ISPs and Governments Don’t Seem to Like Security and Privacy-enhancing DNS over HTTPS (DoH)

Now a lot of the traffic on the Internet is secure, and for example, if you visit this blog your traffic will be encrypted, so your ISP, government or hackers will not know which exact page you visit on the website. But unless you use a VPN or the Tor Network, they’ll still know/or find out you visited CNX Software as most DNS requests are now unencrypted. Hackers may also use a spoofed DNS to steal your credit card info while you think you input your details into a trusted website.

Beside using a VPN service, one solution is to use DNS over HTTPS (DoH) which encrypts the DNS request so that even your ISP or the government (unless there’s a backdoor) may not know which websites you visit. On top of improving privacy, DoH also improves security, as it’s harder to spoof DNS servers and by extension internet websites.

I tried it with Cloudflare 1.1.1.1 DNS service last year, but it was not overly easy to setup, and I had to disable 1.1.1.1 since it failed to resolve many Chinese websites. The good news is that Google has decided to enable DoH by default in the upcoming Chrome 78, and Mozilla will also rollout DoH in Firefox.

DNS-over-HTTPS DoH

We should all be happy about the news, especially we don’t need to use Google DNS servers by default, and any DoH compatible DNS services, such as the one provided by Cloudflare will do. The latter also promised not to store IP addresses with KMPG contracted to audit their systems.

This has apparently made ISPs such as cable and wireless providers unhappy that they’ll lose access to all that user data, and according to the Wall Street Journal, the United States Congress’ anti-trust investigators are currently questioning Google over the update due to concerns raised by those companies that it could give Alphabet/Google a competitive advantage by making it harder for others to access consumer data.

But Google claims “they have no plans to centralize or change people’s DNS providers to Google by default”. This is still a valid concern as it would impact the decentralized nature of the Internet with most requests going through Google servers. So the Mozilla Foundation proposed policy requirements for DNS over HTTPs partners which include privacy & transparency requirements, as well as prohibitions with regards to blocking & modifying DNS requests.

The EFF (Electronic Frontier Foundation) is supportive of DoH standard, but also notes some valid shortcomings including the point mentioned above, as well as issues related to captive portals, which intercept connections briefly to force users to log on to a network, and content blocking such as on company networks (harder to block NSFW websites) or people using parental controls.

 

Via NotebookCheck.net & WSJ. The latter is behind a paywall so search for “Google Draws House Antitrust Scrutiny of Internet Protocol” to access the full article.

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX RK3588 mini-ITX motherboard

Radxa ROCK 5C (Lite) SBC with Rockchip RK3588 / RK3582 SoC

47 Replies to “ISPs and Governments Don’t Seem to Like Security and Privacy-enhancing DNS over HTTPS (DoH)”

  1. > We should all be happy about the news

    Nope. Some food for thought: https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/

    Also I understood Chrome 78 will not switch to some of those DoH providers automagically but instead will have a look what the user has configured and then only switch to DoH if the user already has given up on privacy and already sends all his addresses to one of the following DNS collectors:

    * Cleanbrowsing
    * Cloudflare
    * DNS.SB
    * Google
    * OpenDNS
    * Quad9

    1. The centralized part is bad, but I don’t think that will matter in the long run.
      Now the list of DNS collectors is limited because maybe ISPs don’t support DoH, and I’m sure if Firefox and Chrome enable the feature they’ll quickly implement this.

      Web browsers could be made to work as follows with DoH enabled by default.
      1. Check if the DNS servers set in the OS support DoH, and if so use those.
      2. If not, randomly connect to a DoH capable DNS from a list which should grow overtime.

      Company networks can disable DoH on their systems if they want to filter websites.
      If parental control is setup in the browser, then it’s easy just disable DoH when parental control is enabled. If it’s another program, then it may be more complicated, but the said software could just tell their users to disable DoH.

    2. I strongly dislike this as well and I’m grateful to Jean-Luc for having warned us so that I can disable it in my future Firefox upgrade. In addition it will pollute the net (and your line) with many extra small, uncacheable, requests. The DNS is an important piece of the redundancy of the Internet infrastructure. Routing has already been quite severed over time by peering contracts. DOH will just make it certain that access to the whole internet is purely regulated by the 3 main browser vendors and the 4-5 largest web sites… And all this with an obsolete TLS architecture relying on a very weak cert chain and a single signer for each certificate.

      Keep in mind that if you don’t know why they’re investing so much to “fix” something that was working pretty well, it’s not to appear as white knights, it’s because YOU are the product they’re trying to sell. Typically in the form of ads space that becomes much harder to remove by centralized infrastructure services for example. Nowadays the word “privacy” is used and abused to make vulnerable people obey whatever rule “for their protection”. There’s a limit to that model, but it does still have some headroom before being completely dried out.

      1. /sigh.

        The problem is, you use a lot of lingo, and give the impression that you know what you’re talking about… But you clearly don’t.

        You’re already making these DNS requests to Google/Cloudflare/whoever. The only thing that’s going to change is that now only that DNS provider can see what domain name you’re getting resolved, instead of every hop between your router and Google/Cloudflare/whoever (your ISP, and various other edge routers between you and Google/Cloudflare/whoever).

        1. That doesn’t protect us from the ISP though. Even if the ISP is not able to extract the domain name in the DNS query or the translated IP in the response, it will know the IP that you request to connect to after the query. Therefore the ISP can even guess the domain name with an inverse DNS table. I mean the ISP will always know the destination. Is that right?

          Therefore, only vpn can fully protect you from this, but then you rely that your VPN service doesn’t misuse your logs.

          1. “I mean the ISP will always know the destination. Is that right?”
            They know the IP address of the destination, but that’s just L3. That’s not enough for blocking or positively identifying websites.
            That’s not taking into account SNI, of course.

          2. > That’s not enough for blocking or positively identifying websites.
            It is enough for blocking, as blocking rarely considers collateral damage. Blocking this IP will block the site as well as all those on the same IP, and who cares ?

        2. >give the impression that you know what you’re talking about

          Setting yourself up for fail..

          >The only thing that’s going to change is that now only that DNS provider
          >can see what domain name you’re getting resolved

          The problem is that the information they want from DNS requests is available from other side channels like TLS negotiations anyway. If I can get your DNS traffic I can probably capture all of your TLS negotiations too.

          Ergo the whole thing is a red herring. In Google’s case the only thing they care about is your ISP and starbucks not having the same sort profiling data they have as that would reduce the value of their targeted marketing data.

    3. So maybe decentralizing DNS is the solution? I have pi-hole setup with a local unbound DNS server as the backend configured with many DNS over TLS forwarders. This ensures we’re not sending all our DNS traffic to one provider; making it more difficult for any one provider to build a complete profile on our online activities and behavior.

      1. The worst, by far, is not to let them build your profile to deliver you targeted ads. It’s letting them start to filter some responses “for your security”, suddenly breaking the net’s neutrality. This threat is extremely high and I suspect that two years from now we’ll start to discuss about DNS providers and the percentage of the internet that is accessible depending on the one you use.

  2. On a Android media player you can go to Google play and try

    Free VPN unseen online
    Speedy DNS changer

    Reset your Google advert ID weekly and to check what your browsers leaks try, Doileak.com

    Not perfect though.

        1. Look on Androidheadlines 18/09/2019 ” More Evidence Smart TVs & STBs Watch You More Than You Watch Them “

  3. Encrypting DNS is about security. — *not* privacy.

    Encrypting DNS helps prevent your browsing session from being hijacked. Your ISP still knows exactly what web site you are visiting. The destination IP address is on every packet your browser sends. All your ISP has to do is look it up — using reverse DNS. Trust me, they know about this.

    The only reasonable way to improve browsing *privacy* is with a VPN or proxy.

    1. This works for one-website-per-IP, but a lot of websites are hosted on ‘farms’ where the website hostname resolves to the IP of a load balancer / caching reverse proxy, and there are hundreds (or thousands) of websites resolving to that IP. (Heck, there are estimated to be a couple million websites out there that are basically a javascript file living in Amazon S3 storage.)

      1. Yes, and the same applies with or without encrypted DNS.

        The packets being sent to “farms” don’t contain fairy dust. They do contain all the necessary routing info needed to identify the one specific web site you’re looking for. Otherwise, you wouldn’t be able to reach them.

        According to some reports (see tkaiser’s link above for one example), 95% of web traffic can be easily identified from just the individual packets. The other 5% no one really cares much about anyway.

        The point remains — encrypted DNS has almost no impact on privacy.

        1. > 95% of web traffic can be easily identified

          Oh definitely! Just log the SNI exchanged at the beginning of the TLS connection. We produced a small device doing this years ago with a friend just for the purpose of showing people what their phone was doing in their back… It was scary. No wonder where the battery juice goes when “idle”. Mainly to whatever.google.com and random stuff all located in AWS! Yes probably software updates, certainly software updates. All the time to stay up to date.

        2. A reverse proxy, or any form of Nat, will look at the _domain name_ requested to identify which internal IP address to route the packets to. As we’re interested in the domain name here, DoH absolutely matters in this instance.

          This, in a very roundabout way, is kind of the way TOR hidden services can remain hidden (all those HASH.onion addresses).

    2. >Encrypting DNS is about security. — *not* privacy.

      Signing DNS is about security. That’s what DNSSEC does.

      1. DNSSEC is about DNS providers (like root servers), being able to tell if its cache is being poisoned. That’s soooo outside the scope of Doh, its not even funny.

        1. I’m not sure where you got that idea. DNSSEC is just as valid at your machine’s resolver as it is at an upstream caching resolver. Arguably more so: A DNS provider is less likely to have their traffic open to man in the middle attacks than someone sitting on a public wifi network.

          DNS results are public information so there is no reason you actually need to encrypt them. DNS over HTTP and TLS aren’t about securing the DNS information and is more about hiding the steam of requests hence Google and friends advertising it as a privacy thing.

        2. Oh and without DNSSEC inside of DNS over TLS or HTTPS you still don’t know if they results you get have been tampered with. The only benefit is if you do noticed they have been tampered with you know the tampering happened at or before the resolver on the other end of the TLS connection.

  4. This is mainly a US centric problem. First you need to understand the FCC. Ajit Pai, is the FCC chairman. Ajit Pai is a toad owned by Verizon and he does anything his corporate masters tell him to do. Ajit Pai being chainman was not a planned event. I believe he was initially put onto the FCC by Obama to make Verizon happy. Under Obama he was powerless. But then Trump unexpectedly won and since he was the senior “Republican (he is not a Republican he is a tool for Verizon)” he became chairman. Trump has no ability to fire him; his term runs until 2022 and he can only be removed by impeachment for illegal activities.

    Ajit Pai then proceeded to do anything Verizon asked him to do. Like repeal Net Neutrality and make it legal for ISPs to record and sell everything you do on the Internet. I truly gag at that last one — we all know it is illegal for a telephone company to listen to your calls and sell the information from the calls. But Pai has let the ISPs do that for your Internet activity. This is far, far worse than what Google does. Google can only see your interactions with their properties, when you move off into Facebook Google can’t see what you are doing anymore. On the other hand ISPs like Verizon can see everything you do with every company. Pai has now let them record and sell all of that.

    This FCC change has triggered an encryption war. The only defense against your ISP snooping and selling everything you do is to encrypt everything. And that is exactly what is happening. Every website in the world is shifting to HTTPS. And now Google is assisting the move to encrypted DNS. The entire purpose of encrypted DNS is to stop your ISP from selling the list of websites you visit.

    Of course centralized DNS is a problem and we don’t want that. But this is just a protocol and Google is supplying a set of easy to use servers. You don’t have to use those servers, change them if you please. But note that this will only protect your browsing. Your OS is still going to use the ISP supplied DNS servers unless you change your system to use something else. And that something else better be encrypted or your ISP is still going to sniff and sell your browsing habits.

    Personally I can’t wait to get rid of Pai and revert the law back to barring the ISPs from recording and selling all of your traffic. That is an insane invasion of privacy done solely to enrich the ISPs at your and mine’s expense.

    1. Thanks for this interesting background Jon. With this said, Google and others are not really altruist here. I mean, your ISP’s customers are exactly the same as Google’s and Facebook’s, so Google is just using technical power (remember they wanted to have their own browser very early) to fight a competitor who was using law to compete with them. They’re just using different ways to defend their ability to sell YOUR data to THEIR same customers. Saying that Google is not seeing everything is almost exagerated, they’re on half of the net’s websites and basically all relevant ones, so they see way more than your ISP since they get full requests with headers etc and run their code in your browser, or worse, your smartphone.

      1. No one makes you use Chrome. Use Firefox, Internet Explorer, etc.. then Google does not see anything. Try getting rid of your monopoly ISP.

        You can also sniff what Chrome is doing on your own machine. Even though Chrome sees all of this data you can verify that Chrome is not sending it back to Google.

        1. >Use Firefox, Internet Explorer, etc.. then Google does not see anything.

          Until you visit a site that is using googles ad network. 😀

          1. I disagree with this. I just do not visit sites polluted with ads, but those using ads reasonably (i.e. do not alter the site’s accessibility) live from this. Ads finance 100% of the net. The more you block them, the more you either have to pay for services, or give up some privacy as a tradeoff.

          2. > The more you block them, the more you either have to pay for services,
            I’m fine with this, as anyone that actually cares about privacy should be.

            >or give up some privacy as a tradeoff
            You give up far more privacy by allowing the ad networks access.

          3. >but those using ads reasonably (i.e. do not alter the site’s accessibility) live from this.

            Unless you pick your advertisers yourself and only ever run animated gif ads you can’t really run ads reasonably. Making good money from ads means letting an ad network profile your users and directly target them.

            >Ads finance 100% of the net.

            I would like to see some numbers to back that up. It might be true ads are the primary revenue source for most blogs, youtubers and other content creators but I don’t think that applies to the whole net. Even content creators don’t seem to be able to live off of ad networks alone and have taken to pushing snake oil like vpns and cdb products.

          4. Of course ads do not finance 100% of the net. Parts of it are paid for by companies that provide services to their customers. E.g. banks, shops, government sites, schools, association sites, …
            They all pay for hosting and bandwidth and in most cases do not get revenues from ads.

          5. > Parts of it are paid for by companies that provide services to their customers. E.g. banks, shops, government sites, schools, association sites
            This is a tiny drop compared to the rest. What’s a national bank site’s traffic in front of millions of youtube watchers worldwide, and tens of millions of morons showing their face chewing some gum between two train stations ? Almost nothing. Just the line’s thickness. You’re comparing hundreds of Mbps to tens of Tbps, that’s a 100k factor. Even after you multiply it by 100 such very large organizations it’s still a 1:1000 ratio.

          6. Maybe ads finance most of the “free” stuff. But there are also websites where someone is just financing there prive site and off course websites where you have to pay for the content.

    2. >Google can only see your interactions with their properties,
      >when you move off into Facebook Google can’t see what you are doing anymore.

      I don’t think that’s true. Sure google can just look at what you’re doing directly when you are connected to one of their services but there is nothing stopping them getting equivalent data via side channels if your are visiting facebook via an Android phone. Even if you’re not using Chrome to access a site Android apps emit huge amounts of data to firebase (google) which is backed by bigquery (google again) which would allow Google to slurp it up and profile it all they want.

      1. You can easily monitor the traffic on your own phone and PC to see that Google is not doing this. And if Google were doing this we would see headlines everywhere about privacy abuse.

        Sure Google could use Android and Chrome to record and snoop everything. But they would have to use the Internet to send that data back to Google. Since you own the phone and browser sophisticated tech people can probe inside that code before the encryption happens to look and see what is being sent to Google. There have been no reports of Google taking data it does not have permission to access. Of course you may not have read the privacy policies at thousands of web sites which tell you they are sending data to Google.

        And if Google were taking data it did not have permission to access you can be sure some government would hit it with a $50B fine.

        1. >Sure Google could use Android and Chrome to record and snoop everything.

          Almost every android app anyone uses is sending data to firebase even if custom tracking events aren’t configured. The basic events are enough to recreate your app session on the android “activity” level, include your location if the app has access it etc. Lots of people have reported on this. If you’ve gone a little further than a hello world example in Android Studio you know it’s there.

          >Since you own the phone and browser sophisticated tech people can
          >probe inside that code before the encryption happens to look and see
          >what is being sent to Google.

          Everyone knows Android apps send huge amounts of data. That isn’t really the problem. The problem
          is taking lots of sources like your browsing in chrome, analytics data across third party apps and sites (via their ad network), data from electric wallet payments etc and turning that into a profile. Facebook has admitted to doing it to people that aren’t even their users and they don’t have the reach google has. I don’t think fines will prevent it from happening either. These companies either think they won’t get caught or don’t care.

        2. Google’s privacy policy is sufficiently vague to allow them to access anything they want on your Android phone.

  5. They don’t care about your privacy. They care about keeping their surveillance feeds private so that the resulting data is more valuable.

  6. How about a client generating noise by DNS-ing ‘random’ websites? The real requests will drown in that noise.

    1. It’s even worse. Browsers purposely reject explicit connections to port 53 to avoid breaking the internet infrastructure by placing image links in forums. With DoH it means that his vulnerability is explicitly reopened. You’ll start seeing links to images from https://dns9.quad9.net/dns-query for example, until they can’t respond. And since you’ll configure a single provider in your browser the redundancy will rely on the end-user to switch to another provider. It’s even worse than centralization, it’s fragmentation. I guess sooner or later we’ll see different internet subsets based on what DoH provider we use. With some starting to suggest “secure” vs “unsecure”, you already see the business model grow up. “Dear Mr site-foo, your site has not yet been audited by our team, let us validate its security for $10K and you’ll appear in our secure database”. Google forced everyone to turn to TLS by threatening to get a bad ranking for non-SSL, it’s trivial to do the same again here but at the DNS level, which is even worse!

  7. DoH is complete shit driven by a war that is not our.
    DoT IS the correct long run technical and political answer to the problem supposedly solved by DoH.
    And don’t put the word “security” about this whole thing only dnssec give you security. The whole x509 public CA model is moot since decades.

  8. Conclusion after reading all the esteemed members: NordVPN or ExpressVPN and a candle in the nearest place of cult that they each don’t log more stuff than they are saying on their web site… 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Khadas VIM4 SBC
Khadas VIM4 SBC