Oblivious DNS-over-HTTPS
This new protocol, called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.
Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
IETF memo.
The paper:
Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client’s content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.
Slashdot thread.
Clive Robinson • December 8, 2020 3:46 PM
@ ALL,
Like some here I’ve heard people say things about ODoH. Some think it does not “do enough” on the “Oblivious” side of things as it’s effectively “proxy only” and that it’s going to be “client app usable with minimal proxy” rather than just Server OS where control by a system owner is “global within the computer”. Thus application updates can “reset” the users security configuration at whim.
Something Silicon Valley Big Corps are known to do frequently, which others also remark is perhaps not coincidental in that it is being pushed by two of Silicon Valley Corps’ biggest (CloudFlare and Apple). Which raises other suspicions. Not least of which is CloudFlare is quite capable of “tagging” traffic through 1:1 proxies fairly easily as well as other “traffic analysis” techniques.
I guess nothing is perfect but I’m thinking being cautious and mitigating the abuse potential in ODoH is way beyond most single system users.
Guess I’ve got to plow through the docs to see what’s actually being said vis “mandatory behavior” set by the user in the OS -v- “Discretionary behavior” changeable by those who write apps and app add ons to effectively bypass “Mandatory behavior”.