
Thai Database Leaks 8.3B Internet Records - zachberger
https://rainbowtabl.es/2020/05/25/thai-database-leaks-internet-records/?=may-23-2020
======
cbg0
> To be clear: DoH and/or DoT would have stopped the gathering of DNS query
> data in this case. It's simple to set up, and it's just a smart thing to do
> for anyone concerned about their privacy.

Actually, for most people that are not technically savvy this is definitely
not an easy thing to set up, nor are they even aware that DoH/DoT exist.

Unless this feature starts being turned on by default in routers and popular
software, the average user's DNS lookups will not be protected.

~~~
swiley
Most malicious ISPs disable DoH (ex: Verizon) so it likely wouldn’t have
solved this.

If you want it solved find a protocol that can be used in the libc resolver
and make it ubiquitous rather than goofing around with browser defaults.

~~~
microcolonel
How do they disable DoH? They block TLS over that port?

~~~
nix23
That's DoT; DoH is just a DNS query over HTTPS (443).

~~~
microcolonel
Alright, I repeat my question, since it's almost identical: how do they block
that? HTTPS starts with opening a TLS socket, how do they reliably determine
that they can drop that traffic?

~~~
cbg0
I don't know if Verizon is actively doing it, but since most providers that
offer DoH have well-known IPs, like 8.8.8.8, 1.1.1.1, 9.9.9.9, they could
easily just block traffic heading in that direction.

~~~
o-__-o
This follows along with what I read: at first it’s easy to block, but it’s a
losing proposition because anyone can stand up a DoH server (which is also a
network security nightmare).

~~~
manquer
Not sure what has changed security-wise. Anyone could also stand up a DNS
resolver. Many people use a hosts file or used a local resolver for dev domains,
for example; security-minded folks set up resolvers on an OpenWrt router, for
example, or use a Pi-hole.

Blocking popular DNS providers is a common tactic deployed by ISPs. It is
technically easy enough to bypass, depending on your skill level and interest
in doing so. Their strategy is to make it difficult for the majority of their
users, who won't know or care; users doing all this will not make a substantial
impact on the revenue generated from selling this data or from showing ads,
etc., so they don't make the effort.

DoT/DoH is not going to change this, Firefox's market share is not enough for
that. I don't see Chrome or Safari implementing this functionality at all.

~~~
o-__-o
Okay, that’s great for my developers; now what happens when they download some
malicious script that modifies their DoH queries to use its servers instead of
my corporate WINS?

------
baicunko
This is something that the average user fails to understand. One thing is
saying "I don't care if they check what I visit", but once you aggregate enough
information, it can become something of a "Big Brother".

With enough DNS data I can assure you I can see when you leave to work, get
back, determine the moment when you leave for vacation and no one is home,
etc.

~~~
sirn
(Disclosure: I'm Thai)

Especially in Thailand, where free speech is almost non-existent.

A few months ago there was a Twitter user who goes by the name "Anonymous"
("นิรนาม" in Thai) who was arrested for spreading fake news and being a
threat to the country. The Twitter user mainly tweets about topics subject
to lèse-majesté law. He never left any traces, which leaves the question of how
officials managed to track him down if Twitter claims they didn't receive any
requests from our government.

My small group of friends came up with one scenario where officials sent a
honeypot URL via Twitter DM, then traced him via DNS query logs. This is
assuming the scenario where he doesn't click on random links and uses a browser
that performs DNS prefetching of sorts. Everyone thought it was unlikely at
the time, partly because nobody thought the ISP would actually be logging all
DNS queries.

Apparently, all of us were wrong, at least on the latter.

~~~
WildGreenLeave
Just for my understanding: this wouldn't have happened if the user in question
had used a VPN and/or Tor, right?

Don't get me wrong, I really don't like this in Thailand and it's absurd that
you would even need something like that. As a foreigner visiting Thailand, I
don't feel that comfortable with my browsing habits. Usually I trust a local
provider enough to just browse and not care about what I'm looking up;
Thailand is not one of those places and I always use a VPN (mostly routed to
Singapore).

~~~
sirn
Yes, it probably wouldn't have happened if the user had used a VPN or Tor. If
the VPN or Tor setup doesn't leak DNS, at least.

------
kernyan
> Interestingly enough AWN had this DNS dashboard saved with a filter
> specifically looking at Facebook traffic. It's unclear why they would be
> particularly interested in who was going to Facebook.

One likely non-malicious explanation is that the telco is offering some plan
with data caps based on social media such as Instagram, Facebook, etc.
Searching around, I found the offering below for unlimited data on 9 social
media apps:
[http://www.ais.co.th/one-2-call/simcard/en/super_social.html...](http://www.ais.co.th/one-2-call/simcard/en/super_social.html?intcid=one2call-simcard-en-bt_detail-super_social)

I'm guessing one way the telco implements the selective cap is by tracking
users' DNS, and it is probably interested to know the traffic to Facebook.

------
Dolores12
AIS is a mobile operator, hence it assigns you a random IP from the pool every
time you reconnect to the network. An IP address could be used by many
different users during a day, definitely not a household as the author states.
Looks like useless data to me.

~~~
sirn
They also have residential internet (AIS Fibre) and also own another ISP (CS
Loxinfo). CS Loxinfo used to use their own DNS servers and such, but have
switched to use the same infrastructure as AIS Fibre (sharing IP address pool
and all) since 2019 or so.

Also, AIS mobile is IPv6 (2001:44c8:4400::/44) with CG-NAT since 2017. IIRC
they were giving out a /64 to every mobile client, but I'm not sure how long
the /64 assignment lasts.

------
dirtylowprofile
Can someone enlighten me as to who and what rainbowtabl.es is?

~~~
TN1ck
It's a blog run by the Head of Trust & Safety of Cloudflare.

------
lisk1
The solution for this is to tunnel the traffic through an encrypted connection
to servers in countries that respect a person's privacy (if that is true
nowadays). The easiest way is to use WireGuard: easy to set up, uses only one
port and has clients for many devices.

~~~
nurettin
If you trust your VPS DNS, the easiest way would be autossh -D<port> <user@host>,
then set your browser's SOCKS5 proxy to localhost:<port> and tell it to use
remote DNS when resolving domains. This requires no WireGuard setup, no
certificate generation or anything.
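The "use remote DNS" setting in this recipe (and the DNS-leak caveat sirn raised earlier in the thread) comes down to what the SOCKS5 client puts in its CONNECT request. The following Python is an added example, not code from anyone in this thread: it builds and parses those messages per RFC 1928, sending a hostname as the domain-name address type so the far end of ssh -D resolves it, and only IP literals pre-resolved. The proxy address, hostnames and ports are constructed sample values.

```python
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def connect_request(host: str, port: int) -> bytes:
    """Encode a CONNECT request. A hostname goes out as ATYP 0x03 so the proxy
    (the far end of ssh -D) resolves it; resolving it locally first is exactly
    what sends the query to the ISP's resolver."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: ship the name itself, unresolved
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length must fit in one octet")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple:
    """Decode a reply into (status, bound_address, bound_port); status 0 is success."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        end = 4 + (4 if atyp == ATYP_IPV4 else 16)
        addr = str(ipaddress.ip_address(data[4:end]))  # packed bytes -> text
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        addr = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type %#x" % atyp)
    return status, addr, struct.unpack("!H", data[end:end + 2])[0]


def open_via_socks(proxy: tuple, host: str, port: int) -> socket.socket:
    """Connect to host:port through a no-auth SOCKS5 listener (e.g. ssh -D on
    localhost, a constructed sample); the hostname is never resolved here."""
    s = socket.create_connection(proxy)
    s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))  # offer the NO AUTH method only
    ok = s.recv(2) == bytes([SOCKS_VERSION, 0x00])
    if ok:
        s.sendall(connect_request(host, port))
        ok = parse_reply(s.recv(262))[0] == 0x00  # 262 = longest legal reply
    if not ok:
        s.close()
        raise OSError("SOCKS5 handshake with %s:%d failed" % proxy)
    return s
```

Pointing the same code at an IP literal shows the contrast: with a hostname the tunnel endpoint performs the lookup, with a pre-resolved address the lookup already happened on the client, which is the leak.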

~~~
bouncycastle
I've been doing both and have to say WireGuard is much more performant and
stable than an ssh tunnel. Besides, it shouldn't be too hard to set it up on a
VPS.

~~~
GordonS
As a counter point about reliability, I've been tunnelling my HTTP traffic
(and DNS) through SSH (to get around corporate restrictions and monitoring)
for 10 years or so - I don't think I've ever had any reliability issues.

~~~
bouncycastle
I've had a lot of problems: latency, ssh TCP connections dropping packets and
the whole connection becoming unstable, manually configuring the proxy / browser
each time, and also sometimes you may forget to start the tunnel. You also need
to start a new ssh connection for each port you want to forward, so you end up
managing a bunch of ssh connections if you want to expose some services, for
example. WireGuard is deeper down the layers and just works without jumping
through hoops (none of the apps are aware of it and when it's on, it just stays
on). Of course, when all you have is ssh to get around pesky restrictions, then
I guess that will do fine too! ;-)

~~~
GordonS
A good point about switching proxies and apps that don't support SOCKS
natively.

I guess I've been dealing with those issues for so long they don't bother me
anymore!

Also, I use a great extension for Firefox, so I can switch to/from the proxy
in 2 clicks, "Proxy Switcher and Manager".

------
cm2187
There is a special place in hell for software developers who write server
software with no authentication by default.

~~~
a012
Some of them might respond with something similar to "if you know what you are
doing". Probably, security is someone else's job.

~~~
cm2187
Every single one of their customers is a customer who one day installed it for
the first time and didn't know what they were doing, because they didn't know
the product.

And with the complexity of modern software, imagine if the defaults in the
whole software stack, all the way down to the OS and hardware, were open by
default. You would need to be an expert in security to set up anything. Thank
god everyone else goes secure by default.

