Mozilla DNS-over-HTTPS may be a trojan horse ( conspiracy )

submitted by allahead

The protocol claims to allow people to get around censorship by letting them look up DNS names anonymously. It doesn't matter though because you will still be seen connecting to the actual web site.

The ISP can block websites by more ways than just blocking DNS lookups. DNS just gives you the IP address to connect to. If ISP's want to block access to a website, they can just firewall the IP's, any remotely competent admin knows this.

The problem is that instead of "trusting" (I use the term loosely) some authoritative ISP DNS or any of the commonly used ones like googles 8.8.8.8, you will be using whatever DNS the app maker supplies. If you install an application, and it also modifies the certificate authorities on your computer or phone, the application can now possibly hijack all the DNS queries from your computer and since they have a Cert Authority installed also they can proxy/decrypt all of your SSL traffic.

I don't think we are better off with every sneaky little app maker putting up their own DNS in a closet and pointing it at whatever they fancy at the moment.

3dk

So you're saying any App you install can basically do anything and the only thing preventing that is some loose "trust" and reputation of the developer?

Sounds about right.

SquarebobSpongebutt

The Firefox version allows you to set your own DNS server if you want to do so. Of course it is still possible for the app to ignore it and use whatever it wants or track your queries and give them to law enforcement whenever they want to do so.

Nietzsche__

Yeah, this is "no shit /s" post

libman

We need multiple DNS mechanisms and metalink-style links / bookmarks between sites. If the target site is down, you try mirror locations (including through Tor, Namecoin, etc), and then the last static snapshot via IPFS/etc as a last resort.

We also need better automated Web archiving mechanisms (like archive.fo but decentralized and dumped to common storage like IPFS). They would then try blocking by checksum, but won't be able to due to crypto.

allahead

It's really hard to get started securely. You basically put all your trust with the certs that come with the OS or browser.

Sites change so often, checksums become a popularity contest. If you control DNS and Cert Authorities (CA's) you can masquerade as anyone.

Do you think blockchain could be tied to DNS someway to make it decentralized and authoritative? At some point you have to eyeball the bits or throw your hands in the air and say good enough i guess.

libman

You got two types of entities on the Internet: anonymous and public (aka self-doxxed).

I'm in the latter category. My name is Alex Libman (born 1981/10/19 in Moscow, USSR; now living in Lakewood, NJ, USA). I've already paid the price for telling the truth online - now I am free. No one can impersonate me online for long, because real people in the real world can meet me. Maybe it'll become a trend to wear a printed QR code of your latest IPFS checksum (linking to all your other stuff) on your t-shirt or something. My meatspace identity would be pretty much impossible to fake.

If you wanna be anonymous, on the other hand, your security is only as good as the math behind the crypto, and the assumption that governments don't have trillion-dollar quantum super-computers than turn that crypto to jelly...

Horrux

Personally I would love to see a DNS blockchain.

handsignals

the thought of how slow it would be makes me want to puke. blockchain is the answer to nothing(for most use cases), because its prohibitively slow. to make it faster defeats its purpose (proof of work).

libman

Updating a blockchain (ex. registering a name) is slow. Searching a blockchain is as fast as searching any other data file.

Horrux

Well you wouldn't "MINE" DNS entries. DNS entries would be IN the blockchain and browsers would access that constantly-audited blockchain for DNS entries. A blockchain is secure because millions and millions of users are also auditors.

handsignals

i didn't say you would mine dns entries. but the look ups in the block chain would be too slow to be acceptable, look at all the blockchain apps out there for storage now, they are far too slow at retrieving data, this is because the number of host nodes is too low and they end up serving a ton of requests. unless millions of people are running a client, the network would be prohibitively slow, and even if there are millions running the client, it will still be slow in comparison to traditional dns.

Horrux

All right, you have a valid point. You'd have to have all users host a node and that won't happen.