DNS Security: Threat Modeling DNSSEC, DoT, and DoH

October 10th, 2019

There's been a lot of talk about DNS-over-HTTPS, aka DoH, lately, primarily due to Mozilla's and Google's respective plans to move forward with enabling it in their browsers. There's also a lot of misunderstanding, and a conflation of speculated plans for world domination with the practical benefits of the technology. It seemed useful to me to clarify, at least to myself, the benefits and drawbacks from a more neutral point of view and in comparison to some other approaches to securing the DNS.

The DNS is the famously insecure backbone of most things internet: the cause of endless wasted hours troubleshooting bizarre and inconsistent behavior, only to find out somebody monkeyed around with /etc/hosts. The DNS is the thing we all rely on, yet it uses plain-text UDP with no assurance of the authenticity or integrity of the data. It's really pretty wild, when you think about it.

Anyway, looking at how to secure the DNS, we need to consider the (modified) CIA triad: Confidentiality, …
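As an added example (not code from this post), the following builds and parses a minimal DNS query and A-record response in RFC 1035 wire format. It shows what "plain-text UDP with no assurance of authenticity or integrity" means in bytes: the queried name and the returned address are readable as-is, and an answer whose address bytes were altered parses exactly as cleanly as the genuine one, because nothing in the message is signed. The name, transaction ID and addresses are constructed sample values.

```python
import struct

# Added example, not from the post: minimal RFC 1035 DNS encoder/decoder.
# Sample name, transaction ID and addresses below are constructed values.

def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(pkt: bytes, off: int):
    """Read labels starting at off; return (name, offset just past the terminator)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(txid: int, name: str) -> bytes:
    """12-byte header (RD set, QDCOUNT=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_a_response(query: bytes, ip: str) -> bytes:
    """Echo the question, set QR/RD/RA, append one A record (name pointer to offset 12, TTL 60)."""
    _, off = decode_name(query, 12)
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:off + 4] + rr

def parse_a_response(pkt: bytes) -> dict:
    """Parse header, question and the first A answer. There is no field to verify."""
    txid, flags = struct.unpack("!HH", pkt[:4])
    name, off = decode_name(pkt, 12)
    off += 4 + 2  # skip QTYPE/QCLASS, then the 2-byte compressed name pointer
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return {"id": txid, "flags": flags, "name": name, "ttl": ttl,
            "ip": ".".join(str(b) for b in rdata)}

def name_is_cleartext(pkt: bytes, label: str) -> bool:
    """True if a label of the queried name appears verbatim in the packet bytes."""
    return bytes([len(label)]) + label.encode("ascii") in pkt

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    r = build_a_response(q, "192.0.2.10")        # constructed, documentation range
    altered = r[:-4] + bytes([198, 51, 100, 7])  # address bytes rewritten after the fact
    # Both parse without complaint: no checksum, signature or MAC covers the answer.
    print(parse_a_response(r)["ip"], parse_a_response(altered)["ip"])
```

DNSSEC adds the signature this parser has nothing to check, while DoT and DoH put the whole exchange inside TLS so the bytes are not readable or rewritable on the path in the first place.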
