I think Jonnax meant ISPs, not you.



In which case he is wrong. You are the operator of your own network.

If applications decide to bypass you, they are hostile and cannot be trusted.


Then the DNS protocol is old and needs to be updated. Security considerations need to be forward looking rather than clinging to the past.

DNS is unencrypted and a security risk. For the user. It's an old technology that needs to be updated.

DNS over TLS/HTTPS allows the browser to get a trusted record of the IP, which is a public register.

The bypass here is looking up what the corresponding IP address for a hostname is.

DNS based blocking isn't as effective as IP blocking.

You can feed a DNS based list of IPs you want to block into a firewall and have the exact same behaviour.

Both Firefox and Chrome have the ability to set enterprise user settings that can force certain configurations.

So you should have the ability to disable it if you want in your network.

If you're worried about the security of your network don't allow devices that you don't trust into it and restrict internet access properly.

What's more, anyone can configure a custom DNS resolver on their device when connecting to a network.
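As an added illustration of the "enterprise settings" point above (not code from the thread), here is a POSIX shell snippet that writes the Firefox and Chrome managed-policy files which turn DNS-over-HTTPS off and lock the choice, so those browsers keep using the resolver the network hands out. It assumes the standard Linux policy paths; the optional ROOT argument lets you stage the files into a scratch directory before copying them to a real host.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes browser enterprise
# policies that disable DNS-over-HTTPS and lock the setting. Assumes the
# Linux policy locations for Firefox and Chrome; ROOT ("" for a live host,
# a temp dir for staging) is prepended to both paths.
set -eu

write_doh_policies() {
  root="${1:-}"

  # Firefox: DNSOverHTTPS policy, disabled and locked so the user can't re-enable it.
  mkdir -p "$root/etc/firefox/policies"
  cat > "$root/etc/firefox/policies/policies.json" <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
EOF

  # Chrome: DnsOverHttpsMode "off" forces classic system DNS.
  mkdir -p "$root/etc/opt/chrome/policies/managed"
  cat > "$root/etc/opt/chrome/policies/managed/doh.json" <<'EOF'
{
  "DnsOverHttpsMode": "off"
}
EOF
}

# Returns 0 when both policy files are present and carry the expected settings.
check_doh_policies() {
  root="${1:-}"
  grep -q '"Enabled": false' "$root/etc/firefox/policies/policies.json" &&
  grep -q '"Locked": true'   "$root/etc/firefox/policies/policies.json" &&
  grep -q '"DnsOverHttpsMode": "off"' "$root/etc/opt/chrome/policies/managed/doh.json"
}
```

Run `write_doh_policies` with no argument on the host itself (as root), then `check_doh_policies` to confirm; on Windows and macOS the same policy names are delivered through registry keys or configuration profiles instead of these files.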


You seem to forget that Domain Name Resolution became a problem after the more generic Name Resolution (i.e. Novell/LAN Manager/NetBIOS). The generic name resolution system used lmhosts, which became hosts to more easily associate IPs and names. [0]

> Originally these names were stored in and provided by a hosts file but today most such names are part of the hierarchical Domain Name System (DNS).

[0] https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_name
