NetBSD-Users archive


Re: Securing DNS traffic

On Mon, 25 May 2020 10:17:56 +0200
Jörn Clausen <> wrote:

> Hi!
> I was not arguing for "no security at all". It's just this motivation
> for DoT/DoH (disguising the request from your ISP) that I don't get.
> I have only a cursory knowledge of these technologies, but I think
> DNSSEC is the far better approach against the type of forgery you
> mentioned. Why do you expect CloudFlare or any other DoH provider not
> to be corrupted? I have just as much trust in them as in the
> commercial VPN provider you mentioned, or my ISP for that matter:
> very very little. As a European user, I definitely don't want all my
> DNS traffic to be routed through a single US company by default. But
> YMMV...

They are different technologies that complement each other. You need
both DNSSEC and DoT. You're right: any service provider could be
monitoring your activity, and I don't believe US vs Europe makes much
difference here. I live in the UK and there has been a "Data Protection
Act" in place since well before the EU "General Data Protection
Regulation". Just because something is legislated does not mean that
everybody follows it to the letter.

With DNSSEC you validate the integrity of the data, so if somebody
managed to poison the cache of some DNS server and insert a bogus
entry, hopefully DNSSEC should be able to flag it. However, if someone
redirects your DNS traffic (as some ISPs do) they could completely strip
out any DNSSEC data and substitute whatever records they like. For
example, when you type "site.nosuchtld" into your web browser, instead of
an error, you get a web page filled with ads or some other nonsense.

With DoT you nominate some trusted DNS server and TLS certificate
validation should flag if someone attempts to impersonate that server.
It's up to you which server to trust: CloudFlare, Google or your own
that you set up in some trusted data centre.
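As an added illustration (not part of the post above, and not an official NetBSD configuration), here is an unbound resolver configuration that combines the two mechanisms discussed: DNSSEC validation of the records and DoT to a nominated upstream whose TLS certificate is checked against a CA bundle. The file paths are assumptions for a NetBSD-style layout; the upstream addresses are Cloudflare's public resolver and you would substitute whichever provider you decide to trust.

```conf
# unbound.conf: validating, DoT-forwarding resolver (added example)
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC: validate answers against the root trust anchor.
    # Path is an assumption; unbound-anchor(8) maintains the file.
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Treat answers that should be signed but arrive unsigned as bogus,
    # which is exactly the "strip out the DNSSEC data" case above.
    harden-dnssec-stripped: yes
    # Return SERVFAIL for bogus data instead of passing it through.
    val-permissive-mode: no
    val-log-level: 1

    # DoT: CA bundle used to verify the upstream's certificate.
    # Path is an assumption (pkgsrc ca-certificates installs here).
    tls-cert-bundle: "/etc/openssl/certs/ca-certificates.crt"

# Forward everything over TLS; "#hostname" after the address makes
# unbound check that name against the presented certificate, so an
# impersonating server on the path is rejected rather than answered.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

After restarting unbound, `dig +dnssec @127.0.0.1 netbsd.org` should return the `ad` flag for signed zones, and the upstream connection should fail (rather than silently fall back to plaintext) if the certificate does not match the configured name.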
