DNS encryption preference discussion

JayArr

New Member
I was reading a Reddit post about differences in DNS encryption. This one post from someone who looks to be claiming to work at Quad9 says that DNScrypt exposes metadata and is not an IETF standard. They also criticize DNS-over-HTTPS as "an ugly hack", and seem to back DNS-over-TLS as the solution to both.

Here's the URL if you want to read it: https://www.reddit.com/r/privacy/comments/89pr15
I was reading another article though, and it was claiming that DNS-over-HTTPS was somehow more "secure" because IT administrators weren't able to monitor it as easily given that it's mixed in with other HTTPS traffic. I didn't really buy into their reasoning because it was making the argument that "if you work for a big company, the CTO couldn't spy on workers".... That argument made absolutely no point of logic in my mind.

Anyway, what's your take on it? DNS-over-QUIC is in draft. I've been using it for a bit with the iOS and Android AdGuard apps and it seems fine. Remember that 802.11n was in draft stages for a long time before it was ratified too.
 

philibeur

Beta Tester
Hello. Reddit = Opinions ≠ Facts. For DoT & DoH, you can view this. For DNSCrypt, this. DNS over QUIC is too young to be compared to the others; only time will tell us more.
 

Bill Woodcock

New Member
Hi. I don't work for Quad9, but I chair its foundation council, which is equivalent to a board of trustees or directors.

Agreed, QUIC isn't fully baked yet, so there's no sense in trying to compare it to anything until it's done and deployed. Reddit is indeed a repository of opinions, but Cloudflare's opinion of DoH and DNScrypt's opinion of DNScrypt are, uh, also subjective. :)

Happy to answer any questions I can, or refer folks to other data sources.
 

ammnt

Beta Tester
Hi. I don't work for Quad9, but I chair its foundation council, which is equivalent to a board of trustees or directors.

Agreed, QUIC isn't fully baked yet, so there's no sense in trying to compare it to anything until it's done and deployed. Reddit is indeed a repository of opinions, but Cloudflare's opinion of DoH and DNScrypt's opinion of DNScrypt are, uh, also subjective. :)

Happy to answer any questions I can, or refer folks to other data sources.
Hello, sir. I would like to take this opportunity to ask you a question directly:

Maybe you know why the Quad9 DNS servers support weak and deprecated protocols and cipher suites (e.g. TLS 1.0, TLS 1.1, etc.), but do not support modern and persistent protocols (e.g. TLS 1.3, etc.)?

Thank you.
Cheers!;)
 

Bill Woodcock

New Member
...why the Quad9 DNS servers support weak and deprecated protocols and cipher suites (e.g. TLS 1.0, TLS 1.1, etc.), but do not support modern and persistent protocols (e.g. TLS 1.3, etc.)?
That is not the case:


Protocols
TLS 1.3   Yes
TLS 1.2   Yes
TLS 1.1   No
TLS 1.0   No
SSL 3     No
SSL 2     No

You were looking at the web site, rather than the servers. Our techs tell me that they maintain TLS 1.1 and 1.0 on the web site for backward compatibility, and haven't yet upgraded it to 1.3. But I don't think anybody has any reason to care about the web site. I mean, if we weren't backward-compatible and they couldn't read the web site, they'd care, but I can't think, off the top of my head, of any problem that could come from supporting old protocols, or not supporting 1.3, on the web site.
 
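The mix-up above (grading the web site on 443 when the question was about the resolvers on 853) is easy to reproduce, and easy to avoid, by probing each endpoint with the TLS version pinned on the client side. The script below is an added example written for this page, not code from Quad9 or from anyone in the thread; it uses only the Python standard library, and the hostnames in the main block (dns.quad9.net for DoT, quad9.net for the web site) are assumptions chosen for illustration, not something the thread states. A handshake that completes counts as "supported"; a refused connection, a protocol alert, a timeout, or a local OpenSSL that cannot even offer the version all count as "not supported".

```python
"""Probe which TLS versions a host:port will actually negotiate.

Added example, standard library only. Hostnames in main() are assumed
for illustration; change them to whatever endpoint you want to measure.
"""
import socket
import ssl

# Candidate protocol versions, newest first (same order as the thread's table).
VERSIONS = [
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
]


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`.

    Any failure (refused connection, timeout, protocol alert, or a local
    OpenSSL that cannot offer that version at all) is reported as False.
    """
    try:
        ctx = ssl.create_default_context()
        # Pin both ends of the range so the server cannot negotiate up or down.
        ctx.minimum_version = version
        ctx.maximum_version = version
        # TLS 1.0/1.1 need legacy cipher suites; OpenSSL 3 hides them behind
        # security level 0, so lower it for those two probes only.
        if version < ssl.TLSVersion.TLSv1_2:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        # Whether the certificate validates is a separate question from
        # which protocol versions the listener speaks, so skip it here.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # SNI is still sent (server_hostname) so virtual hosts answer.
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe_host(host, port, timeout=5.0):
    """Probe every version in VERSIONS; returns [(label, supported), ...]."""
    return [(label, probe_version(host, port, v, timeout)) for label, v in VERSIONS]


def render_table(results):
    """Lay results out like the Protocols table quoted in the thread."""
    width = max(len(label) for label, _ in results)
    lines = ["Protocols"]
    for label, ok in results:
        lines.append(f"{label:<{width}}  {'Yes' if ok else 'No'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed targets: the DoT resolver (853) and the web site (443) are
    # different listeners, so each gets its own table.
    for host, port in (("dns.quad9.net", 853), ("quad9.net", 443)):
        print(f"{host}:{port}")
        print(render_table(probe_host(host, port)))
        print()
```

Run it as a script to get one table per endpoint; the DoT listener and the web server can legitimately differ, which is exactly the distinction the reply draws. The checks below run against a deliberately closed local port, so they exercise the failure path without any network access.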