Oh, to be able to buy that anymore. I don't see anyone implementing it that way though. I see it being implemented in a way whereby all DNS activity must go through the corp resolver first, essentially giving full tracking history of 99% of users.
Yes, it already happens with corporate proxies, and yes, I'm sour about that too...
To be clear, I'm not blaming any NetOps here. It's just... Why is it so tempting? The things you can do with that type of data, it almost seems like you have to be superhuman in terms of keeping people away from it. Maybe I"m just too damn enchanted by just delivering packets to enable people... But when you get pushes from agencies suggesting "Hey, add a by definition awesome logging and tapping point" it really ruins my day.
And yes, I run a network too. No. I don't give a darn what my users do with it as long as the servers are up and fine, and the global riffraff stay out. I don't know. Just overly grumpy I guess.
To be honest, I have no idea what point you're trying to make.
Here it is:
* Companies have internal (intranet) network services
* Companies operate their own DNS (DoH) resolvers
* They also have global (internet) employees
* The devices those employees use have hard-coded DNS (DoH) resolvers (Google, CloudFlare)
* Don't let them use the hard-coded DNS (DoH) resolvers
* Make sure their machine uses the company DNS (DoH) resolver.
I know people think that DNS-over-HTTP makes everything private and secure, but it doesn't. Google and CloudFlare still see every single DNS query from everyone.
>And yes, I run a network too. No. I don't give a darn what my users do with it as long as the servers are up and fine, and the global riffraff stay out.
You don't care if your users get hacked? Would you mind telling me what company you work for?
Yes, it already happens with corporate proxies, and yes, I'm sour about that too...
To be clear, I'm not blaming any NetOps here. It's just... Why is it so tempting? The things you can do with that type of data, it almost seems like you have to be superhuman in terms of keeping people away from it. Maybe I"m just too damn enchanted by just delivering packets to enable people... But when you get pushes from agencies suggesting "Hey, add a by definition awesome logging and tapping point" it really ruins my day.
And yes, I run a network too. No. I don't give a darn what my users do with it as long as the servers are up and fine, and the global riffraff stay out. I don't know. Just overly grumpy I guess.