<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Here is a good explanation of how it all works:<br class=""><br class=""><a href="https://www.netmeister.org/blog/doh-dot-dnssec.html" class="">https://www.netmeister.org/blog/doh-dot-dnssec.html</a><div class=""><br class="">christos<br class=""><br class=""><blockquote type="cite" class="">On Feb 26, 2020, at 8:26 AM, George Rosamond <<a href="mailto:george@ceetonetechnology.com" class="">george@ceetonetechnology.com</a>> wrote:<br class=""><br class=""><br class=""><br class="">On 2/25/20 11:19 AM, George Rosamond wrote:<br class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">As some of you may know, the Vixie meeting next week should raise some<br class="">interesting issues with DoH and DoT... basically DNS lookups encrypted<br class="">over https or tls instead of clear text over UDP.<br class=""><br class="">The issue is a bit more complex than it seems on the surface.<br class=""><br class="">Most broadly, of course DNS lookups should be encrypted, but what's<br class="">disturbing is that US FF will be set to go to Cloudflare, who obviously<br class="">know this is a wonderful data-mining opportunity.<br class=""><br class="">The whole issue of "privacy" gets distorted too easily. Yes, you should<br class="">have privacy in DNS lookups, but sending encrypted lookups to one<br class="">provider is a recipe for privacy from "the other" while centralizing a<br class="">few huge collectors of that data.<br class=""><br class="">Yes, more providers should be running DOT servers, but that in itself<br class="">isn't the answer.<br class=""><br class="">This link raises the issue, but misses the dangerous implications of DOH:<br class=""><br class=""><a href="https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/" class="">https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/</a><br class=""><br class=""></blockquote><br class="">This paper is an example of how centralizing DNS lookups is dangerous in<br class="">more "outlier" cases with more sophisticated adversaries on the Tor<br class="">network for anyone interested in diving deeper (the cached PDF version<br class="">should work):<br class=""><br class=""><a href="https://www.freehaven.net/anonbib/#dnstor-ndss2017" class="">https://www.freehaven.net/anonbib/#dnstor-ndss2017</a><br class=""><br class="">g<br class=""><br class="">_______________________________________________<br class="">talk mailing list<br class="">talk@lists.nycbug.org<br class="">http://lists.nycbug.org:8080/mailman/listinfo/talk<br class=""></blockquote><br class=""></div></body></html>