
Comcast Is Lobbying Against DNS Encryption - president
https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data
======
jrockway
ISPs are dying to find some sort of "value add" to get more revenue, but it's
just not there. ISPs need to realize that they are strictly a utility now. All
the value that they could possibly add can be obtained from any other company
now. They used to provide TV service, but nobody wants linear TV and can just
send their money directly to the company that produces the TV content and have
it delivered over IP. They used to provide phone service, but nobody wants
phone service; they have a cell phone and can get a fake landline from any
number of companies for almost no money. They used to provide a DNS resolver,
but they used the DNS resolver to inject fake addresses, so the power has been
moved away from them. They used to provide Usenet, but their "content
partners" didn't like that, so now you get Usenet from a third-party provider.

IP is just too versatile. All customers want from their ISP is the dumbest
possible pipe, because they can get all other services over that pipe and pick
the best deals. If you aren't interested in infrastructure, then you shouldn't
be an ISP.

(That said, I don't see why companies like Comcast aren't pursuing things like
becoming Cloudflare or AWS. "Click here to host your docker container 1ms away
from 87% of the US population," seems like a service that could make a lot of
money.)

~~~
AnthonyMouse
> ISPs are dying to find some sort of "value add" to get more revenue, but
> it's just not there.

Yes it is. It's Google Fi. Comcast could do Google Fi better than Google does,
because they could make every Comcast modem an access point for it.

Then for a few bucks on top of your cable internet subscription you give
people unlimited mobile data _on unlimited devices_ whenever they're connected
to a Comcast access point, which is 97% of the time because they're
everywhere, and metered data using some deal with Sprint/T-Mobile/whomever the
other 3% of the time.

How much money is on the table when you allow families to cancel their
wireless plans on four, five, six different mobile devices yet still have
service everywhere?

~~~
nickjj
My ISP has done something similar for years. They give you a router which
doubles as a "wifi hotspot", where anyone with a valid ISP login can use that
network at no cost beyond their regular internet bill. It just becomes a part
of what you get with their service.

This doesn't quite work out as well as Google Fi because they don't have the
other half of the equation which is to jump to a mobile provider when there's
no valid wifi connection. My area has 2 choices for broadband and even with a
majority of customers in this area there are still large gaps to the point where
if I walk around the neighborhood there are tons upon tons of dead zones.

~~~
AnthonyMouse
> This doesn't quite work out as well as Google Fi because they don't have the
> other half of the equation which is to jump to a mobile provider when
> there's no valid wifi connection.

That's the key though. Even if you have 97% coverage without it, if that other
3% could be when your car breaks down on the side of the road, people aren't
going to be willing to switch off their existing wireless service which does
work there.

But add existing wireless carriers as metered data which costs nothing unless
you use it, and you satisfy that blocking factor and get the customer.

------
gormandizer
Encrypted DNS is great. My only problem (as a Linux user) is that I want all
DNS lookups on my machine to be performed by querying the servers listed in
"/etc/resolv.conf". DoH as implemented by Firefox and Chrome breaks that.

~~~
msla
> My only problem (as a Linux user) is that I want all DNS lookups on my
> machine to be performed by querying the servers listed in
> "/etc/resolv.conf".

I fear that they're going to end up seeing the inner-platform effect as a way
to increase security: Browser makers decide they can't trust Standard OS
Component Z, so they implement it themselves inside the browser, and lock it
down so their imagined Non-Technical User can't be tricked into changing it to
their own detriment. Now you have behavior inside your browser you can't
configure because configurability in the wrong hands is a security hole...
_you're welcome_.

[https://en.wikipedia.org/wiki/Inner-platform_effect](https://en.wikipedia.org/wiki/Inner-platform_effect)

~~~
Spivak
I don’t necessarily see a problem with this. If OS vendors want to be more
than just another layer for running a browser then they need to catch up
_fast_ to the work that browsers are doing.

It is insane that connecting to a network is entering into a trust
relationship with the local network operator.

It's silly that most apps run with the full privilege of the user that ran them.

These were fine decisions when they were made years and years ago but browsers
have second-mover advantage and aren’t burdened nearly as much by backwards
compatibility.

------
wayneftw
How can you lobby against a browser feature?

It's not like Google or Mozilla were trying to write a new law.

Are there laws that browsers MUST adhere to? Because I'm pretty sure I can
create a web browser that behaves in any way that I see fit.

~~~
tptacek
There were literally just House hearings about the impact of DoH on law
enforcement investigations. You lobby against it by trying to get a law passed
to ban it.

~~~
schoen
Are you sure you're not thinking of hearings about some other aspect of
encryption? I've been working on the DoH issue, including writing to Congress
about it, and I don't recall a hearing having happened yet.

~~~
tptacek
I’m sure. I’ll dig up a link; you can watch it.

~~~
schoen
Please!

~~~
tptacek
[https://youtu.be/FBF1n6Q5vvY?t=6144](https://youtu.be/FBF1n6Q5vvY?t=6144)

------
jedisct1
And at the same time, they deployed a DoH server:
[https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v...](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md#xfinity)

~~~
magashna
No mention of whether it is logging or not. I think I can safely assume they
are logging everything.

~~~
cremp
Which is just gravy, because the whole DoH crowd is against ISP monitoring and
selling it.

Goes to show that the only thing DoH/DoT/et al. did was to make things more
complicated and harder to work with.

------
ravenstine
Did everyone forget that it was Comcast that was injecting JavaScript into
unencrypted HTTP responses? I wish I had time to dig out that HN thread. It
only makes sense given Comcast's lack of ethos that they would be against
encrypted DNS.

~~~
proverbialbunny
I worked on that code. Sorry.

Originally it was a Dutch ISP that wanted the feature. They wanted a pop-up
that would ask the customer if they would like to buy more gigabytes when the
customer began running low on data.

There was a large back and forth. The general thought process at the time was,
"If technology can be used a certain way, it will be used that way." So, we
went back and forth over hypothetical situations of how an ISP or business
could use JavaScript injection. Like, "Could an ISP use this to steal personal
data?" Ultimately, browsers were beginning to default to TLS at the time, so
it seemed like it would be a short-lived feature.

------
kodablah
From the summary[0]:

> If activated, this feature would by default route all DNS traffic from
> Chrome and Android users to Google Public DNS, thus centralizing a majority
> of worldwide DNS data with Google

I can't decide if Comcast is just ignorant since Chrome's plans are to NOT do
this, or if they are outright lying about what Chrome's plans are. As I
mentioned the other day, this is the problem with not separating the DoH
protocol discussion from the DoH browser-provided default resolver. Good job
Mozilla, now we can't have a debate about the merits of DoH the protocol
because y'all have muddied it with default resolver choice.

[0] [https://assets.documentcloud.org/documents/6509454/ISP-DoH-L...](https://assets.documentcloud.org/documents/6509454/ISP-DoH-Lobbying-Slide-Deck.pdf) (PDF)

------
ivankolev
That instantly makes me feel dns encryption is something worth exploring in
depth...

~~~
flatiron
I do DoH with Pi-hole and Cloudflare (followed the Arch wiki for all of that) but
I think it’s silly. You don’t know what I’m resolving but you still know what
IPs I’m visiting and can just look up their host names. What does it really
do?

~~~
fweespeech
You can have multiple hostnames per IP. (i.e. If you are using a site that
uses cloudflare)

That fact will make it very difficult to resolve hostname to ip address for
anyone behind a CDN. That is the reason Comcast is fighting it.

~~~
flatiron
Makes sense. Thanks. Then I’m glad I’m using it! I fell into the Arch wiki
black hole and an hour later had Pi-hole, DoH and OpenVPN all configured so
all my devices including my iPhone go through my home internet and the Pi-hole.
Pretty neat. No ads while mobile. I did have to do TCP on 443 since UDP
and T-Mobile did not play nice together. I was too lazy to debug that though.

------
virtuallynathan
This isn’t exactly true... Comcast just launched their own DoH endpoint. I
also used to work very closely with the DNS team at Comcast. At the time, they
did not sell or even log/look at DNS data. It was sampled in aggregate to
break down CDN traffic in Netflow data.

~~~
kevin_thibedeau
Comcast's masters likely have the same arrangement that AT&T does. Everything
passes through a closet the rank and file know nothing about.

~~~
virtuallynathan
That's a totally different and unrelated assertion. If the Gov't wants that
traffic, they can just go to a Level3 fiber regeneration site in the middle of
nowhere and tap the fiber traffic of hundreds of companies.

------
NelsonMinar
If Comcast doesn't want it then it must be a good thing for consumers.

------
pmlnr
Pitiful people Comcast, shame on you. This information never should have been
sold.

~~~
sliken
Just imagine if Comcast loses the ability to hold content providers hostage.
With DoH it's much harder to tell that most of your customers are streaming
from Netflix, so it's much harder to artificially degrade their network
connections so you can ask Netflix to pay extra.

~~~
zzzcpan
Beefy cache nodes of any company, not just Netflix, are trivially
identifiable.

~~~
sliken
But if you have a list of 1000 beefy cache nodes who do you send the ransom
letters to?

How about if each beefy cache node has 1000 IPs instead of 1?

What if each client was sticky, so if Comcast buys a Netflix account they only
end up on one beefy cache node?

Hell, if pushed hard enough maybe Netflix would enable P2P (encrypted with DRM
of course) for content delivery. I'd happily hook up a 1TB USB drive to my Roku if
it improved the playback experience.

Of course DoT is not perfect, but it does seem like it would help, so much so
that Comcast is lobbying against it.

------
foxfired
I may be the last person to join the party, but I do not understand how DNS
over HTTPS hides me from my ISP.

From my understanding, to fetch a URL, I make a request to the DNS server. If
I do it unencrypted, the ISP sees the request in plain text. They know where I
am going.

But when I do it over DoH, I send an encrypted DNS request to a service, of my
choosing, that gives me the IP address of my destination. (Is this correct?)

Now, in order to reach that destination IP address, don't I have to use the
ISP? Aren't they the ones routing my request to the destination? Even if it
is under HTTPS, the destination has to be known, right? I'm sure I am missing
a piece of the puzzle, but where exactly I don't know.

~~~
zeta0134
With DNS over HTTPS, the ISP would have the ability to see the IP address you
are connecting to, yes, but critically they would not have the ability to see
the domain name that you had visited unless your browser is also doing SNI.
Which it probably is, so from a privacy standpoint, not much changes.

What does change is the ISP's inability to _tamper_ with the DNS response.
Many, many ISPs will refuse to actually send a DNS not found for certain
record types, instead serving up their own custom search pages with
advertisements and other garbage. It also prevents certain classes of MitM
that involve intercepting plain-text DNS and re-routing that request to a
different server by responding with an attacker-controlled value.

So, from a privacy standpoint, DNS over HTTPS by itself isn't buying you all
that much (since SNI leaks the same information during the SSL handshake to
your target) but in terms of making your access to the DNS infrastructure much
harder to tamper with, it does a whole bunch.

EDIT: ooohhh, ESNI is a thing? This seems interesting to keep an eye on:
[https://blog.cloudflare.com/esni/](https://blog.cloudflare.com/esni/)

~~~
judge2020
eSNI is still in the draft stages, which is why Chrome has opted not to
implement the draft until the standard is finalized or in a state it deems
satisfactory[0]. Currently FF and CF implement the draft.

There are also many hurdles Google has to consider when rolling out things
like this that will break Enterprise deployments. Currently, DoH is completely
inaccessible if the browser is "managed" (has Policies) at all, even if the
disable DoH policy isn't set. I imagine the same will happen with eSNI.

0: [https://crbug.com/908132#c7](https://crbug.com/908132#c7)

------
alzaeem
Just so I understand, why does an ISP care so much about providing the DNS
resolution? Anyway once you have a destination IP address, that'll be visible
to your ISP from your packets, and a simple reverse DNS can tell them what
these IPs are for. Or am I missing something? That's also why I'm not so
bullish on the benefits from DNS encryption, though it's a step in the right
direction.

------
ga-vu
And this is a problem why?

DoH is garbage and Mozilla's implementation is just a cashgrab with
Cloudflare. Adopt DoT+DNSSEC instead.

~~~
arpa
A million times yes. DoH is powergrab crap and needs to die.

------
dreamcompiler
The fundamental law of pipe companies: Every pipe company hates being a pipe
company.

------
mrlala
I still can't wrap my head around DNS encryption; can someone explain it or
link me to an article/video?

I seem to remember reading that for this to work, you would have to trust
someone like google, but then wouldn't you essentially have to proxy all of
your data through google or some dns encryption source.. i.e., almost making
it a VPN?

Surely I am missing something. I just don't see how you can hide traffic from
your ISP without a proxy in the middle.

~~~
heavyset_go
DNS isn't encrypted. Anyone passing your DNS queries between you and your DNS
provider can inspect them.

DoH or DoT would allow your upstream DNS provider to see your queries, but
anyone passing them around wouldn't see the content of the queries.

Comcast won't be able to read those queries if they're encrypted via DoH, and
part of their business model involves spying on their customers' queries and
selling the data.

DoH has nothing to do with proxying.

~~~
jagged-chisel
Has DNS yet removed the possibility of an ISP front-running replies for
outside DNS? For example, you want to see HN, but Comcast would rather you see
HN through their ad-injecting proxy - their systems can see your DNS query and
reply with the proxy.

Seems like encryption and signing would help here as well.

~~~
growse
Do you mean Dan Kaminsky's issue from 2008?
([https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS](https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS))

If so, this was fixed... in 2008.

~~~
slededit
Fixed is much too strong a word. Mitigated is more descriptive. From your
link:

> This fix is widely seen as a stopgap measure, as it only makes the attack up
> to 65,536 times harder. An attacker willing to send billions of packets can
> still corrupt names.

~~~
growse
Fair.

------
koolba
How hard would it be for them to instead reverse lookup the outbound socket IP
addresses to determine the servers to which you are connecting?

Assuming they have _some_ people performing the same DNS lookups from similar
locations I bet they could construct a good enough mapping. It’d probably be
even more accurate if there’s DNS caching client side as it’d count actual
connections and not just lookups.

~~~
GhettoMaestro
Your method wouldn't work too well as multiple websites will be multiplexed
behind a single IP address via a method known as "name-based virtual
hosting". It exists even with TLS, as SNI (Server Name Indication) was added
to serve this purpose. However, in the future, TLS will most likely mandate
that SNI be encrypted and not visible to a passive attacker (it is currently
in IETF draft status, as someone pointed out below).

~~~
anfilt
It's still just a draft last I checked. [https://tools.ietf.org/html/draft-ietf-tls-esni-04](https://tools.ietf.org/html/draft-ietf-tls-esni-04)

Whereas TLS 1.3 is an RFC.
[https://tools.ietf.org/html/rfc8446](https://tools.ietf.org/html/rfc8446)

------
steve19
Does anyone know how DoH works in browsers when connected to a new WiFi
network with a captive portal?

------
js2
Direct link to slide deck:

[https://assets.documentcloud.org/documents/6509454/ISP-DoH-L...](https://assets.documentcloud.org/documents/6509454/ISP-DoH-Lobbying-Slide-Deck.pdf)

------
meed
Is there anything that this company does that ain't suck?!

------
Darth_Hobo
At first I was excited about DoH, until I realized that you are simply
switching data collection from ISP to whomever you choose as your trusted
resolver in DoH (most likely Google or Cloudflare). So ideally we need another
machine that does DoH requests and then sends you the results, but at this
point you might as well set up a full VPN.

DoH might be a good alternative in places like China, because Cloudflare
knowing about your browsing history is a lot less dangerous than the Chinese
government knowing about it. Unless DoH providers will sell that data to China.
Which they probably will.

~~~
wp381640
You can still use DoH with your ISP - it's about finally encrypting DNS
requests in transit.

The reason why ISPs are afraid is because they know that given the choice most
people wouldn't opt for ISP hosted DNS since they have a history of being
abusive.
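
An added example (not code from this thread or from any resolver operator named in it) of what heavyset_go and wp381640 describe: a DoH client sends an ordinary DNS wire-format message (RFC 1035) inside an HTTPS GET or POST (RFC 8484), and the resolver URL is simply a parameter, so the same client code talks to a Cloudflare, Google or ISP-hosted endpoint. The resolver URL and the 192.0.2.1 answer below are constructed placeholders; the GET encoding for www.example.com matches the worked example in RFC 8484.

```python
import base64
import struct
from typing import List

# Added example, not code from the thread. A DoH client sends an ordinary
# DNS wire-format message (RFC 1035) inside an HTTPS request (RFC 8484);
# the resolver URL is the client's choice. Runs offline on constructed data.

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query for `name`. RFC 8484 suggests ID 0 so identical
    queries produce identical messages that HTTP caches can match."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: message base64url-encoded with padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"

def doh_post_request(resolver_url: str, query: bytes) -> dict:
    """POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST", "url": resolver_url, "body": query,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def parse_a_records(resp: bytes) -> List[str]:
    """Extract IPv4 answers from a wire-format response body."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:  # RCODE other than NOERROR: nothing to return
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def constructed_response(query: bytes, ipv4: str) -> bytes:
    """Constructed resolver reply (not captured traffic) answering `query`."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + query[12:] + answer + bytes(int(o) for o in ipv4.split("."))
```

Nothing in the request identifies a proxy or a tunnel: only the DNS message and the answer cross the TLS connection, and whoever runs the URL you configured sees the query, exactly as a classic UDP resolver would.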

~~~
wahern
Most people won't care. The coming battles are about defaults.

Mozilla's motives may be pure, but with a key press they're poised to funnel
the DNS requests of hundreds of millions of users to a single entity. That's
_power_ any way you look at it.

------
rammy1234
How this will enhance the common man's life is something they need to expose to
the public; don't they need to let everyone know?

------
raxxorrax
That probably just means they take advantage of DNS data of their users and
that DNS encryption is a very good idea.

------
apeace
Which is exactly why government should have nothing to do with internet
standards.

------
xedrac
Doesn't DNS encryption effectively break ad blocking software?

------
peterwwillis
DNS encryption is going to be one of the big boondoggles of the 21st century
internet.

I am currently going through a project at work to certify all the applications
which need a custom root CA cert added to them, for their traffic to be
inspected. _This is part of GDPR certification_. This is not some nefarious
project to spy on employees, or even a DLP initiative. To comply with GDPR, we
have to know where PII comes and goes, and over 80% of that data goes over
HTTPS. That means that for any company to be able to comply with GDPR, they
have to inspect all HTTPS traffic.

Now, could TLS clients provide a mechanism to export all decrypted traffic,
_separate from the validation path_? Sure. But that's not a part of the TLS
spec, so to my knowledge, TLS libraries just don't have that option, and all
the applications I know of certainly don't expose it. So even though to
provide for the above requirements, all we need is a read-only tap of the
decrypted content, it wasn't required (or possibly even considered), so now we
need _read-write access to all content_, which is in no way what the
requirements were intended for.

That's bad, but what's worse is this process is introducing dozens of bugs. In
many cases, the proprietary content filters are actually _failing to validate
correctly_, and proxying payloads from hosts with invalid certs to
unsuspecting clients. Not only do we have to MITM everything, but we're making
security worse, and breaking apps. Take all of these considerations, and now
instead of it being HTTP content, it's DNS.

From an internet privacy perspective, there are only so many hostnames and IPs
on the internet. Regardless of how you encrypt it, if you can observe hundreds
of millions of individual users' traffic, it will be trivial to discover what
DNS records a connection is requesting by statistical analysis. I agree with
making the data integrity immutable, but that doesn't mean we have to force it
all to also be private, not to mention breaking the distributed, decentralized
design that made DNS resilient to begin with.

~~~
perl4ever
It's comforting to know 20% of the PII wasn't being encrypted in the first
place.

~~~
peterwwillis
...you do know that HTTPS isn't the only kind of encrypted network connection,
right

~~~
perl4ever
Well, it seems like we're approaching that situation, when people are talking
about running DNS over it.

...so what else is being used?

