NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Subject:
From:
Michael Casadevall <[log in to unmask]>
Reply To:
Michael Casadevall <[log in to unmask]>
Date:
Sun, 1 Dec 2019 06:35:42 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (70 lines)
Sorry for the late reply,

A few months ago, I talked about the issue at my local DEFCON group
and assembled this slide deck. It's more or less up to date with my
current position on DoH and DoT. It's aimed at people who don't know
the specifics of DNS and walks through DNS, DNSSEC, and DoT/DoH.

https://docs.google.com/presentation/d/1dcasmVO6JmlR7KA3qWfHDQatYZ-xl91LwfJy4TrskHw/edit?usp=sharing

This talk directly builds upon an earlier one that goes into details
about WebPKI and TLS certificates and explains the problems with them:
https://docs.google.com/presentation/d/1Zw6njGYKJmIGhWXssCRrOwwnC8HDWmjGb4PVdzFSU74/edit?usp=sharing

I can create a more specific article or document if folks in the NCSG
are interested.

On Fri, Nov 29, 2019 at 2:14 PM Martin Pablo Silva Valent
<[log in to unmask]> wrote:
>
> Michael, if you have some normal people level document that you think really reflects the debate, or settles it, I would love to read it!!!
>
> Best,
> Martín
>
> > On 20 Nov 2019, at 12:38, Michael Casadevall <[log in to unmask]> wrote:
> >
> > The problem with DoH is it does nothing to ensure the data integrity
> > of information being sent from the recursive resolver and the browser.
> > When you use DoH, the resolver you're using can still freely change
> > and manipulate data in flight regardless of DNSSEC as DNSSEC data
> > isn't sent to the last mile. The browser can theoretically query this
> > information but no implementation that I've seen actually does this.
> >
> > On Wed, Nov 20, 2019 at 1:50 AM Caleb Olumuyiwa Ogundele
> > <[log in to unmask]> wrote:
> >>
> >> @Sam, that is probably propaganda spread by ISPs and Governments who like to sniff around and do serious surveillance on citizens as against privacy rights. For me, it is a good idea to see IETF come up with that RFC standard in this age where privacy is key.
> >>
> >> That said, DoH is here to stay. Experimentally, browsers that have implemented it still leave the end user to activate it themselves and not by default.
> >>
> >> Caleb Ogundele
> >>
> >> On Wed, Nov 20, 2019, 1:03 AM Michael Casadevall <[log in to unmask]> wrote:
> >>>
> >>> I've done a fair bit of talking and research with DoH. To summarize,
> >>> the problem is it removes the distributed part of the domain name
> >>> system by basically drastically reducing the number of resolvers in
> >>> use. That in and of itself might be acceptable if DoH (and DoT)
> >>> bothered to fix some of the more fundamental flaws of DNS security
> >>> instead of slapping on a level of encryption and going "yeah that's
> >>> good".
> >>>
> >>> It also marries all the pain of the WebPKI to the DNS ecosystem, when
> >>> the former depends on the latter to check revocation information
> >>> through AIA/OCSP/CRLs.
> >>> Michael
> >>>
> >>> On Tue, Nov 19, 2019 at 3:25 PM Sam Lanfranco <[log in to unmask]> wrote:
> >>>>
> >>>> I could do with some expert opinion and enlightenment here. From what I read the following move is likely to have a negative effect on the security of the DNS system.
> >>>>
> >>>> From circleID: Microsoft Announces Plans to Adopt DoH in Windows
> >>>>
> >>>> Microsoft announced today its plans to adopt the DNS over HTTPS (DoH) protocol in Windows and will also keep other options such as DNS over TLS (DoT) on the table for consideration. "[S]upporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic," noted the company in a post. Microsoft further added: "For our first milestone, we'll start with a simple change: use DoH for DNS servers Windows is already configured to use. There are now several public DNS servers that support DoH, and if a Windows user or device admin configures one of them today, Windows will just use classic DNS (without encryption) to that server. However, since these servers and their DoH configurations are well known, Windows can automatically upgrade to DoH while using the same server."
> >>>>
> >>>> For commentary on the issue: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> >>>> Sam L.
> >>>>
>

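The point Michael makes in the 20 Nov message above (DoH encrypts the path to the resolver, but the DNSSEC material a client would need to check the answer itself is normally not sent to the last mile) can be seen directly in the bytes. The following is an added example, not code from anyone in this thread: it builds constructed wire-format DNS responses, the same format carried inside a DoH body or a DoT stream, and reports whether a response carries RRSIG records the client could validate, or only the resolver's AD ("authenticated data") bit, which is an assertion the client has to take on trust. The messages, the 192.0.2.1 documentation address and the RRSIG payload are all constructed; the RRSIG bytes are a placeholder, not a real signature, and the code does not perform signature validation.

```python
"""Added example: what DNSSEC evidence does a DNS answer actually carry?

The bytes a DoH or DoT client receives are ordinary wire-format DNS messages.
This parser reports whether such a message lets the client verify the answer
itself (RRSIG records present) or only carries the resolver's AD assertion,
which the client has to take on trust. The messages below are constructed,
not captured; the RRSIG payload is placeholder bytes, not a real signature.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DO bit lives in the OPT pseudo-record's TTL field

# Verdicts returned by analyze()
UNSIGNED = "unsigned"                    # no DNSSEC evidence at all
RESOLVER_ASSERTED = "resolver-asserted"  # AD set, but no RRSIGs to check
CLIENT_VERIFIABLE = "client-verifiable"  # RRSIGs present; client can validate


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_response(qname, address, ad=False, include_rrsig=False, do=False):
    """Construct a response to an A query: header, question, answers, OPT."""
    a_rdata = bytes(int(octet) for octet in address.split("."))
    answers = [struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + a_rdata]
    if include_rrsig:
        # Placeholder RRSIG rdata: type covered, alg, labels, orig TTL,
        # expiration, inception, key tag, signer name, fake 64-byte signature.
        fake = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 0)
        fake += encode_name(qname) + b"\x00" * 64
        answers.append(struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(fake)) + fake)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    body = b"".join(ptr + rr for rr in answers)
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL = flags.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + body + opt


def parse_records(msg):
    """Return header flags and a list of (name, type, class, ttl, rdata)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        records.append((name, rtype, rclass, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return flags, records


def analyze(msg):
    """Classify the DNSSEC evidence a client can see in this response."""
    flags, records = parse_records(msg)
    ad = bool(flags & FLAG_AD)
    do = any(r[1] == TYPE_OPT and r[3] & EDNS_DO for r in records)
    has_rrsig = any(r[1] == TYPE_RRSIG for r in records)
    if has_rrsig:
        verdict = CLIENT_VERIFIABLE
    elif ad:
        verdict = RESOLVER_ASSERTED
    else:
        verdict = UNSIGNED
    return {"ad": ad, "do": do, "has_rrsig": has_rrsig, "verdict": verdict}


if __name__ == "__main__":
    # Typical stub or browser DoH client: DO not requested, resolver says AD=1.
    print(analyze(build_response("example.com", "192.0.2.1", ad=True)))
    # Validating client: asked with DO, got RRSIGs back to check itself.
    print(analyze(build_response("example.com", "192.0.2.1",
                                 ad=True, include_rrsig=True, do=True)))
```

The first case is what a browser talking DoH normally sees: an encrypted channel, an AD bit, and nothing it can check on its own, so any modification by the resolver goes unnoticed. Only a client that sets DO and validates the returned RRSIG chain itself (the second case, with the validation step deliberately left out here) gets integrity independent of the resolver.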