oscpacey on Nostr: calle 👁️⚡👁️ looks like you’ve come up with a nice answer to this ...
calle 👁️⚡👁️ (npub12rv…85vg) looks like you’ve come up with a nice answer to this question with NWS:
quoting nevent1q…t7an: schematic of how NWS works
note12vy…yprj
quoting note1z5y…6pxc: Views on private DNS?
Standard DNS is unencrypted and, for most people, used as a cloud service. Thus every URL (specifically, domain name) sought is sent first to your DNS host so it may be resolved to an IP address. This gives your DNS provider, and any man-in-the-middle, a live and timestamped historical log of every service you visit.
DNS-over-TLS (DoT) is an encrypted version of the same thing. This takes away the eavesdropping risk of a man-in-the-middle.
DNS-over-HTTPS (DoH) is the same as DoT but transports over HTTPS.
DoH offers better obfuscation by hiding in a larger anonset (HTTPS traffic), and as it uses port 443 it can't be admin blocked without also blocking web traffic (HTTPS).
However, neither DoT nor DoH protects from Man-In-The-Backdoor attacks - in other words, the DNS provider, their regulators, hackers and rogue employees still see all.
ObliviousDNS (ODoH) is a nice-ish upgrade. It splits DNS resolution services into a two-party service:
User sets up an HTTPS channel with a Target DNS provider.
User sends packets for that target *via* a proxy service as a router.
- As a router, the proxy knows the user's IP address, but not the contents of the packet.
- The target can decrypt the HTTPS packet but does not know from where it came.
Not bad! However, this dissociation degrades back to plain DoH if the proxy and target collaborate.
Most companies currently supporting ObliviousDoH are large US tech firms and so of course are in direct reach of the US intelligence agencies. They also know who to call for every historical request they've processed together to complete the picture.
So what would be better? Could we take inspiration from Tor or maybe Dandelion routing in Bitcoin?
Perhaps we should just use Tor?
One option which improves all of the above is to run your own DNS server locally. This will still need to talk to other, remote, untrusted DNS servers to source its lookup table info, but importantly it will cache it locally, limiting the amount of metadata sent externally.
I don't think Unbound (a local DNS cache) can be configured to randomly make its requests of a long list of DNS relays - which is a shame as that would help shard the metadata footprint of your IP address.
An idea for a workaround of ODoH's faults could be to run your own proxy server in a compute cloud, ideally a provider which doesn't take ID info (pay with bitcoin). Connect to that via SSH tunnel, and have it send the ODoH packets out to target services. It could also very frequently change its own IP address so the target does not realise requests are coming from the same source.
What do you think? What's the best practical means to achieve DNS privacy?
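As an added example (not from the post above or from the Unbound project's own documentation), here is what the "run your own DNS server locally" option looks like as an Unbound configuration: a loopback-only caching resolver that recurses to the root/TLD/authoritative servers itself with qname minimisation, so no single upstream sees every full hostname, with a commented-out DoT forwarding alternative. The file paths are assumptions for a typical install, and the upstream addresses/hostnames are placeholders from the documentation range, not a provider recommendation.

```conf
server:
    # Serve only this host: listen on loopback and allow nothing else to query.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # Full recursion: ask root/TLD/authoritative servers directly instead of
    # one upstream resolver, so no single party holds the whole lookup history.
    # root-hints path is an assumption (the standard named.cache-style file).
    root-hints: "/var/lib/unbound/root.hints"

    # qname minimisation (RFC 9156): send each zone only the labels it needs,
    # so root and TLD servers never learn the full name being resolved.
    qname-minimisation: yes

    # Local cache: keep answers and refresh popular ones before they expire,
    # which cuts the number of external queries (the metadata the post worries about).
    cache-min-ttl: 300
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes

    # Disclose less about this resolver and harden against forged answers.
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    aggressive-nsec: yes
    use-caps-for-id: yes

    # DNSSEC validation; trust-anchor path is an assumption (unbound-anchor maintains it).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle for verifying DoT upstreams; only used if the forward-zone is enabled.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Alternative: forward everything over DNS-over-TLS instead of recursing.
# Caveat: a forwarder sees the full query name, so qname minimisation no
# longer protects against it; only the local cache still limits what leaves.
# Addresses and authentication names below are placeholders (RFC 5737 range).
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 192.0.2.10@853#dot.resolver-one.example
#    forward-addr: 192.0.2.20@853#dot.resolver-two.example
```

Check the file with `unbound-checkconf` before restarting the service, and confirm with `dig +short example.com @127.0.0.1` that answers come from the local cache.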