[talk] DNS over TLS

George Rosamond george at ceetonetechnology.com
Wed Sep 11 21:56:00 EDT 2019


If you haven't heard, Firefox is enabling DOT by default.

I wasn't at the Vixie talk at vBSDCon on Friday, but apparently it is
worth hearing. We need to get him to speak when he's in NYC.

DOT means no more DNS lookups over UDP to the locally configured
resolvers, but all straight to Cloudflare.

Of course, you have a privacy policy to trust if that's your thing:

https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

;)

I think Chrome is doing the same thing.

The OpenBSD Firefox port is turning it off by default, and I hope
other BSD projects follow that example:

https://marc.info/?t=156794163800002&r=1&w=2

This is the relevant js to change in any user.js config file to never
use DOT:

https://wiki.mozilla.org/Trusted_Recursive_Resolver

pref("network.trr.mode", 5);

I have always emphasized the difference between "privacy" and
"anonymity" as concepts for a reason.  One is about protecting content,
the other about obscuring metadata.  You can't get privacy, like
security, through obscurity.  But anonymity is all about obscurity, i.e.,
hiding and being lost in the larger universe. Privacy is valued by
data-mining firms to protect "their" users from others, but they want to
privately data mine their own users.

It's great when ugly privacy-attacking practices are just knobs to
switch off, but that's not much consolation in this arms race.

Maybe it's high time I do another "Run a BSD Tor Node" meeting? ;)

g
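An added example, not part of the post above and not Mozilla's or the OpenBSD port's code: a small script that parses the pref()/user_pref() lines of a Firefox user.js or prefs.js, reports the effective network.trr.mode (the meanings come from the Mozilla TRR wiki page linked in the post) and rewrites the file so the mode is pinned to 5. The sample profile text is constructed for the demo; the Cloudflare URI in it is only illustrative sample data.

```javascript
// Added example, not from the original post or from Mozilla: audit the
// network.trr.* prefs in a Firefox user.js / prefs.js and pin TRR off.
// The file contents below are constructed for the demo.

// Meanings of network.trr.mode, as documented on the Mozilla TRR wiki page.
const TRR_MODES = {
  0: "off (default, but a Mozilla rollout may still switch TRR on)",
  1: "race native DNS against TRR, first answer wins",
  2: "TRR first, native DNS as fallback",
  3: "TRR only, no native fallback",
  4: "shadow mode: TRR queried but answers unused",
  5: "off by choice: rollout will not enable TRR",
};

// One pref line: pref("name", value); or user_pref("name", value);
// Commented-out lines never match because "pref" must start the line.
const PREF_RE =
  /^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(?:"((?:[^"\\]|\\.)*)"|([^)\s]+))\s*\)/;

function coerce(token) {
  if (token === "true") return true;
  if (token === "false") return false;
  if (/^-?\d+$/.test(token)) return Number(token);
  return token;
}

// Parse pref lines into a Map; like Firefox, the last setting of a name wins.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    prefs.set(m[1], m[2] !== undefined ? m[2] : coerce(m[3]));
  }
  return prefs;
}

// Report the effective TRR mode and whether it is pinned off (mode 5).
// A missing pref means mode 0, which the rollout can still override.
function auditTrr(text) {
  const prefs = parsePrefs(text);
  const mode = prefs.has("network.trr.mode") ? prefs.get("network.trr.mode") : 0;
  const trrDisabled = mode === 5;
  return {
    mode,
    description: TRR_MODES[mode] ?? "unknown mode value",
    uri: prefs.get("network.trr.uri") ?? null,
    trrDisabled,
    fix: trrDisabled ? null : 'user_pref("network.trr.mode", 5);',
  };
}

// Rewrite an existing network.trr.mode line to 5, or append one. user.js
// conventionally uses user_pref(); the pref() form from the post is parsed
// the same way, so either spelling in the input is handled.
function hardenUserJs(text) {
  const lines = text.split(/\r?\n/);
  let replaced = false;
  const out = lines.map((line) => {
    const m = PREF_RE.exec(line);
    if (m && m[1] === "network.trr.mode") {
      replaced = true;
      return 'user_pref("network.trr.mode", 5);';
    }
    return line;
  });
  if (!replaced) out.push('user_pref("network.trr.mode", 5);');
  return out.join("\n");
}

// Constructed sample: a profile where TRR-first mode points at a DoH URI.
const SAMPLE_PREFS = [
  "// Mozilla User Preferences",
  'user_pref("network.trr.mode", 2);',
  'user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");',
  '// user_pref("network.trr.mode", 5); // commented out, must not count',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditTrr(SAMPLE_PREFS));
  console.log(auditTrr(hardenUserJs(SAMPLE_PREFS)));
}
```

Run it with node against the text of your own prefs.js to see which mode is really in effect; the commented-out line in the sample is there to show that only live pref lines count, and that the last live setting of a name is the one Firefox uses.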
