DNS/VPN: make the unencrypted parts more clear? #1383

Open
opened 2019-10-07 13:52:16 +00:00 by Mikaela · 1 comment
Mikaela commented 2019-10-07 13:52:16 +00:00 (Migrated from github.com)

[ZDNet: DNS-over-HTTPS causes more problems than it solves, experts say](https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/) was linked in Nebulo's Telegram group and with it in mind, I read the two of our pages that refer to encrypted DNS:

  • https://www.privacytools.io/providers/dns/#icanndns
  • https://www.privacytools.io/providers/vpn/

I think we are mostly good, except that

  • > Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But it will prevent DNS hijacking, and make your DNS requests harder for third parties *to eavesdrop on and* tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.

    • I would remove the emphasised (mine) part.
  • We don't mention OCPI (I have to read how it works) or SNI.
  • We don't mention how much/little help ESNI is.
  • > In most cases, most of your traffic is already encrypted! Over 98% of the top 3000 websites offer HTTPS, meaning your non-DNS traffic is safe regardless of using a VPN. It is incredibly rare for applications that handle personal data to not support HTTPS in 2019, especially with services like Let's Encrypt offering free HTTPS certificates to any website operator.

    • We again don't mention ESNI or OCPI

And I think we are especially good on telling people to look for anonymity with Tor instead of a VPN and "However you shouldn't use encrypted DNS with Tor. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you." as the linked article tells people to use DoH over Tor which would lead to spoiling circuits.

> ZDNet: DNS-over-HTTPS causes more problems than it solves, experts say

Note that it is truly *specifically* referring to DNS-over-HTTPS and *not* "encrypted DNS" — I've been saying that in Matrix for a while, DNS-over-TLS is better, generally.

However, their points are still mostly fearmongering and DoH is still better than nothing at all. "DoH Helps Criminals"? That just sounds like they're repeating UK propaganda. Their other point:

> Instead, experts like Zare and PowerDNS recommend that users in oppressive countries use DoH-capable apps in combination with Tor or VPNs, rather than using DoH alone. Telling people they can fully rely on DoH is just misleading.

...does not apply to us, because we don't claim that DoH is the ultimate solution to your privacy woes. Because unlike other sites, we're not hacks.

> But it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with.

This is still true and understandable within context, so I don't see why it needs to be removed, necessarily.

> We don't mention OCPI (I have to read how it works) or SNI.

We should mention ESNI somewhere. Also, I assume you are referring to OSCP which has nothing to do with encryption and is irrelevant here.
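The "unencrypted parts" both posts want spelled out are easiest to see on the wire. As an added example (not code from the issue thread or the privacytools.io pages), the script below builds a minimal, constructed TLS ClientHello and parses the Server Name Indication back out of it: with DoH/DoT hiding the DNS lookup and HTTPS hiding the page, the hostname still travels in plaintext in this extension unless ESNI (today ECH) is in use, which is why an on-path ISP can still list the sites visited.

```python
"""Added example (not part of the issue thread): why a DoH/DoT user still reveals the destination
hostname to an on-path observer: the TLS ClientHello carries SNI in plaintext unless ESNI/ECH is used."""
import struct

SNI_EXT_TYPE = 0x0000

def build_client_hello(hostname):
    """Constructed minimal TLS 1.2-style ClientHello record carrying only an SNI extension."""
    name = hostname.encode("idna")
    # server_name body: list length, name type (0 = host_name), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x00" * 32              # random (zeroed for the example)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the plaintext SNI hostname from a ClientHello record, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                 # not a handshake record / not a ClientHello
    p = 9 + 2 + 32                  # skip record hdr(5) + hs hdr(4) + version(2) + random(32)
    p += 1 + record[p]              # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]              # compression_methods
    if p + 2 > len(record):
        return None                 # no extensions block
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == SNI_EXT_TYPE and elen >= 5:
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("idna")
        p += elen
    return None

if __name__ == "__main__":
    # Even with encrypted DNS and HTTPS, this name is what the ISP sees on the wire.
    print(extract_sni(build_client_hello("example.com")))
```

The same parser run over a capture of real handshakes (for instance from a Zeek or tcpdump feed) is how network monitors build per-host browsing logs without ever touching DNS.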
Reference: privacyguides/privacytools.io#1383