#25564 closed defect (user disappeared)

DNS-over-HTTPS for exit relays

Reported by: cypherpunks
Owned by: Nusenu
Priority: Medium
Milestone:
Component: Community/Relays
Version:
Severity: Normal
Keywords:
Cc: nusenu
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Would mentioning a guide to set up DNS-over-HTTPS for exit relays be worthwhile? It surely is better than just plaintext DNS.

Change History (7)

comment:1 Changed 16 months ago by cypherpunks

Yes, I had the same idea but I came to the conclusion that it is worse since you give all data to a 3rd party (your DNS-over-HTTPS resolver) instead of not using any forwarding at all.

Unless there are strong arguments against it I'll leave it as is.

comment:2 in reply to: 1 Changed 16 months ago by cypherpunks

Replying to cypherpunks:

> Yes, I had the same idea but I came to the conclusion that it is worse since you give all data to a 3rd party (your DNS-over-HTTPS resolver) instead of not using any forwarding at all.

With plaintext DNS with ISP's own DNS server, those who can see the DNS requests: ISP + anyone snooping on the exit.

With DNS-over-HTTPS with a DNS server other than ISP: Only DNS server can see the requests (+ anyone who can force them to hand that data). ISP + anyone snooping on the exit isn't included.

I think it's less, isn't it? The only problem is finding some trustworthy DNS-over-HTTPS server (Google and Cloudflare are not okay).


comment:3 Changed 16 months ago by cypherpunks

Priority: Medium → Very Low
Resolution: → fixed
Severity: Normal → Trivial
Status: new → closed

comment:4 Changed 16 months ago by cypherpunks

Priority: Very Low → Medium
Resolution: fixed → (removed)
Severity: Trivial → Normal
Status: closed → reopened

Could you outline your threat model? (What do you want to protect, from whom?)
(In the context that most Tor traffic is HTTP/HTTPS.)

You need more than one semi-trusted resolver (we don't want to give _any_ single entity all exit DNS traffic), we would need at least ~20.

I prefer DNS-over-TLS over DNS-over-HTTPS.

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

The problem is: even if you hide DNS content with encryption from a passive observer, they can still watch HTTP and TLS/SNI hostnames and get the same information.

comment:5 Changed 16 months ago by irl

There are open source implementations for DNS resolvers supporting DNS-over-HTTPS. For example this one. More will probably appear as work in the IETF progresses. I would still hope that exit operators would set up a local stub resolver to perform DNSSEC validation, so the instructions would be about how to configure that stub resolver to forward to a DNS-over-HTTPS resolver.

Even having 20 resolvers is too concentrated in my opinion, but this is just based on my general feelings about it, not based on any actual research. Someone should do some research (or find some that has already been done) so that we can decide if this is a good thing that we should recommend or if it's actually a thing that would make the situation worse.
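A minimal configuration for the setup comment:5 describes (a local validating stub resolver that forwards to an encrypted upstream), added here as an illustration and not taken from the ticket or from any Tor documentation. It uses Unbound with DNS-over-TLS forwarding, the variant comment:4 prefers, because Unbound's forwarder speaks DoT rather than DoH; the upstream addresses 192.0.2.53 and 198.51.100.53 and the certificate names dot.resolver.example and dot.resolver2.example are placeholders to be replaced with the operator's chosen resolvers.

```conf
# /etc/unbound/unbound.conf (added example; upstream addresses and names are placeholders)
server:
    # Listen only for the exit's own tor process; point /etc/resolv.conf at 127.0.0.1.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # Validate DNSSEC locally so a forwarder cannot silently alter signed answers.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    # CA bundle used to authenticate the upstream's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    # Forward everything; without forward-tls-upstream this would be plaintext DNS.
    name: "."
    forward-tls-upstream: yes
    # Syntax: address@port#name-to-verify-in-the-certificate (one line per upstream)
    forward-addr: 192.0.2.53@853#dot.resolver.example
    forward-addr: 198.51.100.53@853#dot.resolver2.example
```

Local validation protects the integrity of answers, not their confidentiality: every upstream listed here still sees the full query names from the exit, which is the concentration concern raised in comments 4 and 5.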

comment:6 Changed 16 months ago by cypherpunks

Cloudflare today released their public resolvers 1.1.1.1 and 1.0.0.1. They support both DNS-over-TLS and DNS-over-HTTPS: https://blog.cloudflare.com/dns-resolver-1-1-1-1/

It would be great if this could find its way into the documentation. Also, they claim not to log any requests and to delete logs after 24h - good enough for me, imho.

comment:7 Changed 16 months ago by cypherpunks

Resolution: → user disappeared
Status: reopened → closed

I'm against using Cloudflare since they see a lot of (web) traffic already.

Please reopen this ticket if you have a threat model for it.
