DNS over TLS sometimes not able to open website
-
johnpoz LAYER 8 Global Moderator | last edited by johnpoz May 25, 2021, 11:17 AM | May 25, 2021, 11:15 AM
@daddygo said in DNS over TLS sometimes not able to open website:
As far as I know, this eSNI stuff is a half-abandoned project
Pretty sure it's fully done with - the replacement is ECH (encrypted client hello). When that might actually be something is really hard to say.
But really without esni or ech, all of the encrypted dns technologies are half-assed and don't really do anything.. What's the point of hiding that you're asking for something.domain.tld from the bad isp, when you actually go to that IP you send the name in the clear via the sni.
If the sni is hidden as well from the bad isp - when you go to the IP they would know you're going to 1.2.3.4, but with CDNs you could be going to 1 of 1000's of domains. So hiding the sni is really needed if any of the hiding of your dns query is going to do anything other than hand your dns to xyz dns provider, with your bad isp knowing where you're going anyway.
-
@johnpoz said in DNS over TLS sometimes not able to open website:
@daddygo said in DNS over TLS sometimes not able to open website:
As far as I know, this eSNI stuff is a half-abandoned project
Pretty sure it's fully done with - the replacement is ECH (encrypted client hello). When that might actually be something is really hard to say.
But really without esni or ech, all of the encrypted dns technologies are half-assed and don't really do anything.. What's the point of hiding that you're asking for something.domain.tld from the bad isp, when you actually go to that IP you send the name in the clear via the sni.
@johnpoz, so you say fix your SNI.. okee... but how? :)
-
johnpoz LAYER 8 Global Moderator | last edited by johnpoz May 25, 2021, 11:26 AM | May 25, 2021, 11:18 AM
Fix? There is nothing for you to fix..
Until the browser and/or app wanting to use tls/ssl and the resource you're going to support a way to encrypt where you're actually going (whatever.domain.tld), there is nothing you can do to actually hide where you're going from the isp other than a full vpn.
They know what IP you're going to, and via the sni that is in the clear in the handshake they will know you're going to whatever.domain.tld without really much more effort than looking at their dns logs.
If they do it this way they know for sure you went there; with just dns traffic all they know is you asked about something.domain.tld, they don't know if you actually tried to go there.
-
@johnpoz said in DNS over TLS sometimes not able to open website:
Pretty sure it's fully done with - the replacement is ECH (encrypted client hello).
Thanks for the confirmation, then it's finally an abandoned project.
Yes, there is still a lot of work to be done to make the good old DNS standard more secure :)
-
@johnpoz said in DNS over TLS sometimes not able to open website:
Fix? There is nothing for you to fix..
Until the browser and/or app wanting to use tls/ssl and the resource you're going to support a way to encrypt where you're actually going (whatever.domain.tld), there is nothing you can do to actually hide where you're going from the isp other than a full vpn.
They know what IP you're going to, and via the sni that is in the clear in the handshake they will know you're going to whatever.domain.tld without really much more effort than looking at their dns logs.
If they do it this way they know for sure you went there; with just dns traffic all they know is you asked about something.domain.tld, they don't know if you actually tried to go there.
Yeah my bad. "Fully done with" I kinda read as finished and usable instead of an abandoned project.
-
johnpoz LAYER 8 Global Moderator | last edited by johnpoz May 25, 2021, 11:34 AM | May 25, 2021, 11:33 AM
From what I have been reading esni will never become a viable thing.. ech is the current direction; will that ever come to fruition is anyone's guess.
Either method, esni or ech or whatever else might come about, is really a major task. Because it's not only the client that has to do it - it's also every resource you would be going to.
It's kind of like how dnssec has never really gone full mainstream, while it's been about for years and years. It depends on the domain to implement it.. This is the problem - many domains don't do it, and then there are ones that do it - and borked up their implementation to the point it's only causing them issues.
And every registrar is supposed to support dnssec for the tlds that support it to be accredited - but sadly this is not true.. There are many registrars that do not actually have any way to start using dnssec with domains you have registered with them, or their implementation is so bad that it makes it almost impossible for your average joe to jump through the hoops required to get it to function..