ISPs and Governments Don’t Seem to Like Security and Privacy-enhancing DNS over HTTPS (DoH)

A lot of Internet traffic is now encrypted. If you visit this blog, for example, the connection uses HTTPS, so your ISP, your government or an attacker on the path cannot see which exact page you read. But unless you use a VPN or the Tor network, they can still find out that you visited CNX Software, because most DNS requests are still sent in the clear. An attacker who can spoof DNS answers can also redirect you to a look-alike site and collect your credit card details while you believe you are typing them into a trusted website.

Besides using a VPN service, one solution is DNS over HTTPS (DoH), which carries the DNS query inside an ordinary HTTPS connection to the resolver, so your ISP or government (barring a backdoor at the resolver) cannot read which names you look up. On top of the privacy gain, DoH improves security: an on-path attacker can no longer tamper with or spoof the answers, since the resolver is authenticated by its TLS certificate. Two caveats are worth keeping in mind: the IP address of the site you then connect to, and the server name sent in the clear in the TLS handshake (SNI), remain visible to anyone on the path; and DoH does not authenticate the DNS data itself, which is what DNSSEC does, so the two are complementary rather than interchangeable.

I tried it with Cloudflare's 1.1.1.1 DNS service last year, but it was not overly easy to set up, and I had to disable 1.1.1.1 since it failed to resolve many Chinese websites. The good news is that Google will start rolling out DoH in the upcoming Chrome 78, upgrading to the encrypted transport when the user's configured resolver is one of a set of known DoH-capable providers, and Mozilla will also roll out DoH in Firefox.
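To make the mechanism concrete, here is what a DoH exchange looks like on the wire. This is an added example, not code from the post, from Cloudflare or from Google: the RFC 8484 GET form puts an ordinary DNS query message, base64url-encoded without padding, in the URL of an HTTPS request, and the resolver answers with an ordinary DNS message. The resolver URL (Cloudflare's public DoH endpoint) and the response bytes are assumptions constructed for the example; nothing here touches the network unless you call doh_fetch yourself.

```python
# Added example (not from the CNX Software post): what a DNS-over-HTTPS
# request looks like on the wire (RFC 8484), built and parsed offline.
# The resolver URL is an assumption (Cloudflare's documented DoH endpoint);
# any DoH-capable resolver works the same way. The response bytes below are
# constructed for the example, not captured from a real resolver.
import base64
import struct
import urllib.request
from typing import List, Tuple

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed endpoint; swap for your resolver
DNS_MESSAGE = "application/dns-message"           # media type mandated by RFC 8484


def build_query(name: str, qtype: int = 1) -> bytes:
    """Classic RFC 1035 query: header + one question, no EDNS.
    ID is fixed to 0 as RFC 8484 section 4.1 suggests, so identical queries
    produce identical URLs and can be cached by HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # QCLASS=IN


def doh_get_url(name: str, base_url: str = DOH_URL) -> str:
    """GET form of RFC 8484: the message goes in ?dns=, base64url without padding."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_fetch(name: str, base_url: str = DOH_URL) -> bytes:
    """Network call (not exercised here): the DNS query travels inside ordinary
    HTTPS, so an on-path observer sees only a TLS connection to the resolver."""
    req = urllib.request.Request(doh_get_url(name, base_url), headers={"Accept": DNS_MESSAGE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != DNS_MESSAGE:
            raise ValueError("unexpected content type from DoH resolver")
        return resp.read()


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section, raising on a DNS error code."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"DNS error, RCODE={rcode}")
    off = 12
    for _ in range(qdcount):                         # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response: NOERROR, one A record for example.com -> 192.0.2.1 (TEST-NET-1).
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)            # QR=1 RD=1 RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)    # question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)        # name pointer, A, IN, TTL, RDLENGTH
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_a_records(CONSTRUCTED_RESPONSE))
```

The URL is the only thing an observer between you and the resolver would see, and it is inside the TLS tunnel; what stays visible is the connection to the resolver's IP and, afterwards, the connection to the resolved address. Checking the Content-Type in doh_fetch matters in practice: a captive portal or middlebox that intercepts the HTTPS connection will return HTML, not a DNS message, and a client that blindly parses the body will misbehave.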

DNS-over-HTTPS DoH

We should all be happy about the news, especially since we don't have to use Google's DNS servers by default: any DoH-compatible resolver, such as the one run by Cloudflare, will do. Cloudflare has also promised not to store client IP addresses and has contracted KPMG to audit its systems.

This has apparently made ISPs such as cable and wireless providers unhappy, as they stand to lose access to all that user data. According to the Wall Street Journal, the US Congress' antitrust investigators are now questioning Google about the change, following concerns raised by those companies that it could give Alphabet/Google a competitive advantage by making it harder for others to access consumer data.

Google claims “they have no plans to centralize or change people’s DNS providers to Google by default”. Centralization is nonetheless a valid concern: if most DNS resolution ends up going through a handful of large providers' servers, the decentralized nature of the Internet suffers. The Mozilla Foundation has therefore proposed policy requirements for its DNS over HTTPS partners, including privacy and transparency requirements as well as prohibitions on blocking or modifying DNS requests.

The EFF (Electronic Frontier Foundation) is supportive of the DoH standard, but also notes some valid shortcomings, including the centralization point above, as well as issues with captive portals (which intercept connections briefly to force users to log on to a network) and with content blocking, for example on company networks (NSFW sites become harder to block) or for people using parental controls, since a resolver-based filter no longer sees the queries.

 

Via NotebookCheck.net & WSJ. The latter is behind a paywall so search for “Google Draws House Antitrust Scrutiny of Internet Protocol” to access the full article.

tkaiser
9 months ago

> We should all be happy about the news

Nope. Some food for thought: https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/

Also I understood Chrome 78 will not switch to some of those DoH providers automagically but instead will have a look at what the user has configured and then only switch to DoH if the user already has given up on privacy and already sends all his addresses to one of the following DNS collectors:

* Cleanbrowsing
* Cloudflare
* DNS.SB
* Google
* OpenDNS
* Quad9

willy
9 months ago

I strongly dislike this as well and I’m grateful to Jean-Luc for having warned us so that I can disable it in my future Firefox upgrade. In addition it will pollute the net (and your line) with many extra small, uncacheable requests. The DNS is an important piece of the redundancy of the Internet infrastructure. Routing has already been quite severed over time by peering contracts. DoH will just make it certain that access to the whole internet is purely regulated by the 3 main browser vendors and the 4-5 largest web sites… And all this with an obsolete TLS… Read more »

God
9 months ago

/sigh.

The problem is, you use a lot of lingo, and give the impression that you know what you’re talking about… But you clearly don’t.

You’re already making these DNS requests to Google/Cloudflare/whoever. The only thing that’s going to change is that now only that DNS provider can see what domain name you’re getting resolved, instead of every hop between your router and Google/Cloudflare/whoever (your ISP, and various other edge routers between you and Google/Cloudflare/whoever).

dimtass
9 months ago

That doesn’t protect us from the ISP though. Even if the ISP is not able to extract the domain name in the DNS query or the translated IP in the response, it will know the IP that you request to connect to after the query. Therefore the ISP can even guess the domain name with an inverse DNS table. I mean the ISP will always know the destination. Is that right?

Therefore, only vpn can fully protect you from this, but then you rely that your VPN service doesn’t misuse your logs.

pmos69
9 months ago

“I mean the ISP will always know the destination. Is that right?”
They know the IP address of the destination, but that’s just L3. That’s not enough for blocking or positively identifying websites.
That’s not taking into account SNI, of course.

willy
9 months ago

> That’s not enough for blocking or positively identifying websites.
It is enough for blocking, as blocking rarely considers collateral damage. Blocking this IP will block the site as well as all those on the same IP, and who cares?

dgp
9 months ago

> give the impression that you know what you’re talking about

Setting yourself up for fail..

> The only thing that’s going to change is that now only that DNS provider can see what domain name you’re getting resolved

The problem is that the information they want from DNS requests is available from other side channels like TLS negotiations anyway. If I can get your DNS traffic I can probably capture all of your TLS negotiations too. Ergo the whole thing is a red herring. In Google’s case the only thing they care about is your ISP and starbucks not having the… Read more »

sunbeam
9 months ago

So maybe decentralizing DNS is the solution? I have pi-hole setup with a local unbound DNS server as the backend configured with many DNS over TLS forwarders. This ensures we’re not sending all our DNS traffic to one provider; making it more difficult for any one provider to build a complete profile on our online activities and behavior.

Willy
9 months ago

The worst, by far, is not to let them build your profile to deliver you targeted ads. It’s letting them start to filter some responses “for your security”, suddenly breaking the net’s neutrality. This threat is extremely high and I suspect that two years from now we’ll start to discuss DNS providers and the percentage of the internet that is accessible depending on the one you use.

theguyuk
9 months ago

On a Android media player you can go to Google play and try

Free VPN unseen online
Speedy DNS changer

Reset your Google advert ID weekly and to check what your browsers leaks try, Doileak.com

Not perfect though.

theguyuk
9 months ago

Also if your Android supports it install Exodus Privacy too.

theguyuk
9 months ago

Somebody does not want people seeing how they are watched and followed.

theguyuk
9 months ago

Look on Androidheadlines 18/09/2019 ” More Evidence Smart TVs & STBs Watch You More Than You Watch Them “

jqpabc123
9 months ago

Encrypting DNS is about security. — *not* privacy.

Encrypting DNS helps prevent your browsing session from being hijacked. Your ISP still knows exactly what web site you are visiting. The destination IP address is on every packet your browser sends. All your ISP has to do is look it up — using reverse DNS. Trust me, they know about this.

The only reasonable way to improve browsing *privacy* is with a VPN or proxy.

SomeGuyNamedDave
9 months ago

This works for one-website-per-IP, but a lot of websites are hosted on ‘farms’ where the website hostname resolves to the IP of a load balancer / caching reverse proxy, and there are hundreds (or thousands) of websites resolving to that IP. (Heck, there are estimated to be a couple million websites out there that are basically a javascript file living in Amazon S3 storage.)

jqpabc123
9 months ago

Yes, and the same applies with or without encrypted DNS.

The packets being sent to “farms” don’t contain fairy dust. They do contain all the necessary routing info needed to identify the one specific web site you’re looking for. Otherwise, you wouldn’t be able to reach them.

According to some reports (see tkaiser’s link above for one example), 95% of web traffic can be easily identified from just the individual packets. The other 5% no one really cares much about anyway.

The point remains — encrypted DNS has almost no impact on privacy.

willy
9 months ago

> 95% of web traffic can be easily identified

Oh definitely! Just log the SNI exchanged at the beginning of the TLS connection. We produced a small device doing this years ago with a friend just for the purpose of showing people what their phone was doing behind their back… It was scary. No wonder where the battery juice goes when “idle”. Mainly to whatever.google.com and random stuff all located in AWS! Yes probably software updates, certainly software updates. All the time to stay up to date.
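Added example, not part of willy's comment or of the original post: the "log the SNI" device described above amounts to a parser that pulls the server_name out of a TLS ClientHello, which is sent in the clear before encryption starts and is therefore visible to an ISP whether or not DNS is encrypted. The ClientHello bytes here are constructed for the example rather than captured traffic; the parser follows the RFC 5246 handshake layout and the RFC 6066 server_name extension.

```python
# Added example (not from any commenter or the blog post): pulling the
# server_name (SNI) out of a TLS ClientHello, which is sent in the clear
# before encryption starts and so is visible to an ISP regardless of DoH.
# The ClientHello bytes are constructed here, not captured traffic.
import struct
from typing import List, Optional


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent/not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:                 # content type: handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                         # handshake type: ClientHello
        return None
    off = 4 + 2 + 32                                         # hs header, legacy_version, random
    if off >= len(hs):
        return None
    off += 1 + hs[off]                                       # legacy_session_id
    if off + 2 > len(hs):
        return None
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]       # cipher_suites
    if off >= len(hs):
        return None
    off += 1 + hs[off]                                       # legacy_compression_methods
    if off + 2 > len(hs):
        return None                                          # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= min(ext_end, len(hs)):
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if etype == 0x0000:                                  # server_name (RFC 6066)
            p = off + 2                                      # skip ServerNameList length
            list_end = off + elen
            while p + 3 <= list_end:
                name_type = hs[p]
                name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                if name_type == 0:                           # host_name
                    return hs[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
        off += elen
    return None


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension (constructed)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + bytes(32)                              # version, random (zeros here)
        + b"\x00"                                            # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
        + b"\x01\x00"                                        # compression: null only
        + struct.pack("!H", len(ext)) + ext
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def names_seen(records: List[bytes]) -> List[str]:
    """What a passive on-path logger records from a stream of TLS records:
    only ClientHellos yield a name; application data is opaque."""
    return [n for n in (extract_sni(r) for r in records) if n]


if __name__ == "__main__":
    capture = [
        build_client_hello("example.com"),
        b"\x17\x03\x03\x00\x05hello",                        # application data record
        build_client_hello("example.net"),
    ]
    print(names_seen(capture))
```

The point for the DoH debate is that this parser needs no DNS at all: the name is handed over in the first packet of every TLS connection, so encrypting the resolver path hides the lookup but not the visit. The bounds checks matter on real captures, where truncated or non-TLS first packets are common and a naive parser would raise on the first malformed record.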

Phoot
9 months ago

A reverse proxy, or any form of NAT, will look at the _domain name_ requested to identify which internal IP address to route the packets to. As we’re interested in the domain name here, DoH absolutely matters in this instance.

This, in a very roundabout way, is kind of the way Tor hidden services can remain hidden (all those HASH.onion addresses).

dgp
9 months ago

>Encrypting DNS is about security. — *not* privacy.

Signing DNS is about security. That’s what DNSSEC does.

Doodi
9 months ago

DNSSEC is about DNS providers (like root servers), being able to tell if its cache is being poisoned. That’s soooo outside the scope of Doh, its not even funny.

dgp
9 months ago

I’m not sure where you got that idea. DNSSEC is just as valid at your machine’s resolver as it is at an upstream caching resolver. Arguably more so: A DNS provider is less likely to have their traffic open to man in the middle attacks than someone sitting on a public wifi network.

DNS results are public information so there is no reason you actually need to encrypt them. DNS over HTTP and TLS aren’t about securing the DNS information and is more about hiding the stream of requests hence Google and friends advertising it as a privacy thing.

dgp
9 months ago

Oh and without DNSSEC inside of DNS over TLS or HTTPS you still don’t know if the results you get have been tampered with. The only benefit is if you do notice they have been tampered with you know the tampering happened at or before the resolver on the other end of the TLS connection.

Jon Smirl
9 months ago

This is mainly a US centric problem. First you need to understand the FCC. Ajit Pai, is the FCC chairman. Ajit Pai is a toad owned by Verizon and he does anything his corporate masters tell him to do. Ajit Pai being chairman was not a planned event. I believe he was initially put onto the FCC by Obama to make Verizon happy. Under Obama he was powerless. But then Trump unexpectedly won and since he was the senior “Republican (he is not a Republican he is a tool for Verizon)” he became chairman. Trump has no ability to fire… Read more »

blu
9 months ago

Hear, hear.

willy
9 months ago

Thanks for this interesting background Jon. With this said, Google and others are not really altruistic here. I mean, your ISP’s customers are exactly the same as Google’s and Facebook’s, so Google is just using technical power (remember they wanted to have their own browser very early) to fight a competitor who was using law to compete with them. They’re just using different ways to defend their ability to sell YOUR data to THEIR same customers. Saying that Google is not seeing everything is almost exaggerated, they’re on half of the net’s websites and basically all relevant ones, so they… Read more »

Jon Smirl
9 months ago

No one makes you use Chrome. Use Firefox, Internet Explorer, etc. then Google does not see anything. Try getting rid of your monopoly ISP.

You can also sniff what Chrome is doing on your own machine. Even though Chrome sees all of this data you can verify that Chrome is not sending it back to Google.

dgp
9 months ago

>Use Firefox, Internet Explorer, etc.. then Google does not see anything.

Until you visit a site that is using googles ad network. 😀

Jon Smirl
9 months ago

Ad block

willy
9 months ago

I disagree with this. I just do not visit sites polluted with ads, but those using ads reasonably (i.e. do not alter the site’s accessibility) live from this. Ads finance 100% of the net. The more you block them, the more you either have to pay for services, or give up some privacy as a tradeoff.

Tad
9 months ago

> The more you block them, the more you either have to pay for services,
I’m fine with this, as anyone that actually cares about privacy should be.

>or give up some privacy as a tradeoff
You give up far more privacy by allowing the ad networks access.

dgp
9 months ago

> but those using ads reasonably (i.e. do not alter the site’s accessibility) live from this.

Unless you pick your advertisers yourself and only ever run animated gif ads you can’t really run ads reasonably. Making good money from ads means letting an ad network profile your users and directly target them.

> Ads finance 100% of the net.

I would like to see some numbers to back that up. It might be true ads are the primary revenue source for most blogs, youtubers and other content creators but I don’t think that applies to the whole net. Even content creators don’t… Read more »

eFfeM
9 months ago

Of course ads do not finance 100% of the net. Parts of it are paid for by companies that provide services to their customers. E.g. banks, shops, government sites, schools, association sites, …
They all pay for hosting and bandwidth and in most cases do not get revenues from ads.

willy
9 months ago

> Parts of it are paid for by companies that provide services to their customers. E.g. banks, shops, government sites, schools, association sites
This is a tiny drop compared to the rest. What’s a national bank site’s traffic in front of millions of youtube watchers worldwide, and tens of millions of morons showing their face chewing some gum between two train stations ? Almost nothing. Just the line’s thickness. You’re comparing hundreds of Mbps to tens of Tbps, that’s a 100k factor. Even after you multiply it by 100 such very large organizations it’s still a 1:1000 ratio.

Zeflo
9 months ago

Maybe ads finance most of the “free” stuff. But there are also websites where someone is just financing their private site and of course websites where you have to pay for the content.

willy
9 months ago

that’s what I meant.

Jon Smirl
9 months ago

2022 is wrong it is August 2020.

dgp
9 months ago

> Google can only see your interactions with their properties, when you move off into Facebook Google can’t see what you are doing anymore.

I don’t think that’s true. Sure google can just look at what you’re doing directly when you are connected to one of their services but there is nothing stopping them getting equivalent data via side channels if you are visiting facebook via an Android phone. Even if you’re not using Chrome to access a site Android apps emit huge amounts of data to firebase (google) which is backed by bigquery (google again) which would allow Google to… Read more »

Jon Smirl
9 months ago

You can easily monitor the traffic on your own phone and PC to see that Google is not doing this. And if Google were doing this we would see headlines everywhere about privacy abuse. Sure Google could use Android and Chrome to record and snoop everything. But they would have to use the Internet to send that data back to Google. Since you own the phone and browser sophisticated tech people can probe inside that code before the encryption happens to look and see what is being sent to Google. There have been no reports of Google taking data it… Read more »

dgp
9 months ago

> Sure Google could use Android and Chrome to record and snoop everything.

Almost every android app anyone uses is sending data to firebase even if custom tracking events aren’t configured. The basic events are enough to recreate your app session on the android “activity” level, include your location if the app has access to it etc. Lots of people have reported on this. If you’ve gone a little further than a hello world example in Android Studio you know it’s there.

> Since you own the phone and browser sophisticated tech people can probe inside that code before the encryption happens to… Read more »

jqpabc123
9 months ago

Google’s privacy policy is sufficiently vague to allow them to access anything they want on your Android phone.

dgp
9 months ago

They don’t care about your privacy. They care about keeping their surveillance feeds private so that the resulting data is more valuable.

Sander
9 months ago

How about a client generating noise by DNS-ing ‘random’ websites? The real requests will drown in that noise.

willy
9 months ago

It’s even worse. Browsers purposely reject explicit connections to port 53 to avoid breaking the internet infrastructure by placing image links in forums. With DoH it means that this vulnerability is explicitly reopened. You’ll start seeing links to images from https://dns9.quad9.net/dns-query for example, until they can’t respond. And since you’ll configure a single provider in your browser the redundancy will rely on the end-user to switch to another provider. It’s even worse than centralization, it’s fragmentation. I guess sooner or later we’ll see different internet subsets based on what DoH provider we use. With some starting to suggest “secure” vs… Read more »

EFU
9 months ago

DoH is complete shit driven by a war that is not ours.
DoT IS the correct long run technical and political answer to the problem supposedly solved by DoH.
And don’t put the word “security” on this whole thing, only DNSSEC gives you security. The whole x509 public CA model has been moot for decades.

Domih
9 months ago

Conclusion after reading all the esteemed members: NordVPN or ExpressVPN and a candle in the nearest place of cult that they each don’t log more stuff than they are saying on their web site… 🙂
