DNS over HTTPS: things to consider when you go “private”


fredbert

but for the average home / SoHo user, the former isn't relevant, and the latter should be obvious,
The 'average' home/SoHo user generally has very little experience and is a consumer of services.

However, the average home user with a family that relies on access controls for web destinations should be interested: if DoH is being used and enables a way that circumvents these mechanisms. Plus these mechanisms would also have to use DoH/DoT too: once the client device has their securely-got-IP, the mechanism will have to inspect the request for the payload's URL, and reverse DNS the packet's dst IP, otherwise any hiding will be exposed via traditional DNS.

DoH isn't going to be that much of an issue with most businesses. There're already proxy services, whether onsite or cloud, that will enforce use of intermediate SSL certificates for internal users. These then facilitate the proxy inspecting any and all requests. Doing this requires quite a bit of oomph hardware-wise but it'll have to become commonplace.
 
Well said, Fred.

My point was that the objections that enterprises have against DoH (that were the main argument in the ZD article linked) don't really apply to the average home/soho user.

Though I wasn't thinking about its nefarious use in either a business or a home context (eg moody teenagers) :)
 

fredbert

Though I wasn't thinking about its nefarious use in either a business or a home context (eg moody teenagers) :)
I deleted a bit I was going to add about ISPs holding the account holder responsible for what happens from their connection and used 'nefarious' ... had to double check if I'd left it in :)

I'm wondering if DoH will have a serious impact on HTTPS use, where to track the DoH section within HTTPS then all HTTPS will have to be inspected. Hands up who wants to pull in a virus ... no-one, ok so that lightweight DNS-based mechanism is now useless.

Is DoH (hiding DNS in HTTPS) analogous to having to do 100% population surveillance to identify a few terrorists?
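
An added example, not written by any poster in this thread: a DNS-based access control only sees names that pass through the local resolver, so this Python code correlates a resolver log with outbound flows and flags connections to addresses the client never resolved locally, which is how lookups made over DoH to an outside resolver show up on the network. The log layouts, the `grace` period and the function names are assumptions, and all sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (documentation address ranges), not real logs.
DNS_LOG = [  # (epoch_seconds, client_ip, qname, answer_ips, ttl_seconds)
    (1000, "192.168.1.10", "example.com", ["192.0.2.34"], 300),
    (1005, "192.168.1.20", "example.org", ["203.0.113.7"], 60),
    (1010, "192.168.1.10", "example.net", ["198.51.100.5"], 300),
]
FLOW_LOG = [  # (epoch_seconds, client_ip, dst_ip, dst_port)
    (1001, "192.168.1.10", "192.0.2.34", 443),     # resolved locally
    (1020, "192.168.1.20", "203.0.113.7", 443),    # resolved locally, within TTL
    (1030, "192.168.1.20", "198.51.100.99", 443),  # never resolved locally
    (1200, "192.168.1.20", "203.0.113.7", 443),    # local answer long expired
    (1040, "192.168.1.10", "198.51.100.5", 80),    # resolved locally
    (1050, "192.168.1.20", "198.51.100.5", 443),   # resolved, but by another client
]

def unresolved_flows(dns_log, flow_log, grace=60, ports=(80, 443)):
    """Return web flows whose destination the client did not get from the local resolver.

    A hit is a lead, not proof: applications that cache past the TTL or use
    hard-coded addresses look the same as a client resolving names elsewhere.
    """
    # (client, ip) -> time windows in which a locally served answer was live
    valid = defaultdict(list)
    for ts, client, _qname, answers, ttl in dns_log:
        for ip in answers:
            valid[(client, ip)].append((ts, ts + ttl + grace))
    flagged = []
    for ts, client, dst, port in flow_log:
        if port not in ports:
            continue
        windows = valid.get((client, dst), [])
        if not any(start <= ts <= end for start, end in windows):
            flagged.append((ts, client, dst, port))
    return flagged

def clients_by_unresolved(flagged):
    """Count flagged flows per client so the noisiest device stands out."""
    counts = defaultdict(int)
    for _ts, client, _dst, _port in flagged:
        counts[client] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = unresolved_flows(DNS_LOG, FLOW_LOG)
    for hit in hits:
        print("no local DNS answer for flow:", hit)
    print(clients_by_unresolved(hits))
```

This needs only resolver and connection metadata, so it works without decrypting any HTTPS traffic.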
 
