On 2019-10-01 09:38, Stephane Bortzmeyer wrote:
> On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin <lists.nanog@monmotha.net> wrote a message of 10 lines which said:
>
>> It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using your local DNS server list as per usual.
>
> Unless, I hope, the user explicitly overrides this. (Because this canary domain contradicts DoH's goals, by allowing the very party you don't trust to remotely disable security.)

The goal is centralization of DNS and being able to see more what users (or at least the aggregate stats, so that they can claim "we do not keep your data/IP/lookups") do, the goal is not that of 'security' or 'privacy'.

While the 'connection to the recursor' is 'encrypted', the recursor is still in clear text... one just moves who can see what you are doing with this.

Also keep a split between the protocol and the implementation. DoT and DoH both serve the same goal of "encryption", but that is not being used here: they also want to move the recursor to another entity...

At least the use-application-dns.net zone is now not DNSSEC signed anymore as it was before, thus at least a NXDOMAIN can now be caused instead of SERVFAIL as .net indicated a signature, while one overrode that locally...

Greets,
Jeroen