Bitcoin Forum
May 27, 2022, 06:39:43 PM *
News: Bitcoin Pizza bake-off contest
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: DNS over HTTPS  (Read 375 times)
Vod
Legendary
*
Offline Offline

Activity: 3444
Merit: 2929


Licking my boob since 1970


View Profile WWW
November 08, 2019, 08:25:39 PM
 #1

DoH!  Will this be the end of cloudflare?   How will this forum and other websites handle DDOS attacks?

vod.fan - coming soon!  Free image hosting and URL shortening
clubcrypto.live coming soon!  Work and play at home - earn crypto and video game NFTs
1653676783
Hero Member
*
Offline Offline

Posts: 1653676783

View Profile Personal Message (Offline)

Ignore
1653676783
Reply with quote  #2

1653676783
Report to moderator
1653676783
Hero Member
*
Offline Offline

Posts: 1653676783

View Profile Personal Message (Offline)

Ignore
1653676783
Reply with quote  #2

1653676783
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1653676783
Hero Member
*
Offline Offline

Posts: 1653676783

View Profile Personal Message (Offline)

Ignore
1653676783
Reply with quote  #2

1653676783
Report to moderator
1653676783
Hero Member
*
Offline Offline

Posts: 1653676783

View Profile Personal Message (Offline)

Ignore
1653676783
Reply with quote  #2

1653676783
Report to moderator
BitcoinGirl.Club
Legendary
*
Offline Offline

Activity: 2072
Merit: 2043


Nastya, KidsCamp, Cocomelon


View Profile WWW
November 08, 2019, 08:28:04 PM
 #2

DoH!  Will this be the end of cloudflare?   How will this forum and other websites handle DDOS attacks?
What is happening? I really do not like this cloudflare thing.
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.

.
..........
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
█████████████░░██████████████████████████░░███████████████████
███████████████░░██████████████████████████░░█████████████████
█████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░███████████████
█████████████████░░░░░░░░░░██░░██░░░░░░░░░░██░░███████████████
███████████████████░░░░░░██░░██████░░░░░░██░░█████████████████
█████████████████████░░░░░░██████████░░░░░░███████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
.....I AM BLACKJACK.FUN.....
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
█████████████░░██████████████████████████░░███████████████████
███████████████░░██████████████████████████░░█████████████████
█████████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░███████████████
█████████████████░░░░░░░░░░██░░██░░░░░░░░░░██░░███████████████
███████████████████░░░░░░██░░██████░░░░░░██░░█████████████████
█████████████████████░░░░░░██████████░░░░░░███████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████

▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.
..........
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 2915


Terminated.


View Profile WWW
November 08, 2019, 08:33:11 PM
 #3

Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.
I really hope that this is a joke gone wrong.

DoH is long overdue, but unfortunately has many downsides that weren't remedied properly. It's all good though, 99.9% of you guys are sheep.
Note: Good read, if you're interested in malware that uses DoH.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
ibminer
Legendary
*
Offline Offline

Activity: 1650
Merit: 2151


Goonies never say die.


View Profile WWW
November 08, 2019, 08:41:53 PM
 #4

Maybe I haven't researched this enough but why wouldn't CloudFlare be capable of handling DoH?
https://developers.cloudflare.com/argo-tunnel/reference/doh/

¤º°`°º¤ø,¸¸,ø¤º°°º¤ø,¸¸,ø¤º°`°º¤
(¯`·.¸¸.-> °º [ BPIP ] º° <-.¸¸.·´¯)
๑۞๑,¸,ø¤º°°º¤ø,¸,ø¤º°°º¤ø,¸,๑۞๑
:•: Most Merit | Most Activity | Most Trusted | Most Recognized
:•: Flag Log | Most Merited Threads | DT Change Log | Most Deleted by Mods
:•: ıllıllı Free World ıllıllı Don't look down (NSFW) ıllıllı Hook ıllıllı Brainwashed
suchmoon
Legendary
*
Offline Offline

Activity: 3052
Merit: 7861


https://bpip.org


View Profile WWW
November 08, 2019, 08:50:05 PM
 #5

IIRC Cloudflare provides the DNS service for Mozilla's half-assed centralized DoH implementation so I'm sure NSA will still be able to track everything you do on teh intertubes just fine.

Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 2915


Terminated.


View Profile WWW
November 08, 2019, 09:05:46 PM
Merited by Vod (1)
 #6

IIRC Cloudflare provides the DNS service for Mozilla's half-assed centralized DoH implementation so I'm sure NSA will still be able to track everything you do on teh intertubes just fine.
Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
suchmoon
Legendary
*
Offline Offline

Activity: 3052
Merit: 7861


https://bpip.org


View Profile WWW
November 08, 2019, 09:08:47 PM
Merited by ibminer (1)
 #7

Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

I got nothing to hide. I don't have any life outside of this forum anyway:

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.

ibminer
Legendary
*
Offline Offline

Activity: 1650
Merit: 2151


Goonies never say die.


View Profile WWW
November 08, 2019, 10:27:35 PM
 #8

Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

I got nothing to hide. I don't have any life outside of this forum anyway:

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.


Ok, a bit off topic but damn, that blows my total time logged in out of the water lol. Out of the 2,107 days you've had an account, you've spent almost half of it logged into the forum.  Shocked  
I spend a good chunk of time reading while not logged in though so I guess mine is not really an accurate representation of actual time I've spent visiting the forum, at least.. but you make me feel like a newbie.



.. I can't touch that.  Grin


(To keep this somewhat on topic.. MC hammer is Lauda trying to run from CloudFlare/NSA. Cheesy)

¤º°`°º¤ø,¸¸,ø¤º°°º¤ø,¸¸,ø¤º°`°º¤
(¯`·.¸¸.-> °º [ BPIP ] º° <-.¸¸.·´¯)
๑۞๑,¸,ø¤º°°º¤ø,¸,ø¤º°°º¤ø,¸,๑۞๑
:•: Most Merit | Most Activity | Most Trusted | Most Recognized
:•: Flag Log | Most Merited Threads | DT Change Log | Most Deleted by Mods
:•: ıllıllı Free World ıllıllı Don't look down (NSFW) ıllıllı Hook ıllıllı Brainwashed
suchmoon
Legendary
*
Offline Offline

Activity: 3052
Merit: 7861


https://bpip.org


View Profile WWW
November 08, 2019, 11:03:01 PM
 #9

Out of the 2,107 days you've had an account, you've spent almost half of it logged into the forum.  Shocked  

To be fair, I'm pretty sure the number is bogus. It increased by 4 days since Wednesday. Even accounting for the fact that I run some scrapers under my login, this doesn't make any sense. It's likely that my logged-in time will EXCEED my total account age at some point.

TryNinja
Legendary
*
Offline Offline

Activity: 2114
Merit: 4132


100% Deposit Match UP TO €5000!


View Profile WWW
November 08, 2019, 11:13:00 PM
 #10

To be fair, I'm pretty sure the number is bogus. It increased by 4 days since Wednesday. Even accounting for the fact that I run some scrapers under my login, this doesn't make any sense. It's likely that my logged-in time will EXCEED my total account age at some point.
Do you usually open more than one tab of the forum? The time increases times the number of tabs you have opened, so if you have 60, it goes up 1 minute per second. It's not that accurate.

Vod
Legendary
*
Offline Offline

Activity: 3444
Merit: 2929


Licking my boob since 1970


View Profile WWW
November 08, 2019, 11:35:17 PM
Last edit: November 09, 2019, 02:13:41 AM by Vod
 #11

Total time logged in: 1004 days, 4 hours and 23 minutes.

My profile scraper:
Total time logged in: 1070 days, 4 hours and 21 minutes

vod.fan - coming soon!  Free image hosting and URL shortening
clubcrypto.live coming soon!  Work and play at home - earn crypto and video game NFTs
Bitsky
Hero Member
*****
Offline Offline

Activity: 576
Merit: 509


View Profile
November 09, 2019, 08:55:26 AM
Merited by DooMAD (2), ETFbitcoin (1), psycodad (1), PrimeNumber7 (1)
 #12

What is happening? I really do not like this cloudflare thing.
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.
You cannot just write a script to stop a DDoS. If it was that easy, every CMS system and OS would have it already implemented. DDoS works mostly by saturating your uplink; while a script on a server can still filter requests, it cannot reduce traffic before it reaches that server.

DoH is long overdue, but unfortunately has many downsides that weren't remedied properly. It's all good though, 99.9% of you guys are sheep.
It only has downsides.
1. Supporters say that it stops your ISP from snooping, but DoH would concentrate 99.9% of all requests at Cloudflare. If you do not trust your ISP, why trust Cloudflare? Because they promise not to spy? Yeah, sure.
2. Since DoH is just a HTTP request, every piece of software/malware can contact its own hardcoded resolver and ignore system DNS settings. That's a bullet into the head for most DNS based adware/malware filters. Yes, you can define your own resolver in Firefox, but how many average people will do that? Right now you block udp/tcp port 53 to stop access to resolvers except those you allowed.
3. If it would really be about securing DNS with encryption, Mozilla/Google/et al would support DoT which is already defined in RFC7858 which would smoothly integrate into current networks instead of risking to break a core functionality of the Internet.
4. DoT provides the same security as DoH, and still leaves users all the filter/blocking options DNS currently has. You would only enforce DoH if you want all user data concentrated at a single point, ripe for analysis, profiling, censorship, tracking and spying. There is no reason to trust Cloudflare more than your ISP, so the trust argument is entirely void.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
theymos
Administrator
Legendary
*
Offline Offline

Activity: 4494
Merit: 9651


View Profile
November 09, 2019, 01:05:43 PM
Merited by Foxpup (6), ETFbitcoin (2)
 #13

This isn't a Meta issue... DoH is unrelated to Cloudflare's DDoS protection service.

I can understand why Firefox etc. are doing it. ISPs have a history of screwing up / tampering with DNS; networks & operating systems often have DNS misconfigured; and Microsoft isn't going to fix anything at the OS level. So for the average user it's going to improve the experience.

But it's giving Cloudflare (ie. a probable NSA honeypot) an unprecedented level of data on users and websites, and also an unprecedented level of control. Cloudflare will be able to take down or redirect sites unilaterally now, only having to fear getting removed by Firefox as a result. Everyone uses ICANN's root servers because everyone else uses ICANN's root servers. If everyone starts to use Cloudflare, then Cloudflare becomes the new ICANN in practice.

Hopefully Tor isn't stupid enough to enable this in Tor Browser, since that'd allow for pretty trivial traffic analysis by Cloudflare, and you wouldn't be able to disable it without highlighting yourself as one of a few people behaving oddly.

It's really a demonstration of the failure of the Internet on a technical level. The Internet is decades of dirty hack on top of dirty hack, and now we're ending up with a world where the only easy way to get things working decently is "just put literally everything on Cloudflare". Very dangerous. The whole structure of the Internet needs to be rethought.

I agree with the idea of moving away from ISP resolvers and traditional port-53 DNS. It sucks. Though ideally it'd be done at the OS level, and in any case you can do a lot better than DoH, yet another dirty hack. For example, it probably wouldn't slow things down much for Firefox to just act as a recursive DNS resolver. That'd be maximally decentralized. Or you could at least use a private information retrieval protocol in order to rely on a single resolver like Cloudflare without actually giving them any information, and have the resolver also provide the full chain of DNSSEC authentication for every query answer.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ibminer
Legendary
*
Offline Offline

Activity: 1650
Merit: 2151


Goonies never say die.


View Profile WWW
November 09, 2019, 03:12:25 PM
 #14

This isn't a Meta issue... DoH is unrelated to Cloudflare's DDoS protection service.

I'd think anything DNS-related is unrelated to a DDoS attack, in general.. not just CloudFlare. Unless the DDoS is targeting a DNS server with resolutions in an attempt to overwhelm it, they are typically attacking one or more IPs with some form of traffic and don't really need a DNS server at all. Might be why the thread started derailing. Tongue

If we're going to discuss DoH in general, it doesn't seem to me it is really protecting anyone from being tracked by ISPs or middle-men, if that's what the point of this is supposed to be. Outside of something like Tor, once this encrypted resolution is complete, you would still be connecting to a public IP address that could be tracked and identified potentially using RDNS or just a DB that is kept which conducts regular resolutions on domains they may want to monitor, and stores the IPs to cross-reference.

I don't think it is ever a good idea adding an additional point of failure for a DNS resolution inside of a browser as I'd think this could negatively effect a users experience within the browser if CF is having issues, I don't quite understand why DoT isn't more of an accepted solution in the situation.

¤º°`°º¤ø,¸¸,ø¤º°°º¤ø,¸¸,ø¤º°`°º¤
(¯`·.¸¸.-> °º [ BPIP ] º° <-.¸¸.·´¯)
๑۞๑,¸,ø¤º°°º¤ø,¸,ø¤º°°º¤ø,¸,๑۞๑
:•: Most Merit | Most Activity | Most Trusted | Most Recognized
:•: Flag Log | Most Merited Threads | DT Change Log | Most Deleted by Mods
:•: ıllıllı Free World ıllıllı Don't look down (NSFW) ıllıllı Hook ıllıllı Brainwashed
100bitcoin
Sr. Member
****
Offline Offline

Activity: 810
Merit: 401


View Profile
November 09, 2019, 04:46:53 PM
 #15

This DoH thing appears to be new to me. Can anyone please provide an ELI5?

retweeting
Jr. Member
*
Offline Offline

Activity: 58
Merit: 2


View Profile
November 09, 2019, 04:48:04 PM
Merited by 100bitcoin (2)
 #16

This DoH thing appears to be new to me. Can anyone please provide an ELI5?

https://developers.cloudflare.com/1.1.1.1/dns-over-https/
Chris Barth
Member
**
Offline Offline

Activity: 569
Merit: 88

Credibility: 999


View Profile WWW
November 09, 2019, 05:39:58 PM
 #17

This as I believe isn't the end of cloudfare.
Tho I understand that increasing bandwidth won't prevent these attacks, I've come to see that it helps give some extra minutes before resources are completely claimed by the attacks.

Get a wallet and move some BTCs, here's mine: [12GZz7hegu8VCkJYHSuP3WTXg7LGXgL1vT]
Bitsky
Hero Member
*****
Offline Offline

Activity: 576
Merit: 509


View Profile
November 10, 2019, 09:04:16 AM
Merited by suchmoon (4)
 #18

Conveniently, they do not mention that DoH does nothing for your privacy when someone can monitor your traffic.

Let's assume you used DoH to resolve a domain to its IP. Now you can be happy because your ISP (or any middlemen) cannot see where you go, right?

Wrong.

1a. If the target website has a dedicated IP, the bad guys can try a PTR lookup for the domain name,
Code:
dig +short -x 1.1.1.1

1b. or just check the certificate for the domain names it is valid for:
Code:
echo | openssl s_client -connect 1.1.1.1:443 2>&1 | openssl x509 -noout -text | grep 'DNS:'

2. If the target website is a virtual host (shares the same IP with other websites) then the bad guys just have to watch the traffic, because in order to offer the correct certificate, the server first needs to know where you want to go. And because you cannot have a TLS session without the certificate, your client sends out the server_name in plain over HTTP first to tell the server which certificate to send back.

3. Thanks to OCSP (not stapled), the browser will send a request to the CRL-URL of the CA via HTTP (not HTTPS) so it can be seen in plain text in your traffic.

4. If you use Firefox, the bad guys just need to reply to a DNS query for use-application-dns.net with NXDOMAIN to disable DoH (for now).

So, to sum it up, you get no additional privacy, but less. Having 99.9% of all DNS requests centralized will sooner or later get the attention and interest of not only data-analysts and advertising networks, but also governments.

DoH theoretically protects you from forged replies, but only if you really trust Cloudflare. However, DNSSEC was specifically designed to let the zone-master sign the reply and is already fully functional and available.

Bounty: Earn up to 68.7 BTC
Like my post? Feel free to drop a tip to 1BitskyZbfR4irjyXDaGAM2wYKQknwX36Y
Artemis3
Legendary
*
Offline Offline

Activity: 1344
Merit: 1233


CLEAN code made in Rust lang in the Czech Republic


View Profile WWW
November 12, 2019, 11:28:55 PM
 #19

DoH!  Will this be the end of cloudflare?   How will this forum and other websites handle DDOS attacks?

DNS resolution has nothing to do with DOS attacks. Its simply hiding your dns requests from your ISP and other middleman, the site you connect to still gets your IP. Are you not confused with Tor? This is not the same thing.

And yes, browsers seem to be integrating this, and you can already manually change your DNS to use the safer ones.

The controversy is that DNS resolution was managed by ISPs or local network admins and this new trend is removing that entirely.

Oh and Cloudflare is one of those offering "public" (secure) dns resolution services. Rest assured, only them will collect your resolution history, not your ISP or your government.

If you are on Linux (many OSes supported), you can do this in the OS level using dnscrypt-proxy and cherry pick the type of servers you trust. It can serve your LAN and it caches too, very nice.

██████
███████
███████
████████
BRAIINS OS+|AUTOTUNING
MINING FIRMWARE
|
Increase hashrate on your Bitcoin ASICs,
improve efficiency as much as 25%, and
get 0% pool fees on Slush Pool
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!