back to article Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced. This means the ISP, which has joined Moz's Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using …

  1. elDog

    So will Tor be using Comcast for DNS? Will my VPN also start going through my ISP?

    It's like musical chairs. Trying to figure out which browser you trust, and then which ISP and which DNS provider.

    I'll just use whatever Jared uses. It must be secure and have multiple exit points in Moscow and St. Petersburg. With some undisclosed hops to Israel and China. Damn, my latency is really g.r..o...w...i.....n.....

    1. diodesign (Written by Reg staff) Silver badge

      Re: So will Tor be using Comcast for DNS? Will my VPN also start going through my ISP?

      No, Tor routes DNS through Tor. Your VPN will work as usual. But Firefox, if you use the default and are on Comcast's broadband network, will send its DNS via Comcast over HTTPS.

      Bear in mind most or many subscribers send their plain-text DNS via Comcast anyway, due to their cable modem's DHCP setup, so for them this is no change except it's via HTTPS and Moz has made Comcast swear it'll be nice.

      In a way, DNS-over-HTTPS was an opportunity to shield DNS lookups and route them where you want, but instead, yeah, nah, Comcast will just handle it anyway.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Comcast will just handle it anyway

        So at best, a no-op, and at worst, a false sense of security.

        If you're using ISP resolver(s) anyway, who are you hiding your DNS queries from using DoH?

        In any case, applications like Web browsers shouldn't be making their own name resolution plans; that's a site-based setting and apps should use the OS's setup (including proxy setup). Neither should 'devices' be hardcoded with 8.8.8.8 for DNS. That's how leaks happen.

        1. teknopaul

          Re: Comcast will just handle it anyway

          So at best, a no-op, and at worst, a false sense of security.

          also breaking dns, e.g. dns load balancing or perd hacks, local blacklists etc.

          dns/https is a powergrab, as soon as mozilla made it acceptable Google do it. so most of the world just get another wall around their Internet and a single point of contact for your local cops.

      2. Someone Else Silver badge

        Re: So will Tor be using Comcast for DNS? Will my VPN also start going through my ISP?

        OK, so if I have explicitly set 1.1.1.1 as my DNS server, will I have to change that, or is it simply a matter of telling Firefox to just leave it alone? Or will having Comcast as my provider under this new scheme allow them to snoop it anyway?

  2. Anonymous Coward
    Anonymous Coward

    Why can't people just run operating systems with recursive DNS resolvers?

    1. joesomeone
      Facepalm

      For what end?

      In this example, Comcast can inspect all your UDP/53 traffic coming out of your home which contains all your questions.

      Sure, might be a bit harder than correlating some DNS logs and it (shouldn't) allow them to choose one answer over another... but Comcast is running DPI throughout their environment, so let's consider it a trivial matter.

      The correct answer to this is to look no further than DoT.

      I might add that DoH (and DoT) isn't the panacea that everyone is talking about. Pure opaqueness (outside of the company that's providing that DoH infrastructure) for DoH and DoT requires TLS 1.3, Encrypted SNI and DNSSEC to be supported by both ends of each query/connection. We're still a long way from that, and that seems like a lot of potential weak links in each request.

  3. Kevin McMurtrie Silver badge
    Big Brother

    I knew that a centralized commercial system would be exploited, but that was FAST. Nice work, Comcast.

  4. YetAnotherJoeBlow

    ...but it is DOH!

    "Comcast has moved quickly to adopt DNS encryption technology and we’re excited to have them join the TRR program," Firefox CTO Eric Rescorla said on Thursday.

    Eric, you need to stop drinking the Kool-aid. Really.

  5. John Navas
    FAIL

    Naive or Complicit?

    I was already leery of how Mozilla has been pushing out DoH, but this tells me all I need to know, and so I won't be using or recommending Firefox. ComcastCares only about Comcast. Mozilla is either naive or complicit.

    1. Anonymous Coward
      Anonymous Coward

      Re: Naive or Complicit?

      You know that Chrome/Chromium also uses DoH, and will automatically send traffic to your ISP (eg. Comcast) if they support DoH too? I understand Windows itself will also support DoH at the operating-system level, in a similar manner to Chrone.

      Firefox is the only one that is making DNS providers agree to privacy policies before sending DNS traffic to them.

      So what browser are you going to recommend to normal people?

    2. Hubert Cumberdale Silver badge

      Re: Naive or Complicit?

      I cheerfully send all my DoH DNS queries to Cloudflare. At least they're so big that hopefully my data will get list in a big pond... I hope...

      1. Yet Another Anonymous coward Silver badge

        Re: Naive or Complicit?

        Also cloudfare don't have your home address, credit card details and a list of all the TV shows you watch on their cable package as well as all your network traffic - so your dns data is a lot less valuable than to your ISP

        1. joesomeone
          Big Brother

          Re: Naive or Complicit?

          ISPs have plenty of information on you without DNS. DNS is just a cherry on the top that puts a name to an IP (which isn't a PTR RR). They record every single data flow in and out of your home. They know the IP you're going to, how much data is transiting that flow, what AS you're communicating to and over what port and packet type (6 or 17 most likely) that flow is communicating over.

          With that information, your ISP can infer the places your going based on the IP(s) that other ISP customers are getting from unprotected DNS queries.

          And with a bit of inspection, it is trivial to know precisely where you're going with a little packet inspection of the TLS ClientHello packet and the bit of it called "SNI" (Server Name Indication). This is a critical piece of the TLS protocol that allows for more one secured FQDN to exist on the same IPv4 address and the website FQDN is listed in plaintext. I don't know if this is a thing for IPv6 hosted sites.

          Fortunately, this glaring hole was sorted in TLS1.3 with the creation of ESNI (E=encrypted). But I'm sure all the firewall and security appliances manufacturers out there are looking for ways to re-filter corporate comms. Maybe they'll just block "_esni.FQDN" queries.

          Hopefully TLS1.3 will be adapted faster than IPv6. But it does seem to have almost as many moving parts and fall-back processes to provide continuity.

  6. Randesigner

    How much did Comcast pay Mozilla?

    Mozilla, like any other business (for profit or non-profit), has to make money. I'm wondering what they got out of the deal.

    1. Jimmy2Cows Silver badge
      Gimp

      Re: How much did Comcast pay Mozilla?

      Sad but true. Have to assume Mozilla knows they're being figuratively bent-over.

      Maybe they the like it ---->

  7. Jimmy2Cows Silver badge

    Mozilla today insisted its new best buddy Comcast...

    is going to play nice and follow the DNS privacy program's rules.

    Yeah. Of course they are. No megacorp has ever said that and done the opposite. No-sir-ee.

    [Imagines Comcast as a stereotypical evil moustache-twirling villain] Yes, of course, this information is completely safe with us and will never be abused for corporate or personal gain. You can trust us.

    1. W.S.Gosset
      Happy

      Re: Mozilla today insisted its new best buddy Comcast...

      For me, that mental image is perfected by adding 2 words:

      You can trust us, my dear.

  8. Rich 2 Silver badge

    FFS

    I get all the arguments for DoH but the more I read the more I’m thinking what is the f’ing point?!

    If you want genuinely secure DNS then build or find a secure service. However big a bow you stick on it, DoH is NOT such a service - it’s utter bollocks that has been and will continue to be bastardised by the tech industry to circumvent any perceived “security” it ever had (which, in practical terms, is fuck-all)

    1. EnviableOne

      Re: FFS

      with DoH only you and Comcast (and whoever they flog the information to) know the content of your request, with plain old DNS anyone can see whats in the request anywhere between you and comcast

      This is the difference, its slight, but better ...

      DoT would also serve this purpose and allow DNS traffic to be treated diffently

      But as said before DoT or DoH is only one part of securing DNS, you still need to sort the other bits to make the whole lot worth while.

  9. tekHedd

    So the only difference here *really*

    for 99.9% of us, the only difference now is that you can't run your own DNS proxy easily, making it harder to filter out ad servers.

  10. Gene Cash Silver badge

    So how does Comcast handle NXDOMAINs?

    Will they inject a fake response and ads like Spectrum/Brighthouse & Cox does?

    1. Claptrap314 Silver badge

      Re: So how does Comcast handle NXDOMAINs?

      I assume that they won't be stopping.

    2. Mike 16

      Re: So how does Comcast handle NXDOMAINs?

      The behavior you describe did (IIRC) also apply to Comcast, although they may have gone under the name ATTBI at the time. I did notice that among the "We will not" promises listed, that one is missing.

  11. Claptrap314 Silver badge
    Pint

    We need DNS over SQL...

    as I mentioned when this proposal first came out. It's the only way.

    <sigh>

    As always, -----> is for crying in.

    1. stiine Silver badge
      Devil

      Re: We need DNS over SQL...

      djbdns has that covered.

  12. pyhoff@gmail.com

    So what now? What do I use?

    Same dilema again which Browser to use?

    Disable DoH?

    Use a VPN and TOR?

    Brave, sold out to bitcoin

    Google ‘is’ evil

    Edge (no Linux package) but All chromium based suffer same resource exhaustion issue and flaws.

    Operas? Hacker please....

    1. crayon

      Re: So what now? What do I use?

      This announcement hasn't changed anything. You can continue to use whatever you're using now. Mozilla and Comcast aren't forcing you to use DoH.

      Whatever you use, at least one entity will be looking at your DNS traffic, your only choice is to pick which entity that will be.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like