
Internet group brands Mozilla “internet villain” for supporting DNS privacy - muxator
https://techcrunch.com/2019/07/05/isp-group-mozilla-internet-villain-dns-privacy/
======
detaro
dupe:

[https://news.ycombinator.com/item?id=20362548](https://news.ycombinator.com/item?id=20362548)

[https://news.ycombinator.com/item?id=20358300](https://news.ycombinator.com/item?id=20358300)

------
lol768
Tells me everything I ever wanted to know about ISPA. Did they even notice the
juxtaposition of recognising Sir Tim Berners-Lee with an award for a campaign
to "protect the open and free nature of the Internet" and simultaneously
branding Mozilla a "villain" for their work on DoH?

Was glad to see my ISP (Netcalibre) is _not_ a member and sponsors the Open
Rights Group instead:
[https://twitter.com/lchost/status/1147090360226783233](https://twitter.com/lchost/status/1147090360226783233)

AAISP should also be commended for donating an amount equal to the ISPA
membership fees directly to Mozilla:
[https://twitter.com/aaisp/status/1146803916853645314](https://twitter.com/aaisp/status/1146803916853645314)

~~~
philjohn
AAISP's Twitter post on it was amazing ... snark personified, and why they are
one of the best ISPs in the UK - technically brilliant management of their
network and all around decent people.

------
CommieBobDole
So they built a content-blocking feature based on a design flaw that can be
trivially bypassed? And now the people who are bypassing the flaw are
villains?

That's some top-notch work there, ISPA.

------
jchw
I’ve been gleefully watching DNS over HTTPS break all kinds of things that are
terrible practices, including ISPs that hijack NXDOMAIN responses for SPAM
search pages even when using other DNS providers.

Here’s to hoping someone comes up with better solutions for captive portal
redirects, though.

~~~
phantom784
Should be easy to work around in the short term. The browser just needs to
request a well-known "test" domain (like example.com) and detect if it gets a
redirect. Keeps portals working without compromising the privacy of real DNS
lookups.

~~~
dijit
My go-to: captive.apple.com

~~~
diabeetusman
Similar, but another option is neverssl.com

------
nathan-io
Understandable. How are ISPs supposed to keep mining and monetizing browsing
history if everyone starts using DoH?

~~~
feanaro
By looking at SNI, sadly.

~~~
yegortimoshenko
[https://blog.cloudflare.com/encrypted-sni/](https://blog.cloudflare.com/encrypted-sni/)

~~~
a012
We're still far from seeing eSNI in mainstream.

------
hedora
I cannot imagine a stronger endorsement of DNS-over-HTTPS than the content of
this article. How do I set my router to proxy all outgoing DNS to HTTPS?

~~~
anaphor
Your router is going to have to support it somehow. It's much easier to just
run a local resolver like stubby + dnsmasq.

Apparently Cloudflare also has some kind of daemon you can run on Windows, but
I don't know if I would recommend that route.

------
skywhopper
Bad headline by TechCrunch. This is not an "internet group" (which in context
implies something like ICANN). It's a UK-specific business association of ISPs
who have an interest in preventing browsers from assisting user privacy.

------
anaphor
Here are some great instructions on how to get set up with Stubby, which is a
DNS over HTTPS resolver you can run on Linux. I was able to get it working
fairly quickly. The instructions apply to pretty much any distro (I got it
working on both Arch and Ubuntu). You can also easily set it up to work with
dnsmasq to do caching.

[https://wiki.archlinux.org/index.php/Stubby](https://wiki.archlinux.org/index.php/Stubby)

After setting up dnsmasq I did not notice any performance hit, and in fact it
worked more reliably than my previous DNS settings.

~~~
snvzz
It's also possible (and I recommend) to set up the DNS resolver for the LAN to
be unbound (OpenBSD's recursive DNS server, supports DNS over HTTPS), thus
allowing all devices in the LAN to transparently use DNS over HTTPS.

Alternatively, there's dnscrypt-proxy, but it's somewhat slow and eats way too
much RAM.

------
kreetx
There are other ways to protect the users. The people deciding on these awards
should inform themselves better on the _whys_ of it. Instead of labeling,
perhaps ISPA should look into collaboration with Mozilla instead?

------
saltyshake
This is bad news for a lot of users in countries with censorship. The censors
would end up blocking entire IP ranges if they can't block domains.

~~~
ptaipale
And then the censors' regimes fall back in technical and economical
development, while they really can't stop true adversaries anyway.

------
vorticalbox
Most VPNs also contain DNS queries, so ISPs can't see them. How is this any
different?

~~~
DavideNL
I suppose because only a small percentage of the population (techies) uses a
VPN.

Now, everyone (who uses Firefox) gets this feature and apparently soon it will
also be enabled by default:

 _"...the goal of deploying DoH by default for our users"_ :
[https://blog.mozilla.org/security/2019/04/09/dns-over-https-...](https://blog.mozilla.org/security/2019/04/09/dns-over-https-policy-requirements-for-resolvers/)

------
verisimilitudes
Oh yes, use DNS over HTTPS for your privacy. Just look at these organizations
that oppose it. While I'm at it, you totally can't break into an Apple iPhone™
and all the cool pedophiles should be using that, for safety.

DNS over HTTPS does nothing for privacy and merely takes control from the DNS
providers or user. Companies want to be able to run everything over HTTPS so
you can't block any of it without blocking all of it. They can go to Hell.

------
syshum
My biggest problem with Mozilla's DNS over HTTPS is their partnership with
CloudFlare

Cloudflare is not a supporter for Free and Open Internet, and is just as much
a danger to online privacy as the rest of the Large Technology Companies like
Google and Facebook

Edit: The Undying Support for CloudFlare is amusing, reminds me of all the
defenders of Google years ago until they turned evil... Power Corrupts, the
key is to not give these companies the power. The amount of data that flows
through CloudFlare's various products should be alarming to anyone that
understands Computer Science, history, etc. Sad that many here are willfully
ignorant to the threat CloudFlare poses.

~~~
mfatica
[citation needed]

~~~
zzzcpan
Cloudflare doesn't welcome you if you don't let it track you and run arbitrary
code it injects. You can verify that by disabling javascript and/or using
proxies, vpns, tor.

