How does DNS work? (2002) (cr.yp.to)
16 points by 1vuio0pswjnm7 on April 5, 2024 | hide | past | favorite | 13 comments


Related:

How does DNS work? (2002) - https://news.ycombinator.com/item?id=30173559 - Feb 2022 (7 comments)


Personally, I prefer this explanation: https://www.youtube.com/watch?v=4ZtFk2dtqv0


I learned more about DNS from a cat than I've learned in 15 years of web dev and devops


"All of this work is handled by a DNS cache running on your computer."

Running on _your_ computer. Not running on Google's computers, Cloudflare's computers, Quad9's (IBM's) computers, OpenDNS's (Cisco's) computers or a computer belonging to some individual running a DNSCrypt proxy.

This is not how HN commenters and many people active in other web forums believe that DNS works. They believe that DNS requires a third party, such as Google, Cloudflare, Quad9, OpenDNS, etc. In recent times, they often call this "upstream".

Thus, there are different answers to the question, "How does DNS work?"

One answer says that the end user is in control. The end user sends the DNS query to the authoritative DNS server.

Another answer says that a third party, an "upstream" provider, a middleman, is in control. The third party sends the DNS query to the authoritative DNS server.

If we asked the people behind "DNS Over HTTPS" how DNS works, which answer would they choose?

Hint: It is not answer #1.

Authoritative DNS servers do not answer DoH queries. Under the DoH scheme, DNS queries sent to authoritative DNS servers are not encrypted. The only queries that are encrypted are recursive queries to a cache running on a computer belonging to a third party, e.g., Google, etc.

DNSCurve, OTOH, allows the end user to send encrypted, non-recursive DNS queries to authoritative DNS servers. DoH cannot do this; DoH is not comparable with DNSCurve.

Plenty of HN commenters understand that HTTP requests sent to Cloudflare's CDN via HTTPS may be decrypted at Cloudflare before they are forwarded to backend servers operated by Cloudflare customers. As such, Cloudflare can see the contents of every HTTP request. In this regard, DoH is similar. The third party "upstream" DNS provider, e.g., OpenDNS, Quad9, Google, Cloudflare, etc. can see the contents of every DNS query.

Whereas when I use a DNSCurve-compatible stub resolver or cache running on my computer to query an authoritative DNS server running behind a CurveDNS forwarder, there are only two parties that see the contents of the query: 1. the operator of the authoritative DNS server and CurveDNS forwarder and 2. the person who sent it: me. No third party, no "upstream", no middleman.

NB. A "recursive cache" is not an authoritative DNS server.


I don't know what you're trying to say about DoH here, but tons of people who use DoH do so with their own recursive cache servers.

DNSCurve is a dead letter.


DoH typically encrypts the connection between the client and the recursive DNS server, and TLS is reasonably suitable for this because the client is always querying the same server and can keep the connection open or use session resumption. DNSCurve is designed to encrypt the request between the recursive and authoritative DNS server, where the requests go to all different authoritative nameservers and the TLS handshake is correspondingly slow/heavy.

Is there any technical problem with DNSCurve or is it just a technology with low current adoption, like source port randomization before the Kaminsky attack?


The "go to market" story for DNSCurve involves it solving some of the problems DoH solves (see "Why DNSCurve" under "For DNS Users" on Bernstein's page). It's had minimal adoption over 15 years, and the case for it has weakened, not improved, since then.


It can solve the same problem, but it also solves it better. If you're using DoH to e.g. Cloudflare, Cloudflare can still see all of your DNS queries. If your own local device operated recursively using DNSCurve to the authoritative servers, there is no such third party intermediary who could be compromised or betray you. Moreover, it could also be used to encrypt the queries between Cloudflare and the authoritative servers for the people doing that.

The lack of adoption is mainly that authoritative nameserver operators have no incentive to spend resources on encrypting DNS unless their customers demand it, but the lesson from this should be to demand that your DNS provider support it.


Yes. It doesn't matter. These are marginal problems. The major adversary for DNS privacy is ISPs, and DoH neatly solves it. AWS and DO aren't (probably can't, in fact) sniffing DNS traffic to generate marketing data feeds. Betamax was better than VHS.


Not that complicated, just a combination of cache invalidation and naming things.


The root ('.') is also variously treated as a label or ignored, so beware the off-by-one errors.
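The off-by-one the comment above refers to is concrete in RFC 1035 wire format: a name is a sequence of length-prefixed labels that always ends in a zero-length label, and that final empty label *is* the root. Whether "example.com." has two labels or three depends on whether you count it. The following is an added example, not code from the thread or from any of the projects mentioned; it encodes and decodes names so that the root label is always present on the wire regardless of whether the presentation form carries a trailing dot, and builds a minimal query message around it. Names, transaction ID and sample input are constructed for illustration.

```python
# Added example: RFC 1035 name encoding, decoding and a minimal query message.
# The root ('.') is encoded as an explicit zero-length label; it is never
# optional on the wire, even though "example.com" and "example.com." are both
# accepted in presentation form.

import struct


def name_to_wire(name: str) -> bytes:
    """Encode a presentation-format name into wire format.

    "example.com", "example.com." and "." are all accepted; the result always
    terminates with the zero-length root label.
    """
    if name in ("", "."):
        labels = []  # the root itself: nothing but the terminating zero octet
    else:
        labels = name.rstrip(".").split(".")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035: each label is 1..63 octets
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label: length 0, always present
    if len(out) > 255:  # RFC 1035: whole name is at most 255 octets
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def wire_to_name(buf: bytes, offset: int = 0) -> tuple:
    """Decode an uncompressed wire-format name starting at `offset`.

    Returns (presentation name with trailing dot, count of non-root labels,
    offset just past the name). Compression pointers (top two bits set) are
    deliberately rejected here to keep the example to the label structure.
    """
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break  # reached the root label
        if length > 63:
            raise ValueError("compression pointer or reserved label type")
        if offset + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    # The root is not counted in the returned label count; the trailing dot
    # in the presentation form shows that it was nonetheless present.
    return ".".join(labels) + ".", len(labels), offset


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard query with the RD (recursion desired) bit set.

    qtype 1 = A, class 1 = IN. Header layout: ID, FLAGS, QDCOUNT, ANCOUNT,
    NSCOUNT, ARCOUNT (six 16-bit big-endian fields).
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(name) + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed sample input: with and without the trailing dot the wire
    # form is identical, and the root label is the final 0x00 octet.
    for n in ("example.com", "example.com.", "."):
        wire = name_to_wire(n)
        decoded, count, _ = wire_to_name(wire)
        print(f"{n!r:16} -> {wire.hex()}  decoded={decoded!r} labels={count}")
    print("query:", build_query("example.com").hex())
```

The decoder returns the non-root label count and a presentation name with a trailing dot; callers that need the other convention add one, which keeps the choice explicit rather than buried in a loop bound.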


Three things that are hard.


…it doesn’t /s



