Pushing DOH sounds like a bad idea

This idea of pushing down domain addresses from any old random website seems like a really bad idea. Anyone else think so?

DoH just means DNS requests are encrypted instead of sent in the clear; you seem to misunderstand the term/technology/protocol.

This is in reference to the latest episode of Security Now @philodygmn. I think @pinter understood perfectly, and he is right; it doesn’t sound like a great idea to me.

@pinter What will make it “safe” will be the implementation of signed DNS entries via DNSSEC. Although I don’t know enough about DNSSEC to know if the entries are also time stamped… because you wouldn’t want it to be serving obsolete entries that should have aged out.
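On the time-stamp question above: every DNSSEC RRSIG record carries Signature Inception and Signature Expiration fields (RFC 4034 §3.1), and a validator must reject a signature whose window does not contain the current time (RFC 4035 §5.3.1), which is what stops an obsolete record from verifying. The Python below is an added example, not code from any poster in this thread; it parses a constructed RRSIG RDATA and applies that validity-window check (the record values, including the zeroed signature bytes, are constructed sample data, and real validation must also verify the signature itself).

```python
import struct
from dataclasses import dataclass

@dataclass
class RRSig:
    type_covered: int
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int   # seconds since epoch, 32-bit field
    inception: int    # seconds since epoch, 32-bit field
    key_tag: int
    signer_name: str
    signature: bytes

def _read_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed wire-format name (RRSIG signer names are never compressed)."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii")); off += n
    return ".".join(labels) + ".", off

def parse_rrsig(rdata: bytes) -> RRSig:
    """Parse RRSIG RDATA per RFC 4034 section 3.1: 18 fixed bytes, signer name, signature."""
    tc, alg, labels, ttl, exp, inc, tag = struct.unpack_from("!HBBIIIH", rdata, 0)
    signer, off = _read_name(rdata, 18)
    return RRSig(tc, alg, labels, ttl, exp, inc, tag, signer, rdata[off:])

def _serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 serial-number arithmetic (the 32-bit timestamps wrap in 2106)."""
    return a == b or ((b - a) % 2**32) < 2**31

def within_validity(sig: RRSig, now: int) -> bool:
    """RFC 4035 section 5.3.1: accept only if inception <= now <= expiration."""
    return _serial_le(sig.inception, now) and _serial_le(now, sig.expiration)

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

# Constructed sample: RRSIG over the A RRset (type 1) of example.com, algorithm 13, valid for one day.
INCEPTION = 1_600_000_000
EXPIRATION = INCEPTION + 86_400
SAMPLE_RDATA = (struct.pack("!HBBIIIH", 1, 13, 2, 3600, EXPIRATION, INCEPTION, 12345)
                + encode_name("example.com.")
                + bytes(64))  # placeholder signature bytes (constructed, not a real signature)
```

Calling `within_validity(parse_rrsig(SAMPLE_RDATA), t)` returns True only for times inside the one-day window, so a cached or replayed RRSIG presented after its expiration fails the check regardless of how it reached the resolver.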

Early DNS replacement stunts earned the instigators ire because there was really no disclosure of those replacements, and no way to disclose them, but as you note, @PHolder, proper authentication would restore that versatility.

@philodygmn As pointed out I’m referring to the latest episode. The idea that any site can start pushing down DNS records to your browser seems like asking for a lot of trouble. DNS poisoning is a problem now; imagine if any site anywhere is able to hand out DNS records to anyone. As @PHolder points out I’m sure there’s a way to do this securely, but the kinds of shenanigans I can imagine from this seem like they will keep Steve busy well past ep 999.

It strikes me as a somewhat similar problem-set to that being forged by “dapps”, decentralized apps: webs of trust rather than canonized central/top-down reference-sets. The problem, I think, lies less in sites having a hand in negotiating a step in the chain than it does in the chain having no involvement from the user other than the requested record. Ultimately, encryption and the user’s own network of trust should replace the one, centralized index. But without that infrastructure in place and well vetted, I completely agree it’s a recipe for disaster and it may be that the cart is being put before the horse ATM. Properly preparing for it will require patience the industry has never demonstrated itself to have, unfortunately, so in that I share your trepidation over this initiative in its current form.

