1895 points _l4jh | 6 comments
1. anjbe No.16729297
Lately I’ve been thinking about some concerns about domain name privacy:

• My ISP can spoof DNS responses.

• My ISP can sniff DNS requests.

• My ISP can sniff SNI.

• My ISP can look up reverse DNS on the IPs I visit.

DNS over TLS is nice—I just set up Unbound on my router to use 1.1.1.1@853 and 1.0.0.1@853 as forwarding zones. That eliminates the first bullet, at the cost of allowing CloudFlare to track my DNS requests.

I wonder how easy it is to route DNS‐over‐TLS over Tor?

replies(1): >>16729726 #
2. deeebug No.16729726
What’s your threat model? The latency you’re going to introduce with TOR will make everyday browsing slow.
replies(1): >>16729839 #
3. anjbe No.16729839
It’s not like I’d be running everything over Tor. DNS requests for newly‐visited domains would slow down, but unbound’s prefetch feature would keep popular frequently‐used domains cached. Adding one of those advertising domain blacklists might help performance too.

The point would be to keep Cloudflare from being able to track my DNS requests.

replies(1): >>16732322 #
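The Unbound setup described in comments 1 and 3 (forwarding to 1.1.1.1@853 and 1.0.0.1@853 over TLS, with prefetch), written out as an added example that is not from the thread. The CA bundle path is an assumption for Debian-style systems, and the `#cloudflare-dns.com` suffix on `forward-addr` needs a newer Unbound that supports upstream name verification.

```conf
# Added example, not from the thread: Unbound forwarding all queries to
# Cloudflare over DNS-over-TLS. Without certificate verification the
# upstream link is encrypted but not authenticated, so an on-path party
# could still impersonate the resolver; tls-cert-bundle plus the #name
# suffix closes that gap.
server:
    # CA bundle used to verify the upstream certificate.
    # Path is an assumption (Debian/Ubuntu); adjust for your system.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Refresh popular cache entries before they expire so repeat
    # lookups do not pay the upstream round-trip (comment 3).
    prefetch: yes

forward-zone:
    name: "."
    # Upstreams on port 853; the name after '#' is what Unbound
    # checks against the presented certificate.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Require TLS to these forwarders; no plaintext fallback.
    forward-tls-upstream: yes
```

Run `unbound-checkconf` after editing, and confirm with a packet capture that only port 853 traffic leaves the router for DNS.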
4. cmstoken No.16732322{3}
Why not use a VPN like PIA?
replies(1): >>16733199 #
5. jerheinze No.16733199{4}
> Why not use a VPN like PIA?

A VPN gives you little protection against browser fingerprinting, which may alone leak enough information about you to identify you. Also, privacy-by-policy is nowhere near privacy-by-design. If you want privacy, use the Tor Browser.

replies(1): >>16771540 #
6. plb4333 No.16771540{5}
What a bunch of false security you're providing. The NSA broke TOR traffic quite a while back. Worthless.