Secure DNS: DOT versus DOH, which is currently considered most secure?

I have set up my system using unbound configured to use DOT, but noticed that I can also configure DOH directly in firefox settings, so there is a choice.

Using Cloudflare's test page here, with Firefox: https://www.cloudflare.com/ssl/encrypted-sni/
1) I get the first three tests pass but the 'secure SNI' test fails when using DOT
2) I get all four tests pass when using DOH

However... I've read conflicting opinions on the web as to which is actually more secure, with significant doubts raised about DOH.

What is current opinion on the best one to use? Which is more secure?

Hope this question isn't a dup.
 
From the linked article:
It protects against third-party observers, but does not guarantee what the endpoints do with the (then decrypted) data.

That is pretty much true of almost everything. You do everything you can to protect your information, but once it's stored on a server you don't control (bank, store, etc), it's vulnerable. Lots of leaks happen because someone at the bank did something stupid.
Lots of things get buried in the fine print that no one reads.

But DoT vs DoH: Doesn't HTTPS use TLS? I think it's HTTP over SSL/TLS, so maybe a theoretical advantage over plain TLS?
 
DOT can be set up on FreeBSD using unbound (for example see https://joshua.hu/encrypted-dns-over-tls-unbound-mullvad-freebsd-block-unencrypted-dns-traffic ) and DOH is configured as a setting in the Firefox security settings, in recent versions of Firefox. I've got both of them working on FreeBSD, using the Cloudflare secure DNS servers, so I was trying to decide which version to use. The aim is to prevent attacks like DNS spoofing, directing the browser to a spoofed copy of a legitimate website like a bank.

I found this. https://www.cloudflare.com/learning/dns/dns-over-tls/ and this https://security.stackexchange.com/...ns-doh-dot-differences-performance-comparison .

The TLDR is they recommend using DOH for personal privacy, and DOT for anything administered like a company network. DOT has some theoretical speed and latency advantages, but they say those are unlikely to be very noticeable in practice.

However, there have been some concerns raised about DOH, for example see:

So I'm tending to think go with DOT for the time being... but it's not very clear. I just wondered if people on this forum had any recommendations, since there are a lot of knowledgeable people here :)
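As an added illustration (not from the original posts or the linked guide), this is the shape of an unbound.conf forward-zone that sends all queries to Cloudflare over DoT; the security-relevant part is that the upstream is authenticated with a CA bundle and the `#authname` suffix, otherwise the connection is encrypted but not verified. The bundle path assumes the FreeBSD ca_root_nss package; adjust it for other systems.

```conf
server:
    # CA bundle used to validate the upstream resolver's certificate.
    # Assumed path from the FreeBSD ca_root_nss package.
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
    # Only listen for plain DNS from the local machine.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

forward-zone:
    # Forward everything ("." = the root) to the DoT upstream.
    name: "."
    forward-tls-upstream: yes
    # <address>@<port>#<authname>: port 853 is DoT, and the name after '#'
    # is checked against the presented certificate, so a spoofed resolver
    # with the right IP but the wrong certificate is rejected.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

After `service unbound restart`, a `sockstat -4 -c | grep unbound` (or equivalent) should show only outbound connections to port 853, which is the quick check that nothing is still leaving in the clear on port 53.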
 
https://calomel.org/unbound_dns.html
 