We already have mechanisms called “DNS-over-HTTPS” (DoH) and
“DNS-over-TLS” (DoT) to encrypt your DNS queries so intermediaries
cannot eavesdrop on them. However, the DNS server you are querying
still knows what you are asking for, and can tie that to the IP
address that you are querying from.
So the next step is called “Oblivious DNS” (“over HTTPS”?) or “ODoH”.
This one interposes a proxy to relay the encrypted query and response
between the client machine and DNS server. The proxy cannot decrypt the
communications, and its presence hides the client’s IP address from the
server, further increasing your privacy.
To recap: the DNS server knows what you are asking for, but not who is
asking. The proxy knows who is asking, but not what they are asking for.
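To make the split concrete, here is an added toy model of the exchange (example code written for this comment, not from any ODoH implementation). It assumes X25519 key agreement plus SHA-256 and AES-GCM as a stand-in for the HPKE that real ODoH uses, and it does not reproduce the ODoH wire format; the client address, the zone data and the target key are all constructed. Each party records what it learns so you can check the claim directly: the proxy sees an address and an opaque blob, the target sees a name and no address.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Target is the resolver. It holds the long-term X25519 key clients encrypt to
// and records what it learns: query names, never client addresses.
type Target struct {
	priv    *ecdh.PrivateKey
	answers map[string]string // constructed zone data
	Seen    []string
}

// Proxy relays opaque blobs and records what it learns: addresses and sizes.
type Proxy struct{ Seen []string }

// Sealed is the unit the proxy forwards unchanged in both directions.
type Sealed struct {
	EphPub []byte // client's ephemeral public key (empty on responses)
	Nonce  []byte
	CT     []byte
}

func NewTarget() (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Target{priv: priv, answers: map[string]string{"example.com.": "192.0.2.1"}}, nil
}

// PublicKey is what a client fetches out of band before sending a query.
func (t *Target) PublicKey() *ecdh.PublicKey { return t.priv.PublicKey() }

// deriveKey turns the shared secret into a per-direction AES-256 key
// (assumption: a hash with a label stands in for HPKE's KDF).
func deriveKey(shared []byte, label string) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	h.Write(shared)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, pt []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, pt, nil), nil
}

func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Handle is the target side: recover the secret, decrypt the name, answer,
// and encrypt the answer under the response key. No address ever reaches it.
func (t *Target) Handle(q Sealed) (Sealed, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(q.EphPub)
	if err != nil {
		return Sealed{}, err
	}
	shared, err := t.priv.ECDH(ephPub)
	if err != nil {
		return Sealed{}, err
	}
	name, err := gcmOpen(deriveKey(shared, "query"), q.Nonce, q.CT)
	if err != nil {
		return Sealed{}, err
	}
	t.Seen = append(t.Seen, "query for "+string(name))
	ans, ok := t.answers[string(name)]
	if !ok {
		ans = "NXDOMAIN"
	}
	nonce, ct, err := gcmSeal(deriveKey(shared, "response"), []byte(ans))
	return Sealed{Nonce: nonce, CT: ct}, err
}

// Relay is the proxy side: it learns who asked and how many bytes, nothing else.
func (p *Proxy) Relay(clientAddr string, q Sealed, t *Target) (Sealed, error) {
	p.Seen = append(p.Seen, fmt.Sprintf("%s sent %d opaque bytes", clientAddr, len(q.CT)))
	return t.Handle(q)
}

// Resolve is the client side. It also returns the ciphertext that crossed the
// proxy so a caller can confirm the queried name never appears in it.
func Resolve(clientAddr, name string, p *Proxy, t *Target) (string, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	shared, err := eph.ECDH(t.PublicKey())
	if err != nil {
		return "", nil, err
	}
	nonce, ct, err := gcmSeal(deriveKey(shared, "query"), []byte(name))
	if err != nil {
		return "", nil, err
	}
	resp, err := p.Relay(clientAddr, Sealed{EphPub: eph.PublicKey().Bytes(), Nonce: nonce, CT: ct}, t)
	if err != nil {
		return "", nil, err
	}
	pt, err := gcmOpen(deriveKey(shared, "response"), resp.Nonce, resp.CT)
	return string(pt), ct, err
}

func main() {
	tgt, _ := NewTarget()
	p := &Proxy{}
	ans, wire, err := Resolve("198.51.100.7", "example.com.", p, tgt) // constructed client address
	fmt.Println("answer:", ans, "err:", err, "name visible to proxy:", bytes.Contains(wire, []byte("example.com.")))
	fmt.Println("proxy saw:", p.Seen)
	fmt.Println("target saw:", tgt.Seen)
}
```

The design point is that the per-query ephemeral key means nothing the proxy stores can be decrypted later even if the target's long-term key leaks, and that the proxy and target must be run by different parties: if one operator runs both, the two logs above can simply be joined.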
Given the controversy from some parties over the existing mechanisms
(remember when the British Internet Service Providers’ Association
dubbed Mozilla a “villain” for implementing DoH?), I
wonder what kind of hoo-hah this further development will trigger...