DNS over HTTPS: things to consider when you go “private”


fredbert

Moderator
NAS Support
Subscriber
2,585
1,047
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
> but for the average home / SoHo user, the former isn't relevant, and the latter should be obvious,
The 'average' home/SoHo user generally has very little experience and is a consumer of services.

However, the average home user with a family that relies on access controls for web destinations should be interested if DoH is being used and enables a way that circumvents these mechanisms. Plus these mechanisms would also have to use DoH/DoT too: once the client device has its securely-got IP, the mechanism will have to inspect the request for the payload's URL, and reverse DNS the packet's dst IP, otherwise any hiding will be exposed via traditional DNS.

DoH isn't going to be that much of an issue with most businesses. There are already proxy services, whether onsite or cloud, that will enforce use of intermediate SSL certificates for internal users. These then facilitate the proxy inspecting any and all requests. Doing this requires quite a bit of oomph hardware-wise, but it'll have to become commonplace.
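An added illustration of the two points above (example code written for this page, not from the thread or from Synology's software): a family blocklist applied the lightweight way, to cleartext port-53 queries, and the way the post describes, to each flow's SNI name or the reverse DNS of its destination IP, plus what a TLS-inspecting proxy could recover from an RFC 8484 DoH GET request. The blocklist, IPs, hostnames and reverse-DNS table are all constructed.

```python
import base64
import struct

# Constructed example data (not from the thread): a family blocklist and a
# reverse-DNS table standing in for the PTR lookups the filter would perform.
BLOCKED_NAMES = {"example-blocked.test"}
RDNS = {"198.51.100.7": "example-blocked.test", "192.0.2.10": "doh.example.test"}


def dns_query_wire(qname: str) -> bytes:
    """Minimal RFC 1035 A query: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set; ID 0 as RFC 8484 suggests
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def qname_from_wire(msg: bytes) -> str:
    """Read the QNAME back out of the question section."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def doh_get_url(resolver_host: str, qname: str) -> str:
    """RFC 8484 GET form: wire query, base64url-encoded, padding removed (/dns-query is the usual path)."""
    q = base64.urlsafe_b64encode(dns_query_wire(qname)).rstrip(b"=").decode()
    return f"https://{resolver_host}/dns-query?dns={q}"


def qname_from_doh_url(url: str) -> str:
    """What a TLS-terminating proxy can recover once it sees the DoH request itself."""
    q = url.split("dns=", 1)[1]
    return qname_from_wire(base64.urlsafe_b64decode(q + "=" * (-len(q) % 4)))


def dns_filter_sees(port53_qnames) -> set:
    """The lightweight filter: it only ever sees cleartext port-53 queries."""
    return {q for q in port53_qnames if q in BLOCKED_NAMES}


def connection_filter_sees(connections) -> set:
    """The stronger check from the post: judge each (dst_ip, sni) flow by its SNI name,
    falling back to reverse DNS of the destination IP when no SNI is present."""
    blocked = set()
    for dst_ip, sni in connections:
        if (sni or RDNS.get(dst_ip, "")) in BLOCKED_NAMES:
            blocked.add(dst_ip)
    return blocked
```

With a DoH client, the only port-53 query is the bootstrap lookup of the resolver's own name, so `dns_filter_sees` returns nothing while `connection_filter_sees` still catches the flow by SNI or reverse DNS.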
Well said, Fred.

My point was that the objections that enterprises have against DoH (that were the main argument in the ZD article linked) don't really apply to the average home/SoHo user.

Though I wasn't thinking about its nefarious use in either a business or a home context (eg moody teenagers) :)
fredbert
> Though I wasn't thinking about its nefarious use in either a business or a home context (eg moody teenagers) :)
I deleted a bit I was going to add about ISPs holding the account holder responsible for what happens from their connection and used 'nefarious' ... had to double check if I'd left it in :)

I'm wondering if DoH will have a serious impact on HTTPS use, where, to track the DoH section within HTTPS, all HTTPS will have to be inspected. Hands up who wants to pull in a virus ... no-one, ok so that lightweight DNS-based mechanism is now useless.

Is DoH (hiding DNS in HTTPS) analogous to having to do 100% population surveillance to identify a few terrorists?