Show HN: Small tool to query XML data using XPath (github.com)
5 points by linkdd 18h ago 1 comments
Show HN: dbSurface – A Developer Tool for pgvector (github.com)
4 points by z-gort 1d ago 1 comments
Why not use DNS over HTTPS (DoH)?
83 Bogdanp 93 6/8/2025, 8:36:56 AM bsdhowto.ch ↗
And abusing https is for a good reasons. Blocking ports 53 and 853 is easy and many ISPs will do that.
The author also make it feel like the only option is to use cloudflare DoH on Firefox while that's the first option, there is also nextdns and custom field. There are many providers I would trust more like quad9 and Mullvad DoH.
I think the reasons why not to use DoH is the same for why not using public dns from providers you don't trust anyway.
Most of the people are happily using 8.8.8.8 and handing all their dns information to the biggest advertisement company in the world. Or wosre, using their ISP provided DNS.
In fairness, the date on the post is 2018 - when Firefox first launched this, Cloudflare was the only option
With modern recursive DNS, you don't leak much to the root servers, just the tld you're trying to resolve. And you can axfr the root zone and then the root servers only know you're a resolver. The TLD servers know a lot, by necessity, though.
If the goal is to reduce centralization, a better approach would be to use encrypted DNS (DoH or DoT) with resolver rotation or randomization. That way, users retain privacy from local networks and ISPs without concentrating all DNS traffic in a single provider’s hands.
You’ll only be vulnerable to a MitM attack if your system’s resolver is insecure and also vulnerable to a MitM attack.
> Cloudflare gets all your DNS queries.
That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.
> Complexity is the enemy of security.
That's true, but that's no reason to go from an imperfect solution to a nonsolution.
> there is DNS over TLS
That doesn't solve most of the issues that the author brought up.
> How does a modern company in the IT business earn money? By selling data.
Maybe I'm naive, but I thought they made money by using all the data they collect for better threat prevention, and from their paid services.
Cloudflare, on the other hand is based in a foreign jurisdiction that offers none of these protections.
It really depends on which jurisdiction are you in, unfortunately. US ISPs are selling everything they can hover (including DNS information) to advertisers, and it is impossible to switch to another one unless you're lucky (because the monopoly is essentially maintained).
Many ISPs explicitly sell DNS data, and are also advertising vendors.
Cloudflare, on the other hand, doesn’t share or sell data and retains minimal data: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...
So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.
* Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.
Even if you use a VPN?
They know your government id when you subscribe to their service.
CloudFlare, otoh, never have your identity. They only have the metadata
Based on what?
The bar is real low, mostly for the fact that ISPs are mandated by law in most if not all countries to track traffic flowing through their pipes.
Cloudflare provides relatively better privacy guarantees for the public DNS resolvers it runs: https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...
CF issues are dealt with “hope to get a post on HN trending”.
You're next argument might be "but how do you know the server is really using ODNS?" You don't. If your security threat profile doesn't allow for this, whatever you're doing shouldn't be using a public internet network anyway.
If you live in a rural area where people are co-operative, there might be a community owned fibre operator plus Opeanreach, otherwise just Openreach.
If you live somewhere very silly, like up a mountain or on your own island, your only practical option will be paying Openreach to do the work.
Edited to add, Notably: Only Openreach is usable by an arbitrary service provider. So if you want to pick your service provider separately, the actual last mile delivery will always be Openreach. And if they're small it won't just be last mile, Openreach also sell backhaul to get your data from some distant city to the place where the ISP's hardware is, you're buying only the, like, actual service. Which is important - mine means no censorship, excellent live support and competent people running everything, but the copper under the ground is not something they're responsible for (though they are better than most at kicking Openreach when it needs kicking)
In the UK there are even aggregators like Fibre Café [1] that makes it easier for ISP's to connect through multiple networks.
[1] https://fibrecafe.co.uk/
This is textbook politician's fallacy. Yes, it may be preferable to continue with a "non-solution" if the solution proposed is stupid enough.
DoH does solve a problem for many people. Many large ISPs will sell your DNS requests, use them for targeted advertising, tamper with responses for various reasons, etc., and so DoH is an improvement over the status quo--not for everyone, but for many users, and I'd guess most users.
You're right, DoH might not be worth adopting if it were "stupid enough", but... it's not stupid enough.
We must do something. This is something. Therefore, we must do this.
Agree with the general claim that anything "S" could be a power grab by a single peeper. Google pushing HTTPS in Chrome comes to mind.
>DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries.
How is this a lie? It does protect your queries from MitM. I doubt anyone ever said anything about protecting from everyone - either you keep a synced copy of the entire DNS database (or its part) locally, or send your query to someone else's computer. How else do you expect it to work?
>Refuse to use it today
"Refuse"? Why???
>Is there an alternative way? Yes, there is. It is called DNS over TLS
How does this eliminate the single peeper? You're still sending your query to someone else's computer. DoT encrypts, so it must be a good thing, right?
In some situations, DoT is fine. In others, it won't work, but DoH will.
If we're getting into the technical part of the discussion though, I personally don't think DoH or DoT are great protocols for DNS. Security is fine, but it's a lot of overhead for relatively small requests where latency matters. I wish DNScrypt had gained more traction as an encrypted protocol designed specifically for DNS.
At the end of the day, if your problem is you don't trust the DNS provider to also be snooping, no flavor of encrypted DNS will solve it. Whoever lands the DNS query will be able to snoop whether it's TLS or DoH
https://ietf-wg-ohai.github.io/oblivious-http/draft-ietf-oha...
Due to recent browser problems I was giving Brave a shot. It's an interesting browser, but it has DoH enabled in a way that seemingly cannot be entirely disabled. It can be frustrating to not be able to interact with a lot of services because the browser is disregarding my local policy on my system.
Some of the websites just don't open without DoH.
The advantages of self-hosting recursive servers include complete configurability, absence of censorship, tracking, and rate limits. However, like any self-hosting solution, it requires an investment of time and money. It's also important to note that DNS lacks an authentication layer, so for access restrictions, it should be placed within a private network or VPN.
The issue of pre-configured DNS over HTTPS (DoH) in many browsers and mobile devices can be addressed through firewall rules on your router.
For creating your own DNS infrastructure, I recommend dnsdist if you have ample time, though bind and unbound are also viable options.
For the past three years, I have been running dnsdist with recursive servers on two ARM VPS instances, costing around 14 EUR per month. This setup provides me with DNS over TLS (DoT), DoH, and other features. I use them with unbound (TLS) or dnsproxy and dnscrypt-proxy across routers, servers, and other machines. For mobile devices, I utilize DoH directly.
Previously, I used bind in recursive mode without any encryption beyond SSH tunneling or VPN.
Alternatively, I can recommend ffmuc as a DNS provider.
[0]: https://en.wikipedia.org/wiki/DNS_spoofing#Cache_poisoning_a...
You can't run a public service without reflecting something, but you can endeavour to make the reflection ratio small.
https://adguard-dns.io/en/welcome.html
Run hyperlocal root, run your own dns.
His "don't move off 22 for ssh" is also just opinion. He argues "you will be found" but misses the experience of those of us running on shifted ssh is continuously validated by the visibly lower level of probes we see. He offers no mathematical analysis of how quickly a port knock sequence will be uncovered, and again dismisses it as infeasible and useless.
I've got nothing against strongly held opinions and these are his. But, form your own opinions too.
Worse than that, that post misunderstands it's own statement:
"Sure, you will see fewer attacks than before, but most of the attackers are no longer just stupid bots"
That's a *good* thing, because the move has reduced the signal to noise ratio. By getting rid of most of the crufty noise of the internet, you now know that anything hitting your logs now is more likely to be an actual threat than the poorly automated dictionary attack bots.
Moving SSH to a different port doesn't make the system much more secure (and definitely shouldn't be the only thing you do), but it does generally enable you to be more responsive.
I sometimes think of putting my private servers on completely random IP addresses drawn from /64 IPv6 ranges. It should be near-impossible to find those by address scanning, unless I'm overlooking something dumb. Am I? It wouldn't surprise me.
For example suppose you put my-private-server.vanity-domain.example in DNS with an AAAA pointing to your private server - "passive DNS" service means big DNS providers will sell the answers they saw when anybody (say, yourself, on somebody else's computer) asks AAAA? my-private-server.vanity-domain.example. They don't reveal who asked, so this isn't personal information, but they do reveal what the question was and its answer.
A long time ago we used this to build target portfolios, if we're going to sell your company our product X, this is way we can see that you already have products A, B and C, but not D, E or F so we look a bit smarter coming into the sale.
Come to think of it, I could have a private DNS too. I haven't bothered with that.
Also, does anyone know what's the safest option? And how to configure it for all our home devices?
[1] https://github.com/semihalev/sdns
I think the ideal solution would be if the root servers adopted encryption of some sort. But I can see why they're somewhat reluctant to do that, especially with relatively heavy protocols (compared to DNS) like DoH or DoT.
Edit: With the existence of QNAME minimization, I guess I should say that the requests to the root servers or authoritative DNS servers are unencrypted. This does at least spread out the risk a little, since other than your ISP there's probably some variation in who is actually between you and the various servers you're making requests to.
Article is a bunch of strong opinion with nothing to back them.
because then we could use DoH for hiding our DNS requests..
DoH requests go to /dns-query so you only need that path to proxy onto your DoH handler.
Some DoH clients will also allow you to specify a custom path, so you can also obfuscate the path by configuring client and server to use /foobar instead.
But, re-using an existing site does come at the cost of generating a bunch of extra log noise (fine if it's just you, not so fine if it isn't). If you don't have some kind of auth in place, you might also find that you suddenly come under a lot of load (when I ran a public DoH service, I eventually started getting a lot of traffic from users in an authoritarian country)
Why discredit the whole post by adding an irrelevant tl;dr?
If it's privacy, why offer DNS-over-TLS as an alternative? It has exactly the same privacy properties.
If it's security, then tl/dr and first section makes no sense.
DoH using HTTPS for example is a reasonable choice; it blends the DNS traffic in with HTTPS traffic, not requiring network operators to open a new port and, in fact, making it harder for network operators to stop you from being able to use it. If you are not on a hostile network then there's not much of a practical advantage of picking DoH or DoT, but the reasoning for why DoH made this choice is not unreasonable. And HTTP may be more complicated than DNS, but neither of them are really close to the complexity of TLS, and any OS is going to need at least one good implementation of both if it plans on existing on the Internet, so I'm really not sure why this seems like a good place to draw the line.
Secondly, okay sure, don't trust Cloudflare... But, on the other hand, why is it better to send your DNS requests unencrypted? i.e. why would you disable DoH entirely? One party peeping is still less than an arbitrarily large number? In practice there is an extremely good chance that even if Cloudflare acted in a maximally malicious manner, having them as your DNS provider is the least scary implication. They already have untold amounts of information about you from the fact that they're a middle man terminating TLS for a lot of the websites you visit. And while it would be nice to have private DNS that is hardened against Cloudflare or the U.S. government spying on you, this is kind of at odds with having DNS be low latency, accurate and reliable.
I think a lot of actual dislike of DoH comes from people who believe that network operators should be the ultimate controllers of their domain, but in the future we actually got most people don't even control the WiFi in their home to any meaningful extent. As much as it's hard to trust Google or Cloudflare, since you know they have bad incentives to circumnavigate the will of the user and network operators, they are in the unfortunate situation of "having a good point" with regards to DoH. I ultimately never liked Firefox's decision to roll out DoH by just automatically sending DNS requests to Cloudflare using a trust-me-bro promise; oddly enough, Chrome did a more reasonable approach, trying to use whatever your configured DNS server is, but automatically upgrading it to DoH if it was a resolver that had a known DoH endpoint.
Granted, I believe Google Chromecast devices also will attempt to use DoH to get around a Pi Hole, so obviously I'm not trying to give any undue credit here. You still can't really trust Google or Cloudflare on the whole. But, being wrong about some things doesn't mean you're also wrong about other things, and the points made in favor of DoH still do stand, especially when it is configured explicitly by the end user. (P.S.: and it's silly to really dwell on this point too much anyways. If you had a truly malicious party, they could simply not use any kind of DNS to resolve names at all, in an effort to make their traffic harder to block. Using DoH is still less obscure.)
The bottom line is though, it's not clear if you can really trust your own ISP anymore than Cloudflare, especially depending on where you live. Ultimately, it's not hard to see why Firefox made this choice.
>Is there an alternative way?
What about just using different provider that you trust?
What if I trust Cloudflare more than I do trust my ISP?