
A safer and more private browsing experience with Secure DNS - caution
https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html
======
tialaramex
The upside of the "same provider" approach in Chromium is that it defuses a
bunch of the complaints you get with Mozilla's approach about how they're
picking winners (with the inevitable side dish of conspiracy theories).

The downside is that it's opportunistic encryption which means it fails open.
If you're actively targeted this won't protect you. You'll need to explicitly
configure a DoH server to be protected.

~~~
dmayle
Forget the encryption; alter the protocol to support overfetching. (Instead of
fetching a specific site, you fetch blocks of sites). In a naive version,
you'd ask for every site from goodreads.com through to google.com, and then
the client would actually visit the site it wanted. In a hardened protocol,
I'd imagine you'd use hashing, along with a random salt so that there are many
different ways to query the same site.

Right now, your DNS provider has a list of every website you visit (just not
how many times you visited it). The shorter the DNS cache, the more closely
this list matches your browsing behavior.

This definitely complicates the protocol, whether you put the burden at the
resolver layer (needs larger caches) or at the level of authoritative servers
(where they'd be effectively cooperating with root servers), but it's the only
way to truly safeguard browsing data.
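
A toy version of the hashed-bucket "overfetching" idea from this comment, added here as an illustration (not code from the thread or from any deployed resolver). The client salts and hashes the name, sends only the salt and a short hash prefix, receives every record in that bucket and picks its own answer locally; the zone data and the PREFIX_BITS trade-off are constructed assumptions.

```python
"""Toy 'query a hashed bucket, not a name' lookup, illustrating the k-anonymity idea.
Wire view of the resolver: (salt, prefix) only; it never sees the queried name."""
import hashlib
import os

PREFIX_BITS = 4  # wider prefix -> smaller bucket -> less bandwidth but a smaller anonymity set

# Constructed sample zone using the RFC 5737 documentation range; not real hosts.
ZONE = {f"site{i}.example": f"192.0.2.{i}" for i in range(1, 65)}

def salted_hash(salt: bytes, name: str) -> int:
    """H(salt || name): a fresh salt makes the same name map to a different bucket each query."""
    return int.from_bytes(hashlib.sha256(salt + name.lower().encode()).digest(), "big")

def prefix_of(h: int, bits: int = PREFIX_BITS) -> int:
    return h >> (256 - bits)

# ---- server side: computes the salted hash of every name it serves, returns the bucket ----
def server_lookup(salt: bytes, prefix: int, zone=ZONE) -> dict:
    return {n: a for n, a in zone.items() if prefix_of(salted_hash(salt, n)) == prefix}

# ---- client side ----
def client_resolve(name: str, zone=ZONE):
    """Return (answer or None, bucket size, what the resolver observed)."""
    salt = os.urandom(16)
    prefix = prefix_of(salted_hash(salt, name))
    bucket = server_lookup(salt, prefix, zone)      # the overfetch: all names sharing the prefix
    return bucket.get(name), len(bucket), (salt, prefix)

def mean_anonymity_set(name: str, trials: int = 50) -> float:
    """Average bucket size over repeated queries: how many names the server cannot tell apart."""
    return sum(client_resolve(name)[1] for _ in range(trials)) / trials
```

With 64 names and a 4-bit prefix the resolver sees, on average, a bucket of about four candidates per query, and the salt changes the bucket membership every time.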

~~~
textmode
"Instead of fetching a specific site, you fetch blocks of sites."

I have been doing this for many years, putting bulk DNS data in HOSTS and
personal use zone files served from loopback addresses. It is easier than ever
today with so many sources of bulk DNS data.

DOH now lets users retrieve DNS data from recursive DNS servers (caches) in
bulk, using HTTP/1.1 pipelining. Here is a working example:
[https://news.ycombinator.com/item?id=23242389](https://news.ycombinator.com/item?id=23242389)

Many years ago, I started doing non-recursive (no caches used) bulk DNS data
retrieval for speed and also for resiliency in the event of outages. However
the privacy gains are obvious. A rough analogy is downloading all of Wikipedia
in bulk and browsing articles offline as opposed to making separate requests
online for each article and generating all the requisite DNS and TCP/HTTP
traffic. Openmoko's Wikireader experimented with the idea of offline
Wikipedia.

Not only does the DOH provider get a record of all the user's DNS lookups, she
can now associate each request with the particular user program/device that
made it.

------
buro9
Encrypted DNS is great, so long as the end user retains control over which DNS
servers provide the answers.

This does appear to be the case here, and so it is still possible to disable
it (use a local stubby instance to do encrypted DNS) or to use a custom
setting (your nextdns.io config for example).

------
Areading314
I can see this leading to frustrating issues where your browser works fine but
every other native app on your system can't resolve hostnames because your
regular DNS isn't working. Would be nice to have all hostname resolution dealt
with at the OS level rather than special-cased within the browser. Is that
something that modern OS's are planning to support?

~~~
ComputerGuru
Windows 10 May 2020 update brings DoH support but Chrome and Firefox are not
using the API for it to the best of my knowledge.

~~~
bzb3
What do you mean "the API"? Shouldn't Windows just pass all requests to
resolve domains through doh or dot? Have they really added an opt-in API
instead of making it the default?

~~~
ComputerGuru
Firefox assumes the OS does not use DoH and implements its own DoH lookup
client with its own settings and its own list of servers. It's a huge mess.

~~~
londons_explore
Just like it does for the certificate store.... And not using proper UI
toolkits...

------
eatbitseveryday
Why has the world gone towards DNS over HTTPS as opposed to adding TLS itself
to the DNS protocol?

~~~
AnonC
There’s DoT (DNS Over TLS), which operates on port 853, uses TCP and provides
encryption. But it’s also something network operators can easily block since
it runs on a specific, separate port. DNS over HTTPS (DoH), on the other hand,
rides on HTTPS/port 443, which cannot be blocked in networks without causing
major disruptions to the rest of the web traffic.

A more detailed comparison is here:

[https://www.thesslstore.com/blog/dns-over-tls-vs-dns-over-https/](https://www.thesslstore.com/blog/dns-over-tls-vs-dns-over-https/)

~~~
corford
If there was a coordinated embrace and move to DoT (at least for the "last
mile" part between end users and resolvers), network operators wouldn't be
able to get away with blocking it (see secure IMAP, secure POP etc. for
similar shifts in the past).

~~~
sneak
The internet is decentralized and "coordinated embrace" is not realistic or
practical. See also: IPv6.

Pretty much the whole of the internet has been jammed into tcp/443 now, and it
can't much be helped. Internet engineering needs to cope with the world as it
is, not how we wish it were.

~~~
corford
>The internet is decentralized and "coordinated embrace" is not realistic or
practical.

I disagree, see the success of: letsencrypt, the widespread use of 8.8.8.8
and 1.1.1.1; dkim/spf/dmarc; imaps, pop3s, tls ldap.

Why should a switch over to DoT be any different? If anything it should be
easier. The general need for better security and privacy are much more widely
understood and accepted concerns these days.

------
tialaramex
An interesting detail: How does their upgrade work if you're using a
customised DNS service where the customisation is detected differently in DoH
compared to plain DNS?

For example NextDNS customers using DoH put a customisation parameter in the
DNS URL paths (and so it's opaque to an adversary on the network) but
obviously there's no URL path in conventional DNS, so does Chromium spot your
NextDNS configuration and figure out the right URL path?

------
kamyarg
Had a discussion just today with some colleagues because of the internal company
network (VPN) hijacking every port 53 request and responding in 2s (!).

I sure do hope this becomes a visible and flexible feature and not a
google-only-dnses or "Oh, you have to run it with this special flag
(--use-dns-over-tls)" kind of feature.

I think the DNS topic has been underrepresented in the privacy-aware community.
Hope this changes both for OSes and also apps people use regularly.

------
Gaelan
> Furthermore, if there’s any hiccup with the DNS-over-HTTPS connection,
> Chrome will fall back to the regular DNS service of the user’s current
> provider by default, in order to avoid any disruption, while periodically
> retrying to secure the DNS communication

Doesn't that make this pretty trivial to defeat? Just drop the DoH packets and
boom, you've got unencrypted DNS again.
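
A small model of the behaviour questioned here and in tialaramex's "fails open" comment above, added as an illustration (not Chromium's code). It simulates a same-provider upgrade table (constructed placeholder entries, not Chromium's built-in list) and shows that in automatic mode a blocked DoH path silently ends up on plaintext udp/53, while an explicitly configured server fails closed; the mode names and transport callbacks are assumptions of the model.

```python
"""Toy model of a 'same-provider' DoH upgrade with its fail-open fallback.
The upgrade table below is a constructed placeholder, not Chromium's real list."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed: resolver IP handed out by the network -> that provider's DoH template.
AUTO_UPGRADE = {
    "203.0.113.53": "https://doh.example.net/dns-query",
    "198.51.100.1": "https://dns.example.org/dns-query",
}

class DohUnavailable(Exception):
    """The encrypted path timed out or was blocked (e.g. tcp/443 to the resolver dropped)."""

@dataclass
class Resolver:
    system_dns: str                              # resolver learned from the OS / DHCP
    mode: str = "automatic"                      # "off" | "automatic" (upgrade, fail open) | "secure"
    explicit_template: Optional[str] = None      # user-configured DoH server, used in "secure" mode
    doh_send: Callable[[str, str], str] = None   # (template, name) -> answer; may raise DohUnavailable
    plain_send: Callable[[str, str], str] = None # (server_ip, name) -> answer over udp/53
    log: list = field(default_factory=list)      # (path, endpoint, name) per query, for auditing

    def template(self) -> Optional[str]:
        if self.mode == "secure":
            return self.explicit_template
        if self.mode == "automatic":
            return AUTO_UPGRADE.get(self.system_dns)   # unknown provider: nothing to upgrade to
        return None

    def resolve(self, name: str) -> str:
        tmpl = self.template()
        if tmpl is not None:
            try:
                answer = self.doh_send(tmpl, name)
                self.log.append(("doh", tmpl, name))
                return answer
            except DohUnavailable:
                if self.mode == "secure":
                    # explicit configuration: refuse rather than leak the query in plaintext
                    self.log.append(("fail-closed", tmpl, name))
                    raise
        # mode off, no upgrade entry, or automatic mode after a DoH hiccup: plaintext udp/53
        self.log.append(("plain", self.system_dns, name))
        return self.plain_send(self.system_dns, name)

# Simulated transports standing in for the network.
def healthy_doh(template, name): return f"{name} answered via {template}"
def blocked_doh(template, name): raise DohUnavailable("DoH packets dropped")
def plain_dns(server, name): return f"{name} answered via udp/53 {server}"

def last_path(mode, doh=healthy_doh, system_dns="203.0.113.53", template=None) -> str:
    """Run one query under the given conditions and report which path it actually took."""
    r = Resolver(system_dns, mode, template, doh, plain_dns)
    try:
        r.resolve("example.com")
    except DohUnavailable:
        pass
    return r.log[-1][0]

def downgrades(log) -> int:
    """Audit helper: number of queries that ended up on the plaintext path."""
    return sum(1 for path, _, _ in log if path == "plain")
```

The `log` is the kind of local record a host could ship to a SIEM to notice that DoH-capable clients are quietly answering over plaintext again.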

~~~
peterwwillis
I think this is phase 1, where phase 2 or 3 is "enabled by default and don't
fall back to plain DNS". So it's trivial to defeat until they change a
setting.

But that's not even the big problem here. The big problem is how big an impact
this will be on less-than-perfect networks.

The internet feels "snappy" because of DNS's speed and connectionless nature
(and a buttload of DNS caching). Once it relies on a connection-oriented
protocol, a lot of people's internet experience is going to start sucking
badly, and they'll have to modify more of the common internet protocols to
make it suck less again.

~~~
tialaramex
Conveniently DoH servers didn't exist years ago, so any that you're talking to
will be new. But new servers have no reason not to implement TLS 1.3, as does
Chrome.

In TLS 1.3 you can choose to avoid the handshake roundtrip but then you're
subject to a replay attack in which any request side effects happen again
because your legitimate request was replayed. The bad guys don't get to
understand the request or the answer, they just get to perform it, maybe
against a different node of a distributed system or in a different timeframe.
Conveniently DNS lookups are side effect free so this doesn't matter.

So that really cuts down on the potential additional latency compared to even
an HTTP GET.

------
WhitneyLand
So why is this better when people could still take the raw IP addresses and do
reverse look ups?

If I recall looking into the spec before there is a reason it’s an improvement
but I can’t recall what it was.

I know there are tons of servers behind proxies and so forth but still it
seems like over time databases could be built up to give some decent success
with this countermeasure.

~~~
vbezhenar
rocketspark.com -> 104.22.34.138

104.22.34.138 is one of the Cloudflare servers, it does not have a reverse DNS
record and you can't associate it with any specific website. If you're
monitoring traffic, you would have no idea what website the user is visiting
unless you can intercept his unencrypted DNS queries as well.

So CDNs increase user security a little bit.

~~~
mappu
If you're monitoring traffic you can see the SNI header in plaintext. ESNI is
not deployed yet (and is only as secure as DNS; that is maybe why browsers are
implementing DoH themselves instead of waiting for the OS).

------
politelemon
From what I have seen Firefox has already been taking a similar approach for
the past year. In enterprise environments, there's the ability to disable DoH.
And for general audiences, the ability to fall back to normal DNS if
necessary.

~~~
badRNG
The significant difference here is that Firefox has made it possible to
maintain Split DNS without managing and reconfiguring every device via a
network signal to continue to use split DNS (e.g. PiHole).

------
badRNG
What is the impact for an organization utilizing a BYOD policy that performs
DNS filtering? What about home users filtering via PiHole or pfSense or
parents that use local DNS filtering? Will every device's browser need to be
changed? Will Chrome revert in the presence of a network signal to use local
DNS (as is the case with FF)?

~~~
tptacek
Your local DNS filtering device can simply speak DoH; Pi-holes already do.
That's a non-problem.

------
kagenouta
Am I the only one thinking it's weird that this rolls out on ChromeOS first
but other Linux platforms (including Android) last?

~~~
RandomBacon
I don't think it's weird. If there's a problem, it limits who is affected or
allows them to fix it while the problem is small.

------
TheChaplain
Sigh, the two words Google and Privacy are like oil and water, but I
digress...

It will be interesting to see what reception this will get in some countries
where all ISPs are legally bound to modify DNS requests to prevent users
connecting to sites with content such as child pornography.

------
corford
What irritates me about DoH is it's lazy.

I get the impression Google, Mozilla etc. are genuinely irritated with crappy
networks and invasive ISPs meddling with DNS traffic. What I don't accept is
their decision to abuse their market positions to impose a quick, unilateral
solution that comes with a range of unfortunate long term implications and
secondary effects vis a vis centralization.

Imho, it would have been much, much better if they had used their resources
and clout to help fund & advocate for a general, independent transition over
to DoT for last mile and increased adoption of DNSSEC and DNSCurve upstream.

The world managed to move to encrypted email and www. Surely it could move to
encrypted DNS without browser vendors forcing us to split name resolution and
send half of it over HTTP?

~~~
comex
The problem isn't just ISPs meddling with DNS traffic, but ISPs passively
collecting DNS traffic and using it to track users, something which is
believed to have happened in the US on at least one occasion. [1] DoT to your
ISP doesn't help if you don't trust your ISP. There is also the risk of
collection by intelligence agencies.

[1] [https://gigaom.com/2014/05/13/atts-gigapower-plans-turn-privacy-into-a-luxury-that-few-would-choose/](https://gigaom.com/2014/05/13/atts-gigapower-plans-turn-privacy-into-a-luxury-that-few-would-choose/)

~~~
corford
If you don't trust your ISP, you are savvy enough to use a). a different
resolver or b). a VPN. In both cases, the decision is opt-in (which is what it
should be).

Edit: or option c). apply pressure to your government representatives to
update their privacy laws so ISP snooping doesn't happen in the first place.
It's a sad state of affairs when the ISP market has failed so badly that you
can't find an ISP you can trust.

~~~
comex
> If you don't trust your ISP, you are savvy enough to use a). a different
> resolver or b). a VPN. In both cases, the decision is opt-in (which is what
> it should be).

So you think that non-savvy users don't deserve privacy?

> Edit: or option c). apply pressure to your government representatives to
> update their privacy laws so ISP snooping doesn't happen in the first place.

That's definitely desirable. Heck, the snooping in question might already be
illegal in California under the new CCPA. But I don't see federal legislation
happening anytime soon, and the US is not the only jurisdiction lacking
privacy protections. And while privacy laws can prevent snooping for
advertising purposes, good luck convincing the government to outlaw snooping
by intelligence agencies. Ultimately, legal and technical measures are not
mutually exclusive, and we should use both.

~~~
axaxs
The non-savvy user gets zero privacy. Who cares about encrypted DNS when your
ISP sees every server you connect to?

------
TrueDuality
I don't see any mentions of it, so I'm assuming Google isn't using a canary
domain to see if they should enable DoH or not. Can anyone else confirm?

------
staticassertion
DNS logs are important in an enterprise. But I'm sure many would want to also
use DoH.

Does Chrome provide any audit logging for DNS while in DoH mode?

~~~
cosmojg
> DNS logs are important in an enterprise. But I'm sure many would want to
> also use DoH.

Really? Why? As someone who works in academia, I don't see why anyone would
need access to my or my colleagues' DNS logs, but I understand things might be
different in industry.

~~~
egyptiankarim
"Important" in the sense that many IT organizations have predicated their data
forensics and incident response capabilities on being able to intercept and
analyze traffic at arbitrary points within their corporate networks.

That's not to say that those choices reflect good architectural design, to be
sure quite the opposite. But like many things in enterprise IT risk
management, it comes down to where you spent your money, and things like
DoH/DoT will force certain organizations to admit "a lot in the wrong
place".

~~~
staticassertion
To be clear, I'm not asking for the ability to intercept DNS requests, or
encrypted traffic, at all. I'm fine (and encourage) encryption on the wire.
I'm just as happy to get the logs on the local system, and ship them off.

------
StreamBright
Bye bye DNS based ad blocking, hello malware straight out of Google ads.

~~~
mceachen
You can run a pihole that delegates to a local cloudflared service.

------
johnklos
Oh, get the heck out of here with "Secure DNS". Allowing Google to snoop on
all DNS is the opposite of safer and more private.

~~~
jefftk
_Chrome maintains a list of DNS providers known to support DNS-over-HTTPS.
Chrome uses this list to match the user’s current DNS service provider with
that provider’s DNS-over-HTTPS service, if the provider offers one. By keeping
the user’s chosen provider, we can preserve any extra services offered by the
DNS service provider, such as family-safe filtering, and therefore avoid
breaking user expectations._

Secure DNS is a "same-provider DNS-over-HTTPS upgrade" approach, and it sounds
like you're conflating it with a different design, where Chrome would talk to
Google-run DNS servers?

(Disclosure: I work at Google, speaking only for myself)

~~~
ve55
As far as I have noticed, the only time Google makes something 'more private for
everyone' historically has been when they themselves have found a superior
way to get around it.

Whether this is because the entire Internet uses Google Analytics, Gmail, etc,
or because they have a different more effective way of tracking DNS queries is
irrelevant, since they always manage to find a way due to being omnipresent.

~~~
tptacek
Yes, Google is pushing DoH because, internally, in the AdWords division,
they've broken elliptic curve DSA.

~~~
ve55
Not quite the implication I intended, but when you own something like Google
Analytics, you don't _need_ to see everyone's DNS queries, because you have
much, much more.

------
LeoPanthera
So both Firefox and now Chrome will ignore DNS-level malware blockers, such as
Pi-Hole.

Malware/Adware will inevitably start using the same tricks, if they haven't
already.

And of course DoH is impossible to block without also blocking all of HTTPS.
That's the point of it.

A case study in unintended consequences.

~~~
middleclick
You can turn it off?

~~~
LeoPanthera
In these two examples, yes. In more malicious future software? Certainly not.

------
garganzol
The relation between DNS and the internet is the same as between a boot protocol
and a computer.

By taking control over DNS, Google usurps the power and makes the open web a
walled corporate franchise of its own.

In other words, Google steals the open web from the world. It injects a
proprietary Trojan horse in the guise of security and establishes a total
dictating power, deciding on what can be published on the web and what cannot.

The choice of timing speaks by itself as well. A pandemic is a great mud water
to pull the trick like that.

Didn't you get enough stories about unwarranted pullouts of apps from Google
Store? Website pullouts are the subject of the nearest future if we allow that
to happen.

The community should boycott the centralized DNS-over-HTTPS (DoH) approach as it
clearly stands in the way of the Open Internet as it was originally designed. DoH
leads to a totally centralized, usurped, greed-driven future controlled by a
single corporate entity.

This should also bring the closest attention of anti-monopoly committees
around the world.

I know that not all people can grasp the danger DoH brings today, but this is
a very dangerous development that may lead to disastrous consequences for
communities around the world. Internet as we know it may just die.

~~~
sneak
DoH is a huge upgrade over unencrypted DNS. Google offering DoH (amongst
others) is no more a danger to web censorship than their deployment of the
Google Public DNS (8.8.8.8/8.8.4.4). Where was the outrage then?

It's tiresome seeing the same FUD over and over again each time DoH comes up,
whether Google, Cloudflare, or whoever. This is religion, not science.

Did the rlogin/telnet people suffer so when ssh was introduced?

~~~
garganzol
Not true. Public DNS is opt-in. Pushing DNS with the browser is lock-in.

So who spreads the FUD then? Google and Mozilla combined effort (read
Collusion) pushing this further warrants a thorough investigation.

~~~
sneak
Use of a specific browser is also opt-in (unless you are using an iPhone).

