Cloudflare and Apple made a new DNS protocol to protect your data from ISPs

Cloudflare and Apple made a new DNS protocol to protect your data from ISPs(theverge.com)

81 points by janniks 5 years ago | 24 comments

okanesen 5 years ago |

afrcnc 5 years ago | |

needs to be reposted and made a dupe 39 more times, brb

pbronez 5 years ago |

I wonder if this protocol could provide any relief to network admins trying to protect themselves from aggressive Smart TVs and other IoT devices that use DNS over HTTPS to avoid local DNS blocks. I suspect not, since anything designed to protect against ISP snooping should be available to device manufacturers to protect against local admin snooping.

skissane 5 years ago | |

I guess the only solution is to run your own MITM TLS proxy, and hope that the Smart TV or IoT device lets you install your own root certificate. (Which it quite possibly won't without jailbreaking... and even if it does, it probably isn't documented how to do it)

unixhero 5 years ago | | |

This needs a fix

michaelmior 5 years ago | |

Why is protection necessary from these devices?

p00f 5 years ago | | |

You can't use a PiHole, for example

stephenr 5 years ago | |

Seems like a pretty simple solution. Don’t connect the tv to the internet.

nora-puchreiner 5 years ago |

Since 1.1.1.1 introduction, Cloudflare is able to perform HTTPS man-in-the middle attacks even for the websites which do not use Cloudflare CDN: they could forge DNS answer and proxy HTTPS traffic of any website via their CDN, instantaneously issuing a valid HTTPS certificate, as they have root certs and could issue certs for any domain.

Since ODoH they could perform such attacks without being spotted by ISPs. Nice.

olliej 5 years ago | |

Of course intentionally issuing a fraudulent cert would get them kicked out of every root program, and given a good part of their revenue is from being an automated https CDN that would probably have a significant negative impact.

nora-puchreiner 5 years ago | | |

It is too weak a guarantee. We already have seen as risk of revenue losing did not stop Kaspersky.

crtasm 5 years ago | |

New certs have to be sent to Certificate Transparency logs, any company mis-issuing them would be taking a colossal risk.

nora-puchreiner 5 years ago | | |

A MITM-attack which starts from DNS could be narrow targeted, forged DNS responses could be sent to a single person or an organization. Certificate Transparency monitors are futile here.

Also, if the reputation risks is the only thing which could prevent them from doing so... it is not the security we expect from the cryptographic protocols. A subpoena/warrant could be a more "colossal" threat to their business.

feroz 5 years ago |

If you would like to try out an independent ODoH proxy with Cloudflare DNS, I added ODoH proxying to my DoH server last night - instructions on using it are here: https://padlock.argh.in/2020/12/08/odoh.html

INTPenis 5 years ago | |

I think this link is relevant to people who want other encrypted DNS alternatives from the big corporate ones.

https://www.privacytools.io/providers/dns/

egberts1 5 years ago |

I’m sticking with DNS over dual server/client certificate.

My home LAN gateway is blocking DoH because the hassle of issuing enterprise-based intermediate CA is not worth the effort to do a Squid TLS transparent proxy so that one can “Pi-hole” to block stray DNS/domains.

This means my own set of authoritative DNS servers.

alexpc201 5 years ago |

By now I don’t understand why DNS is not a browser functionality. Or an operating system service.

olliej 5 years ago | |

Someone has to run the DNS servers the browsers talk to - DNS data is big and can change rapidly, especially in the cloudflare and AWS type of cases