Apple Adds Support for Encrypted DNS (DoH and DoT) (zdnet.com) 16
In a presentation at its developer conference this week, Apple announced that the upcoming versions of its iOS and macOS operating systems will support the ability to handle encrypted DNS communications. From a report: Apple said that iOS 14 and macOS 11, set to be released this fall, will support both the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols. Normal DNS (Domain Name System) traffic takes place in clear text and has been used by internet service providers and others to track users in the past, usually to create profiles to sell to online advertisers. But DoH and DoT allow a desktop, phone, or individual app to make DNS queries and receive DNS responses in an encrypted format, a feature that prevents third-parties and malicious threat actors from tracking a user's DNS queries and inferring the target's web traffic destinations and patterns.
Comment removed (Score:4, Insightful)
Re: (Score:2)
There is secure DNS, but it's about authentication, making sure you're not getting spoofed or intercepted, it's not about hiding the information. These solutions here seem relatively heavyweight, suitable for PCs or phones for not for small resource constrained devices, but maybe the phones is where the need for privacy is in countries with repressive governments.
Re: (Score:2)
DoH/DoT is really not for most of us Slashdotters. We tend to be older, middle class, white dudes in Western countries. We're privileged and the extent to which we are surveiled is a breach of our privacy by nosy advertisers. It doesn't put our lives at risk. These features are meant to protect people whose life could be in danger if their Internet habits were to be made known. Please remember that when you'll be fuming on your keyboards about how DoH/DoT is useless, it concentrated power and so on.
DNS over TLS as part of the naming stack is a positive and welcome development. (As opposed to Mozilla's reckless implementation)
Yet the fact remains anyone who promulgates the idea this technology is providing safety when in fact it is doing nothing of the sort is far worse than doing nothing. It is only helping to "put lives at risk".
My karma be damned, I had to say this.
It's nonsense.
So long as it's per connection type (Score:3)
I've got my own router configured to do DoT but I'd like this for regular cell use and when on other's wifi.
But if it's like Firefox' where THEY choose the resolver - I'm not sure they're operating in MY best interest.
Re: (Score:2)
They chose the default resolver. You can use any resolver you like.
Re: (Score:2)
But if it's like Firefox' where THEY choose the resolver - I'm not sure they're operating in MY best interest.
Sounds like its in *your* best interest to RTFM. You can change the resolver to whatever you want. Firefox even gives you a nice idiot friendly UI to do it complete with a list of several common options including "Cloudflare", "NextDNS", or the very evil and ambiguously named "Custom".
Yeah evil Firefox imaging that, providing the user with the ability to set their own settings. It's 2020. This shit should be hidden deep somewhere in about:config, not under "Options".
Bastards are ruining the internet!
Re: (Score:2)
Sounds like its in *your* best interest to RTFM. You can change the resolver to whatever you want. Firefox even gives you a nice idiot friendly UI to do it complete with a list of several common options including "Cloudflare", "NextDNS", or the very evil and ambiguously named "Custom".
Yeah evil Firefox imaging that, providing the user with the ability to set their own settings. It's 2020. This shit should be hidden deep somewhere in about:config, not under "Options".
Parent has a point. All that comes up is a scary security prompt that does not give you a selection of providers. You don't get to pick a provider. The prompt is intentionally engineered to do two things:
1. Scare people into choosing secure and private with language that does not match reality.
2. Lead people into thinking this is simply a notice dismissed by clicking OK. It is not really providing a choice between Enable and Disable. It is engineered to be dismissed by the typical luser as yet another
The good, the bad and the ugly. (Score:2)
Re: (Score:2)
Bad: an app developer can set their own DoH/DoT settings for his/her own app, that bypasses what power users that have their own home infrastructure might had set before.
Which any application can already do by including its own DNS resolver rather than relying on the one provided by the OS. Nothing's been lost on that front.
I suppose you could previously restrict outbound DNS traffic to specific destinations, however if we're considering the level of maliciousness for an app to be implemented with its own version of DNS, there's nothing preventing an attacker from setting up their own DNS server on a non-standard port and having their application contact that. So, still,
Sigh (Score:1)
Been stock on my Android for over a year.
Keep going, Apple, you'll be first at something at some point.
old skool... (Score:1)
Re: (Score:2)
That's not old school
In my day we memorized the MODE COM commands and the corresponding AT commands to run before trying to send a bang addressed email to an endpoint that was the beginning of the bang route to the recipient. Networking required knowing the modem speed and type you were routing through.
You misspelled Leaking MITM DNS. (Score:2)
Just run a freakin DNS server on your box, and be done with it.