Suggestion: randomize (Encrypted) DNS

buggyads · March 18, 2021, 5:04pm

As DoH and DoT use cookies and other identifiable information, it is maybe a nice feature to be able to walk through the available Encrypted DNS servers for each request to spread the risk of data / log leaks.

Maybe with options like:

All available
Per region (as some do not want American DNS servers due to legislation there)
Custom lists, for the people that want total control over which DNS to use

Also adding your own Encrypted DNS providers would be a nice feature, but I would already be very thankful if these would be added: DNS Privacy Test Servers - DNS Privacy Project - Global Site

A prerequisite of using DNS lists with randomisation is of course a lot more Encrypted DNS providers.

balboah · March 19, 2021, 9:46am

Blokada does not store cookies when using DoH (DoT is not yet supported in the app)

buggyads · March 19, 2021, 1:27pm

That is cool, but still: isn’t decentralizing DNS a good idea?

buggyads · March 22, 2021, 8:49am

There are headers added to DoH packets that could work to fingerprint individual dns clients, even across multiple source ip’s, that’s why I think this feature can be a great addition. If you route all your DNS through a commercial provider, they could easily make a thorough (advertisement) profile about you. Even if they don’t say they log traffic now, that could eventually change if they see a profitable business case. In the end hosting a DNS server costs money and you’ll need to cover those profits.
Classic DNS doesn’t have any space in the packets to add extra information and doesn’t do this. The only identifiable things are source ip’s and the requests themselves.

balboah · March 22, 2021, 9:19am

Our solution to this issue is to provide Blokada DNS, which in turn talks directly to the source DNS servers without a 3rd party.
It will also shorten the query as much as possible to not give full domains to non-essential providers

buggyads · March 22, 2021, 2:20pm

Which makes you one of the commercial providers I was just mentioning. Not that I question Blokada’s motives and the log policy, but still it makes spreading the dns requests a good idea.

balboah · March 22, 2021, 2:30pm

Sure a distributed solution could be nice, but I wouldn’t consider sharing the queries on multiple providers with the same DNS protocol that may share fingerprintable information to be a nice solution.
Also this is kind of how DNS works today, you talk with multiple servers to get the name you’re looking for. Cloudflare, Google or Blokada is just your “DNS ISP gateway” for managing this multi hoping while keeping information confidential to the ISP closest to your internet connection.

Blokada provides you with Blokada DNS as well as Blokada Plus for encrypting everything including DNS. We are not considering implementing a distributed protocol for DNS directly on the client in the near future

system · March 25, 2021, 5:05pm

This topic was automatically closed after 3 days. New replies are no longer allowed.

Topic		Replies	Views
Is there plans for custom DoH/DoT servers? Other Discussions dns	4	508	May 18, 2021
[Feature Request] Own DNS Entries for unencrypted DNS and DoH Feedback dns , android , feature-request	1	1178	September 15, 2020
Should I use Blokada DNS on Blokada Plus? Support	10	1667	October 7, 2020
[Feature Request] DNS-over-TLS Support Feedback	4	639	September 25, 2020
DNS Server (dot) digitalcourage not up to date Support dns	2	524	June 7, 2021

Suggestion: randomize (Encrypted) DNS

Related Topics