Will website name in certificate shared by server during handshake kill the DNS over https purpose?
While querying DNS over HTTPS, let's assume the user gets the IP over a secure connection. In the handshaking process the website shares its certificate in plaintext, which includes the website name and other info. Will it kill the DNS over HTTPS purpose other than active sniffing?
161 Views Asked by sujoshi At
There are actually two clear-text exposures in the TLS protocols used by HTTPS.
The latest version of TLS, 1.3, which is starting to be adopted by browsers and web server software, provides encryption for the ServerHello, and within a year or so should be widely adopted, making the exposure of domain names in certificates much less likely.
SNI is more difficult to send in a secure encrypted form that is resistant to active attackers (protection against passive monitoring is more practical, but does not protect targeted clients). SNI is used by web hosting servers to determine which service's certificate should be used when there are multiple services sharing the same IP address.
While clear-text SNI information does weaken the privacy goals of DNS-over-HTTPS and the alternative DNS-over-TLS, there is a strong case to be made that encrypting and authenticating DNS requests and responses
Not all internet traffic is web. If you run a mail transfer agent, it needs to look up the domains of your e-mail recipients, and even when it uses SMTP TLS, SNI is not usually involved.
For web browsing, there are mechanisms that can be used by the operators of sensitive domains, such as Domain Fronting, to make the exposure of SNI less revealing, by sending one domain in the SNI request and another in the HTTP Host: header. There is even an Internet Draft proposal to supply the desired "fronting" SNI via DNS.
There are also several different Internet Draft proposals for protecting SNI: one uses both DNS records and TLS extensions and another uses tunneling to protect the SNI information. The author of the latter proposal has a more generally accessible blog post illustrating the difficulties of protecting SNI against all possible attacks.
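The cleartext SNI exposure the answer describes, as an added example that is not part of the original question or answer: a minimal ClientHello builder and a parser that recovers the `server_name` the way a passive network monitor (or a defender's TLS-inspection logging) would, walking only the plaintext handshake structure with no key material. The ClientHello bytes and host names are constructed here for the example; real browser hellos carry many more cipher suites and extensions, but the SNI extension (type 0, RFC 6066) has the same layout, and it stays in the clear in TLS 1.3 as well, even though the server's Certificate message is encrypted there.

```python
"""Added example: what an on-path observer reads from a TLS ClientHello.

Builds a minimal ClientHello record with (or without) an SNI extension and
parses the host_name back out of the plaintext, exactly as a passive network
monitor would. All bytes below are constructed for this example.
"""
import struct
from typing import Optional


def _u16(n: int) -> bytes:
    """Big-endian 16-bit length/type field, as TLS encodes them."""
    return struct.pack("!H", n)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a TLS record carrying a ClientHello.

    If server_name is given, an RFC 6066 server_name extension is attached;
    if None, the hello carries no extensions block at all.
    """
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2 wire value
        + bytes(32)                 # client random (zeros; constructed)
        + b"\x00"                   # session_id: empty
        + _u16(2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null only
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerNameList with one entry: name_type host_name (0), length, name
        server_name_list = b"\x00" + _u16(len(host)) + host
        sni_ext_body = _u16(len(server_name_list)) + server_name_list
        extensions = _u16(0x0000) + _u16(len(sni_ext_body)) + sni_ext_body
        body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent.

    Reads only the plaintext framing, so it works on a raw packet capture;
    no decryption is involved, which is the whole point of the exposure.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not hs or hs[0] != 0x01:
        return None                                   # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # skip session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # skip cipher_suites
    pos += 1 + body[pos]                              # skip compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions present
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_size = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_size]
        if ext_type == 0:                             # server_name extension
            # data = list_len(2) | name_type(1) | name_len(2) | name
            name_len = int.from_bytes(data[3:5], "big")
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_size
    return None


if __name__ == "__main__":
    # Constructed host name; DoH hid the DNS lookup, but this is still visible.
    hello = build_client_hello("www.example.com")
    print("observer sees SNI:", extract_sni(hello))
    print("hello without SNI:", extract_sni(build_client_hello(None)))
```

Run against a real capture, `extract_sni` applied to the first client-to-server record of each TLS connection is the per-connection record a network-level observer gets for free, independent of whether the client resolved the name over plain DNS, DoH or DoT; it is also the field a defender's flow logging typically keeps, which is why the answer's point about DoH narrowing, not closing, the metadata exposure matters for both sides.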