On Wed, Jan 22, 2025 at 6:35 AM Frank Guthausen <fg.deb...@shimps.de> wrote:
>
> On Wed, 22 Jan 2025 10:46:16 +0000
> Chris Green <c...@isbd.net> wrote:
> >
> > How can it do that in reality? It's connecting to the outside world
> > via the router. It would have to 'tunnel' through the router somehow
> > wouldn't it as otherwise the router will 'see' any attempts to do DNS
> > type things.
>
> You can ask Google's DNS server directly:
> dig @8.8.8.8 -t A www.google.com
>
> Or you can use your local DNS server:
> dig -t A www.google.com
>
> Both methods are ordinary DNS requests.
>
> > Are you saying that Chromium/Vivaldi have some fixed IP addresses that
> > they use for DNS servers out on the internet?
>
> Yes, the protocol used here is DoH or ``DNS over HTTPS''[1] which is
> specified in RFC 8484[2]. This is a bypass for local network settings
> which might not allow asking external DNS servers as in the example
> above. Since local dial-up connections usually depend on the ISP's DNS
> server, DoH can circumvent manipulation by the ISP as is quite common in
> Germany and the EU. However, IANAL and I don't know in which cases it
> might not be legal to circumvent lawful censorship.
>
> [1] https://en.wikipedia.org/wiki/DNS_over_HTTPS
> [2] https://datatracker.ietf.org/doc/html/rfc8484
In the US, manipulating DNS was (is?) a problem with some ISPs like Verizon. Verizon would provide incorrect answers for non-existent domains. Instead of returning NXDOMAIN in response to a query, Verizon would provide a response that effectively redirected folks to a page to register or purchase the non-existent domain, or to a search page with lots of ads. Obviously, Verizon's actions broke the behavior specified by the RFCs.

See <https://arstechnica.com/uncategorized/2008/02/404-might-be-found-the-curious-case-of-dns-redirects/> and <https://freedom-to-tinker.com/2007/11/12/verizon-violates-net-neutrality-dns-deviations/>.

For a while the BSD folks' network startup scripts issued a query to a known non-existent domain to see if DNS queries were being tampered with or DNS was broken. I don't know if they are still doing it.

When Verizon started doing that, I switched to OpenDNS. I also use Google's DNS on occasion.

Jeff
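Two things come up in the messages above: what a DoH request actually looks like on the wire (RFC 8484, the protocol Frank names), and the "query a name that cannot exist and see whether you still get an answer" check Jeff describes from the BSD startup scripts. The following is an added example written for this thread, not code from either poster or from any BSD project. It builds a raw DNS query, shows how the same query is carried over plain UDP (what `dig @8.8.8.8` does) and over an RFC 8484 GET request (base64url of the wire-format message in the `dns=` parameter), and then classifies a reply to a canary name: NXDOMAIN means the resolver is honest, NOERROR with A records means the name was hijacked. The canary suffix `example.com`, the DoH endpoint `https://dns.google/dns-query`, and the response bytes used at the bottom are assumptions made for this example; the network-sending helpers are included for completeness and are not called when the file is imported.

```python
"""Added example: DNS wire-format query, DoH GET encoding (RFC 8484),
and an NXDOMAIN-hijack check on the reply.  Not from the original thread."""
import base64
import secrets
import socket
import struct
import urllib.request

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QCLASS_IN = 1, 1


def canary_name(suffix="example.com"):
    """A random label that no one should have registered (suffix is an assumption)."""
    return f"canary-{secrets.token_hex(8)}.{suffix}"


def build_query(name, qtype=QTYPE_A, txid=0):
    """RFC 1035 query: 12-byte header (RD set), QNAME labels, QTYPE, QCLASS.
    RFC 8484 recommends ID 0 so identical DoH GETs are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query, base="https://dns.google/dns-query"):
    """RFC 8484 section 4.1: GET <base>?dns=<base64url(query), no padding>."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={enc}"


def send_udp(query, server="8.8.8.8", port=53, timeout=5):
    """Ordinary DNS over UDP, the path `dig @8.8.8.8` takes (not run on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        return s.recv(4096)


def send_doh(query, base="https://dns.google/dns-query", timeout=5):
    """Same message carried over HTTPS; the HTTP layer hides it from a
    router that only inspects port 53 (not run on import)."""
    req = urllib.request.Request(doh_get_url(query, base),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, list of A records as dotted strings) from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                 # skip question section
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return rcode, answers


def classify(msg):
    """Verdict on a reply for a name that must not exist."""
    rcode, answers = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "honest"
    if rcode == RCODE_NOERROR and answers:
        return "hijacked"               # an address for a non-existent name
    return "broken"


def fake_response(query, rcode, a_records=()):
    """Constructed reply for offline use: echoes the question and appends A
    records whose owner is a pointer (0xC00C) to the question name."""
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
                   + bytes(int(x) for x in ip.split(".")) for ip in a_records)
    return header + query[12:] + rrs
```

To run the check for real, replace `fake_response` with `send_udp(q)` or `send_doh(q)` for `q = build_query(canary_name())` and feed the bytes to `classify`; a "hijacked" verdict from your ISP resolver but "honest" from a DoH endpoint is exactly the situation both posters describe.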