what you describe is already live and adopted in 100% of clients. DNSoverHTTPS.
you cannot disable it on IOS or android. Because it is owned by the APP not the OS.
Even firefox had to disable the setting (and about:config! making firefox on android pretty much garbage unless you install from fdroid) just so google would allow firefox on the play store.
Right, but I think this could be used at like a school to control what IPs are accessed on the network for even an untrusted device. So students couldn't bypass DNS blocks via VPN.
disgusting. with a name like "zero trust" i would expect something in-line with the decentralized web, while this is just a built-in windows web lockdown for office drones.
The gist seems to be: Windows Firewall will block outbound connections to IPs that haven't been returned in responses from "blessed" DoT or DoH servers.
This would likely be excruciating to use and kinda pointless for general use PCs (given how much stuff will probably break in the short term). Maybe that's an intended use case long-term but it's not there now.
I could see this being useful for task-oriented boxes that have no business connecting to arbitrary destinations. I also like the idea of using this as a method to funnel all DNS traffic into the system resolver and into controlled DNS servers. I like that this also kills the application-layer DNS arms race.
Implementing a 75% solution akin to this on Linux wouldn't be too tremendously hard, either. All the pieces and parts are already there to do it.
In principle I hate the idea of overbearing corporate IT restrictions, but I think this is a big improvement over using MITM proxies and intercepting HTTPS connections.
This seems like a good compromise that will enable IT admins to get the control they desire while still giving users access to privacy preserving technologies like HTTPS with ECH.
13 comments
[ 2.5 ms ] story [ 50.1 ms ] threadyou cannot disable it on IOS or android. Because it is owned by the APP not the OS.
Even firefox had to disable the setting (and about:config! making firefox on android pretty much garbage unless you install from fdroid) just so google would allow firefox on the play store.
Your comment is like saying that firewalls are disgusting because they can be used to lockdown machines.
This would likely be excruciating to use and kinda pointless for general use PCs (given how much stuff will probably break in the short term). Maybe that's an intended use case long-term but it's not there now.
I could see this being useful for task-oriented boxes that have no business connecting to arbitrary destinations. I also like the idea of using this as a method to funnel all DNS traffic into the system resolver and into controlled DNS servers. I like that this also kills the application-layer DNS arms race.
Implementing a 75% solution akin to this on Linux wouldn't be too tremendously hard, either. All the pieces and parts are already there to do it.
Schools and certain kind of enterprises will welcome this feature.
This seems like a good compromise that will enable IT admins to get the control they desire while still giving users access to privacy preserving technologies like HTTPS with ECH.