On 08/21/2018 04:47 PM, Philip Homburg wrote:
>> If I got it well, what you are trying to bypass is your ISP's
>> security filter that prevents you from connecting to malware or to
>> illegal content (e.g. intellectual property violations and the
>> likes).
> As a user, I think there is little reason to trust an ISP.
>
> If you take a mobile device, do you trust every hotel, bar, etc. where you
> may connect to the wifi? Are they all competent? Are you sure none of them
> will violate your privacy?
Then you have a problem that's not solvable in DNS itself (yet). That's what people usually forget to consider. The hostnames are clear-text in https handshakes (so far), and it seems relatively easy to collect those. So, by tunneling *only* DNS you don't make it much more difficult for the ISP, and in addition you share the names with some other party. That doesn't sound very appealing to me personally, from a privacy point of view at least. (On the other hand, big resolvers will have lots of cached answers, etc.)

https://tools.ietf.org/html/draft-rescorla-tls-esni-00

After SNI encryption gets widely deployed, tracking through IP addresses only will be somewhat harder, so there it will start getting interesting. Until then, IMHO you just need to either trust the ISP or tunnel *all* traffic to somewhere, e.g. via tor or VPN to some trusted party.

--Vladimir
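Added example, not part of Vladimir's message or the ESNI draft: a minimal parser that pulls the clear-text server_name out of a TLS ClientHello, illustrating what an on-path observer (ISP, hotel wifi) sees today and what ESNI/ECH is meant to remove. The ClientHello bytes are constructed inline rather than taken from a real capture.

```python
import struct
from typing import Optional

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record (not a real capture) with an optional SNI extension."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type host_name(0)
        sni_list = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension type server_name(0)
    body = (
        b"\x03\x03"                      # client_version
        + bytes(32)                      # random (zeros here; constructed)
        + b"\x00"                        # session_id length 0
        + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # one compression method: null
        + struct.pack(">H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake(22)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the clear-text server_name from a ClientHello record, or None if it is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                    # not a handshake record / not a ClientHello
    pos = 9 + 2 + 32                                   # record hdr(5) + hs hdr(4), version, random
    pos += 1 + record[pos]                             # skip session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]   # skip cipher_suites
    pos += 1 + record[pos]                             # skip compression_methods
    if pos + 2 > len(record):
        return None                                    # no extensions block at all
    ext_end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        pos += 4
        if ext_type == 0x0000:                         # server_name extension
            name_type = record[pos + 2]                # after the 2-byte server_name_list length
            name_len = struct.unpack_from(">H", record, pos + 3)[0]
            if name_type == 0:                         # host_name entry
                return record[pos + 5 : pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # the name an on-path observer reads
    print(extract_sni(build_client_hello(None)))           # nothing to read without SNI
```

A resolver-only tunnel leaves this field untouched, which is the point of the paragraph above; only encrypting SNI (or tunneling the whole connection) changes what `extract_sni` would return on the ISP side.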
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop