1. 35

  2. 13

    Maybe I am missing the point, but the slide in the article isn’t totally incorrect. It will centralize a critical service that the internet depends on under the world’s largest ad company.

    1. 7

      Of course, it’s worth noting that, in 2017, ISPs lobbied Congress to make it possible to sell your browsing data without your consent.

      “Either, they are doing something with this data today that is not transparent to users, or they are working incredibly hard to protect a future business model,” [Marshall] Erwin [senior director of trust and safety at Mozilla] said.

      The attempt to monetize DNS traffic by ISPs is one of the biggest motivations for browsers to move to DNS over HTTPS, but such a solution does involve trusting a particular certificate authority, just as ISPs already do. Google provides their own DNS services, whereas Firefox seems to be using Cloudflare as the default option when users enable it. ISPs provide a default DNS server, and even if a user uses a custom DNS server, ISPs seem to be monitoring and monetizing the user’s browsing info on which domains they visit, as DNS is unencrypted by default. With encrypted DNS, only the DNS over HTTPS server can know which domains one visits.
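As an added illustration (not from any commenter, and not code from Mozilla, Google or Cloudflare) of what “DNS over HTTPS” actually carries: the request is the same DNS wire-format message that goes out over UDP today, wrapped in an HTTPS request as RFC 8484 describes, so the only party that sees the question is the resolver terminating that TLS session. The URL https://cloudflare-dns.com/dns-query is Cloudflare’s public endpoint and is used only to build request text; the response bytes are constructed inside the block, and nothing touches the network.

```python
"""Added example (not from the thread): what a DNS-over-HTTPS query looks like.

RFC 8484 carries an unmodified DNS wire-format message over HTTPS, either as
the body of a POST (Content-Type: application/dns-message) or base64url-encoded
in the `dns` parameter of a GET. Everything below runs offline: the resolver
URL is only used to build request text, and the response is constructed here.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encodes a dotted name as DNS labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0):
    """Builds a wire-format query. RFC 8484 recommends ID 0 so HTTP caches can reuse replies."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: recursion desired
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url, query):
    """GET form: base64url without '=' padding (RFC 8484 section 6)."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver_url, enc)


def doh_post_request(host, path, query):
    """POST form: the raw HTTP/1.1 request bytes a client would send inside TLS."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nAccept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\nContent-Length: %d\r\n\r\n"
            % (path, host, len(query)))
    return head.encode("ascii") + query


def read_name(msg, off):
    """Reads a possibly-compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Parses the header, skips the question section and returns rcode plus answers."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                      # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    rcode = flags & 0xF
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def sample_response():
    """Constructed reply (not captured from any resolver): example.com A 192.0.2.1, TTL 300."""
    header = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = build_query("example.com")[12:]
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print(doh_post_request("cloudflare-dns.com", "/dns-query", q)[:60])
    print(parse_response(sample_response()))
```

Running the file prints the GET URL for www.example.com, whose `dns=` value matches the GET example in RFC 8484. The rcode that `parse_response` returns is also the quickest check for the NXDOMAIN rewriting mentioned further down the thread: a NOERROR reply carrying an A record for a name that cannot exist means something in the path is answering on the zone’s behalf.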

      1. 6

        Yeah, don’t get me wrong, ISPs are up to no good, but I think their argument is still worth considering since giving near complete control to Google and Cloudflare is not the answer (IMHO).

        1. 2

          Tor (or equivalent) is the answer to ISP privacy-invasion concerns, not centralized DoH.

          1. 4

            Ok. So ignoring that the Tor network would break if everyone used it, and if everyone had relays & exit nodes the networks would be prohibitively congested, and running into the issue of ISPs having asymmetric peering speeds, your suggestion for my privacy conscious grandmother is to run Tor?

            1. 0

              Two things

              One, using centralized DoH services like Cloudflare/Google does virtually nothing for your privacy conscious grandmother’s privacy.

              Two, if you’re trying to imply that your grandmother is technically impaired, that’s irrelevant to Tor. Downloading and using Tor Browser is as easy as downloading and using any third-party browser, Chrome included.

              1. 3

                One, using centralized DoH services like Cloudflare/Google does virtually nothing for your privacy conscious grandmother’s privacy.

                A. I said literally nothing about DoH.
                B. That’s not true.
                It’s absolutely not a perfect solution, but it’s (largely) eliminating an entire set of actors who have pushed forward legislative rollbacks of consumer protections and are actively monkeying with DNS resolution. If you don’t like Google or Cloudflare you also have the option to change the provider (you can even host your own). It’s a deeply flawed system as it stands now but it’s an improvement to the previously deeply flawed system.

                Two, if you’re trying to imply that your grandmother is technically impaired, that’s irrelevant to Tor. Downloading and using Tor Browser is as easy as downloading and using any third-party browser, Chrome included.

                Question: My grandmother watches Netflix regularly, do you support the idea of her being on Tor doing this?

                To be clear. I think Tor is invaluable, and donate to both Mozilla and Tor regularly. But I think the maximalist position of privacy and security is actively harmful if it blocks incremental improvements.

                1. 3

                  It’s a deeply flawed system as it stands now but it’s an improvement to the previously deeply flawed system.

                  It’s not an improvement. Sending all your DNS queries to Google just gives Google more data. It doesn’t prevent Comcast from knowing what websites you’re visiting. It makes a bad problem worse.

                  Question: My grandmother watches Netflix regularly, do you support the idea of her being on Tor doing this?

                  Obviously not, but using DoH doesn’t prevent her ISP from knowing when she watches Netflix.

                  But I think the maximalist position of privacy and security is actively harmful if it blocks incremental improvements.

                  Criticizing DoH for its ineffectiveness at its stated goal is not a “maximalist” position.

          2. 2

            We wouldn’t be forced into this shitty dilemma if Ajit Pai hadn’t made it clear ISPs have nothing to fear by selling customer data. Of course, if we had actual competition in telecoms by forcing telecoms to open their networks like in other countries, then consumers might have some choice.

          3. 2

            This isn’t completely true. SNI (over HTTPS/TLS) means that anyone watching the first bits of any/all HTTPS traffic can see it as well. DNS over HTTPS does nothing for this, and ISPs can keep on collecting who/what/when/where.

            1. 4

              Even ignoring this, the IPs you are connecting to are still in the clear.

              1. 3

                Firefox supports eSNI (not enabled by default yet) that encrypts SNI and the certificate, so ISP can only see the IP. And if the IP belongs to a large CDN, that tells them very little.

            2. 1

              As far as I can tell Google and Firefox aren’t looking to centralise DNS into their control through this push of DNS over HTTPS, rather they are adding the support for DNS over HTTPS into their applications so if the user’s designated DNS server supports it their application will use it.

              1. 1

                The point that you are missing is that Comcast or any other big company lobbying will say anything as long as it serves their goals. Their goals are not to make the world a better place. Their goal is to stop things from happening so that they can keep using DNS to spy on you and turn that into a revenue source and please their shareholders.

                1. 1

                  That point is not lost on me, I’m not sure why you assumed that it was. The point you are missing is that their argument in the slide from the article is not wrong. The motivation they have for pointing that out doesn’t automatically invalidate their argument.

                  Ideally there would be a solution that 1) prevents ISPs from spying on customers and 2) doesn’t consolidate DNS under the world’s largest ad company (because what could possibly go wrong with that? /s)

              2. 20

                This is not an apology for Comcast, but my gut tells me that wrapping yet another protocol in HTTPS is maybe not the best idea. To be more technical, TCP overhead and SNI loopholes make DoH seem like a half-solution–which could be worse than no solution at all.

                Also, I think DoH is yet another Google power-play–just like AMP–to build yet another moat around the castle.

                1. 16

                  Yeah, I mean, the slides aren’t wrong. And once Firefox is DoH->Cloudflare and Chrome is DoH->Google, who is to say either one wouldn’t just decide to delist a DNS entry they don’t like claiming it’s hate speech. Keep in mind, both companies have already done this to varying extents and it should be deeply troubling.

                  I run a local DNS server on my router that I control. Still, it queries root servers in plain text and my ISP could see that (even though I don’t use my ISP’s DNS, not sure if they’re set to monitor raw DNS traffic or not). I could also pump that through one of my hosting providers (Vultr or DigitalOcean) and it’s less likely they’d be monitoring and selling DNS data (but they still could if they wanted).

                  Ultimately the right legal argument that should be lobbied for is banning ISPs from collecting DNS data or altering DNS requests at all (no more redirects to a Comcast search page for non-existent domains!) That feels like it’s the more correct solution than centralizing control in Google/CloudFlare’s DNS.

                  1. 12

                    I also run a local resolver (a pihole – for dns based ad filtering), but also use DoT (dns over tls) between my resolver and an upstream resolver.

                    It seems like host OS resolvers natively (and opportunistically) supporting DoT would solve a lot of problems, vs this weird frankenstein per-app DoH thing we seem to be moving towards.

                    1. 4

                      not sure if they’re set to monitor raw DNS traffic or not

                      They most certainly do, and a few less scrupulous ISPs have been shown to be MITM’ing DNS responses for various reasons but usually $$$.

                      1. 4

                        Isn’t the real problem here the users choice of ISP? Or has so much of the internet become extremely monopolized around the world?

                        1. 9

                          In the USA, there is basically zero choice in who your ISP can be, many even big urban areas have only 1 ISP provider. Perhaps if SpaceX can get their Starlink stuff commercialized next year, the effective number will grow to 2…. maybe. I can’t speak for other countries, but in my experience they aren’t generally better in terms of options, but they do tend to be better in price. US ISPs know they are the only game in town and charge accordingly.

                          1. 2

                            In the USA, there is basically zero choice in who your ISP can be

                            That’s understandable, but DoH is not the answer here. Addressing the lack of choice is the answer. If Google and Firefox/CF get a free pass in the US, it affects the rest of the world.

                            1. 1

                              I totally agree with you.

                            2. 2

                              I am considering myself lucky then. I can choose between anything that can run over POTS, cable and fiber. The POTS and fiber networks being required to open up their network for other ISPs as well.

                              1. 1

                                In the USA, there is basically zero choice in who your ISP can be, many even big urban areas have only 1 ISP provider.

                                This is not strictly true at all. Most urban areas in the US of A are a duopoly insofar as the internet goes. You usually have a choice for the internet between the cableco or the telco. In addition, telcos are often required to provide CLECs with some sort of access to the copper lines as well, so there’s some potential for additional choices like Sonic DSL, although those become more rare because often the telco charges CLECs more for access to this copper than the price of their internet service directly to the consumer, so Sonic is one of the few remaining independent CLECs out there.

                                Some areas do have extra third choices like PAXIO, Webpass, Google Fiber, as well as local municipal networks in some areas.

                                1. 3

                                  10% of the US at any speed have more than 2 providers. When you get into slower speeds, there are 2 choices (telco and cable company).

                                  “At the FCC’s 25Mbps download/3Mbps upload broadband standard, there are no ISPs at all in 30 percent of developed census blocks and only one offering service that fast in 48 percent of the blocks. About 55 percent of census blocks have no 100Mbps/10Mbps providers, and only about 10 percent have multiple options at that speed.” - https://arstechnica.com/information-technology/2016/08/us-broadband-still-no-isp-choice-for-many-especially-at-higher-speeds/

                                  Figure 5 in the linked article above pretty much sums it up. So we are both correct, depending on perspective. :) The FCC thinks all is fine and dandy in the world of US internet providers. Something tells me the Cable companies are encouraging that behaviour :)

                          2. 1

                            And once Firefox is DoH->Cloudflare and Chrome is DoH->Google

                            Once the standards are in place for DHCP (et al) to report a default DoH endpoint to use, and OSes can propagate their own idea, informed by DHCP or user configuration, to clients (or do the resolving for them via DoH), there’s little reason for Firefox or Chrome not to use that data.

                            That issue is regularly mentioned in the draft RFCs, so there will be some solution to that. But given that there’s hijacking going on, browser vendors seem to be looking for a solution now instead of waiting for this part of the puzzle to propagate through systems they don’t control.

                            Also, web browsers have a culture of “implement first, standardize once you experienced the constraints”, so this is well within their regular modus operandi - just outside their regular field of work.

                            Lobbying work isn’t as effective as just starting to use DoH because you have to do it in each of the nearly 200 jurisdictions around the globe.

                            1. 1

                              Not holding my breath on a legal solution. US gov has not been a friend of privacy, and other governments are far worse.

                              Only thing coming to mind here is some sort of privacy-oriented low-profit/non-profit organization to pool and anonymize queries over many different clients. Even that’s not so great when most setups are 8.8.8.8, admin/password, and absolutely DNGAF.

                              1. 1

                                And once Firefox is DoH->Cloudflare and Chrome is DoH->Google, who is to say either one wouldn’t just decide to delist a DNS entry they don’t like claiming it’s hate speech. Keep in mind, both companies have already done this to varying extents and it should be deeply troubling.

                                Like Cloudflare not supporting EDNS.. :/

                              2. 3

                                To be more technical, TCP overhead and SNI loopholes make DoH seem like a half-solution

                                The TCP/TLS overhead can be minimized with keep-alive, which DoT clients like stubby already do. You can simply reuse an established connection for multiple queries. This has worked very well for me in my own setups.

                                As others have probably pointed out, the SNI loophole can be closed with eSNI. How soon and if this is going to take hold is anyone’s guess at this point. But I personally see privacy as more of a side effect as I simply care that my queries are not manipulated by weird networks.

                                This is not an apology for Comcast, but my gut tells me that wrapping yet another protocol in HTTPS is maybe not the best idea.

                                I would love to agree with you here (and I do so in principle), but from my own experience with DoT and DoH I can tell you that many networks simply don’t allow a direct DoT port, leaving you with either DoH or plain DNS to an untrusted (and probably non-validating) resolver. The shift to “X over HTTPS” is but a reaction to real world limitations, where almost everything but HTTP(s) is likely to be unreachable in many networks. I’d love to use DoT and do so whenever I can. But I need to disable it more often than I’d like to. :(

                                A minor fun fact regarding DoH: Since a http(s) server can redirect to different endpoints, it’s in principle possible for clients to choose different “offers” - a DoH server may offer a standard resolution on /query and filter out ad networks on /pihole or whatever. And using dnsdist, this is easy to setup and operate yourself. DoH doesn’t really mean DNS centralization but the opportunity for quite the opposite: You could now take your own resolver with you wherever you go.
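Added example, not from the commenter and not code from stubby or dnsdist: how a DoT client reuses one TLS connection for many queries, which is what turns the per-query TCP/TLS overhead mentioned above into a one-time cost. RFC 7858 puts DNS on TLS port 853 with the 2-byte length framing of RFC 7766; queries can be pipelined and replies may come back in a different order, so the client matches replies to in-flight queries by transaction ID. `connect_dot` opens an authenticated connection with the standard library’s default verifying context (the resolver hostname and port are whatever you pass in); the stream handling is exercised on constructed stand-in messages so the example runs offline.

```python
"""Added example (not from the thread): DNS over TLS framing and connection reuse.

RFC 7858 runs DNS over TLS on port 853 with the TCP framing of RFC 7766: every
message is prefixed by a 2-byte big-endian length, several queries may be in
flight on one connection, and replies may arrive out of order. The client keeps
one connection, pipelines queries and matches replies by transaction ID.
"""
import socket
import ssl
import struct


def connect_dot(host, port=853, sni=None):
    """Opens an authenticated TLS connection to a DoT resolver (strict privacy profile)."""
    ctx = ssl.create_default_context()             # verifies the chain and the server name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=sni or host)


def frame(msg):
    """RFC 7766 framing: 2-byte length prefix, then the DNS message."""
    return struct.pack(">H", len(msg)) + msg


class DotStream:
    """Reassembles length-prefixed messages from arbitrarily chunked TCP reads."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        out = []
        while len(self.buf) >= 2:
            (n,) = struct.unpack(">H", self.buf[:2])
            if len(self.buf) < 2 + n:
                break                                  # wait for the rest of this message
            out.append(self.buf[2:2 + n])
            self.buf = self.buf[2 + n:]
        return out


class PipelinedClient:
    """Tracks in-flight queries by ID on one connection; unknown IDs are dropped."""

    def __init__(self):
        self.pending = {}                              # txid -> query bytes
        self.stream = DotStream()

    def send_bytes(self, query):
        """Registers the query and returns the framed bytes to write to the socket."""
        (txid,) = struct.unpack(">H", query[:2])
        if txid in self.pending:
            raise ValueError("transaction ID %04x already in flight" % txid)
        self.pending[txid] = query
        return frame(query)

    def receive(self, data):
        """Feeds socket data; returns ([(query, reply)], [unmatched replies])."""
        matched, unexpected = [], []
        for msg in self.stream.feed(data):
            (txid,) = struct.unpack(">H", msg[:2])
            query = self.pending.pop(txid, None)
            if query is None:
                unexpected.append(msg)                 # stale or injected; never trust it
            else:
                matched.append((query, msg))
        return matched, unexpected


def demo():
    """Constructed stand-in messages: 12-byte header (ID, flags, zeros) plus a tag."""
    client = PipelinedClient()
    q1 = b"\x11\x11\x01\x00" + bytes(8) + b"q1"
    q2 = b"\x22\x22\x01\x00" + bytes(8) + b"q2"
    wire_out = client.send_bytes(q1) + client.send_bytes(q2)   # two queries, one handshake
    r2 = b"\x22\x22\x81\x80" + bytes(8) + b"r2"
    r1 = b"\x11\x11\x81\x80" + bytes(8) + b"r1"
    bogus = b"\x99\x99\x81\x80" + bytes(8) + b"xx"             # an ID we never sent
    inbound = frame(r2) + frame(bogus) + frame(r1)               # reordered, with a stray reply
    m1, u1 = client.receive(inbound[:5])                         # first read ends mid-message
    m2, u2 = client.receive(inbound[5:])
    return wire_out, m1 + m2, u1 + u2, client.pending


if __name__ == "__main__":
    print(demo())
```

To use it against a real resolver, write the bytes from `client.send_bytes(q)` to the socket returned by `connect_dot` and pass each `recv()` result to `client.receive`. A production client would also compare the question section of each reply with the query it matched; that is left out here because the demo messages are stand-ins with only the ID set.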

                                1. 1

                                  I’m fine with DoH as a configurable system-level feature, but application-level resolvers are bad news, and that seems to be where all of this is headed.

                                  If that’s where it goes, many applications will default to their own favorite DoH provider for some kind of kickback. The prospect of having to find the “use system resolver” check box for every single application after every other update does not bring joy.

                                2. 3

                                  HTTPS is upgrading to QUIC, so we’ll eventually have DNS back on UDP, but with proper encryption this time.

                                3. 10

                                  I’m not in love with my ISP, but I trust them more than I do Google. As far as I’m concerned, Google is a spyware company at this point. Claiming DoH is “for privacy” is a joke. DoH lets Google spy on you instead of somebody else.

                                  Actually, as an end user I feel the debate between DNS and DoH is almost irrelevant to me. I don’t particularly trust any of the companies involved, and they’re all out to monetize my data without my consent. The only leverage I have is that I can threaten to switch ISPs if they do anything too bad.

                                  1. 5

                                    The logic of using centralized DoH to protect yourself from your ISP is faulty. Even if you route all your DoH requests to Google or Cloudflare, your ISP can still track which sites you visit using destination IPs or the TLS server name.

                                    If the goal is to use centralized DoH to prevent spoofing in a public internet setting (e.g. cafe WiFi), if you’re not already using TLS, then you’re open to worse attack vectors.

                                    Given this I don’t really see the point of centralized DoH. It has an extremely marginal privacy benefit for a large privacy downside (i.e. additionally giving Google / Cloudflare private access to worldwide query data).

                                    On a more technical note, centralized DoH will probably degrade internet efficiency somewhat. Now all DNS traffic will be routed across networks on the open internet, instead of being localized within the ISP’s network.
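Added example (not from the commenter) of the leak described here and earlier in the thread: a passive observer that captures the first packet of a TLS session reads the server name out of the ClientHello without any key, and sees the destination IP regardless. The ClientHello is constructed in the block (zeroed random, one cipher suite, just enough structure for a parser to walk), and `extract_sni` pulls the name the way an ISP’s collector would. A hello without the extension, a non-handshake record and a truncated capture all come back as `None` rather than crashing the collector.

```python
"""Added example (not from the thread): what an on-path observer reads from a TLS handshake.

With DoH the DNS question is hidden, but the very next packet, the TLS
ClientHello to the web server, carries the host name in the clear in the
server_name extension (RFC 6066), and the IP header carries the destination
address. The ClientHello here is constructed with just enough structure to parse.
"""
import struct


def build_client_hello(server_name=None):
    """Constructed minimal ClientHello record; server_name=None omits the extension."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(host)) + host       # name_type 0 = host_name
        name_list = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0, len(name_list)) + name_list     # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                   # version, zeroed random
            + b"\x00"                                                  # empty session_id
            + struct.pack(">H", 2) + b"\x13\x01"                      # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Returns the host_name from a ClientHello record, or None if absent or unparseable."""
    try:
        if record[0] != 0x16:                                          # not a handshake record
            return None
        rec_len = struct.unpack(">H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                              # not a ClientHello
            return None
        off = 4 + 2 + 32                                               # header, version, random
        off += 1 + hs[off]                                             # session_id
        off += 2 + struct.unpack(">H", hs[off:off + 2])[0]             # cipher_suites
        off += 1 + hs[off]                                             # compression_methods
        if off + 2 > len(hs):
            return None                                                # no extensions block
        end = off + 2 + struct.unpack(">H", hs[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[off:off + 4])
            off += 4
            data = hs[off:off + elen]
            off += elen
            if etype != 0:
                continue
            p = 2                                                      # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack(">H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return data[p:p + nlen].decode("ascii", "replace")
                p += nlen
        return None
    except (IndexError, struct.error):
        return None                                                    # truncated capture


def observe(flows):
    """What a passive collector logs per flow: (destination IP, SNI or None)."""
    return [(dst, extract_sni(first_bytes)) for dst, first_bytes in flows]


if __name__ == "__main__":
    print(observe([("192.0.2.10", build_client_hello("example.com")),
                   ("192.0.2.10", build_client_hello())]))
```

Encrypted SNI changes only what this parser finds in the extension; the destination address in the second column stays visible either way, which is the point about CDN-hosted sites made earlier in the thread.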

                                    1. 2

                                      Doesn’t Firefox already do DoH?

                                      1. 2

                                        DNS over HTTPS is available in newer builds, there are steps a user must take to enable it, as it’s not enabled by default.

                                        1. 1

                                          Ah. I had read it was included but wasn’t aware that it wasn’t turned on by default.

                                          1. 3

                                            This kind of information can be a little misleading without a date attached. Mozilla says “We plan to gradually roll out DoH in the USA starting in late September [2019].” More info is available on their help page.

                                            The controversy over browser rollout of DoH has been discussed here quite a bit recently. Some examples:

                                      2. 2

                                        While I’m not totally comfortable with DoH, there’s a lot of this logic goin’ on in the comments:

                                        We have problem X which is caused by both A and B. There’s no point in fixing A because B will still be there. [And implicitly, there’s no point in fixing B, either, because A will still be there]

                                        To be more explicit: Yes, both DNS and SNI leak this information to your ISP. But DoH helps with DNS and TLS 1.3 with SNI encryption helps with SNI. You have to start somewhere, though.

                                        1. 2

                                          Of course they are. It is bad for their business if they cannot see your DNS.

                                          1. 2

                                            It is funny that this is downvoted. That is exactly the purpose of this kind of lobbying and messaging: turn the discussion around and away from Comcast abusing your data.

                                            They are not innocent and their motives are profit driven. Don’t mistake Comcast for a company that deeply cares about the health of the internet or individual user privacy.