Users of DNS over cleartext UDP port 53 (Do53) — i.e. most users of the internet — are at risk from specified privacy and integrity threats, not all of which risks are mitigated by authoritative content signature schemes such as DNSSEC. DNS-over-TLS (DoT) by design does not address several of these risks. DNS-over-HTTPS (DoH) obviates many but not all of the risks, and its transport protocol (i.e. HTTPS) raises historical concerns of privacy due to (e.g.) "cookies." The Tor Network exists to provide TCP circuits with some freedom from tracking, surveillance, and blocking.

Thus: In combination with Tor, DoH, and the principle of "Don't Do That, Then" (DDTT) to mitigate request fingerprinting, I describe DNS over HTTPS over Tor (DoHoT).

Since February 2020, using off-the-shelf open-source software, I have provided DoHoT to my home network. A dnscrypt-proxy caching resolver presents locally as a Do53 resolver that is exclusively configured to make outbound resolution DoH calls over Tor. I have — aside from necessary heartbeats and bootstrap — blocked all outbound port 53 & 853 traffic at my firewall, in order to prevent leaks. I have not sought to prevent other forms of DoH traffic because I am less interested in the challenge of constraining name resolution than I am in enhancing its privacy and integrity.

After an initial five months of testing, tuning, selection of DoH servers, and being forgotten about in the light of world news, in the subsequent seven months (ending February 2021) the DoHoT system has issued more than 1.6 million DoH requests over Tor to a pool of 9 public DoH resolvers, and served an additional 773k responses to clients from cached results. I share performance statistics, a list of technical prejudices that I was told to expect, describe my failure (for the most part) to experience them, and a summary of the experiences of two people relying entirely upon this system for work and personal life during COVID-19 "lockdown".

View More Papers

POSEIDON: Privacy-Preserving Federated Neural Network Learning

Sinem Sav (EPFL), Apostolos Pyrgelis (EPFL), Juan Ramón Troncoso-Pastoriza (EPFL), David Froelicher (EPFL), Jean-Philippe Bossuat (EPFL), Joao Sa Sousa (EPFL),...

Read More

Polypyus – The Firmware Historian

Jan Friebertshauser, Florian Kosterhon, Jiska Classen, Matthias Hollick (Secure Mobile Networking Lab, TU Darmstad)

Read More

C^2SR: Cybercrime Scene Reconstruction for Post-mortem Forensic Analysis

Yonghwi Kwon (University of Virginia), Weihang Wang (University at Buffalo, SUNY), Jinho Jung (Georgia Institute of Technology), Kyu Hyung Lee...

Read More

DNS Privacy Vs : Confronting protocol design trade offs...

Mallory Knodel (Center for Democracy and Technology), Shivan Sahib (Salesforce)

Read More