
Where is the DNS headed? - m-app
https://www.potaroo.net/ispcol/2020-06/row.html
======
Hnrobert42
If I understand correctly, the author presents a case for securing DNS by
moving away from a shared directory toward application-specific directories.
At the end, he takes a sharp turn to worry that such a move will tear apart
the openness of the internet. I suppose an analogy is moving from phone
numbers, with shared telco-managed directories, to chat apps managing their
own directories. You can’t contact me on Instagram with my HN handle because
they don’t use shared directories.

Ok, but there are more important reasons. Walled-garden directories is a
symptom not a cause. For that matter, SNI and path-based load balancers are
examples of the application-level address resolution overlay already in
practice. Those techniques merely implement, not drive, balkanization.

Basically, application-layer DNS doesn’t pass the “but for” test. As in, it is
not correct to say “but for application-layer DNS, Facebook/WeChat/Google
couldn’t build walled gardens. With it they can.”

------
dpenguin
There are a lot of arguments about how DoH with TLS 1.3 will give us privacy
etc by the proponents of DoH(not this article).. but it’s basically moving the
trust from ISPs to CDNs. There are fewer major browsers and fewer major CDNs
than ISPs, I suppose.. so not sure if it’s a good move.

~~~
Ericson2314
Why can't the ISPs run DoH too?

I agree that due to _social_ issues the problems are fairly real (ISPs ain't
gonna do shit). But on a purely technical level DoH should be fine.

~~~
gsich
They can. But the problem lies with Browsers (looking especially at Firefox)
just ignoring that. The technical aspects of DoH (or DoT) are fine.

~~~
tialaramex
Mozilla provides a clear policy for how you get your resolver onto their list.
US ISPs (the DoH resolver is only enabled by default in the US) _could_ obey
that policy and apply to be added to the list.

But it seems like none of them have done that. Maybe the policy terms are
objectionable? Let's see:

"Only aggregate data that does not identify individual users or requests may
be retained beyond 24 hours."

But how will the poor ISP make extra money selling DNS query information?

"When a domain requested by the user is not present, the party operating the
resolver should provide an accurate NXDOMAIN response and must not modify the
response or provide inaccurate responses that direct the user to alternative
content."

An ISP that obeys this can't put up advertising banners or sell search engine
redirects when you typo a name - they'll have to actually earn money providing
Internet service instead.

~~~
gsich
Mozilla can't verify that the providers behave. Apart from the obvious
NXDOMAIN answers (not many providers will do so).

Also it is questionable why a free service would be better then a paid one. If
one assumes that the ISP is evil, DNS providers are not suddenly less evil.

~~~
tialaramex
As with its Trust Store Mozilla operates in public. If you believe that
providers aren't behaving you can and should present evidence to the
community.

Mozilla isn't suggesting you choose services based on how cheap they are, but
on whether they implement these policies.

NextDNS, who are on Mozilla's list, offer a paid service if you want
advertising filters or porn filtering or whatever but if you're damn sure you
"get what you pay for" then pay them their subscription fee and don't switch
on any filters.

~~~
gsich
>Mozilla isn't suggesting you choose services based on how cheap they are, but
on whether they implement these policies.

Mozilla doesn't know if they do. They can't verify it. So if Mozilla says
"Cloudflare and Nextdns adhere to our policies" it's not verifiable by me and
neither by them. I don't see a "trust but verify"-implementation. This is my
gripe with this behaviour.

------
Santosh83
How is DoH a net loss to decentralization (by moving to a few major cloud
providers) when DoH is merely encrypting the information to prevent MitM
spying? Surely nothing stops your favourite ISP or any other local startup
from providing DoH services right? Presumably the DNS servers will still talk
to each other on the backend over plain text, but if a DoH front-end can be
provided by ANY DNS service then how can it be accused of centralising the
Internet?

~~~
vetinari
> How is DoH a net loss to decentralization (by moving to a few major cloud
> providers) when DoH is merely encrypting the information to prevent MitM
> spying?

It is not merely encrypting the information. Hand-in-hand comes running the
resolvers (which, as you noted everyone can) and having all the DNS-using
software use them.

Which is much bigger problem, that causes the centralization. Applications are
coming today hard-coded for a specific resolver. Configuring it is
application-specific and not-automatable, and certainly not automatable in
generic manner for all applications. I.e. as a network operator you cannot say
that everyone should be using this or that resolver, as you can with the plain
old 53/udp DNS and DHCP.

Users are not going to reconfigure each and every application every time they
change their network. They will leave it at the default value. The net effect
is that the centralization will _just happen_.

~~~
zamadatix
Applications can choose to ignore the system resolver regardless if it's over
UDP or HTTPS. DoH/DoT is showing up in operating system resolvers just not as
fast as apps like browsers were willing/able to add it. Standard DHCP options
for defining DoH details are still missing though (I think, haven't checked in
a while)

~~~
vetinari
> Applications can choose to ignore the system resolver regardless if it's
> over UDP or HTTPS.

They can, but up until Firefox legitimized this practice, they didn't, maybe
except some malware.

> DoH/DoT is showing up in operating system resolvers just not as fast as apps
> like browsers were willing/able to add it.

The browsers were so fast, that they skipped the discussion about ramification
of this change with the rest of community and just abused their position. One
might even wonder, why.

Does not make for good relations in future.

> Standard DHCP options for defining DoH details are still missing though

Yup. Here, browsers are not using their position to finish their push, so
maybe the situation is acceptable for them.

~~~
zamadatix
On one hand you say browsers are to blame because they went too far too fast
bypassing the OS DNS and on the other you say browsers are to blame because
they didn't go far and fast enough bypassing the OS DHCP client.

Again are your arguments actually about DoH causing centralization or are you
just talking about browsers causing positioning centralization irrespective of
the technology?

~~~
vetinari
> On one hand you say browsers are to blame because they went too far too fast
> bypassing the OS DNS

Yup, they shouldn't have do this.

> On one hand you say browsers are to blame because they went too far too fast
> bypassing the OS DNS

No. I'm saying, that once they did what they did, they should have finish the
job. They left it unifished.

> Again are your arguments actually about DoH causing centralization or are
> you just talking about browsers causing positioning centralization
> irrespective of the technology?

My point is that _the way_ DoH was implemented is causing centralization. DoH
could be implemented without causing this effect.

------
troquerre
There will always be a need for a shared global namespace, and DNS needs to
improve its security and privacy as the world continues to rely on it. I don’t
think DoH is the answer since it just shifts trust from ISPs to CDNs[1]. On
the security end, there’s a new DNS protocol called Handshake
([https://handshake.org](https://handshake.org)) that’s trying to shift the
root of trust from CAs to a distributed ledger. It’s still early but it shows
promise with NextDNS.io and Vercel.com supporting it.

[1] CDNs are a lesser evil than ISPs but I still wouldn’t want to need to
trust them to protect my privacy.

~~~
ribasushi
> CDNs are a lesser evil than ISPs

This keeps being repeated, and I simply do not understand it. Could you
elaborate how you arrive at this conclusion that CDN > ISP?

My take:

An unsavory ISP is the only thing I can "vote against" as an end user. I can
boycott it by switching elsewhere, I can pick from a ton of mobile providers,
I can use a VPN to "subcontract" my connectivity experience to an order of
magnitude more providers, or if I am really so inclined I can shuffle all of
that by the likes of Tor.

There is _NOTHING_ I can do as an individual to avoid a CDN, aside from never
visiting content backed by that CDN.

~~~
andreareina
Every ISP I have access to performs DNS-based blocking; to the extent of
intercepting ALL UDP DNS traffic (i.e. using other resolvers doesn't work).
DoH gets around that.

And I think from the context of the parent, you _can_ choose your CDN('s
resolver) -- my version of Firefox (77 on macOS) has NextDNS among the default
DoH providers.

~~~
rswail
The issue isn't whether you can choose your resolver _for Firefox_ , it's that
it balkanizes the namespace resolution mechanism.

Sure, Firefox is using CDN resolver #1, "optimized for the browser
experience", while Spotify uses the CDN resolver #2, "optimized for music
discovery".

The namespace will balkanize, and with that the control moves to the owners of
the resolvers. That would be a natural evolution of the infrastructure purely
due to literal "network effects".

If data can be gleaned from current DNS requests, what data can be gleaned
from a browser sending metadata? Who controls those DoH servers?

At least the current DNS namespace, nominally, is devolved, particularly with
the explosion of TLDs. That has other disadvantages, but there are advantages
too.

------
Ericson2314
s/HTML/HTTP/c in a few places.

~~~
teddyh
What does the “c” flag do?

~~~
dredmorbius
"Confirm". It prompts for verification before substituting, in vim:

[https://www.linux.com/training-tutorials/vim-tips-basics-
sea...](https://www.linux.com/training-tutorials/vim-tips-basics-search-and-
replace/)

~~~
Ericson2314
oh gawd I just type the `c` out of habit now. that wasn't intentional at all.

~~~
dredmorbius
Confirmed ;-)

