From under my tinfoil hat, I have to wonder why we would listen to any recommendations from the NSA? Why would we not believe they are going to make recommendations of methods they know how to exploit?

Taking off my tinfoil hat, I understand that one of the purposes of the NSA is to keep US information safe. Following their recommendations should make your data safer.

However, Snowden showed us that the NSA doesn't always follow the rules it is supposed to operate within. Does that mean they are always suspect? How do we decide when their recos are for the good of all?
> NSA recommends that an enterprise network's DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver.

It's either a slow day at the NSA or federal agencies have become so intellectually bankrupted by the cloud that they consider proclamations of the fundamentals of DNS and networking to be some sort of sage wisdom.
I don't understand why people can't see the dangers of moving everything to DoH. For example, if you have a 3000 user network and 2900 of them are using a local resolver, you have almost no chance of finding those 100 nodes doing DoH without MITM everything over 443.

Someone will probably respond with something like: "Just block the IP address ranges of public DoH resolvers" and that would work for the resolvers we know about.
They are just saying within enterprises it is in the enterprise's best interest to control all aspects of DNS so all traffic can be monitored. Which you seriously need to do if you aren't doing it already.

DNS needs to be monitored holistically; it is a great place to catch IOCs.
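As an added example (not from any commenter in this thread) of the detection problem the two comments above describe: flagging hosts that bypass the designated enterprise resolver with DoH. It assumes constructed flow records, a made-up enterprise resolver address and a short, made-up list of known DoH endpoints; the "known list" check catches only listed resolvers, so a second "DNS-silent host" heuristic is used to surface unlisted ones.

```python
"""Flag hosts that appear to resolve names outside the enterprise resolver."""
from typing import NamedTuple


class Flow(NamedTuple):
    src: str     # internal client IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "udp" or "tcp"
    sni: str     # TLS server name seen on the flow, or "" if none


# Assumptions constructed for this example (TEST-NET / private ranges).
ENTERPRISE_RESOLVER = "10.0.0.53"
KNOWN_DOH_IPS = {"203.0.113.1", "198.51.100.2"}
KNOWN_DOH_NAMES = {"dns.example", "doh.example.net"}


def find_doh_suspects(flows):
    """Return {host: reason} for hosts that look like DoH bypassers.

    "known_doh":  HTTPS to a listed DoH IP or SNI. Cheap, but only catches
                  resolvers already on the list.
    "dns_silent": host sends outbound HTTPS yet never queries the enterprise
                  resolver on port 53. Catches unlisted resolvers, at the cost
                  of false positives (hard-coded IPs, hosts with a local cache).
    """
    talks_to_resolver = set()
    https_hosts = set()
    suspects = {}
    for f in flows:
        if f.dport == 53 and f.dst == ENTERPRISE_RESOLVER:
            talks_to_resolver.add(f.src)
        if f.dport == 443 and f.proto == "tcp":
            https_hosts.add(f.src)
            if f.dst in KNOWN_DOH_IPS or f.sni in KNOWN_DOH_NAMES:
                suspects[f.src] = "known_doh"
    for host in https_hosts - talks_to_resolver:
        suspects.setdefault(host, "dns_silent")   # keep "known_doh" if set
    return suspects


# Constructed sample: compliant host, listed-DoH host, unlisted-DoH host,
# and a host with no HTTPS traffic at all.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", ENTERPRISE_RESOLVER, 53, "udp", ""),
    Flow("10.1.1.10", "192.0.2.10", 443, "tcp", "www.example.com"),
    Flow("10.1.1.11", "203.0.113.1", 443, "tcp", "dns.example"),
    Flow("10.1.1.12", "192.0.2.7", 443, "tcp", "cdn.example.org"),
    Flow("10.1.1.13", ENTERPRISE_RESOLVER, 53, "udp", ""),
]

if __name__ == "__main__":
    for host, why in sorted(find_doh_suspects(SAMPLE_FLOWS).items()):
        print(host, why)
```

On real data the "dns_silent" candidates need a baseline window (a host that resolved names an hour ago is not silent), and the list-based check should be fed from an IOC feed rather than a hard-coded set.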
There's good money to be made selling a solution that detects and blocks rogue DoH requests.

Anyways, it's possible: https://dl.acm.org/doi/abs/10.1145/3407023.3409192
There has certainly been evidence of censorship amongst the thousands of third party open resolvers. Are there any examples of known "malicious" third party DoH or DoT resolvers? Has anyone been studying this?
Could someone create a replacement for DNS entirely please?

DNS does WAY more than what the typical user needs it for, and services that present it are resultantly much more complex than what is needed for the 99% use case.

The 99% use case: resolve x.y.z to some IP address.

What I think should happen:

1. At each level, a public/private keypair is used to authenticate valid records for the name. E.g.: .com has public/private keypair(s) to represent who can sign x.com records. The .com owner only needs to publish these. Reliable sources (ISPs etc.) can then share these.

2. The x.com records themselves would be: a mapping from x.com to IP address(es) / public key.

3. The x.com owners could then publish out their x.y.com records freely and they could be mirrored by everyone.

Unlike the current methodology, there would be far less need to trust where you get the records from. The public/private keypairs should change WAY less frequently.

Agreeably, in such a widely distributed system you wouldn't have nice TTLs, but that is for the better. DNS records should not be changing that frequently.

Such a new system also should be done in a fully distributed way and NOT controlled by a bunch of money grubbing bastards who make way too much money from records.

It should NOT cost $20/yr to own a record pointing x.y to a number. It's absurd and really needs to stop.
Bunch of garbage, NSA and FBI hate ESNI.

Firefox silently pulled all production ESNI code as of v83 without a word of warning to anyone. As in, the Firefox development team simply killed encrypted SNI and told nobody that may have been using ESNI in despot regimes, in exchange for future ECH support which is not implemented anywhere yet.

Nor will ECH be endpoint supported any time soon.