To me this feels like turtles all the way down. Ultimately who owns and controls the layer-4 proxies and DoH servers matters and can easily get into turtle arguments. Who controls the certs controls the mathematical obfuscation (encryption) also matters. Pieces of the puzzle can be shared and recombined at any time.
Me personally, I will stick with running my own DoH servers and thus I need not run any turtles (layer 4 proxies) in the middle of my already encrypted connections. Anyone running Unbound DNS can enable DoH if Unbound was built including '--with-libnghttp2' which the Alpine Linux version has. At the moment my browser is talking to Unbound over DoH on my local network so I get the advantages of ECN but I can easily switch it to any server where I have installed Unbound. Ultimately DNS at some point will be unencrypted UDP port 53 so I would rather it be me that determines where that happens so I can optimize my own cache and pre-cache cron jobs to mask my DNS behavior, but that's just me. Others can do whatever they want, as they should. The people that operate my ISP are bigger deviants than I and they know that I know that they know that I know this.
Oh and as a funny side note, I can warm up cache on entirely unrelated nodes and then transfer the cache export to any node and keep it valid on that node as long as I wish making the vast majority of my DNS requests respond in less than 700 nanoseconds not that I am in any hurry.
I can then bring those cache dumps in from any node to my home network making DNS resolution entirely invisible. Automation is only limited to ones imagination. Or AI's imagination. I personally find it beneficial to listen to Pure Imagination from Willy Wonka & The Chocolate Factory (1971)RIP Gene Wilder
It means you can use a decently fast DNS server like Cloudflare without the major privacy problems of using Cloudflare. Or DNS4EU, or any non-ISP DNS server really.
Your ISP snooping on you with SNI logging is something people using normal ISPs don't need to worry about, but feeding all your data into a profit-driven company is.
If you piss off any government enough that you suspect your wires may be tapped, ODoH will not save you and TOR probably will not do much better.
If you live in a place with omnipresent government monitoring (China/Iran/etc.), there is no solution. Any solution to getting wiretapped with a legal order will almost certainly be an extra charge the day you do get arrested.
Please don’t be intentionally tone-deaf. “a nation-state can track my shit therefore it’s not with doing” is a silly, silly, silly approach to security, and does not speak to the concerns of the vast majority of even privacy-focused people.
That's not what I was saying. I'm just saying that if the goal is not to be tracked, that's pretty difficult to achieve with pretty much any normal ISP. Not saying that all forms of tracking are something to be worried about to the point where it's not worth doing defense-in-depth whatsoever... obviously any shred of privacy you can get is good.
My, admittedly cynical, view of it is that the main selling point is that you share your data with the person running the ODoH server.
The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the ip of sexysheep.com doesn't give them a lot of useful info.
I'm think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 udp traffic going elsewhere.
My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.
no, you are actually telling the relay where to redirect your question from the start (because you are encrypting the question with the public key of the destination resolver) - the relay sending the question where it wants would result in the destination to not be able to decrypt it
If relay and target are operated by the same provider, there is no collusion. Collusion occurs between 2+ parties. You have stipulated that they are the same party.
But then the internet can know that you are the one using your own resolvers and so they can trivially identify your traffic.
Really you need to use some public resolver with a critical mass of other users in order to have any hope for anonymity. But then of course you have to trust that resolver too.
By that logic, someone else would ask "what's the point of ECH since that data will just leak via DNS?" and then neither technology would ever roll out. Deploying this now despite that is exactly how you fix that chicken-and-egg problem.
Assuming you don't have ECH, you leak the question (in practical terms) to your ISP, and you leak your question to the DNS provider. With ODoH you plug the latter leak. Plugging that first leak is then still a problem (solved separately) but it's orthogonal to the second.
Even with ECH, where you plug the TLS leak, you have many more holes to plug. IP address might not be shared or might be shared across too few properties, and then traffic profile after the initial connect (to retrieve all the sub-resources) can identify destinations.
It's not limited to the ISP and DNS provider. Thanks to being plaintext it's anyone anywhere along the network path (unless you were already using DoH of course, but sans-ECH is still the entire path regardless).
Anyway I agree with you that plugging leaks is good (notice my adjacent comment). My response there was intended to provide clarification regarding the preceding exchange.
Between so many service operators intentionally purchasing MitM as a service from the cloud providers and the ever increasing proliferation of centralized captcha solutions that work via fingerprinting the entire situation seems increasingly hopeless.
ODoH selling point is same as DoH selling point: third party DNS providers, e.g., shared caches, want query data for commercial purposes^1
And, funnily enough, they want data from users who are looking for "privacy"
Also, ODoH claims it will hide the client's IP address. ECH, even it were adopted by CDNs and websites, cf. being "supported" by a browser,^2 will not hide the client's IP address
1. Silicon Valley has this bizarre narrative where ISPs are the "bad guys" when it's Silicon Valley who created the online surveillance dystopia we are living in. Truthfully it's a competition over who can collect more data, conduct more surveillance and perform more ad services: Silicon Valley or ISPs. Silicon Valley is generally 100% focused on this as a "business model", cf. selling internet access, they have captured the market and they pose a much greater threat to the user seeking "privacy"
2. Where the browser vendor is Silicon Valley and data collection, surveillance and online advertising services is the "business model"
NB. Third party recursive DNS service has other uses besides "privacy", e.g., avoiding censorship
Pretty cool to see someone actually running public ODoH infra instead of just talking about privacy in theory. I'm just wondering what the biggest operational pain has been so far running a public relay.
this is what i was looking for. seems like a truly zero conf alternative to technetium hope it works nice on mac even with docker. can it run as a service? any future integration planned with tailscale? it would be nice to have a pluggable system so this can be used instead of tsdproxy as well. maybe a connection to docker socket is necessary to have a service discovery feature.
speed (over tor) is not a concern either when much of it is served from the cache. alec muffet has the right ideas. but you might want to study his threat-model before copy pasting.
You wrap the DNS request in a different layer of encryption than the relay server, so the relay server only knows you tried to resolve something, and the DNS server only knows someone tried to resolve a particular domain. That's how ODoH works.
To make it harder for parties to collude, you need additional encrypted hops, the way Tor does. ODoH doesn't do that, unless you're routing ODoH through Tor of course.
You would also need some kind of proof that the DNS records returned by the resolving DNS server haven't been tampered with, or a tracking DNS server could direct you to one of their IP addresses and proxy the request transparently. Unfortunately, the best solution we have for that is DNSSEC which is a very 90s take on DNS validation. It works fine if you don't abuse DNS in weird ways, but it's due for a redesign.
Why not? Cloudflare makes 1.1.1.1 available over tor although the latency is through the roof and you still need to consider the possibility of fingerprinting the client network stack.
The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare
Me personally, I will stick with running my own DoH servers and thus I need not run any turtles (layer 4 proxies) in the middle of my already encrypted connections. Anyone running Unbound DNS can enable DoH if Unbound was built including '--with-libnghttp2' which the Alpine Linux version has. At the moment my browser is talking to Unbound over DoH on my local network so I get the advantages of ECN but I can easily switch it to any server where I have installed Unbound. Ultimately DNS at some point will be unencrypted UDP port 53 so I would rather it be me that determines where that happens so I can optimize my own cache and pre-cache cron jobs to mask my DNS behavior, but that's just me. Others can do whatever they want, as they should. The people that operate my ISP are bigger deviants than I and they know that I know that they know that I know this.
Oh and as a funny side note, I can warm up cache on entirely unrelated nodes and then transfer the cache export to any node and keep it valid on that node as long as I wish making the vast majority of my DNS requests respond in less than 700 nanoseconds not that I am in any hurry.
I can then bring those cache dumps in from any node to my home network making DNS resolution entirely invisible. Automation is only limited to ones imagination. Or AI's imagination. I personally find it beneficial to listen to Pure Imagination from Willy Wonka & The Chocolate Factory (1971) RIP Gene WilderYour ISP snooping on you with SNI logging is something people using normal ISPs don't need to worry about, but feeding all your data into a profit-driven company is.
It doesn't matter which ISP you're using if the cables are tapped, which they pretty much are.
If you live in a place with omnipresent government monitoring (China/Iran/etc.), there is no solution. Any solution to getting wiretapped with a legal order will almost certainly be an extra charge the day you do get arrested.
The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the ip of sexysheep.com doesn't give them a lot of useful info.
I'm think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 udp traffic going elsewhere.
My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.
There are no limitations on what these parties can do with the data they collect or where they can transfer it
But then the internet can know that you are the one using your own resolvers and so they can trivially identify your traffic.
Really you need to use some public resolver with a critical mass of other users in order to have any hope for anonymity. But then of course you have to trust that resolver too.
Assuming you don't have ECH, you leak the question (in practical terms) to your ISP, and you leak your question to the DNS provider. With ODoH you plug the latter leak. Plugging that first leak is then still a problem (solved separately) but it's orthogonal to the second.
Even with ECH, where you plug the TLS leak, you have many more holes to plug. IP address might not be shared or might be shared across too few properties, and then traffic profile after the initial connect (to retrieve all the sub-resources) can identify destinations.
Anyway I agree with you that plugging leaks is good (notice my adjacent comment). My response there was intended to provide clarification regarding the preceding exchange.
And, funnily enough, they want data from users who are looking for "privacy"
Also, ODoH claims it will hide the client's IP address. ECH, even it were adopted by CDNs and websites, cf. being "supported" by a browser,^2 will not hide the client's IP address
1. Silicon Valley has this bizarre narrative where ISPs are the "bad guys" when it's Silicon Valley who created the online surveillance dystopia we are living in. Truthfully it's a competition over who can collect more data, conduct more surveillance and perform more ad services: Silicon Valley or ISPs. Silicon Valley is generally 100% focused on this as a "business model", cf. selling internet access, they have captured the market and they pose a much greater threat to the user seeking "privacy"
2. Where the browser vendor is Silicon Valley and data collection, surveillance and online advertising services is the "business model"
NB. Third party recursive DNS service has other uses besides "privacy", e.g., avoiding censorship
then submit a pr to Frank https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v...
sudo numa install handles launchd, numa then becomes tailscale's fallback resolver
docker socket service discovery - on the roadmap
speed (over tor) is not a concern either when much of it is served from the cache. alec muffet has the right ideas. but you might want to study his threat-model before copy pasting.
To make it harder for parties to collude, you need additional encrypted hops, the way Tor does. ODoH doesn't do that, unless you're routing ODoH through Tor of course.
You would also need some kind of proof that the DNS records returned by the resolving DNS server haven't been tampered with, or a tracking DNS server could direct you to one of their IP addresses and proxy the request transparently. Unfortunately, the best solution we have for that is DNSSEC which is a very 90s take on DNS validation. It works fine if you don't abuse DNS in weird ways, but it's due for a redesign.
``` cargo install numa
# set mode = "odoh" in numa.toml ```
Repo: https://github.com/razvandimescu/numa