[dupe] Cloudflare and Apple made a new DNS protocol to protect your data from ISPs (theverge.com)
81 points by janniks on Dec 9, 2020 | hide | past | favorite | 24 comments

needs to be reposted and made a dupe 39 more times, brb

I wonder if this protocol could provide any relief to network admins trying to protect themselves from aggressive Smart TVs and other IoT devices that use DNS over HTTPS to avoid local DNS blocks. I suspect not, since anything designed to protect against ISP snooping should be available to device manufacturers to protect against local admin snooping.

I guess the only solution is to run your own MITM TLS proxy, and hope that the Smart TV or IoT device lets you install your own root certificate. (Which it quite possibly won't without jailbreaking... and even if it does, it probably isn't documented how to do it)

This needs a fix

Why is protection necessary from these devices?

You can't use a PiHole, for example

Depends on your firewall, but yes you can (assuming your goal is to block those queries)

Which firewalls let you block DNS over HTTPS? (Without resorting to blocking random IP addresses from some list that constantly needs updating.)

pfSense - it only blocks known DNS over HTTPS servers, but generally all “smart” devices that use it use the publicly available servers. I log and periodically check TCP flow metadata, so I could identify new ones later.

Seems like a pretty simple solution. Don’t connect the tv to the internet.

Since its introduction, Cloudflare has been able to perform HTTPS man-in-the-middle attacks even for websites which do not use the Cloudflare CDN: they could forge DNS answers and proxy the HTTPS traffic of any website via their CDN, instantaneously issuing a valid HTTPS certificate, as they have root certs and could issue certs for any domain.

Since ODoH they could perform such attacks without being spotted by ISPs. Nice.

Of course intentionally issuing a fraudulent cert would get them kicked out of every root program, and given a good part of their revenue is from being an automated https CDN that would probably have a significant negative impact.

It is too weak a guarantee. We have already seen that the risk of losing revenue did not stop Kaspersky.

New certs have to be sent to Certificate Transparency logs, any company mis-issuing them would be taking a colossal risk.

A MITM attack which starts from DNS could be narrowly targeted; forged DNS responses could be sent to a single person or organization. Certificate Transparency monitors are futile here.

Also, if reputation risk is the only thing which could prevent them from doing so... it is not the security we expect from cryptographic protocols. A subpoena/warrant could be a more "colossal" threat to their business.

If the user is running Chrome the cert will not be trusted if it's not been sent to public CT logs.

I'll give you that - based on a brief search - this does not appear to apply to other browsers yet.

They risk losing their status as a trusted CA.

I'd compare Cloudflare's current power to Kaspersky's ability to steal any file from computers their antivirus is installed on. If they can do it, then one day they will have a strong reason to do it, risking the trust and sales volume.

> They risk losing their status as a trusted CA.

There are tons of goals more important than the trusted status. Killing Osama, arresting Silk Road, performing or exposing election fraud, ...

Losing the status might happen sometime later, while the traffic interception/modification is what they can do right now. And it could be ordered by someone who does not care about those statuses at all.

If you would like to try out an independent ODoH proxy with Cloudflare DNS, I added ODoH proxying to my DoH server last night - instructions on using it are here: https://padlock.argh.in/2020/12/08/odoh.html

I think this link is relevant to people who want encrypted DNS alternatives to the big corporate ones.

I’m sticking with DNS over dual server/client certificate.

My home LAN gateway is blocking DoH because the hassle of issuing an enterprise-based intermediate CA is not worth the effort of running a Squid TLS transparent proxy just so that one can "Pi-hole" stray DNS/domains.

This means my own set of authoritative DNS servers.

By now I don’t understand why DNS is not a browser functionality. Or an operating system service.

Someone has to run the DNS servers the browsers talk to. DNS data is big and can change rapidly, especially in the Cloudflare and AWS type of cases.
