
Addressing some misconceptions about our plans for improving the security of DNS - migueldemoura
https://blog.chromium.org/2019/10/addressing-some-misconceptions-about.html
======
danShumway
The claim that ISPs are concerned about Google DNS being anti-competitive or
too powerful really rubs me the wrong way.

Google has offered DNS services for years, and ISPs didn't care. The 'problem'
isn't that Google is offering its own DNS -- it's that now those queries are
encrypted and ISPs can't read them.

The pushback on this has been really eye opening for me. I knew that obviously
ISPs were reading DNS queries, but I think the amount of effort ISPs are
putting into stopping what is a fairly basic security measure means that I
under-appreciated just how much they care about that data. Apparently
unencrypted DNS is a bigger threat than I realized.

If ISPs aren't monetizing this stuff now, they're probably planning to.

~~~
zzzcpan
It's not about selling the data for ISPs, never was, never will be. For ISPs
almost all websites are uniquely identifiable by looking at clear text SNI and
Host: headers. But it's much worse, 95% of top 1 million websites are uniquely
identifiable just by looking at IP addresses during page load, basically
netflow data that pretty much all ISPs store. And this data is more detailed
than DNS queries. There is a lot of detailed data to monetize, cheaply, with
no ability to hide, besides Tor and VPN.

ISPs couldn't care less about such silly attempts to limit spying that don't
really work, what ISPs actually care about is control. They want to be the
ones who decide which websites have which IP addresses, they want to be able
to change them, block them, do address translations, maybe show you ads on
nonexistent domains, etc.

Mozilla, Google and Cloudflare are no better than ISPs here either. They don't
want you to know all of the above. Mozilla wants money from Cloudflare,
Cloudflare wants to control a critical piece of infrastructure pretty much all
competing CDNs rely on, Google probably doesn't need it, but just can't help
itself to get its hands on that data.

~~~
user64372
Yes, control. Control and scale.

ISPs can afford some nerds configuring their DNS to 1.1.1.1 or 8.8.8.8 but
they can't afford browsers deciding for all users.

Of course Google will say that it won't force anything, and it's true today. But
will it be true tomorrow? Ask uBO users about that.

~~~
jwilk
> Ask uBO users about that

What do you mean?

~~~
zaarn
Recently Google blocked uBO Dev Builds on grounds of "including unrelated
functionality". Of course, it was all an accident made by some AI, so no
actual human is responsible, and in no way, shape or form did Google intend
to kill off a project that harms its profits.

------
WarOnPrivacy
My issue with browser-based DoH is when it defaults to ON.

That was Mozilla's original plan for Firefox. That's a problem for those of us
who use DNS to reduce the risk from malware, advertising and other invasive
technologies. DoH effectively circumvents those protections.

After a crapstorm, Mozilla walked that back and made DoH a user choice. Even
better, Firefox queries the use-application-dns.net zone - which (added to a
local DNS server) tells Firefox to turn off DoH. This is super helpful for
those who use DNS to safeguard networks.

Now, better than DoH and a more elegant solution overall is DNS over TLS
(RFC7858), which is simply encrypted DNS. It's the natural next step. Frankly,
we all should have been using it for years. It's just beginning to gain
support, though.

As it stands now only a handful of public DNS resolvers support it (Quad9,
Cloudflare, Google, someone in Germany). None of the root servers do. Nor do
ISPs'.

My approach is to run a local DNS resolver (Unbound) which forwards its
queries over TLS. Local users' queries are plain text but the forwarded
(public network) queries are encrypted.
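
As an added example (not part of the comment above or of the Unbound project's docs), here is a minimal unbound.conf that does what the comment describes: it answers LAN clients in clear text, forwards everything upstream over DNS over TLS (RFC 7858, port 853) to two of the public resolvers named in the thread, and serves the use-application-dns.net canary as NXDOMAIN so Firefox on that network turns DoH off. The 192.168.1.0/24 LAN range and the Debian-style CA bundle path are assumptions; adjust both for your network and distribution.

```conf
# unbound.conf -- local resolver, clear text on the LAN, DoT upstream.
# Added example; the LAN range and the CA bundle path are assumptions.
server:
    interface: 127.0.0.1
    interface: ::1
    interface: 192.168.1.1          # assumed LAN-facing address of this host
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow   # assumed LAN range
    access-control: 0.0.0.0/0 refuse       # never be an open resolver

    # CA bundle used to verify the upstream resolvers' TLS certificates.
    # Path is Debian/Ubuntu; use your distribution's bundle.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Send as little as possible upstream.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Firefox DoH canary: an NXDOMAIN for this name tells Firefox
    # to keep using the system resolver instead of its own DoH provider.
    local-zone: "use-application-dns.net." always_nxdomain

# Forward every query over TLS. The "#hostname" suffix makes Unbound
# verify the certificate against that name, not just the IP address.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Two checks after `unbound-checkconf` passes and the service is restarted: `dig @127.0.0.1 use-application-dns.net` should return status NXDOMAIN, and a packet capture on the WAN interface should show outbound DNS only on TCP/853, with nothing on UDP/53. Without the `#hostname` authentication name Unbound still encrypts but does not verify who it is talking to, which leaves the TLS hop open to an on-path resolver swap.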

------
jwilk
Archived copy, which can be read without JS enabled:

[https://archive.is/5GypR](https://archive.is/5GypR)

------
ahbyb
>The first claim is that Google is going to redirect user DNS traffic to
Google's own DNS or another DoH-compliant DNS provider. That is incorrect.
Because we believe in user choice and user control, we have no plans to force
users to change their DNS provider. [...] We’re simply enabling support in
Chrome for secure DoH connections if a user’s DNS provider of choice offers
it.

Chrome will use the DoH frontend of the DNS server of the computer it's
running on, respecting the user's choice. Instead, the Mozilla Corporation has
decided that Firefox will route all DNS requests through CloudFlare regardless
of user settings.

~~~
the_why_of_y
> Firefox will route all DNS requests through CloudFlare regardless of user
> settings.

[https://support.mozilla.org/en-US/kb/firefox-dns-over-https#...](https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_switching-providers)

~~~
ahbyb
I was talking about defaults. Of course you can also change them on Chrome
too. But defaults matter because most people stick to them. And the default of
Firefox will send navigation history to Cloudflare.

~~~
zaarn
IIRC Cloudflare is currently not the default and there are no plans to turn on
DoH per default if there is no way for Firefox to properly preselect the
provider the user wants.

