nanog mailing list archives

RE: This DNS over HTTP thing


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Wed, 02 Oct 2019 01:55:13 -0600


On Tuesday, 1 October, 2019 22:15, David Conrad <drc () virtualized org> wrote:

DoH (and DoT) encrypt (and authenticate) the application <-> recursive
resolver channel (NOT the DNS data) which I gather some view as an attack
vector.

Actually no.  DoH and DoT encrypt the application <-> recursive resolver application channel.  Some people may wish to 
believe that the current CA system provides some sort of meaningful "authentication" of the endpoint, but unless you 
have specifically acquired the remote endpoint's certificate through secure means and added it specifically to your 
verification store (and disabled the CA root), the endpoint is *not* authenticated.  (Though it is possible that you 
have very lax authentication requirements and treat "authentication" based on the hearsay of a third-party that yet 
another third-party is trustworthy as being valid "authentication".)

IF AND ONLY IF the party to whom you have connected has kept their private key private THEN AND ONLY THEN is the 
conversation between the two applications protected from being decrypted by eavesdroppers between, but not at or 
beyond, each of those communicating applications.

It is a common fallacy that TLS connections are authenticated.  The vast majority of them are not authenticated in any 
meaningful fashion and all that can be said about TLS is that it provides an encrypted connection between the two 
communicating applications.  This is perhaps why it is called *transport* layer security ...

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.