Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
nicce 4 days ago

By looking the list of negative sides of DNS over TLS (DoT) in there, this project seems to list artificial problems, which makes me want to avoid the whole project. Maybe there are real benefits on using this protocol, but they should not make the list of problems looking longer than it actually is.

The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away in implementation level. Nothing also prevents forcing TLS 1.3 which removes most of the described other problems.

This especially sounds odd:

> Questionable practical benefits over DoH

But DoH brings the full TLS stack and also the HTTP stack as well? At the same time the project complains about increased attack surface in DoT, but DoH just extends it even more.

If I also look the DoH list, there is

> Requires TCP

But just few lines befeore, they say that DoH supports HTTP/3 which is UDP.

E.g. Android has supported it 3 years already:

https://security.googleblog.com/2022/07/dns-over-http3-in-an...

throw28158916 3 days ago | parent [-]

I think my opinion is based on idea that for connection between my pc/router and dns server certificates PKI is not needed. You can just hardcode/configure public key of dns server and that is it. Similar to wireguard or ssh server.

> The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away in implementation level.

I agree that TLS is understood, tested, used every day etc. I do not agree that you sleep calm at night. For example a few years ago [1] or [2] mozilla removed root CA from firefox for bad behavior. And you can argue everything is working properly because bad behavior was detected and removed but the thing is - you can avoid this group of problems entirely by avoiding PKI in protocol. That is why I like dnscrypt protocol more. Less problems to worry about. You only change hardcoded/configured public key if you change which dns server you are using (not a big deal). You do not have to regularly update router to keep root ca store up-to-date. Do you update your router every month? Because I do not.

[1] https://www.feistyduck.com/newsletter/issue_53_certificate_a...

[2] https://www.itbrew.com/stories/2022/12/02/mozilla-microsoft-...

nicce 3 days ago | parent [-]

I see that point. But you can do the same with DoT? Instead of public key, you just pin the cert and bypass CA in that way. And you get the perfect forward secrecy and other benefits of TLS. But this might require the regular update of certs, and does not solve your maintenance problem.