On Tue, Jul 7, 2020 at 5:20 AM Stuart Henderson via mailop <mailop@mailop.org> wrote:

> On 2020/07/07 10:27, Noel Butler via mailop wrote:
> > On 07/07/2020 01:01, Johann Klasek via mailop wrote:
> >
> >
> >     I have been told that DoH is set into place to solve the privacy
> >     problem. At a small DNS workgroup meeting I saw a presentation on how
> >     they statistically identify users by their DNS traffic, and could
> >     create a profile with interests and affectations these users have. I
> >     think DNS is not as anonymous as one would expect.
> >
> >
> >
> > Don't you think there is more chance of a perfect picture of you being
> > built from, ohh I dunno, long-standing things like netflow :)
> >
> > It will tell me a whole lot more about you than any DNS query could.
>
> Straying a bit off-topic but, with traditional DNS, requests are often
> aggregated first with other devices in your house/company by a local
> forwarder or NAT, then again at your ISP with their other customers,
> before being passed on to other servers with whom you don't have a
> customer relationship.
>
> Looking at netflow data, it's at least aggregated with other devices
> behind the same NAT IP, and a lot of it is just "tcp 443 to cloudflare"
> or whatever which tells a lot less than DNS query data.
>
> With DoH the query stream immediately goes to somewhere that often
> you don't have a customer relationship, and is separated nicely
> per-application (not even per-device), so yes a DNS provider very
> often does get a better picture of you than an ISP would have from
> netflow data.
>

There seems to be a lot of mixing of the technical DoH vs. the Mozilla
implementation (push everyone to use certified providers). I.e., Chrome is
defaulting to using DoH for the same DNS provider you're already using (if
they support it), which doesn't seem like it makes much difference from the
policy/privacy discussion here.

Of course, Chrome also probably supports the enterprise policies to set DoH
as well (though I haven't looked).

And, especially for mobile clients, DoH means that DNS queries for Chrome
will go through the same corp proxies you're already using, instead of
leaking internal web requests to external DNS providers. Mozilla is likely
the same there.

And I think this discussion is underestimating the number of users already
being tracked at the DNS level by their ISPs. I know I may be odd here
working for one of the big players, but I trust the privacy policies and
statements of some of the "large centralized" providers you mention over my
telco.

I do agree that the concept of running DNS over HTTPS seems completely
bonkers at a first pass.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop