DoH won't solve redirects. DoH only gets you to a secure query, it won't help you if the government decides to give you a falsified query. For that you'll need DNSSec, which maintains a cryptographic chain of authenticity to the root DNS servers. And DNSSec is even more rare than DoH.


DoH will prevent the government from hijacking your query in the first place. These blockades are only possible because of DNS being clear text and susceptible to MITM.


That's one level of security, but even for DoH, it's possible for entities to attack and control an HTTPS server, returning falsified DNS queries, and now the antigovernment.com website you logged in to talk about anti-government politics is actually run by government. The only way to prevent that is via DNSsec to make sure that antigovernment.com goes to a real antigovernment.com server.


This makes no sense whatsoever.

If the government can transparently MITM your HTTPS connections with the DoH server, they can just as well MITM your connection to the real antigovernment.com server regardless of what DNS you use. And in fact, if they can't MITM your connection to the real antigovernment.com, they also can't trick you to talk to their fake antigovernment.com regardless of intercepting your DNS: you will connect to the attacker IP, the attacker IP will give you a bogus certificate, your browser will refuse to connect.


Wait what do you mean? They can have an HTTPS server and MITM, but how can they get a certificate for the DoH server I use?


They only need a certificate signed by an authority trusted by your resolver. And, unlike for the website itself, your browser does not show certificate information for the DoH server.

DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.
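Added example, not from this thread or any of the commenters: a small offline RFC 8484 DoH encoder/decoder in Python that makes the two points above concrete. DoH carries ordinary DNS wire-format messages, so TLS (with a verifying client, as the parent comment assumes) protects the path to the resolver but says nothing about what the resolver itself answers; and the only DNSSEC signal such a client sees is the AD flag, which is the resolver's claim, not something the client has verified. The resolver name `doh.example`, the query name `example.test` and the response bytes are constructed placeholders; nothing is sent over the network.

```python
"""
Added example (not from the thread): minimal RFC 8484 DoH message handling.
All inputs are constructed; no resolver or domain is contacted.
"""
import base64
import ssl
import struct

DOH_PATH = "/dns-query"  # RFC 8484 well-known path


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, want_dnssec: bool = True) -> bytes:
    """Build a DNS query (ID 0, as RFC 8484 suggests for cache-friendliness)."""
    # flags 0x0100: RD=1. ARCOUNT=1 when we append an EDNS OPT record.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if want_dnssec:
        # EDNS(0) OPT pseudo-RR: root name, type 41, UDP size 4096, DO bit set.
        # DO asks the resolver for DNSSEC data; it does not validate anything locally.
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return msg


def doh_get_url(resolver_host: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{DOH_PATH}?dns={b64}"


def parse_name(msg: bytes, off: int):
    """Decode a possibly compression-pointer name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bounded: a pointer loop is a malformed message
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or pointer loop")


def parse_response(msg: bytes) -> dict:
    """Parse header, question and A answers; report the AD (authenticated data) flag."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {
        "rcode": flags & 0xF,
        "ad": bool(flags & 0x0020),  # set by the resolver: its claim, not our check
        "answers": [],
    }
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # QTYPE, QCLASS
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            result["answers"].append((name, ".".join(str(b) for b in rdata)))
    return result


def constructed_response(ad: bool, ip: str = "192.0.2.1") -> bytes:
    """Constructed stand-in for a resolver's answer (not captured traffic)."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", 0, flags, 1, 1, 0, 0)
    question = encode_name("example.test") + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c"  # pointer to the question name at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(x) for x in ip.split(".")))
    return header + question + answer


def resolver_tls_context() -> ssl.SSLContext:
    """The client side of the MITM argument: verify chain and hostname of the resolver."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print(doh_get_url("doh.example", build_query("example.test")))
    for ad in (False, True):
        print(parse_response(constructed_response(ad)))
```

Two identical-looking answers differ only in the AD bit; a client that does not run its own DNSSEC validation has no way to tell a truthful resolver from one that sets AD on a fabricated record, which is exactly the "other side" the comment above refers to. The TLS context is what a non-browser DoH client has to get right, since (as noted above) nothing shows it the resolver's certificate.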


So, like, you are assuming someone using a resolver that ignores the certificate chain of trust, as evidence that DoH is not useful?

Does your programming language _show_ you the certificate information when you use an HTTP library to connect to an HTTPS service?

Sure the other end of the DNS query may not be encrypted, but I can easily decide which government to trust, and run my DoH server there.


> your browser does not show certificate information for the DoH server.

It doesn't show it, but I expect it would put up an error message if the DoH server's cert is invalid.


DNSSec is entirely useless here. The government has two goals here: block you from accessing certain sites, and perhaps prosecute you for the attempt. DNSSec does exactly nothing to help against either of these, even if perfectly deployed.

DNSSec can help protect from fraudsters or others that might try to transparently direct you to a different site than the one you wanted to access. But the government here has no intention of serving you a fake porn site, they want to stop you accessing porn and log the fact that you were trying to access it.


DoH uses HTTPS; it solves redirects because you can use a trusted server, and not have the request intercepted and the response spoofed.


https://dl.acm.org/doi/10.1145/358198.358210

I don't really trust many DNSes, and neither do many, yet we all have few choices.

The lack of MitM isn't much comfort

Neither are guarantees of the chain of trust
