From 3c9ee6c04bb0b93f529eabff0ff60f26670770d8 Mon Sep 17 00:00:00 2001 From: Peter Easton Date: Mon, 24 Feb 2020 05:54:44 +0000 Subject: [PATCH] Add Q&A about private DNS graying out on IP address. --- static/faq.html | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/static/faq.html b/static/faq.html index 03edbc48..e51a7122 100644 --- a/static/faq.html +++ b/static/faq.html @@ -68,6 +68,13 @@ tracking and silent SMS? +
  • + Day to day use + +
  • @@ -361,6 +368,28 @@ sending texts or other data is not required or particularly useful to track devices connected to a network for an adversary with the appropriate access.

    +

    + Day to day use +

    + +

    + When I enter an IP address into private DNS, the save button + grays out. Why? +

    + +

    This is not a bug, but rather the feature is operating as it is intended to. When + operating in forced mode, private DNS requires a domain and will reject invalid + certificates to ensure that the source is authenticated, not just encrypted. Automatic + mode only uses encryption opportunistically, and must be able to fall back to + unauthenticated encryption or fall back to plaintext if the DNS server does not support + DNS over TLS or the certificate is not valid. Although this does not protect against an + active adversary that blocks encrypted communications to the DNS server or will replace + the certificates entirely to intercept the encrypted traffic, automatic will + transparently provide some opportunistic protection against a passive adversary. When a + private DNS provider hostname is specified, the phone will not proceed unless the + certificates for TLS are valid and will not fall back to an unauthenticated or plaintext + connection should the validation fail.

    +
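Review bot: in the first hunk (the index at @@ -68,6 +68,13 @@), the extracted diff shows only the text of the new "Day to day use" index entry, not the link target it carries; confirm that it links to an id on the new "Day to day use" heading added in the second hunk, following the same pattern as the existing index entries, since an index entry without a matching anchor on the section heading is a dead link in the rendered FAQ.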
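Review bot: in the second hunk (@@ -361,6 +368,28 @@), the answer's first sentence says strict mode "requires a domain and will reject invalid certificates" without stating the connection between the two: the hostname is what the server's TLS certificate is checked against, which is exactly why an IP address cannot be accepted in this mode, and spelling that out answers the question in the heading directly. Two smaller points in the same paragraph: "forced mode" is not the term used elsewhere, and the answer itself later says "when a private DNS provider hostname is specified", so one name for this mode throughout would be clearer (Android's documentation calls it strict mode); and the description of automatic mode falling back "if the DNS server does not support DNS over TLS or the certificate is not valid" is misleading, because automatic mode does not validate the certificate at all, so an invalid certificate is not what triggers the fallback, only the absence of a working DNS over TLS endpoint is. Wording: "This is not a bug, but rather the feature is operating as it is intended to." reads awkwardly (suggest "This is not a bug; the feature is working as intended."), and "automatic will transparently provide" should be "automatic mode will transparently provide".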