nanog mailing list archives
RE: This DNS over HTTP thing
From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Wed, 02 Oct 2019 01:55:13 -0600
On Tuesday, 1 October, 2019 22:15, David Conrad <drc () virtualized org> wrote:
> DoH (and DoT) encrypt (and authenticate) the application <-> recursive resolver channel (NOT the DNS data) which I gather some view as an attack vector.
Actually no. DoH and DoT encrypt the application <-> recursive resolver application channel. Some people may wish to believe that the current CA system provides some sort of meaningful "authentication" of the endpoint, but unless you have specifically acquired the remote endpoint's certificate through secure means and added it specifically to your verification store (and disabled the CA root), the endpoint is *not* authenticated. (Though it is possible that you have very lax authentication requirements and treat "authentication" based on the hearsay of a third-party that yet another third-party is trustworthy as being valid "authentication".)

IF AND ONLY IF the party to whom you have connected has kept their private key private THEN AND ONLY THEN is the conversation between the two applications protected from being decrypted by eavesdroppers between, but not at or beyond, each of those communicating applications.

It is a common fallacy that TLS connections are authenticated. The vast majority of them are not authenticated in any meaningful fashion, and all that can be said about TLS is that it provides an encrypted connection between the two communicating applications. This is perhaps why it is called *transport* layer security ...

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
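The distinction drawn above between trusting the CA roots and pinning the endpoint's own certificate, as an added Python example that is not part of this thread: a throwaway self-signed certificate stands in for a DoT resolver's certificate, and the same local TLS server is contacted once with the system CA store (rejected as unknown) and once with only that one certificate trusted and no CA roots loaded (accepted). It assumes the openssl CLI is installed and uses the constructed hostname resolver.example.

```python
import os, socket, ssl, subprocess, tempfile, threading
HOST = "resolver.example"   # constructed name for the throwaway certificate

def make_self_signed(tmpdir):
    # One-day self-signed cert; assumes the openssl CLI is installed.
    key, cert = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}"],
                   check=True, capture_output=True)
    return key, cert

def pinned_context(cert_path):
    # Trust exactly this one certificate; no system CA roots are loaded.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=cert_path)
    return ctx

def serve_once(key, cert, lsock):
    # Accept one connection and present the given certificate.
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(cert, key)
    try:
        conn, _ = lsock.accept()
        with srv.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except OSError:   # client rejected our cert (or timed out): expected in the CA case
        pass

def handshake_ok(ctx, port):
    # True if the client verified the peer, False on a verification failure.
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            tls.send(b"\x00")
        return True
    except ssl.SSLCertVerificationError:
        return False

def demo():
    # Same server, two clients: system CA store vs. pinned endpoint certificate.
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_self_signed(d)
        results = {}
        for name, ctx in (("ca_store", ssl.create_default_context()),
                          ("pinned", pinned_context(cert))):
            lsock = socket.socket(); lsock.settimeout(5); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
            t = threading.Thread(target=serve_once, args=(key, cert, lsock)); t.start()
            results[name] = handshake_ok(ctx, lsock.getsockname()[1])
            t.join(); lsock.close()
        return results
```

`demo()` returns `{"ca_store": False, "pinned": True}`: the CA-store client cannot say who it reached, while the pinned client has authenticated exactly the endpoint whose certificate it holds.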