
A cartoon intro to DNS over HTTPS (2018) - shekhardesigner
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
======
judge2020
I'll say what has been said time and time again in the past: CF should not be
the default server. There shouldn't be a default server. Have an onboarding
flow that says "choose DNS server" and allow the user to choose between
clearly-unencrypted endpoints (ISP/router, Google, quad9, etc) and encrypted
endpoints that use DoH.

And again, Google's DoH solution is infinitely less controversial: an upgrade
list[0] so that, if your computer/router advertises 1^4, it uses Cloudflare's
DoH. If it advertises 8^4, it uses [https://dns.google](https://dns.google).
It even works for a provider known as clean browsing[1] that filters DNS.

0: [https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html](https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html)

1:
[https://github.com/chromium/chromium/blob/711b1ba2735f8af4bd...](https://github.com/chromium/chromium/blob/711b1ba2735f8af4bd6359c6292e1875412df74f/net/dns/dns_util.cc#L146-L217)

~~~
mcnichol
Having a default vs needing to understand all of this?

Do you believe you are selecting the path of least resistance?

How many defaults in systems do you use today so you aren't configuring the
dials and knobs of a spaceship every time you power on?

Using Cloudflare as a default vs the ISP's defaults.

If you care you can learn and change them the same way we operate today.

The browser is a product, UX wins. How do I make my product easy to use while
still maintaining a security forward stance? Defaults.

~~~
mcnichol
> However, we’ve spent time studying these risks… and we have negotiating
> power. We worked hard to find a company to work with us to protect users’
> DNS data. And we found one: Cloudflare.

> Cloudflare is providing a recursive resolution service with a pro-user
> privacy policy. They have committed to throwing away all personally
> identifiable data after 24 hours, and to never pass that data along to
> third-parties. And there will be regular audits to ensure that data is being
> cleared as expected.

I think this is a fair and reasonable reason to land on Cloudflare if they are
willing to cooperate in interest of the user and make their organization open
to audits aligned to that.

I don't understand the hyped up hate on picking a default who is appearing to
be going over the top as an ally for end users' privacy, users aren't forced
into staying with, and would be an arguably more transparent starting point
than what people have today.

~~~
belorn
Reading what Cloudflare sells, people who have domains on Cloudflare and buy
the Pro, Business and Enterprise plans have access to DNS analytics that
displays DNS queries from Cloudflare's DNS servers, including geographic
information.

Personally I don't see how that product can coexist with the privacy policy.

~~~
elithrar
> Reading what cloudflare sells, people who have a domains on Cloudflare and
> buy Pro, Business and Enterprise plan have access to DNS analytics that
> displays DNS queries from Cloudflares DNS servers, including geographic
> information.

Those analytics are for authoritative queries against the domain(s) that you
have on Cloudflare; not for queries to any domain.

Not logging _recursive_ queries against their public resolvers - and it's
those recursive queries from end-users that hold the biggest risk to user
privacy - is an entirely different thing, and these two systems can co-exist.

~~~
belorn
The distinction between authoritative and recursive queries is not meaningful
in the context of DoH since that protocol is only about recursive servers. A
user who connects to Cloudflare through DoH is connecting through a recursive
server, and, knowing that the privacy policy says no logs, is unlikely to
expect that logs are kept if the domain owner happens to be a customer of
Cloudflare.

Cloudflare could do as Google does and not include any query that comes via
the public resolver. Any DoH query would thus be a black hole in regard to
analytics and only display data from users who used someone else's recursive
resolver for the query. In that way no logs from the public DNS resolver ever
end up as data, the privacy document is followed, and companies cannot buy
query data by becoming customers of Cloudflare.

------
throwaway191020
I have a concern.

DNS over HTTPS feels to me like we're edging towards end-to-end encryption for
DNS. This seems like a good thing, but even though it will protect against ISP
and state level observations of DNS, will it not reduce one's control over DNS
locally?

My threat model remains web site operators and the malware and tracking
inserted at that point. Additionally devices on the network that may observe
locally and communicate externally like TV boxes and games consoles.

To manage those threats I use Pi-Hole. But once we start end-to-end
encrypting, and especially when we start verifying those ends, how do I
locally intercept and manage DNS for my privacy and security?

Is this a genuine concern about DNS over HTTPS? Or is the plan to enable
systems like Pi-Hole to be a trusted and configurable resolver too so that
consumers retain the ability to control their own systems like this?

~~~
JoshTriplett
> will it not reduce ones control over DNS locally

No. Run your own DoH server, point your DoH client to your own DoH server, and
your DoH server can then provide any responses you want. (And it in turn can
use DoH or do standard recursive resolution.)

End-to-end encryption means that malicious parties can't MITM your traffic or
otherwise make you talk to the wrong destination server. That doesn't prevent
you from intentionally running your own local servers and pointing clients to
them.

If you have a client device on your network that you don't trust and can't
change the configuration of, it has far more secure methods for protecting
itself from you than just using DoH.

~~~
throw0101a
> _No. Run your own DoH server, point your DoH client to your own DoH server_
> ...

Except when the client ignores what you tell it. Per Paul Vixie:

    
    
       google, this is bogus as hell. my dhcp server gives you dns servers to 
       use. please don't make me route and answer 8.8.8.8 just to watch youtube.
       
       > [71] 2019-02-13 16:39:40.548137 [#68 vtnet0 4095] \
       >         [24.104.150.186].56915 [8.8.8.8].53  \
       >         dns QUERY,NOERROR,7357,rd \
       >         1 lh3.googleusercontent.com,IN,A 0 0 0
       > [71] 2019-02-13 16:39:40.548210 [#69 vtnet0 4095] \
       >         [24.104.150.186].56915 [8.8.8.8].53  \
       >         dns QUERY,NOERROR,49247,rd \
       >         1 lh3.googleusercontent.com,IN,AAAA 0 0 0
       
       (no, this device i've paid for, will NOT be allowed to send you any 
       information, other than what i personally approve, which will never 
       include DNS traffic. if you don't like that deal, buy it back from me 
       and i'll find some other video appliance that doesn't twist my arm.)
    

* [https://news.ycombinator.com/item?id=19170671](https://news.ycombinator.com/item?id=19170671)

Of course with DoH you can't just do a UDP redirect. With DoT, which uses
tcp/953, you can at least block access.

But with DoH, you have just lost control of your network. (Unless block 443
and force everything to go through a (Squid) proxy?)

~~~
josteink
> But with DoH, you have just lost control of your network. (Unless block 443
> and force everything to go through a (Squid) proxy?)

Expect “enterprise” network equipment using an approach like this to provide a
“DOH firewall” in the near future.

Net privacy gained: negative.

~~~
throw0101a
I've been on networks where everything had to go through a proxy, where
browsers were told how to act via WPAD/proxy.pac and you set an HTTPS_PROXY
env for wget/cURL to work.

------
zaro
I don't really understand what kind of improvement DNS over HTTPS is.

Yes, some middle parties won't be able to tamper with my DNS queries. At what
price? Total control for the people providing the DoH endpoints. So Chrome for
sure will be using Google DNS for this, and with their efforts to remove ad
blocking this fits nicely: you won't be able to simply use a DNS-based
blocker.

~~~
marksomnian
We already have this situation though - the people who control DNS resolvers
already have total control. ISPs have already been known to abuse this power
[0].

This proposal doesn't solve this problem. Rather, it solves the problem of
e.g. your ISP intercepting, logging and/or modifying your DNS request.

The solution will then just be to run your own DoH endpoint / proxy.

[0]: [https://arstechnica.com/tech-policy/2009/08/comcasts-dns-redirect-service-goes-nationwide/](https://arstechnica.com/tech-policy/2009/08/comcasts-dns-redirect-service-goes-nationwide/)

~~~
zaro
My first question in running my own DOH proxy will be how it works in my home
network?

Right now I have my own dns configuration on my router, and any device that
connects to the router is automatically using this dns. With DOH this doesn't
seem to be the case though. I'll need to go and change the settings for each
device to use my own DOH proxy. But whether I'll be allowed to do so is quite
unclear if you ask me.

Because what happens when Chrome says: "we have you covered, it's best to use
only our DNS over HTTPS. If you need something else you can buy an enterprise
subscription"

~~~
zamadatix
Are you worried about things like Chrome fucking you over or are you worried
about DNS encryption? The former does not require the latter, it's just one of
a million ways to do it. Probably one of the more roundabout ways to be
honest.

~~~
zaro
You are right, Chrome doesn't need the DNS encryption to screw me.

But I think what they need is screw all of us, in a way which we won't resist
much because it's for our own good.

------
ohazi
One of the big concerns here is that this is another instance of "making the
internet less decentralized by leaning on Cloudflare."

Someone once pointed out that if the NSA wanted to build a front company whose
goal was to make hoovering up the internet easier, it would probably look a
lot like Cloudflare. I'm generally not much of a conspiracy theorist, but this
one has been frustratingly difficult to shrug off.

~~~
tedk-42
I wonder how long it will take for conspiracy comments like these to pass.

Anyone know how long it took for people to trust Lets Encrypt? Or did we all
forget (myself included) of the times when people talked about the issue of
trusting some random 3rd party handing out free certificates?

~~~
ohazi
You don't need to trust Let's Encrypt anywhere near as much as you need to
trust Cloudflare.

With Let's Encrypt, I generate my own encryption keys and never show the
private key to anyone. LE just signs the public key. The risk is that they
might also sign _someone else 's_ public key as being valid for my domain. But
my servers will reject any traffic that isn't encrypted with my real public
key. The best an attacker could do is set up a phishing operation.

But _any_ CA can improperly sign a public key as being valid for my domain,
not just LE. This is just a result of the CA system being broken by design.

On the other hand, Cloudflare is usually only useful if you let them terminate
TLS on your behalf. So you have to give them your private key, and they really
do have access to all of your traffic. At this point, they can do whatever
they want with it, largely undetectably (i.e. without the risk of releasing
obviously fake certificates into the wild).

------
peanut-walrus
So they start with talking about ESNI and then kinda completely gloss over it
afterwards. Yeah you can reuse the TLS session if several sites are using the
same CDN, however, this is again relying on centralization for privacy.

The cool thing about DNS architecture is the fact that it is decentralized.
Mozilla's plan with DoH tries to fix missing features in DNS by getting rid of
arguably the biggest killer feature DNS has.

Furthermore, several governments use DNS right now to block websites deemed
illegal in their country. Not just authoritarian states that attempt to censor
material critical to the regime, but also western countries (copyright
infringement, child porn, gambling, etc). Does Mozilla and Cloudflare
seriously think they will just go "oh ok, I guess everything is unblocked
again now". No, they will either force Cloudflare to do the same or force
local ISPs to implement even stronger filtering controls.

~~~
zamadatix
Aside: I've never understood how DNS is decentralized.

The internet: I get a number (from a central authority), I plug into other
numbers, a path to my number appears. Sounds pretty decentralized once I have
a number it's up to peering.

DNS: I get a name (from some authority) under a hierarchy. To look names up in
this hierarchy you start with sanctioned root servers (from a central
authority) which point you to TLD lookup servers (sanctioned by the same
authority) which are the authority for that level and so on until you get to
your name. Doesn't sound very decentralized, the only portion that's
decentralized is the cache.

Anyways to your original point: I disagree losing a layer or two of
distributed cache servers (depending on the deployment) is "the biggest killer
feature DNS has" and I think encrypted randomization and stepping towards end
to end integrity are better "killer features" that haven't been able to take
off with traditional DNS.

> Furthermore, several governments use DNS right now to block websites...

So it has to be air tight in standing up to the worlds governments to provide
value over being unauthenticated plain text? Even in the cases of governments
you'd be surprised how far making it more difficult goes in the volume of
collection or how it makes governments have to explicitly admit they are
monitoring particular traffic due to the way the technologies work.

~~~
throw0101a
> _Aside: I've never understood how DNS is decentralized._

I use my ISP's recursive DNS resolvers (or not); you use your ISP's recursive
DNS resolvers (or not). Anyone that wants to track "everyone's" browsing has
to track a whole bunch of ISPs (and 3rd party DNS operators) if they want to
keep a database of activity. There is no central facility that has everyone's
DNS requests, unlike (e.g.) MSN Messenger back in the day where all traffic
was transferred through the central system.

Further, because of caching, it is impossible to get exact numbers on people
querying DNS. So while the records for www.youtube.com are in a central place,
the exact number of people sitting on their couches at home asking for the A
record is masked by people's home routers doing caching and also their ISP DNS
servers (which the home routers talk to) doing caching.

So there is no "central DNS" server that does hostname-to-IP mapping: there
are (tens of) thousands--millions if you count people's home
Linksys/Dlink/Asus routers running dnsmasq (or whatever).

~~~
zamadatix
Yeah that's a fair take on it being privacy decentralized from a query
disaggregation perspective, thanks.

------
belorn
Over the year of discussions in regard to DNS over HTTPS I find the best
illustration is to look at email. Your email client on the phone or PC sends
an email over SMTP to an email server, the server looks at the address and
contacts the recipient server and delivers the request. In email it is
client->MTA->server-recipient. In DNS it is client->Resolver->Authoritative-
server with the answer traveling back in the chain.

A little historical similarity: ISPs used to provide default MTA servers just
like they do with resolvers. Nowadays most people use an email provider of
choice.

So let's now imagine we solved the plain text problem of email by having the
client use a default list of trusted MTAs, with Thunderbird defaulting to
partner with Gmail, and just sent it there over HTTPS. Gmail would take the
email and forward it in plaintext to the recipient server.

Email security did not follow that path. There we collectively decided to
first encrypt communication between the client and the MTA using TLS,
addressing the first step in the chain. Then the communication between MTA and
recipient server got encrypted. In order to prevent downgrade attacks there
are also currently two competing standards, one based on DNS and the other on
an HTTPS side channel. Looking at email, we are also almost done converting
the plain text protocol to encrypted:
[https://transparencyreport.google.com/safer-email/overview](https://transparencyreport.google.com/safer-email/overview)

The general question is then, why not just copy the success of email? The
answer it seems is about money. No company got more users or data when email
protocols got encrypted. Cloudflare however will benefit if everyone routes
their DNS through them as that gives them a comparable performance benefit
when people use them as a hosting provider. They also say they won't sell
data, but people who move their domain hosting to Cloudflare and pay for the
Pro, Business and Enterprise plans can get access to DNS analytics.

~~~
scrollaway
Whatever happened to DNSCrypt? I remember setting it up and happily using it
for over a year without any issues a few years ago.

~~~
jedisct1
Still here, still what most public secure DNS run, still secure and reliable,
still being constantly improved, and new implementations keep being written.

[https://dnscrypt.info](https://dnscrypt.info)

The protocol was recently extended with Anonymized DNS, a mechanism that hides
client IP addresses from resolvers by using relays dedicated to secure DNS
forwarding. A new network of DNS relays is currently being deployed.

[https://www.reddit.com/r/dnscrypt/comments/dhoxah/anonymized...](https://www.reddit.com/r/dnscrypt/comments/dhoxah/anonymized_dns_is_here/)

dnscrypt-proxy, the reference client implementation, is at version
2.0.29.beta3, released yesterday.

There is a new, easy to use and deploy implementation in Rust to add DNSCrypt
support server-side, Encrypted DNS Server:
[https://github.com/jedisct1/encrypted-dns-server](https://github.com/jedisct1/encrypted-dns-server)

DoH, DNSCrypt and DNS relaying can happily share the same TCP port 443.

A complete protocol description has been available for years, but turning it
into an IETF document is time consuming. It will eventually happen, but as an
independent project, writing software has been prioritized over marketing.

~~~
scrollaway
Thanks for the information. Are you involved with the project?

~~~
jedisct1
A little bit. I run some public DNS servers.

------
xg15
As another post on HN argued a few weeks ago and as is stated in this article
again:

> _After you do the DNS lookup to find the IP address, you still need to
> connect to the web server at that address. To do this, you send an initial
> request. This request includes a server name indication, which says which
> site on the server you want to connect to. And this request is unencrypted._

Note that, until encrypted SNI is in place, DoH does not actually increase
your privacy. Your ISP can still track all domains you connect to by analyzing
the SNI header. The only thing they cannot do anymore is block or redirect any
of the domains.
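
The leak xg15 describes is concrete enough to show on the wire. The block
below is an added example, not from the article: it assembles a minimal TLS
ClientHello carrying a server_name extension (RFC 6066) and then pulls the
host name back out the way a passive on-path observer would. The ClientHello
is constructed here, not captured, and omits fields that do not matter for
the point (the random is zeroed, there is one cipher suite and no other
extensions). Until encrypted SNI is deployed, every TLS connection, including
one to a DoH resolver, announces its destination this way.

```python
"""Build a minimal TLS ClientHello with SNI and extract the server name from
it as a network observer could. Added example; the ClientHello is constructed
here, not real traffic, and is the minimum needed to carry the extension."""
import struct


def build_client_hello(server_name: str) -> bytes:
    """TLS record (type 22) wrapping a ClientHello with one cipher suite,
    the null compression method and a server_name extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ext type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    body = (
        b"\x03\x03"              # client_version: TLS 1.2 on the wire
        + bytes(32)              # random, zeroed for the example
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:
        return None                      # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                      # handshake, but not a ClientHello
    off = 4                              # msg_type + 3-byte length
    off += 2 + 32                        # version + random
    off += 1 + hs[off]                   # session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
    off += 1 + hs[off]                   # compression_methods
    if off + 2 > len(hs):
        return None                      # no extensions block at all
    ext_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        data = hs[off:off + length]
        off += length
        if ext_type != 0x0000:
            continue
        pos = 2                          # skip ServerNameList length
        while pos + 3 <= len(data):
            name_type = data[pos]
            name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            name = data[pos + 3:pos + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii")
            pos += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("news.ycombinator.com")
    print(extract_sni(hello))
```

Everything `extract_sni` reads is in the clear in the first packet of the
connection, which is why DoH alone hides the lookup but not the visit; the
server's certificate in a TLS 1.2 handshake is a second, equally visible copy
of the same information.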

------
ga-vu
My problem is that this is highly overhyped by the Mozilla/Cloudflare PR
teams, and both companies stand to make money out of it.

A better solution would be DoT+DNSSEC:
[https://twitter.com/jschauma/status/1184483451111727106](https://twitter.com/jschauma/status/1184483451111727106)

I don't trust Mozilla anymore, especially after becoming a VPN vendor and
partnering with Cloudflare. They now have commercial interests in pushing
standards down on everybody, similar to Google.

~~~
oskapt
My ISP (Entel Chile) started blocking DNS requests to non-Entel servers in
July. DoT would not give me a way around this, because they can still see that
it is DNS traffic by the port. DoH mixes DNS traffic in with the noise of
HTTPS traffic, allowing me to run my own DoH resolvers and bypass their
restrictions.

~~~
throw0101a
> _DoH mixes DNS traffic in with the noise of HTTPS traffic, allowing me to
> run my own DoH resolvers and bypass their restrictions._

And when malware gets on your network and starts using DoH to get around
_your_ home resolvers, what will you do?

* [https://www.zdnet.com/article/first-ever-malware-strain-spot...](https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/)

* [https://www.zdnet.com/article/psixbot-malware-upgraded-with-...](https://www.zdnet.com/article/psixbot-malware-upgraded-with-google-dns-over-https-sexploitation-kit/)

As someone who works in IT, this is my problem with DoH.
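
The "DoH firewall" josteink expects and the "malware gets on your network and
uses DoH" worry above come down to the same detection problem: a device is
resolving names without going through the resolver you gave it. The block
below is an added example, not any product's logic: it runs a classifier over
constructed, Zeek-style flow records and flags both the plain-DNS case from
the quoted Vixie log (a device talking to 8.8.8.8:53 despite DHCP) and the DoH
case (port 443 to a known public resolver, matched on the SNI or, failing
that, the destination IP). The network ranges and the resolver watchlist are
assumptions to replace with your own inventory.

```python
"""Flag devices bypassing the local resolver by plain DNS or by DoH.
Added example; flow records are constructed and the LOCAL_* values and
watchlists are assumptions, not a vetted feed."""
from collections import namedtuple
import ipaddress

Flow = namedtuple("Flow", "ts src dst dport proto sni")

# Assumption: the home network and the resolver DHCP hands out.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")

# Watchlist (assumption; extend from your own inventory): addresses of public
# resolvers that also serve DoH on 443, and the host names their DoH
# endpoints present in the TLS SNI.
DOH_RESOLVER_IPS = {ipaddress.ip_address(a)
                    for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}
DOH_SNI_NAMES = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def classify(flow: Flow):
    """Return a reason string if the flow sidesteps the local resolver, else None."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in LOCAL_NET:
        return None                                   # only judge our own hosts
    if flow.dport == 53 and dst != LOCAL_RESOLVER:
        return "plain DNS bypassing local resolver"   # the Vixie appliance case
    if flow.dport == 443:
        if flow.sni and flow.sni.lower() in DOH_SNI_NAMES:
            return f"DoH to {flow.sni} (SNI match)"
        if dst in DOH_RESOLVER_IPS:                   # SNI absent or unknown
            return f"probable DoH to {flow.dst} (resolver IP on 443)"
    return None


def find_bypasses(flows):
    """Run classify over a batch and return (src, dst, reason) for each hit."""
    findings = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            findings.append((flow.src, flow.dst, reason))
    return findings


# Constructed flow records, not a real capture.
SAMPLE_FLOWS = [
    Flow("2019-10-21T10:00:00Z", "192.168.1.23", "192.168.1.1", 53, "udp", ""),          # sanctioned
    Flow("2019-10-21T10:00:01Z", "192.168.1.40", "8.8.8.8", 53, "udp", ""),              # hard-coded resolver
    Flow("2019-10-21T10:00:02Z", "192.168.1.40", "8.8.8.8", 443, "tcp", "dns.google"),   # DoH, SNI visible
    Flow("2019-10-21T10:00:03Z", "192.168.1.51", "1.1.1.1", 443, "tcp", ""),             # DoH, SNI not logged
    Flow("2019-10-21T10:00:04Z", "192.168.1.23", "203.0.113.7", 443, "tcp", "www.example.com"),  # ordinary web
]

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_FLOWS):
        print(hit)
```

The IP match is the weak link: it only works while resolvers sit on dedicated
addresses, and the SNI match disappears once ESNI ships, which is the point
behind "net privacy gained: negative". A resolver that is not on any list (a
DoH endpoint the malware operator runs themselves) is invisible to this check
entirely; what remains is the policy control, blocking 53 and 853 outbound and
forcing 443 through something that can see the request.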

~~~
KyleJ61782
That was already a possibility even before all of this DoH publicity. Mozilla,
etc. pushing DoH publicizes its availability, but there was nothing in the
past preventing malware from tunneling all sorts of traffic over HTTPS. DNS
inspection isn't an end-all, be-all for malware security. It just gets the low
hanging fruit.

~~~
throw0101a
There was a lot of low-hanging fruit given that most malware writers aren't
going to set up all of this infrastructure for custom protocols.

And even when they did, creating various C&C servers, the lack of ESNI would
allow for detecting activity once the daily domain creation algorithm was
reverse-engineered:

* [https://blog.malwarebytes.com/security-world/2016/12/explain...](https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/)

------
jwilk
Previous discussion:

[https://news.ycombinator.com/item?id=17196415](https://news.ycombinator.com/item?id=17196415)

------
user827272
> So how do we fix these?

> Avoid untrustworthy resolvers by using Trusted Recursive Resolver.

If it's to trust a resolver just 1.1.1.1 (or whatever)

> Protect against on-path eavesdropping and tampering using DNS over HTTPS.

This is the only real change, but it is useless for everything outside a CDN,
which is basically everything that matters for users

> Transmit as little data as possible to protect users from deanonymization.

QNAME minimization can be done already, it is not a DoH thing
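
What QNAME minimization (RFC 7816) actually changes is which name each
upstream server gets to see. The block below is an added example, not from
the article or any resolver: it lists the queries a minimizing resolver sends
on the way to an answer next to the classic sequence, and reports what each
zone learned. It assumes every label is a zone cut; a real resolver discovers
cuts from the referrals it receives and may have to send extra queries where
a label is not one.

```python
"""Query sequences with and without QNAME minimization (RFC 7816).
Added example; assumes each label is a zone cut, which real resolvers
cannot know in advance and instead learn from referrals."""


def minimized_queries(name: str, qtype: str = "A"):
    """(zone asked, qname sent, qtype) for a minimizing resolver: each zone is
    asked only for the next label down, as an NS query, until the last step."""
    labels = name.rstrip(".").lower().split(".")
    steps = []
    zone = "."
    for i in range(len(labels) - 1, -1, -1):
        qname = ".".join(labels[i:]) + "."
        steps.append((zone, qname, qtype if i == 0 else "NS"))
        zone = qname
    return steps


def classic_queries(name: str, qtype: str = "A"):
    """Same walk without minimization: every server on the path sees the full
    name and the real query type."""
    labels = name.rstrip(".").lower().split(".")
    full = ".".join(labels) + "."
    zones = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]
    return [(zone, full, qtype) for zone in zones]


def exposure(steps):
    """Map each zone's servers to the name they were shown."""
    return {zone: qname for zone, qname, _ in steps}


if __name__ == "__main__":
    for step in minimized_queries("www.example.com"):
        print("minimized:", step)
    for step in classic_queries("www.example.com"):
        print("classic:  ", step)
```

The root and TLD operators, the parties with the widest view, go from seeing
`www.example.com.` and its query type to seeing only `com.` and
`example.com.`; this is independent of transport and works the same over
plain UDP, DoT or DoH, which is the point the comment makes.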

------
colllectorof
Firefox could make a long-needed replacement for DNS, but they chose to spend
all this effort on adding more duct tape to the current system, while also
contributing to its centralization (more control to Cloudflare, yay).

DNS was a passable solution in the 80s, but right now it's absolute shit.

------
davidjnelson
This is really exciting for security. Lin, you are so talented!!! Great work
explaining this, wow!

------
rishav_sharan
Why is there no Google container extension?

Sometimes it feels that Mozilla is just paying token lip service to the idea
of privacy.

~~~
tasogare
With 90% of their money coming from Google for decades they can’t bite the
hand that feeds them. The question is why Google is keeping them afloat? My
guess is that a few million here and there to create the illusion of
competition is way cheaper than having a monopoly investigation.

------
sdan
This is why I love Cloudflare. Makes everything secure and faster... for free
(not to mention how easy it is to make records and go into developer mode to
purge caching for a bit)

~~~
avian
Have you asked yourself how they can make everything free? What are their
incentives? When they successfully centralize the majority of DNS resolving,
what could they do with that power? Keep in mind that even if their motives
are pure at the moment, management and ownership of companies can change.

Look a few years back and you’ll find similar enthusiastic comments about
Google: they make everything better and for free. Everyone should use their
search, everyone should move to GMail, etc.

~~~
sdan
Good points. As others have said, I'll probably move off later on, but for now
I intend to stay with them (similarly I've been with Gmail for a while and now
moved off to stuff like Fastmail, hosting my own "dropbox", etc.).

Primarily because for beginners it's a bit easier to setup everything without
much hassle.

