DNS as a Vulnerability
In a recent thread I posted that Google can't stop us because we're distributed and do not have a central entity. However we do use DNS, and I wouldn't be surprised if most users either use Google DNS or another DNS provider that shares information with Google and is an affiliate of some sort...
Should the powers that be decide to stop us, all they have to do is shut down DNS to the Gemini domain. We are still centralized and all our links rely on DNS.
It may be wise to prepare for such an attack with an alternative.
Perhaps we can appeal to our search engine operators to provide a daily or even weekly gemini hosts file -- our world is fairly small and static.
We can also ask browser maintainers to consider implementing an alternative lookup scheme.
Or just put them into our own hosts files.
Aug 10 · 2 months ago · 🤔 1
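The "put them into our own hosts files" idea above, as an added example that is not part of the original post or of any Gemini client: a small static resolver that parses hosts-file syntax and looks up the host of a gemini:// URL before (or instead of) asking DNS. The hosts entries, hostnames and addresses are constructed for illustration; the only Gemini-specific assumption is the default port 1965.

```python
"""Resolve the host of a gemini:// URL against a static hosts file.

Added example, not code from the original post or from any Gemini client.
The hosts-file text, names and addresses below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in /etc/hosts syntax: "address hostname [alias...]".
# '#' comments and blank lines are ignored, as the system resolver does.
SAMPLE_HOSTS = """\
# gemini hosts snapshot (constructed example)
203.0.113.10     gemini.example.net  example.net
2001:db8::10     gemini.example.net
198.51.100.7     capsule.example.org
"""


def parse_hosts(text):
    """Return {hostname: [addresses...]} from hosts-file text.

    Later entries append rather than overwrite, so one name may carry both
    an IPv4 and an IPv6 address (the A and AAAA equivalents).  Lines whose
    address does not parse are skipped instead of poisoning the table.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(str(addr))
    return table


def gemini_host_port(url):
    """Split a gemini URL into (hostname, port); the default port is 1965."""
    parts = urlsplit(url)
    if parts.scheme != "gemini" or not parts.hostname:
        raise ValueError("not a gemini URL with a host: %r" % url)
    return parts.hostname.lower(), parts.port or 1965


def resolve_static(url, table, prefer_ipv6=False):
    """Resolve the URL's host from the static table; None if not listed.

    A literal IP in the URL needs no lookup and is returned directly.
    Returns a list of (address, port) tuples in preference order, so a
    client can fall back to the next address if the first refuses.
    """
    host, port = gemini_host_port(url)
    try:
        ipaddress.ip_address(host)
        return [(host, port)]
    except ValueError:
        pass
    addrs = table.get(host)
    if not addrs:
        return None

    def is_v6(a):
        return ipaddress.ip_address(a).version == 6

    ordered = sorted(addrs, key=lambda a: is_v6(a) != prefer_ipv6)
    return [(a, port) for a in ordered]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for u in ("gemini://gemini.example.net/", "gemini://example.net:1966/x",
              "gemini://[2001:db8::10]/", "gemini://unknown.example/"):
        print(u, "->", resolve_static(u, table))
```

A client would consult this table first and only fall through to the system resolver on a miss; the static file still needs to be fetched or updated over some channel, and a stale entry for a host on a dynamic IP will simply fail to connect, which is the limitation raised later in the thread.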
14 Comments ↓
Isn't DNS lookup only by host name? I think we'd be okay.
I put more than a little effort into supporting DoH in Alhena but when I discovered the SNI was sent in the clear to the server anyway, I abandoned the idea.
🚀 stack [OP] · Aug 10 at 22:16:
Yes, but all the links in everyone's pages to other sites would be broken.
🐑 thezipcreator · Aug 10 at 22:47:
honestly, I'm not sure it's much of a concern for gemini being suppressed by big tech or governments or whatever. its presence is barely noticed and probably will continue to be (which, I think is sort of by design).
that said, I wouldn't oppose creating a hosts file or directory of links to IP addresses, just to make sure links are still resolvable as @stack said. extra resiliency is usually always a good thing.
DNS is a distributed database. Google, if they wanted to, could do "filtering" on their own DNS system (8.8.8.8), although tbh, I doubt they would do that (I mean from PR PoV that'd be a terrible move), but more importantly, I don't think it has as many users as you might think.
But even more importantly: any "alternative" DNS idea is likely a bad idea (from security pov).
Another problem is in case of dynamic IP addresses.
@stack I'm still not sure I'm following. When creating a connection, you specify the host and the port (not the scheme). How could that be blocked?
@bluesman hostname needs to be resolved. There's a "public" google DNS server - which is also known to be used by Google to collect information. To use that DNS server you need to either change your DNS settings manually or be a user of Chromecast, which I believe in some version uses google DNS by default.
see also my comment above.
Maybe, *maybe*, if Gemini used SRV DNS records, then Google and Cloudflare (the other large DNS provider) could filter DNS lookups for Gemini servers. But Gemini doesn't use SRV records; it uses A or AAAA records.
If I enter a URL of gemini://example.net/ my computer will do a DNS A/AAAA lookup for "example.net". There's no indication that I'm going for HTTP, Gopher, Gemini, SSH or even QOTD. Get a grip!
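The point made in the comment above, as an added example that is not part of the original thread: the DNS question for a gemini://, https:// or gopher:// URL on the same host is byte-for-byte identical (QNAME plus QTYPE A or AAAA), so a resolver cannot tell the protocols apart. Only a service-specific SRV name such as `_gemini._tcp.example.net` would carry the protocol in the query. Names and the transaction ID are constructed; nothing is sent on the network.

```python
"""Build and decode a DNS query to show what a resolver actually sees.

Added example, not code from the original thread. The query contents are
constructed; nothing is sent on the network.
"""
import struct
from urllib.parse import urlsplit

QTYPE = {"A": 1, "AAAA": 28, "SRV": 33}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode a dotted name into DNS label format: len-prefixed labels + 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        data = label.encode("ascii")
        if not 0 < len(data) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(data)]) + data
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Return the wire form of a standard recursive query (RFC 1035 s4.1)."""
    flags = 0x0100                                  # RD set, all else zero
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # IN
    return header + question


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off:]; return (name, new_off)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not expected in a question")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_question(packet):
    """Return the question fields a resolver sees: (qname, qtype, qclass)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return qname, QTYPE_NAME.get(qtype, qtype), qclass


def question_for_url(url, qtype="A"):
    """The question a client sends for any URL: scheme and port are gone."""
    return parse_question(build_query(urlsplit(url).hostname, qtype))


if __name__ == "__main__":
    for url in ("gemini://example.net/", "https://example.net/x",
                "gopher://example.net:70/"):
        print(url, "->", question_for_url(url))
    # Only a service-specific SRV name would reveal the protocol.
    print(parse_question(build_query("_gemini._tcp.example.net", "SRV")))
```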
@gim I understand how DNS works (which is why I looked into encrypting it in Alhena with DoH). I was trying to point out what @spc476 said more directly. DNS only uses the hostname to resolve an IP. It doesn't know the scheme (gemini vs http, etc).
I was trying to figure out if stack meant Google could blacklist known gemini servers at the DNS level using an actual list - from TLGS, say. That would be unprecedented and break websites (like my own) that do double duty as both gemini and http servers.
🚀 stack [OP] · Aug 11 at 13:34:
I was thinking goofily and appreciate the subtle reminder of my own stupidity, but I'm surprised that you don't see this giant centralization knot as a vulnerability.
We pride ourselves on privacy and such but pretty much turn over our network graph and usage data to the same masters of the universe...
While DNS is technically distributed, I would be surprised if 90 percent is not using whatever their system defaults to.
DNS is definitely a vulnerability when it comes to privacy. That's the reason I was well down the path of implementing DoH (DNS over HTTPS). There may still be advantages but when I found out the server name would be sent in the clear later, I abandoned the effort. DoG or "DNS over Gemini" wouldn't solve that particular problem either despite having a fun acronym.
There are other name systems out there even if not very popular. I've found a few people running gemini capsules over tor (with .onion domains). And the same would probably work for other network stacks (gnunet comes to mind) as long as they support stream communication in order to tunnel TLS over it. I kind of wish there was better support for this kind of stuff in gemini browsers.
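The SNI leak that the Alhena author describes above (and in the earlier comment about abandoning DoH), as an added example that is not part of the thread or of Alhena: a minimal TLS ClientHello builder plus a parser that pulls the `server_name` extension out of it. The ClientHello is the first thing the client sends, before any key exchange, so the hostname is readable by anyone on the path no matter how it was resolved. The hostname, cipher suite and random bytes are constructed.

```python
"""Extract the SNI hostname from a TLS ClientHello, to show it is plaintext.

Added example, not code from Alhena or the original thread. The
ClientHello is constructed by build_client_hello(); it carries the same
fields a real client sends before any encryption is negotiated.
"""
import os
import struct

SNI_EXT = 0x0000
TLS12 = b"\x03\x03"


def build_client_hello(hostname, random_bytes=None, with_sni=True):
    """Minimal TLS 1.2-style ClientHello record, optionally with one SNI entry."""
    exts = b""
    if with_sni:
        name = hostname.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_ext = (struct.pack("!HH", SNI_EXT, len(sni_list) + 2)
                   + struct.pack("!H", len(sni_list)) + sni_list)
        exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (TLS12
            + (random_bytes or os.urandom(32))
            + b"\x00"                                # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16" + TLS12 + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent.

    Walks the fixed fields, then the extension list, without letting any
    length field index past the end of the buffer.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                     # version + random
    off += 1 + body[off]                             # session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + cs_len
    off += 1 + body[off]                             # compression methods
    if off + 2 > len(body):
        return None                                  # no extensions at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = min(off + ext_len, len(body))
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != SNI_EXT or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(data)):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            if ntype == 0 and p + 3 + nlen <= len(data):
                return data[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
    return None


if __name__ == "__main__":
    rec = build_client_hello("gemini.example.net")
    print("SNI on the wire:", extract_sni(rec))
    print("hostname visible as raw bytes:", b"gemini.example.net" in rec)
```

The same parser works on a real ClientHello captured from the wire, since it only reads the fixed fields and extension framing. Hiding the name would require the TLS Encrypted Client Hello extension on both client and server, which is a separate change from encrypting DNS.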
@stack I'm pretty certain it's even more than 90%, but - at least here - default DNS servers usually point to ISP dns servers, not google or cloudflare.
(what I'm trying to say is that I _believe_ it is not as centralized, as some other services - say cloud services in general)
Use Quad9 (9.9.9.9 / 149.112.112.112); or if you #RunBSD, you can just use unwind and unbound and be your own resolver.
If you are talking about Nameservers, desec.io.