dns: document usage profiles & Android automatic mode #1242

Merged
Mikaela merged 3 commits from privatedns-dot-profiles into master 2019-09-01 11:53:32 +00:00
Mikaela commented 2019-08-30 15:24:41 +00:00 (Migrated from github.com)

## Description

Resolves: #1239

#### Check List

- [x] I have read and understand [the contributing guidelines](https://github.com/privacytoolsIO/privacytools.io/blob/master/.github/CONTRIBUTING.md).

* Netlify preview for the mainly edited page: https://deploy-preview-1242--privacytools-io.netlify.com/providers/dns/#icanndns
dawidpotocki (Migrated from github.com) reviewed 2019-08-30 15:24:41 +00:00
jonah reviewed 2019-08-30 15:24:41 +00:00
netlify[bot] commented 2019-08-30 15:25:18 +00:00 (Migrated from github.com)

Deploy preview for *privacytools-io* ready!

Built with commit b9ab2422033c76c4ba0b8cc8962716fe8a0d5bde

https://deploy-preview-1242--privacytools-io.netlify.com
Mikaela commented 2019-08-30 15:28:52 +00:00 (Migrated from github.com)

@madosss What do you think of this suggestion?

Mikaela commented 2019-08-30 15:49:23 +00:00 (Migrated from github.com)
Oh, should https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-01 be linked somewhere?
nitrohorse (Migrated from github.com) reviewed 2019-08-30 16:00:37 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-30 16:00:25 +00:00

I’m wondering if there is a better place for this. Do these modes also apply to DoH? I’m thinking they would, but primarily related to Firefox's TRR about:config modes, yeah? Would it make sense to link the about:config section here under DoH?

Mikaela (Migrated from github.com) reviewed 2019-08-30 16:07:16 +00:00
Mikaela (Migrated from github.com) commented 2019-08-30 16:07:16 +00:00

No, the modes are part of *[Authentication and (D)TLS Profile for DNS-over-TLS and DNS-over-DTLS](https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-01)* for now which is one of the two DoT RFCs everyone ([Google Developer documentation](https://developers.google.com/speed/public-dns/docs/dns-over-tls)) cites.

I think this is currently a big benefit for DoT over DoH (but as you know DoH leads in censorship resistance), but this is hopefully changing as per *[Centralized DNS over HTTPS (DoH) Implementation Issues and Risks](https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-01)*.

Firefox's `about:config` or even `network.trr.mode` is just something Mozilla/Firefox has thought of, even if they may have ~~stolen~~ took inspiration from DoT.
nitrohorse (Migrated from github.com) reviewed 2019-08-30 16:09:19 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-30 16:09:19 +00:00

Ah gotcha, thanks for the clarity!

nitrohorse (Migrated from github.com) reviewed 2019-08-30 16:10:58 +00:00
nitrohorse (Migrated from github.com) left a comment

LGTM besides small comment 👍🏼

nitrohorse (Migrated from github.com) commented 2019-08-30 16:10:39 +00:00

Should we hyperlink the tooltip to point to SSLrip? Maybe to give users more info?

Mikaela commented 2019-08-30 16:13:29 +00:00 (Migrated from github.com)

> Should we hyperlink the tooltip to point to SSLrip? Maybe to give users more info?

Any suggestions where to hyperlink it to?
nitrohorse commented 2019-08-30 16:19:19 +00:00 (Migrated from github.com)

We mean sslstrip yeah? We could link to Moxie’s (author) site: https://moxie.org/software/sslstrip/

Mikaela commented 2019-08-30 16:25:46 +00:00 (Migrated from github.com)

> We mean sslstrip yeah? We could link to Moxie’s (author) site: https://moxie.org/software/sslstrip/

I am not entirely sure about that. Is there any more generic term for SSL removing attack or are the available words SSLstrip (typo fixed) and MITM attack? I haven't tested the tool, which only talks about https, but I think the principle is the same.
nitrohorse commented 2019-08-31 01:42:26 +00:00 (Migrated from github.com)

> > We mean sslstrip yeah? We could link to Moxie’s (author) site: https://moxie.org/software/sslstrip/
>
> I am not entirely sure about that. Is there any more generic term for SSL removing attack or are the available words SSLstrip (typo fixed) and MITM attack? I haven't tested the tool, which only talks about https, but I think the principle is the same.

Ah sorry; I think the vulnerability is just "SSL Strip." We could also link to Moxie's [overview video](https://invidio.us/watch?v=MFol6IMbZ7Y).
Mikaela commented 2019-08-31 08:19:31 +00:00 (Migrated from github.com)

> Ah sorry; I think the vulnerability is just "SSL Strip." We could also link to Moxie's overview video.

I will fix the name, but I am not entirely happy about the idea of linking to that video either as it's so long and it's nothing specific to DoT. Could we leave it as it is as curious people can type it to their favourite search engine and learn a lot anyway?
Mikaela (Migrated from github.com) reviewed 2019-08-31 08:23:23 +00:00
Mikaela (Migrated from github.com) commented 2019-08-31 08:23:23 +00:00
```suggestion
          <li>We recommend selecting <em>Private DNS provider hostname</em> and entering the DoT address from documentation of your DoT provider in order to enable strict mode (see Terms above). <span class="badge badge-warning" data-toggle="tooltip" data-original-title="If you are on a network blocking access to port 853, Android will error about the network not having internet connectivity."><i class="fas fa-exclamation-triangle"></i></span></li>
```

Would this be more proper English, or is it fine?
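
Review bot: The port 853 warning in the suggested `<li>` is carried only by `data-original-title` on an icon-only badge, so it stays hidden until the tooltip is triggered and the `<i>` has no text alternative for screen readers. Since that error is what users will see when strict mode cannot reach the resolver, consider putting the sentence in the visible list text or adding visually hidden text next to the icon. On the wording question, "from your DoT provider's documentation" reads more naturally than "from documentation of your DoT provider".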
nitrohorse commented 2019-08-31 15:51:49 +00:00 (Migrated from github.com)

> Could we leave it as it is as curious people can type it to their favourite search engine and learn a lot anyway?

You’re right, yeah, agree 👍🏼
nitrohorse (Migrated from github.com) reviewed 2019-08-31 15:52:46 +00:00
nitrohorse (Migrated from github.com) commented 2019-08-31 15:52:46 +00:00

Either is fine 👍🏼

nitrohorse (Migrated from github.com) approved these changes 2019-08-31 15:54:36 +00:00
blacklight447 (Migrated from github.com) approved these changes 2019-09-01 11:53:07 +00:00
This repo is archived. You cannot comment on pull requests.
Reference: privacyguides/privacytools.io#1242