DNS over HTTPS, Internet vanity-plate IP addresses
Yesterday CloudFlare announced their open DNS recursive resolver. Many of you will have heard of Google’s free DNS (22.214.171.124), and also are aware that there are others like OpenDNS etc (but ironically would have to Google its IP!). Well, joining the fray is CloudFlare with an IP of 126.96.36.199 (and 188.8.131.52).
And CloudFlare has an interesting bent on it. You see, from the start, they are aiming for DNS privacy. They have retained an auditor to ensure they stay on message. And, they have opted to support DNS over HTTPS (DoH). So why would this matter to you?
Well, DNS leaks a lot of information. For example, if you are opening a browser to https://gmail.google.com/ vs https://meet.google.com/, both go to the same IP and are encrypted. But, DNS rats you out, sending an in-the-clear request first.
Also, DNS can be complicit in man-in-the-middle attacks. One can forge a response (assuming dnssec is not preventing) and sent a user somewhere they do not expect.
But also DNS over HTTPS could be faster. Not if you make a connection per request of course, but, if you are resolving inline with the HTTP and using HTTP/2 features, you could rapidly resolve all the sub-domains of a site as needed, on a single connection.
Now, as an end-user, this is not that easy to enable right now. You can replace your stub-resolver with e.g. stubby. Or you could muck around on your lede/openwrt/… router.
But, if you are using Mozilla, you might find that it automatically enables all of a sudden, right in the browser. This would still leave other apps that use the Internet exposed, but would reduce the attack surface for sure. And, we might find Google Chrome does the same. And between those two browsers, there is a lot of market share (most of it!).
And, I’m guessing, even though you have read this far, you can still remember the IP. 184.108.40.206. Check it out. You can even type it into your browser (https://220.127.116.11/), crazy, they have a certificate issued to an IP!.