In this post, we describe the differences between the two widespread protocols for DNS encryption: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). We compare the technical aspects of those protocols as well as their implications on user privacy. We also introduce Knot Resolver’s new built-in DoH support and explain some of our design decisions behind DoH.
The Internet is flooded with news about a new attack against DNS protocol called Side channel AttackeD DNS, or in short SAD DNS. The attack is described in detail in Cloudflare’s blog and I strongly recommend you to read it to grasp how it works and why it is novel.
DNS resolvers are constantly adding features while not removing any, but this trend cannot continue indefinitely because the software would eventually break under its own weight. Which features are used in practice and which can be safely removed? We present preliminary results of a survey among DNS resolver administrators, and also invite readers to participate in cross-vendor survey which is open until 2020-06-30.
This article describes NXNSAttack, a newly discovered DNS protocol vulnerability which affects most recursive DNS resolvers. It allows to execute random subdomain attack using DNS delegation mechanism, resulting in big packet amplification factor.
Monday 17 morning Orange clients could not connect to not only Google but also Wikipedia or OVH, biggest French hosting company. Most people got an error message saying that the site wasn’t reachable. Some ended up on a scary page telling them they tried to reach a terrorist website. This page was set up to by the French Ministry of Interior after an anti-terrorist law was passed in November 2014 to allow the police to
request censorship of websites.