throw28158916 4 days ago

I am not an expert but I read this website [1] and got the impression that dns-over-tls is the first iteration of encrypted dns and the dnscrypt protocol is the second iteration of encrypted dns, fixing its problems. Also dns-over-tls is not supported by the package dnscrypt-proxy2 on openwrt and I have a personal bias against configuring dns-over-https on routers (in my opinion https is too complex a protocol and has a risk of getting hacked). Maybe I am alone with my opinions - I do not know. I wanted to use dns4eu and got really disappointed with it not supporting dnscrypt. That's all.

[1] https://dnscrypt.info/faq

nicce 4 days ago | parent [-]

Looking at the list of negative sides of DNS over TLS (DoT) in there, this project seems to list artificial problems, which makes me want to avoid the whole project. Maybe there are real benefits of using this protocol, but they should not make the list of problems look longer than it actually is.

The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away at the implementation level. Nothing also prevents forcing TLS 1.3, which removes most of the other described problems.

This especially sounds odd:

> Questionable practical benefits over DoH

But DoH brings the full TLS stack and also the HTTP stack as well? At the same time the project complains about increased attack surface in DoT, but DoH just extends it even more.

If I also look at the DoH list, there is

> Requires TCP

But just a few lines before, they say that DoH supports HTTP/3, which is UDP.

E.g. Android has supported it for 3 years already:

https://security.googleblog.com/2022/07/dns-over-http3-in-an...

throw28158916 3 days ago | parent [-]

I think my opinion is based on the idea that for the connection between my pc/router and the dns server, certificate PKI is not needed. You can just hardcode/configure the public key of the dns server and that is it. Similar to wireguard or an ssh server.

> The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away at the implementation level.

I agree that TLS is understood, tested, used every day etc. I do not agree that you sleep calm at night. For example a few years ago [1] or [2] mozilla removed a root CA from firefox for bad behavior. And you can argue everything is working properly because the bad behavior was detected and removed, but the thing is - you can avoid this group of problems entirely by avoiding PKI in the protocol. That is why I like the dnscrypt protocol more. Fewer problems to worry about. You only change the hardcoded/configured public key if you change which dns server you are using (not a big deal). You do not have to regularly update the router to keep the root ca store up-to-date. Do you update your router every month? Because I do not.

[1] https://www.feistyduck.com/newsletter/issue_53_certificate_a...

[2] https://www.itbrew.com/stories/2022/12/02/mozilla-microsoft-...

nicce 3 days ago | parent [-]

I see that point. But you can do the same with DoT? Instead of a public key, you just pin the cert and bypass the CA in that way. And you get perfect forward secrecy and the other benefits of TLS. But this might require regular updates of the certs, and does not solve your maintenance problem.
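
An added example, not part of the thread or of any project named in it: the maintenance cost of pinning discussed in the last two comments, shown by comparing a pin over the whole certificate with a pin over only its SubjectPublicKeyInfo (the SPKI pin form that RFC 7858 describes for DoT). This goes one step beyond the comment above by adding the SPKI case. The helper names are hypothetical, and `sample_cert` builds constructed, unsigned certificate skeletons so the block runs offline.

```python
import base64
import hashlib

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def read(buf: bytes, off: int):
    """Return (start, body_start, end) of the DER element at off."""
    n, body = buf[off + 1], off + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, body = int.from_bytes(buf[body:body + k], "big"), body + k
    return off, body, body + n

def spki_bytes(cert: bytes) -> bytes:
    """Extract the SubjectPublicKeyInfo element from a DER X.509 certificate."""
    _, cert_body, _ = read(cert, 0)      # Certificate SEQUENCE
    _, off, _ = read(cert, cert_body)    # tbsCertificate SEQUENCE
    if cert[off] == 0xA0:                # optional [0] version
        off = read(cert, off)[2]
    for _ in range(5):                   # serial, sig alg, issuer, validity, subject
        off = read(cert, off)[2]
    start, _, end = read(cert, off)
    return cert[start:end]

def pin(data: bytes) -> str:
    """Base64 of SHA-256, the usual pin encoding."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sample_cert(serial: int, key: bytes) -> bytes:
    """Constructed, unsigned certificate skeleton; illustration only."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))  # OID 1.3.101.112 (Ed25519)
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"250401000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(64)))

KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))  # constructed key bytes
issued = sample_cert(1, KEY_A)    # certificate the client pinned
renewed = sample_cert(2, KEY_A)   # reissued, operator kept the key
rotated = sample_cert(3, KEY_B)   # reissued with a new key
```

`pin(issued)` differs from `pin(renewed)`, so a whole-certificate pin has to be reconfigured at every reissue, while `pin(spki_bytes(...))` changes only when the server key itself is replaced.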