How is DNS over HTTPS different from a normal VPN?
Please stop regulating the dumb tubes, says Internet Society boss
Andrew Sullivan, chief exec of the Internet Society, has condemned governments that "interfere in underlying technologies that people are allowed to build," as regulators increasingly target net infrastructure to enforce their visions of how the online world ought to be. Speaking to The Register, Sullivan warned that laws …
COMMENTS
Tuesday 25th June 2019 11:14 GMT chuBb.
DNS over HTTPS differs quite a lot from a VPN
VPNs provide you with an encrypted tunnel between point A and point B; depending on how they have been configured, that determines what traffic gets routed to them, i.e. most remote access VPNs provided by an employer would only direct traffic destined for corporate subnets, i.e. all traffic to 172.16.0.0/16 will go via the VPN, unless they are set to replace your default gateway/route, when all traffic goes via the VPN (which is good for paranoid employers as all requests can go through their content filters, just crap for the end user as your connection will be slower, especially if you have a 50Mb+ connection at home and a crappy 20Mb line at the office....). DNS requests sent via VPN are still plain text in terms of protocol, just the transmission is encrypted, and still susceptible to monitoring/filtering once they exit the tunnel.
DoH on the other hand (from a high orbit viewpoint) stuffs the UDP payload of a DNS request into a TCP HTTPS request on the client, which is transmitted using TLS (SSL is dead and deprecated, should not be used, and only exists as an acronym for spotting people who either used to know what they were on about or never knew in the first place) to a centralised proxy controlled by the browser maker (Google or Mozilla here), which accepts the HTTPS request, decodes the payload and performs a normal DNS lookup, which is then sent back as an HTTPS reply to the client, which decodes the DNS response and handles it as usual.
Essentially it's protocol stuffing, and it's open to debate whether it's a good thing to move away from a decentralised name system, back to something similar to the walled gardens of AOL and CompuServe from the time that every publication came with a set of coasters.... Although that reality is a way down the rabbit hole, it's not unreasonable to expect Google to game responses with paid-for preferential results etc. The tricky bit is that by making it a client feature it can and will bypass the network config of the host, i.e. by default Chrome would make DoH requests and you would have to go about:config diving to disable this (each and every auto update) and use the DNS configured on your adapter, which unless you have overridden your ISP's defaults will be their name servers. (This could also make life tricky inside enterprises running a split-brain DNS for intranet access using the corp domain name.)
Tuesday 25th June 2019 12:05 GMT Anonymous Coward
"DNS over HTTPS differs quite a lot from a VPN"
While you're not wrong, you're missing the point for why the government wants to ban DoH - they can't filter the content using their existing methods, which makes it identical to a VPN solution using a provider who doesn't currently implement UK government policy.
If the ID laws for porn in the UK are passed (which is unlikely in my view for both political and technical reasons), I wonder if the UK government will crack down on VPNs next? What do you mean businesses have valid requirements for them? It's just individuals trying to hide from the government...
While you raise very valid technical concerns, the UK government has repeatedly demonstrated that it hasn't grasped the basics of the current technical issues without piling on new technologies and the associated long learning curve...
Thursday 27th June 2019 06:53 GMT James R Grinter
Isn’t PiHole just a DNS resolver that you configure, via DHCP or statically, as your device’s DNS server? It may then make those onward requests, for domains it deems “good”, over DoH but by that point it’s looking up only what it wants to anyway. Essentially it’s doing what some paternalistic ISPs servers are doing, only under your control.
DoH is about your privacy, stopping a middleman from snooping on what domains you are resolving under the guise of "it's just metadata". Also, about stopping those paternalistic ISPs from further meddling with your DNS lookups.
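The two comments above describe the same machinery from opposite ends: chuBb's account of the client stuffing a DNS message into an HTTPS request, and the Pi-hole model of a local resolver that decides what to answer itself before anything goes upstream over DoH. What follows is an added example written for this page, not code from either commenter, from Pi-hole, or from any browser: it builds the DNS wire-format query, answers blocklisted names locally with 0.0.0.0 the way Pi-hole does, and shows the RFC 8484 POST and GET framing used for everything else. doh.example, the blocklist, and the upstream's reply are all constructed, so it runs offline.

```python
"""Added example (editor's code, not from the thread): a Pi-hole-style local
resolver that sinkholes listed names itself and forwards everything else as a
DoH POST (RFC 8484), with the DNS wire-format plumbing both sides need.
Runs offline: doh.example is a made-up upstream and its reply is constructed."""
import base64
import struct
from ipaddress import IPv4Address

UPSTREAM_HOST = "doh.example"                     # assumption: hypothetical DoH server
BLOCKLIST = {"ads.example", "tracker.example"}    # constructed, Pi-hole-style list
SINKHOLE = "0.0.0.0"                              # Pi-hole's default answer for blocked names


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name at msg[off:], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written at off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, txid=0x1234):
    """A-record query with RD set; identical bytes whether sent over UDP/53 or inside DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, ip, rcode=0):
    """Answer `query` with one A record, or with just an rcode (3 = NXDOMAIN)."""
    qname_end = decode_name(query, 12)[1]
    question = query[12:qname_end + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    answer = b"" if rcode else (b"\xC0\x0C"       # compression pointer to the question name
                                + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed)
    return header + question + answer


def parse_response(msg):
    """Return (rcode, qname, first A-record address or None)."""
    flags, ancount = struct.unpack("!HH", msg[2:4] + msg[6:8])
    qname, off = decode_name(msg, 12)
    off += 4                                      # skip QTYPE/QCLASS
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return flags & 0xF, qname, str(IPv4Address(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, qname, None


def doh_post(query):
    """The HTTP request a DoH client sends: the raw DNS message is the body, so to
    a middlebox it is one more HTTPS POST (RFC 8484 section 4.1)."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {UPSTREAM_HOST}\r\n"
            "Accept: application/dns-message\r\nContent-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


def doh_get_url(query):
    """GET form: the same message, base64url without padding, in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{UPSTREAM_HOST}/dns-query?dns={b64}"


def local_resolver(query, forward):
    """Pi-hole style: answer listed names locally; hand the rest to `forward`, which
    takes the DoH request bytes and returns the DNS message from the HTTPS reply body."""
    qname, _ = decode_name(query, 12)
    if qname.lower() in BLOCKLIST:
        return build_response(query, SINKHOLE)    # the query never leaves the box
    return forward(doh_post(query))


def fake_upstream(http_request):
    """Constructed stand-in for doh.example: strip the HTTP headers, answer 192.0.2.10."""
    query = http_request.split(b"\r\n\r\n", 1)[1]
    return build_response(query, "192.0.2.10")


if __name__ == "__main__":
    for name in ("www.example", "ads.example"):
        print(name, parse_response(local_resolver(build_query(name), fake_upstream)))
    print(doh_get_url(build_query("www.example")))
```

Two things are worth noticing when you run it: the bytes in the POST body are exactly the bytes a Do53 client would put in a UDP datagram, which is why an existing resolver can sit behind a DoH front end unchanged; and the blocklist check is made on the parsed query name before any forwarding, so the forwarder's choice of transport has no bearing on what the local filter gets to see.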
Tuesday 25th June 2019 13:47 GMT chuBb.
Not missing the point at all; the fact is that the number of VPN users is dwarfed by the number of Chrome (and by extension Chromium-based browser) and Firefox users. DoH will be an automatic default for those users, hence a much bigger problem than VPNs, as VPNs have to be actively set up, whereas DoH would be a passive setup.
If there is a crackdown on commercial VPN providers then it will only be a formalisation of existing law forcing them to provide logs on court order, and if they did overstep the mark then users will configure their own or just run a VPN box on AWS hosted in a US region; Lifehacker will have dozens of articles on how to set it up. It would be impossible to ban or even regulate VPNs as the economic damage would be too great: inter-office comms made illegal, secure transport of patient records between hospital and surgery gone, etc.
The fundamental flaw in the "they will ban VPNs" argument is that it's like saying "ban roads to stop drivers speeding": a VPN is a transport, DNS is a protocol, and legislating against traffic is a wholly different proposition to legislating on how the traffic is carried. Regulating DoH is much more like saying mini moto bikes are not road legal and are not allowed on the roads (but there is nothing we can do to stop people from doing that if they don't get caught). The real govt fear (civil service, not the "who do you want lying to you" popularity contest winners going for the click-bait "think of the children" attention-grabbing arguments), in my opinion, is a ceding of control of domestic surveillance to the NSA, as both the major infrastructure providers are US companies, and accepting that whatever evidence you gain may have been altered as it didn't come from your direct tap...
Interesting you mention the pr0n farce, fully agree with you; if and when it comes into effect (I also believe that, as currently intended, it is utterly impossible) it will only affect those that pay for porn online, and what comes into effect will be so watered down as to be effectively optional.
Tuesday 25th June 2019 15:40 GMT Anonymous Coward
You're still approaching the argument from a technical perspective rather than a political one.
The government has a system they believe works. DoH will stop it working. Therefore, ban DoH. Cause and effect, with no thought of the technical implications.
If the porn laws or something similar come into effect that makes the widespread use of VPNs within the UK for consumer access, the government will look to ban VPNs or continue the crusade against encryption.
None of this negates the technical arguments - they are all valid, but will be ignored if they don't match political will.
Wednesday 26th June 2019 09:05 GMT chuBb.
Nope, very much a political approach; bottom line is no MP would go for it once they find out that they can no longer sign in to govnet from the Cotswolds and would have to physically travel to approved locations to do their work, which renders the rest of the FUD about VPNs being banned moot. Even if that embuggerance for them would probably do wonders for overall infosec in Whitehall, until some bugger muppet popularity contest winner puts it all on an unencrypted hard drive and leaves it on a train to work on over the weekend....
Wednesday 26th June 2019 01:56 GMT doublelayer
And there doesn't technically have to be. Firefox supports it, but you can use any DoH server you please by changing the config. I've suggested running a system-wide DoH client that performs requests for applications that communicate with it locally. However, I wouldn't expect Chrome to make this easy to change.
Tuesday 25th June 2019 08:38 GMT Pascal Monett
"A very strange thing for Parliament to do [..]"
Not really. Today our society is practically based on the Internet. Whatever is not yet there is going there, and whoever is not on it is increasingly being pushed there, sometimes by their own government (online tax declaration, anyone?).
Those bits traveling over the wire have a specific function, to query some data that will orient the user to a specific site. That cornerstone of the Internet is how we access the web pages we think we want - which means it is the ideal point of control for a government that wants power over what its citizens can see.
It is exactly like the government controlling what is told in the news on TV and the dead tree network, especially back when the Internet did not exist. It's a reflex for any government, let alone one that likes control.
Tuesday 25th June 2019 09:14 GMT Teiwaz
Re: "A very strange thing for Parliament to do [..]"
Harrumph!!
I'm sure we all remember when doing things online was the new, convenient option for doing things.
Now it's no longer new, often not convenient either, and well on the way to no longer being an option but the only way to do things.
Tuesday 25th June 2019 10:08 GMT Teiwaz
Re: "A very strange thing for Parliament to do [..]"
"product numbers over voice phone to a fallible operator"
What, have you never ordered something 'online' and gotten somebody else's order instead of yours???
I know I have.
Not often, but then it wasn't any less often than when the family ordered from Freemans* catalogues in the 1970s.
I'm more concerned with services other than commercial concerns. The kind of thing that often delivers benefit to the customer from interaction with an (at least semi-knowledgeable) employee one to one.
* bought by Sears group in 1988
Tuesday 25th June 2019 20:23 GMT Teiwaz
Re: "A very strange thing for Parliament to do [..]"
"I have never had this happen, personally."
Lucky you, I have three times, once, two out of a four item order were incorrect. Twice my order was IT related and I received clothing items, once I ordered presents for a relative, and they were confused by what they received, and I, embarrassed.
Point is, those fallible operators are probably now manning the warehouses, so it's just passed the fault down the line.
Wednesday 26th June 2019 22:32 GMT NetBlackOps
Re: "A very strange thing for Parliament to do [..]"
Google need only pass a hash value corresponding to child porn to some Authority and you will be in a world of hurt. And it need not be officially, it could be some "woke" employee who targets you with one or more planted files. It's been asserted on more than one occasion that governments, specifically their intelligence arms, already do this amongst other bad actors out there.
Just mentioning it. There's a reason I'm a stickler on computer hygiene.
Tuesday 25th June 2019 19:40 GMT JohnFen
Re: "A very strange thing for Parliament to do [..]"
"Today our society is practically based on the Internet"
Not entirely, yet, fortunately. Personally, I literally can't think of a single thing that I need the internet to accomplish. The internet is more convenient, but I can still do every critical function I need the old-fashioned way if I choose to.
Wednesday 26th June 2019 02:23 GMT AdamWill
Re: "A very strange thing for Parliament to do [..]"
"It is exactly like the government controlling what is told in the news on TV and the dead tree network, especially back when the Internet did not exist. It's a reflex for any government, let alone one that likes control."
Indeed it is...
...and just to play devil's advocate: is this necessarily entirely a bad thing?
I mean, I've been using the internet for, uh...26 years now...and, well, the days where I uncomfortably wonder "was this whole thing just a really bad idea?" seem to be getting more frequent.
The last one was when I read this story:
https://www.theverge.com/2019/6/19/18681845/facebook-moderator-interviews-video-trauma-ptsd-cognizant-tampa
I mean...somehow we wound up building a thing which means thousands of poor bastards have to get paid about 15 bucks an hour to watch people beat the shit out of puppies with a baseball bat. All day long.
Is that...good? Because, I mean, it seems not good. And, how exactly are we going to fix that? If you start from the premise that you need the internet to be this giant open access thing to which anyone can send any series of bits at any time, and content moderation is at best reactive...how can you ever not need to make people watch other people murder puppies? OK, sure, AI...if it turns out to work. I really highly doubt it.
The comparison with TV is actually kind of an interesting one to me. It's also an interesting comparison to Sullivan's argument that it's "a very strange thing to do". Is it, though? TV and radio are really just broadcasting bits over the air, after all. But we never let everyone broadcast whatever the shit they liked. This is partly a purely practical technical thing - you can't let everyone do high-power radio/TV broadcasts, after all, it'd be complete chaos - but it also wound up being a restriction on content. If a broadcaster started broadcasting snuff films it'd get its license revoked PDQ. And...really...is that *wrong*? I'm honestly not sure. I still just about remember what life was like when it *wasn't* a given that anyone could broadcast high-quality video of anything they liked to everyone else in the world, and that seems like it was better in some pretty important ways...
Wednesday 26th June 2019 07:11 GMT Olivier2553
Re: "A very strange thing for Parliament to do [..]"
A couple of remarks. In the case of TV, I think there are/were people in charge of watching the programs 24/7 to make sure that the content was appropriate at any time.
FB and the like could have a system of pre-moderation whereby users' content would be approved before it goes online, and only after a user has been deemed trustworthy could he be allowed post-moderation. Many forums work like that, why not FB? Oh yes, here and now, can wait 10 minutes.
In the case of Cognizant, it seems to be a very toxic working environment more than the content of what they are watching: apply the same type of pressure on a postman and he too will commit suicide (yes, that happened in France). What company has bed bugs or pubic hairs on their premises? What company tolerates harassment?
And it is definitely a badly conceived solution: why have the employee come to the office? This is the kind of job that could be done from home, with salary depending on the amount of video you watch.
Tuesday 25th June 2019 11:05 GMT Anonymous Coward
Public blacklist...
... "hey, come here, we've got a list of all the sites you shouldn't see!!!"
Guess what a not small percentage of people will do - just out of morbid curiosity? And bypassing DNS won't be that difficult. For the criminals, a flag they have to move elsewhere.
Anyway this idea "you can't regulate tech" looks to me very like those who would kill the EPA and the like because they "put boundaries on business and progress". The Internet is already polluted, as it grew ignoring any downside effects just like XIX-XX century industries; maybe some regulations are needed as well?
Frankly, I would not trust anyway any basic internet infrastructure run by Google & Co., and we all know what their choice is between money and ethics.
DoH should be run by non-commercial entities at least - and maybe blacklists should not be made public - when they try to block criminal activities.
Tuesday 25th June 2019 12:22 GMT Chronos
Re: Public blacklist...
"DoH should be run by non-commercial entities at least - and maybe blacklists should not be made public - when they try to block criminal activities."
FFS! You don't understand how DNS works at all, do you? In the first place, which DNS servers you use are purely a consensus, usually a "can't be arsed" decision to accept your ISP's DHCP advertised crap. DoH is just wrapping the payload up in TLS encryption so the contents cannot easily be viewed in-transit. The underlying protocol for turning names into numbers remains exactly the same and you can "can't be arsed" to Cloudflare, Google, Mozilla or any of the other DoH/T providers just by leaving about:config alone.
Where the real fun will start is when the roots and authoritatives start serving DoH/T (stubby as a proxy). Then your private resolver can talk direct, in total privacy. This is not a Bad Thing™, especially when you weigh the risks between world+dog tracking you and a few miscreants who will find a way around whatever filtering you put in place. It'll also make amplification DDoS quite a lot more difficult as TLS requires TCP, which means a spoofed UDP request no longer provides the ability to swamp any poor old sod's pipe. As the chap said, your meddling only increases the collateral damage and does sod-all to address the problem.
Tuesday 25th June 2019 14:59 GMT Anonymous Coward
Re: Public blacklist...
Keep on thinking Google works for you and it's not evil. DoH is an attempt to bind people into a very few DNS services and track all their DNS queries. I frankly find people ridiculous when they fret about government tracking, but not "surveillance capitalism".
All of you will awake one day, I hope, and understand the big mistake you made. Meanwhile, keep on watching your porn using Chrome and believing you're not tracked. Nobody is really interested in how much porn you watch (as long as it is legal); the real issues are others.
It's funny how libertarians are exactly like climate change deniers and polluters when proposed regulations touch their interests. Just like the real environment, the Internet can't become a wild west where a few powerful companies do whatever they like, dictate the rules that make them more money, and pollute the environment regardless of the effects on people.
"The underlying protocol for turning names into numbers remains exactly the same"
No, it looks like you didn't understand what DoH is; the protocol is HTTP, not DNS. The message format is different, you need a whole new server and client to support the new protocol.
BTW, DNS works on TCP too, if you want.
Tuesday 25th June 2019 21:50 GMT Chronos
Re: Public blacklist...
You can, John. It's the MITM who can't, exactly the same as, say, HTTPS, assuming your CA trust store is sane.
I'm not even bothering to reply to the cow-herd. DoH isn't the only game in town and I just adequately explained how to move away from the likes of Ogle and Cloudflare, i.e. don't accept the defaults.
Wednesday 26th June 2019 04:38 GMT bombastic bob
Re: Public blacklist...
"non-commercial entities"
I spend 5 minutes listening to N.P.R. or any 'public broadcast' news and suddenly realize why I do not want NON-PROFIT CORPORATIONS determining what kind of intarweb access I have...
(ok if I have to explain it, these guys are SO LEFT OF CENTER in their politics and their TRANSPARENTLY OBVIOUS news filtering that it's pathetic, worse than CNN, worse than [P]MSNBS <-- not a typo - 'BS' - and the LAST thing I want is some left-wing-activist-driven "non profit" filtering my DNS instead...)
Wednesday 26th June 2019 05:36 GMT Charles 9
Re: Public blacklist...
The problem is that there's no real center: never was. It's just that the modern Internet made it possible for people to not be afraid to admit they're not in the center because they have "friends" to back them up.
Basically, if it isn't LEFT of center, it's RIGHT of center. Anything that claims to be center simply doesn't realize its own inherent biases. So, pick your poison.
Saturday 29th June 2019 06:03 GMT Joseba4242
Re: Public blacklist...
"It'll also make amplification DDoS quite a lot more difficult"
No it doesn't. Just because DoH is deployed, even if deployed widely, does not mean a single Do53 server is shut down. Unless that happens those same Do53 servers (even if used less by "proper" clients) can still be used for DoS attacks.
Tuesday 25th June 2019 11:21 GMT chuBb.
IWF Handwringing
Something has just occurred to me: sure, DoH might break the IWF's watch list for forward requests, but reverse DNS queries of the list would work just fine, especially if they go for the sledgehammer to crack a walnut approach and block by IP rather than host header. So why couldn't ISPs just move the check from DNS access to gateway access for HTTPS requests, and for plain HTTP, well, it's just another packet inspection rule at that point...
Of course solutions don't win headlines or votes, so jerk your knee as you think of the children, the sky is falling, damn those terrorists and their hashtags!!!!
Thursday 27th June 2019 06:59 GMT James R Grinter
Re: IWF Handwringing
A lot of TLS web sites are hosted on shared services these days: think anything on AWS S3, for example.
There’s separate work going on to prevent them being enumerable (i.e. to prevent the domain names being disclosed via the certificate when you connect to them)
This will lead to some suggesting the answer is to “man in the middle” every TLS connection, I’m sure.
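On the shared-hosting point: with HTTPS the Host header is inside the encrypted stream, so the only per-site name a gateway gets is the Server Name Indication in the TLS ClientHello, which is sent in the clear. The work referred to for hiding it is Encrypted SNI, which became Encrypted Client Hello. The code below is an added example written for this page, not from the thread or from any product: it constructs a minimal ClientHello and parses the SNI back out, which is what a host-based gateway filter would do instead of the IP sledgehammer that takes a whole S3 endpoint down with one bucket. The ClientHello bytes and the blocked-host set are constructed, not captured.

```python
"""Added example (editor's code, not from the thread): extract the Server Name
Indication from a TLS ClientHello the way a host-aware gateway filter would.
The ClientHello is built by build_client_hello(); nothing here is captured traffic."""
import struct

SNI_EXT = 0x0000   # extension type "server_name" (RFC 6066)


def build_client_hello(server_name=None):
    """Minimal TLS 1.2-framed ClientHello record, optionally carrying an SNI extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        ext_body = struct.pack("!H", len(entry)) + entry             # server_name_list
        extensions = struct.pack("!HH", SNI_EXT, len(ext_body)) + ext_body
    body = (b"\x03\x03" + b"\x11" * 32             # client_version, 32-byte random (constructed)
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent or not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake content type
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                          # not client_hello
        return None
    off = 4 + 2 + 32                                     # handshake header, version, random
    off += 1 + hs[off]                                   # session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
    off += 1 + hs[off]                                   # compression_methods
    if off + 2 > len(hs):
        return None                                      # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        if ext_type == SNI_EXT:
            # server_name_list: 2-byte list length, then (name_type, 2-byte length, name) entries
            pos = off + 2
            while pos + 3 <= off + ext_len:
                name_type = hs[pos]
                name_len = struct.unpack("!H", hs[pos + 1:pos + 3])[0]
                if name_type == 0:
                    return hs[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
        off += ext_len
    return None


def gateway_verdict(record, blocked_hosts):
    """Block by host name when the SNI is visible; with no SNI (or with ECH hiding it)
    the gateway is back to IP-level decisions, so this falls through to allow."""
    host = extract_sni(record)
    if host is None:
        return "allow (no SNI visible)"
    return "block" if host.lower() in blocked_hosts else "allow"


if __name__ == "__main__":
    blocked = {"blocked.example"}                        # constructed list
    for name in ("blocked.example", "bucket.s3.amazonaws.com", None):
        print(name, gateway_verdict(build_client_hello(name), blocked))
```

Note that the verdict function has nothing to match on once the name is gone; that gap is exactly what the "man in the middle every TLS connection" suggestion the comment anticipates would try to close, at the cost of breaking certificate validation for every client behind the gateway.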
Tuesday 25th June 2019 12:29 GMT Graham 32
Corporate dominance
> Sullivan proposes making all content hosts sign up to what would effectively be a public blacklist
Who are the content hosts? On the internet that can be anyone and everyone. It can only work if there's just a few major platforms hosting everything. It means forcing all the "little people" to become clients of a few big firms for it to be effective.
Tuesday 25th June 2019 13:41 GMT TheSmokingArgus
Re: Corporate dominance
Seems to me STATE Supremacists are attempting to put the proverbial toothpaste back in the tube. The free flow of information has for the first time in human history freed the individual to pursue any passion to their heart's content limited only by their motivation.
Such is bad business for authoritarians who prefer use of the regulatory state to keep folks subservient to STATE approved, licensed media outlets.
We saw the same here in the states with the notion of "public airwaves" that led to the licensure of radio & television, thus consolidating those who could or would comply with regulatory barriers, i.e. pre-filtering for copyright, etc.
Tuesday 25th June 2019 16:26 GMT amanfromMars 1
Jackanory?
"It's all about the content and not the infrastructure." .... Andrew Sullivan
And aint that the gospel truth, the whole truth and nothing but the truth. So help me, Global Operating Devices. But it is not as if you haven't been well advised of the situation, is it ...... so does that suggest you have learning difficulties and/or have a limited and limiting intelligence and a stunting imagination? ...... .... Changed SNAFU Times indeed in Deeds.
Nowadays spinning tall crooked tales is a sure telltale sign of mass intelligence weakness, which is pathetic in the extreme to deny.
Who/what tells you what to expect tomorrow with media tales of what is being hosted and posted today by useful puppets and useless muppets alike .... and who profits in the shadows on right dodgy markets with systems which cannot afford to not make good on the promise to make future killings?
It's all about keeping people stupid and unaware of the quandary and quagmires they be in.
And aint that another doozy to try and deny is a fact with the spinning of more sub-prime fiction.
Tuesday 25th June 2019 17:48 GMT LeahroyNake
His opinion
"I don't agree massacres of people should be filmed and shown on the internet or elsewhere. I don't think [child abuse images and footage] is OK. I don't think, either, that we should permanently try to use the underlying infrastructure to stamp out content we don't like."
I agree with all three points mentioned above. The first point though, when it involves <strikeout>US</strikeout> armed forces killing civilians anywhere. It should not be possible for agencies or governments to block what they do not like / the great firewall of China.
Tuesday 25th June 2019 19:49 GMT solinmoon
/etc/hosts restricts access into my private property
DoH gets around my ability to use /etc/hosts to limit who has access into my private property, my personal computing device.
I pay for bandwidth. I can restrict useless, to me, content from ever getting into the pipe.
This will just be another arms race.
Opportunity for a new browser that will have to be aggressively proactive and scan the web page as it loads and change any links that are in /etc/hosts to whatever /etc/hosts specifies as the IP address.
Same as it ever was, the powerful taking authority away from the individual.
Wednesday 26th June 2019 22:48 GMT NetBlackOps
Re: /etc/hosts restricts access into my private property
I've had a proxy for years (over twenty) that dynamically rewrites HTTP(S) on the fly so substituting a locally hosted web site/page for whatever hosts I wish to block/trash isn't at all hard. Started as blocking blinking text, cookies, javascript, &c.
Wednesday 26th June 2019 04:47 GMT SNAFUology
Oh {Sigh} !
"condemned governments that "interfere in underlying technologies that people are allowed to build," as regulators increasingly target net infrastructure to enforce their visions of how the online world **ought** to be."
Now who could determine that ? and why isn't it that way already ?
{analogy}
People have used toilets (WC's) for years now:
they still are designing new ones, have bad ones, people without one, have a need to get deep in it to fix one or otherwise,
and they in some way are more necessary than the internet (provided it isn't the only form of communication).
Guess we will never have an 'ought to be internet' that works perfectly then.
Wednesday 26th June 2019 08:21 GMT Dr Stephen Jones
Google speaks
Google devises a protocol which secures its ad business against ad blockers and centralises control over the internet
Google funds Mozilla $300m a year, Mozilla advances it as a “community initiative”.
Google funds the Internet Society (sadly now a Big Tech lobbying shop) to tell you opposing the new protocol is a really bad idea.
You do see what’s happening here folks, don’t you?
Wednesday 26th June 2019 14:47 GMT EnviableOne
DNS over What
DNS is not port 80 web traffic so shouldn't be going over port 443
DNS is its own protocol, so should have its own secure protocol like
HTTPS is to HTTP
FTPS (FTPoT) and SCP/SFTP (FTPoS) are to FTP
DNSCrypt and DoT fit this bill, but DoH does not.
segregating this traffic allows more effective monitoring and prioritisation of this specific service and reserving the dedicated port 853 achieves this.
the aim of encryption is privacy, and even if this is segregated from HTTP traffic, this is achieved by TLS (and 1.3 enhances this)
Wednesday 26th June 2019 18:20 GMT Charles 9
Re: DNS over What
"segregating this traffic allows more effective monitoring and prioritisation of this specific service and reserving the dedicated port 853 achieves this."
It ALSO allows The Man to BLOCK unwanted services by simply controlling that port wholesale. It's unavoidable: a dedicated port is easy to manage: by you OR The Enemy. That's what a tunneled DNS like DoH is meant to defeat.
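The port argument in the two comments above can be checked against flow records. This is an added example written for this page, not from the thread: a classifier over constructed flow log lines that labels UDP/53, TCP/853 and TCP/443 as a port-and-IP-only middlebox would see them, and a policy that blocks DoT outright but can only catch DoH where the destination is on a list of known public resolvers. The listed addresses are real Cloudflare, Google and Quad9 resolvers that answer DoH on 443; the flows themselves are made up, and the list is deliberately short to make the point that any such list is incomplete.

```python
"""Added example (editor's code, not from the thread): what a port/IP-only
network filter can and cannot tell apart among Do53, DoT and DoH flows.
Flow records are constructed; the resolver addresses are real public ones."""
from ipaddress import ip_address, ip_network

# Real public resolvers that serve DoH on TCP/443 (Cloudflare, Google, Quad9).
# An operator's list is always incomplete; a DoH server can sit on any HTTPS host.
KNOWN_DOH_RESOLVERS = {ip_network(n) for n in (
    "1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32", "9.9.9.9/32")}

# Constructed flow log lines: proto src dst dport bytes
FLOW_LOG = """\
udp 192.0.2.10 203.0.113.53 53 78
tcp 192.0.2.10 1.1.1.1 853 1420
tcp 192.0.2.11 1.1.1.1 443 2210
tcp 192.0.2.11 198.51.100.20 443 51200
tcp 192.0.2.12 8.8.8.8 443 1980
"""


def classify(proto, dst, dport):
    """Label a flow by what a port/IP-only middlebox can infer about it."""
    if dport == 53:
        return "do53"          # cleartext: readable, filterable and forgeable in transit
    if dport == 853:
        return "dot"           # dedicated port: one rule catches all of it
    if dport == 443:
        ip = ip_address(dst)
        if any(ip in net for net in KNOWN_DOH_RESOLVERS):
            return "doh-known"  # only caught because the resolver IP is on the list
        return "https"          # DoH to an unlisted resolver looks exactly like this
    return "other"


def parse_flows(log):
    """Parse the constructed 'proto src dst dport bytes' lines into dicts."""
    flows = []
    for line in log.splitlines():
        proto, src, dst, dport, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def apply_policy(flows, block_dot=True, block_known_doh=True):
    """Return {src: [(dst, dport, label, verdict), ...]} for a blanket-port policy."""
    verdicts = {}
    for f in flows:
        label = classify(f["proto"], f["dst"], f["dport"])
        blocked = (label == "dot" and block_dot) or (label == "doh-known" and block_known_doh)
        verdicts.setdefault(f["src"], []).append(
            (f["dst"], f["dport"], label, "block" if blocked else "allow"))
    return verdicts


if __name__ == "__main__":
    for src, entries in apply_policy(parse_flows(FLOW_LOG)).items():
        for dst, dport, label, verdict in entries:
            print(f"{src} -> {dst}:{dport}  {label:10s} {verdict}")
```

The fourth flow is the one that matters for the argument: 198.51.100.20:443 could be a web site or a DoH resolver, and nothing in the record distinguishes them. Telling them apart needs either a resolver list that somebody keeps current, or TLS inspection, which is the "crusade against encryption" the earlier comment predicts.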
Friday 28th June 2019 22:42 GMT Joseba4242
"You could embed the blocklist in servers on the internet."
No you can't. Well, technically you can of course but in reality it cannot be enforced.
The whole reason why blocking happens on infrastructure level is because it doesn't work at server level. ISPs are accountable to local jurisdiction, the operators are (usually) responsible businesses and there are a reasonably small number of them so they can practically be addressed.
There are hosting providers out there that tolerate kiddie porn. If even that content can't be removed from servers, what chance is there for other illegal content?
Why would IWF bother with ISP blocking if they could just get that content removed from the servers?
That's not even talking about jurisdictional issues for which there isn't an obvious answer. Why should a server operator in Netherlands block content that a UK court deems illegal?
There simply isn't any alternative. What they are proposing means in reality no content, however bad, will be blocked once the proposals are implemented. This argument of "I agree with the intentions but there are other means" just isn't true.