While I don't particularly trust Google all that much anymore, the fact that ISPs even have an opinion on this is a smoking gun that they're doing sketchy things with DNS data. There is no actual technical reason why they should care if you use their DNS servers or something else, even a private, encrypted DNS service.
They definitely are. I know for a fact that they are running massive Hadoop clusters storing information on DNS records involved in their customer traffic. If I recall correctly they mirror a lot of the traffic to analytics environments.
Netflow data, DNS capture, enrichment of cell tower access data (location), reporting on non-usage (idle time, tracking), Bill and household information, credit account usage, etc. SPs are huge sellers in this market.
We still need to encrypt the accessed resource and DNS queries everywhere.
Even once that’s done, things like opencaching will be used by SPs to gather tons of data where they participate.
Because our government is not really interested in protecting its citizens from abuse at the hands of corporations.
edit: you can see this clearly in the way they pay lip service to "breaking up big tech" (whether or not that's a good idea, this comment is not a statement of opinion on that subject) because it's politically sexy on both sides, while all these other, arguably more egregious abuses of consumer data are so far off the radar that most people probably aren't aware they're happening.
If the government showed an interest in abuse at the hands of corporations, it might start getting embarrassing questions about abuse at the hands of 3 letter agencies.
If it is, the stakes are much higher since they have real penalties if they fail to disclose the practice or lose control of that data. Anyone in the EU can send them a request under the GDPR to learn what’s collected, so it’s much easier to get caught.
GDPR and the tradition of not allowing why wire tapping / traffic mirroring without telling the subject (unless you are the government and have a warrant).
Wholesale data collection has become normalized in the US. For-profits, non-profits, it doesn't matter the industry, everyone is obsessed with capturing as much data as possible and believe it's just the standard way of business. No one outside of HN cares about PII or has an understanding of things like GDPR (it's just for the Europeans). Consumers are clueless or otherwise feel hopeless.
Just want to say for the sake of others reading that this comment is exaggerating + generalizing a bit.
Everyone is not obsessed with turning data into revenue. Most smaller tech companies (ie. Sub billions in revenue) are not in the game of monetizing data. My feeling is the market exists mostly between very well establish and very large companies (such as ISPs, advertising networks), but that same market doesn’t exist between newer / smaller companies that haven’t reached massive scale.
To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or if they have, couldn’t say what the regulation does.
Everyone in the EU has heard of it, at least for the fact that everyone received a whole bunch of email that mentioned it on May 25th 2018. I'd say a lot of people know that "it's about privacy"; the actual understanding obviously varies.
No one heard about it, at least in Spain. My father asked me about it because he heard it on the news, but I'd say that 99% of my non-tech friends have no idea of what it is about. Anyway, I work for a large telco and they are very paranoid liabilities involving data. It's a behemoth, so you wouldn't expect them to be this careful.
As far as I remember, they still sell some anonymized data (they had some demos on how to plan public transport with location data) and I'd bet they are not doing much with DNS data.
> To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or if they have, couldn’t say what the regulation does.
Basically everyone who is in EU needs to keep GDPR in mind. Especially if you are employed, then you need to keep in mind GDPR for the interests of your employer so that they are abiding the law, and won't get fined. It is actually legal people who know GDPR very well; not so much tech people. In a lot of Dutch companies a "functionaris gegevensbescherming" (FG; data protection officer) is mandatory, who basically deal with PII, and have known about GDPR (AVG) ever since it was announced it was going to be active (2 years before it was active). The Dutch professional association for the data protection officer was founded in 2003 [1].
On top of that, it was widely covered in newspapers, daily news, etc. If you are in EU and you have not heard about it you are living under a rock, or you're not a working adult (nothing wrong with either).
Anyone working in an office will have probably come in contact with GDPR. Blue collar workers probably not so much.
Maybe people will know it as the cause of cookie popup screens. But I'm also grossly over-estimating computer literacy among the general population so maybe not.
Anyone in the UK who does an office job has heard of GDPR. Most companies are having to update practices to comply with it. It's actually amazing how effective it's been at curbing the "let's just store everything" behaviour.
I'm guessing we're just trusting Google here (and Cloudflare 1.1.1.1 who now also does 10gb free VPNs) + the good will of engineers with access to this information within Google.
Big G is driven by money like any other company, but they lose more money if they don't employ top security practices and prevent others from getting their data. ATT's main business isn't selling the data, it's selling the pipes that carry data, so security on their data lakes is probably less of a priority.
> ATT's main business isn't selling the data, it's selling the pipes that carry data
... and I'm sure their shareholders are pressing them to forego the greater revenue from subscriber data so they can keep their dividend cheques comfortably small.
i suspect they somehow throttle this traffic -- i used to use 1.1.1.1 for a while and had to repeatedly switch out b/c my dns resolution times would be terrible after a while
If you are not using gmail and google search, and are using adblockers, Google shouldn’t really have any information on your IP, so it is anonymised data. Your ISP knows even your bank details.
But the limits of using google DNS (or even encrypted DNS) is that most commercial websites aren’t sharing IP addresses, so I bet the ISP can pretty much reconstruct the data it would get from DNS with very little effort just by looking at your IP traffic and mapping IP addresses to domains from other users DNS queries.
Theoretically, yes. For that to work, you also need everything on your network to never have encountered a google cookie, adwords, Android, Chrome, YouTube, Maps, Google DNS servers, any of various "smart" devices, etc. And hope those Google Global Cache servers living at your ISP are trustworthy.
If you use 8.8.8.8 unencrypted, then both your ISP and Google know your query. With DoH only Google will know. But often Google can figure it out even without DNS data.
You don't need to just blindly trust, there are ToS and privacy statements. My TL;DR is that Google doesn't use logs outside of service health (eg vs DDoS).
I don't know. I think not everything a large company does necessarily immediately pays for itself. Also, Google overall benefits when people use the web more.
Nothing or Google depending on how you want to think about it. Google needed this service for themselves, as the default fallback DNS for their devices, their domain registrar, for GCP and it made sense to just let the public use it too for some good PR.
I wonder why someone who knows how to do any of that, would think it is a good idea or go along with implementing that. The shitbirds who actually want to do this type of thing are not smart enough to execute it.
Engineers are people who come in all ethical flavors. I used to know one whom I consider evil, in the actively, knowingly malicious sense. I've known a whole lot more who generally just don't think about these questions.
Thinking knowledge, intelligence or capability correlates with ethics is a category error.
It's more an industry error, I suspect. The University I went to forced all the Software Engineers to do some of the traditional Engineering papers, including courses on ethics. The professional institute that accredits the University's ability to call their course an Engineering course required those courses.
Courses like that don't fix unethical people, but they make the rest of us aware that ethical concerns exist. Software/Computer Science is such a young discipline that, industry-wide, I don't think we've learnt that one from the other industries yet.
I question the amount that such ethics courses actually help. Business majors have had ethics courses for as long as I can imagine, and yet you don't have to go far on HN (even in this very thread) before you see people saying business majors are unethical.
The bigger problem, IMO, is that many tech companies have started handing out kool-aid that data collection and analytics is ethical. They justify it by saying that it helps people avoid spam, or get better advertisements, or whatever, and then the engineers think they are being ethical and beneficial to society by building these systems.
> Business majors have had ethics courses for as long as I can imagine
I took a business ethics course in undergrad, and it was surprising how many students advocated all sorts of (to me) aberrant ethical views. (Note I’m pretty traditional, morally speaking. The environment was strongly postmodern, and this was before all the modern insanity about “free speech is bad because some people say bad/offensive things”.)
Not that I minded personally, but it was a strong lesson to me that teaching people categories and how to think won’t give them a desire to respect any particular brand of morality.
Impartial view here, not entirely sure where I fall on free speech:
You've concluded that the absolute morality expressed by public consciousness should be the arbiter of publicly expressible speech. Maybe the next thing that gets people killed is not allowing public discourse to challenge socially accepted, morally unacceptable beliefs.
> what arguments exactly do you feel could not legally be expressed in a modern first-world democracy, that actually should be expressed?
Many people use “free speech” to describe more than what is covered by the First Amendment in the USA. For instance, freedom from retaliation, by being fired from your job. According to that view, entities other than the government can engage in suppressing free speech.
I read the argument and then re-read it. Went through few odd stages of amusement and I still disagree. Defending Nazi right to express free speech is more necessary now than ever given that people apparently forgot what an important right it is.
As for the argument that, opinion gets people killed, I can only reply with the following.
Opinions don't kill people. People kill people. It is important to know the difference.
I totally agree, nuclear bombs don't kill people, people kill people. There is no reason people should be unable to build their own weapons and bombs. And don't even start with the WMD slippery slope.
More seriously, limiting speech should not be necessary in a good society were people don't let such stuff spread. But that doesn't seem to be how humans work. The marketplace of ideas does not necessarily prevent bad outcomes. And pretending that a root cause analysis for a genocide doesn't include speech as a vital segment in the chain leading to that atrocity seems illusory to me.
So yes, having reasonable rules doesn't seem that wrong to me. It certainly comes with all the usual problems of gov/regulation. I'm kind of fine with what we have here in Germany. Not that its perfect... but it kind of reminds me of that saying about aerospace rules... they are written in blood.
It is a good argument. It sounds reasonable. But having 'reasonable rules' is a vague statement. It is something akin to me saying in a corporate meeting 'it is all about balance'.It is and it conveniently can be applied to anything.
For the record, I personally dislike German approach despite understanding its genesis.
I can't really speak for aerospace rules, but I am not certain they say that much about speech.
edit. I just remembered. Internet has all manner of rather dangerous information out there. Materials may be highly difficult to procure, but knowledge is still at your fingertips.
Saying that business majors are full of unethical people is like saying that politics is full of unethical people, it is the job that attract those characteristics.
The objective of those ethical classes is to move the neutral/good majority in hope in hope to counterbalance the unethical minority.
And computer science is just as full of unethical people. The highest paying jobs available to those in their 20s and 30s, by far, are computer science jobs. That alone attracts an incredible amount of people only in it for the money.
On top of that, companies which are usually regarded as some of the most unethical companies on the planet (especially in regards to privacy) are companies like Facebook, Amazon, Microsoft, and Google, which are worshipped by and have computer science people scrambling to get hired by them. Going back a little further in history, before FAANG, the companies that were revered by the tech world were the very same ISPs that this post is railing against.
Programmers as a whole seem to have no problem at all being unethical as long as it gets them either money or the chance to work on the latest tech fad.
I do not disagree with this, but it stands that the presence/prevalence of unethical people is not really an argument against ethic courses, as they are meant to do little more that containing the problem
Unless you imagine some sort of industry-wide reckoning from a political/legal perspective, the industry will probably never "grow up". This isn't the sort of industry where a couple bridges might fall down and everyone suddenly gains self-awareness that it's time to be a little more adult.
Just look at the resistance on this forum to the idea of GDPR or data privacy bills. This is one of the most self-aware forums on the internet and still probably a majority of users are not only aware of who (and what) is signing their paychecks, but they actively endorse it in their personal discourse during their time off too.
This surveillance is mostly targeted at residential users. I’m sure they mention this in some opendns legalese, but they definitely don’t openly advertise this.
He is speaking of the developers and engineers who have the technical expertise and should know it's a bad idea but still agree to implement it regardless of their moral compass.
I've worked on questionable projects at a big telecom. I refuse to run ISP provided modems/routers at home, i refuse to use my isps dns and use dns-tls etc etc based on what i have seen.
The devs have often said things bad idea and raise concerns unfortunately you generally have no power, the decision to implement something is made above you. Generally the people making the decisions know things are questionable but you need to make your KPIs / get promoted / earn more money for the company etc etc.
If you don't follow a direct order and refuse to work on a piece of work in reality you will be fired.
That leaves you with the option of looking for a new job yourself or being forced to find a new job as you was kicked out.
While some people can take the moral highground, outright refuse and resign, others have to deal with life issues such as paying the bills and supporting a family which makes it extremely hard to pick a fight refusing to do something. We do not like to think it but we are just another cog in the wheel and dispensable.
Nice point. I've been considering changing my router for a while out of privacy concerns. Do you have a suggestion? I was wondering whether i could use my raspberry pi 3b+ for it.
I've been using Mikrotiks for over a decade, they just work and are pretty cheap. They do require you to know a little bit more about networking then the regular, end user oriented, routers.
Only negative I would mention is that some things are a little bit harder to setup, like a VPN for example (and it doesn't support OpenVPN over UDP).
Why the implication that devs/engineers who have such technical expertise "know it's a bad idea"? There are plenty of devs and engineers who would have no moral issue with mass data collection and analytics. You don't magically become a paragon of morality just because you got a CS degree. Just ask Zuckerberg.
I’m working at a company and they want to do a massive amount of logging from our companies IOS app. Basically log everything in the name of security. I made the statement today what does legal think about the data we would be now storing? It has user locations, gps coordinates, all the other fun stuff you can get from a users phone. They all looked at me like I was crazy for even asking that question. And I don’t think a single person in the room the devs included had even though about the personal data we were going to be able to collect. And if we SHOULD be collecting it.
To be even more fair, I feel pretty sure Zuckerberg would be happy to agree that "you don't magically become a paragon of morality just because you got a CS degree".
I’m not sure why anyone cares about Zuckerberg’s opinions on morality. The point that a CS degree does not impart a higher moral code is not controversial. My comment only pointed out that Zuckerberg was a bad example because he doesn’t have a CS degree.
Google and FB are doing the same thing with their data (and worse) and the engineers they employ don’t seem to care that much, even though they are pretty smart.
Seriously browse through the who's hiring thread... some engineers may see it as an easy way to get their foot in the door in the data analytics industry. Hopefully they just focus on bettering their portfolio.
There are environments where traffic must be logged for regulatory or other legal reasons, so the technique and code to implement it is not universally malicious.
Implementing the mis-feature on a public ISP will be done by people who think the matter isn't worth risking their job by taking a stand on, and just saying no once the decision has been made several levels above their rank won't help anyone because if they don't implement the feature their replacement will.
The nasty dilemma that capitalism poses is that of "take the moral high ground" vs "know whether I'll afford rent next month". It's not your moral compass that determines your worth to society, it's how much people are willing to pay you for your work. If they aren't, you are worth so little to society that you may be out of a home.
Developers may be in a pretty sweet situation, generally, but if you don't have money saved or another job lined up you don't have much choice.
I also think that people are great at finding excuses for what we're doing. I've read somewhere about a hypothesis that conscious thought is mostly just intellectual justification for subconscious urges.
> I wonder why someone who knows how to do any of that, would think it is a good idea or go along with implementing that
Modern silicon valley is built off people implementing similar pervasive tracking, without it there is no google, facebook and many other startups. Not to mention online newspapers and everyone who makes money indirectly from the tracking.
I agree it's a bad thing, but that ship sailed long ago and things like the GDPR are only just starting to bring it back.
Personally I have absolutely zero qualms with implementing any system to collect mass analytics. I just don’t give a shit, at these scales users are cattle.
given the volume of data, i don't care as much on an individual level since each person is a drop in an ocean, but knowledge is power, and this is too much knowledge for ISPs, advertisers, and government agencies.
In the mid 2000s it was common that several large broadband isps would have folks on their DNS team selling DNS traffic data under the table to people engaging in domain tasting and other things. It was only a matter of time until the isps realized they could wet their beak with the same info.
I assume that all US TLAs have (or could have) access to all data that my ISP logs (or could log). That's just how it is. Given government ~monopoly on force.
And that's why I use VPN services. But the same is true for VPN services, regarding US and/or other TLAs. So I use nested VPN chains, to make it harder to get complete data.
And when it really matters, I add Tor to the mix. Even if it's heavily infiltrated by US TLAs, there's at least the chance that it's also heavily infiltrated by TLAs of US adversaries. So, Dog willing, maybe they cancel each other out, at least somewhat.
I mean routing traffic to Tor entry guards through VPN services. The Tor Project does indeed not recommend that. They argue that using a VPN service is risky, because it can log everything. Where access to entry guards is blocked, they recommend using bridges (of one sort or another) run by Tor volunteers.
I don't agree with that argument. Because ISPs can already do that. And for most people, their ISP is far more likely to be cooperating with their local adversaries than some random VPN service is.
And for what it's worth, one of Tor's inventors (Paul Syverson) has agreed publicly that there are reasons to access Tor through VPNs. Basically, when you don't want your ISP to know that you're using Tor. Indeed, if I were a CIA agent using Tor in Iran, I probably wouldn't want the ISP to know that I was using Tor.
But I don't trust VPN services either. So I use nested VPN chains. That's basically the same approach that Tor itself uses, routing traffic through multiple (three) relays. So no one relay (or for me, VPN service) knows both who I am, and what I'm doing online.
There's also the issue of trusting the Tor network. Some argue that it's compromised by US TLAs. So with a nested VPN chain between me and entry guards, I'm less concerned that some TLA is running them. But even if that's just paranoia, there have been bugs that deanonymized users.
For example, some years ago, CMU researchers exploited the "relay-early" bug to allow malicious entry guards and exit relays to exchange information, and so learn that they were routing the same circuit. That allowed said CMU researchers to deanonymize Tor users. The FBI learned of this, and subpoenaed the data. And lots of people went to jail over it. Mostly drug dealers and child pornographers, but whatever.
However, routing VPN services through Tor is a totally different matter. If you do that, your anonymity depends entirely on how anonymously you've obtained, paid for, and used the VPN service. If you used an email address that's linked to you, you're screwed. If there's a money trail in paying for the VPN service, you're screwed. If you ever use the VPN account without Tor, you're screwed.
And even if you manage all that anonymously, the very fact of using a VPN through Tor decreases your anonymity. That's because Tor by default switches circuits at ten minute intervals. But when a VPN is connected through a Tor circuit, that circuit is pinned. So by using a VPN through Tor, you've blocked one way it increases anonymity.
It seems you take your privacy very seriously. But isn't it futile? I mean, the common layman response to privacy issues is something on the lines of "I'm not a criminal terrorist so what do I care". They have a point, the individual doesn't really bear direct consequences of losing privacy (unless he is a terrorist, criminal etc).
The privacy issue is a social one, only when masses of individuals are spied upon, then nasty stuff may happen.
So while your efforts are serious I'm wondering what is their point.
I don't see any solution for this surveillance society we ended up with other than regulations through our government representatives.
I don't think of myself as a criminal or terrorist. But then my moral code is fundamentally from Aleister Crowley. So I'm well aware of the possibility that others might consider me a criminal or terrorist.
Even if there were laws and regulations that better protected privacy, you couldn't count on that. You can't trust government agencies, because they stretch the limits, and outright lie about what they do.
Perhaps because downloading Tor (or even searching for it / visiting its website) demonstrates an active interest in thwarting surveillance.
Almost by definition, that means you're worth taking a closer look at.
Once you're under the microscope, you'd better hope your opsec is flawless or that your activities are completely boring, or else the $TLA knows exactly what you've been up to, TOR or not.
Disclosure: my activities are completely boring, and I don't use Tor, VPNs, or anything like them.
Self-interest rears its head, though. If you don't have anything to hide, running Tor is extra work you don't gain any benefit from. Arguably you just subsidize those who use the tools for evil.
I have yet to be convinced that full anonymity is actually a societal good.
As a pragmatic defense against corrupt governmental agencies, it is probably useful.
I'm not so sure it's a net gain for society as a whole.
And, in a nutshell, I suppose that's why I've never gone down this road.
There are many legitimate uses of Tor. Like opposition in oppressed regimes. But criminals probably make the most out of it. The thing is, it might be the most convenient tool nowadays for selling drugs, etc, but if you'll remove it, criminals will find other ways to connect. Some will be caught, but most won't. And good people might lose a valueable tool to defend themselves.
Except that you don't need to trust anyone, entirely.
That's the point of nested VPN chains. Let's say that you have three different VPN services in the chain. The first VPN knows your ISP-assigned IP address, and the IP address of the second VPN server. The second VPN knows the IP address of the first VPN server, and the IP address of the third VPN server. The third VPN knows the IP address of the second VPN server, and the IP address of the site that you're accessing.
An adversary would need information from all three VPNs, or from their data centers and/or ISPs.
You're still vulnerable at the operating system and hardware level. It doesn't matter what you do after booting up if you're computer has already successfully been infiltrated from the Hardware/BIOS/OS initialization that always happens before.
I don't use hardware that I've purchased using my meatspace identity. The machines mainly come from yard sales and swap meets. Typically nowhere near where I've lived. And all purchased with cash. So I'm pretty confident that they're not backdoored. I have purchased SSDs from stores, but also for cash.
I'm relatively confident that Debian hasn't been backdoored. Windows perhaps, but I rarely use it, and only in VMs.
I'm not sure that I see the point. I mean, the daemon would need to run somewhere. And it'd need to render stuff. I guess that there'd be less going on, so less that's exploitable.
But no, I haven't done that.
I mainly depend on compartmentalization. This VM runs on a host that contains no information about my meatspace identity. And the machine with that information is on a different LAN.
Edit: But upon reflection, I have done something like that. Sometimes I run remote dedicated servers. Accessed via Tor (via nested VPNs) and paid with well-mixed Bitcoin. With LUKS and dropbear, of course.
If I run VirtualBox, I can basically do the same thing I do locally. I use pfSense VMs as VPN gateways, to create nested VPN chains. And then Whonix instances, which hit Tor through those VPNs. And I access the remote VMs via VRDP via SSH via Tor etc.
My first reaction on reading this is that it sounds expensive and difficult to configure. It also reminds me a little bit of how I understand tor to work - is that accurate at all?
At a superficial level, it's exactly how Tor works. Except that there's a static chain, instead of a constantly churning mix of circuits. Each of which uses a different set of three Tor relays. Also, each socket from each app uses a different circuit. And circuits, by default, only last ten minutes, and are torn down and rebuilt whenever a socket resets.
It is expensive, I suppose. In that you must pay for multiple VPN services. I probably spend a few hundred dollars per year, on average. But that's ~nothing for me.
But it's not that difficult to configure. I use pfSense VMs as VPN routers. And pfSense has a very intuitive WebGUI. To create nested VPN chains, I just successively NAT one VPN router through another. Using VirtualBox internal networks. And pfSense optimizes MTU automatically.
Once it's setup, you just run the VMs, and it works.
In my experience, Tor through VPN services isn't substantially slower than Tor alone. I only know that from experiments using VPS, however, because I've never used Tor (or I2P or Freenet, for that matter) directly.
VPNs through Tor also aren't substantially slower than Tor alone. And indeed, one can use MPTCP to aggregate multiple VPN-via-Tor connections. But only between suitably configured devices, of course.
regardless of "substantially slower" it is indeed slower, I guess it depends on your VPN link, but at the very least your MTU has to be considerably smaller meaning more round trips for "large" objects (anything over 1KiB essentially)
I worked for a Comcast subsidiary in 2010-2011 timeframe. The company owned the network end to end. They had about 250k subscribers at the time across 4 states and at the time was the first DOCIS 3.0 network in the US. They were collecting DNS log data back then. I've been told that hasn't stopped and has progressed. Don't trust your ISP to not be passively monitoring. This particular ISP had closets full of old Sandvines [0] hardware as well that I ran across one day. I asked what the hardware had been used for and the answer was simply: "network monitoring for law enforcement". At the time all of that old gear had been decomm'd. But as I've said in older posts the DC had a hands off, tamper taped mobile rack that was plugged into core routing installed by a 3 letter agency while I was employed. This was pre-Snowden and post 9/11, likely courtesy of all those fun programs we found out about that Clapper denied.
We'll know how much this will affect those TLAs when the government suddenly gets involved for some altruistic reason to block DNS over HTTPS. "Don't let google take over the internet!" "Time to break up big tech!"
Not attacking Google - their approach here is fine.
But Mozilla switching people is a worry for me. Sure people “have a choice” but in reality expecting the average Joe who doesn’t even know what DNS is to make an informed decision about it is unrealistic.
Meanwhile Mozilla has started sending a list of every domain you visit to a US company subject to US law enforcement. Not ideal.
I’m friends with solutions engineers at Hortonworks and Cloudera. It’s possible I’m wrong, and since this is anecdotal evidence I see “fact” isn’t a valid use here.
I recall wanting to do research in university and needing this data. It would tell me how frequent bit flips are in dns traffic.
And in anonymous, aggregated form (e.g. only include domains that were accessed by multiple customers, the frequency per day and domain name, maybe geographical data precise to a region corresponding to a million people), I would be perfectly fine with this, even if it gets sent to ad companies. I'd not like it, but I'd also not see the harm and there is a lot of money involved, so if we can't stop it then I'll be fine with it in a basic form (aggregated). At least until we decide that trying to optimize manipulating/influencing people is brainwashing (I'm undecided whether playing psychological tricks on people while they try to get groceries or look for information online or whatever is morally okay).
It used to be illegal for ISPs to use web browsing data for advertising purposes but the Republican House, Senate and President passed a law allowing them to make it an opt-out.
all the major ISP lobby groups signed on to a voluntary set of privacy principles based partly on the FTC framework. They specifically pledged to follow FTC guidance for opt-in consent before sharing sensitive information and to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” Browsing history would be subject to an opt-out system.
Harris encourages Internet users to go to their ISP’s website or call the ISP to figure out exactly how they can opt out of tracking. It’s not convenient, but the option should be there.
I worked at a couple of major telcos at my country, and at the last one - where we had literally millions of active ISP and mobile users - we were approached by a company willing to pay for DNS resolver data. It is definitely a thing (and possible income source) even if you don’t do that kind of analytics yourself.
But I’m fascinated by the legal implications. Right now in Portugal sites are DNS-blocked for copyright reasons (IIRC without the need for what you’d call full legal oversight, just a sort of loose arbitration with the local equivalent of the RIAA), and this is going to play merry havoc with that.
(Uber’s website was also DNS blocked for a while due to hassles with licensed cabs, which was interesting because the mobile app never stopped working — can’t remember if it was an actual court order, but this should give you an idea of how technically clueless some people are over here...)
I'm living in Kazakhstan which blocks some websites. Also Russia blocks a lot of websites. I can't wait to see how eSNI will play out with all those blocks, if Cloudflare and other big networks will dare to roll it out.
Cloudflare collaborates with censors and reserves a fixed IP for the blocked site so censors can block that IP, they don't block by DNS, eSNI won't help, use Tor.
Here in the UK sky recently pushed out an update to their firmware which made it impossible to use another DNS server other than theirs. There was a decent amount of push back, I managed to get them to downgrade my firmware but who knows how long that will last before they "accidently" update it again.
If your DNS requests are going over the VPN then you will be fine as they will be in the encrypted tunnel before they travel through your router so it can't do anything about them. A change to the router firmware won't be able to override DNS server settings on other individual hosts.
If your router is providing the local VPN endpoint then that is another matter, but IIRC PIA runs on your local station. Do check that it is in fact setting your machine to send DNS requests over the link. I'd be surprised if it wasn't, but you never know.
Don't you run an own router/firewall behind the ISPs? I own my internet facing router AND I run a second one for sensitive parts of my network. As well, I run an own recursive resolver.
> What's the best way to tell if they're intercepting queries
Setup a simple DNS resolver in an external VM (use a service like DO where you can pay by the hour, and the test will cost you at most tens of pennies), configure it with a DNS zone that the rest of the Internet does not know about (thisdoesnotreallyexist.net). Then if you try query for that domain from that server but get an NXDOMAIN response your query was probably intercepted (of course test from other locations too, to make sure the problem isn't a mistake in the new resolver's config).
Or you could configure the test resolver to give different answers for an existing domain, of course, and check for which addresses you get back instead of checking for address or error - that would essentially be the same test.
Or, he says, thinking of the obvious after explaining the more long winded, if you have a DNS server in your control, simply turn on the relevant logging options and run a query against it and see if your query turns up in its logs.
This assumes they are intercepting and NATing all standard DNS requests (usually on UDP & TCP port 53), rather then just DNS traffic going to a list of known alternative DNS services. If they are doing the latter then there are tests you can do that rely on timing and TTL settings (get their server to cache a result, change the name->address mapping, then ask 8.8.8.8 or similar and see what answer you get).
With no changes to your setup it is actually impossible. DNS as it currently exist is a plain text protocol.
If you run your own dns server at your local machine you can enable DNSSEC, which will protect against manipulations for domains that has that enabled. A recursive dns server is pretty easy to setup and it a step towards running your own authoritative server in the future for private domains.
If you want to resolve using googles DNS servers and be sure it is really them then the only method that I know that is also supported by google would be DoH. The other encryption method they support, DoT, do not provide authentication and draft-bortzmeyer-dprive-resolver-to-auth-00 is to my knowledge not implemented by google.
If you want a bit more privacy and have a mix of the two above then go with a VPN or build one yourself. Just note that without DoH you won't be authenticating between the VPN and google, so I would just use a resolver at the VPN.
If you run your own DNS server at your local machine, you'll be exposing all your queries to your ISP, which will log and monetize them. You'll gain support for a DNSSEC protocol that virtually nobody on the Internet uses --- DNSSEC only functions on signed zones, and in 25 years almost nobody has signed a zone --- and so your ISP will almost always be able to manipulate your queries anyways.
If you use google servers under plain text you will be exposing all your queries to your ISP and to google, which will log and monetize them. DNS under plain text is so easily captured that all entities. ISP that spans the traffic to google, google itself, and ISP that spans from google to the resolver can capture, log and monetize the information. Monetizing can occur by logging who queried, what was queried, and in either as a combination or in isolation. A lot of companies consider the later to not be private information or covered by GDPR.
The effectiveness of DNSSEC depend on where you are. If you live in Netherlands or Sweden and visits mostly Swedish or Dutch sites then a larger portion will be signed.
I noticed they were doing this when I saw that in-band DNS updates were failing. Eventually I realied that my router (or something upstream of it) was returning an error to the client rather than passing through the GSS-TSIG-signed nsupdate packet.
So far I have been unsuccessful in my attempts to get through to a technician who knows anything other than "try turning it on and off again". I suspect this policy is deliberate.
Unfortunately that will not help: if the requests to other servers are NATed when they hit the router it will look like your request went elsewhere when in fact to went to Sky. nslookup is reporting what it tried to connect to for an answer, not what actually answered.
BT's DSL router/modems also only hand out BT DNS servers. You have to turn off their DHCP server and run your own to be able to hand out anything else.
Their tech support (the one that's "if we solve the problem we'll charge you") said they could not solve this for me.
We agree that ISPs should not need to view your browsing data without your consent. But there are many technical reasons for an ISP to want to run DNS outside the resolver privacy conversation:
For one some ISPs run content filtering services. Some users prefer to concede extreme privacy for what they view as a safer browsing experience. It might not be your jam, but it exists.
DNS is designed to be provider independent. It literally does not matter if a Google or Cloudflare or OpenDNS or DNSFilter or your ISP resolves requests. It was designed this way so that the system could be distributed and so that there is not a single point of failure for the internet’s arguably most important system.
Its distributed nature means there are technical performance advantages to doing the above: reduced request latency, localized traffic routing and reduced bandwidth, etc. You don’t need a giant any cast network to serve DNS. You just need to use the servers closest to you.
This is a pretty silly debate. All you have to do is look at AT&T's DNS, see it hijack NXDOMAIN to send you to ad sites, and know that mainstream ISP DNS isn't trustworthy. We don't need to weigh up counterfactuals.
I think the missing piece here is the constant focus on the US.
In Europe ISPs are under much stricter rules about data privacy and generally cannot do things like the above. Having worked for several ISPs here I’ve never found them misusing DNS data (although sometimes it was logged for a time for management / troubleshooting.)
For a European; with reasonable trust in my ISP, I don’t want Mozilla sending all my queries to a US company which can be forced to reveal that to the US govt, or use it for some other nefarious purpose.
FWIW I’ve never used my ISP DNS though have always run my own recursor at home.
Nobody is asking you to trust Google more than you already do (if you don't run Chrome, this doesn't impact you at all). But the real question is: do you trust your European ISP more than anybody else that might ever run DNS for you? That seems like an extraordinary amount of trust. What DoH allows you to do is trust someone, anyone else to safely run DNS for you, without exposing anything to your ISP. That's a capability you think Europeans shouldn't want?
Wouldn't the US company resolver be based in the EU though and subject to EU Law? That would have to be the case without the DNS resolver having ridiculously slow DNS query times.
I don't think the US govt can ask for data present/originated from the EU.
This seems pretty wrong. I seem to suck at googling such topics, with [0] being an okay-ish summary. And from what I understand, this is only law enforcement, thus does not even mention NSLs and such.
There is no reason for ISP customers to use ISP DNS, given the available alternatives, and this will become even clearer as more people boot up DoH resolvers as alternatives to Cloud Flare.
Again this is absolutely false. Your ISP, and nobody else, can deliver the lowest latency and quickest path DNS resolution short of other providers paying ISPs for last mile fog boxes (as some DNS providers do). Why can’t my ISP support DoT?
But that also highlights a huge misconception about DoT/DoH: it only provides privacy to the resolver. It does not make your requests private in the eyes of the server or spanning the recursive queries that may be required during resolution. I’m not particularly compelled to trust Cloudflare more than OpenDNS or whatever. It’s the same situation with VPN.
Anyway it’s well known that the actual solution for people concerned with utmost privacy is a round robin resolver selection strategy. It’s super easy to implement... why aren’t browsers providing this type of option?
My ISP’s DNS servers take longer both in round trip and total resolution time compared to both 1.1.1.1 and 8.8.8.8... and I have both Comcast and AT&T in an urban area. While this might have been true in the past, that is definitely no longer the case in a lot of areas.
They can, and I would be fine using it if it were a) fast, b) reliable, and c) (here's the big one) legally required that they not log or do anything with my queries.
As it stands, Comcast's provided resolver is somehow slower than some of the third-party providers for me, and I don't care to give them the ability to sell my DNS data.
> There is no actual technical reason why they should care if you use their DNS servers or something else, even a private, encrypted DNS service.
That’s the part of your comment I am replying to. Anyway I see you’re arguing ISPs shouldn’t care which provider you use, not that they shouldn’t want to default you to running their own. Perhaps I misunderstood your point.
Regardless I’d argue the problem in the us is that any DNS provider can abuse your data. Today it’s big ISPs, tomorrow it’s Cloudflare. Unless we actually prevent (technically and/or socially) DNS from being an open book and develop strategies to mitigate the privacy issues it’s just a game of pick your poison, and that‘s what bothers me.
> But to say there is no reason for an ISP to serve DNS is absurd.
The part of my comment that you quoted does not at all say that. (In fact, no part of my comment says, or even suggest, that.)
I agree that any DNS provider can abuse your data, but it's important to look at incentives. Comcast doesn't care one bit about its public image because it already has a terrible one, but customers have no choice in the matter, so Comcast's public image is mostly irrelevant.
Several DoH providers bill themselves as privacy-focused, and make privacy a big point in their marketing around their DNS service. Violating that privacy would be damaging to their product and reputation, in a way that they'd likely care quite a bit about.
I'd rather just have my local resolver have a list of 5 or so DNS providers with reasonably low-latency presence in my area (possibly including the local ISP, even, who knows), and just round-robin requests to them. There's really no way to make DNS not an "open book" as you put it; you can't ask someone to resolve a hostname for you without telling them what the hostname is.
So yes, we need ways to mitigate harm. Unless a provider has their reputation on the line, I don't really see a way to keep providers from doing sketchy things with your data, at least not without legal regulation. It's not like things like the EU's GDPR and California's CCPA were dreamed out of nothing; they came about because people have started to realize that companies just will not act as good stewards of our data unless we legally mandate toothy financial consequences as punishment.
> Its distributed nature means there are technical performance advantages to doing the above: reduced request latency, localized traffic routing and reduced bandwidth, etc. You don’t need a giant any cast network to serve DNS. You just need to use the servers closest to you.
My issue with this is that I've never been with an ISP that had a faster response time than Cloudflare/Google - and one would think they should, after all, my ISP should be able to reach me as quickly (or quicker) than any other corporation.
My current ISP has the fastest DNS benchmarks I've seen, and they're at 81ms for an uncached response, vs Cloudflare's 63ms and Google's 69ms. Cached response is similar (since I have a local cache).
In addition, my ISP does not provide DoH/DNSCrypt/DNSSec. None. Just 'vanilla' DNS. Furthermore, they also don't provide an unaltered DNS service: they block some websites from resolving, the list isn't made available, and is decided via extrajudicial means. You cannot opt-out, and all ISPs in the country adhere to this. They're not forced by law to do so. I'm also not in a normally thought of as a repressive country: it's a member state of the European Union, after all.
There are very good reasons for people to be outright hostile to ISPs and their shady underhanded practices, as you're seeing in this discussion. I feel that it is in any mostly online-based organisation's best interests to expose those practices.
> In addition, my ISP does not provide DoH/DNSCrypt/DNSSec. None. Just 'vanilla' DNS. Furthermore, they also don't provide an unaltered DNS service: they block some websites from resolving, the list isn't made available, and is decided via extrajudicial means. You cannot opt-out, and all ISPs in the country adhere to this. They're not forced by law to do so. I'm also not in a normally thought of as a repressive country: it's a member state of the European Union, after all.
Many of us do consider EU nations repressive states, especially as regards protections for unpopular speech (and armed self-defense, but that's less relevant here).
It's quite possible that EU member states simply have different philosophical views and considerations as to the value and effects of freedom of speech. In fact, the United States is quite exceptional, but it too draws the line somewhere (assault, threats, child pornography).
Yes, that's probably true. Just because I say repressive in a pejorative tone doesn't mean the people who live in those states are bothered by it. They may prefer not to have to hear some of the speech I find regrettable but a necessary cost of freedom. (I think there's a very good argument for drawing the line where the US does and not somewhere else, but that's a different matter.)
Not sure why you're being downvoted. Personal freedoms are awful in the EU, but it's in exchange for increased safety and economic stability. Obviously an amazing tradeoff.
I'm taking issue at the hyperbolic nature of the comment. I'm not an ISP apologist. But to say there are zero technical reasons for an ISP to want to provide DNS is unfair and incorrect.
Cloudflare and Google pay ISPs for the latency they get, FWIW. If I made my own resolver service today I would not be able to compete with your ISP without forking over $$$.
I don't really understand why you keep repeating this claim that we're arguing that there are zero technical reasons for an ISP to want to provide DNS. No one is saying that.
Perhaps you misunderstood my original topelevel comment. If that's the case, let me try to clarify: ISPs have zero technical reasons to complain that people are using alternative resolvers. I totally see why they want to provide DNS resolvers, and that makes perfect sense. Unfortunately, part of that "want" is so they can sell DNS query data to third parties, which is just another reason why I don't want to use them.
Yeah that’s what happened my bad. Anyway, see my other comment: I still don’t think simply being able to choose your resolver as a consumer is enough. We need to defend against abuse technically and socially. It really shouldn’t matter which DNS provider you do use.
> Cloudflare and Google pay ISPs for the latency they get, FWIW. If I made my own resolver service today I would not be able to compete with your ISP without forking over $$$.
I think the main reason for this is even if your competitor grew like a weed, it would be a decade or two before you had the scale to justify rolling out a CDN/caching infrastructure like that of cloudflare. That's not a matter of simply paying ISPs money.
I don't think any of these things justify the ISP's response.
Regarding content filtering services, in that case the user is specifically opting in to that service, so they won't need or care to use an alternate resolver.
I agree that, ideally, you would use a resolver that's close to you in order to minimize latency and increase reliability, but:
1) This requires you to trust your ISP. Many people don't, and with good reason.
2) ISP DNS isn't exactly always the most reliable or fast thing anyway. I easily get better latency from Cloudflare or Quad9 (their old-school Do53 stuff, not the new-fangled DoH) than from Comcast's resolver.
And regardless, if your DoH provider of choice goes down, you can always fall back to a different one, or to your ISP's resolver.
I'd separate "valid" and "reasonable". UK ISPs have a "valid" reason to DPI DNS and block pornhub, but i wouldn't say its reasonable for them to mess with internet packets not destined for their network. Thankfully DoH pressures them to suck it up and accept that blocking needs to be done by parents via parental controls.
But DoH is provider independent. It's just like I can swap out AT&T's regular DNS service for Cloudflare's in my home setup. Which I did.
Mozilla's move to reconfigure Firefox to use DoH is a bit sneakier, but it fits with their privacy stance and their low market share does give them cover.
That is understandable. But when the majority of US ISPs are monopolitical or oligopolitical organizations with zero oversight (Ajit Patel), it becomes harder to argue that sell.
Actually everyone should prefer the other guy do it rather than host it themselves. Either way the bits have to be transported to the same colocated facilities it's a matter of who has to pay for and operate the servers.
At least Cloudflare has KPMG audit them on their privacy claims. Better than nothing.
At the end of the day, any grouping of individuals are a (partially biased) sample of the society in general. The role of media and education is fairly decisive in forming social norms. We may have one or two lost generations of engineers following orders, but as Joe said 'The future is unwritten".
> Actually everyone should prefer the other guy do it rather than host it themselves.
This isn't true. If you're hosting it, you can control it and you can make sure that it's always operational. The last thing you want is a 100 phone call of "my internet isn't working" and then trying to explain it's not your fault, but rather it's "some other guy".
Not sure I understand. If you're using your ISP's DNS service, majority of your requests are going to hit their cache. You shouldn't notice any downtime as long as the cache doesn't expire.
I mean if all of Google/Cloudflares anycast resolvers go tits up I'm going to get endless calls regardless if the end user can resolve a cached name or not.
Or you can directly ask a domain's authoritative nameserver directly. Using an intermediate caching resolver isn't required. Recursively resolving the DNS query locally only requires asking a centralized nameserver for a domain's authoritative nameservers (the NS records) which can usually be cashed locally for a long time. Every other request is compartmentalized to different servers by domain delegation.
Or do both; configure your local resolver to try recursively resolving a request, and fall back to the ISP (other) cache if needed.
That's a good question, they said it would happen annually so they should have had one by April 1st 2019. I put a question into support, we'll see if it goes anywhere.
The only question that remained was when to launch the new service? This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we're geeks at heart. 1.1.1.1 has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.”
Could the collected DNS info be used for their own proprietary investment? I was reading a book about Koch industries and it made me think about the potential that most of the infrastructure companies could have outsized profit out of the derivative investment based on the information gathered from the business they are better known at.
Google's design doesn't ask you to trust Google more than you already do if you use Chrome. It doesn't default you to Google's DNS servers, will honor your current nameservers, and will upgrade you to DoH at any of those servers who support it. I'm honestly not sure what more you could ask for from Google on this particular issue.
Yes, Google used the right approach here. They honor your DNS settings, and upgrade it if it's available. Firefox, on the other hand, plans to force all of their users to trust Cloudflare by default.. and most users won't even know they made that change.
Yes, as Google plan you implement it, which is fine.
Most of the hulaboo is about Mozilla who are moving customers DNS queries to Cloudflare en mass, regardless of what DNS server they have already configured.
Google has promoted its own DNS service over others in the past, including for non-chrome users, and presumably would do the same when DoH (in whatever form) is the norm.
I was simply saying we already know that ISPs misbehave, but presuming that Google wouldn’t is not necessarily a clear cut decision.
I still have something like 15 Spectrum Bogus NXDomains blacklisted on OpenWRT. When I set it up the page they were redirecting too was still the Charter page with a half done Find/Replace of Charter/Spectrum.
There exist pure technical reasons too, from address translation to DNS-level routing and load balancing. For example for ipv6-only network to access ipv4 resources there needs to be something like NAT64 embedding ipv4 addresses into ipv6 ones, but that would require overwriting DNS responses with DNS64 to actually work [1]
Keep in mind, encryption is not privacy. Encrypting DNS queries to a 3rd party resolver doesn't improve your privacy, it's a fight for control, not privacy. ISPs will still violate your privacy to the same extent, except said 3rd party will be able to do that too. If your ISP is not trustworthy the only way to save yourself from it is to use something like a VPN which effectively gives you a different ISP of your choice.
How do you mean? Why should my ISPs hijack communication between me and a content provider and reroute it? This is as if I'm in a phone meeting and when I say "let me call you back at 15:00" the phone company injects "19:00" instead, because that's a time the phone network is less loaded so it'd help them.
> NAT64 embedding ipv4 addresses into ipv6 ones
NAT64 is a good point, actually. But at least in 2019 if you're on IPv6 and switch to your own DNS server that doesn't do DNS64, then it just plain won't work. I doubt Firefox or Chrome will have implementations that break like that.
Some authoritative DNS servers may respond with incorrect IP addresses for specific IP subnets of an ISP (i.e. pointing to unreachable or slow far away servers), so it could be useful to fix this either statically or by forwarding domains to another DNS resolver which gets proper responses. Things like that.
>Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others. Over the last several decades, DNS has been used to build other critical internet features and functionality including: (a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the fastest, cheapest, and most reliable manner; and (c) assisting rights holders’ and law enforcement’s efforts in enforcing judicial orders in combatting online piracy, as well as law enforcement’s efforts in enforcing judicial orders in combatting the exploitation of minors. Google’s centralization of DNS would bypass these critical features, undermining important consumer services and protections, and likely resulting in confusion because consumers will not understand why these features are no longer working. This centralization also raises serious cybersecurity risks and creates a single point of failure for global Internet services that is fundamentally at odds with the decentralized architecture of the internet. By limiting the ability to spot network threat indicators, it would also undermine federal government and private sector efforts to use DNS information to mitigate cybersecurity risks.
While I definitely agree with the sentiment, I would much rather browsers used my own caching DNS server that I can configure to talk to root nameservers: this would be the best of both worlds (ISPs can't track me, and I wouldn't be handing data to another party either, except, well, root servers). I am sure it's going to be possible, but compared to setting it on my DHCP server, now every client's browser would need reconfiguration.
If your DNS server is in the cloud, your ISP can still see your unencrypted queries to that server. If it is at home, your ISP can still see the unencrypted queries of that server to the root servers.
Unless you encrypt the traffic, DNS is transparent to the ISP whichever way you set it up.
And unless you are also using a VPN, the ISP can learn most of what it can learn with DNS just by looking at the IPs you send packets too. Most commercial websites that matter aren’t sharing IPs.
Oh sure, you are right. But the thing with collecting heaps of data is that it needs to be harder. If my ISP is going to filter and process all packets in realtime, sure they can get a lot of unencrypted stuff from me. In essence, other than heavy censoring countries like China, I don't think most ISPs do that (a number of users doing that is pretty small, so the effort on their part is not worth it).
And as you and others have said, it can be done by looking at IP addresses i connect to as well.
What I do achieve is that nobody has a "full" picture of me, but only some subset of data that I transmit.
I also use two independent ISPs in a loadbalancing/failover configuration, so that helps with the cause as well, thougb my primary use is fail-over since I am in this internet business :)
They do use that information, it's not necessarilly sketchy. They run analytics just like everyone else. In fact, one could argue Google's huge push for https was primarily motivated to deprive service providers of valuable data that Google has anyway.
>They do use that information, it's not necessarilly sketchy. They run analytics just like everyone else.
First of all, I think the extent of the data collection that many companies engage in is sketchy.
That aside, if a website runs analytics that you don't like, you can stop using it. There are usually alternatives, if you're willing to give up some convenience. But if your local ISPs are monitoring you, not using the internet isn't really an option these days.
I really wish we didn't have to treat our ISPs as adversaries in that regard, but we've been at that point for a while.
Exactly; it's just the same old story with Google. We all know ISPs and Telcos are greedy af, but when Google is getting into providing DNS, they do it to close a loophole (from their point of view) where web visit sensor data is going to someone else; they really think they own the Internet. In this particular case, even if Google succeeds in establishing DoH via Chrome (and, sadly, also Firefox), ISPs will still get to see your IP data; they could try reverse-DNS lookup to get back domains, but this is much less targetted ever since HTTP/1.1 shared hosting. At the same time, Google is also engaged in AMP such that requests for many sites go to a single IP, with the actual requested site SSL-encrypted. What will happen next is that Google will, via piecemeal extension of HTTP/3, fuckup TCP/IP even more.
I hope somebody in regulation will finally stop Google and others to monopolize the web.
Could be caching too. Bunch of services like youtube and netflix, at least used, use DNS to direct users to local servers. This enabled a better experience for the users and lowered the amount of bandwidth
They also used this method to block region restricted content. Here in Aus Foxtel has a monopoly on all the good shows, they charge >$100 per month if you want access to everything on their crappy, ageing cable tv network. After Netflix blocked the vpn workaround, alot of people went back to torrenting
I wonder if that will be a side effect of this. If the default is DNS via Google, then sites can differentiate on that and do nasty things like block non-google or give different results.
It's not ISP's business to spy on and modify any requests. Their business is to provide connectivity. Period. People can use antivirus and specialized blocking on different level if they need to block something.
if the mechanism is DoH then in this age of non neutrality they do care. it makes it one nanobit harder to throttle (er, optimize) traffic because they capture DNS along with bulk web traffic.
let’s not munge it up either. they don’t care about encryption per se. they care about 3rd party resolvers.
It isn't even all that sketchy, its just providing broad snapshots of what sites are getting traffic and which ones aren't, which is used by advertisers when they bid on their ad placements.
So yeah, its going to chop off some of their revenue and they don't like it.
I have this adversarial opinion that I think is very unusual. Would love to hear your perspective.
Google pissed in the punch bowl by offering google fiber.
This forced the carriers to perceive google as an existential threat they are absolutely dependent upon for cheap ass android and ISP revenue from YouTube.
The only move they could make was to make google bleed. So they start offering content monetization and competing advertising platforms. Their goal isn’t to win, it’s to HURT GOOGLE. Advertising prices go down when there is meaningful competition. So shitty content monetizatuon from Comcast and VZ & ATT forces the price of google advertising down.
There is a big part of me that is pulling for the carriers on this front. I’m bummed more people don’t see it this way.
If the carriers were good actors that in general act in good faith most of the time, maybe (assuming your hunch is correct) I'd feel bad for them. But they don't, so I don't.
I'm fine with encrypted DNS as long as it's from my router to the (encrypted) DNS provider of MY choice.
Interference from browsers with network level operations is my real worry. As far as I'm concerned, as long as the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers, no problem. I'm worried about the "to protect the users we've hijacked their DNS directly via the browser" possibility though.
I know it used to be that using ISP DNS servers gave you access to some of their local caching and such. I don't hear that talked about much in these discussions. Is that no longer a thing, and thus we truly don't need ISP DNS?
If you're on a mainstream US ISP, interference from your browser with your ISP's "network level operations" is a privacy necessity. They're passively monitoring DNS to collect data on their customers and hijacking it to send users to advertising sites. ISP DNS is manifestly untrustworthy.
Well no, because my router is proxying DNS requests, and it's not to my ISP's DNS servers. (It's also serving a number of custom DNS records for internal/work stuff.)
I don't understand how trading one ISP for another (Cloudflare?) is an improvement long-run. The system itself needs to be resilient, not just depend on the kindness of the upstream gods.
> I don't understand how trading one ISP for another (Cloudflare?) is an improvement long-run. The system itself needs to be resilient, not just depend on the kindness of the upstream gods.
Mozilla and Cloudflare negotiated a special privacy policy for Firefox DoH requests [1] that limits what Cloudflare can do with the data – in particular, most information must be deleted after 24 hours. There is no technical measure holding them to that policy, but it’s a contract enforceable through the courts. Nothing similar applies to your average American consumer ISP.
The parties to the contract are presumably Cloudflare and Mozilla, since that page keeps mentioning their "agreement with Firefox" and "agreement with Mozilla". Therefore Mozilla can enforce it. As for costs to breach, that would be determined by a judge or jury based on damages suffered by Mozilla. Depends to some extent on the actual text of the contract, which hasn't been published.
That's the main mechanism for enforcement, but there are a few additional ways it could theoretically be enforced:
- The FTC and state attorneys general can sue companies for violations of their own privacy policies, as "unfair and deceptive acts and practices". For example, they sued Cambridge Analytica recently. [1]
- The California attorney general in particular would also be able to sue under the California Consumer Privacy Act once it goes into force.
- As for ways for individual consumer to sue... well, it's more difficult, but possible. For instance, a class action suit against Facebook on a grab bag of claims, also related to Cambridge Analytica, recently survived a motion to dismiss. Among other things, the judge held that users could sue for breach of contract if Facebook violated its privacy policy. [2]
It doesn't have to be to their servers - they can just dump all data going anywhere on udp/53 from one of their routers. DNS isn't encrypted, anyone between you and whatever server you're using can see everything.
DNS requests are transmitted in plaintext through the ISPs connections. Because DNS is not remotely secure there isn’t any reason they couldn’t simply redirect your selected DNS to their own, or replace “not found” responses with a link to their own advertisements.
So without DoH an ISP knows everything you request, even if you have a different DNS server set, and if they really wanted to they can simply hijack any connection you make.
It's a good point, but it is preventable by the network admin. For example, I bypass that by tunneling everything out over a VPN, and the local resolver attempts to use HTTPS to connect to upstream anyway.
Obviously not every user is in a position to protect themselves in such a way, so I get why the browser is attempting to protect them.
Just seems very wrong to me to take the control away from the user/network-admin in any way.
I mean, if you're gonna do it, go whole-hog. Delete HTTP from the browser entirely, right? I don't think that would go over well either, although it could certainly be justified by the same logic.
Maybe I'm misunderstanding something about the issue, there has been a fair bit of FUD, but I simply don't feel good about the browser taking authority outside it's "please render this code into a webpage" scope.
> take the control away from the user/network-admin
You are confusing the network admin and the user. Most users have little reason to trust their router, they often don't own it, update it or have any clue about it. Even experts change roles here when they use any other entities network.
I understand your use case, but I personally think the end devices should increasingly allow interception by network devices only with user consent, not implicitly.
In other words, opt-in on the device with DNS settings and certificates. If you don't own the device (e.g. have root/admin/etc), you don't get to control it - beyond blocking it.
If you're going to the trouble of VPN'ing your DNS, you're fine in the Chrome scenario and could I suppose reasonably just disable DoH everywhere. Your ISP absolutely does not want you to do this, but they don't want you DoH'ing either. DoH is, after all, just a VPN for DNS.
It’s not being deleted, but Chrome at least has been gradually phasing in a warning in the address bar whenever you visit an HTTP site. [1] (Firefox will apparently do the same starting soon.) I wouldn’t be surprised if the warning UIs get more aggressive a few years down the line, as HTTPS adoption continues to increase.
Firefox currently shows a red crossed out padlock for HTTP sites with form elements, but not yet for HTTP sites without form elements which for now get neutral treatment. The rationale is that you definitely shouldn't be using insecure forms, what could you possibly be writing where you really don't care about at least confidentiality (to prevent eavesdroppers from reading it) or integrity (to prevent a MitM from changing it) ?
If you set HSTS and then subsequently remove HTTPS from a site it should (will for Firefox, kind of for Chrome) brick wall you, saying that it isn't able to reach the HTTPS site without offering to let you see the insecure and perhaps compromised HTTP site even if you spell out the HTTP URL.
Unlike HPKP this isn't considered a foot gun because you can fix it by just enabling HTTPS, and why didn't you have HTTPS anyway?
The biggest forward pressure for HTTPS is that newer protocol versions (after HTTP/1.1) do not in practice exist for plain HTTP. The way to do plain HTTP/2 is documented but nobody has plans to implement it, and there isn't even intent to document a plain HTTP/3 because the stuff it's built on is all encrypted from the ground up. From my point of view this is good news.
I encountered this in a local ISP in India in 2012: they were intercepting all DNS requests and forcibly using OpenDNS’s annoying NXDOMAIN advertising thing. When I returned in 2016 they’d stopped doing that. No idea if the technique is widespread.
This is easily solvable if you're using dnsmasq -- which isn't altogether unlikely as it's in basically every free router firmware (OpenWRT, DD-WRT, etc) as well as, until recently (replaced by systemd-resolved, but still an easy option to go back) used by default by NetworkManager on Linux desktops.
Basically, you just give it the bad IP addresses and it will replace every query result containing them with an NXDOMAIN.
Even with DOH, as things stand right now the ISP can see with SNI what sites your visiting, or certificate name for sites still using TLS 1.2 or lower.
So moving the DNS to Cloudflare only means “now Cloudflare have my entire browsing history as well as my ISP.”
I do appreciate there is a draft on ESNI but it’s not there yet.
You can use a personal installation of dnscrypt-proxy which supports both dnscrypt and DoH and allows you to select multiple providers. It even supports round-robin. This is what I'm doing.
_with_ DoH you are passing not just network information, but session information as well.
DoH is not a privacy boon.
DNS, whilst plaintext is at least federated, and is a network level service. That is, its not tied to a single session in a browser.
as I understand it, there is nothing stopping a browser from appending metadata to the get request, or putting extra headers in. This means that its perfectly possible to nail your complete browsing history, down to the server you've been given.
So, assuming my local LAN DNS resolver, which serves my own custom DNS information to LAN clients, doesn't support DoH itself, but uses DoH to reach out to the authoritative servers, chrome will bypass this my local resolver?
Sounds like interfering with the way my intranet operates to me.
Chrome doesn’t know that your local intranet is trusted or that the local resolver is trustworthy. You need to tell Chrome this by flipping a switch to either change your DoH provider or disable it all together.
This change is explicitly protecting users from malicious network operators. Since you control the endpoints it should be no big deal, you apply GPO, run Puppet, whatever and everybody is talking to your local DNS again but it is absolutely right to not trust local unencrypted DNS by default for every network you connect to.
In that context, I'd be perfectly happy if chrome had a "I'm on an untrusted network right now" switch, like incognito window. Not sure we should assume that the entire network between the browser and cloudflare is untrusted though.
Aren't there some "hijacks" that are actually valuable to users? For example, if I run a network inside an extremely limited internet environment, I can hijack the user's DNS and redirect them to a "Hey, we're sorry, but running Netflix here will ruin the network for everyone, we hope you understand" page. If their browser is ignoring my local DNS server my option would seem to be simply black-hole netflix packets in the firewall, which is a lot less friendly to the user. Would I be a malicious network operator in this case?
There's presumably no way to allow that without also thereby allowing you to change the apparent content of the Netflix service—or of other sites! (Suppose that you could hijack the user's DNS to redirect ubuntu.com to a page that said "Thanks for your interest in Ubuntu! To download the latest version, click <a href='https://evil.com/ubuntu/ubuntu.iso'>here</a>." How can you allow one kind of hijacking without also allowing the other?)
There has been work on allowing networks to communicate out-of-band to browsers for administrative purposes. Even this is risky in general because of the phishing possibilities, among other things. Showing users arbitrary messages from network operators in the middle of the users' other browsing activities is likely to make it even easier to confuse the users into taking actions that they really didn't intend to do.
> Not sure we should assume that the entire network between the browser and cloudflare is untrusted though.
There's a strong case to be made that the vast majority of Chrome users aren't equipped to evaluate this question. These users are very unlikely to know if they're on an untrusted network and thus unable to make use of the kind of very useful switch you wisely suggest.
Perhaps offering a configuration option for the small percentage of technically sophisticated users who are willing to look in settings for it? Certainly Chrome Enterprise (which is a configuration management system, not a pay-for enterprise software offering) offers strong settings management tools.
Strictly from a security perspective, you always assume your network is untrusted and untrustworthy (and use protocols designed to work just fine in such situations). Especially when serving users who aren't equipped to make their own educated decisions. Can you help me understand why Chrome might want to behave otherwise?
Yes. You would be malicious. Doesn't matter what your intentions are if someone with bad intensions could do something bad in that scenario.
For example redirecting the user to a fake webpage asking for their username and password.
A user will learn that there's blocking if they try and access Netflix and it doesn't work.
You can get something like a Juniper SRX firewall which can recognise applications via signature and do blocking that way. Rather than against IP ranges only.
Also as a network admin you're not saying why you won't be able to block DNS over HTTPS providers.
Unless you're thinking there's going to be some unknown DNS server used by the browser.
But if that's your fear you'll need to block all the online DNS lookup websites.
What if a user just types the IP address directly? Totally circumnavigates DNS.
My problem with your "solution" is that it only works under very narrow assumptions. E.g. how does the Netflix client handle such a redirect? At best with "bad connection", I'd presume. I'd hope they would at least forward a better message when using a proper standard to do the blocking, if they consider this worth the effort.
(And yes, I set up a similar easy makeshift DNS solution to "authenticate" for the un-encrypted WLAN i had many years ago)
Why can't your local LAN DNS resolver support DoH itself if it can act as a DoH client to authoritative servers? That way the browser would know it can trust it to begin with.
Exactly this. I build a DNS security product that works at the router level. Everything is secure on home networks running the product and it uses DoT for privacy so that ISPs can’t view your data—no browser intervention needed. Browsers interfering with user-configured defaults is incredibly presumptuous. I’m worried browsers are becoming less user-agent and more platform-agent...
Great. Now I've taken my laptop out of my house (where I'm using your router) to the coffee shop downstairs where they use an ISP provided gateway... And the ISP is spying on me again. Until DNS request is encrypted there are no solutions outside of a wholly self-managed network.
I’m unsure why this has to be set at the browser level instead of the OS level. What happens to all the DNS calls made by non-browser services on your laptop?
I believe it is due to technical problems of switching everything to DoH. Moreover if we think about it, I'll see that it is not a Google or Mozilla problem, it is a problem of OS developers. For example, it might be done by gethostbyname using DoH to resolve names. But it is up to libc developers, and it would lead to other problems, like system after update stopped working, due to custom configuration incompatible with DoH.
Mozilla and Google become unsatisfied with gethostbyname but they cannot change that part of OS. So they are solving their problems on their side.
FWIW, Chrome using an upgrade list only checks the system config (doesn't do any "do I eventually end up using 8.8.8.8" checks), so it shouldn't upgrade DoH even if your backend resolver is a third-party.
> the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers
Usually this isn't the case. Browsers that aren't configured to use a proxy connect directly to some web server using TCP and as speak HTTP to it. On a lower level, it's being facilitated by IP traffic routed by your own router, the ISP and the Internet.
There are "Forward" HTTP proxies (e.g. software like Squid) that act like HTTP clients on the web and provide the real user with results. I suppose they're being set up at large organizations by IT, or at home by privacy geeks but I know no consumer router that does that out of the box.
I am not sure if interfering is appropriate here. Even in the current state, usually, browser perform DNS queries directly with DNS server, that they take from DHCP, which in it's turn supplied to the router by ISP. This has nothing to do with other web clients or IoT performing DNS lookups.
The question is whether Chrome is going to ignore system settings by default.
That's what I do. I actively block third party DNS and known DNS services except cloudflare and quad9, but only when coming from my raspberry pi. I haven't allowed an unencrypted DNS request from my local network in a long time. At least not that I know of. I have blocked a lot of apps/appliances trying to use their own DNS, and so far that has been enough. When they figure out that they can use DNS on non-standard ports I'm fudged.
Google's plans usually have carefully laid out technical justifications, and are mostly kinda boringly/obviously good, like QUIC/HTTP3. That you're usually skeptical of any plan coming from Google suggests that your skepticism is miscalibrated.
Everything warrants skepticism until proven otherwise. Especially things that are being given out for free. Google might be operating on the up and up, but Google is just a large collection of people and some of them will be ethically lacking. And Google's employees have a large incentive to not see any issues with collecting all the personal information that exists.
> And Google's employees have a large incentive to not see any issues with collecting all the personal information that exists.
I can only speak from personal experience. But I would not agree.
Collection of data needs to be covered in a privacy document. You must argue why you're collecting it. There has to be a retention plan, such that data is purged when the user account is deleted, and/or the data expires over time.
You can of course get exemptions, IF there is a valid business reason. But all of this needs to be reviewed and approved by privacy people.
If you want to get things done. The paperwork is a strong incentive to avoid keeping data you don't need.
Note. privacy reviews cover more than I mentioned here. This was just a highlight.
> The paperwork is a strong incentive to avoid keeping data you don't need.
The paperwork is a modest incentive to avoid keeping data Google doesn't need. The problem is that what people need is not necessarily the same as what Google's surveillance and manipulation profit machine needs.
I don't need Google to keep a hyper-detailed record of every site I visit, but Google's business model means that they "need" to do it. So they do.
>> And Google's employees have a large incentive to not see any issues with collecting all the personal information that exists.
You see, Googlers are incentivized not to see the ethical catastrophe that is collecting the data they "need" to collect in order to implement and enhance Google's surveillance and manipulation profit machine.
Sure, if some data are irrelevant to the surveillance and manipulation profit machine, there is a modest incentive not to collect those data. The problem is that Google "needs" a great deal of highly personal, sensitive data whose aggregation poses societal risks that can hardly be overstated. But, since Google--and therefore, Googlers' salaries, bonuses, and RSU gains--"needs" those data, Googlers are incentivized to rationalize its collection, aggregation, and exploitation.
> “You can of course get exemptions, IF there is a valid business reasons.”
For an ad revenue driven business, that’s a pretty big exception.
Ad targeting / re-targeting benefits from a richer picture of the user’s personal life choices. Maybe only a couple percentage points, but every % of a billion adds up.
Your comment is 'dead' (at my time of posting) when you simply stated that you disagree and politely brought up some factual supporting points. I didn't expect such hivemind-like behavior from HN...
Internally, Google employees have quite a large incentive to NOT collect unnecessary data. It's a fundamental tenant. Don't collect any data unless it's for a specific tangible feature that benefits the user.
I think you're cherry picking. I'd say AMP and the consequent AMP for email are recent examples to the contrary. Nothing wrong with skepticism, especially directed at a company the size of Google.
It's easy to make proposals that incrementally increase user security while simultaneously increasing one's own ability to consolidate and exploit user data. Technical appeal needs to be evaluated with a simultaneous critical eye to social impact (QUIC is a perfect example -- it outcompetes TCP on an equivalent link, and falls apart over variable-latency or highly unreliable connections, like those that exist in developing nations -- but of course, Google doesn't care about those audiences).
I tend to call people out when they make claims that are not accurate.
> I care about what people _do_, not what they say in their PR blogs.
Did you read the blog? It's not just words, they are talking about products they have shipped. E.g. Files Go. You can believe what you want, but if you're going to big claims, you should back those up with credible data.
Further, we found that QUIC consumes significantly more than its fair share of bottleneck bandwidth when competing with TCP flows, which can be detrimental to a wide range of applications.
QUIC is at its essence an ARQ protocol, i.e. feedbacks are required to recover from packet losses. And this design choice then leads to inefficiencies when evaluating link conditions. And, in links where latency and losses are unstable, these limitations lead to a significant performance loss.
if you're going to big claims, you should back those up with credible data.
It does show QUIC falling apart with _out of order delivery_, however that is not something that latency or slow networks will produce. There is no reason to think that slow / third world countries have significantly more out of order delivery. The networks might be slower / have higher latencies, but packet order is likely to be the same.
That is different than dropped packets requiring retransmissions, but given QUIC and TCP both use the same congestion control algorithm (Cubic) there should be no difference on that score.
In terms of it being “unfair” when both types of streams are present that’s correct, but TCP with BBR also produces this kind of effect. It’s the algorithm used, not whether it’s QUIC or TCP, that causes this.
QUIC is not perfect, it’s still only at draft stage in the IETF. I’d be concerned that arguments like this are being made which, while seemingly well intentioned, have the effect of stifling innovation for all internet users.
You can bet that on a high latency link the fewer round-trips to set up a TLS connection with QUIC are gonna improve things.
The claim I was referencing was taking a weakness in protocol, and jumping to conclusions.
This would be the equivalent of one saying, "You don't care about the environment because you took a gas powered bus today". And then provide evidence about how busses are harmful to the environment, and provide details about busses emitting GHGs.
Likewise, you can't jump from a weakness in QUIC to big tech doesn't care about NBU.. when in reality, much of big tech pours so much engineering effort towards NBU (amongst other things). Files Go is a small example, and you can download the app here: https://play.google.com/store/apps/details?id=com.google.and.... It is not vaporware.
I would love to see the evidence for this as well.
Instead of providing any you just attacked the person who questioned you?
What specifically about the transport layer in QUIC makes it perform poorly on high latency links? It’s going through the IETF now I’d be surprised if they were complicit in such a backwards move.
Forget about developing nations, there are plenty of parts of the US where mobile Internet is unreliable or altogether unavailable (I live in Utah, ask me how I know).
Google doesn't even care if you're a paying customer -- they sell phones without expandable storage with the explanation that customers should just use the cloud (i.e., Google Drive) instead.
Then buy a phone with expandable storage, that does run Google's operating system. That's the beauty of Google -- don't like their hardware? Buy one of the hundred other models.
It was just an example in support of the point made in the parent: as far as Google is concerned, the only people that matter are ones with unlimited, fast and reliable Internet access at all times without exception.
If you thought I was facing some kind of dilemma regarding whether or not to buy a phone that is useless half the time I leave my house, then thank you, but that's not the case.
Why are those plans "obviously good"?
They promote a view of the web that is all about piping a ton of content, sprinkled with ads, to passive consumers; just like TV.
I don't think I'm being generous. Google's large scale plans are mostly about making the internet and technology ecosystem faster, safer, and more widely available. Of course, this is because their revenue scales as a factor of the number of people using the internet, the number of pages each person using the internet browses, and the willingness of people to spend money on the internet. But don't let the motive distract from the plans. Consider the plans on their own merits.
Google's technical justifications are usually pathetically self-serving. My favorite example: Why have they not yet removed cookies from HTTP? There are obvious improvements to privacy if we switch to server-managed sessions chosen by user-provided identities, and get rid of cookies, but it would frustrate Google's tracking of us, so it can't happen.
What I fear will happen in several years is that local ISPs will also begin offering DoH by default (if you can't beat the competition, join them) and continue snooping on your traffic, just like Google or Cloudflare could do now technically, if they wanted to. Ultimately this boils down to which entity you trust more, your ISP or some other provider. Today Google/Cloudflare et al are by far the more trustworthy options for DNS at least. But this may not remain forever this way. The price for privacy/security is eternal vigilance, something end users don't (or can't) want to do.
Why would you fear ISPs offering an encrypted service? It’s hardly a step backwards?
DoT would be preferable to DoH (no additional metadata / cookies,) but either way ISPs should adopt encrypted DNS.
You are correct it boils down to “who you trust.” In my country the ISP wins hands down over a foreign mega-corp so I end up making a different decision to you.
The key thing is that is a choice for users, not something software just does without knowledge of what’s going on.
Because DoH is supposed to hide the DNS traffic from ISPs (among others). Sending the DNS traffic straight to the ISP defeats the purpose of it. That's like MITM on the first hop.
> Why would you fear ISPs offering an encrypted service?
encryption doesn't hide anything from whoever's on the other side, just the people in the middle. If the goal is to not let ISPs in on your DNS history, then DoH to the ISP won't do that.
I may not have the technical expertise to understand this fully but right now I'm doing adblocking by using adguard's DNS IPs in my router (1).
It kinda works everywhere but for some apps like Chromecast I have to null route two IP addresses (8.8.8.8 and 8.8.4.4) otherwise it doesn't work. Those are both Google's IPs afaik.
So my question is: will I be able to keep doing it after this? I am asking because I am extremely suspicious of Google these days and wondering if they have an ulterior motive to prevent users from doing such host based adblocking in future?
Yes, 8.8.8.8 and 8.8.4.4 are Google DNS resolvers. Sounds like your Chromecast has them hard-coded instead of respecting your locally configured DNS.
In comparison to your current position, where you're black-holing the hard-coded addresses and the app is falling back to your configured DNS: yes you will be able to continue doing that, assuming the Chromecast will maintain the same fallback behaviour. The exact addresses you need to block and the protocol/ports you need to block may change (eg. to port 443 tcp instead of port 53 udp).
The big thing that DoH will prevent is something that you aren't currently doing, which is: instead of null-routing 8.8.8.8, you could be intercepting DNS requests to 8.8.8.8 and responding to them yourself. You would need to do this if the chromecast didn't fall back to using your proper DNS server. DoH will prevent this kind of interception, so your only choices are to allow it through or block it. And if the Chromecast then refuses to fall back, then blocking it will make the device not work, with no viable workaround short of replacing the firmware.
The goal of DoH is ultimately to prevent your ISP doing the exact same thing to you, ie. intercepting (or just listening in on) your DNS requests even when you want them to go elsewhere. Unfortunately, there's no way to prevent the same protections from extending to a malicious local device trying to circumvent you on your local network.
The reason for 8^4 being used for "can I connect to the internet" is valid since the DHCP DNS might be an internal router that's up even when the internet is unreachable; why it's being used for all DNS queries is less defensible. How long till it uses DoH to https://dns.google ?
If using Firefox you’ll need to manually change the DNS settings, as it will by default bypass your local DNS and send it to Cloudflare using DoH. You can easily disable that though.
Haha Big ISPs...there’s absolutely no reason why regular HTTP requests/responses should be TLS encrypted while DNS queries should not...they go hand in hand for maintaining end-user privacy and YOUR integrity.
"Going blind" is a term I've heard recently when talking with operators. Where as "going dark" referred to the DOJ/FBI's term for ubiquitous encipherment of the content, "going blind" refers to the metadata (DNS in this case).
My view is pretty basic: If I can see your DNS, I can pretty much guess on a very short list what kind of [browsing] behavior you are engaging in.
What you can infer is why and who. Which is the real danger. I would trust google to protect sensitive data like sexual preferences before I trust my ISP.
It all depends how much is abstracted behind a common host (eg name based virtual hosting). I can see you are going to Google. But I don't know what within Google you are really accessing or using in most cases.
It's pretty clear that the ISPs drafted their letter before Google made it clear that they would not be forcing the transition to their own DNS servers. The complaints are entirely about centralization.
Google has attempted to allay some of these concerns, but their initial blog post [1] makes it lear that only certain whitelisted DNS providers would be permitted to participate. That does imply a degree of centralization regardless of Google's assurances to the contrary.
If this prevents ISPs from making even a penny on data mined from DNS queries of their users, even in an aggregated and anonymized manner then so be it because ISPs are supposed to be dumb pipes. And there is nothing creepier than someone mining what I search for. Just fulfill the contract of giving me the internet for my 75USD a month.
Is there a way to set up a big list of round-robin DNS servers in Linux, to at least minimize the amount of navigation history any one DNS provider knows about you?
With the statement "could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues" they are actually lying and misrepresenting the issue. In reality there is not much "to interfere" - especially not so much, that you would need to contact the Congress...
I guess this means no more DNS based ad blocking for devices like the Chromecast which ignore the DNS info provided by DHCP and are instead hard coded to use Google’s server?
How exactly encrypted DNS will reduce spying? ISPs will still be able to observe IP addresses users connect to and even particular host names in SSL handshakes.
Mozilla added a canary domain (use-application-dns.net) that if blocked will default to the local dns resolver. There are several threads in the pihole community about blocking it by default so I expect that will be done before mozilla turns int on for the masses.
Completely untrue. Those services just need to serve their own DoH endpoint and the user can add it in Firefox preferences. No harder than and arguably easier than the complicated procedure for changing system DNS, and it allows you to block things in your browser that you may not want blocked at the system level for all users.
If your PiHole servers a DoH endpoint, you're probably back to exposing plaintext DNS to your ISP. The whole point of DoH is to tunnel DNS out of your untrusted ISP network to anywhere else in the world where it can be trusted more.
What is the case, however, is that you could set up a DoH endpoint on some other network and route your DNS there.
Oh, it totally can, and there's nothing wrong with that. I would just hate for someone to terminate DoH on their home network and expose direct-to-the-roots DNS to their ISP, which is, if anything, marginally more attributable than normal ISP DNS. I'm definitely not talking down the idea of doing a PiHole setup.
I don't get why you'd think direct to the root DNS servers would be worse than using your ISPs servers. Using the root servers means you get DNSSEC which would prevent the greatest threats, hijacking and injection.
There is virtually no DNSSEC deployed on any major sites on the Internet and, because DNSSEC is a terrible protocol, it's unlikely there ever will be. I'm a broken record on this; you can just search "author:tptacek DNSSEC" in the bar below to get lots of different reasons why.
The most important thing for this thread though is that DNSSEC provides zero privacy and, in ordinary deployments (where you talk to a nameserver rather than directly running on on your computer) no protection against injection between you and your nameserver.
I don't think DNSSEC itself is likely to ever win. But it does have an additional dimension that makes it a better foundation for privacy than DoH. DoH is strictly transport layer security, meaning it still relies on a trusted third party (Mozilla or Google or whomever) to not vacuum your requests. Whereas if records are signed, they can be sent laterally between mutually untrusting peers, including bulk broadcasts, etc.
A better foundation for privacy? No. DNSSEC provides literally no privacy. It doesn't encrypt, it only signs. DNSSEC is passively observable by design.
For privacy, getting records signed is ultimately more long-term important than getting queries encrypted immediately. As DoH shows, bolting on transport layer security is trivial.
For example, you'd never want to set your DoH resolver to an arbitrary TOR hidden service. But there would be no problem querying DNSSEC through TOR (assuming the setup wrapped the server-server protocol in something that allowed such forwarding).
What a strange argument. If you want to argue that Tor is superior to DoH, argue that. DNSSEC has nothing to do with it. Which, of course, is obvious: DNSSEC is passively observable by design.
I'm not arguing TOR is "superior" - rather it just demonstrates a use of not needing to trust an upstream. It's also another datapoint for how easy it is to bolt on transport security.
The general principle I'm appealing to is that it's better for a protocol to be missing more-critical qualities that are easier to add later, than less-critical but harder-to-change qualities that will forever be a hindrance. Signed records make for a fundamental security property that cannot be made up for with transport security.
Another way of looking at it is that the records in DNS/DNSSEC form a higher layer protocol than the server-to-server communication. Every party in the system has to agree on the format/semantics of those data objects, whereas the server-to-server protocols can be upgraded pairwise.
I didn't claim DNSSEC was good, but it is available and serves to at least verify the communication with the root servers. That is the main reason I think using the root servers is superior to your ISPs. And I thought the context was a pi-hole with a recursive resolver (like unbound) configured to use the root servers using DNSSEC. In this case it would protect against hijacking... wouldn't it?
How does DNSSEC at the roots actually protect you from an attacker manipulating DNS? They'll simply target the records from the authority server for the name you're querying --- in fact, that's what they're targeting already --- which are almost certainly not signed. Isn't "trusting the roots with DNSSEC" just security theater?
It doesn't make it impossible, but it makes it a lot harder ($$$). Checking at least the root DNSSEC prevents them from setting up a simple proxy to their own DNS resolver. They instead have to inspect each UDP and TCP packets, determine which are DNS related, if they are for root, or any other server that has DNSSEC implemented, you pass them through.. you can proxy what's left. One of those smells a lot more expensive than the other.
Again. I'm not comparing this to DoH, but to only using your ISP's DNS resolvers. To me it still seems like an improvement.
You're not answering my question. I think maybe I didn't communicate this well enough: attackers already target the unsigned domain records; the ordinary M.O. of a DNS attacker isn't to intercept the root servers. How can you make it "a lot harder" for those attackers by layering more "security" on the root servers themselves?
> How does DNSSEC at the roots actually protect you from an attacker manipulating DNS?
Assuming that is the question you mean... it works by not allowing the attackers to take the easy course of hijacking all DNS queries and answering how they like. Instead they have to inspect each packet and only hijack those they can, which is a lot harder to do. So it is raising the bar in hope of raising it high enough that it isn't worth it ($$ wise) anymore to them. Part of this is that most people don't do this.. so the economics are not the cost of packet inspection for all their customers, but for a small fraction.
You're not following me. What you're saying is the "easy course" is neither easy nor the normal way DNS hijacking occurs. DNS hijacking typically starts with a target domain.
If they were "packet inspecting all your DNS traffic", DNSSEC wouldn't matter to begin with, because it's a server-to-server protocol; your browser's resolver can't cryptographically verify anything. But that's not in fact what's happening.
But we are specifically talking a using a recursive resolver communicating with the root servers, server-to-server. The browser only comes into play here as a client to the local resolver. The original context was about a pi-hole running a recursive resolver directly against the root servers instead of the ISP's.
What’s stopping your PiHole or DMS adblocker from functioning as a MITM proxy? You’d just terminate HTTPS at the PiHole and perform the filtering there, right?
Regardless, it’s a tiny thing to give up for more privacy.
Running a MITM HTTPS proxy means running a CA, means the proxy gets to decide what to do about certificate errors instead of the client, means maintaining a whitelist of sites that can't be MITM'd, means segregating all the devices that I can't put a CA signing certificate on, and is just in general an ugly thing that should be avoided wherever possible.
Mozilla's method of implementing this has also created a blueprint for malware to avoid network-level detection.
I don't like it. In my view, what's being given up is significant and the privacy gain minimal.
(Right now, Mozilla has a DNS-based killswitch, but how long until all the 'bad actors' Mozilla is targeting have implemented it? I know of one public DNS provider already doing that. They'll take away the killswitch, then all the 'bad countries' will force their populations to install MITM certificates [along with the UK] and the world is going to end up worse off thanks to Mozilla)
Thanks. I was also thinking... how does DoH prevent an ISP from spying on you? Even though the DNS requests and responses are encrypted, content requests are still routed via the ISP, right?
So the ISP still has a log of which IPs you’ve visited. They can resolve this back to site names and get the same information on you they had before.
I hate to respond to low-effort snark but will do so here to remind people that Google's plan doesn't default you to Google's servers, will honor your own nameservers, and will upgrade you to DoH if any of those servers support it. It's really hard to see what more you could ask for.
If I get the choice between finding a different way to do DNS based ad blocking and hiding my traffic from ISPs' advertising divisions, I will happily find a new PiHole alternative.
There have been several articles in the past few days whinging about both mozilla and chrome incorporating DNS over TLS. Someone seems to be REALLY unhappy about this and those people seem to be trying to use the press as a microphone.
It seems like it's touching a nerve and advertisers and governments are really sweating losing their ability do low effort snooping.
Google defaulting to ignore system settings and use Google DNS server is an issue.
But it's cute how ISPs are trying to mash deploying of DoH support and default to Google server into one issue.
The last paragraph absolutely seems like fearmongering:
Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others. Over the last several decades, DNS has been used to build other critical internet features and functionality including: (a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the fastest, cheapest, and most reliable manner; and (c) assisting rights holders’ and law enforcement’s efforts in enforcing judicial orders in combatting online piracy, as well as law enforcement’s efforts in enforcing judicial orders in combatting the exploitation of minors. Google’s centralization of DNS would bypass these critical features, undermining important consumer services and protections, and likely resulting in confusion because consumers will not understand why these features are no longer working. This centralization also raises serious cybersecurity risks and creates a single point of failure for global Internet services that is fundamentally at odds with the decentralized architecture of the internet. By limiting the ability to spot network threat indicators, it would also undermine federal government and private sector efforts to use DNS information to mitigate cybersecurity risks.
I don't see how IoT management is going to be affected by DNS resolution made by a browser. CDN's DNS server in any case sits upstream and should be able to perform needed optimization. Google's or any other US DNS provider is not exempt from complying with the US law and court orders.
Something I’ve wondered: It isn’t quite clear from the various articles how they’re doing this monitoring. I can totally see how they could monitor their own caching resolvers. They might even passively monitor popular internet resolvers (1.1.1.1, 8.8.8.8). But if I run my own caching resolver at home, is that data being mined? I am aware it’s unencrypted and possible to do so, but is it actually happening? DoH sounds nice, but it brings me back to using a shared caching resolver which I’m not a huge fan of.
Your resolver still makes DNS requests that the ISPs snoop. Unless that connection is encrypted, they have the same info as if you used the ISP’s servers.
I am a bit stuck here. I know it is a bit insane, but I run a simple system at home because I think, so if I drop dead tomorrow how is my wife going to sort this. If I am dead, internet still needs to work so my kid can do her home work. So despite my geek love, I do not run my own DNS, etc. the other part is I use unblock-us so iPlayer (BBC) works here in the US. I would love to set everything up so everything is encrypted but ... yah. Sorry depressive.
That sounds backwards. You sure that will be their biggest concern if you drop dead? They can always throw out your weird techy stuff and buy some cheap commodity solution and get them installed.
Your reasoning sounds like, I'm not going to do breakfast for my family, because, ya know, if I drop dead, they will miss the breakfasts.
Correct. We have life insurance. We have a trust. All the normal stuff you do. What I am looking at is what are the things that I do / maintain for the family and how will that be handled if something happens? Having an overly complex technical setup is one of the areas on that list. My death would of course have the normal emotional impact it would have for any family. I am trying to make sure that everything else around it that I can sort, I do. My daughter works hard everyday at her schooling because she is determined to be a doctor. My job as a parent is to give her everything I can to make sure she is happy and successfully in her life for as long as I can. The is the promise I made when we had her.
Some of the comments here are taking the piss...let see how you feel when you hold your baby for the first time.
Btw, for context, in the last 3 years I have had perfectly heathy friend that was in perfect shape drop dead from unexpected heart issues at 38. He had 3 kids. Another friend with 2 kids was killing in a car wreak at 44. Looking at the things their family’s have had to deal with is the reason why I am thinking about this.
Look, I did not want to insult, sorry if it came across like that. I just wanted to point out that _in this specific instance_ you may exaggerate the cost of switching from your weird techy stuff to a commodity solution.
That doesn't say anything about your general principle - which is totally reasonable.
Setup a seperate SSID called "DadDied" with a simple password, scrawl it onto the fridge door with a knife. Have this SSID give out standard ISP DNS. Bonus points if you setup the SSID on the ISP supplied router, bypassing all the equipment you installed behind it.
Your ISP, by virtue of supplying the pipe to the internet, can (and very likely does) still snoop on any old-fashioned plaintext DNS requests you make across it, even when you're not using their servers.
I might have misread the GP, but I kinda felt that it also brought up the issue that a pihole (or similar solutions) might cease to work in a "DoH / I automatically pick the best resolver if I deem yours not good enough" world.
DNS privacy is awesome. Filtering malicious and annoying (read: ads) content at the DNS level is mandatory for me..
I don't think how that would cease to work. At least in the case of Mozilla they try to detect if you have a custom DNS server. When found, they won't use DoH for fear of breaking many intranets in enterprises.
At the request from some less technical friends I cooked up a solution for using encrypted DNS and Pi-hole together nicely wrapped in a docker-compose config that supports both x86_64 and ARM (RaspberryPi) deployments.
I work for a large retailer ecommerce office and over the years found the business purchase huge lists of subscriber names plus domains from ISP customer browsing. Att and Verizon selling that I know about, maybe more that I dont know. With the amount of money involved that Im sure they aren't happy.
It wont necessarily be Google... From what I understood from the article, if you're currently using OpenDNS, Cloudflare DNS, etc., after the change you'll still continue to use them, only the protocol used to access them will change...
In many economies, ISPs have legal immunity from acts done by users (customers) because of laws associated with 'common carrier' status.
But that status is fragile. The ISP has to act like it knows its obligations in law, and there are things ISPs have been doing to work with LEA for a long long time, which they won't be able to do as simply, or as well, or in some cases at all.
As a customer its easy to assume the only answer is "good" but in fact, its more complex. Society depends on law, and the application of law around what people do online is not trivial, and does not reduce down to 'all snooping is always bad all the time' -Warrants exist to do things, and warrant canaries are a reaction to them but not one which says warrants don't exist: they say silent warrants should not be obligated on the receiver of the interception: They're a position on secret law, not a position on law in itself.
TL;DR DoH and DoT are challenging established law in telecoms and big ISPs who have common-carrier defence depend on interception in DNS and DPI and the like, to perform their role facing LEA demands from the state which in many cases are entirely normal and justified
Not all DoH and DoT stories are good stories for society at large.
Please don't reduce this to a libertarian vs everyone else debate, I would invite you to think about what an ISP is, and what we want from ISPs as a whole, not just as customers seeking pirate bay, but as a society investing in a telecommunications-rich future.
The first casualty of war is the truth. The second (in WWI and WWII) was the deep sea telecommunications cables.
DoH and DoT are just new delivery technologies. You've always been able to securely tunnel your traffic out of the country and you always will as it's trivial. DoT changing the resolver from one public company in the to another public company of the will not prevent the government from issuing warrants, particularly since they already issue warrants to these companies as it is.
Common carrier defence is not going to be lost from encrypting URLs, the same FUD was spread about encrypted banking then the encryption of most websites. The only thing that has resulted from the increase in encryption is the decrease of ISP injected ads and the decrease of customer tracking information being sold.
There is a volume of ability north of 95% which could be lost, and the ISP has a mechanism to act (block DoT) but in DoH, its less simple. Hence, the liaison between Mozilla and Google, and state authorities.
Why do you think Mozilla turns this on selectively?
> The ISP has to act like it knows its obligations in law, and there are things ISPs have been doing to work with LEA for a long long time, which they won't be able to do as simply, or as well, or in some cases at all.
As I understand the current caselaw, whilst an ISP is required to make some efforts, they are not required to make efforts when a task is impossible or difficult.
If an ISP is required to create a porn filter, for example, they aren't also required to try and forward that blocker across Tor.
Rather a "best effort" is exactly what is legally required.
So when a new technology is adopted that makes their previous "best efforts" obsolete, then they will no longer be forced to attempt something that is no longer possible.
However, that whole conversation is mute when it comes to this particular instance.
Google will attempt to use the ISP's own DoH resolver. So the answer is simply to run one, or not. If Chrome can't find a DoH with the current DNS, it'll fallback to today's behaviour. This isn't changing the status quo at all.
It's only a problem if customers move wide-scale away from the ISP's own DNS servers. Which happens when the ISP's interests conflict with the user's already, so again, no change to the status quo.
I'm not sure what the issue is. My ISP can still intercept my DNS traffic and provide it to law enforcement. If it's unreadable because of encryption, how is that different than the fact that all my HTTPS requests are similarly unreadable?
They can't provide what they don't have. ISPs in the US (and I presume most countries) aren't obligated to ensure their customers don't use encryption.
The fact that an ISP can snoop customers' data and DNS requests is a side-effect of their business. I don't buy any of the 'responsibility to law enforcement' argument at all, for a number of reasons but the one pertinent to this issue is that privacy legislation is about 30-years out of date - and it's basically this legislation-lag that's the loophole allowing ISPs to do whatever they want with the data.
And it's legislation that no Government is in any hurry to amend because it serves their purposes in maintaining the façade of 'keeping our citizens safe'.
Additionally, this statement is almost entirely the opposite of my understanding. DoH ENSURES that ISPs cannot be held responsible at least for the DNS content since they cannot see it for technical reasons:
TL;DR DoH and DoT are challenging established law in telecoms and big ISPs who have common-carrier defence depend on interception in DNS and DPI and the like, to perform their role facing LEA demands from the state which in many cases are entirely normal and justified
For what it’s worth, at least in Chromium’s implementation:
- The hosts file should still take effect (Chromium can read the hosts file and parse it already.)
- The DoH upgrading should not override your default resolver. It works by having a lookup table of providers that support DoH and using DoH if your provider supports it. The list can be seen here: https://cs.chromium.org/chromium/src/net/dns/dns_util.cc?q=D... (note: this URL may become stale over time; there’s ways to improve this but I am on mobile at the moment.)
Google is an ad company and has the largest browser market share by far.
How is this not abuse?
Google can claim that things like AMP are not intended to rope us into their walled garden, that it's all about improving performance. But at the end of the day, most of the moves they make further their goal of serving more ads.
In twenty years I wouldn't be too terribly surprised if independent websites are largely gone. Disappeared like IRC, RSS, blogging on your own website, and the like.
I'm sorry you disagree. I just don't like what I see happening.
My Chrome browser still perfectly blocks ads. The day it stops doing that, then you have a valid point. Until then, it's mostly fear mongering and misrepresenting the situation.
Only the unencrypted traffic, which is increasingly becoming just DNS. But even if all DNS was encrypted, the default DNS servers you hit are those of your ISP so they’d still have access in the common/default case
Would a local DoH server making going between different networks a little clunky? I have unbound handling dns at home but the old way lets the network define where to get dns information and/or allow for multiple options. Seems like Firefox doesn't have that flexibility yet.
I agree with this perspective, it doesn’t make any difference on computers, but embedded devices and applications now have the ability to bypass DNS restrictions such as the pihole.
Personally, I would have liked to see strong privacy laws fill the gap, but it looks like DoH is here to stay now.
Google wants the whole internet to go through them. Starting with the bloody DNS ... nice plan ... probably needs quite a bit lobbying and bad-mouthing other actors to succeed though ...
Absolutely. You can find a dishonest ISP. The difference is that there are thousands of them. And not just one big opaque entity.
They're not moving anybody to Google's own DNS servers. If your current DNS provider offers encrypted service, they'll begin using that.
Starting with version 78, Chrome will begin experimenting with the new DoH feature. Under the experiment, Chrome will "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider," Google wrote. "If the DNS provider isn't in the list, Chrome will continue to operate as it does today."
ISPs are de facto more opaque than Google, and I'm not sure having a thousand of them is better than having only one.
A single company is easily legislatable, auditable, fineable, and chargeable if offenses are found. A thousand individual bad actors? The odds decrease.
