[Dillo-dev] dns over tls or https


past...@gmx.com
Oct 7, 2019, 9:25:47 AM
to dill...@dillo.org

Wouldn't it be great if dillo could do dns over tls (or second best dns over https)

Anyone have any experience with this coding?

---

glad to see the list is back up

I tried to send this and emails to jcid@ and dillo-dev-owner@ 7/13/19 and got all emails bounced back

_______________________________________________
Dillo-dev mailing list
Dill...@dillo.org
http://lists.dillo.org/cgi-bin/mailman/listinfo/dillo-dev

Axel Beckert
Oct 7, 2019, 10:59:21 AM
to dill...@dillo.org
Hi,

On Mon, Oct 07, 2019 at 07:25:20AM -0600, past...@gmx.com wrote:
> Wouldn't it be great if dillo could do dns over tls (or second best
> dns over https)

DNS is not the browser's job but the operating system's job. So no, it
wouldn't be great. One of Dillo's features is to be lean. It should
stay that way.

Kind regards, Axel
--
PGP: 2FF9CD59612616B5
Mail: a...@deuxchevaux.org
Mail+Jabber: a...@noone.org
https://axel.beckert.ch/
Plain Text Ribbon Campaign, http://arc.pasp.de/ (Say No to HTML in E-Mail and Usenet)
I love long mails: https://email.is-not-s.ms/

past...@gmx.com
Oct 7, 2019, 11:06:50 AM
to dill...@dillo.org
you might want to research what dns over tls or https is before you say misinformation

https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
https://www.chromestory.com/2019/06/dns-over-https/

On Mon, 7 Oct 2019 16:59:00 +0200
Axel Beckert <a...@deuxchevaux.org> wrote:

Axel Beckert
Oct 7, 2019, 11:51:39 AM
to dill...@dillo.org
Hi,

On Mon, Oct 07, 2019 at 09:06:30AM -0600, past...@gmx.com wrote:
> > On Mon, Oct 07, 2019 at 07:25:20AM -0600, past...@gmx.com wrote:
> > > Wouldn't it be great if dillo could do dns over tls (or second best
> > > dns over https)
> >
> > DNS is not the browser's job but the operating system's job. So no, it
> > wouldn't be great. One of Dillo's features is to be lean. It should
> > stay that way.
>

> you might want to research what dns over tls or https is before you
> say misinformation

Ehm, I know very well what DoH and DoT are. I even run DoT enabled
authoritative DNS servers.

I do, though, get the feeling that you are not aware of what implications
DNS resolution directly in applications has. I strongly recommend
watching this talk from the Chaos Communication Camp 2019:
https://media.ccc.de/v/Camp2019-10213-doh_or_don_t (No it's not
con-DoH. But it's also not pro-DoH. It shows all the problems it
solves and causes.)

Nevertheless, I don't see any misinformation in the statement that DNS
resolving is a job of the operating system and not of any end-user
application.

Any DNS resolving inside an application can, depending on whether
application-specific DNS servers are used, cause tons of problems like
not caring about deliberately set search domains or name servers, not
being able to resolve organization-internal (intranet) host names,
leaking nearly everything you do on the internet to external service
providers you can't control, etc. (At least that's the case with DoH
in Firefox unless you configured your very own DoH server.)

Of course also the organization-internal DNS caches could provide DoT
or DoH. This still does not give a reason to do DNS lookup inside an
application instead of using the OS-wide resolver.

past...@gmx.com
Oct 7, 2019, 12:13:52 PM
to dill...@dillo.org

always suspect response when you prune from my response the things that disprove what you claimed

it is the browsers job when i uses dns in clear text - and should be using encrypted dns

https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
https://www.chromestory.com/2019/06/dns-over-https/

Axel Beckert
Oct 7, 2019, 12:26:46 PM
to dill...@dillo.org
Hi again,

since I don't see any point in discussing this topic with you any
further, just a few remarks on the way you discuss:

On Mon, Oct 07, 2019 at 10:13:23AM -0600, past...@gmx.com wrote:
> it is the browsers job when i uses dns in clear text

I can't parse "i uses". Did you mean "I use"? Doesn't make sense to
me, either.

Because in case this should suggest that you want to circumvent
surveillance by using DoH/DoT in your browser and don't run your own
DoT/DoH resolver, you've already lost.

> https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
> https://www.chromestory.com/2019/06/dns-over-https/

Just repeating what you already wrote doesn't prove your point.

End of discussion for me here.

past...@gmx.com
Oct 7, 2019, 12:49:58 PM
to dill...@dillo.org

how hard was it to realize 'i uses' to mean 'it uses' ?? lol


On Mon, 7 Oct 2019 18:26:22 +0200
Axel Beckert <a...@deuxchevaux.org> wrote:

> Hi again,
>
> since I don't see any point in discussing this topic with you any
> further, just a few remarks on the way you discuss:
>
> On Mon, Oct 07, 2019 at 10:13:23AM -0600, past...@gmx.com wrote:
> > it is the browsers job when i uses dns in clear text
>
> I can't parse "i uses". Did you mean "I use"? Doesn't make sense to
> me, either.
>
> Because in case this should suggest that you want to circumvent
> surveillance by using DoH/DoT in your browser and don't run your own
> DoT/DoH resolver, you've already lost.

and whose authoritative dns server do you connect to that has dns over tls ?

in this case it clearly does - because not everyone is obviously as smart as you are to set up their own dns over tls server - and i'm glad you don't have to connect to any non encrypted authoritative dns servers (sarcasm)

past...@gmx.com
Oct 8, 2019, 8:58:27 AM
to dill...@dillo.org

Axel, I have bad news for you - dillo is already doing it's/i/it/t own dns - you might want to check the src/dns.c
it calls getaddrinfo all by itself - imagine that -

On Mon, 7 Oct 2019 16:59:00 +0200
Axel Beckert <a...@deuxchevaux.org> wrote:

> Hi,
>
> On Mon, Oct 07, 2019 at 07:25:20AM -0600, past...@gmx.com wrote:
> > Wouldn't it be great if dillo could do dns over tls (or second best
> > dns over https)
>
> DNS is not the browser's job but the operating system's job. So no, it
> wouldn't be great. One of Dillo's features is to be lean. It should
> stay that way.
>
> Kind regards, Axel
>


Axel Beckert
Oct 8, 2019, 9:57:58 AM
to dill...@dillo.org
Dear Pastebin,

On Tue, Oct 08, 2019 at 06:39:04AM -0600, past...@gmx.com wrote:
> Axel, I have bad news for you - dillo is already doing it's/i/it/t
> own dns - you might want to check the src/dns.c
> it calls getaddrinfo all by itself - imagine that -

*facepalm* You're getting it all wrong.

But that's good to hear, because that's what I call "letting the OS do
DNS".

Because that's just a call to an OS-provided function which utilizes
what is configured in the OS, usually via /etc/resolv.conf,
/etc/nsswitch.conf and /etc/gai.conf (and /etc/services for the port
name lookups) on nowadays' Linux distributions.

What I consider to be bad is if an application _doesn't_ use these
OS-provided system or library calls but does the full DNS resolution
on its own, including deciding which DNS server and transport to use.
(Unfortunately that's the common way DoT and DoH are used nowadays.)

If the backend of getaddrinfo() or gethostbyname() uses DoT or DoH to
a server configured by the local admin (which might be the sole user
itself), that's totally perfect and I'd appreciate that.

But if an application (i.e. the application developer) decides on its
own that it ignores system wide DNS settings and behaves differently
than the local admin wants, that's definitely bad.

And adding DoH or DoT support to Dillo (or any other web browser or
application) would go into that direction.

If you want to circumvent surveillance or your ISP's DNS manipulations
for their own profit (as said to be common in the US) by using DoH or
DoT, you shouldn't do that just in your web browser but system-wide in
your _whole_ (operating) system.

So I stand uncorrected: DoH and DoT belong in the OS and not in
(end-user) applications like web browsers.

Using the knot resolver or the unbound resolver as local resolver, you
can configure this (at least on Unices). Of course you still need a
DoT/DoH resolver you can trust.

Kind regards, Axel
--
PGP: 2FF9CD59612616B5
Mail: a...@deuxchevaux.org
Mail+Jabber: a...@noone.org
https://axel.beckert.ch/
Plain Text Ribbon Campaign, http://arc.pasp.de/ (Say No to HTML in E-Mail and Usenet)
I love long mails: https://email.is-not-s.ms/
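The system-wide setup Axel describes in his last message (a local resolver that speaks DoT upstream, with every application, Dillo's getaddrinfo() call included, reaching it through /etc/resolv.conf), as an added example that is not from the thread or from the Dillo project. It assumes unbound on a Linux host; the upstream address and TLS name are placeholders for a DoT resolver you trust.

```conf
# /etc/unbound/unbound.conf  (added example, not from the thread)
# Every application that calls getaddrinfo()/gethostbyname() ends up here
# via /etc/resolv.conf, so the DoT decision is made once, by the admin,
# instead of separately inside each browser.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # CA bundle used to verify the upstream resolver's certificate
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Talk TLS (port 853) to every forward-addr below; never plain port 53
    forward-tls-upstream: yes
    # PLACEHOLDER upstream (RFC 5737 documentation range): replace with a
    # resolver you trust. The part after '#' is the hostname unbound checks
    # against the presented certificate.
    forward-addr: 192.0.2.53@853#dot.resolver.example

# /etc/resolv.conf  (make the local resolver the only nameserver so that
# no application can bypass it)
# nameserver 127.0.0.1
# nameserver ::1
```

Run `unbound-checkconf` before restarting the service; afterwards, a capture of outbound traffic on port 53 should stay empty while lookups show up only as TLS on port 853 to the configured upstream.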
