
Nothing is wrong with DoH. When people complain about it, it's generally because they like being able to successfully perform the kind of attacks it's meant to prevent, e.g., censorship and surveillance of traffic between endpoints they own neither of, just because the traffic passes through their network.



Are you familiar with https://pi-hole.net/ ?

In my house I want DNS resolution to be performed by my own DNS resolver (https://github.com/NLnetLabs/unbound), after I block ad domains.

DoH circumvents that.
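The bypass this comment describes is visible on the network even when the device itself cannot be changed. The following is an added example, not code from the thread: it classifies constructed flow records so a home operator can see which devices resolve names somewhere other than the local Pi-hole/unbound host (plain DNS to an outside address, or HTTPS to a known public DoH resolver). The local resolver address and the DoH resolver list are assumptions for the example.

```python
# Added example: find devices that resolve names outside the local resolver.
# Flow records, LOCAL_RESOLVER and KNOWN_DOH_RESOLVERS are constructed/assumed.
from dataclasses import dataclass

LOCAL_RESOLVER = "192.168.1.2"  # assumed address of the Pi-hole/unbound host
# Assumed: a short operator-maintained list of public DoH resolver IPs.
KNOWN_DOH_RESOLVERS = {"198.51.100.10", "203.0.113.20"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify(flow: Flow) -> str:
    """Return 'local', 'plain-dns-bypass', 'doh-bypass' or 'other'."""
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        return "local" if flow.dst == LOCAL_RESOLVER else "plain-dns-bypass"
    if flow.dport == 443 and flow.dst in KNOWN_DOH_RESOLVERS:
        return "doh-bypass"
    return "other"


def bypassing_devices(flows):
    """Map each source IP to the set of bypass kinds seen for it."""
    result = {}
    for f in flows:
        kind = classify(f)
        if kind.endswith("-bypass"):
            result.setdefault(f.src, set()).add(kind)
    return result


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("192.168.1.50", "192.168.1.2", 53, "udp"),     # honours local resolver
    Flow("192.168.1.77", "198.51.100.10", 443, "tcp"),  # sealed-box device, DoH
    Flow("192.168.1.77", "198.51.100.10", 443, "tcp"),
    Flow("192.168.1.90", "203.0.113.99", 53, "udp"),    # hard-coded plain DNS
    Flow("192.168.1.50", "203.0.113.20", 443, "tcp"),   # same laptop, also DoH
]

if __name__ == "__main__":
    for src, kinds in sorted(bypassing_devices(SAMPLE_FLOWS).items()):
        print(src, sorted(kinds))
```

DoH to a resolver not on the list looks like any other HTTPS connection, so this only catches the resolvers you already know about; a device using its own unpublished protocol is not detectable this way at all.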


I agree with you, but the counterargument that'll be made against you is "you should be doing that on the endpoints".

That counterargument ignores the fact that you can be the owner of an endpoint but not be permitted, by manufacturer's policy, to control the software running inside. That's what you get for purchasing a proprietary device.

So, as the network operator and owner of the endpoints in the world of DoH (and pinned certificates), you end up being left with the decision to "vote with your wallet" and simply not purchase devices that don't afford you influence on name resolution (or whatever functionality we're talking about).

The counterargument goes on to say that the manufacturers of these sealed-box devices can functionally do this today anyway, simply by implementing their own proprietary name resolution (content delivery, etc.) protocol.

It was all fun while it lasted.


Just configure your endpoints to point at an ad blocking DoH server.


My partner has a Google Chromecast. Please tell me how I can configure it to use a DoH server I want, rather than the one dictated by Google. How about the video intercom systems in my apartment building? How can I configure them to use servers I trust rather than an unknown?


> My partner has a Google Chromecast. Please tell me how I can configure it to use a DoH server I want, rather than the one dictated by Google. How about the video intercom systems in my apartment building? How can I configure them to use servers I trust rather than an unknown?

Devices you don't control are under no obligation to follow your network's DNS policy, or even use published protocols for name resolution at all.


I mean yeah, if you don't trust the devices on your network...don't add them to your network?


Yeah, this entire topic is strange to me. Is the crux of the issue that some devices come with unchangeable DNS servers, so when these are configured to be DoH then they can't be MITMed?



