DNS in applications a rebuttal

There’s an awful lot going on in the world of DoH at the moment – so rather than writing one huge rambling post I’m going to try and cover everything in several shorter rambling posts. I’m going to start with taking a look at a presentation that Mozilla did regarding “DNS in applications”, which I have many issues with and I think highlights the fundamental disconnect between the Mozilla developers and people that actually have to deal with network and user security. A lot of this has been discussed extensively on the IETF “Applications doing DNS” discussion list. If you’re on that list I’m not going to be saying anything much new, but with that said let’s start looking at the presentation. Continue reading

Defence against the DoH! Arts

I’m afraid it’s another post about DNS-over-HTTPS, but there’s a lot going on. Whilst the current crop of DoH servers don’t suffer from the same problems as normal open DNS resolvers, they do have issues of their own. Whilst fans of DoH are right when they that nothing stopped applications from doing their own DNS before and that the bad guys have always tunnelled data over other protocols. It is also true that DoH has massively lowered the bar for them both in terms of readily available libraries and in the provision of vast, highly resilient, free, tunnelling infrastructure provisioned by reputable companies. However I don’t want to get back into that again, instead lets review the latest happenings in the world of Doh. In the last month we’ve had : a DoH controlled spam campaign, the first malware to leverage DoH and Mozilla nominated for Internet villain of theā€¦ Continue reading

Cloudflare DoH!

This is a follow up to my previous article “Some problems with DoH!“. Given that Cloudflare are the preferred partner of Mozilla who are threatening to impose DNS-over-HTTPS on the majority of people I thought it worth while to have a look at what they have to say for themselves. All of this information is taken from https://developers.cloudflare.com/1.1.1.1/ as it was on 14th August 2018 ( archive.org link ). Some of my commentary may verge on the pedantic*, but given the nature of what is being proposed I think a little** pedantry and cynicism is called for. I may be mainly asking cynical and paranoid questions, given the weasel words and behaviour we’ve all seen from other companies I think this is justified for someone selling themselves on privacy. Continue reading