79
you are viewing a single comment's thread
view the rest of the comments
[-] lemmyvore@feddit.nl 56 points 3 months ago

Everybody should be using DNS over HTTPS (DoH) or over TLS (DoT) nowadays. Clear DNS is way too easy to subvert and even when it's not being tampered with most ISP snoop on it to compile statistics about what their customers visit.

DoH and DoT aren't a full-proof solution though. HTTPS connections still leak domain names when the target server doesn't use Encrypted Hello (ECH) and you need to be using DoH for ECH to work.

Even if all that is in place, a determined ISP, workplace or state actor can identify DoH/DoT servers and compile block lists, perform deep packet inspection to detect such connections regardless of server, or set up their own honey trap servers.

There's also the negative side of DoH/DoT, when appliances and IoT devices on your network use it to bypass your control over your LAN.

[-] Findmysec@infosec.pub 5 points 3 months ago

How would they do DPI on DNS packets routed using DoH? It looks like HTTPS traffic, it's encrypted, and other than size and frequency I don't see how they can gey anything out of it. Yeah they'll get the SNI with eCH but that's supported by FF and by a lot of providers using DoH

this post was submitted on 08 Aug 2024
79 points (98.8% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54420 readers
146 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS