1. 4
  1.  

  2. 3

    I’m starting to become more and more scared of DNS-over-some-secure-protocol. I put my IoT devices in a separate home network and hijack their DNS. If IoT devices start using secure DNS solutions it will become harder and harder to have control over them…

    1. 3

      This boat has sailed with HTTPS. Even if you’re able to hijack DNS, the HTTPS will stop you. OTOH if they use insecure HTTP, you just need a different tool to mess with their traffic. And if you’re only blocking them from phoning home, then IP blocks work as always.

      1. 1

        That entirely depends on why you want to hijack it and how HTTPS is set up. I have a thermostat in my home that very happily lets me hijack the DNS, talk to my HTTPS server with a self-signed cert, and I can proxy the things I want to go back to the cloud while removing the things I do not want (such as my network details).

        There are other cases where I hijack the DNS purely to drop specific domains that I don’t want to be able to communicate that rely on an AWS backend, so straight IP filtering isn’t scalable.

        I’ve had some luck “fixing” the DNS-over-some-secure-protocol problem through firewall rules (there are far fewer common DNS servers than web servers out there, so it is reasonably targetable) that would rewrite it to go to my DNS-over-some-secure-protocol server which then can talk to upstream stuff. Honestly, I’ve only ever seen someone on my network trying to access 8.8.8.8 on port 443, even though I have a lot of other common ones targeted for rewrite.

        All that to say, HTTPS doesn’t prevent DNS hijacking from being useful and the new protocols really put more work on the network admin, but don’t make these things impossible.

      2. 3

        I’m starting to become more and more scared of DNS-over-some-secure-protocol.

        You know all that talk about crypto-anarchism in the 90s? It was partially hogwash. Math is just a tool. It cares not who it serves, be it the liberator or the oppressor. Ubiquitous encryption is what enables consumer surveillance devices to spy on you using your own infrastructure to transport their payload while making it difficult or impossible for you to spy back.

        Quis custodiet ipsos custodes?

        I recommend David Brin’s excellent and ahead-of-its-time book, The Transparent Society.