
DNS-Over-HTTPS (DoH) Operational and Privacy Issues - sohkamyung
https://www.ietf.org/blog/doh-operational-and-privacy-issues/
======
xg15
> _There is a general expectation that when a browser starts turning on DoH,
> it will give the user a choice of trusted DoH providers and enable end users
> to specify their own trusted configurations, similar to the list of search
> providers seen in browsers today._

Is this really the general expectation?

From what I've read so far, I'd expect that both Chrome and Firefox will
simply hardwire this to dedicated resolver endpoints selected by them - and
maybe provide group policy or about:config options as an override, with strong
communication that ordinary users should not use them.

~~~
da_chicken
That's what browser manufacturers want to do, but that only works in the
consumer space or small office space. A company isn't going to be happy about a
browser that by default will self-configure the intranet to be inaccessible.
Especially given the way that updates tend to reset settings when the
developers think that their preferred configuration is the only right
configuration. And sure, they can probably deploy fixed settings that cover
their needs, but what happens when you suddenly need multiple profiles with
different configurations to handle the different DNS needs at different sites?
"It's always DNS," is even a common saying for sysadmins. Now it's going to
get _more_ complicated because web browsers will ignore DHCP? Wow, great.

Simply put, I still don't buy the idea that the browser needs a DNS client.
The OS network stack can, and should, be the provider of that service.

This is just, "We know what's best for everybody. It's easier to ignore router
vendors, DNS server vendors, ISPs, IEEE standards, and so on if we just do it
ourselves in spite of the problems it's sure to cause. That other way is hard,
anyways. Damn the consequences, we're going to do it anyways!"

~~~
zzzcpan
Google or Mozilla picking a DoH server for you is somehow good for privacy,
instead of using one configured by you and outside of their control. Sounds
ridiculous, doesn't it? If not a deliberate attempt to make it harder for
users to get any privacy by tracking them across changing ISPs and VPNs.

~~~
Spivak
And you think you'll have better privacy sending queries to whatever server
DHCP hands out?

If you're configuring your own DNS server you're waaaay out of scope for the
problems this is trying to address.

~~~
josteink
> And you think you'll have better privacy sending queries to whatever server
> DHCP hands out?

Yes. Because that's my network, my DHCP and something I have 100% control
over.

There's _literally nothing_ in the universe which better protects my privacy.

~~~
da_chicken
I think the criticism there is guest WiFi, but you can always configure your
system to use a specific DNS server if you wish.

------
amaccuish
It's still not clear to me how this will work in internal networks. AFAIK it's
not possible to distribute internal DoH servers via DHCP, and it seems
orthogonal to the goals of DoH since "cafe wifi" could give you dodgy servers.
But how do I as a network administrator with internal DNS domains serve my
users?

Maybe browsers and OSs could look at the local search domain, and send queries
matching to DHCP servers, and everything else over DoH, kinda like split dns
with a VPN?

~~~
BillinghamJ
Serve the internal IPs from public hostname DNS records?

Internal DNS I think is largely not a good thing and I'd be happy to see it
go.

~~~
kenny_r
As a sysadmin I disagree strongly.

Being able to host my own authoritative servers for my domains inside my org
is a fantastic feature of DNS.

It lets me do things like split-horizon, which lets me deal with clients
coming from different origins that may reach certain servers with or without
NAT.

I'm also not keen on putting all my records on public name servers, for
everyone to discover.

~~~
BillinghamJ
You could run your own DNS server. As long as you can get the relevant TLS
cert, it doesn't even need to be public. You just would need to accept DoH
connections.

------
ectospheno
Comically enough, browser manufacturers aren't going to hardcode the IP of the
DoH server. They will look it up using the DNS you already control. Give them
a non-routable address and log the attempt. Then go tell that user to stop.

If some crazy group does hardcode it then they have made your job even easier.

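The sinkhole-and-log approach described in the comment above, as an added illustration (not code from the thread or from the IETF post). The DoH bootstrap hostnames, the log line format and the sinkhole address are constructed placeholders; a real deployment substitutes the names its own resolver logs show.

```python
"""Sinkhole DoH bootstrap lookups on a resolver you control and count the
attempts per client.  Added illustration; hostnames, log format and the
sinkhole address are constructed placeholders, not real resolver names."""
import ipaddress
import re
from collections import Counter

# Constructed placeholder list of hostnames a browser would resolve to find
# its DoH endpoint.  Fill this from your own resolver's query logs.
DOH_BOOTSTRAP_NAMES = {"doh.example-resolver.net", "dns.example-browser.org"}

# Non-routable sinkhole target: RFC 5737 TEST-NET-1, not routed on the Internet.
SINKHOLE = ipaddress.IPv4Address("192.0.2.1")


def policy_answer(qname: str):
    """Return the sinkhole address for a DoH bootstrap name, else None
    (meaning: resolve normally).  DNS names are case-insensitive and may carry
    a trailing dot, so both are normalised before matching."""
    name = qname.rstrip(".").lower()
    return SINKHOLE if name in DOH_BOOTSTRAP_NAMES else None


# Constructed log format: "<timestamp> client <ip> query <name> <qtype>"
LOG_RE = re.compile(r"client (?P<ip>[\d.]+) query (?P<name>\S+) (?P<qtype>\S+)")


def doh_attempts(log_lines):
    """Count sinkholed bootstrap lookups per client IP so the admin knows
    which user to go and talk to.  Unparseable lines are skipped."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and policy_answer(m["name"]) is not None:
            hits[m["ip"]] += 1
    return dict(hits)


SAMPLE_LOG = [  # constructed sample lines
    "2019-10-01T09:00:01 client 10.0.0.12 query intranet.corp.example A",
    "2019-10-01T09:00:02 client 10.0.0.12 query doh.example-resolver.net A",
    "2019-10-01T09:00:02 client 10.0.0.12 query doh.example-resolver.net AAAA",
    "2019-10-01T09:00:05 client 10.0.0.40 query DNS.Example-Browser.org. A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, n in sorted(doh_attempts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} DoH bootstrap lookup(s) sinkholed to {SINKHOLE}")
```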
~~~
pmoriarty
Why would you refer to a DNS server by domain name and not by IP in the first
place?

~~~
adrianmonk
I can think of some possible motivations:

(1) Some kind of load-balancing thing and/or edge DoH servers. It gives you an
opportunity to connect to a DoH server near you. Latency matters for DNS, and
for traditional DNS, DHCP takes care of hooking you up with a nearby server.
This could give comparable functionality for DoH. (This could probably also be
done at the IP routing layer. But it's nice to have options.)

(2) Decoupling. You can change DoH server IP addresses without releasing a new
browser build. And anyway, if you did try to do it by releasing new browser
builds, you'd have users who don't bother to update.

------
nimbius
For me this feels like trading the devil you know for the devil you don't. My
ISP snoops my DNS queries if I use their DNS; however, Mozilla has shown time
and time again they don't care what customers think in terms of privacy or
features. No one wanted video chat, DRM content, or Pocket, and yet here we are
looking at another feature from Mozilla that privileges them to my DNS
queries.

