Re: [GTALUG] CIRA officially launches free DNS firewall for consumers | IT World Canada News

On 2020-04-28 09:16, ac via talk wrote:
> On Tue, 28 Apr 2020 08:13:11 -0400
> How about just plain old DNSSEC? (instead of a nanny) - yay, IT Works! - and is so mature already... (without all the risks of having/using a nanny)

DNSSEC and DNS-over-HTTPS/DNS-over-TLS are not the same thing and don't protect against the same threats. DNSSEC protects against DNS cache poisoning by verifying the digital signature and therefore the integrity of the zone's contents. That is, it provides authentication, not encryption. DOH/DOT provides transport-level encryption of the contents of the DNS packets themselves from the host to its resolver. This provides protection against packet snooping on the wire, for example on an unsecured WiFi connection.

> and using connectivity providers (instead of third parties and dns over https) -- for caching/recursive, like Bell (Bell CA actually does not track/record/monetise their users' DNS queries afaik)

I would love it if Bell.ca offered DOH/DOT service on their recursive/caching resolvers.

> again, dnssec already protects users, it just needs wider adoption, which is the issue... as for "shared" domains like outlook.com - abuse management costs will increase? - which is probably why dnssec has never caught on, it is not "sexy" (like some nannies...)

DNSSEC adoption is indeed a problem. IMHO, this is because it is a pain to implement properly and provides little benefit to the user of the zone in most cases. Improperly signing a zone will result in it not resolving, which is one hell of a failure mode for most people to put up with. I only recently started signing my domains again, and that is only because my managed DNS provider made it very simple, as in I click a button, the zone is signed and I add the ZSK digest to my domain registrar.

Further reading on DOH/DOT and DNSSEC:
DNS Wars by Geoff Huston https://blog.apnic.net/2019/11/04/dns-wars/
DNSSEC https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

-- 
Sadiq Saif
https://sadiqsaif.com
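The distinction drawn above (DNSSEC authenticates signed records; DoH/DoT encrypts the transport) as an added example that is not from the thread: a toy zone signs an RRset with Ed25519 (DNSSEC algorithm 15) over a simplified canonical form, a resolver validates it, and a substituted address fails validation while the signed data itself stays readable. The names, addresses and key are constructed assumptions, and the canonical form is not the real RRSIG wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record constructed for this example (not wire format).
type RR struct {
	Name, Type string
	TTL        uint32
	Data       string
}

// canonicalRRset mirrors DNSSEC's rule that owner names are lower-cased and
// the RRset is sorted before signing, so wire ordering cannot break validation.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %s %d %s", strings.ToLower(rr.Name), rr.Type, rr.TTL, rr.Data))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset is the zone owner's side: an RRSIG analogue made with the private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// ValidateRRset is the resolver's side: it needs only the public key (the DNSKEY,
// trusted in real DNSSEC through the parent zone's DS record).
func ValidateRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []RR{{"www.example.com.", "A", 300, "192.0.2.10"}}
	sig := SignRRset(priv, genuine)
	// A poisoned answer swaps the address but cannot forge a matching signature.
	poisoned := []RR{{"www.example.com.", "A", 300, "198.51.100.66"}}
	fmt.Println("genuine validates:", ValidateRRset(pub, genuine, sig))
	fmt.Println("poisoned validates:", ValidateRRset(pub, poisoned, sig))
	// What DNSSEC does not do: the signed data stays plaintext on the wire.
	fmt.Printf("signed bytes readable: %q\n", canonicalRRset(genuine))
}
```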

On Tue, 28 Apr 2020 10:07:39 -0400 Sadiq Saif via talk <talk@gtalug.org> wrote:
<snip>
> DOH/DOT provides transport-level encryption of the contents of the DNS packets themselves from the host to its resolver. This provides protection against packet snooping on the wire, for example on an unsecured WiFi connection.

and this is the crux, if you are on an unsecured connection, or non-tunneled connection (which is more and more rare these days?) you may be concerned that someone knew that you wanted to know where google.com is... or where pornhub.com is, i guess... but the benefit of random general dns data lookups about facebook.com, instagram, twitter and uber is hardly of much use where even new teenagers know that they have to use tunnels/vpn/tor/etc for anything that is even partially private. What is concerning is that people use such small keysizes to do their dns over https :)

>> and using connectivity providers (instead of third parties and dns over https) -- for caching/recursive, like Bell (Bell CA actually does not track/record/monetise their users' DNS queries afaik)
> I would love it if Bell.ca offered DOH/DOT service on their recursive/caching resolvers.

again, why? it opens up so many bad doors for many bad things. (okay, maybe not as evil as walled gardens, but in the same neighborhood tho) for those users that are so concerned about visiting pornhub.com - use a tunnel? use a secured network? use tor? the average joe public does facebook, youtube, instagram, generic and useless data. I am so very very shocked that people on mobile browsers type EVERYTHING they want into GOOGLE, and here we are, discussing and talking about things like DNS over HTTPS...

>> again, dnssec already protects users, it just needs wider adoption, which is the issue... as for "shared" domains like outlook.com - abuse management costs will increase? - which is probably why dnssec has never caught on, it is not "sexy" (like some nannies...)
> DNSSEC adoption is indeed a problem. IMHO, this is because it is a pain to implement properly and provides little benefit to the user of the zone in most cases. Improperly signing a zone will result in it

au contraire. it makes it extremely challenging to spoof you!

> not resolving, which is one hell of a failure mode for most people to put up with. I only recently started signing my domains again, and that is only because my managed DNS provider made it very simple, as in I click a button, the zone is signed and I add the ZSK digest to my domain registrar.
> Further reading on DOH/DOT and DNSSEC:
> DNS Wars by Geoff Huston https://blog.apnic.net/2019/11/04/dns-wars/
> DNSSEC https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

| From: Sadiq Saif via talk <talk@gtalug.org>
| Date: Tue, 28 Apr 2020 10:07:39 -0400

| DNS Wars by Geoff Huston
| https://blog.apnic.net/2019/11/04/dns-wars/

Thanks! I just finished reading this (it was neglected in one of my browser tabs on one of my OSes on one of my computers). Very interesting. I recommend it.