Hacker News
Big ISPs aren’t happy about Google’s plans for encrypted DNS (arstechnica.com)
645 points by Deinos on Oct 1, 2019 | 434 comments

While I don't particularly trust Google all that much anymore, the fact that ISPs even have an opinion on this is a smoking gun that they're doing sketchy things with DNS data. There is no actual technical reason why they should care if you use their DNS servers or something else, even a private, encrypted DNS service.

They definitely are. I know for a fact that they are running massive Hadoop clusters storing information on DNS records involved in their customer traffic. If I recall correctly they mirror a lot of the traffic to analytics environments.

Netflow data, DNS capture, enrichment of cell tower access data (location), reporting on non-usage (idle time, tracking), Bill and household information, credit account usage, etc. SPs are huge sellers in this market.

We still need to encrypt the accessed resource and DNS queries everywhere.

Even once that’s done, things like opencaching will be used by SPs to gather tons of data where they participate.

As a European it baffles me that this is normal in the USA. Why is this even legal? This should be PII.

Because our government is not really interested in protecting its citizens from abuse at the hands of corporations.

edit: you can see this clearly in the way they pay lip service to "breaking up big tech" (whether or not that's a good idea, this comment is not a statement of opinion on that subject) because it's politically sexy on both sides, while all these other, arguably more egregious abuses of consumer data are so far off the radar that most people probably aren't aware they're happening.

If the government showed an interest in abuse at the hands of corporations, it might start getting embarrassing questions about abuse at the hands of 3 letter agencies.

Who says it's not also happening in Europe?

If it is, the stakes are much higher since they have real penalties if they fail to disclose the practice or lose control of that data. Anyone in the EU can send them a request under the GDPR to learn what’s collected, so it’s much easier to get caught.

GDPR and the tradition of not allowing wire tapping / traffic mirroring without telling the subject (unless you are the government and have a warrant).

Wholesale data collection has become normalized in the US. For-profits, non-profits, it doesn't matter the industry, everyone is obsessed with capturing as much data as possible and believe it's just the standard way of business. No one outside of HN cares about PII or has an understanding of things like GDPR (it's just for the Europeans). Consumers are clueless or otherwise feel hopeless.

Just want to say for the sake of others reading that this comment is exaggerating + generalizing a bit.

Everyone is not obsessed with turning data into revenue. Most smaller tech companies (i.e. sub-billion in revenue) are not in the game of monetizing data. My feeling is the market exists mostly between very well established and very large companies (such as ISPs, advertising networks), but that same market doesn't exist between newer / smaller companies that haven't reached massive scale.

To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or if they have, couldn’t say what the regulation does.

Everyone in the EU has heard of it, at least for the fact that everyone received a whole bunch of email that mentioned it on May 25th 2018. I'd say a lot of people know that "it's about privacy"; the actual understanding obviously varies.

No one heard about it, at least in Spain. My father asked me about it because he heard it on the news, but I'd say that 99% of my non-tech friends have no idea what it is about. Anyway, I work for a large telco and they are very paranoid about liabilities involving data. It's a behemoth, so you wouldn't expect them to be this careful.

As far as I remember, they still sell some anonymized data (they had some demos on how to plan public transport with location data) and I'd bet they are not doing much with DNS data.

> To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or if they have, couldn’t say what the regulation does.

Basically everyone who is in the EU needs to keep GDPR in mind. Especially if you are employed, then you need to keep GDPR in mind in the interests of your employer, so that they are abiding by the law and won't get fined. It is actually legal people who know GDPR very well; not so much tech people. In a lot of Dutch companies a "functionaris gegevensbescherming" (FG; data protection officer) is mandatory, who basically deals with PII, and they have known about GDPR (AVG) ever since it was announced that it was going to be active (2 years before it was active). The Dutch professional association for data protection officers was founded in 2003 [1].

On top of that, it was widely covered in newspapers, daily news, etc. If you are in EU and you have not heard about it you are living under a rock, or you're not a working adult (nothing wrong with either).

[1] https://www.ngfg.nl

Anyone working in an office will have probably come in contact with GDPR. Blue collar workers probably not so much.

Maybe people will know it as the cause of cookie popup screens. But I'm also grossly over-estimating computer literacy among the general population so maybe not.

Anyone in the UK who does an office job has heard of GDPR. Most companies are having to update practices to comply with it. It's actually amazing how effective it's been at curbing the "let's just store everything" behaviour.

This is definitely happening in Europe. It's not like you get to opt in to these things.

What about

I'm guessing we're just trusting Google here (and Cloudflare who now also does 10gb free VPNs) + the good will of engineers with access to this information within Google.

I think google is evil. But I know AT&T is.

Big G is driven by money like any other company, but they lose more money if they don't employ top security practices and prevent others from getting their data. ATT's main business isn't selling the data, it's selling the pipes that carry data, so security on their data lakes is probably less of a priority.

> ATT's main business isn't selling the data, it's selling the pipes that carry data

... and I'm sure their shareholders are pressing them to forego the greater revenue from subscriber data so they can keep their dividend cheques comfortably small.

With the SPs, all you have to do is look at ANYTHING security related around their business and observe what shambles it is.

The last time I looked, the csrf token issued by the homepage of one of the big three mobile carriers was "undefined."
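Why a token that literally reads "undefined" matters, shown as an added example (not code from the thread or from any carrier's site): a check that only compares the submitted token with the stored one still passes when both are the same sentinel string, which is what a template produces when it renders a missing JavaScript value. The `session` and `form` objects below are constructed dicts, not any real framework's API.

```python
"""
Added example: naive vs. strict CSRF token validation.

The naive check is the vulnerable 'before' form: it treats any two equal
values as a match, so "undefined" == "undefined" (or None == None when no
token was ever issued) is accepted. The strict check requires that a real
token was issued, rejects sentinel strings, and compares in constant time.
"""
import hmac
import secrets

# Strings that commonly leak into a form when a template variable is unset
SENTINELS = {"", "undefined", "null", "None", "NaN"}

def naive_csrf_check(session, form):
    # Vulnerable: passes when both sides are missing or both are "undefined"
    return session.get("csrf") == form.get("csrf")

def issue_token(session):
    # 32 random bytes, URL-safe; stored server-side and echoed into the form
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def strict_csrf_check(session, form):
    expected = session.get("csrf")
    supplied = form.get("csrf")
    if not expected or not supplied:
        return False                      # no token was ever issued / sent
    if expected in SENTINELS or supplied in SENTINELS:
        return False                      # a rendered "undefined" is not a token
    if len(expected) < 32:
        return False                      # too short to have come from issue_token
    return hmac.compare_digest(expected, supplied)

if __name__ == "__main__":
    broken = {"csrf": "undefined"}
    print("naive accepts 'undefined':", naive_csrf_check(broken, broken))
    print("strict accepts 'undefined':", strict_csrf_check(broken, broken))
    s = {}
    t = issue_token(s)
    print("strict accepts real token:", strict_csrf_check(s, {"csrf": t}))
```

The point of the sentinel list is that equality alone is not a security property; the validator has to know that a token was actually generated for this session before comparing anything.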

This. I know from experience how terrible a company they are with customer service, but there is that little arrangement with the NSA called PRISM...

I suspect they somehow throttle this traffic -- I used to use for a while and had to repeatedly switch out because my DNS resolution times would be terrible after a while

If you are not using gmail and google search, and are using adblockers, Google shouldn’t really have any information on your IP, so it is anonymised data. Your ISP knows even your bank details.

But the limits of using google DNS (or even encrypted DNS) is that most commercial websites aren’t sharing IP addresses, so I bet the ISP can pretty much reconstruct the data it would get from DNS with very little effort just by looking at your IP traffic and mapping IP addresses to domains from other users DNS queries.
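The reconstruction described above, as an added example that is not part of the original comment: an operator who cannot read a client's DNS (because it is encrypted) can still build an IP-to-hostname table from the cleartext DNS answers of other clients on the same network and label that client's flows with it. All DNS answers and flow records below are constructed; the example also shows the caveat that shared IPs (several hostnames resolving to one address) make the label ambiguous rather than certain.

```python
"""
Added example: passive-DNS style enrichment of flow records.

DNS_LOG models cleartext DNS answers seen for clients that do not use
encrypted DNS. FLOWS models connections from a client (10.0.0.42) whose
DNS we never see. enrich_flows() maps each destination IP back to the
hostnames that were observed resolving to it.
"""
from collections import defaultdict

# Constructed DNS answer log: (client, queried name, answer IPs)
DNS_LOG = [
    ("10.0.0.5", "news.example", ["203.0.113.10"]),
    ("10.0.0.7", "bank.example", ["198.51.100.22"]),
    ("10.0.0.9", "shop.example", ["203.0.113.10"]),   # shares an IP with news.example
    ("10.0.0.5", "mail.example", ["198.51.100.40", "198.51.100.41"]),
]

# Constructed flow records: (client, destination IP, destination port)
FLOWS = [
    ("10.0.0.42", "198.51.100.22", 443),
    ("10.0.0.42", "203.0.113.10", 443),
    ("10.0.0.42", "192.0.2.99", 443),
]

def build_passive_dns(dns_log):
    """IP -> set of hostnames that were seen resolving to it."""
    ip_to_names = defaultdict(set)
    for _client, qname, answers in dns_log:
        for ip in answers:
            ip_to_names[ip].add(qname)
    return ip_to_names

def enrich_flows(flows, ip_to_names):
    """Return (client, dst_ip, port, candidate_names, confidence) per flow.

    confidence is 'unique' when exactly one hostname maps to the IP,
    'ambiguous' when several do (CDN / shared hosting), 'unknown' when
    no client on the network was seen resolving that IP.
    """
    rows = []
    for client, dst, port in flows:
        names = sorted(ip_to_names.get(dst, ()))
        if len(names) == 1:
            confidence = "unique"
        elif names:
            confidence = "ambiguous"
        else:
            confidence = "unknown"
        rows.append((client, dst, port, names, confidence))
    return rows

if __name__ == "__main__":
    table = build_passive_dns(DNS_LOG)
    for row in enrich_flows(FLOWS, table):
        print(row)
```

Run stand-alone it prints one enriched row per flow; the bank connection gets a unique label even though 10.0.0.42 never sent a DNS query the operator could read, while the shared 203.0.113.10 address only narrows the visit to two candidates.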

> Your ISP knows even your bank details.

Google was buying MasterCard records: https://www.bloomberg.com/news/articles/2018-08-30/google-an...

And they can use that if they know your identity, like if you provided them a phone number.

But I don't believe they can do much from an IP alone. Unless the ISP starts ratting us out.

Theoretically, yes. For that to work, you also need everything on your network to never have encountered a google cookie, adwords, Android, Chrome, YouTube, Maps, Google DNS servers, any of various "smart" devices, etc. And hope those Google Global Cache servers living at your ISP are trustworthy.

If you use unencrypted, then both your ISP and Google know your query. With DoH only Google will know. But often Google can figure it out even without DNS data.
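What the two transports actually expose, as an added example that is not from the thread: the same DNS query built in RFC 1035 wire format is readable by anyone on the path when it goes out over UDP/53, whereas with DoH (RFC 8484) it travels as a base64url parameter inside an HTTPS request, so only the resolver sees it. No network traffic is generated; `https://dns.example/dns-query` is an assumed resolver URL used only to build the request.

```python
"""
Added example: one DNS query, two transports.

build_query() produces the wire-format message. observed_qname() is what a
passive observer of cleartext port 53 traffic parses out of it.
doh_get_url() is the RFC 8484 GET form of the same bytes; on the wire that
URL sits inside TLS, so an on-path observer sees only the resolver's IP.
"""
import base64
import struct

def encode_qname(name):
    """Encode 'a.b.c' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0):
    """12-byte header (RD=1, QDCOUNT=1) + question section.

    RFC 8484 recommends transaction ID 0 for DoH so identical queries
    produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def observed_qname(packet):
    """Parse the question name the way a passive port-53 observer would."""
    pos = 12
    labels = []
    while True:
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(packet[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels)

def doh_get_url(packet, resolver="https://dns.example/dns-query"):
    """RFC 8484 GET form: base64url of the message, padding removed."""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"

if __name__ == "__main__":
    q = build_query("example.com")
    print("cleartext UDP payload:", q.hex())
    print("observer recovers   :", observed_qname(q))
    print("DoH request         :", doh_get_url(q))
```

The only difference between the two is the envelope: the bytes in `q` are identical, which is why the comparison in the comment above is about who sits at the other end of the encrypted channel, not about the query itself.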

You don't need to just blindly trust, there are ToS and privacy statements. My TL;DR is that Google doesn't use logs outside of service health (eg vs DDoS).

So what pays for this service?

I don't know. I think not everything a large company does necessarily immediately pays for itself. Also, Google overall benefits when people use the web more.

Nothing or Google depending on how you want to think about it. Google needed this service for themselves, as the default fallback DNS for their devices, their domain registrar, for GCP and it made sense to just let the public use it too for some good PR.

I wonder why someone who knows how to do any of that, would think it is a good idea or go along with implementing that. The shitbirds who actually want to do this type of thing are not smart enough to execute it.

Engineers are people who come in all ethical flavors. I used to know one whom I consider evil, in the actively, knowingly malicious sense. I've known a whole lot more who generally just don't think about these questions.

Thinking knowledge, intelligence or capability correlates with ethics is a category error.

It's more an industry error, I suspect. The University I went to forced all the Software Engineers to do some of the traditional Engineering papers, including courses on ethics. The professional institute that accredits the University's ability to call their course an Engineering course required those courses.

Courses like that don't fix unethical people, but they make the rest of us aware that ethical concerns exist. Software/Computer Science is such a young discipline that, industry-wide, I don't think we've learnt that one from the other industries yet.

I question the amount that such ethics courses actually help. Business majors have had ethics courses for as long as I can imagine, and yet you don't have to go far on HN (even in this very thread) before you see people saying business majors are unethical.

The bigger problem, IMO, is that many tech companies have started handing out kool-aid that data collection and analytics is ethical. They justify it by saying that it helps people avoid spam, or get better advertisements, or whatever, and then the engineers think they are being ethical and beneficial to society by building these systems.

> Business majors have had ethics courses for as long as I can imagine

I took a business ethics course in undergrad, and it was surprising how many students advocated all sorts of (to me) aberrant ethical views. (Note I’m pretty traditional, morally speaking. The environment was strongly postmodern, and this was before all the modern insanity about “free speech is bad because some people say bad/offensive things”.)

Not that I minded personally, but it was a strong lesson to me that teaching people categories and how to think won’t give them a desire to respect any particular brand of morality.

> this was before all the modern insanity about “free speech is bad because some people say bad/offensive things”.)

To be totally fair, the idea "free speech is bad because some people say bad things" is older than the mind of man can remember.

> To be totally fair, the idea "free speech is bad because some people say bad things" is older than the mind of man can remember.

Yes, it's just that we've only recently been allowed to talk about it openly.

This crosses into political flamewar and personal attack, which you can't do on HN, regardless of how right you are or how righteous your cause.

Would you please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here? We'd appreciate it.

Impartial view here, not entirely sure where I fall on free speech:

You've concluded that the absolute morality expressed by public consciousness should be the arbiter of publicly expressible speech. Maybe the next thing that gets people killed is not allowing public discourse to challenge socially accepted, morally unacceptable beliefs.

> what arguments exactly do you feel could not legally be expressed in a modern first-world democracy, that actually should be expressed?

Many people use “free speech” to describe more than what is covered by the First Amendment in the USA. For instance, freedom from retaliation, by being fired from your job. According to that view, entities other than the government can engage in suppressing free speech.

I read the argument and then re-read it. Went through a few odd stages of amusement and I still disagree. Defending Nazis' right to express free speech is more necessary now than ever given that people apparently forgot what an important right it is.

As for the argument that opinion gets people killed, I can only reply with the following.

Opinions don't kill people. People kill people. It is important to know the difference.

I totally agree, nuclear bombs don't kill people, people kill people. There is no reason people should be unable to build their own weapons and bombs. And don't even start with the WMD slippery slope.

More seriously, limiting speech should not be necessary in a good society where people don't let such stuff spread. But that doesn't seem to be how humans work. The marketplace of ideas does not necessarily prevent bad outcomes. And pretending that a root cause analysis for a genocide doesn't include speech as a vital segment in the chain leading to that atrocity seems illusory to me.

So yes, having reasonable rules doesn't seem that wrong to me. It certainly comes with all the usual problems of gov/regulation. I'm kind of fine with what we have here in Germany. Not that it's perfect... but it kind of reminds me of that saying about aerospace rules... they are written in blood.

It is a good argument. It sounds reasonable. But having 'reasonable rules' is a vague statement. It is something akin to me saying in a corporate meeting 'it is all about balance'. It is, and it conveniently can be applied to anything.

For the record, I personally dislike German approach despite understanding its genesis.

I can't really speak for aerospace rules, but I am not certain they say that much about speech.

edit. I just remembered. Internet has all manner of rather dangerous information out there. Materials may be highly difficult to procure, but knowledge is still at your fingertips.

Saying that business majors are full of unethical people is like saying that politics is full of unethical people; it is the job that attracts those characteristics.

The objective of those ethics classes is to move the neutral/good majority in the hope of counterbalancing the unethical minority.

And computer science is just as full of unethical people. The highest paying jobs available to those in their 20s and 30s, by far, are computer science jobs. That alone attracts an incredible amount of people only in it for the money.

On top of that, companies which are usually regarded as some of the most unethical companies on the planet (especially in regards to privacy) are companies like Facebook, Amazon, Microsoft, and Google, which are worshipped by and have computer science people scrambling to get hired by them. Going back a little further in history, before FAANG, the companies that were revered by the tech world were the very same ISPs that this post is railing against.

Programmers as a whole seem to have no problem at all being unethical as long as it gets them either money or the chance to work on the latest tech fad.

I do not disagree with this, but it stands that the presence/prevalence of unethical people is not really an argument against ethics courses, as they are meant to do little more than contain the problem.

Unless you imagine some sort of industry-wide reckoning from a political/legal perspective, the industry will probably never "grow up". This isn't the sort of industry where a couple bridges might fall down and everyone suddenly gains self-awareness that it's time to be a little more adult.

Just look at the resistance on this forum to the idea of GDPR or data privacy bills. This is one of the most self-aware forums on the internet and still probably a majority of users are not only aware of who (and what) is signing their paychecks, but they actively endorse it in their personal discourse during their time off too.

What do you mean? There's a whole genre of reasonably talented morally bankrupt "whitehats" building passivedns mass surveillance infrastructure.

Cisco collects more than 24TB of DNS query data every day. Here's a Cisco employee demonstrating the kinds of horrifying analytics they perform on this data https://www.first.org/resources/papers/conf2018/Mahjoub-Dhia...

Wow, that is amazing. Is Cisco telling their clients they're doing this? That's a lot of root servers too.

This surveillance is mostly targeted at residential users. I’m sure they mention this in some opendns legalese, but they definitely don’t openly advertise this.

In countries or locations with a nearly nonexistent tech industry, your employment options as a software engineer may be limited to that kind of crap

To make money on analytics?

He is speaking of the developers and engineers who have the technical expertise and should know it's a bad idea but still agree to implement it regardless of their moral compass.

I've worked on questionable projects at a big telecom. I refuse to run ISP-provided modems/routers at home, I refuse to use my ISP's DNS and use DNS-over-TLS etc. etc. based on what I have seen.

The devs have often said things are a bad idea and raised concerns; unfortunately you generally have no power, the decision to implement something is made above you. Generally the people making the decisions know things are questionable but you need to make your KPIs / get promoted / earn more money for the company etc. etc.

If you don't follow a direct order and refuse to work on a piece of work in reality you will be fired.

That leaves you with the option of looking for a new job yourself or being forced to find a new job as you were kicked out.

While some people can take the moral high ground, outright refuse and resign, others have to deal with life issues such as paying the bills and supporting a family, which makes it extremely hard to pick a fight refusing to do something. We do not like to think it but we are just another cog in the wheel and dispensable.

Nice point. I've been considering changing my router for a while out of privacy concerns. Do you have a suggestion? I was wondering whether I could use my Raspberry Pi 3B+ for it.

I've been using Mikrotiks for over a decade, they just work and are pretty cheap. They do require you to know a little bit more about networking than the regular, end-user oriented, routers.

Only negative I would mention is that some things are a little bit harder to setup, like a VPN for example (and it doesn't support OpenVPN over UDP).

Why the implication that devs/engineers who have such technical expertise "know it's a bad idea"? There are plenty of devs and engineers who would have no moral issue with mass data collection and analytics. You don't magically become a paragon of morality just because you got a CS degree. Just ask Zuckerberg.

I'm working at a company and they want to do a massive amount of logging from our company's iOS app. Basically log everything in the name of security. I made the statement today: what does legal think about the data we would now be storing? It has user locations, GPS coordinates, all the other fun stuff you can get from a user's phone. They all looked at me like I was crazy for even asking that question. And I don't think a single person in the room, the devs included, had even thought about the personal data we were going to be able to collect. And whether we SHOULD be collecting it.

If your company does business in the EU, or has users within the EU then the GDPR kicks in.

The legal department would care about that.

To be fair Zuckerberg didn’t get a CS degree. Your point still stands of course.

To be even more fair, I feel pretty sure Zuckerberg would be happy to agree that "you don't magically become a paragon of morality just because you got a CS degree".

I’m not sure why anyone cares about Zuckerberg’s opinions on morality. The point that a CS degree does not impart a higher moral code is not controversial. My comment only pointed out that Zuckerberg was a bad example because he doesn’t have a CS degree.

And my comment pointed out that your parent comment didn't present Zuckerberg as an example, but as a source of support.

(Does that make sense? No, he'd make more sense as an example. But that's not what the comment said.)

Yes, I see now, thanks for pointing that out. The implication being Zuckerberg relies on people with CS degrees even if he himself does not have one.

Google and FB are doing the same thing with their data (and worse) and the engineers they employ don’t seem to care that much, even though they are pretty smart.

There are many different kinds of capitalism

Seriously browse through the who's hiring thread... some engineers may see it as an easy way to get their foot in the door in the data analytics industry. Hopefully they just focus on bettering their portfolio.

There are environments where traffic must be logged for regulatory or other legal reasons, so the technique and code to implement it is not universally malicious.

Implementing the mis-feature on a public ISP will be done by people who think the matter isn't worth risking their job by taking a stand on, and just saying no once the decision has been made several levels above their rank won't help anyone because if they don't implement the feature their replacement will.

> I wonder why someone who knows how to do any of that, would think it is a good idea or go along with implementing that

The age-old answer: money.

The nasty dilemma that capitalism poses is that of "take the moral high ground" vs "know whether I'll afford rent next month". It's not your moral compass that determines your worth to society, it's how much people are willing to pay you for your work. If they aren't, you are worth so little to society that you may be out of a home.

Developers may be in a pretty sweet situation, generally, but if you don't have money saved or another job lined up you don't have much choice.

I also think that people are great at finding excuses for what we're doing. I've read somewhere about a hypothesis that conscious thought is mostly just intellectual justification for subconscious urges.

> I wonder why someone who knows how to do any of that, would think it is a good idea or go along with implementing that

Modern silicon valley is built off people implementing similar pervasive tracking, without it there is no google, facebook and many other startups. Not to mention online newspapers and everyone who makes money indirectly from the tracking.

I agree it's a bad thing, but that ship sailed long ago and things like the GDPR are only just starting to bring it back.

Personally I have absolutely zero qualms with implementing any system to collect mass analytics. I just don’t give a shit, at these scales users are cattle.

Given the volume of data, I don't care as much on an individual level since each person is a drop in an ocean, but knowledge is power, and this is too much knowledge for ISPs, advertisers, and government agencies.

In the mid 2000s it was common that several large broadband ISPs would have folks on their DNS team selling DNS traffic data under the table to people engaging in domain tasting and other things. It was only a matter of time until the ISPs realized they could wet their beak with the same info.

I assume that all US TLAs have (or could have) access to all data that my ISP logs (or could log). That's just how it is. Given government ~monopoly on force.

And that's why I use VPN services. But the same is true for VPN services, regarding US and/or other TLAs. So I use nested VPN chains, to make it harder to get complete data.

And when it really matters, I add Tor to the mix. Even if it's heavily infiltrated by US TLAs, there's at least the chance that it's also heavily infiltrated by TLAs of US adversaries. So, Dog willing, maybe they cancel each other out, at least somewhat.

So if VPN over Tor (or Tor over VPN) increases anonymity then why is it the popular advice on the Net is not to do it?

I mean routing traffic to Tor entry guards through VPN services. The Tor Project does indeed not recommend that. They argue that using a VPN service is risky, because it can log everything. Where access to entry guards is blocked, they recommend using bridges (of one sort or another) run by Tor volunteers.

I don't agree with that argument. Because ISPs can already do that. And for most people, their ISP is far more likely to be cooperating with their local adversaries than some random VPN service is.

And for what it's worth, one of Tor's inventors (Paul Syverson) has agreed publicly that there are reasons to access Tor through VPNs. Basically, when you don't want your ISP to know that you're using Tor. Indeed, if I were a CIA agent using Tor in Iran, I probably wouldn't want the ISP to know that I was using Tor.

But I don't trust VPN services either. So I use nested VPN chains. That's basically the same approach that Tor itself uses, routing traffic through multiple (three) relays. So no one relay (or for me, VPN service) knows both who I am, and what I'm doing online.

There's also the issue of trusting the Tor network. Some argue that it's compromised by US TLAs. So with a nested VPN chain between me and entry guards, I'm less concerned that some TLA is running them. But even if that's just paranoia, there have been bugs that deanonymized users.

For example, some years ago, CMU researchers exploited the "relay-early" bug to allow malicious entry guards and exit relays to exchange information, and so learn that they were routing the same circuit. That allowed said CMU researchers to deanonymize Tor users. The FBI learned of this, and subpoenaed the data. And lots of people went to jail over it. Mostly drug dealers and child pornographers, but whatever.

However, routing VPN services through Tor is a totally different matter. If you do that, your anonymity depends entirely on how anonymously you've obtained, paid for, and used the VPN service. If you used an email address that's linked to you, you're screwed. If there's a money trail in paying for the VPN service, you're screwed. If you ever use the VPN account without Tor, you're screwed.

And even if you manage all that anonymously, the very fact of using a VPN through Tor decreases your anonymity. That's because Tor by default switches circuits at ten minute intervals. But when a VPN is connected through a Tor circuit, that circuit is pinned. So by using a VPN through Tor, you've blocked one way it increases anonymity.

It seems you take your privacy very seriously. But isn't it futile? I mean, the common layman response to privacy issues is something on the lines of "I'm not a criminal terrorist so what do I care". They have a point, the individual doesn't really bear direct consequences of losing privacy (unless he is a terrorist, criminal etc). The privacy issue is a social one, only when masses of individuals are spied upon, then nasty stuff may happen. So while your efforts are serious I'm wondering what is their point. I don't see any solution for this surveillance society we ended up with other than regulations through our government representatives.

I don't think of myself as a criminal or terrorist. But then my moral code is fundamentally from Aleister Crowley. So I'm well aware of the possibility that others might consider me a criminal or terrorist.

Even if there were laws and regulations that better protected privacy, you couldn't count on that. You can't trust government agencies, because they stretch the limits, and outright lie about what they do.

I also do it because it's fun.

Perhaps because downloading Tor (or even searching for it / visiting its website) demonstrates an active interest in thwarting surveillance.

Almost by definition, that means you're worth taking a closer look at.

Once you're under the microscope, you'd better hope your opsec is flawless or that your activities are completely boring, or else the $TLA knows exactly what you've been up to, TOR or not.

Disclosure: my activities are completely boring, and I don't use Tor, VPNs, or anything like them.

> Disclosure: my activities are completely boring, and I don't use Tor, VPNs, or anything like them.

That's not what our logs show.

That's why more people should use it. You can't take a closer look at everyone.

Theoretically, maybe.

Self-interest rears its head, though. If you don't have anything to hide, running Tor is extra work you don't gain any benefit from. Arguably you just subsidize those who use the tools for evil.

I have yet to be convinced that full anonymity is actually a societal good.

As a pragmatic defense against corrupt governmental agencies, it is probably useful.

I'm not so sure it's a net gain for society as a whole.

And, in a nutshell, I suppose that's why I've never gone down this road.

There are many legitimate uses of Tor. Like opposition in oppressive regimes. But criminals probably make the most out of it. The thing is, it might be the most convenient tool nowadays for selling drugs, etc., but if you remove it, criminals will find other ways to connect. Some will be caught, but most won't. And good people might lose a valuable tool to defend themselves.

That's certainly a good argument.

I'm not trying to say Tor is all bad, just explain why I don't use it and why I'm not sure it's an unmitigated good.

> Perhaps because downloading Tor (or even searching for it / visiting its website) demonstrates an active interest in thwarting surveillance.

Not if you access tor over VPN. VPN hides all traffic from ISP and Gov. Obviously, make sure your browser does not use Google or Cloudflare DNS.

Only hides it at the VPN entry point ~ you have to trust the VPN endpoint isn’t giving up your info too!

Except that you don't need to trust anyone, entirely.

That's the point of nested VPN chains. Let's say that you have three different VPN services in the chain. The first VPN knows your ISP-assigned IP address, and the IP address of the second VPN server. The second VPN knows the IP address of the first VPN server, and the IP address of the third VPN server. The third VPN knows the IP address of the second VPN server, and the IP address of the site that you're accessing.

An adversary would need information from all three VPNs, or from their data centers and/or ISPs.

You're still vulnerable at the operating system and hardware level. It doesn't matter what you do after booting up if your computer has already been successfully infiltrated from the hardware/BIOS/OS initialization that always happens before.

I have considered those issues.

I don't use hardware that I've purchased using my meatspace identity. The machines mainly come from yard sales and swap meets. Typically nowhere near where I've lived. And all purchased with cash. So I'm pretty confident that they're not backdoored. I have purchased SSDs from stores, but also for cash.

I'm relatively confident that Debian hasn't been backdoored. Windows perhaps, but I rarely use it, and only in VMs.

Do you also browse the web through a daemon that emails you pages, Stallman-style?

I'm not sure that I see the point. I mean, the daemon would need to run somewhere. And it'd need to render stuff. I guess that there'd be less going on, so less that's exploitable.

But no, I haven't done that.

I mainly depend on compartmentalization. This VM runs on a host that contains no information about my meatspace identity. And the machine with that information is on a different LAN.

Edit: But upon reflection, I have done something like that. Sometimes I run remote dedicated servers. Accessed via Tor (via nested VPNs) and paid with well-mixed Bitcoin. With LUKS and dropbear, of course.

If I run VirtualBox, I can basically do the same thing I do locally. I use pfSense VMs as VPN gateways, to create nested VPN chains. And then Whonix instances, which hit Tor through those VPNs. And I access the remote VMs via VRDP via SSH via Tor etc.

I do, and it all goes over nested VPNs/Tor, but my solution is different than the one mirimir uses.

My first reaction on reading this is that it sounds expensive and difficult to configure. It also reminds me a little bit of how I understand tor to work - is that accurate at all?

At a superficial level, it's exactly how Tor works. Except that there's a static chain, instead of a constantly churning mix of circuits. Each of which uses a different set of three Tor relays. Also, each socket from each app uses a different circuit. And circuits, by default, only last ten minutes, and are torn down and rebuilt whenever a socket resets.

It is expensive, I suppose. In that you must pay for multiple VPN services. I probably spend a few hundred dollars per year, on average. But that's ~nothing for me.

But it's not that difficult to configure. I use pfSense VMs as VPN routers. And pfSense has a very intuitive WebGUI. To create nested VPN chains, I just successively NAT one VPN router through another. Using VirtualBox internal networks. And pfSense optimizes MTU automatically.

Once it's setup, you just run the VMs, and it works.

VPN hides all traffic from ISP and Gov.

VPN like... Onavo?

Very funny :)

No, VPN like AirVPN, IVPN, Mullvad or PIA.

Usually because it is very slow to do so.

And anything that likes a persisted connection is likely to get a lot of connection resets. Like websockets (slack) or irc

In my experience, Tor through VPN services isn't substantially slower than Tor alone. I only know that from experiments using VPS, however, because I've never used Tor (or I2P or Freenet, for that matter) directly.

VPNs through Tor also aren't substantially slower than Tor alone. And indeed, one can use MPTCP to aggregate multiple VPN-via-Tor connections. But only between suitably configured devices, of course.

regardless of "substantially slower" it is indeed slower, I guess it depends on your VPN link, but at the very least your MTU has to be considerably smaller meaning more round trips for "large" objects (anything over 1KiB essentially)

Sure. But as they say, speed kills.

Seriously, higher latencies and lower traffic peaks likely improve anonymity.

How do you know this fact?

I worked for a Comcast subsidiary in the 2010-2011 timeframe. The company owned the network end to end. They had about 250k subscribers at the time across 4 states and at the time was the first DOCSIS 3.0 network in the US. They were collecting DNS log data back then. I've been told that hasn't stopped and has progressed. Don't trust your ISP to not be passively monitoring. This particular ISP had closets full of old Sandvine [0] hardware as well that I ran across one day. I asked what the hardware had been used for and the answer was simply: "network monitoring for law enforcement". At the time all of that old gear had been decomm'd. But as I've said in older posts the DC had a hands off, tamper taped mobile rack that was plugged into core routing installed by a 3 letter agency while I was employed. This was pre-Snowden and post 9/11, likely courtesy of all those fun programs we found out about that Clapper denied.

[0] https://en.m.wikipedia.org/wiki/Sandvine

We'll know how much this will affect those TLAs when the government suddenly gets involved for some altruistic reason to block DNS over HTTPS. "Don't let google take over the internet!" "Time to break up big tech!"

I find it interesting that Google and CloudFlare are now the scapegoats. I mean, it's not like DoH isn't configurable and we don't have a choice.

Not attacking Google - their approach here is fine.

But Mozilla switching people is a worry for me. Sure people “have a choice” but in reality expecting the average Joe who doesn’t even know what DNS is to make an informed decision about it is unrealistic.

Meanwhile Mozilla has started sending a list of every domain you visit to a US company subject to US law enforcement. Not ideal.

>Meanwhile Mozilla has started sending a list of every domain you visit to a US company subject to US law enforcement. Not ideal.

Do you have an article which explains this?

Mozilla only started doing that for US users.


Thanks for the explanation. I was curious about some more specifics:

- How was the DNS logged?

- Was every query logged, or only unique queries?

- Was it combined with other data?

- How long was it searchable for?

- What were the DNS queries used for? Simply sold to 3rd parties? If so, who was buying?

I’m friends with solutions engineers at Hortonworks and Cloudera. It’s possible I’m wrong, and since this is anecdotal evidence I see “fact” isn’t a valid use here.

I recall wanting to do research in university and needing this data. It would tell me how frequent bit flips are in dns traffic.

And in anonymous, aggregated form (e.g. only include domains that were accessed by multiple customers, the frequency per day and domain name, maybe geographical data precise to a region corresponding to a million people), I would be perfectly fine with this, even if it gets sent to ad companies. I'd not like it, but I'd also not see the harm and there is a lot of money involved, so if we can't stop it then I'll be fine with it in a basic form (aggregated). At least until we decide that trying to optimize manipulating/influencing people is brainwashing (I'm undecided whether playing psychological tricks on people while they try to get groceries or look for information online or whatever is morally okay).

What's their endgame in doing this?

It used to be illegal for ISPs to use web browsing data for advertising purposes but the Republican House, Senate and President passed a law allowing them to make it an opt-out.


Good article, but no link or details on how to actually opt-out?

Up to implementation:


all the major ISP lobby groups signed on to a voluntary set of privacy principles based partly on the FTC framework. They specifically pledged to follow FTC guidance for opt-in consent before sharing sensitive information and to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” Browsing history would be subject to an opt-out system.

Harris encourages Internet users to go to their ISP’s website or call the ISP to figure out exactly how they can opt out of tracking. It’s not convenient, but the option should be there.

I worked at a couple of major telcos at my country, and at the last one - where we had literally millions of active ISP and mobile users - we were approached by a company willing to pay for DNS resolver data. It is definitely a thing (and possible income source) even if you don’t do that kind of analytics yourself.

But I’m fascinated by the legal implications. Right now in Portugal sites are DNS-blocked for copyright reasons (IIRC without the need for what you’d call full legal oversight, just a sort of loose arbitration with the local equivalent of the RIAA), and this is going to play merry havoc with that.

(Uber’s website was also DNS blocked for a while due to hassles with licensed cabs, which was interesting because the mobile app never stopped working — can’t remember if it was an actual court order, but this should give you an idea of how technically clueless some people are over here...)

I'm living in Kazakhstan which blocks some websites. Also Russia blocks a lot of websites. I can't wait to see how eSNI will play out with all those blocks, if Cloudflare and other big networks will dare to roll it out.

Cloudflare collaborates with censors and reserves a fixed IP for the blocked site so censors can block that IP, they don't block by DNS, eSNI won't help, use Tor.

Here in the UK Sky recently pushed out an update to their firmware which made it impossible to use another DNS server other than theirs. There was a decent amount of push back, I managed to get them to downgrade my firmware but who knows how long that will last before they "accidentally" update it again.

I use Sky. I wasn't aware of this. :(

I also use my own router so I assume it doesn't affect me or does this mean that their network doesn't allow other DNS servers?

How would that affect a VPN? I use PIA and they have their own DNS servers.

I'll need to experiment with this when I get home I think.

> How would that affect a VPN?

If your DNS requests are going over the VPN then you will be fine as they will be in the encrypted tunnel before they travel through your router so it can't do anything about them. A change to the router firmware won't be able to override DNS server settings on other individual hosts.

If your router is providing the local VPN endpoint then that is another matter, but IIRC PIA runs on your local station. Do check that it is in fact setting your machine to send DNS requests over the link. I'd be surprised if it wasn't, but you never know.

Don't you run an own router/firewall behind the ISPs? I own my internet facing router AND I run a second one for sensitive parts of my network. As well, I run an own recursive resolver.

What's the best way to tell if they're intercepting queries to other dns servers and replying themselves?

Say I manually set my dns to, is there a way to tell if the replies are really from

> What's the best way to tell if they're intercepting queries

Set up a simple DNS resolver in an external VM (use a service like DO where you can pay by the hour, and the test will cost you at most tens of pennies), configure it with a DNS zone that the rest of the Internet does not know about (thisdoesnotreallyexist.net). Then if you try to query for that domain from that server but get an NXDOMAIN response your query was probably intercepted (of course test from other locations too, to make sure the problem isn't a mistake in the new resolver's config).

Or you could configure the test resolver to give different answers for an existing domain, of course, and check for which addresses you get back instead of checking for address or error - that would essentially be the same test.

Or, he says, thinking of the obvious after explaining the more long winded, if you have a DNS server in your control, simply turn on the relevant logging options and run a query against it and see if your query turns up in its logs.

This assumes they are intercepting and NATing all standard DNS requests (usually on UDP & TCP port 53), rather than just DNS traffic going to a list of known alternative DNS services. If they are doing the latter then there are tests you can do that rely on timing and TTL settings (get their server to cache a result, change the name->address mapping, then ask or similar and see what answer you get).
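The canary-zone test described in this post, written out as an added example (not code from the thread or from any of the posters): it builds a raw UDP query for a name in the private zone, parses the reply, and reports whether the answer carried the canary address (your own resolver answered), came back NXDOMAIN or with a different address (something in the path answered instead), or never arrived. The TTLs in the reply are returned as well, since a TTL counting down from a value you never configured is the cache-based tell the post mentions. The resolver address and canary address in the `__main__` block are hypothetical placeholders from documentation ranges.

```python
import random
import socket
import struct


def build_query(name, txid=None, qtype=1):
    """Build a minimal recursive (RD=1) DNS query for `name`, type A by default."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Read a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32:                  # refuse pointer loops in a hostile reply
                raise ValueError("compression loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (txid, rcode, [(name, ttl, ipv4), ...]) from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # A record
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return txid, rcode, answers


def classify(response, expected_txid, canary_ip):
    """Decide whether the reply came from the test resolver or from an interceptor."""
    txid, rcode, answers = parse_response(response)
    if txid != expected_txid:
        return "unexpected-txid"
    if rcode == 3:                         # NXDOMAIN: a resolver that does not know the zone
        return "intercepted"
    if rcode != 0:
        return "error-rcode-%d" % rcode
    if canary_ip in {ip for _, _, ip in answers}:
        return "reached-test-resolver"
    return "intercepted"                   # NOERROR but a different address: someone else answered


def probe(resolver_ip, name, canary_ip, timeout=3.0):
    """Send one query to `resolver_ip` and classify the reply (needs network access)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid=txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no-reply", []
    finally:
        sock.close()
    ttls = [ttl for _, ttl, _ in parse_response(data)[2]]
    return classify(data, txid, canary_ip), ttls


if __name__ == "__main__":
    # Hypothetical values: your own VM's address and the canary address its zone returns.
    TEST_RESOLVER = "192.0.2.10"
    CANARY_IP = "203.0.113.7"
    print(probe(TEST_RESOLVER, "probe.thisdoesnotreallyexist.net", CANARY_IP))
```

Run it from the network you are testing and again from somewhere else; a "reached-test-resolver" verdict elsewhere but "intercepted" at home is the interception signature, while "intercepted" from both places points at a misconfigured zone on the VM, as the post warns.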

With no changes to your setup it is actually impossible. DNS as it currently exists is a plain text protocol.

If you run your own DNS server at your local machine you can enable DNSSEC, which will protect against manipulations for domains that have that enabled. A recursive DNS server is pretty easy to set up and it's a step towards running your own authoritative server in the future for private domains.

If you want to resolve using google's DNS servers and be sure it is really them then the only method that I know that is also supported by google would be DoH. The other encryption method they support, DoT, does not provide authentication and draft-bortzmeyer-dprive-resolver-to-auth-00 is to my knowledge not implemented by google.

If you want a bit more privacy and have a mix of the two above then go with a VPN or build one yourself. Just note that without DoH you won't be authenticating between the VPN and google, so I would just use a resolver at the VPN.

If you run your own DNS server at your local machine, you'll be exposing all your queries to your ISP, which will log and monetize them. You'll gain support for a DNSSEC protocol that virtually nobody on the Internet uses --- DNSSEC only functions on signed zones, and in 25 years almost nobody has signed a zone --- and so your ISP will almost always be able to manipulate your queries anyways.

If you use google servers under plain text you will be exposing all your queries to your ISP and to google, which will log and monetize them. DNS under plain text is so easily captured that all entities (the ISP that spans the traffic to google, google itself, and the ISP that spans from google to the resolver) can capture, log and monetize the information. Monetizing can occur by logging who queried and what was queried, either as a combination or in isolation. A lot of companies consider the latter to not be private information or covered by GDPR.

The effectiveness of DNSSEC depends on where you are. If you live in the Netherlands or Sweden and visit mostly Swedish or Dutch sites then a larger portion will be signed.

I noticed they were doing this when I saw that in-band DNS updates were failing. Eventually I realised that my router (or something upstream of it) was returning an error to the client rather than passing through the GSS-TSIG-signed nsupdate packet.

So far I have been unsuccessful in my attempts to get through to a technician who knows anything other than "try turning it on and off again". I suspect this policy is deliberate.

of course: dnsleaktest.com

If it is not "encrypted" (with some form of end-to-end encryption, like HTTPS or SSH), you don't.

An NSLOOKUP will tell you the DNS server that your query went to.

Unfortunately that will not help: if the requests to other servers are NATed when they hit the router it will look like your request went elsewhere when in fact it went to Sky. nslookup is reporting what it tried to connect to for an answer, not what actually answered.

ISPs can man-in-the-middle spoof that too, right?

Even if you intercept and nat traffic going to UDP/53?

> which made it impossible to use another DNS server other than theirs

'cause DNS logs & user data bring them good money, so they just defend their business.

BT's DSL router/modems also only hand out BT DNS servers. You have to turn off their DHCP server and run your own to be able to hand out anything else.

Their tech support (the one that's "if we solve the problem we'll charge you") said they could not solve this for me.

Interesting. Time to switch ISP then.

We agree that ISPs should not need to view your browsing data without your consent. But there are many technical reasons for an ISP to want to run DNS outside the resolver privacy conversation:

For one some ISPs run content filtering services. Some users prefer to concede extreme privacy for what they view as a safer browsing experience. It might not be your jam, but it exists.

DNS is designed to be provider independent. It literally does not matter if a Google or Cloudflare or OpenDNS or DNSFilter or your ISP resolves requests. It was designed this way so that the system could be distributed and so that there is not a single point of failure for the internet’s arguably most important system.

Its distributed nature means there are technical performance advantages to doing the above: reduced request latency, localized traffic routing and reduced bandwidth, etc. You don't need a giant anycast network to serve DNS. You just need to use the servers closest to you.

This is a pretty silly debate. All you have to do is look at AT&T's DNS, see it hijack NXDOMAIN to send you to ad sites, and know that mainstream ISP DNS isn't trustworthy. We don't need to weigh up counterfactuals.

I think the missing piece here is the constant focus on the US.

In Europe ISPs are under much stricter rules about data privacy and generally cannot do things like the above. Having worked for several ISPs here I’ve never found them misusing DNS data (although sometimes it was logged for a time for management / troubleshooting.)

For a European; with reasonable trust in my ISP, I don’t want Mozilla sending all my queries to a US company which can be forced to reveal that to the US govt, or use it for some other nefarious purpose.

FWIW I’ve never used my ISP DNS though have always run my own recursor at home.

I absolutely agree with you. I have more trust into my local European ISP than into Google, Cloudflare and such.

Nobody is asking you to trust Google more than you already do (if you don't run Chrome, this doesn't impact you at all). But the real question is: do you trust your European ISP more than anybody else that might ever run DNS for you? That seems like an extraordinary amount of trust. What DoH allows you to do is trust someone, anyone else to safely run DNS for you, without exposing anything to your ISP. That's a capability you think Europeans shouldn't want?

Mozilla is only enabling DoH for US users, and Chrome is only enabling DoH if you were already using a DNS provider that also supports it.

Wouldn't the US company resolver be based in the EU though and subject to EU Law? That would have to be the case without the DNS resolver having ridiculously slow DNS query times.

I don't think the US govt can ask for data present/originated from the EU.

This seems pretty wrong. I seem to suck at googling such topics, with [0] being an okay-ish summary. And from what I understand, this is only law enforcement, thus does not even mention NSLs and such.

[0] https://www.lexology.com/library/detail.aspx?g=5649fdce-4345...

I’m not saying that some ISPs aren’t malicious. But to say there is no reason for an ISP to serve DNS is absurd.

There is no reason for ISP customers to use ISP DNS, given the available alternatives, and this will become even clearer as more people boot up DoH resolvers as alternatives to Cloud Flare.

Again this is absolutely false. Your ISP, and nobody else, can deliver the lowest latency and quickest path DNS resolution short of other providers paying ISPs for last mile fog boxes (as some DNS providers do). Why can’t my ISP support DoT?

But that also highlights a huge misconception about DoT/DoH: it only provides privacy to the resolver. It does not make your requests private in the eyes of the server or spanning the recursive queries that may be required during resolution. I’m not particularly compelled to trust Cloudflare more than OpenDNS or whatever. It’s the same situation with VPN.

Anyway it’s well known that the actual solution for people concerned with utmost privacy is a round robin resolver selection strategy. It’s super easy to implement... why aren’t browsers providing this type of option?

My ISP’s DNS servers take longer both in round trip and total resolution time compared to both and and I have both Comcast and AT&T in an urban area. While this might have been true in the past, that is definitely no longer the case in a lot of areas.

> Your ISP, and nobody else, can deliver the lowest latency and quickest path DNS resolution

Ha! Tell that to Verizon, 'cause I'm pretty sure they're not aware of it.

> Why can’t my ISP support DoT?

They can, and I would be fine using it if it were a) fast, b) reliable, and c) (here's the big one) legally required that they not log or do anything with my queries.

As it stands, Comcast's provided resolver is somehow slower than some of the third-party providers for me, and I don't care to give them the ability to sell my DNS data.

I don't think anyone is arguing that there's no reason for an ISP to serve DNS.

> There is no actual technical reason why they should care if you use their DNS servers or something else, even a private, encrypted DNS service.

That’s the part of your comment I am replying to. Anyway I see you’re arguing ISPs shouldn’t care which provider you use, not that they shouldn’t want to default you to running their own. Perhaps I misunderstood your point.

Regardless I’d argue the problem in the us is that any DNS provider can abuse your data. Today it’s big ISPs, tomorrow it’s Cloudflare. Unless we actually prevent (technically and/or socially) DNS from being an open book and develop strategies to mitigate the privacy issues it’s just a game of pick your poison, and that‘s what bothers me.

Your reply was:

> But to say there is no reason for an ISP to serve DNS is absurd.

The part of my comment that you quoted does not at all say that. (In fact, no part of my comment says, or even suggests, that.)

I agree that any DNS provider can abuse your data, but it's important to look at incentives. Comcast doesn't care one bit about its public image because it already has a terrible one, but customers have no choice in the matter, so Comcast's public image is mostly irrelevant.

Several DoH providers bill themselves as privacy-focused, and make privacy a big point in their marketing around their DNS service. Violating that privacy would be damaging to their product and reputation, in a way that they'd likely care quite a bit about.

I'd rather just have my local resolver have a list of 5 or so DNS providers with reasonably low-latency presence in my area (possibly including the local ISP, even, who knows), and just round-robin requests to them. There's really no way to make DNS not an "open book" as you put it; you can't ask someone to resolve a hostname for you without telling them what the hostname is.

So yes, we need ways to mitigate harm. Unless a provider has their reputation on the line, I don't really see a way to keep providers from doing sketchy things with your data, at least not without legal regulation. It's not like things like the EU's GDPR and California's CCPA were dreamed out of nothing; they came about because people have started to realize that companies just will not act as good stewards of our data unless we legally mandate toothy financial consequences as punishment.
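The "list of a few providers, round-robin the requests" setup this post describes (and the round-robin resolver selection a post further up calls easy to implement) as an added example, not code from the thread or from any poster: a small UDP forwarder that relays each client query, unchanged, to the next resolver in a pool, and sidelines a resolver for a few turns when it times out, which is the fallback behaviour mentioned elsewhere in the thread. The listening port and the penalty length are my choices; the upstream addresses in `__main__` are the public resolvers the thread names (Cloudflare, Google, Quad9).

```python
import socket
import threading


class UpstreamPool:
    """Round-robin over several resolvers, skipping one for a few turns after it fails."""

    def __init__(self, upstreams, penalty=3):
        self.upstreams = list(upstreams)
        self.penalty = penalty
        self._skip = {u: 0 for u in self.upstreams}   # turns left to skip, per upstream
        self._i = 0
        self._lock = threading.Lock()

    def next(self):
        """Pick the next healthy upstream; if all are penalised, just take the next one."""
        with self._lock:
            n = len(self.upstreams)
            for _ in range(n):
                u = self.upstreams[self._i % n]
                self._i += 1
                if self._skip[u] > 0:
                    self._skip[u] -= 1
                    continue
                return u
            u = self.upstreams[self._i % n]
            self._i += 1
            return u

    def mark_failed(self, upstream):
        with self._lock:
            self._skip[upstream] = self.penalty


def forward(query, pool, timeout=2.0, port=53):
    """Relay one raw DNS query; returns (response_bytes, upstream) or raises RuntimeError."""
    txid = query[:2]
    for _ in range(len(pool.upstreams)):
        upstream = pool.next()
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (upstream, port))
            while True:
                data, addr = sock.recvfrom(4096)
                # accept only a reply from the upstream we asked, carrying our transaction id
                if addr[0] == upstream and data[:2] == txid:
                    return data, upstream
        except socket.timeout:
            pool.mark_failed(upstream)      # sidelined for `penalty` turns, next one is tried
        finally:
            sock.close()
    raise RuntimeError("no upstream answered")


def serve(pool, listen=("127.0.0.1", 5353)):
    """Tiny UDP forwarder: each client query goes to the next upstream in the pool."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(listen)
    while True:
        query, client = srv.recvfrom(4096)
        try:
            response, _ = forward(query, pool)
            srv.sendto(response, client)
        except RuntimeError:
            pass   # the client will time out and retry


if __name__ == "__main__":
    # Public resolvers named in the thread (Cloudflare, Google, Quad9); add your ISP's if you like.
    serve(UpstreamPool(["1.1.1.1", "8.8.8.8", "9.9.9.9"]))
```

Point a local stub resolver at 127.0.0.1:5353 to try it. Every query still leaves in plaintext, so the forwarder does nothing about the "open book" problem itself; what it changes is that no single provider sees the whole list, which is exactly the mitigation the post is after. Putting the forwarder behind a local cache (or a DoH/DoT-capable stub) cuts the number of queries that go out at all.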

> Its distributed nature means there are technical performance advantages to doing the above: reduced request latency, localized traffic routing and reduced bandwidth, etc. You don’t need a giant any cast network to serve DNS. You just need to use the servers closest to you.

My issue with this is that I've never been with an ISP that had a faster response time than Cloudflare/Google - and one would think they should, after all, my ISP should be able to reach me as quickly (or quicker) than any other corporation.

My current ISP has the fastest DNS benchmarks I've seen, and they're at 81ms for an uncached response, vs Cloudflare's 63ms and Google's 69ms. Cached response is similar (since I have a local cache).

In addition, my ISP does not provide DoH/DNSCrypt/DNSSec. None. Just 'vanilla' DNS. Furthermore, they also don't provide an unaltered DNS service: they block some websites from resolving, the list isn't made available, and is decided via extrajudicial means. You cannot opt-out, and all ISPs in the country adhere to this. They're not forced by law to do so. I'm also not in what's normally thought of as a repressive country: it's a member state of the European Union, after all.

There are very good reasons for people to be outright hostile to ISPs and their shady underhanded practices, as you're seeing in this discussion. I feel that it is in any mostly online-based organisation's best interests to expose those practices.

> In addition, my ISP does not provide DoH/DNSCrypt/DNSSec. None. Just 'vanilla' DNS. Furthermore, they also don't provide an unaltered DNS service: they block some websites from resolving, the list isn't made available, and is decided via extrajudicial means. You cannot opt-out, and all ISPs in the country adhere to this. They're not forced by law to do so. I'm also not in what's normally thought of as a repressive country: it's a member state of the European Union, after all.

Would Cloudflare/Google?

Many of us do consider EU nations repressive states, especially as regards protections for unpopular speech (and armed self-defense, but that's less relevant here).

It's quite possible that EU member states simply have different philosophical views and considerations as to the value and effects of freedom of speech. In fact, the United States is quite exceptional, but it too draws the line somewhere (assault, threats, child pornography).

Yes, that's probably true. Just because I say repressive in a pejorative tone doesn't mean the people who live in those states are bothered by it. They may prefer not to have to hear some of the speech I find regrettable but a necessary cost of freedom. (I think there's a very good argument for drawing the line where the US does and not somewhere else, but that's a different matter.)

Not sure why you're being downvoted. Personal freedoms are awful in the EU, but it's in exchange for increased safety and economic stability. Obviously an amazing tradeoff.

I'm taking issue at the hyperbolic nature of the comment. I'm not an ISP apologist. But to say there are zero technical reasons for an ISP to want to provide DNS is unfair and incorrect.

Cloudflare and Google pay ISPs for the latency they get, FWIW. If I made my own resolver service today I would not be able to compete with your ISP without forking over $$$.

I don't really understand why you keep repeating this claim that we're arguing that there are zero technical reasons for an ISP to want to provide DNS. No one is saying that.

Perhaps you misunderstood my original top-level comment. If that's the case, let me try to clarify: ISPs have zero technical reasons to complain that people are using alternative resolvers. I totally see why they want to provide DNS resolvers, and that makes perfect sense. Unfortunately, part of that "want" is so they can sell DNS query data to third parties, which is just another reason why I don't want to use them.

Yeah that’s what happened my bad. Anyway, see my other comment: I still don’t think simply being able to choose your resolver as a consumer is enough. We need to defend against abuse technically and socially. It really shouldn’t matter which DNS provider you do use.

> Cloudflare and Google pay ISPs for the latency they get, FWIW. If I made my own resolver service today I would not be able to compete with your ISP without forking over $$$.

I think the main reason for this is even if your competitor grew like a weed, it would be a decade or two before you had the scale to justify rolling out a CDN/caching infrastructure like that of cloudflare. That's not a matter of simply paying ISPs money.

Do peering agreements usually have money exchanged if they're already both at the same IX?

I don't think any of these things justify the ISP's response.

Regarding content filtering services, in that case the user is specifically opting in to that service, so they won't need or care to use an alternate resolver.

I agree that, ideally, you would use a resolver that's close to you in order to minimize latency and increase reliability, but:

1) This requires you to trust your ISP. Many people don't, and with good reason.

2) ISP DNS isn't exactly always the most reliable or fast thing anyway. I easily get better latency from Cloudflare or Quad9 (their old-school Do53 stuff, not the new-fangled DoH) than from Comcast's resolver.

And regardless, if your DoH provider of choice goes down, you can always fall back to a different one, or to your ISP's resolver.

The fact that some nasty hacks used to work doesn’t require anyone to keep them working. In fact, the sooner they stop working the better.

ISPs are still able to run their filtering version of DNS server which the users are able to opt into. Nobody is going to take this away from them.

But that is not a valid use case for filtering dns requests to other services.

I'd separate "valid" and "reasonable". UK ISPs have a "valid" reason to DPI DNS and block pornhub, but i wouldn't say its reasonable for them to mess with internet packets not destined for their network. Thankfully DoH pressures them to suck it up and accept that blocking needs to be done by parents via parental controls.

That's what I'm saying. They can run their own DNS that people can opt into. They can provide those parental controls as well.

But DoH is provider independent. It's just like I can swap out AT&T's regular DNS service for Cloudflare's in my home setup. Which I did.

Mozilla's move to reconfigure Firefox to use DoH is a bit sneakier, but it fits with their privacy stance and their low market share does give them cover.

To be clear I’m not arguing against DoH/T. I’m arguing that there are technical and product reasons an ISP might want to run DNS.

That is understandable. But when the majority of US ISPs are monopolistic or oligopolistic organizations with zero oversight (Ajit Patel), it becomes harder to argue that sell.

Actually everyone should prefer the other guy do it rather than host it themselves. Either way the bits have to be transported to the same colocated facilities it's a matter of who has to pay for and operate the servers.

At least Cloudflare has KPMG audit them on their privacy claims. Better than nothing.

That made me curious to see who runs KPMG and whether it itself is trustworthy.

There is this: https://en.wikipedia.org/wiki/KPMG#Controversies

and then there is this:


At the end of the day, any grouping of individuals is a (partially biased) sample of the society in general. The role of media and education is fairly decisive in forming social norms. We may have one or two lost generations of engineers following orders, but as Joe said, 'The future is unwritten'.

> Actually everyone should prefer the other guy do it rather than host it themselves.

This isn't true. If you're hosting it, you can control it and you can make sure that it's always operational. The last thing you want is a 100 phone call of "my internet isn't working" and then trying to explain it's not your fault, but rather it's "some other guy".

If Google/Cloudflare are having significant issues resolving DNS everybody is getting a call anyways.

Not sure I understand. If you're using your ISP's DNS service, majority of your requests are going to hit their cache. You shouldn't notice any downtime as long as the cache doesn't expire.

I mean if all of Google/Cloudflares anycast resolvers go tits up I'm going to get endless calls regardless if the end user can resolve a cached name or not.

> If you're using your ISP's DNS service

Or you can ask a domain's authoritative nameserver directly. Using an intermediate caching resolver isn't required. Recursively resolving the DNS query locally only requires asking a centralized nameserver for a domain's authoritative nameservers (the NS records), which can usually be cached locally for a long time. Every other request is compartmentalized to different servers by domain delegation.

Or do both; configure your local resolver to try recursively resolving a request, and fall back to the ISP (other) cache if needed.

Tried searching, but couldn’t find a report by KPMG. Has one been produced already or is this a future thing?

Regardless, impressive step to take.

That's a good question, they said it would happen annually so they should have had one by April 1st 2019. I put a question into support, we'll see if it goes anywhere.

Have you checked April 2 for any posts revealing the joke? :)

From the launch page: https://blog.cloudflare.com/announcing-1111/

“Seriously, April 1?

The only question that remained was when to launch the new service? This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we're geeks at heart. has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.”

Seems like they were pretty serious with it. :)

Same post mentions KPMG.

Could the collected DNS info be used for their own proprietary investment? I was reading a book about Koch industries and it made me think about the potential that most of the infrastructure companies could have outsized profit out of the derivative investment based on the information gathered from the business they are better known at.

We already know they do - they’ve injected ads + “suggestions” instead of dns failures in the past.

They’ve also injected permanently unique cookies in http requests.

ISPs can’t be trusted as dumb pipes, they’re closer to “clueless criminal” pipes.

But I agree with you, I don’t particularly trust google either.

Google's design doesn't ask you to trust Google more than you already do if you use Chrome. It doesn't default you to Google's DNS servers, will honor your current nameservers, and will upgrade you to DoH at any of those servers who support it. I'm honestly not sure what more you could ask for from Google on this particular issue.

Yes, Google used the right approach here. They honor your DNS settings, and upgrade it if it's available. Firefox, on the other hand, plans to force all of their users to trust Cloudflare by default.. and most users won't even know they made that change.

>Firefox, on the other hand, plans to force all of their users to trust Cloudflare by default.. and most users won't even know they made that change.

Mozilla has explicitly stated on their blog that they don't intend to make any change to a user's DNS settings without getting the user's consent.

>When DoH is enabled, users will be notified and given the opportunity to opt out


The problem is it’s just a banner with “ok” at the top, which clearly says “we’ve increased your privacy by (insert technical mumbo jumbo here).”

As Bert Hubert pointed out, to most users it ends up looking like this:


So? It's clearly beneficial for the average user.

As long as the people who don't want it can easily opt out, I'm not seeing the problem.

This is something I really think should be opt-in, even if it's via a notification toast.


The article itself says this.

The article?

So it's more like HSTS for DNS? Auto-switch to encryption if our chosen target supports encryption?

Because that seems MUCH more sensible than a lot of the stories/comments about this recently make it seem.

Yes, as Google plan to implement it, which is fine.

Most of the hullabaloo is about Mozilla, who are moving customers' DNS queries to Cloudflare en masse, regardless of what DNS server they have already configured.

No. The HSTS security model is per-site; the DoH model covers all sites. If you get DoH working anywhere, it's working for you everywhere.

The UI bug tracker is private so we don't know if there might also be a "select DNS resolver" option and/or a checkbox for "encrypt DNS" in Settings.

> Google's design doesn't ask you to trust Google more than you already do if you use Chrome.

So in other words trust them with everything.


A whole bunch of irrelevant retorts + a personal attack. I've never seen a comment more deserving of getting flagged than this one.

That's true, but Google has made no commitment to keep it that way.

I also don’t use chrome :p

Google has promoted its own DNS service over others in the past, including for non-chrome users, and presumably would do the same when DoH (in whatever form) is the norm.

I was simply saying we already know that ISPs misbehave, but presuming that Google wouldn’t is not necessarily a clear cut decision.

I still have something like 15 Spectrum Bogus NXDomains blacklisted on OpenWRT. When I set it up the page they were redirecting to was still the Charter page with a half done Find/Replace of Charter/Spectrum.

> There is no actual technical reason

There exist pure technical reasons too, from address translation to DNS-level routing and load balancing. For example, for an IPv6-only network to access IPv4 resources there needs to be something like NAT64 embedding IPv4 addresses into IPv6 ones, but that would require overwriting DNS responses with DNS64 to actually work [1].

[1] https://en.wikipedia.org/wiki/IPv6_transition_mechanism#DNS6...
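An added example, not from the comment above or the linked article: the address arithmetic that DNS64 and NAT64 share, using the RFC 6052 well-known prefix 64:ff9b::/96 (an operator may run its own /96 instead; the function takes the prefix as a parameter). The `aaaa_answer` helper is a stand-in for what a resolver hands an IPv6-only client, and shows the failure mode that matters for this thread: a third-party resolver that does not do DNS64 gives that client an empty AAAA answer for an IPv4-only name.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; operators may deploy their own /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64 side: embed an IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """NAT64 side: recover the embedded IPv4 address, or None for native IPv6
    (which the translator must route untouched)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def aaaa_answer(a_records, aaaa_records, dns64=True, prefix=WELL_KNOWN_PREFIX):
    """What a resolver returns to an IPv6-only client for an AAAA query.
    Real AAAA records win. Without them a DNS64 resolver synthesizes from
    the A records; a plain resolver (dns64=False) returns nothing, so the
    name is unreachable from that client."""
    if aaaa_records:
        return list(aaaa_records)
    if not dns64:
        return []
    return [synthesize_aaaa(a, prefix) for a in a_records]
```

The synthesized address is only useful if packets to it reach a NAT64 translator that knows the same prefix, which is why the resolver rewriting the answer and the network doing the translation have to agree.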

Keep in mind, encryption is not privacy. Encrypting DNS queries to a 3rd party resolver doesn't improve your privacy, it's a fight for control, not privacy. ISPs will still violate your privacy to the same extent, except said 3rd party will be able to do that too. If your ISP is not trustworthy the only way to save yourself from it is to use something like a VPN which effectively gives you a different ISP of your choice.

> DNS-level routing and load balancing

How do you mean? Why should my ISPs hijack communication between me and a content provider and reroute it? This is as if I'm in a phone meeting and when I say "let me call you back at 15:00" the phone company injects "19:00" instead, because that's a time the phone network is less loaded so it'd help them.

> NAT64 embedding ipv4 addresses into ipv6 ones

NAT64 is a good point, actually. But at least in 2019 if you're on IPv6 and switch to your own DNS server that doesn't do DNS64, then it just plain won't work. I doubt Firefox or Chrome will have implementations that break like that.

> If your ISP is not trustworthy

Or country.

Some authoritative DNS servers may respond with incorrect IP addresses for specific IP subnets of an ISP (i.e. pointing to unreachable or slow far away servers), so it could be useful to fix this either statically or by forwarding domains to another DNS resolver which gets proper responses. Things like that.

My experience is that things like that will obviously break more than it fixes. One cannot assume to know better between two third parties like that.

Half of global loadbalancing is getting around ISPs doing stupid shit they shouldn't have been messing with.

Excerpt from the letter sent to Congress.

>Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others. Over the last several decades, DNS has been used to build other critical internet features and functionality including: (a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the fastest, cheapest, and most reliable manner; and (c) assisting rights holders’ and law enforcement’s efforts in enforcing judicial orders in combatting online piracy, as well as law enforcement’s efforts in enforcing judicial orders in combatting the exploitation of minors. Google’s centralization of DNS would bypass these critical features, undermining important consumer services and protections, and likely resulting in confusion because consumers will not understand why these features are no longer working. This centralization also raises serious cybersecurity risks and creates a single point of failure for global Internet services that is fundamentally at odds with the decentralized architecture of the internet. By limiting the ability to spot network threat indicators, it would also undermine federal government and private sector efforts to use DNS information to mitigate cybersecurity risks.

While I definitely agree with the sentiment, I would much rather browsers used my own caching DNS server that I can configure to talk to root nameservers: this would be the best of both worlds (ISPs can't track me, and I wouldn't be handing data to another party either, except, well, root servers). I am sure it's going to be possible, but compared to setting it on my DHCP server, now every client's browser would need reconfiguration.

I don’t understand how that achieves anything.

If your DNS server is in the cloud, your ISP can still see your unencrypted queries to that server. If it is at home, your ISP can still see the unencrypted queries of that server to the root servers.

Unless you encrypt the traffic, DNS is transparent to the ISP whichever way you set it up.

And unless you are also using a VPN, the ISP can learn most of what it can learn with DNS just by looking at the IPs you send packets to. Most commercial websites that matter aren’t sharing IPs.

Oh sure, you are right. But the thing with collecting heaps of data is that it needs to be harder. If my ISP is going to filter and process all packets in realtime, sure they can get a lot of unencrypted stuff from me. In essence, other than heavy censoring countries like China, I don't think most ISPs do that (a number of users doing that is pretty small, so the effort on their part is not worth it).

And as you and others have said, it can be done by looking at IP addresses i connect to as well.

What I do achieve is that nobody has a "full" picture of me, but only some subset of data that I transmit.

I also use two independent ISPs in a loadbalancing/failover configuration, so that helps with the cause as well, though my primary use is fail-over since I am in this internet business :)

There has been an agenda against DoH from the start.

China is attacking it, ISP's are attacking it, all with loose arguments and fear-mongering.

They do use that information, it's not necessarily sketchy. They run analytics just like everyone else. In fact, one could argue Google's huge push for https was primarily motivated to deprive service providers of valuable data that Google has anyway.

>They do use that information, it's not necessarily sketchy. They run analytics just like everyone else.

First of all, I think the extent of the data collection that many companies engage in is sketchy.

That aside, if a website runs analytics that you don't like, you can stop using it. There are usually alternatives, if you're willing to give up some convenience. But if your local ISPs are monitoring you, not using the internet isn't really an option these days.

I really wish we didn't have to treat our ISPs as adversaries in that regard, but we've been at that point for a while.

Exactly; it's just the same old story with Google. We all know ISPs and Telcos are greedy af, but when Google is getting into providing DNS, they do it to close a loophole (from their point of view) where web visit sensor data is going to someone else; they really think they own the Internet. In this particular case, even if Google succeeds in establishing DoH via Chrome (and, sadly, also Firefox), ISPs will still get to see your IP data; they could try reverse-DNS lookup to get back domains, but this is much less targeted ever since HTTP/1.1 shared hosting. At the same time, Google is also engaged in AMP such that requests for many sites go to a single IP, with the actual requested site SSL-encrypted. What will happen next is that Google will, via piecemeal extension of HTTP/3, fuck up TCP/IP even more.

I hope somebody in regulation will finally stop Google and others to monopolize the web.

I consider most analytics use cases to be sketchy. To me, the onus should be on the company to prove to me that their use is not sketchy.

Could be caching too. A bunch of services like YouTube and Netflix, at least used to, use DNS to direct users to local servers. This enabled a better experience for the users and lowered the amount of bandwidth.

They also used this method to block region restricted content. Here in Aus Foxtel has a monopoly on all the good shows, they charge >$100 per month if you want access to everything on their crappy, ageing cable tv network. After Netflix blocked the vpn workaround, a lot of people went back to torrenting

I wonder if that will be a side effect of this. If the default is DNS via Google, then sites can differentiate on that and do nasty things like block non-google or give different results.

It's not ISP's business to spy on and modify any requests. Their business is to provide connectivity. Period. People can use antivirus and specialized blocking on different level if they need to block something.

if the mechanism is DoH then in this age of non neutrality they do care. it makes it one nanobit harder to throttle (er, optimize) traffic because they capture DNS along with bulk web traffic.

let’s not munge it up either. they don’t care about encryption per se. they care about 3rd party resolvers.

It isn't even all that sketchy, its just providing broad snapshots of what sites are getting traffic and which ones aren't, which is used by advertisers when they bid on their ad placements.

So yeah, its going to chop off some of their revenue and they don't like it.

Yeah, they are going to tell an advertiser that Sally Doe at IP x.y.z.a is going to the planned parenthood website. Not sketchy at all.

I have this adversarial opinion that I think is very unusual. Would love to hear your perspective.

Google pissed in the punch bowl by offering google fiber.

This forced the carriers to perceive google as an existential threat they are absolutely dependent upon for cheap ass android and ISP revenue from YouTube.

The only move they could make was to make google bleed. So they start offering content monetization and competing advertising platforms. Their goal isn’t to win, it’s to HURT GOOGLE. Advertising prices go down when there is meaningful competition. So shitty content monetization from Comcast and VZ & ATT forces the price of google advertising down.

There is a big part of me that is pulling for the carriers on this front. I’m bummed more people don’t see it this way.

If the carriers were good actors that in general act in good faith most of the time, maybe (assuming your hunch is correct) I'd feel bad for them. But they don't, so I don't.

I'm fine with encrypted DNS as long as it's from my router to the (encrypted) DNS provider of MY choice.

Interference from browsers with network level operations is my real worry. As far as I'm concerned, as long as the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers, no problem. I'm worried about the "to protect the users we've hijacked their DNS directly via the browser" possibility though.

I know it used to be that using ISP DNS servers gave you access to some of their local caching and such. I don't hear that talked about much in these discussions. Is that no longer a thing, and thus we truly don't need ISP DNS?

If you're on a mainstream US ISP, interference from your browser with your ISP's "network level operations" is a privacy necessity. They're passively monitoring DNS to collect data on their customers and hijacking it to send users to advertising sites. ISP DNS is manifestly untrustworthy.

Well no, because my router is proxying DNS requests, and it's not to my ISP's DNS servers. (It's also serving a number of custom DNS records for internal/work stuff.)

I don't understand how trading one ISP for another (Cloudflare?) is an improvement long-run. The system itself needs to be resilient, not just depend on the kindness of the upstream gods.

> I don't understand how trading one ISP for another (Cloudflare?) is an improvement long-run. The system itself needs to be resilient, not just depend on the kindness of the upstream gods.

Mozilla and Cloudflare negotiated a special privacy policy for Firefox DoH requests [1] that limits what Cloudflare can do with the data – in particular, most information must be deleted after 24 hours. There is no technical measure holding them to that policy, but it’s a contract enforceable through the courts. Nothing similar applies to your average American consumer ISP.

[1] https://developers.cloudflare.com/

Oh, they promised not to be evil, did they?

That link isn't very reassuring. Who are parties to the contract? Who can enforce it? What does it cost to breach?

The parties to the contract are presumably Cloudflare and Mozilla, since that page keeps mentioning their "agreement with Firefox" and "agreement with Mozilla". Therefore Mozilla can enforce it. As for costs to breach, that would be determined by a judge or jury based on damages suffered by Mozilla. Depends to some extent on the actual text of the contract, which hasn't been published.

That's the main mechanism for enforcement, but there are a few additional ways it could theoretically be enforced:

- The FTC and state attorneys general can sue companies for violations of their own privacy policies, as "unfair and deceptive acts and practices". For example, they sued Cambridge Analytica recently. [1]

- The California attorney general in particular would also be able to sue under the California Consumer Privacy Act once it goes into force.

- As for ways for individual consumer to sue... well, it's more difficult, but possible. For instance, a class action suit against Facebook on a grab bag of claims, also related to Cambridge Analytica, recently survived a motion to dismiss. Among other things, the judge held that users could sue for breach of contract if Facebook violated its privacy policy. [2]

[1] https://www.ftc.gov/news-events/media-resources/protecting-c...

[2] https://www.cand.uscourts.gov/filelibrary/3755/Order-re-Moti...

It doesn't have to be to their servers - they can just dump all data going anywhere on udp/53 from one of their routers. DNS isn't encrypted, anyone between you and whatever server you're using can see everything.

DNS requests are transmitted in plaintext through the ISPs connections. Because DNS is not remotely secure there isn’t any reason they couldn’t simply redirect your selected DNS to their own, or replace “not found” responses with a link to their own advertisements.

So without DoH an ISP knows everything you request, even if you have a different DNS server set, and if they really wanted to they can simply hijack any connection you make.

It's a good point, but it is preventable by the network admin. For example, I bypass that by tunneling everything out over a VPN, and the local resolver attempts to use HTTPS to connect to upstream anyway. Obviously not every user is in a position to protect themselves in such a way, so I get why the browser is attempting to protect them.

Just seems very wrong to me to take the control away from the user/network-admin in any way. I mean, if you're gonna do it, go whole-hog. Delete HTTP from the browser entirely, right? I don't think that would go over well either, although it could certainly be justified by the same logic.

Maybe I'm misunderstanding something about the issue, there has been a fair bit of FUD, but I simply don't feel good about the browser taking authority outside it's "please render this code into a webpage" scope.

> take the control away from the user/network-admin

You are confusing the network admin and the user. Most users have little reason to trust their router, they often don't own it, update it or have any clue about it. Even experts change roles here when they use any other entities network.

I understand your use case, but I personally think the end devices should increasingly allow interception by network devices only with user consent, not implicitly.

In other words, opt-in on the device with DNS settings and certificates. If you don't own the device (e.g. have root/admin/etc), you don't get to control it - beyond blocking it.

If you're going to the trouble of VPN'ing your DNS, you're fine in the Chrome scenario and could I suppose reasonably just disable DoH everywhere. Your ISP absolutely does not want you to do this, but they don't want you DoH'ing either. DoH is, after all, just a VPN for DNS.

> Delete HTTP from the browser entirely, right?

It’s not being deleted, but Chrome at least has been gradually phasing in a warning in the address bar whenever you visit an HTTP site. [1] (Firefox will apparently do the same starting soon.) I wouldn’t be surprised if the warning UIs get more aggressive a few years down the line, as HTTPS adoption continues to increase.

[1] https://blog.chromium.org/2018/05/evolving-chromes-security-...

Firefox currently shows a red crossed out padlock for HTTP sites with form elements, but not yet for HTTP sites without form elements which for now get neutral treatment. The rationale is that you definitely shouldn't be using insecure forms, what could you possibly be writing where you really don't care about at least confidentiality (to prevent eavesdroppers from reading it) or integrity (to prevent a MitM from changing it) ?

If you set HSTS and then subsequently remove HTTPS from a site it should (will for Firefox, kind of for Chrome) brick wall you, saying that it isn't able to reach the HTTPS site without offering to let you see the insecure and perhaps compromised HTTP site even if you spell out the HTTP URL.

Unlike HPKP this isn't considered a foot gun because you can fix it by just enabling HTTPS, and why didn't you have HTTPS anyway?

The biggest forward pressure for HTTPS is that newer protocol versions (after HTTP/1.1) do not in practice exist for plain HTTP. The way to do plain HTTP/2 is documented but nobody has plans to implement it, and there isn't even intent to document a plain HTTP/3 because the stuff it's built on is all encrypted from the ground up. From my point of view this is good news.

I encountered this in a local ISP in India in 2012: they were intercepting all DNS requests and forcibly using OpenDNS’s annoying NXDOMAIN advertising thing. When I returned in 2016 they’d stopped doing that. No idea if the technique is widespread.

Indian ISPs have intercepted HTTPS traffic to inject ads [0]. And DPI is now a thing among Indian ISPs.

[0] https://news.ycombinator.com/item?id=12091900

This is easily solvable if you're using dnsmasq -- which isn't altogether unlikely as it's in basically every free router firmware (OpenWRT, DD-WRT, etc) as well as, until recently (replaced by systemd-resolved, but still an easy option to go back) used by default by NetworkManager on Linux desktops.

Basically, you just give it the bad IP addresses and it will replace every query result containing them with an NXDOMAIN.
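An added example, not the commenter's code and not dnsmasq's: the same rewrite dnsmasq's bogus-nxdomain option performs, done by hand on the wire format. The response bytes are constructed by `build_a_response` (transaction ID, name and addresses are invented for the example). `parse_response` is also exactly what the passive tap described a few comments up ("dump all data going anywhere on udp/53") sees, since the question name and answer addresses sit in the clear.

```python
import struct


def encode_name(name):
    """example.net. -> b'\\x07example\\x03net\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Return (name, offset after the name), following 0xC0 compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name
            if not jumped:
                end = offset + 2                         # a pointer ends the field
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_a_response(txid, qname, ips, ttl=300):
    """Constructed plaintext DNS response: header, question, one A record per IP.
    Answer owner names use a pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD/RA, rcode 0
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # A, IN
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += bytes(int(o) for o in ip.split("."))
    return header + question + answers


def parse_response(data):
    """Return (txid, qname, rcode, [A record addresses]) from a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = decode_name(data, 12)
    offset += 4                                          # qtype, qclass
    ips = []
    for _ in range(an):
        _owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return txid, qname, flags & 0x000F, ips


def bogus_nxdomain(data, bogus_ips):
    """If any answer address is on the blacklist, replace the whole response
    with NXDOMAIN (rcode 3, no answers) for the same transaction and question;
    otherwise pass it through untouched."""
    txid, qname, _rcode, ips = parse_response(data)
    if not any(ip in bogus_ips for ip in ips):
        return data
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)
```

The transaction ID and question are preserved so the client accepts the rewritten answer as the reply to its own query; that is also why an on-path ISP can do the reverse (swap an NXDOMAIN for an ad-server address) without the client noticing.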

Even with DOH, as things stand right now the ISP can see with SNI what sites you're visiting, or certificate name for sites still using TLS 1.2 or lower.

So moving the DNS to Cloudflare only means “now Cloudflare have my entire browsing history as well as my ISP.”

I do appreciate there is a draft on ESNI but it’s not there yet.

You can use a personal installation of dnscrypt-proxy which supports both dnscrypt and DoH and allows you to select multiple providers. It even supports round-robin. This is what I'm doing.

_with_ DoH you are passing not just network information, but session information as well.

DoH is not a privacy boon.

DNS, whilst plaintext is at least federated, and is a network level service. That is, its not tied to a single session in a browser.

as I understand it, there is nothing stopping a browser from appending metadata to the get request, or putting extra headers in. This means that its perfectly possible to nail your complete browsing history, down to the server you've been given.

There is a difference between not respecting ISP supplied DNS and not respecting DHCP supplied DNS.

Chrome's design attempts to use your current DNS settings to access a DoH resolver and falls back to the current behaviour if it fails.

The browser isn't interfering in any of your network operations.

So, assuming my local LAN DNS resolver, which serves my own custom DNS information to LAN clients, doesn't support DoH itself, but uses DoH to reach out to the authoritative servers, Chrome will bypass my local resolver?

Sounds like interfering with the way my intranet operates to me.

Chrome doesn’t know that your local intranet is trusted or that the local resolver is trustworthy. You need to tell Chrome this by flipping a switch to either change your DoH provider or disable it altogether.

This change is explicitly protecting users from malicious network operators. Since you control the endpoints it should be no big deal, you apply GPO, run Puppet, whatever and everybody is talking to your local DNS again but it is absolutely right to not trust local unencrypted DNS by default for every network you connect to.

In that context, I'd be perfectly happy if chrome had a "I'm on an untrusted network right now" switch, like incognito window. Not sure we should assume that the entire network between the browser and cloudflare is untrusted though.

Aren't there some "hijacks" that are actually valuable to users? For example, if I run a network inside an extremely limited internet environment, I can hijack the user's DNS and redirect them to a "Hey, we're sorry, but running Netflix here will ruin the network for everyone, we hope you understand" page. If their browser is ignoring my local DNS server my option would seem to be simply black-hole netflix packets in the firewall, which is a lot less friendly to the user. Would I be a malicious network operator in this case?

There's presumably no way to allow that without also thereby allowing you to change the apparent content of the Netflix service—or of other sites! (Suppose that you could hijack the user's DNS to redirect ubuntu.com to a page that said "Thanks for your interest in Ubuntu! To download the latest version, click <a href='https://evil.com/ubuntu/ubuntu.iso'>here</a>." How can you allow one kind of hijacking without also allowing the other?)

There has been work on allowing networks to communicate out-of-band to browsers for administrative purposes. Even this is risky in general because of the phishing possibilities, among other things. Showing users arbitrary messages from network operators in the middle of the users' other browsing activities is likely to make it even easier to confuse the users into taking actions that they really didn't intend to do.

> Not sure we should assume that the entire network between the browser and cloudflare is untrusted though.

There's a strong case to be made that the vast majority of Chrome users aren't equipped to evaluate this question. These users are very unlikely to know if they're on an untrusted network and thus unable to make use of the kind of very useful switch you wisely suggest.

Perhaps offering a configuration option for the small percentage of technically sophisticated users who are willing to look in settings for it? Certainly Chrome Enterprise (which is a configuration management system, not a pay-for enterprise software offering) offers strong settings management tools.

Strictly from a security perspective, you always assume your network is untrusted and untrustworthy (and use protocols designed to work just fine in such situations). Especially when serving users who aren't equipped to make their own educated decisions. Can you help me understand why Chrome might want to behave otherwise?

Yes. You would be malicious. Doesn't matter what your intentions are if someone with bad intentions could do something bad in that scenario.

For example redirecting the user to a fake webpage asking for their username and password.

A user will learn that there's blocking if they try and access Netflix and it doesn't work.

You can get something like a Juniper SRX firewall which can recognise applications via signature and do blocking that way. Rather than against IP ranges only.

Also as a network admin you're not saying why you won't be able to block DNS over HTTPS providers.

Unless you're thinking there's going to be some unknown DNS server used by the browser.

But if that's your fear you'll need to block all the online DNS lookup websites.

What if a user just types the IP address directly? Totally circumnavigates DNS.

My problem with your "solution" is that it only works under very narrow assumptions. E.g. how does the Netflix client handle such a redirect? At best with "bad connection", I'd presume. I'd hope they would at least forward a better message when using a proper standard to do the blocking, if they consider this worth the effort.

(And yes, I set up a similar easy makeshift DNS solution to "authenticate" for the un-encrypted WLAN i had many years ago)

> Not sure we should assume that the entire network between the browser and cloudflare is untrusted though.

The network is compromised. This is the fundamental assumption of networks. If you operate from this position you are much less likely to get burned.

Why can't your local LAN DNS resolver support DoH itself if it can act as a DoH client to authoritative servers? That way the browser would know it can trust it to begin with.

No it should use your local resolver.

Exactly this. I build a DNS security product that works at the router level. Everything is secure on home networks running the product and it uses DoT for privacy so that ISPs can’t view your data—no browser intervention needed. Browsers interfering with user-configured defaults is incredibly presumptuous. I’m worried browsers are becoming less user-agent and more platform-agent...

Great. Now I've taken my laptop out of my house (where I'm using your router) to the coffee shop downstairs where they use an ISP provided gateway... And the ISP is spying on me again. Until DNS request is encrypted there are no solutions outside of a wholly self-managed network.

I’m unsure why this has to be set at the browser level instead of the OS level. What happens to all the DNS calls made by non-browser services on your laptop?

I believe it is due to technical problems of switching everything to DoH. Moreover, if we think about it, we'll see that it is not a Google or Mozilla problem, it is a problem of OS developers. For example, it might be done by gethostbyname using DoH to resolve names. But it is up to libc developers, and it would lead to other problems, like a system that stops working after an update because its custom configuration is incompatible with DoH.

Mozilla and Google become unsatisfied with gethostbyname but they cannot change that part of OS. So they are solving their problems on their side.

Go pay Microsoft and/or Apple to implement DNS over HTTPS.

FWIW, Chrome using an upgrade list only checks the system config (doesn't do any "do I eventually end up using" checks), so it shouldn't upgrade DoH even if your backend resolver is a third-party.
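An added example, written for this page and not Chrome's code: the upgrade policy several comments in this thread describe (honor the configured resolvers, switch to DoH only when one of them belongs to an operator on a built-in list, fall back to plain DNS if the DoH endpoint fails, and, as the comment just above says, inspect only the addresses the OS reports). The two-entry `UPGRADE_LIST` stands in for the browser's real list; the addresses and endpoints in it are those two operators' public ones, but the list itself is constructed here. `lookup` takes the query functions as parameters so the example runs offline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DohProvider:
    name: str
    classic_ips: frozenset   # the operator's plain-DNS resolver addresses
    doh_template: str        # the same operator's DoH endpoint


# Stand-in for the browser's built-in upgrade list (the real one is longer).
UPGRADE_LIST = (
    DohProvider("Google", frozenset({"8.8.8.8", "8.8.4.4"}), "https://dns.google/dns-query"),
    DohProvider("Cloudflare", frozenset({"1.1.1.1", "1.0.0.1"}), "https://cloudflare-dns.com/dns-query"),
)


def plan_doh_upgrade(system_resolvers, upgrade_list=UPGRADE_LIST, doh_disabled=False):
    """Decide, from the resolver addresses the OS reports, whether to speak
    DoH and to whom. Only those configured addresses are inspected: a LAN
    resolver (say 192.168.1.1) that itself forwards over DoH is an unknown
    address here and is left alone. Returns (mode, target)."""
    classic = ("classic", system_resolvers[0] if system_resolvers else None)
    if doh_disabled:
        return classic
    for ip in system_resolvers:
        for provider in upgrade_list:
            if ip in provider.classic_ips:
                return ("doh", provider.doh_template)
    return classic


def lookup(system_resolvers, doh_query, classic_query, upgrade_list=UPGRADE_LIST):
    """Run one lookup under that policy: try the upgraded DoH endpoint and,
    if it is unreachable or blocked, fall back to plain DNS at the
    configured resolver. doh_query(url) and classic_query(ip) are injected
    so the example runs offline; real ones would send the wire query."""
    if not system_resolvers:
        raise ValueError("no resolver configured")
    mode, target = plan_doh_upgrade(system_resolvers, upgrade_list)
    if mode == "doh":
        try:
            return ("doh", doh_query(target))
        except OSError:
            pass  # e.g. the network firewalls the DoH endpoint
    return ("classic", classic_query(system_resolvers[0]))
```

The fallback branch is the one a network admin who blocks known DoH endpoints is relying on; it also means such blocking silently downgrades the client to plaintext rather than breaking it.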

Your key takeaways align with mine, but FYI:

> the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers

Usually this isn't the case. Browsers that aren't configured to use a proxy connect directly to some web server using TCP and speak HTTP to it. On a lower level, it's being facilitated by IP traffic routed by your own router, the ISP and the Internet.

There are "Forward" HTTP proxies (e.g. software like Squid) that act like HTTP clients on the web and provide the real user with results. I suppose they're being set up at large organizations by IT, or at home by privacy geeks but I know no consumer router that does that out of the box.

I am not sure if interfering is appropriate here. Even in the current state, usually, browsers perform DNS queries directly with the DNS server that they take from DHCP, which in its turn is supplied to the router by the ISP. This has nothing to do with other web clients or IoT performing DNS lookups.

The question is whether Chrome is going to ignore system settings by default.

If you're so technical, why not just put some firewall rules in to block known DoH providers?

If a malicious app was to use their own DoH server then there's nothing you can do.

Well you can get a MITM web security product to inspect traffic.

Or only allow internet traffic through a proxy on your network and then block DNS providers.

Local caching via DNS? Perhaps on unencrypted HTTP traffic.

That's what I do. I actively block third party DNS and known DNS services except cloudflare and quad9, but only when coming from my raspberry pi. I haven't allowed an unencrypted DNS request from my local network in a long time. At least not that I know of. I have blocked a lot of apps/appliances trying to use their own DNS, and so far that has been enough. When they figure out that they can use DNS on non-standard ports I'm fudged.
