1. 2

    Unpopular opinion time!

    These types of services cannot work as marketed. If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext. US ISPs, Comcast being the biggest offender, are known to hijack those requests.

    Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The size of the packets isn’t going to change between when I do an A record lookup for google.com yesterday versus today. A passive attacker could pre-compute the packet data length for the most common domains (Alexa top million, for example).

    The only real solution is to mix different kinds of traffic into a network specially crafted for privacy/anonymization, like Tor, which supports tunneling DNS queries.

    1. 3

      If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext.

      Well… yeah. Of course you don’t get any security benefits if you don’t use TLS. (Well, even without it you do get some, but it really buys you very little.)

      Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The size of packets aren’t going to change for when I do an A record lookup for google.com yesterday versus today.

      You can pad an HTTPS query URL with random data. Google even documents it.
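      An added example (not code from the thread) that makes both points above concrete. It builds DNS-over-TLS queries as they sit on the wire (the two-byte length prefix of RFC 7858 in front of an RFC 1035 message), tabulates the sizes an on-path observer would see for a constructed stand-in for a "top domains" list so a sniffed record length can be mapped back to candidate names, and then applies the EDNS(0) Padding option (RFC 7830, in 128-byte blocks as RFC 8467 recommends) rather than the URL padding mentioned above, to show the sizes collapsing to a single value. The domain list, the fixed transaction ID and the constant TLS per-record overhead are assumptions of the example.

```python
import struct
from collections import defaultdict

# Constructed stand-in for an "Alexa top million" style list (assumption).
TOP_DOMAINS = ["google.com", "youtube.com", "facebook.com", "wikipedia.org",
               "amazon.com", "reddit.com", "lobste.rs", "example.com"]

# Assumed constant per-record TLS overhead (record header + AEAD tag).
# Real values vary by cipher suite, but they are the same for every query
# on one connection, which is all a passive observer needs.
TLS_RECORD_OVERHEAD = 5 + 16


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, pad_block: int = 0) -> bytes:
    """A-record query in DNS wire format. With pad_block > 0 an EDNS(0) OPT
    record carrying the Padding option (code 12) is appended so the total
    message length is a multiple of pad_block (RFC 7830 / RFC 8467)."""
    arcount = 1 if pad_block else 0
    # ID 0x1234 is fixed for the demo; real clients randomise it.
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if not pad_block:
        return msg
    # OPT RR fixed part is 11 bytes, the Padding option header 4 bytes.
    unpadded = len(msg) + 11 + 4
    pad_len = (-unpadded) % pad_block
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 4 + pad_len)
    opt += struct.pack("!HH", 12, pad_len) + b"\x00" * pad_len
    return msg + opt


def observed_length(msg: bytes) -> int:
    """Bytes an on-path observer sees for one DoT query: the two-byte
    length prefix RFC 7858 requires, the message, and TLS overhead."""
    return 2 + len(msg) + TLS_RECORD_OVERHEAD


def fingerprint_table(domains, pad_block: int = 0) -> dict:
    """Pre-computed map: observed record length -> domains producing it."""
    table = defaultdict(list)
    for d in domains:
        table[observed_length(build_query(d, pad_block=pad_block))].append(d)
    return dict(table)


def guess(observed: int, table: dict) -> list:
    """What the passive attacker concludes from one record length."""
    return table.get(observed, [])


if __name__ == "__main__":
    for block in (0, 128):
        table = fingerprint_table(TOP_DOMAINS, pad_block=block)
        print(f"padding block {block}:")
        for size, names in sorted(table.items()):
            print(f"  {size:4d} bytes -> {names}")
    sniffed = observed_length(build_query("facebook.com"))
    print("unpadded lookup of facebook.com is identified as",
          guess(sniffed, fingerprint_table(TOP_DOMAINS)))
```

      Without padding, names of equal length already collide (google.com, amazon.com and reddit.com all produce the same record size), but a name with an uncommon length such as facebook.com or wikipedia.org is identified outright from a single record. With 128-byte padding every query in the list produces the same size, so the length channel carries nothing; the cost is a larger message, and responses need the same treatment on the resolver side.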

      1. 3

        Cloudflare actually addresses that in their blog post:

        While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering.

        An attacker can also observe server name indication in your TLS connections to see who you’re contacting anyway. Preventing hijacking is much more significant in my opinion.

        1. 2

          Not all resolvers support DNSSEC. Not all people even like or trust DNSSEC.

          Either way, I don’t buy that Cloudflare’s solution, especially when using plaintext DNS, enhances security. It simply allows more entities to snoop and/or modify your data en-route.

          1. 2

            That’s true, your ISP can still snoop the DNS traffic going to Cloudflare. But it does make it harder for them to send you bogus records than if you were querying them directly. Assuming Comcast isn’t modifying my traffic in flight, which I agree is sadly a big assumption, I trust Cloudflare more. Right now I use Google DNS, which has all the same problems you’re describing. At minimum, I’m happy Cloudflare is championing a more secure version of DNS (over HTTP / TLS), even if it isn’t perfect.

            I have considered setting up a recursive DNS resolver on a $2.50/mo VPS and tunneling DNS from my home network to there. The IANA of course provides the root information for the root DNS servers, so it wouldn’t be that hard.

            So I guess I don’t disagree with you. DNS is a complete shitshow one way or another, there’s no way to deny that. Unpopular or not, your opinion is objectively correct. It’s more of an uncomfortable fact than an opinion.

            1. 1

              It’s trivial for an ISP to anycast announce 1.1.1.1 and 8.8.8.8 wholly within their own network, capturing all of your DNS requests anyway. They can configure (or not, who would even notice?) all the same features available on CloudFlare or Google. I would be very surprised if people aren’t already doing it. If you wanted to be sneaky about it you can even set up a reverse proxy for the web content.

              1. 1

                Some Linux nerd might run traceroute and blog about it.

                In any case, if you’re using Cloudflare DNS over HTTPS, they can’t forge Cloudflare’s certificate.
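                An added example (not code from the thread) of the check the last two comments are getting at: open a DNS-over-TLS connection to 1.1.1.1 on port 853 with full certificate verification and, on top of what the TLS library already enforces, pin the resolver’s published name and IP address in the certificate’s subjectAltName. An in-network anycast announcement of 1.1.1.1 that cannot present a certificate for cloudflare-dns.com fails the handshake instead of quietly serving answers. The resolver name and IP are Cloudflare’s published ones; the SAN pin is an extra check added here, not anything Cloudflare’s client software does. Importing the module performs no network access; only running it as a script connects out.

```python
import hashlib
import socket
import ssl

RESOLVER_IP = "1.1.1.1"              # Cloudflare's published resolver address
RESOLVER_NAME = "cloudflare-dns.com"  # name its DoT/DoH certificate carries
DOT_PORT = 853                        # DNS-over-TLS (RFC 7858)


def san_entries(cert: dict) -> set:
    """Flatten the subjectAltName tuples ssl.getpeercert() returns into a
    set of (kind, value) pairs such as ('DNS', 'cloudflare-dns.com') or
    ('IP Address', '1.1.1.1')."""
    return {(kind, value) for kind, value in cert.get("subjectAltName", ())}


def identity_matches(cert: dict, name: str, ip: str) -> bool:
    """Require both the DNS name and the IP literal in the SAN list. A
    hijacker announcing 1.1.1.1 inside one network cannot get a publicly
    trusted certificate naming that IP, so this is the pin that separates
    the real resolver from an impostor that terminates TLS itself."""
    sans = san_entries(cert)
    return ("DNS", name) in sans and ("IP Address", ip) in sans


def probe_resolver(ip=RESOLVER_IP, name=RESOLVER_NAME, timeout=5.0):
    """Open a verified TLS connection to ip:853 and return the parsed peer
    certificate plus a SHA-256 of its DER form (usable as a crude pin).
    create_default_context() verifies the chain against the system trust
    store and server_hostname= makes the library check the name, so an
    impostor with a self-signed or ISP-issued cert raises here."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            cert = tls.getpeercert()                 # only set after verification
            der = tls.getpeercert(binary_form=True)
            return cert, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    try:
        cert, fingerprint = probe_resolver()
    except (ssl.SSLCertVerificationError, OSError) as exc:
        # Chain or name check failed, or the port is unreachable: treat the
        # resolver as untrusted rather than falling back to plaintext DNS.
        print("resolver identity NOT verified:", exc)
    else:
        print("SAN pin ok:", identity_matches(cert, RESOLVER_NAME, RESOLVER_IP))
        print("certificate sha256:", fingerprint)
```

                The important design choice is the failure mode: a client that falls back to port 53 when the TLS handshake fails hands the hijacker exactly what it wanted, so a hard failure is the right outcome. Plain DNS to 1.1.1.1 has no equivalent check at all, which is the asymmetry the comments above describe.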

      1. 8

        I’ve been using Homebrew for a few years, long enough to not realize what may be its limitations. How is Pkgsrc different/better/worse?

        1. 10

          One of the main differences is that it’s binary packages rather than all source. Whenever I finally updated homebrew my Mac was nearly useless for a few hours compiling some rather large packages and their dependencies. Updating pkgsrc takes only a few minutes in nearly every case.

          Pkgsrc also has over 14k packages whereas homebrew only has about 3500. And pkgsrc is cross-platform. I use it on OS X, SmartOS, OmniOS, and Linux to get a consistent set of packages/versions/configuration style across all platforms. Pkgsrc directly supports 18 different platforms and I’ve seen unofficial builds on several more.

          Pkgsrc packages are fairly easy to update if you want a newer version of something, and the maintainers, in my experience, are always willing to work with you to get patches/updates into trunk.

          Homebrew is cute when you’re in college and beer is the central focus of your life. But really, I just need to get stuff done. For the most part pkgsrc does a better job of that than homebrew.

          1. 5

            Homebrew does have binary packages for quite a lot (all?) brews now to be fair, as long as you stick it in /usr/local.

            (Not advocating homebrew as better than pkgsrc though. Love pkgsrc on my servers, still using homebrew locally. Love both.)

            1. 2

              But really, I just need to get stuff done.

              Well, I guess Google doesn’t get stuff done then ;).

              https://twitter.com/mxcl/status/608682016205344768?lang=en&lang=en

              One of the main differences is that it’s binary packages rather than all source.

              That’s years ago. Nowadays, many Homebrew formulae are precompiled, so Homebrew rarely compiles stuff anymore:

              https://bintray.com/homebrew/bottles

              Pkgsrc also has over 14k packages whereas homebrew only has about 3500.

              This is a bit disingenuous, because pkgsrc keeps a lot of old versions. E.g.:

              http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/multimedia/

              There are multiple versions of VLC, ffmpeg, etc. Then surprisingly, quite a few packages that I regularly use are absent from the Darwin packages (they are in Homebrew). For instance: Qt 5, bazel (for building tensorflow), Armadillo, ghc, cabal-install, pandoc, libsvm, rust (though I’ve switched to rustup.rs), and SWI Prolog is at an old version and only with all packages disabled (lite).

              https://pkgsrc.joyent.com/packages/Darwin/trunk/x86_64/All/

              Although I like pkgsrc, there are also some nice advantages to Homebrew. E.g., if you want to compile and install your own software, you just use /usr/local/Cellar/<mypackage>/<myversion> as the prefix and then the usual Homebrew functionality works (brew link <mypackage> to link under /usr/local, brew uninstall <mypackage> to remove, etc.).

              1. 4

                Qt 5, bazel (for building tensorflow), Armadillo, ghc, cabal-install, pandoc, libsvm, rust (though I’ve switched to rustup.rs), and SWI Prolog

                Thanks, this is useful, I’ll take a look at adding or fixing these. If there are any other packages that people would find useful that are missing, please feel free to raise an issue.

              2. 1

                Thanks, that’s useful background (well, minus the equation of one’s package manager and one’s age or taste for alcohol ;)