Thanks Jason. Clear and Informative Video.
Hi Jason, nice video can you share a packet capture of the same and also share how will Big IP decrypt Doh.
Thanks in Advance.
I'll add a write-up on DC to my queue and make sure to share packet capture details along with BIG-IP solution details.
F5 DevCentral great that’s just what I wanted to hear!
Cool video, informative. Thanks Jason. One question though: with DNS over HTTPS, how will I get warnings about dangerous sites that my ISP now gives? Will that not be possible anymore, since the ISP has no visibility on my DNS query? What if a person looks for highly illegal content, how will that user be tracked, and the necessary authorities be alerted? I do not think this will be possible with DNS over HTTPS?
the DoH providers would still have a history, assuming they are a legit org and work with authorities for that kind of stuff. But you are correct that your local ISP functionality would be bypassed in this scenario.
Hey Jason! Thanks for the video. I read some stuff about this and the thing that got most of my attention was DNS resolution on the corporate side. If you have Chrome/Firefox on your corporate network and it uses its own DNS over HTTPS, wouldn't it break your corporate apps?
The current fallback to not resolving the domain is regular DNS, so local apps should be fine.
@devcentral but how about apps that use the same external DNS but resolve to internal IPs today? These could get messy, right?
@rafaelbianco252 definitely. There are options for that if you have the right equipment at your perimeter. Eric Chen surmised this problem and shared a solution on DC in his article Unbreaking the Internet here: devcentral.f5.com/s/articles/unbreaking-the-internet-and-converting-protocols-30756
Hi DevCentral, great video!! I have a question: how about duckduckgo.com? They claim privacy and they don't share data with other vendors to give us personalized advertisements. Do you think it is safe to use?
I (Jason) have heard good things but I'm with Fox Mulder on the "trust no one" side of things. Safe is relative. My $.02.
Is he writing backwards?
I thought the same but then it occurred to me they probably just write normally and mirror the video in editing.
video is flipped
@StartupYogis Indeed, it's flipped, because everyone is writing with the left hand.
Which means they must make special shirts for these videos with the logo flipped.
Are the terms DoH and DoT interchangeable here?
as presented as a solution, yes, but whereas DoT is just encrypting standard UDP DNS traffic, DoH is also encapsulating those queries in the HTTP protocol, which affords a camouflaging effect with all the other HTTP traffic.
What if you run your own DNS servers? Then you, and you only, have the data, no?
Yes and no. Yes, you own the records, and can act as resolver for whatever client has your DNS server set. No, since the DNS has to travel unencrypted on UDP 53 unless we're talking DNS over HTTPS or TLS.
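To make the two answers above concrete (DoT just wraps standard DNS in TLS, DoH additionally encapsulates it in HTTP; and a self-hosted resolver still receives plaintext on UDP 53 unless one of those is used), here is an added example that is not code from the video, the commenters or F5. It builds one DNS query in wire format and shows exactly what goes on the wire for classic UDP 53, DoT (RFC 7858) and DoH (RFC 8484), then adds a small defender-side check that recognises a DoH GET request in a proxy or web log by decoding its `dns` parameter, which is the kind of check a corporate perimeter needs when browsers resolve around the internal DNS. The resolver URL and query name are constructed placeholders, and nothing is sent over the network.

```python
"""Added example: one DNS query in the three transports discussed in the thread.
Constructed placeholders: DOH_RESOLVER and the query name below. Nothing is sent."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_RESOLVER = "https://doh.example.invalid/dns-query"  # constructed placeholder
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: int = 0) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035) for an A record.
    txid=0 is what RFC 8484 suggests for DoH so that GET URLs are cacheable."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def udp53_payload(query: bytes) -> bytes:
    """Classic DNS: the query bytes are the UDP datagram payload, readable by
    anyone on the path (ISP, coffee-shop Wi-Fi, the corporate tap)."""
    return query


def dot_frame(query: bytes) -> bytes:
    """DNS over TLS (RFC 7858): the same message with a 2-byte length prefix,
    written into a TLS stream to port 853. Payload is hidden, but the port and
    the TLS session still announce "this is DNS"."""
    return struct.pack("!H", len(query)) + query


def doh_get_url(query: bytes) -> str:
    """DNS over HTTPS (RFC 8484) GET form: the wire message is base64url-encoded
    without padding into the 'dns' parameter of an ordinary HTTPS request on 443,
    indistinguishable from other web traffic without TLS inspection."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_RESOLVER}?dns={token}"


def doh_post(query: bytes):
    """DoH POST form: the wire message is the HTTP body, typed application/dns-message."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message"}
    return headers, query


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; used to check a candidate blob really is DNS."""
    if len(msg) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def looks_like_doh_get(url: str) -> bool:
    """Defender-side check for a proxy/web log line: does this URL carry a 'dns'
    parameter that decodes to a plausible DNS query (QR=0, standard opcode,
    at least one question)? Flags browser DoH that bypasses the corporate resolver."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        return False
    token = params["dns"][0]
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        hdr = parse_header(raw)
    except (ValueError, struct.error):  # binascii.Error is a ValueError subclass
        return False
    return hdr["qr"] == 0 and hdr["opcode"] == 0 and hdr["qdcount"] >= 1


if __name__ == "__main__":
    q = build_query("intranet.example.invalid")  # constructed name
    print("UDP/53 payload :", udp53_payload(q).hex())
    print("DoT frame      :", dot_frame(q).hex())
    print("DoH GET        :", doh_get_url(q))
    print("DoH POST hdrs  :", doh_post(q)[0])
    print("flagged as DoH :", looks_like_doh_get(doh_get_url(q)))
```

The detection function only works on URLs the perimeter can see in the clear, which in practice means after TLS inspection at the proxy or on a resolver you operate yourself; without that visibility a DoH query is just one more HTTPS request to port 443.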
@theycallmeken Thank you for taking the time to educate me.
Shawn Doe for sure, hit me up on twitter if you want a further breakdown.
Thanks mate. Love it