In this blog the chromium team say:
> The first claim is that Google is going to redirect user DNS traffic to Google's own DNS or another DoH-compliant DNS provider. That is incorrect. Because we believe in user choice and user control, we have no plans to force users to change their DNS provider. Today, there are many independent DNS providers, although ISPs serve approximately 97% of user DNS needs. As long as these service providers keep catering to user needs and concerns, it will remain a diverse ecosystem. We’re simply enabling support in Chrome for secure DoH connections if a user’s DNS provider of choice offers it. Chrome will check if the user’s DNS provider is among a list of participating DoH-compatible providers and if so, it will enable DoH. If the DNS provider is not on the list, Chrome won’t enable DoH and will continue to operate as it does today. As DoH adoption increases, we expect to see the number of DoH-enabled DNS providers grow.
This is re-iterated in the next paragraph
> The second claim we’ve seen is that the secure DoH connection will limit the family-safe content controls offered by some ISPs. In fact, any existing content controls of your DNS provider, including any protections for children, should remain active. DoH secures the URL data only while it’s in transit between your browser and the DNS provider, so your provider’s malware protection and parental control features will continue to work as they have in the past.
So this isn't going to break parental controls by default...
...unlike Firefox's proposed scheme which requires action by the DNS providers.
Maintaining a hardcoded whitelist of providers (which is what it sounds like is happening in Chrome) is a bit naff. Mozilla's solution scales, at least.
Also, their solution doesn't _require_ action from the DNS providers - corporate IT staff can customise this behaviour for managed machines via an pref or enterprise policy.
Defaulting to transport security for DNS queries out of the box is a Good Thing.
That is what I meant by the DNS providers need to take action.
Now I imagine these will all get fixed eventually, but I know if I was a teenage boy I wouldn't be complaining to anyone that my internet was suddenly unfiltered ;-)
I'd like to see the OS, not browser, attempt to use the configured DNS entry via DOH, failing back to DoT and finally DNS. I'd like my browser to use the OS to provide DNS services, not implement their own. I'd like my OS to take hints from my network (DHCP etc), but for me, the sysadmin, be able to override them if I don't trust the network.
The main reason to do this it to block ads on smart TVs, etc. though, not for your use case.
They haven't done a good job. FWIW I work for Google, mean no offense to the team that works on this, but it has all sorts of problems, including service reliability. My wife is taking UX design courses and one of her final course projects was a multi page paper breaking down a bunch of our issues with it :-)
We've been down this road for months. Issues at home with mental health damaging content being accessed repeatedly, and I ended up signing up for OpenDNS; problem solved [for now].
I've blocked malware too by having DNS controls, presumably that won't be possible with DoH: Chrome (without addons) might check to see if I've set a local DNS provider but ad-/app- embedded malware won't.
My worry here is that google has proven they see themselves as the only subversives allowed.
They are okay with themselves censoring and curating content but someone outside comes in and they are not happy to have other subversives. I used to trust them to do the right thing many years ago, but that’s not the case any longer.
With Firefox it needs to report use-application-dns.net as not available (see NXDOMAIN below)
$ dig use-application-dns.net.
; <<>> DiG 9.16.1-Ubuntu <<>> use-application-dns.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22419
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
So if you want to use DoH within your network and have Pi-hole, I'd probably put a DoH endpoint on the same server as the Pi-hole and configure my browser to point to that instead.
It'd look something like
Laptop/desktop --(DoH)--> DoH server --> Pi-hole --> Upstream DNS --(DoH?)--> Public DNS
Not ideal but until someone creates a system that acts as DoH server, adblocker, upstream DoH resolver, this is probably the best that one can do for now.
I can easily imagine that the resources being spent on DoH are many orders of magnitude more than was spent on actually fixing or updating the DNS protocol.
This is not in defence of the current DNS system, I'm just sad that the only way we can think to fix DNS is to make it not DNS, but some form of HTTP name resolution.
What specifically don't you like about the use of HTTPS? Would you prefer DNS-over-TLS? Apparently  that's an option too. I don't think it would be possible to be quite as lightweight as the plain old UDP-based DNS protocol while giving the desired security properties.
The reason I don't like HTTP for all purposes is because, while it has proven to be expandable, I feel like we're going to have this "oh shit" moment in 10 years where we realise all the cruft we've added to it and how it's bogging down otherwise simple communication.
DNS was designed to be incredibly low latency, QUIC is a response to the high latency of TCP for HTTP in general; but then you're still sending a fair amount of content that is completely unneeded.
A few dozen bytes here and there don't matter much, but that mentality is why computers today have worse input lag than computers 30 years ago, despite being many hundreds of times faster.
I suspect you know rather more about QUIC than I do. DNS-over-QUIC sounds like a secure, low-latency solution, at least on the face of it. Would it really be possible to shave off much overhead there?
For one thing, if your DNS server is nearby, as it traditionally is with an ISP, latency is usually low. If you want to establish a TCP connection quickly, one thing that helps an enormous amount is to move the server as close to the client as possible.
I don't know if they are planning to do this, but you could also do some connection caching. Keep that TCP connection open while you are browsing.
It is a shame to have to do things to mitigate latency that you could have just not added in the first place. But at least the mitigation probably works.
Literally all this does is break things.
DoH stands for DNS-over-HTTPS. You cannot hijack DoH without hijacking an HTTPS connection.
> they’re just going to get the recursive resolver from dhcp
In answer to my earlier question then, you're using your ISP's DoH DNS service, correct? If that's the case, there's no hijacking going on.
> People who bother to use something are the same ones who will tunnel traffic or run their own resolver.
This is the reason Firefox went with CloudFlare's DoH. Resisting ISPs' bullshit is much of the point.
Not true. An ISP can always reroute packets where ever they want. Want to reroute from a trusted resolver to your own, which is bootstrapped over regular DNS? No problem. Client checks it? No problem, it will fallback to regular DNS.
That's a good point, I'd missed that. I'd hope the browser would show a warning in this case though.
I don't imagine there'd be any point redirecting a DoH request rather than just blocking it outright though. No serious DoH implementation is going to fail to check the cert.
I'd prefer dnscrypt (https://en.wikipedia.org/wiki/DNSCrypt). I'm still not sure why we're going with DoH instead of dnscrypt.
TLS does that part. HTTPS solved/worked around a lot of web problems (same-origin policy) that don't apply to DNS.
You're absolutely right. It's obvious that a better way forward is to fix and update DNS.
Is it possible that you are so right that everyone concerned agrees with you, and has for years? There have been efforts to improve, fix, and upgrade DNS for decades now. They've consistently run afoul of intractable political problems in getting improvements into actual use. Long story short, there's a vast number of parties involved, most of whom have no reason to want to upgrade.
You're right. This is sad. It's also the way forward that people have been able to find after literal decades of trying to improve DNS.
Despite getting DNSSEC deployed at most of the DNS roots almost a decade ago, and to a point where companies can actually turn it on if they want, DNSSEC adoption hasn't cracked 2% of .COM, and, if you measure popular domains outside the US government, its adoption gets even worse: virtually no major platforms or tech companies use it. Those companies have security teams with people who specialize in evaluating technology and getting it deployed, and they have all come to the conclusion that what the IETF worked on to "improve DNS" wasn't worth it.
Meanwhile, virtually every major ISP in America monetizes DNS lookups for their customers. Not only that, but most real DNS spoofing attacks are either last-mile interceptions or phishing attacks on registrars. Which is to say, while the IETF was futzing around with a 1990s-cryptography signature scheme nobody is going to use, the real problem was right there waiting to be solved. Thankfully, Mozilla solved it, and in just a couple years DoH has protected more people on the Internet than DNSSEC is likely ever to.
IMO, telling all this to someone who has no historical context and innocently asks "Why not just fix DNS?" is lighting a candle with a flamethrower. Plus all the strong emotions that get conjured by DNSSEC and its history (at some point someone will chip in asking about DNSCurve...).
The important points for the casual observer are that people have considered updating DNS and that DNS is unfixable for political and economic reasons. Which is why the best answer we have today is to tunnel it over HTTPS.
Meanwhile, the idea that we can't do anything but tunnel DNS through HTTPS because of inertia or politics is obviously false, because there are competing proposals, one of them with serious IETF energy, that don't do that. They're just not popular among users.
Under that mentality you could not do much with the last-mile, and you can definitely not do any serious security that protect confidentiality between client and server. You could do something DNSSEC because it did not cause a 10ms lookup to go to 11ms, and thus no one was screaming bloody murder over it.
How likely is it that an attacker can take over an domain on say cloudflare/microsoft using dns authentication, or someone managing to spoofing an email by changing the dmarc signature? On the average case I suspect the risk is very small, but then I don't think that specific attack surface has been well tested enough to demonstrate how good the idea is to put keys and proof of identity in dns without any additional system to validate the records.
For 95% of users, DoH just lets Google monetize the lookups, instead.
This is a tactical move to obfuscate and make port filtering more difficult because suddenly DNS uses the same protocol and same port as 99% as your traffic. This is versus DNS-over-TLS that offers the same privacy BUT still uses a DNS-specific port so is easier to detect and block. Of course you can still block by IP...
Other than that, it is exactly the same DNS messages. It's just that they are encoded in HTTP messages.
DNS-over-TLS uses port 853, so is trivial to block on a firewall and force fallback to plain-text DNS.
DoH is resilient to such an attacker - be it sketchy guy in starbucks trying to steal your cookies, or yourself trying to run pi-hole adblock.
If you are smart, at this point you'd have already switched to a DoH server using your own certificate (I use a local AdGuard Home instance for that). You can then point not just your browser (either using its configuration page or group policies) but also the operating system and secure the whole thing. After that your only threat is the same as it has always been, a device bypassing your local server, it is safe to assume those are compromised and should be put behind a firewall or disconnected from the network (it is also safe to assume that a firewall rule to capture and modify its DNS queries has never been a 100% reliable solution).
DoH already happened, there's no point in arguing against it like it's the end of the world as we know it. It's now time to adapt and update (or replace) the blocking mechanisms we are used to using. This may mean the end of pi-hole should they fail to add a DoH server to the default installation but we already have alternatives.
The downside is, of course, that Starbucks can't redirect you to their "please accept our TOS" portal.
Can't easily block all port 443 traffic (may as well not give any service), and as servers grow maintaining a blacklist of DoH would be problematic - especially when the DoH server is hidden behind normal sites on cloudflare etc.
Of course a sysadmin can always establish a VPN on any port to any IP with TCP, UDP, ICMP, or even running a VPN over unencrypted DNS, and bypass all that network work other than very specific IP whitelisting.
As a network admin and a sysadmin, I want to be able to control my systems from my network without losing control. I like the idea of DoH, I just don't want to have to reconfigure my DoH server everytime I want to connect to a split-brain network, or have an alternative PTR server, and I certainly don't want my browser using a different source for DNS to my other applications.
I don't see things as you do. Specialised protocols are better than generalised ones because they have understandable failure modes.
If DNS goes down, name resolution fails. But if DoH goes down, it could still be DNS, it could be TLS Suites, it could be incorrect headers, it could be mishandling of the proxy (or the proxy forwarding garbage), it could be anything.
that's why we consider DNS to be Layer 6 and not Layer 7, as things on Layer 7 may depend on it.
There are significant benefits to the end user of DoH in bypassing malicious networks. It's out there, it's not going away. I'd like it to integrate well in a situation where I am the user, sysadmin and netadmin.
unless you're saying we should replace SSH with HTTP.
And yes, DNS is easier to debug than HTTP if HTTP depends on HTTP.
The idea of these new transports is not to impact existing DNS.
It encodes the wire format DNS messages in Base64 for requests and plain hex for responses (rfc8484). That's basically only an adaptation layer to fit into http messages.
Which is good because, really, there is no need to change DNS messages and this makes implementation easier.
The aim clearly is to add a new transport for messages with as little impact as possible.
Cloudflare also has the JSON format available
The only security DoH provides is transport security. if your TLS connection between you and the DoH server is OK, then you can be assured that the DNS response you got has not been tampered with.
It doesn't extend any trust beyond that.
You’re talking the protocol frame now, not the original protocol.
Once the proxied package arrive at google/cloudflare it is back to normal dns operations.
An other way to see it is that DoH is a https based VPN that the browser has chosen for you, but which only proxy dns traffic.
Fixing the dns protocol is what DoT is for, and especially aDoT which would allow in the future for end-to-end encryption between end user and DNS server. Sadly aDoT is only a draft right now, and there is a lot of resistance to the idea of moving away from the caching proxy model.
The default behavor of chrome is to automatically use their DoH service if the users broadband ISP supports it. I don't dispute that or intended to comment on it. If my above comment implied something else I am sorry as that was not the intention nor the central message of the comment. The comment was not a critique of googles default choice in chrome, but rather an attempt to explain how DoH relate to the DNS protocol and how aDoT, which is based on DoT, might actually fix the security faults of the dns protocol by enabling end-to-end encryption between the user and the dns server.
Do you have anything to say the aspect of proxying dns to a third party, or the possibility of end-to-end encryption in dns?
With end-to-end encryption there is no kill switch, so that would make it a rather huge practical difference between aDoT and DoT. It also provide confidentiality which is a much better design for privacy than DoH.
As an owner of an computer, are you against end-to-end encryption for dns, or in favor of end-to-end encryption? You comment above does not answer that question.
Given how that is, I wonder how people would react to the idea of using even stronger security like off-the-Record Messaging.
To explain the terminology I use I can source the definitions from RFC 1034. We have "stub", "recursive", and "authoritative" resolvers. A stub resolver sits at clients because in 1987 not every computer had enough computer resources to run a recursive resolver themselves, and stub resolver talks exclusively to recursive resolvers. Recursive resolvers iterative talks to authoritative servers in order to resolve a domain name into a resource record (ip addresses, text, alias and so on), and the recursive resolver return the results to the stub resolver or the computer that host it.
As the RFC specify, there was original two reasons why a machine may want to have a stub resolver and use someone else recursive resolver. One is the above reason that stub resolvers can be used on machines that do not have the computer resources to run a resolver. The second is in order to "centralize the cache for a whole local network or
organization.". The preferred way as specified by the RFC is to do the recursive resolving on all machines, but if you want a centralized cache or have machines that do not have enough in terms of 1987 computer resources then there is a option to use a stub resolver.
DoH and DoT is technology to encrypt the traffic between the stub resolver and the recursive resolver. Neither can be used if one follow the recommendation and operate the recursive resolver yourself. DNS between recursive resolving and the authoritative server is in plain text. aDoT fixes this, allowing for encrypted traffic between the recursive resolving and authoritative server. When a client who runs its own recursive resolver can create a encrypted channel between it and the authoritative server, what we have is end-to-end encryption.
If there is a technical concept here you don't under just let me know and I can try to explain it further.
Isn't QUIC something an OS should provide?
Isn't the OS responsible for preventing antivirus software installing insecure browser plugins?
Isn't the OS responsible for process sandboxing?
Isn't the OS responsible for secure font rendering?
Isn't the OS responsible for shipping with decent optimized image and movie decoding libraries?
The innovation must be pushed somewhere. These days it's being pushed by the browser vendors and not OS vendors.
the problem is, how can chrome+firefox persuade microsoft, apple, debian and redhat to add it? and how long will that take? maybe some of them don't want it at all.
with the current approach they can offer this improvement to their user right now.
It should teach that Evergreen Browser requires Evergreen OS. And there is long tail.
Windows XP (2001) support:
* Internet Explorer 8 (2009)
* Chrome 49 (2016)
* Firefox 52 (2017)
IE supported latest versions only, should have been most integrated and now it's dead.
Given that whole UI and windowing toolkits are moving into the browser, that argument of replacing chunks of the OS, from top to bottom, starts to become more relevant (if not more comfortable).
And then the next step could be to have Google as a compulsory proxy for all web traffic, because of government blocks.
It seems that when DoH and ESNI become the defaults there won't be much sniffing going on? (Apart from looking at the IPs of course.)
Disclaimer: I work for Cloudflare, but not on this project.
Is sniffing of traffic common in other countries?
I don't think that any oppressive regime is going to have any qualms about routing 220.127.116.11 to its own server, or just blocking it. So you use the national DNS or get nothing.
They have (had?) a requirement to block certain sites (e.g., CP), and their CEOs could be sent to jail if they didn't. So from their perspective, Mozilla was not doing a good thing as it was causing them grief in being able to follow the law:
> for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK
So yeah, I can understand why they'd be salty. As someone who works in IT I'm also salty at DoH for similar netsec reasons. (DoT is another matter.)
With UK laws it's close enough.
IMHO, DoH will simply have network operators go from having a light touch on the network with DNS filtering, to a much heavier hand with routing and inspection. Because the regimes and laws that are currently in place won't just magically go away. (Thanks Mozilla.)
China's great firewall for example degrades access to some popular web sites, but it doesn't do a lot of IP blackholing because that hurts China more than they'd like.
If there's collateral damage to some other sites, then depending on the 'importance' of that they want to block--oh well.
More likely they will just force Cloudflare to do their censorship for them, which cloudflare has already been proven to be malleable toward
Perhaps it's a little naive of me to think that ISP and government would consider that they might block and IP that's only going to do something "illegal" for a short while and the be recycled for something else.
Given this is a "free" offering, the data being mined finances this service.
If parent wants to avoid having any of their data cross Google machines, you are completely correct that Chrome is the wrong tool for the job.
I think this is mostly against ISPs who would like to mess with/redirect your traffic (for example show their own page for mistyped URLs).
I was looking for this as I want to explicitly control when I choose to enable DoH.
eta: oh interesting, at some point I turned on "managed" to prevent it from password cloud saving or some other nuisance and now I get this:
Use secure DNS
This setting is disabled on managed browsers
For Chrome this feature seems not to be implemented, making it harder to control your DNS behavior in your own network.
(see Q&A at the bottom of the page)
I’ll be looking to see if what configuration options are available and if I can set up a DoT server on the Pi-Hole.
Ideally I would want at least the ability to set DoT on/off by default based on the network I’m using so if it’s the home network I don’t care but all other networks I would like to have DoT as the default option.
It would also be interesting to see if there is a default fallback unto standard DNS or not.
> google get to decice what web sites that even exist in your universe.