On Wed, 22 Jan 2025 07:16:07 -0500 Jeffrey Walton <noloa...@gmail.com> wrote:
> On Wed, Jan 22, 2025 at 6:35 AM Frank Guthausen <fg.deb...@shimps.de>
> wrote:
> >
> > On Wed, 22 Jan 2025 10:46:16 +0000
> > Chris Green <c...@isbd.net> wrote:
> >
> > > How can it do that in reality? It's connecting to the outside
> > > world via the router. It would have to 'tunnel' through the
> > > router somehow wouldn't it as otherwise the router will 'see' any
> > > attempts to do DNS type things.
> >
> > You can ask Google's DNS server directly:
> > dig @8.8.8.8 -t A www.google.com
> >
> > Or you can use your local DNS server:
> > dig -t A www.google.com
> >
> > Both methods are ordinary DNS requests.
> >
> > > Are you saying that Chromium/Vivaldi have some fixed IP addresses
> > > that they use for DNS servers out on the internet?
> >
> > Yes, the protocol used here is DoH or ``DNS over HTTPS''[1] which is
> > specified in RFC 8484[2]. This is a bypass for local network
> > settings which might not allow asking external DNS servers as in
> > the example above. Since local dial-up connections usually depend
> > on the ISP's DNS server, DoH can circumvent manipulation by the ISP
> > as is quite common in Germany and the EU. However, IANAL and I don't
> > know in which cases it might not be legal to circumvent lawful
> > censorship.
> >
> > [1] https://en.wikipedia.org/wiki/DNS_over_HTTPS
> > [2] https://datatracker.ietf.org/doc/html/rfc8484
>
> In the US, manipulating DNS was (is?) a problem with some ISPs like
> Verizon. Verizon would provide incorrect answers for non-existent
> domains. Instead of returning NXDOMAIN in response to a query, Verizon
> would provide a response that effectively redirected folks to a page
> to register or purchase the non-existent domain, or to a search page
> with lots of ads. Obviously, Verizon's actions broke the behavior
> specified by the RFCs.
> See
> <https://arstechnica.com/uncategorized/2008/02/404-might-be-found-the-curious-case-of-dns-redirects/>
> and
> <https://freedom-to-tinker.com/2007/11/12/verizon-violates-net-neutrality-dns-deviations/>.
>
> For a while the BSD folks' network startup scripts issued a query to a
> known non-existent domain to see if DNS queries were being tampered
> with or DNS was broken. I don't know if they are still doing it.
>
> When Verizon started doing that, I switched to OpenDNS. I also use
> Google's DNS on occasion.
>

An example: https://uk.linkedin.com/company/barefruit

-- 
Joe
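The tamper check Jeffrey attributes to the BSD startup scripts, written out as an added example that is not code from this thread: it probes a name that cannot exist and classifies what the resolver says, working over the text that `dig` prints so it can be run on captured output. The probe base `example.com`, the `nxprobe-` label and the two dig transcripts are constructed for this example.

```python
import re
import secrets

# Constructed probe: a random label under a base domain that has no such host.
def probe_name(base="example.com"):
    return f"nxprobe-{secrets.token_hex(6)}.{base}"

_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
_ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)")

def parse_dig(output):
    """Return (rcode, [(name, rtype, rdata), ...]) from dig's textual output."""
    m = _STATUS_RE.search(output)
    rcode = m.group(1) if m else "UNKNOWN"
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True          # records follow until the next ';;' header
            continue
        if line.startswith(";;"):
            in_answer = False
        if in_answer:
            am = _ANSWER_RE.match(line)
            if am:
                answers.append(am.groups())
    return rcode, answers

def classify(rcode, answers):
    """'clean' = honest NXDOMAIN; 'hijacked' = synthesized answer; 'broken' = other."""
    if rcode == "NXDOMAIN" and not answers:
        return "clean"
    if rcode == "NOERROR" and answers:   # a non-existent name resolved anyway
        return "hijacked"
    return "broken"                      # SERVFAIL, timeout, unparsable, ...

def check(output):
    return classify(*parse_dig(output))

# Constructed dig transcripts, trimmed to the lines that matter.
HONEST = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 1 7200 3600 1209600 3600
"""
REDIRECTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; ANSWER SECTION:
nxprobe-0123456789ab.example.com. 60 IN A 192.0.2.10
"""
```

On a live system the input would be the output of `dig -t A "$(probe name)"` against the resolver under test; the TEST-NET address in the redirected sample stands in for whatever landing page a hijacking resolver returns.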