Apple adding DoT and DoH support


  • Could have seen this coming I guess:
    WWDC 2020, Enable encrypted DNS

    He talks about "opt in", but that is in reference to the app developers, not the user, if I am understanding correctly. Seems like just a matter of time before we've got far more than just a few browsers circumventing local DNS.

    haha "also called doh!" :)

  • LAYER 8 Global Moderator

    Yeah should be spelled d'oh, this would properly express what you should be saying if enabled..

    Now my dns is secure.. I'm only sending everywhere I go on the net to this single company, they sure wouldn't use it in ways to make them even more money - D'oh!!!


  • LAYER 8 Global Moderator

    hhheheh - very appropriate!


  • The problem of ISPs being given free rein to collect and sell data without any oversight is concerning. DoT/DoH is, however, not a solution. Additionally, it's not all that hard for an ISP to put together a profile of your surfing habits without ever seeing your DNS requests. If you really are in a tin-foil hat mood with all this you will need to route everything through a VPN and never use services like Netflix or Spotify. Oh, and that mobile phone...

    The solution lies (intended spelling) with our lawmakers. I would suggest not holding your breath. Money talks.


  • I get a strange satisfaction when I see all of the tracking sites in the DNSBL list, never mind the really malicious stuff that I probably don't even notice because there are so many tracking sites.

    Yeah, if I had enough money to be influential, I'm sorry to be so honest but I probably wouldn't be enjoying everyone's company on this forum :)

    My primary concern is that it looks to me like our existing DNSBL capabilities may soon become practically useless. Furthermore, I'm concerned about reports of malware that is actually utilizing DoH. I'm guessing that all of this will put a lot of onus onto IPS, and raise the bar above the abilities of average enthusiasts like me.


  • @billl If it's all encrypted an IDS/IPS isn't much help. 😧

  • LAYER 8 Moderator

    @jwj said in Apple adding DoT and DoH support:

    DoT/DoH is, however, not a solution.

    I disagree on the DoT part. DoT is IMHO like HTTPS for the web. But the problem is - like HTTPS - that is has to be configured and maintained by the corresponding server owner. And you can't simply use it as additional setup like HTTPS and tell clients "try DoT on that server and if not, fall back to DNS".

    So DoT wouldn't be a bad idea if it would be implemented more like HTTPS and pushed as hard - or made mandatory by the DNS roots/registrars that your SOA NS Server has to supply both DNS and DoH for your domain to be OK. Then we could simply step up the client side DNS resolvers by using switches like "try DoT first, then fallback" or "try DoT but don't use unsafe DNS - use a custom forwarder" etc. And with more and more servers having to support DoT the switch could go on like the move from HTTP to HTTPS.

    That way you don't centralize DNS but merely move to DNS with TLS instead but are still decentralized.

    But DoH or central DoT servers are indeed not a solution for a free decentralized web.


  • I didn’t think this was a new thing? I have seen apps on iOS trying to bypass local DNS for a while now. I now use an IP ban list for known DoH servers.

  • LAYER 8 Global Moderator

    Yeah but blocking dns to any outside dns via 53 is very easy to block.. But when they sneek it out via common (pretty much the whole internet) port of 443.. Blocking it becomes a whole new problem

    While dot is easy to block as well, since it use 853..

    Where the real problem is going to happen is when they have hardcoded stuff like dns.domain.tld and also a list of ips to try because the doh server is being hosted on CDN.. Which every changing IPs, and IPs that are used to serve up content you want to allow..

    It's going to become a real nightmare if you ask me.