Improve security and privacy by switching from personalized to generic subdomain
NextDNS looks like a great service. But a personalized subdomain means if my nextdns account is compromised, an attacker could mess with my DNS in a way that leaves me much less secure than I was to start with. A personalized subdomain also reduces my privacy. If these issues were fixed, nextdns would become a lot more interesting.
I would prefer to connect to a generic subdomain and then transmit account information over https. Some ideas for how this could be accomplished:
* a subdomain which is a base64 encoded version of my preferred options (to avoid becoming vulnerable to attackers yourself, you should deserialize this very carefully!)
* a subdomain which is a hash of my preferred options, then look up the hash in the db and verify that the options present in the db which correspond to that hash do in fact hash to the subdomain I connected to. That way even if attackers compromise your db, my DNS is still not compromised. (My DNS could be compromised if attackers also compromise your codebase and remove the hash protection. But codebase compromise is game over anyways -- you'll just need to have secure devops)
* alternatively, just provide a single set of high-security DNS options for users who are concerned about this, on a generic "high security" subdomain. Or a few standard sets depending on how much inconvenience a user is willing to trade off for security. Standard sets also help with privacy.
Thanks for your consideration. :-)
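The second proposal above (subdomain = hash of the options, with the stored record re-hashed on lookup) and the "deserialize this very carefully" caveat from the first one can be sketched in a few dozen lines. The block below is an added illustration for this page; it is not part of the original post and not NextDNS's own code. The option names, the canonical JSON encoding, the base32 label format and the in-memory stand-in for the provider's database are all assumptions made for the example.

```python
"""Hash-addressed resolver profiles: an added illustration of the idea in the
post above, not NextDNS code. Option names, the canonical encoding and the
in-memory 'database' are assumptions made for the example."""
import base64
import hashlib
import hmac
import json

# Options the resolver knows how to apply, with the type each must have (assumed names).
ALLOWED_OPTIONS = {
    "block_malware": bool,
    "block_ads": bool,
    "dnssec": bool,
    "blocklists": list,
}


def validate_options(options) -> dict:
    """Strict deserialization: unknown keys or wrong types are rejected before
    the options can influence resolver behaviour (the 'deserialize carefully'
    point from the post)."""
    if not isinstance(options, dict):
        raise ValueError("options must be a JSON object")
    for key, value in options.items():
        expected = ALLOWED_OPTIONS.get(key)
        if expected is None:
            raise ValueError(f"unknown option {key!r}")
        if type(value) is not expected:
            raise ValueError(f"option {key!r} must be {expected.__name__}")
    if not all(isinstance(name, str) for name in options.get("blocklists", [])):
        raise ValueError("blocklists must be a list of names")
    return options


def canonical_bytes(options: dict) -> bytes:
    """Deterministic encoding: the same options must always give the same bytes,
    otherwise the label cannot be recomputed on lookup."""
    return json.dumps(options, sort_keys=True, separators=(",", ":")).encode()


def profile_label(options: dict) -> str:
    """Subdomain label = SHA-256 of the canonical options, base32 (RFC 4648)
    without padding, lowercased: 52 characters from [a-z2-7], inside the
    63-octet DNS label limit and case-insensitive like the rest of a hostname."""
    digest = hashlib.sha256(canonical_bytes(options)).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


class ProfileStore:
    """Stand-in for the provider's database (assumed): label -> stored JSON row."""

    def __init__(self):
        self.rows = {}

    def save(self, options) -> str:
        options = validate_options(options)
        label = profile_label(options)
        self.rows[label] = canonical_bytes(options)
        return label


def resolve_profile(store: ProfileStore, label: str):
    """Look the label up, then re-derive the label from what the database returned.
    A row that does not hash back to the label the client connected to is refused,
    so an attacker who can only edit the database cannot change a user's options.
    Returns None for an unknown label so the caller can fall back to defaults."""
    row = store.rows.get(label)
    if row is None:
        return None
    options = validate_options(json.loads(row))
    if not hmac.compare_digest(profile_label(options), label):
        raise ValueError("stored profile does not match its label; refusing to apply it")
    return options


def tamper_demo() -> str:
    """Constructed scenario: a profile is saved, then the database row is edited
    to switch malware blocking off. The lookup must reject the edited row."""
    store = ProfileStore()
    wanted = {"block_malware": True, "block_ads": True, "dnssec": True,
              "blocklists": ["malware-domains"]}
    label = store.save(wanted)
    assert resolve_profile(store, label) == wanted

    edited = dict(wanted, block_malware=False)  # attacker-edited database row
    store.rows[label] = canonical_bytes(edited)
    try:
        resolve_profile(store, label)
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(profile_label({"block_malware": True}), tamper_demo())
```

The hash check only protects the mapping from label to options; an attacker who can change the code that performs the check, or who can get the client to connect to a different label, is outside what it defends against, which matches the post's own caveat about codebase compromise.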
1 reply
Our DoH URLs use dns.nextdns.io as the domain. No information is transmitted in the clear.