Bitcoin Forum
Author Topic: DNS over HTTPS  (Read 272 times)
Vod
November 08, 2019, 08:25:39 PM
 #1

DoH!  Will this be the end of cloudflare?   How will this forum and other websites handle DDOS attacks?

Pamoldar
November 08, 2019, 08:28:04 PM
 #2

DoH!  Will this be the end of cloudflare?   How will this forum and other websites handle DDOS attacks?
What is happening? I really do not like this cloudflare thing.
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.

Lauda
November 08, 2019, 08:33:11 PM
 #3

Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.
I really hope that this is a joke gone wrong.

DoH is long overdue, but unfortunately has many downsides that weren't remedied properly. It's all good though, 99.9% of you guys are sheep.
Note: Good read, if you're interested in malware that uses DoH.

ibminer
November 08, 2019, 08:41:53 PM
 #4

Maybe I haven't researched this enough but why wouldn't CloudFlare be capable of handling DoH?
https://developers.cloudflare.com/argo-tunnel/reference/doh/

suchmoon
November 08, 2019, 08:50:05 PM
 #5

IIRC Cloudflare provides the DNS service for Mozilla's half-assed centralized DoH implementation so I'm sure NSA will still be able to track everything you do on teh intertubes just fine.

Lauda
November 08, 2019, 09:05:46 PM
Merited by Vod (1)
 #6

IIRC Cloudflare provides the DNS service for Mozilla's half-assed centralized DoH implementation so I'm sure NSA will still be able to track everything you do on teh intertubes just fine.
Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

suchmoon
November 08, 2019, 09:08:47 PM
Merited by ibminer (1)
 #7

Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

I got nothing to hide. I don't have any life outside of this forum anyway:

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.

ibminer
November 08, 2019, 10:27:35 PM
 #8

Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

I got nothing to hide. I don't have any life outside of this forum anyway:

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.


Ok, a bit off topic but damn, that blows my total time logged in out of the water lol. Out of the 2,107 days you've had an account, you've spent almost half of it logged into the forum.  Shocked  
I spend a good chunk of time reading while not logged in though so I guess mine is not really an accurate representation of actual time I've spent visiting the forum, at least.. but you make me feel like a newbie.



.. I can't touch that.  Grin


(To keep this somewhat on topic.. MC hammer is Lauda trying to run from CloudFlare/NSA. Cheesy)

suchmoon
November 08, 2019, 11:03:01 PM
 #9

Out of the 2,107 days you've had an account, you've spent almost half of it logged into the forum.  Shocked  

To be fair, I'm pretty sure the number is bogus. It increased by 4 days since Wednesday. Even accounting for the fact that I run some scrapers under my login, this doesn't make any sense. It's likely that my logged-in time will EXCEED my total account age at some point.

TryNinja
November 08, 2019, 11:13:00 PM
 #10

To be fair, I'm pretty sure the number is bogus. It increased by 4 days since Wednesday. Even accounting for the fact that I run some scrapers under my login, this doesn't make any sense. It's likely that my logged-in time will EXCEED my total account age at some point.
Do you usually open more than one tab of the forum? The time increases by the number of tabs you have open, so if you have 60, it goes up 1 minute per second. It's not that accurate.

Vod
November 08, 2019, 11:35:17 PM
Last edit: November 09, 2019, 02:13:41 AM by Vod
 #11

Total time logged in: 1004 days, 4 hours and 23 minutes.

My profile scraper:
Total time logged in: 1070 days, 4 hours and 21 minutes

Bitsky
November 09, 2019, 08:55:26 AM
Merited by DooMAD (2), ETFbitcoin (1), psycodad (1), PrimeNumber7 (1)
 #12

What is happening? I really do not like this cloudflare thing.
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.
You cannot just write a script to stop a DDoS. If it was that easy, every CMS system and OS would have it already implemented. DDoS works mostly by saturating your uplink; while a script on a server can still filter requests, it cannot reduce traffic before it reaches that server.

DoH is long overdue, but unfortunately has many downsides that weren't remedied properly. It's all good though, 99.9% of you guys are sheep.
It only has downsides.
1. Supporters say that it stops your ISP from snooping, but DoH would concentrate 99.9% of all requests at Cloudflare. If you do not trust your ISP, why trust Cloudflare? Because they promise not to spy? Yeah, sure.
2. Since DoH is just an HTTP request, every piece of software/malware can contact its own hardcoded resolver and ignore system DNS settings. That's a bullet into the head for most DNS-based adware/malware filters. Yes, you can define your own resolver in Firefox, but how many average people will do that? Right now you block udp/tcp port 53 to stop access to resolvers except those you allowed.
3. If it were really about securing DNS with encryption, Mozilla/Google/et al. would support DoT, which is already defined in RFC 7858 and would smoothly integrate into current networks instead of risking breaking a core functionality of the Internet.
4. DoT provides the same security as DoH, and still leaves users all the filter/blocking options DNS currently has. You would only enforce DoH if you want all user data concentrated at a single point, ripe for analysis, profiling, censorship, tracking and spying. There is no reason to trust Cloudflare more than your ISP, so the trust argument is entirely void.

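Point 2 above, as an added example that is not part of Bitsky's post: a port-53 block catches classic DNS to an unapproved resolver but never sees DoH, which is ordinary HTTPS, so the only remaining network signal is the destination itself. This Python runs that detection logic over constructed flow records; the internal resolver address 10.0.0.53, the hosts and the endpoint list are assumptions for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Policy assumptions for this example (adjust for a real network): clients may
# only talk to the internal filtering resolver 10.0.0.53, and Cloudflare's
# public resolver 1.1.1.1 is the one known DoH endpoint on the list.
ALLOWED_RESOLVERS = {"10.0.0.53"}
KNOWN_DOH_ENDPOINTS = {"1.1.1.1"}

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow: Flow):
    """Return a finding for a flow that sidesteps the DNS filter, else None."""
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        if flow.dst in ALLOWED_RESOLVERS:
            return None
        # Classic DNS to an unapproved resolver: the port-53 block handles this.
        return f"{flow.src}: plain DNS to unapproved resolver {flow.dst} (port-53 policy violation)"
    if flow.dport == 443 and flow.proto == "tcp" and flow.dst in KNOWN_DOH_ENDPOINTS:
        # DoH is plain HTTPS, so the port-53 block never sees it; the only
        # remaining network signal is the destination. Note this also matches
        # ordinary web browsing to the resolver's own site.
        return f"{flow.src}: HTTPS to known DoH endpoint {flow.dst} (possible DNS-filter bypass)"
    return None

def findings(lines):
    """Run classify() over every non-empty log line and keep the hits."""
    return [hit for hit in (classify(parse_flow(l)) for l in lines if l.strip()) if hit]

# Constructed sample flows: one compliant host, one using an outside resolver on
# port 53, one talking to 1.1.1.1 on 443 (documentation ranges used elsewhere).
SAMPLE_FLOWS = """\
10.0.1.20 10.0.0.53 udp 53
10.0.1.20 198.51.100.7 tcp 443
10.0.1.21 192.0.2.53 udp 53
10.0.1.22 1.1.1.1 tcp 443
""".splitlines()

if __name__ == "__main__":
    for hit in findings(SAMPLE_FLOWS):
        print(hit)
```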
theymos (Administrator)
November 09, 2019, 01:05:43 PM
Merited by Foxpup (6), ETFbitcoin (1)
 #13

This isn't a Meta issue... DoH is unrelated to Cloudflare's DDoS protection service.

I can understand why Firefox etc. are doing it. ISPs have a history of screwing up / tampering with DNS; networks & operating systems often have DNS misconfigured; and Microsoft isn't going to fix anything at the OS level. So for the average user it's going to improve the experience.

But it's giving Cloudflare (ie. a probable NSA honeypot) an unprecedented level of data on users and websites, and also an unprecedented level of control. Cloudflare will be able to take down or redirect sites unilaterally now, only having to fear getting removed by Firefox as a result. Everyone uses ICANN's root servers because everyone else uses ICANN's root servers. If everyone starts to use Cloudflare, then Cloudflare becomes the new ICANN in practice.

Hopefully Tor isn't stupid enough to enable this in Tor Browser, since that'd allow for pretty trivial traffic analysis by Cloudflare, and you wouldn't be able to disable it without highlighting yourself as one of a few people behaving oddly.

It's really a demonstration of the failure of the Internet on a technical level. The Internet is decades of dirty hack on top of dirty hack, and now we're ending up with a world where the only easy way to get things working decently is "just put literally everything on Cloudflare". Very dangerous. The whole structure of the Internet needs to be rethought.

I agree with the idea of moving away from ISP resolvers and traditional port-53 DNS. It sucks. Though ideally it'd be done at the OS level, and in any case you can do a lot better than DoH, yet another dirty hack. For example, it probably wouldn't slow things down much for Firefox to just act as a recursive DNS resolver. That'd be maximally decentralized. Or you could at least use a private information retrieval protocol in order to rely on a single resolver like Cloudflare without actually giving them any information, and have the resolver also provide the full chain of DNSSEC authentication for every query answer.

ibminer
November 09, 2019, 03:12:25 PM
 #14

This isn't a Meta issue... DoH is unrelated to Cloudflare's DDoS protection service.

I'd think anything DNS-related is unrelated to a DDoS attack, in general.. not just CloudFlare. Unless the DDoS is targeting a DNS server with resolutions in an attempt to overwhelm it, they are typically attacking one or more IPs with some form of traffic and don't really need a DNS server at all. Might be why the thread started derailing. Tongue

If we're going to discuss DoH in general, it doesn't seem to me it is really protecting anyone from being tracked by ISPs or middle-men, if that's what the point of this is supposed to be. Outside of something like Tor, once this encrypted resolution is complete, you would still be connecting to a public IP address that could be tracked and identified, potentially using RDNS or just a DB that is kept which conducts regular resolutions on domains they may want to monitor and stores the IPs to cross-reference.

I don't think it is ever a good idea adding an additional point of failure for a DNS resolution inside of a browser, as I'd think this could negatively affect a user's experience within the browser if CF is having issues. I don't quite understand why DoT isn't more of an accepted solution in this situation.

100bitcoin
November 09, 2019, 04:46:53 PM
 #15

This DoH thing appears to be new to me. Can anyone please provide an ELI5?

retweeting
November 09, 2019, 04:48:04 PM
Merited by 100bitcoin (2)
 #16

This DoH thing appears to be new to me. Can anyone please provide an ELI5?

https://developers.cloudflare.com/1.1.1.1/dns-over-https/
Chris Barth
November 09, 2019, 05:39:58 PM
 #17

This, as I believe, isn't the end of Cloudflare.
Though I understand that increasing bandwidth won't prevent these attacks, I've come to see that it helps give some extra minutes before resources are completely claimed by the attacks.

Bitsky
November 10, 2019, 09:04:16 AM
Merited by suchmoon (4)
 #18

Conveniently, they do not mention that DoH does nothing for your privacy when someone can monitor your traffic.

Let's assume you used DoH to resolve a domain to its IP. Now you can be happy because your ISP (or any middlemen) cannot see where you go, right?

Wrong.

1a. If the target website has a dedicated IP, the bad guys can try a PTR lookup for the domain name,
Code:
dig +short -x 1.1.1.1

1b. or just check the certificate for the domain names it is valid for:
Code:
echo | openssl s_client -connect 1.1.1.1:443 2>&1 | openssl x509 -noout -text | grep 'DNS:'

2. If the target website is a virtual host (shares the same IP with other websites) then the bad guys just have to watch the traffic, because in order to offer the correct certificate, the server first needs to know where you want to go. And because you cannot have a TLS session without the certificate, your client sends out the server_name in plain over HTTP first to tell the server which certificate to send back.

3. Thanks to OCSP (not stapled), the browser will send a request to the CRL-URL of the CA via HTTP (not HTTPS) so it can be seen in plain text in your traffic.

4. If you use Firefox, the bad guys just need to reply to a DNS query for use-application-dns.net with NXDOMAIN to disable DoH (for now).

So, to sum it up, you get no additional privacy, but less. Having 99.9% of all DNS requests centralized will sooner or later get the attention and interest of not only data-analysts and advertising networks, but also governments.

DoH theoretically protects you from forged replies, but only if you really trust Cloudflare. However, DNSSEC was specifically designed to let the zone-master sign the reply and is already fully functional and available.

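Item 2 above (the server_name sent in the clear) is the leak a network observer relies on even when DoH hides the lookup. As an added illustration that is not part of Bitsky's post, this Python builds a constructed minimal TLS ClientHello and then parses it the way a passive monitor would, showing the host name is readable without any DNS at all; the host name, the fixed random bytes and the extension layout are assumptions for the example. This is the gap that Encrypted Client Hello (ECH) in TLS is designed to close.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.
    Constructed for this example; real browsers send many more extensions."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    # An unrelated extension placed first (supported_versions, 0x002b) so the
    # parser has to walk the extension list instead of assuming SNI comes first.
    sv_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = sv_ext + sni_ext
    body = (b"\x03\x03"                              # client_version
            + b"\x11" * 32                           # random (fixed for reproducibility)
            + b"\x00"                                # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16

def extract_sni(record: bytes):
    """Return the host_name a passive observer can read from a ClientHello, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                     # skip client_version and random
    if off >= len(body):
        return None
    off += 1 + body[off]                             # skip session_id
    if off + 2 > len(body):
        return None
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # skip cipher_suites
    if off >= len(body):
        return None
    off += 1 + body[off]                             # skip compression_methods
    if off + 2 > len(body):
        return None                                  # no extensions block at all
    end = min(off + 2 + struct.unpack("!H", body[off:off + 2])[0], len(body))
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        edata = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == 0x0000 and len(edata) >= 2:
            q = 2                                    # skip server_name_list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                if ntype == 0:
                    return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
    return None
```

Calling `extract_sni(build_client_hello("forum.example.net"))` returns the host name in cleartext, which is exactly what a middlebox on the path sees regardless of how the name was resolved.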