
> I trust my ISP and government more than a US company I have no formal contract with and the US government.

And every single intermediary and whoever else might be listening in? This is an unencrypted plaintext connection. Which is the main point here. The whole "we trust ISP more" thing is completely beside the point. The point is DNS is horribly insecure nowadays, and it is about damn time we switch to something better.

> Also, there's the whole 'applications should not override system level settings' thing.

Hopefully, DoH will become a system level setting eventually.



If you use your ISP's DNS servers, there is no intermediary between you and them.


If you use wi-fi without a VPN, you have the coffee shop and the coffee shop's ISP. And anyone listening there. Of course there is cleartext SNI even for SSL connections... but alas.


What coffee shop? I only connect to wifi at home and at the office.


And you're the only person who uses mobile computing devices.


Not sure what point you’re trying to make here.


Unless your ISP is running Huawei equipment. ;)


There aren't many intermediaries if you use your ISP's internal resolvers.


And there are intermediaries between Cloudflare/other DoH providers and the respective authoritative nameservers anyway.


My ISP is subject to specific regulations for licensed network providers, which Cloudflare isn't.

Thus, Cloudflare is the problematic intermediary.


But unless they have the private key for CloudFlare certs, they can't snoop in so it doesn't matter if there are intermediaries in between.


The traffic between Cloudflare and the authoritative nameservers will be good old 53/udp.

The only thing the snooper won't be sure of is which Cloudflare client asked for that record.
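The two technical claims in this thread, that a port 53 lookup is readable by anyone on the path and that the resolver-to-authoritative leg stays that way even when the client uses DoH, are easy to see on the wire. The following is an added example written for this page, not code from any commenter or from Cloudflare: it builds a constructed DNS query and reply in RFC 1035 wire format, parses them the way a passive observer would (name compression included), and then wraps the same message in the RFC 8484 GET form that a DoH client sends inside HTTPS. The name example.com, the transaction ID, the documentation address 192.0.2.1 and the `/dns-query` endpoint path are illustrative assumptions.

```python
import base64
import struct
from typing import Dict, List, Tuple

# Wire format per RFC 1035; DoH GET encoding per RFC 8484. Every packet below is
# constructed in code for illustration, not captured from a real resolver.

def encode_name(qname: str) -> bytes:
    """Encode a domain name as length-prefixed labels, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Single-question query (A record by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def build_dns_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed reply: same ID, QR/RD/RA flags, the echoed question, and one A
    record whose owner name is a compression pointer back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns the name and the offset just past it in the original position."""
    labels: List[str] = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def snoop_dns(packet: bytes) -> Dict[str, object]:
    """Everything a passive observer on the path learns from one cleartext
    UDP/53 message: the name being asked for and, in replies, the answer."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rdata.hex()))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def doh_get_path(packet: bytes) -> str:
    """RFC 8484 GET form: the identical wire-format message, base64url without
    padding, in the query string of an HTTPS request. On the wire an observer
    sees TLS records, not a readable name. (RFC 8484 recommends a DNS ID of 0
    in this form so responses cache well; the endpoint path is an assumption.)"""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")

def doh_decode(path: str) -> bytes:
    """Server side: restore padding and recover the wire-format message."""
    value = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

if __name__ == "__main__":
    q = build_dns_query("example.com")
    r = build_dns_response(q, "192.0.2.1")  # 192.0.2.1 is an RFC 5737 documentation address
    print("observer sees query:   ", snoop_dns(q))
    print("observer sees response:", snoop_dns(r))
    print("same message over DoH: ", doh_get_path(q))
```

Running it shows the queried name and the returned address recovered from raw bytes with nothing more than offset arithmetic, which is what any hop between the client and the resolver can do on port 53. The DoH path carries the byte-identical message; what changes is only that it travels inside TLS to the resolver, and the resolver's own upstream queries to authoritative servers remain the cleartext form parsed by snoop_dns, minus the original client's address.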



