3 risks of using clear DNS
2:54

David Bombal 08.05.2026 6 233 views 307 likes

Video description
Discover the 3 flavors of encrypted DNS (DoT, DoH, DoQ) and learn how to secure your traffic from ISP snooping and man-in-the-middle attacks. Big thank you to Infoblox for sponsoring this video. To learn more about Infoblox please visit: https://www.infoblox.com/ #dns #encrypteddns #isp

Contents (1 segment)

Segment 1 (00:00 - 02:00)

So, there are really sort of three flavors of encrypted DNS right now. There's DoT, which is DNS over TLS, DoH, HTTPS, and let's call it DoQ. I don't know if they pronounce it that way, but that's DNS over QUIC. And QUIC, Q-U-I-C, that might be new to some folks. Um, it's an encrypted layer, an encrypted transport that runs over UDP. So, the idea is that it's supposed to be more efficient than, for example, using TCP as a transport. And actually it was pioneered, I believe it was developed originally within Google. It's used a lot within web 3. YouTube a lot, right? Yeah. Yeah, exactly. But efficient transport. The nice thing is that by doing DNS over QUIC, you're not forcing DNS to run over TCP, which is uh is more onerous for DNS clients and DNS servers to handle. Okay, so the advantage you have. So, give us some of the advantages. I'll just hit one that I can think of I mentioned earlier. If I don't want my ISP to see where I'm going or like some like someone some Wi-Fi network at the airport or something, I can send my DNS encrypted. So, I am the DNS service here, so not someone in the middle. So, they can't run man-in-the-middle attacks. They hopefully won't be able to spoof that kind of thing. So, just give us some of the advantages of doing it. Yeah, yeah. So, as you said. So, um, snooping is is very difficult if you use one of these encrypted DNS protocols. Spoofing is very difficult. Also, impersonating the DNS server if you're using server authentication, which is optional, and spoofing the client to the server, which is also optional, the client authentication part of it. So, all of that is fantastic. But then you asked about disadvantages. — Yeah. For disadvantages, think about DNS within, for example, an enterprise environment, within some other organization. Um, your IT folks are accustomed to being able to see inside the DNS traffic. And maybe that helps them to troubleshoot problems, for example.
Or maybe they run software like intrusion detection, intrusion prevention software that might rely on being able to see that traffic in order to do its job. Um, all of a sudden if that's opaque, a lot of that stuff isn't going to work or it's going to be much harder for those IT folks in order to do their job. Now, at Infoblox we would say, "Well, since we're the DNS server, we'll certainly give all of those IT folks access to that data. They just have to get it from the other end of the encrypted connection." Um, but you can see that there are some reasons that uh that encrypted DNS might not be appropriate for use within some internal networks. There's also the overhead, of course, because um those encrypted DNS protocols do require more computational horsepower because you're doing encryption and decryption in order to send and receive data. You're using TCP, which is again more overhead.
