution, not my programs.

Mauro
http://mauro.limeiratem.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.


Em seg., 23 de dez. de 2019 às 15:37, Giles Orr via talk <talk@gtalug.org> escreveu:
On Mon, 23 Dec 2019 at 10:58, Alvin Starr via talk <talk@gtalug.org> wrote:
> On 12/23/19 10:24 AM, James Knott via talk wrote:
> > On 2019-12-23 10:19 AM, Alvin Starr via talk wrote:
> >> This will also make it harder for people who are on your wifi link to
> >> snoop on what your trying to connect to.
> >> Still any security enhancement is a security enhancement and makes it
> >> harder for others to steal your information, and generally that is a
> >> good thing.
> >
> > Some people have other ideas:
> > https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> >
>
> Its an interesting set of issues.
>
>  From a quick browse through the URL the complains seem to break into 2
> categories.
> - it makes tracking harder
> - if not properly implemented it provides no extra security.
>
> Both things tend to be true of encryption technologies.
>
> I am not sure I would be running out to implement DoH any time soon
> because it does not seem like a great value.

I'm also not enthusiastic about taking DNS out of the hands of the
operating system: not only does this break "do one thing and do it
well" (although browsers did that long ago), it also means that if you
have name resolution problems the solution becomes split on "is this
in the browser or somewhere else?"  It seems to me that this solution
- if implemented at all, and it's sounding like a bad idea - should be
done at the OS level, not the browser.

I'm going to pass on this little development and see how it plays out ...

Thanks everyone.

--
Giles
https://www.gilesorr.com/
gilesorr@gmail.com
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk