DNS & TLS SNI: Now with encryption... and cloud

Speaker: Bert Hubert

Abstract

DNS is one of the few remaining (generally) unencrypted parts of our daily network use. In addition, TLS sessions (even TLS 1.3) transfer the name of the server visited in plaintext ("SNI"). 2018 saw the release of technologies to encrypt both of these privacy leaks, which is good. Less good however is that with this encryption, your DNS (and TLS SNI) lookups will move to the cloud.

In this talk, I explain the technologies used (DNS over TLS and DNS over HTTPS), but also spend time on what this change means: loss of control over your lookups (forget about your intranet), and how encrypting your data to a cloud provider may provide security against your network admin & government, but does send all your browsing behaviour to California.

Biography

Bert is the founder of PowerDNS. These days he also cares a lot about keeping the internet open. In addition, he can't help document or explain open technologies.

Twitter: @PowerDNS_Bert