
Experimenting with same-provider DNS-over-HTTPS upgrade - migueldemoura
https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html
======
londons_explore
> DoH would prevent other WiFi users from seeing which websites you visit,

This is _false_, and downright dangerous information. A network attacker can
still see that you are visiting pornhub.com even with DoH, since you are
sending the hostname in cleartext as part of the TLS handshake.

Google isn't a snake-oil security solution - they shouldn't be making such
false claims.

~~~
growse
> This is false, and downright dangerous information. A network attacker can
> still see that you are visiting pornhub.com

This won't be true as soon as ESNI gets implemented. (Chrome:
[https://bugs.chromium.org/p/chromium/issues/detail?id=908132](https://bugs.chromium.org/p/chromium/issues/detail?id=908132)
and Firefox nightlies have it already). However, ESNI is pretty meaningless if
you're making plain-text DNS requests, so DoH is a pretty important part of
the puzzle.

~~~
pjf
...and you think the sequence and timing of IP addresses your machine connects
to alone can't be used to easily infer the website you're browsing? Neither
DoH nor ESNI will make you more secure/private, but DoH will definitely make
some companies more powerful. That's not the Internet as we knew it until now.

~~~
vinay_ys
Thankfully, today's Internet is definitely not the Internet of the early 2000s
I remember – it was highly insecure and infested with viruses/worms everywhere.
Thanks to efforts like this, the Internet has gradually evolved to become more
secure and more useful for real-world applications.

Both DoH+ESNI will make me more secure and private. Here's why:

Today my home ISP has deployed middle boxes that inspect my traffic to profile
my browsing habits and serve me ads. They serve ads by doing click hijacking
on plain HTTP websites. Yeah, it's nasty and they do it at a huge scale.

Obviously, we have some legislative gaps to address here.

Irrespective of the legal gaps, I can make it more expensive for them to do
this by ensuring all of my traffic is fully encrypted (TLS 1.3 or wireguard).

They can still see IPs and do IP reverse lookup and traffic timing analysis
etc. But the information leaked this way is far less than today and
definitely not actionable immediately the way it is today.

Now, w.r.t. making some companies more powerful – that is not inherent to DoH.
DoH makes it possible for anyone to operate a secure and private resolver and
any client is still free to choose who should be their upstream DNS resolver.
Client auto-configuration protocols will evolve to support the ecosystem as
more DoH resolvers show up.

------
tptacek
Long story short: Chrome will do DoH DNS, but only if your current DNS
provider already supports DoH, and, for now, only as an experimental feature.

People are upset about Firefox's new default of routing DoH to Cloud Flare,
and I understand why. But it's useful to keep the issues distinct: DoH is a
good thing (your ISP should not be able to see your DNS queries), even if
routing them to Cloud Flare isn't.

~~~
tssva
DoH is a good thing when I configure it on a system level. Each individual app
bypassing the system DNS settings to implement DoH within the app is not a
good thing.

~~~
akerl_
As a thought exercise: why is the OS level the correct level for DNS
configuration? Why would the LAN not own this?

It seems interesting that the article and many comments here identify the
application level as inherently wrong and the OS level as inherently right.

What if you were running docker containers on a server? Is it incorrect for the
containers to set their own resolver settings?

~~~
viraptor
> Is it incorrect for the containers to set their own resolver settings?

For generic containers, it is. If you build your own very customised app, then
sure, you can control what it does. But if you build an app, you don't know
where/how I deploy it. It may be without internet access. It may be expected
to use private DNS zones. It may be expected to query mdns. The container
should not guess or assume those things.

~~~
akerl_
I think I agree with you, but also I think I feel the same way about generic
computers. I’d say that outside of specialized use cases, the OS is the wrong
layer to define DNS settings: the network is the correct layer. Because that
means that as computers move between networks, they handle things like private
zones.

That said, I also think that there’s no absolute truth for what constitutes a
“specialized use case”. I think if I’m the operator of a network, or a
computer, or a container, or an application, having it use custom DNS settings
is up to me. And Firefox/Chrome enable that: the operator can change the
setting to whatever they want.

Speaking to the default case, Firefox/Chrome moving towards DNS defined at the
app layer smells painful to me as a network operator, but ISP DNS interception
also smells to me, and for the normal consumer threat model and network
topology, Firefox/Chrome using CloudFlare DNS is essentially pure win. Most
consumer users aren’t on networks with split-horizon DNS, and most consumer
users aren’t at risk from CloudFlare logging their DNS requests, even assuming
they’re violating their published privacy policies.

------
iforgotpassword
On this topic: I recently learned about
[https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https](https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https)

Is this just a Mozilla one man show or are there plans by anyone else to
support this? Maybe make this a standard? Some googling revealed nothing...
Now the way Google does it sounds somewhat reasonable, but who knows what the
future will bring, or what other software will adopt DoH.

~~~
bugmen0t
The text on [https://use-application-dns.net/](https://use-application-dns.net/)
says that an attempt will be made to make it a standard through the IETF. But
only time will tell.

------
nickcw
Google make this point which I haven't seen in any of the arguments so far:

> In particular, we are aware of how DNS can play an important role in ISP-
> provided family-safe content filtering.

Lots of families with children use their ISP's safe browsing facilities which
is usually implemented via alternative DNS servers.

Yes, it is not terribly difficult to defeat, but it is cheap and effective for
small and non-technical children.

This does at least seem like a more sensible experiment than Mozilla's which
will break the above scheme for every Firefox user.

~~~
GrayShade
They address it in
[https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/](https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/).

------
nimrody
They say it will be enabled only for providers supporting this. Do they mean
DNS servers supporting DoH?

If a network DHCP server publishes a local DNS server that is not on the list,
DNS traffic will not be encrypted?

So a network operator wishing to continue spying on its users just needs a
local DNS proxy?

~~~
throw0101a
> _They say it will be enabled only for providers supporting this. Do they
> mean DNS servers supporting DoH?_

No, they say providers, and mean providers. They are starting their experiment
with a whitelist:

* [https://www.chromium.org/developers/dns-over-https](https://www.chromium.org/developers/dns-over-https)

If you're already using one of those then Chrome/ium will change from "plain
DNS" over to DoH. If you are _not using_ one of them already, then _nothing
will change_.

------
jwilk
Archived copy that can be read without JS enabled:

[https://archive.is/59JCD](https://archive.is/59JCD)

------
Lio
I'd be interested to know if this will affect the ability of things like Pi
Hole to block advertising and user tracking via DNS?

~~~
icebraining
I'm sure Pi Hole will have DoH support, so it should be fine as long as you
can still change the server (in the browser and/or OS). The only snag might be
mobile apps, in case they hardcode a DNS/DoH server instead of using the
system config; that may be hard to change without rooting the device.

~~~
throw0101a
> _I'm sure Pi Hole will have DoH support_ ...

We'll see.

Pi Hole uses DNSmasq as its DNS (and DHCP) server, and the few DNSmasq mailing
list threads I've seen on the topic seem to indicate that the DNSmasq
developers are not interested in either DoT or DoH. One said that it would be
difficult to implement because of architectural issues IIRC.

It may be necessary to use a front-end proxy:

* [https://dnsdist.org/](https://dnsdist.org/)

~~~
kchamplewski
Pi Hole already has documentation on how to use DoH with it, and it already
works:

[https://docs.pi-hole.net/guides/dns-over-https/](https://docs.pi-hole.net/guides/dns-over-https/)

Note: this is using cloudflared but that's just a DoH, it can and happily will
query whatever provider you tell it to.

~~~
icebraining
That's for upstream queries, I think we're talking about the connection from
the devices to the PiHole.

------
throwawaynihil
The only thing DoH gives anybody ... is even more of your private data to a
centralized provider with questionable ethics, and the only company more
ethically questionable than Google is Palantir. Run your own local resolver
and move on with your life.

~~~
growse
> ... private data to a centralized provider with questionable ethics

What, like your ISP?

~~~
ndidi
Not everybody lives in the US. I trust my ISP. They are cool, and their
handling of my data is regulated under the GDPR and other laws. CloudFlare?
Not so much.

~~~
growse
I am also not in the US. However, everywhere I look I see large ISPs with
questionable ethics who are centralized providers of DNS.

I'm struggling to see why DoH means "is even more of your private data to a
centralized provider with questionable ethics", which is what the OP said.

------
_Codemonkeyism
Does anyone know how much money Mozilla gets from Cloudflare? Do they get any?
I've tried to find something in Mozilla financial declarations but haven't
found anything.

~~~
ndidi
Might sound like a conspiracy, but yes, I think they are getting money. They
are definitely not sending the entire browsing history of users (DoH) and even
the contents (VPN[]) to CloudFlare and getting nothing in return... right?

[]
[https://news.ycombinator.com/item?id=20927832](https://news.ycombinator.com/item?id=20927832)

~~~
_Codemonkeyism
I'm not in the business of data, so I don't know what the browsing habit of
millions of people are worth.

