linux-from-scratch/lfs-buildscripts
1
0
Fork 0
mirror of https://github.com/YellowJacketLinux/lfs-buildscripts.git synced 2025-01-23 14:32:20 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

spell check

Browse Source
This commit is contained in:
YellowJacketLinux 2024-10-11 18:39:05 -07:00
parent 3e6d49f3c6
commit d2d8d126e4
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
SECURE_DNS.md
View File

@ -23,7 +23,7 @@ On social media (especially places like reddit) you will often run into
GNU/Linux users who make the claim that `systemd-resolved` is trying to solve GNU/Linux users who make the claim that `systemd-resolved` is trying to solve
a problem that has already long been solved by `/etc/resolv.conf` and is an a problem that has already long been solved by `/etc/resolv.conf` and is an
example of programmers trying to force complexity on us. They will often get a example of programmers trying to force complexity on us. They will often get a
lot of upvotes and confirming replies. I hate to be condescending but those lot of up-votes and confirming replies. I hate to be condescending but those
people are just fucking idiots who like to sound wise. DNS injection attacks people are just fucking idiots who like to sound wise. DNS injection attacks
are a __SERIOUS__ problem that `/etc/resolv.conf` does not even *begin* to are a __SERIOUS__ problem that `/etc/resolv.conf` does not even *begin* to
address. address.
@ -138,7 +138,7 @@ problem.
Failure to resolve domain names because of a TLS problem (such as a revoked Failure to resolve domain names because of a TLS problem (such as a revoked
certificate, a certificate not trusted by your clients certificate bundle, or certificate, a certificate not trusted by your clients certificate bundle, or
an inability for your client and the server to agree upon cypher suite to use) an inability for your client and the server to agree upon cipher suite to use)
results in a *complete loss* of DNS services unless DoT is used as an results in a *complete loss* of DNS services unless DoT is used as an
opportunistic feature that allows a fall-back to plain text. opportunistic feature that allows a fall-back to plain text.
@ -244,3 +244,10 @@ without also blocking all secure web pages.
DoH is both a privacy and security disaster and the companies behind it, that DoH is both a privacy and security disaster and the companies behind it, that
embrace it, and promote it should be ashamed of themselves. embrace it, and promote it should be ashamed of themselves.
When secure DNS is needed, it should be done through DoT. The *only* reason for
DoH to even exist is to bypass system and network privacy and security. Believe
me when I say companies like Apple, Google, and Mozilla (makers of FireFox) most
certainly do NOT have your best interests in mind. They want to track you, they
want to allow advertisers to track you, even when the mechanism by which they
allow such tracking also causes a security nightmare.