Why not use DNS over HTTPS (DoH)?

Original link: https://www.bsdhowto.ch/doh.html

DNS over HTTPS (DoH) encrypts DNS queries with HTTPS, with the aim of protecting them from eavesdropping. While proponents stress its privacy benefits, critics argue that it concentrates DNS queries at a single provider, creating a new and potentially more powerful data collector. The core issue is trading broad, decentralized surveillance for centralized surveillance.

The author argues that DoH is not a real solution, claiming it merely shifts data visibility to a single profit-driven entity such as Cloudflare while ignoring the risk of data monetization. A better alternative is DNS over TLS (DoT), which provides transport encryption for DNS without the unneeded complexity and security risks that HTTP encapsulation brings.

The author is not opposed to modernizing DNS or adding security features that protect user privacy, but considers DoH a flawed implementation. He criticizes the complexity DoH introduces by requiring an HTTP module in DNS servers, which increases the likelihood of bugs and vulnerabilities. He urges users to disable DoH in Firefox by setting "network.trr.mode" in about:config to 5.

A Hacker News thread discussed the article "Why not use DNS over HTTPS (DoH)?". Key points:

* **DoH and eavesdropping:** One commenter (ggm) notes that the article does not discuss which public DNS providers support DTLS, and suggests that DoH merely moves the eavesdropping from one party (e.g. Cloudflare) to another. They advocate running a local DNS resolver.
* **SSH port security:** ggm disagrees with the author's position on not changing SSH port 22, citing personal experience that probes decreased after changing the port. They also criticize the article's dismissal of port knocking for lacking a mathematical argument.
* **IPv6 security:** One user (throwaway81523) mentions using random IPv6 addresses for private servers and asks whether this approach is secure enough.
* **IPv6 scanning difficulty:** tialaramex confirms that scanning random IPv6 addresses is impractical, but clarifies that for such an address to be reachable it has to be "published" via DNS or some other means, and points out that "passive DNS" logging can expose such addresses when DNS lookups for them are made.

Original article
BSD How To

Last update: 2018-10-26

tl;dr

DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries.

Refuse to use it today: Open about:config in Firefox and set network.trr.mode to 5. This will prevent Firefox from using DoH under all circumstances.

What is DNS over HTTPS (DoH)?

DNS over HTTPS is described in RFC 8484 as a way to perform DNS by wrapping it in HTTP and additionally encrypting the data using TLS. Advocates of DoH stress that the transport encryption protects your DNS queries from peepers like your ISP or your network admin at work. Critics object that all DNS queries are directed to a single DNS provider, who becomes the one known peeper.

The basic idea

The basic idea behind new developments like DoH is to protect your DNS queries from peepers by implementing transport encryption: the same type of transport encryption that protects many other application protocols like HTTP and SMTP. This is a very good idea because DNS queries in clear text contain very interesting metadata about the sites you communicate with over the Internet. This can be useful information for any kind of bad guy, be it the NSA or the cyber-criminal.

DoH encrypts, so it must be a good thing

The public didn't care about this RFC until Mozilla announced that it would implement this new protocol in Firefox for broad field testing in collaboration with Cloudflare. The first reactions to this were: “DNS gets encryption? This must be a good thing.” But slowly people started to realize what the collaboration between Mozilla and Cloudflare really means: Cloudflare gets all your DNS queries.

But Cloudflare has a data protection policy

So what? Cloudflare is a commercial company. And commercial companies, by definition, must earn money. How does a modern company in the IT business earn money? By selling data.

Is there an alternative way?

Yes, there is. It is called DNS over TLS and is specified as a proposed standard in RFC 7858. This provides transport encryption to DNS without abusing HTTP as transport protocol.
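As an added example (not code from the original article) of what RFC 7858 actually specifies: a minimal DoT client in Python that frames a DNS message with the plain 2-byte length prefix of DNS over TCP and sends it over a certificate-verified TLS session on port 853. The resolver IP and certificate name passed to `query_over_tls` are assumed placeholders you supply yourself.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS port assigned by RFC 7858

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    # Minimal RFC 1035 query: 12-byte header (RD flag set, one question), then
    # labels, terminating zero, QTYPE (A = 1) and QCLASS (IN = 1).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_for_dot(message: bytes) -> bytes:
    # RFC 7858 defines no new framing: it reuses the 2-byte big-endian length
    # prefix of DNS over TCP. No HTTP request, headers or media types involved.
    return struct.pack("!H", len(message)) + message

def split_dot_stream(data: bytes) -> tuple[list[bytes], bytes]:
    # Split bytes read from a DoT connection into complete DNS messages; a
    # truncated trailing message is returned as leftover for the next read.
    messages = []
    while len(data) >= 2:
        (length,) = struct.unpack("!H", data[:2])
        if len(data) < 2 + length:
            break
        messages.append(data[2:2 + length])
        data = data[2 + length:]
    return messages, data

def answer_count(message: bytes) -> int:
    # ANCOUNT field of the DNS header (bytes 6-7).
    return struct.unpack("!H", message[6:8])[0]

def query_over_tls(name: str, resolver_ip: str, server_name: str) -> bytes:
    # Send one query to a DoT resolver and return the first response message.
    # The default context verifies the resolver's certificate against
    # server_name, which is what keeps an on-path peeper from impersonating it.
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                buf += chunk
                messages, _ = split_dot_stream(buf)
                if messages:
                    return messages[0]
```

Calling `answer_count(query_over_tls("example.com", "<resolver-ip>", "<resolver-hostname>"))` against a DoT resolver you trust returns the number of answer records; the framing and parsing helpers work offline.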

Why are you against changes in DNS?

I'm not. The DNS needs modernization. The DNS needs security features that prevent the peepers from reading your DNS traffic. I'm all in for it. But DoH is NOT the answer to this.

But the protocol itself is a good idea

No, it is not. Abusing HTTP as a transport protocol for DNS data adds unneeded complexity to the protocol. You must add an HTTP module to all DNS servers or interact with a separate HTTP server on the same system in order to support DoH. That is a lot of code which can contain a lot of bugs and security flaws. Complexity is the enemy of security.
