It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

Last week, amid some acrimony, the Internet Engineering Task Force (IETF) formally adopted a new encryption standard for the internet naming systems. But far from the approval of RFC 8484, better known as DNS-over-HTTPS or DoH, putting the issue to bed, it has stirred up a hornet's nest of upset among internet engineers that …

  1. JohnFen

    The whole thing is just utterly depressing

    I view DoH as a bad thing overall, and it is yet another step in the degradation and corporatization of the internet. The DNS system certainly needs fixing, but it should be fixed rather than bringing DoH into the mix.

    But it looks like we're going to get stuck with this bullshit.

    1. Spazturtle

      Re: The whole thing is just utterly depressing

      " and it is yet another step in the degradation and corporatization of the internet."

      What do you mean by this? All it is is a new protocol for connecting to DNS resolvers; it doesn't change anything beyond that.

      1. JohnFen

        Re: The whole thing is just utterly depressing

        I say this because of two things it simultaneously does -- it makes it necessary to rely on a large provider for your DNS resolution, and it makes it less likely that the problems with DNS will actually get resolved in a manner that maintains decentralization.

        It's also a security problem, because it only addresses browser use. People are likely to think that all DNS queries will be secure, when that's not the case at all. It also encourages the terrible tendency for people to think that the web and the internet are the same thing, a factor which is, in my opinion, terrible for the internet.

        On top of all that, this is shoving yet another unrelated thing through the HTTPS port. Doing this is also a security problem because it makes it difficult-to-impossible to selectively block services you don't want your network to be interacting with.

        But please understand, if DoH were the only objectionable thing to come down the pike, I wouldn't react so strongly to it. But it's just the latest thing in a series of moves that I think is harming the internet as a whole, so there's a bit of "straw that broke the camel's back" going on for me.

        1. Michael Wojcik

          Re: The whole thing is just utterly depressing

          this is shoving yet another unrelated thing through the HTTPS port

          Indeed. Schneier and others pointed to the various security problems with "just run it over HTTP" back when Microsoft assaulted the world with SOAP twenty years ago. They're still pertinent, but everyone seems to want to shove every damn thing into HTTP messages anyway.

          I swear, some of these people would probably run all their application traffic in a GRE-over-HTTPS VPN, given the opportunity.

      2. stiine

        Re: The whole thing is just utterly depressing

        re: Spazturtle

        What it really does is take control of DNS out of local administrators' hands and forces even tiny companies to use https proxies to prevent this traffic from reaching its end-point.

        In one network I manage, they use OpenDNS. In order to ensure that every machine in the company uses the OpenDNS proxies, only the DCs and those proxies are allowed to make DNS queries to the internet; everyone else will get a timeout. If they move to DoH, I'll have to stand up an HTTPS proxy and then reject DoH traffic.

        1. Spazturtle

          Re: The whole thing is just utterly depressing

          @JohnFen

          DoH is not browser only, my system's DNS process has already been updated with DoH support, so my whole system can use DoH.

          "Doing this is also a security problem because it makes it difficult-to-impossible to selectively block services you don't want your network to be interacting with."

          That is an issue for the network operator, not for the user; DoH is designed to protect the user from the network operator by preventing them from seeing what the user is doing and/or blocking it.

          @stiine

          I'm sorry but that is the exact purpose of DoH, to take control away from the network operator and give it to the user, and to make inspection harder and more expensive.

          In your case as you are the one doing the snooping it is going to make things harder, but that doesn't make DoH bad for users.

          When designing a secure protocol you can't make it secure and also make it easy for the network operator to manage and inspect, they are mutually exclusive.

          1. Ben Tasker

            Re: The whole thing is just utterly depressing

            > I'm sorry but that is the exact purpose of DoH, to take control away from the network operator and give it to the user, and to make inspection harder and more expensive.

            >

            > In your case as you are the one doing the snooping it is going to make things harder, but that doesn't make DoH bad for users.

            And how's that aim going to be achieved when networks at Schools, Universities and Businesses all start intercepting HTTPS traffic?

            If you haven't got their CA installed, you'll get a cert warning and have a choice - proceed with everything visible to a man in the middle, or don't access whatever you were trying to access. If you have got their CA installed, you won't even get that.

            From a user's perspective, I'd say that's a pretty fucking bad outcome either way.

            And as a home user, I potentially still don't gain anything. My ISP partners with Google and has some of their kit on-net, so when my DoH request hits that PoP, and a plain query then goes out from that (with ECS information attached, so they can see which subnet the query originated from), they're still going to know what I was querying if they're bothering to watch.

          2. JohnFen

            Re: The whole thing is just utterly depressing

            "my system's DNS process has already been updated with DoH support, so my whole system can use DoH."

            That's well and good for people like you and me. It doesn't help people who are less sophisticated, and those are exactly the people who are more likely to get tripped up on this point.

            "That is an issue for the network operator not for the user"

            Fair enough, but it's precisely why I think this is a bad thing. I am both a network operator (of my home network) and user. This leaves me with very few options, outside of beginning to blacklist DoH providers (which, I read, is what a lot of ISPs are planning to do).

            What disturbs me about this is mostly that this is bad for the internet in general. All the time and effort put into this could have been put into actually addressing the underlying problem, rather than coming up with a band-aid that is likely, in the long run, to be detrimental to us all.

            1. Anonymous Coward

              @JohnFen - Re: The whole thing is just utterly depressing

              And what is the exact underlying problem in your opinion? This DoH/DoT story is intended to prevent snooping on end-user traffic, so what would be your proposition on this? If your shady provider were to set up interception, they would be able to look into your traffic no matter whether it's DoH or DoT.

  2. Anonymous Coward

    Doh.....

    Not on my networks.

    1. Steve Button

      Re: Doh.....

      ... and how exactly are you going to stop that? Shut down HTTPS?

      1. Ben Tasker

        Re: Doh.....

        For all the "but it looks like HTTPS" arguments, it's still fairly trivial to block the ones that are most likely to be used by the majority of people (i.e. Cloudflare etc). Block TCP 443 to 1.1.1.1 and any others you can find on the net.

        You don't, for a second, have to block everything. If you block enough to be inconvenient then users will likely start turning TRR off.

        I'm not saying I support that approach, just that claims it's unblockable because it just looks like https are crap. A good traffic profiler will probably be able to start picking out likely TRR destinations too, so you could even auto-populate an ACL if you're willing to accept occasional overblocking.

        1. Anonymous Coward

          @Ben Tasker - Re: Doh.....

          And VPNs too?

  3. Nate Amsden

    Where are the implementations?

    I'll admit I haven't followed this closely. Just looking now at DNS over HTTPS, for example, other than some web browsers and Cloudflare (maybe some other public recursive systems), where are the other implementations of this? (Specifically looking for server implementations, not stuff that is locked away by a service provider black box like Cloudflare.) Speaking as someone who has run recursive and authoritative name servers for 22 years now (and still does today).

    Wikipedia's info on it is pretty void of info https://en.wikipedia.org/wiki/DNS_over_HTTPS

    Recently I looked into DNS over TLS (was just curious), specifically for BIND anyway, and came across this page https://kb.isc.org/docs/aa-01386 , which talks about using stunnel in front of BIND for DNS over TLS. Which to me is just a hack. I'd expect to see native TLS support in something like BIND, at least so you have full visibility into the IPs that are sending requests (with a proxy like stunnel that information would get lost).

    Myself, I am fine with DNS as is; I have no need for TLS or HTTPS. Though I can certainly understand there are people in situations where they have a much higher need for privacy and for whatever reason a VPN may not work for them.

    SSL/TLS connections are difficult enough now to debug with encryption protocols and ciphers and versions and generally crappy logging on behalf of the applications.

    DNS in browsers is already a pain with the browser often caching DNS responses. It's probably been 100s of times over the past decade that I've had to tell users to restart their browsers or use another browser to clear their browser DNS cache.

    My general bigger concern with the likes of Firefox and probably other browsers wanting to use DNS over HTTPS is how that might affect my services, e.g. users connect to a VPN, and that has DNS resources that resolve stuff for internal names. I would kind of expect/fear that if Firefox and others are defaulting to a public DNS over HTTPS provider then it would break DNS queries for basically everything internal the user is trying to connect to. Time will tell I guess.

    Also of course more broadly along the same lines having inconsistent DNS behavior depending on whether or not the app is using DNS over HTTPS to a public resolver or the operating system's resolver.

    (and yeah not a fan of IPv6 either)

    1. Spazturtle

      Re: Where are the implementations?

      DoH doesn't attempt to resolve RFC 6762 (.local) domains and will refer those to the DNS server provided by the router. So this won't impact local domain names.

      1. Ben Tasker

        Re: Where are the implementations?

        And what if you're doing split horizon routing? (Yeah, yeah, I know, I don't like it either).

      2. Nate Amsden

        Re: Where are the implementations?

        .local I think is mainly used in Windows and Mac environments? I've never used it in Linux anyway. At the org I work for we have 47 domains hosted internally, some are both internal and external. All are .com or maybe .co.uk .de .fr etc.

        Used to have over 100 but cut it down by a bit last year.

        So saying .local isn't affected does nothing for what may be my situation at some point.

        1. Peter Mc Aulay

          Re: Where are the implementations?

          Not only that, but .local clashes with zeroconf/mDNS.

  4. Jellied Eel

    Cat herding

    That philosophical question is why internet engineers are so mad, and will likely continue to be for some time.

    It was ever thus. I'm in the camp with Vixie, on account of him knowing a bit about DNS, and making some good criticisms.

    The good news is as you say, this may never be widely implemented. RFCs are after all 'Requests For Comments', and most are too woolly to really be counted as standards. There's a far smaller and better defined set of STDs that shouldn't be ignored if one wants to play safely on the Internet.

    But I predict ICANN will lobby hard for implementation on account of a) They wrote it and b) It's part of the trust system for a secure DNS, and thus DNS. Which means trusting ICANN to hand out keys & stay central to the official Internet. Strange how that works.

    (and then of course avoiding governments thinking 'hey, if we legislate for this, the kiddies can surf safely through their trusted DNS'. UK ISPs will still have to log connection requests anyway.)

    1. Tomato42

      Re: Cat herding

      I won't deny that Vixie knows a bit about DNS.

      I'm not so sure if his incentives align with Web (and thus DNS) users though.

      1. pmb00cs

        Re: Cat herding

        The Web isn't the only use of DNS though. Any service that needs to resolve a hostname to find which IP address to connect to, or what domain a connecting IP belongs to (assuming PTR records are appropriately updated), relies on DNS. The assumption that "The Web" == "The internet" needs to die.

        Yes "The Web" is an important service that many people use day in day out, but it is only one of many services that run over the internet.

      2. JohnFen

        Re: Cat herding

        "I'm not so sure if his incentives align with Web (and thus DNS) users"

        DNS is used by far more services than the web. All of them, in fact. All web users are DNS users, but not all DNS users are web users.

    2. Anonymous Coward

      Re: Cat herding

      Just because a DNS Researcher who happens to be employed by ICANN was involved in the authorship of this RFC doesn't in any way imply that ICANN corporately endorses the standard and will lobby for it.

      The big political issue with DoH is that the original elevator pitch for the protocol was as an ad-hoc means to secure your DNS lookups in environments where you can't trust that the local DNS resolver isn't messing with your queries (e.g. a coffee-shop Wi-Fi network). It would also allow for a standardised way for web applications to perform DNS lookups for arbitrary DNS data, something they can't currently do.

      What changed this were the public pronouncements from Mozilla engineers that they wanted to make DoH the default method for doing _all_ DNS lookups from inside the Mozilla browser, and that they would take it upon themselves to choose the default far-end resolver DNS service (initially Cloudflare) on your behalf.

      The WG charter text says: "The primary focus of this working group is to develop a mechanism that provides confidentiality and connectivity between DNS clients (e.g., operating system stub resolvers) and recursive resolvers". No-one expected that last clause to mean just a handful of massively aggregated (and centralised) resolver operators.

      1. Spazturtle

        Re: Cat herding

        "What changed this were the public pronouncements from Mozilla engineers that they wanted to make DoH the default method for doing _all_ DNS lookups from inside the Mozilla browser, and that they would take it upon themselves to choose the default far-end resolver DNS service (initially Cloudflare) on your behalf."

        They didn't do that though, that is just for the opt-in test. Once DoH is added to Firefox stable it will use whatever DNS resolver you configure. Over time more and more DNS resolvers will add DoH support. DoH is just a protocol, it doesn't do anything in regards to centralisation or de-centralisation.

        There are already quite a few independent DoH resolvers to pick from.

        1. Anonymous Coward

          Re: Cat herding

          They did _exactly_ that (https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/):

          "We’d like to turn this on as the default for all of our users".

          and if you don't manually configure your own (independent) DoH resolver, you'd get one of Mozilla's so-called "Trusted Recursive Resolvers".

          1. Spazturtle

            Re: Cat herding

            The part where they say "We’d like to turn this on as the default for all of our users" is talking about DoH not TRR.

            From the TRR Bugzilla: "Provides an optional resolver mechanism for Firefox that allows running together with or instead of the native resolver."

            The actual mailing lists and bug trackers are the best way to find out what is actually going on.

          2. browntomatoes

            Re: Cat herding

            What’s worse, they’re also making other privacy enhancements (e.g. eSNI) reliant on turning on DoH. I’d like to try the experimental eSNI support using my own local recursive resolver (for which I can deal with where it gets its answers and how they’re privacy protected, thank you very much) but they won’t let me without patching the code myself.

            I don’t think that’ll be the last privacy feature that won’t work without it either.

      2. Jellied Eel

        Re: Cat herding

        Just because a DNS Researcher who happens to be employed by ICANN was involved in the authorship of this RFC doesn't in any way imply that ICANN corporately endorses the standard and will lobby for it.

        Nope, ICANN would never do that. ICANN has, and always will be the epitome of good governance. Now, would you like to buy a TLD?

        But it is not a 'standard'. It's an RFC, not an STD. As such, it can be freely ignored. Or commented on by a wider audience than just the WG. That the WG didn't expect that it would hand traffic to the biggest abusers of confidentiality simply highlights the problems with the WG process. It might provide confidentiality for data in transit, but won't once it's hit the resolvers. Or proxies, caches etc.

        But I've been pondering Vixie's comment about control plane security more. DNS currently is a simple process: write a plain text request and read a plain text response. So a client doesn't need much trust, other than how it passes the response to whatever has requested the connection. That session may then be encrypted between client and host, and separate to any host's process. Requiring encryption presumably means the host's process has to hook into the device's encryption routines at a higher trust level, so a DNS attack could end up compromising the control-plane functions.

        Which can't be a good thing, especially as DNS is a function used by pretty much every Internet device, not just web browsers. Especially if there's pressure to make this a 'standard', or if the usual resolvers require it. It's been generally accepted that hard coding IP addresses into devices isn't best practice, and re-writing code for millions of IoT stuff will inevitably cause some to break, or become insecure.

      3. JohnFen

        Re: Cat herding

        "as an ad-hoc means to secure your DNS lookups in environments where you can't trust that the local DNS resolver isn't messing with your queries (e.g. a coffee-shop Wi-Fi network)"

        If you're using such an access point without also using a VPN, you have very serious exposure in more areas than just DNS lookups. For that use case, DoH is like spitting in the ocean.

  5. Anonymous Coward

    Not one to nitpick but...

    “Fans of the protocol point out that because the standard uses the same port as ordinary DNS traffic”

    I’m pretty sure that statement is incorrect. I’m assuming it was meant to say the same port as ordinary HTTPS traffic. What I can’t understand is, what is stopping DoT from using port 443 too? As far as I am aware, it would look no different to DoH (providing NPN extensions aren’t enabled), just without the completely unnecessary overhead of including a bunch of irrelevant plaintext header fields.

    Another question / issue I have with the claim that DoH will be better camouflage is: how are you expected to address the DoH server? I’m guessing, given that DNS is presumably out of the question, it will be by static IP? In which case, I would imagine that anyone wishing to block it could simply target TLS sessions with no SNI? Or obviously block known DoH server IPs.

    Fundamentally I cannot see the logic in involving HTTP. Was this wrapping in HTTP also proposed for SMTPS? Or FTPS? I suspect not, presumably because it makes no sense. My question is why it makes any more sense to do so with DNS? Finally, why is DoT not likewise called DNSS?
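As an added example, not from the thread or any named product, of the "TLS sessions with no SNI" signal the post asks about: a parser that pulls the server_name extension out of a TLS ClientHello so an operator can see which port 443 flows on their own network carry no SNI. The ClientHello bytes and the flow records are constructed for the test; the hostnames and the 203.0.113.x addresses are placeholders.

```python
import struct

SNI_EXTENSION = 0x0000                # server_name extension type (RFC 6066)
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01  # TLS record type / handshake message type


def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (not captured traffic).
    With server_name=None the extension block simply lacks SNI."""
    body = b"\x03\x03" + bytes(32)                       # client_version + random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
    body += b"\x01\x00"                                  # null compression only
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    exts += struct.pack("!HH", 0x0017, 0)                # extended_master_secret, empty
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None when the
    record is not a ClientHello or carries no SNI. Malformed input yields None."""
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                              # version + random
        off += 1 + body[off]                                      # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]      # cipher_suites
        off += 1 + body[off]                                      # compression_methods
        if off + 2 > len(body):
            return None                                           # no extension block
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == SNI_EXTENSION and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def flows_without_sni(flows):
    """Given (dst_ip, dst_port, first_client_record) tuples, return the port 443
    destinations whose ClientHello carried no SNI, for an operator to review."""
    return [(ip, port) for ip, port, rec in flows
            if port == 443 and extract_sni(rec) is None]


# Constructed flow records; 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, build_client_hello("www.example.com")),
    ("203.0.113.53", 443, build_client_hello()),      # no SNI: worth a look
    ("203.0.113.25", 8443, build_client_hello()),     # not port 443, ignored here
]

if __name__ == "__main__":
    print(flows_without_sni(SAMPLE_FLOWS))
```

Absence of SNI is only a weak signal on its own: clients that connect by IP literal omit it too, and encrypted SNI, which other posters here note is coming, would remove it entirely.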

    1. Charles 9

      Re: Not one to nitpick but...

      Too easy to confuse with DNSSEC, which deals with authentication rather than integrity.

    2. Crypto Monad

      Re: Not one to nitpick but...

      > what is stopping DoT from using port 443 too?

      Because HTTP and DNS are different protocols with different payload format. The whole point of a well-known port is that you know in advance which protocol you are supposed to speak, when you open or accept a connection.

      > block known DoH server IPs

      That's called whack-a-mole, and it doesn't work.

      Remember that the first provider of DoH services is CloudFlare. They could enable DoH on *all* their front IP addresses. In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg).

      > I cannot see the logic in involving HTTP. ... why it makes any more sense to do so with DNS?

      In other words: why are some people pushing for DoH rather than DoT?

      Well, DNS is a request-response protocol which maps quite well to the HTTP request-response cycle (unlike SMTP or FTP).

      But the real reason is because it makes DoH almost impossible to block. Your site's DoH traffic is mixed in with your HTTPS traffic and it's very difficult to allow one but not the other. That makes it a real pain for network operators, who may use DNS query logs to identify virus-infected machines (calling home to C&C centres), or to filter out "undesirable" content such as porn.

      It's a question of whose rights prevail. Consider a university campus network. Does the network operator (who pays for the network) have the right to enforce an AUP, which says you can't use university resources for browsing porn? Or is this trumped by the rights of the student to use the Internet for whatever they like?

      This has national policy implications too. In the UK, large ISPs are required to provide "family-friendly" filters, and this is generally done by DNS filtering. If the mainstream browsers switch to DoH, those filters will be completely bypassed. The ISPs can switch to blocking by IP, but there will be much collateral damage as one IP address can host thousands of websites - and if the undesirable site is hosted on a CDN like Akamai or CloudFlare, this sort of filtering may be impossible.

      (Today you can also filter on TLS SNI, but SNI encryption is also on the near horizon)
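As an added illustration of the request/response mapping Crypto Monad describes (not code from the thread or from any DoH implementation): in the RFC 8484 GET form the wire-format DNS query travels as the base64url `dns` parameter, and the response body is an ordinary DNS message. The resolver URL and the 192.0.2.1 answer are constructed placeholders.

```python
import base64
import struct

# Constructed placeholder; RFC 8484 resolvers publish a URI template ending in {?dns}.
RESOLVER_URL = "https://doh.example/dns-query"


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Build a plain DNS query message (A record by default). RFC 8484
    section 4.1 suggests ID 0 so identical queries give identical URLs
    that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """RFC 8484 GET form: base64url with padding removed, in the dns= parameter.
    (The POST form sends the same bytes as an application/dns-message body.)"""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(msg: bytes):
    """Return [(name, ttl, ipv4)] for A/IN records in a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                                  # skip echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def http_cache_max_age(answers) -> int:
    """RFC 8484 section 5.1: an HTTP cache lifetime for the response must not
    exceed the smallest TTL in it, or a cache would hand out stale records."""
    return min(ttl for _, ttl, _ in answers) if answers else 0


# Constructed response as a resolver would return it in an
# application/dns-message body (192.0.2.1 is a documentation address).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)        # QR=1, RD=1, RA=1, NOERROR
    + encode_qname("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url(build_dns_query("example.com")))
    answers = parse_a_answers(SAMPLE_RESPONSE)
    print(answers, "max-age", http_cache_max_age(answers))
```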

      1. Anonymous Coward

        Re: Not one to nitpick but...

        "Remember that the first provider of DoH services is CloudFlare. They could enable DoH on *all* their front IP addresses. In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg)"

        They could just declare that CloudFlare and the like are violating local sovereign laws and tell them to knock it off or get blockaded as a bloc: deal with the moles by burying the entire molehill. And tell any sites that use CloudFlare to consider alternatives tout de suite or face becoming collateral damage in a sovereign struggle.

      2. JohnFen

        Re: Not one to nitpick but...

        "That's called whack-a-mole, and it doesn't work."

        It doesn't work well for sure, but if it's all you got...

        1. onefang

          Re: Not one to nitpick but...

          '"That's called whack-a-mole, and it doesn't work."'

          'It doesn't work well for sure, but if it's all you got...'

          All I have is a hammer, so all problems look like moles.

      3. JohnFen

        Re: Not one to nitpick but...

        "In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg)"

        True, but the way the web has been going over the past five or ten years, I'm not entirely sure that I'll be able to keep using it long-term anyway.

      4. JohnFen

        Re: Not one to nitpick but...

        "But the real reason is because it makes DoH almost impossible to block."

        That's correct, but I suspect that the real reason isn't to protect users at all, but to protect the ability of companies (particularly ad companies like Google) to continue to spy uninterrupted. DoH makes it much more difficult to use a firewall to protect your systems from accessing locations that are used to collect data about you and your systems.

        Removing this layer of protection is the primary reason that I view this as a bad move for everybody who isn't into surveillance.

      5. Charles 9

        Re: Not one to nitpick but...

        "Because HTTP and DNS are different protocols with different payload format. The whole point of a well-known port is that you know in advance which protocol you are supposed to speak, when you open or accept a connection."

        But what if that's EXACTLY what you're trying to avoid because you don't want people to know you're making a DNS connection for fear of it being tracked or at least blocked? A hostile government can attempt to hijack DNS for ill intent unless it can't tell HTTPS and DNS apart because they're simultaneously running on the same channel. How do you deal with such a scenario?

  6. Anonymous Coward

    big question

    So where does Daniel J. Bernstein stand on this? Controversy and DNS, djb can't be far behind.

    1. stiine

      Re: big question

      Funny...

  7. Anonymous Coward

    Who do you trust?

    As a retired and now amateur techie I have been reading what I can since this issue raised its ugly head, and in trying to boil it down to the essentials I think it is about the balance of trust and control.

    - DoH bundles DNS calls into the same ports as encrypted HTTPS traffic and observations by network admins can't see or control what is going on

    - DoT encrypts DNS calls. Admins and indeed anyone else with authority will not see the content of those calls but can see who is making them and track the effect.

    Living in the UK, given a choice I think I would opt for DoT. It would make it more likely that admins can run a reliable network. I have reasonable confidence that any of my web searches or connections to sites that give me information about, for example, the wisdom of Brexit will not result in a visit from the fingernail removal men.

    If I lived in a less stable society and were trying to find information about alternatives to my currently "elected" president/prime minister who wants the job for life I think I would choose DoH.

    It comes down to your point of view.

    An analogy. I read Theodore Rockwell's book about US Admiral Hyman Rickover and his key role in the development of their nuclear submarines. There was a debate over the safety vs maintenance balance regarding possible leakage from the PWR design reactor, with just a removable gasket-sealed cover, which gave better access, or welding the whole thing shut on top. Navy engineers wanted easily removable lids with gaskets. Gasket suppliers emphasised the quality of their product. The general consensus was that removable lids with gaskets were a good idea because the benefits outweighed the risks.

    Rickover asked a different question of those involved.

    "Suppose your son were to serve on this submarine with his life dependent on its safe operation. Would you let his life depend on the continued integrity of the gasket to hold back every droplet of the highly radioactive water? Or would you rather have a weld backing it up, just in case?"

    They all changed their minds and opted for welded up lids.

    Generally, when the benefits to me outweigh the risks to you, I will opt for the most benefits. When both the benefits and the risks apply to me I will tend to minimise the risks.

    I am fairly sure that DoT is the better solution but if pushed I would opt for DoH.

    1. Spazturtle

      Re: Who do you trust?

      "- DoH bundles DNS calls into the same ports as encrypted HTTPS traffic and observations by network admins can't see or control what is going on

      - DoT encrypts DNS calls. Admins and indeed anyone else with authority will not see the content of those calls but can see who is making them and track the effect."

      With DoH not only can they not detect it (other than seeing HTTPS traffic), but they cannot block it without blocking all HTTPS traffic.

      With DoT they can detect it and block it, forcing the user to use unencrypted DNS.

      1. Giovani Tapini

        Re: Who do you trust?

        I don't trust governments, not just oppressive regimes.

        Frankly I am quite sure that regardless of choices of encryptions and protocols the gov'mint can, or will find a way to, eavesdrop on anything I do. Making the internet more complex and (I am with Vixie here) breaking the usefulness of DNS in the name of privacy is not the right approach.

        Advert aggregators will start running DNS services for free so they can get DNS data regardless of encryption; this approach cannot end well. Google don't yet force you to use 8.8.8.8, but if they did they would probably have more visibility on what you are doing than they had before, encryption be damned.

        Complete privacy on the internet, or any other shared resource is unlikely to be manageable or feasible without making the system chaotic. This is not really a good idea IMHO.

        As far as I can see, although a good idea, it is fixing the right problem in the wrong place, and overselling the long-term effectiveness of the change too.

      2. JohnFen

        Re: Who do you trust?

        "they cannot block it without blocking all HTTPS traffic."

        Yes, they can, as long as DoH servers are being run from defined IP addresses. The use of HTTPS does not prevent routers from seeing where traffic is going to and blocking traffic to/from certain destinations.

        1. Charles 9

          Re: Who do you trust?

          Creates a part-and-parcel problem, though. If DoH and HTTPS both use the same port, suppose, say, Cloudflare simply piggybacks DoH on ALL its HTTPS addresses (which includes IPv6 ranges, meaning you can be talking quite a bit of Internet real estate). Then the only practical solution to blocking Cloudflare's DoH is to block Cloudflare, full stop. Only an inward-looking oppressive power (who would be against the likes of Cloudflare in any event) would dare to do that, because anyone else risks collateral damage from blocking a provider as big as Cloudflare.

          1. browntomatoes

            Re: Who do you trust?

            Block cloudflare - or MITM all HTTPS traffic. Which has the side effect that they then MITM all the other traffic they didn’t before.

            I rather suspect therefore that DoT (when you consider the consequences of widespread implementation) is likely to be LESS enabling of privacy invasion in ‘nasty’ regimes. In ‘nice’ regimes it won’t make a difference either way.

            1. JohnFen

              Re: Who do you trust?

              "or MITM all HTTPS traffic"

              After looking at the options for how to deal with DoH on my home network, I've decided that this is the least harmful solution, so this is what I'm going to do.

          2. JohnFen

            Re: Who do you trust?

            "suppose say Cloudflare simply piggybacks DoH on ALL its HTTPS addresses (which includes IPv6 ranges, meaning you can be talking quite a bit of Internet real estate). Then the only practical solution to blocking Cloudflare's DoH is to block Cloudflare, full stop. "

            Yes, if Cloudflare were to do this, you're correct. If they do, then I will seriously consider blocking the entirety of Cloudflare from my own networks, even though the cost would be that I would no longer be able to access a lot of websites, including El Reg.

            1. Anonymous Coward
              Anonymous Coward

              @JohnFen - Re: Who do you trust?

              Seeing your determination I'm guessing you are a firewall admin. Being ready to block vast swathes of Internet is nice but have you thought about asking the business? If I'm not mistaken it's not up to you to decide what your organization's business goals and needs are. Yes, you may bring it to their attention, advise them about the risk, offer to mitigate but you will not make the decision to cut them off just because you don't like DoH. With this attitude you risk being condemned to a long career in small mom and pop shops taking care of their 5 PCs or less.

              Don't hate me, just try to figure out how you would explain to a high ranking executive of a medium to large enterprise why one of the business-critical applications has suddenly stopped working. Oh, and try to convince him the block will stay in place whether he likes it or not.

              1. Anonymous Coward
                Anonymous Coward

                Re: @JohnFen - Who do you trust?

                "Oh, and try to convince him the block will stay in place whether he likes it or not."

                Simple. Because of real-world data leak concerns proscribed by law, we legally cannot remove the block. Or do YOU want to be the one to answer when the G-men come knocking on our door?

    2. DropBear

      Re: Who do you trust?

      As things are today I have precisely zero confidence in anyone down my line, starting where it exits my flat. I trust them to carry my traffic because I have no choice, but with absolutely nothing else beyond that - which is why anything that gives them less data about (and control over) me than something else has to be the automatic winner with me, by default. I do realize their priorities and therefore preferences will likely differ from mine, but that cannot possibly change that my interests lie with removing the maximum amount of control from them over what ideally should be just an amorphous mass of unintelligible bytes with a to/from label.

  8. onefang
    Joke

    I'll just change my DNS server to dns.doh, pronounced DNS DoT DoH. I just have to find out what the IP for that is. Oh wait. DOH!

  9. john.jones.name

    DoH no integrity Mozilla

    Mozilla is going for cheap engineering

    fine have your DNS over HTTPS but it's pretty useless if you don't check the DNS answers

    (that's what DNSSEC does)

    Mozilla have constantly not implemented DNSSEC, there are even public patches to NSS

    believing that you get more integrity from an HTTPS connection and that Man In The Middle HTTPS systems do not exist would be rather foolish

    1. Anonymous Coward
      Anonymous Coward

      Re: DoH no integrity Mozilla

      Erm, Mozilla's push is not about integrity. It's all about confidentiality, son. Not to mention that if you have an MITM in the path to your banking website you're in great danger irrespective of the kind of DNS you're using.

  10. A.P. Veening Silver badge

    DoH vs DoT

    DoH was developed specifically because the engineers couldn't be bothered to start on DoT. There was a need that just wasn't addressed. And now those same engineers are having a hissy fit because their pet system was judged lacking.

    I can see both sides of the argument and from a technical point of view, DoT is better. However, from a security (of the user) point of view, DoH is better. And as far as I am concerned, security trumps technic every single time.

  11. Anonymous Coward
    Anonymous Coward

    "accept [...] is dominated by a small number of big players [..] to improve everyone's privacy"

    Isn't this an oxymoron? How could you trust a small number of big players - which already demonstrated to be against privacy, to protect it?

    Also, they demonstrated already that to protect their huge profitability they are ready to sell citizens to governments - not only in China, but even in countries that should be "democratic". What stops them if you query 8.8.8.8 via DoH to route, once decrypted, all requests to the local Miniluv?

    1. Charles 9

      Re: "accept [...] is dominated by a small number of big players [..] to improve everyone's privacy"

      "What stops them if you query 8.8.8.8 via DoH to route, once decrypted, all requests to the local Miniluv?"

      Because it can't be decrypted until it's IN the actual 8.8.8.8, meaning it shouldn't be going anywhere once there. The only way around that is to either take over 8.8.8.8 itself (can't--out of the country) or obtain the top-secret decryption keys (a state-level espionage operation). At which point, it would be easier to just insert spy chips into all the local machines (enforceable at customs and local manufacturers) and perform outside-the-envelope attacks.

      1. Anonymous Coward
        Anonymous Coward

        Re: "accept [...] is dominated by a small number of big players [..] to improve everyone's privacy"

        Re-read what I wrote - it will be 8.8.8.8 itself (or its nearest CDN alias), probably in-country (it's just a matter of routing tables....) to deliver the content it has decrypted to Miniluv - because otherwise Miniluv will hurt the company profits, and remember, a company "must maximize shareholder value", that's the actual and real First Amendment.

        HTTPS is mostly safe against common criminals - against a determined state, and companies that for one reason or the other - usually profit - collude with them, it is of little protection. Using a CA "forced" to help you, you can also deliver ad-hoc fake certificates, as long as the ISP collaborates as well, not that difficult in many states.

        VPNs using end to end protection are a better choice, but their traffic can be identified, even when not decrypted. Let's see if DoH traffic can be identified as well - and some governments have little issue banning whatever they believe is "dangerous", and it will have the nice side effect of turning people towards local infrastructures that are easier to control - no surprise Baidu and Yandex dominate in their own countries.

        Having only a few DNS services run by huge corporations where profits trump every other ethical decision will only make things worse.

  12. mnot

    Paul didn’t design the internet; that last paragraph is way too broad.

  13. Chris Hills

    Tough

    I am not a proponent of DNS-over-HTTPS, but on the other hand it is just another application that runs using the internet as transport. Users are free to use it if they want to, and it is not for network backbones to pick and choose what to allow. This is sadly why new protocols like SCTP have not been able to gain traction, because a lot of operators just block them. At the end of the day no one person or organization can make the decision for the rest of the internet. Every day I get more and more surprised it still works at all.

    1. Steve Button Silver badge

      Re: Tough

      "Users are free to use it if they want to"

      Wrong. Most users aren't going to notice when Firefox or Chrome automatically start using DoH first (if available) rather than your defined settings, and will only fall back to standard DNS if DoH fails.

      1. Chris Hills

        Re: Tough

        Nobody is forcing you to use Chrome or Firefox, and these are not the only applications that use DNS. You are incorrectly conflating web browsing with the whole internet. I can use whatever device and whatever software I choose so long as it adheres to the internet RFCs.

        1. tekHedd

          Re: Tough

          "Nobody is forcing you to use the municipal water supply, this is not the only source of water. You are incorrectly conflating piped water with the entire food supply ecosystem. I can drink whatever liquid from whatever vendor I choose, so long as it is purchased legally."

          Yeah, but when I need to boil some eggs, I go to the sink and turn on the tap.

          1. Charles 9

            Re: Tough

            You could always use bottled water or a well...

      2. Chronos

        Re: Tough

        Most users aren't going to notice when Firefox or Chrome automatically start using DoH first (if available) rather than your defined settings, and will only fall back to standard DNS if DoH fails.

        Already happening in Fx; see network.trr.* in about:config.

        What we really need is some opportunistic crypto that doesn't attempt to identify the endpoints. For a start, it'll make encrypting SNI so much easier. Once you have your secure channel, then do verification and close if it fails. You've only signalled your intended destination to one host rather than lit a huge neon sign for any old nosy bugger to slurp.

        Making Google, Cloudflare or Quad9 your one-stop shop for DNS really isn't protecting anyone's privacy, a problem which exists in both implementations.

        Disclaimer: Stubby user, so I'm probably biased against DoH, not that I can't see DoT is riddled with exactly the same issues.
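The network.trr.* preferences mentioned above are what decide whether a Firefox profile tries DoH before the OS resolver. As an added example (not code from any commenter, and not Mozilla's), here is a small audit script that parses a profile's prefs.js and reports the TRR mode and resolver URI; the sample prefs.js content and the doh.example.invalid URI are constructed for illustration.

```python
# Added example: audit a Firefox prefs.js for network.trr.* settings so an
# admin can see whether a profile bypasses the OS-configured resolver.
import re

# Meaning of the network.trr.mode values Mozilla documents (others: unknown).
TRR_MODES = {
    0: "off (default: native resolver only)",
    2: "DoH first, fall back to native resolver on failure",
    3: "DoH only, no native fallback",
    5: "off by explicit choice",
}

# prefs.js lines look like: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref("name", value); lines into a dict of name -> value."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean pref
        else:
            try:
                prefs[name] = int(raw)       # integer pref
            except ValueError:
                prefs[name] = raw            # leave anything odd as text
    return prefs


def trr_status(prefs: dict) -> dict:
    """Summarise DoH (TRR) settings: mode, its meaning, resolver URI, and
    whether the profile sends queries past the OS-configured resolver."""
    mode = prefs.get("network.trr.mode", 0)
    if not isinstance(mode, int):
        mode = 0  # malformed value; Firefox treats unknown modes as off
    uri = prefs.get("network.trr.uri") or prefs.get("network.trr.custom_uri")
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown"),
        "uri": uri,
        "bypasses_os_resolver": mode in (2, 3),
    }


# Constructed sample: a profile that has been switched to DoH-first.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
user_pref("network.trr.bootstrapAddr", "192.0.2.1");
'''

if __name__ == "__main__":
    for key, value in trr_status(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{key}: {value}")
```

Point it at a real profile's prefs.js (read the file into the `text` argument) to check whether a managed machine is quietly resolving names outside the resolver your network hands out.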

        1. Charles 9

          Re: Tough

          "What we really need is some opportunistic crypto that doesn't attempt to identify the endpoints."

          You MUST identify the endpoints...otherwise, you CAN'T tell if it's Bob...or Mallory. No context = no means to authenticate, end of.

  14. IanRS
    Stop

    Too early to argue

    The Vi or Emacs debate needs to be settled first!

    1. John Robson Silver badge

      Re: Too early to argue

      Easy - A butterfly...

  15. David Nash Silver badge

    It seems there are two changes and the original article didn't emphasise enough the thing about browsers.

    As several comments here pointed out, HTTPS is just another way to get to a DNS server, and as several others have pointed out, this has certain advantages from a user security point of view.

    However why would the DNS server choice be part of such a standard? Currently browsers make calls to the OS or standard network libraries to resolve names, which will use configured addresses, whether they were static or obtained via DHCP. The same should apply to DOH, the change should be at the OS level, nothing to do with the browser.

    1. Charles 9

      DOH uses HTTPS for its base. Guess what protocol is supported in the browser and usually NOT in an OS network stack? And without HTTPS as an obfuscator, how can you get network requests through without a distinct risk of it being sniffed and/or altered by an oppressive power?

    2. stiine Silver badge

      And that's exactly why I configure the DNS settings in firefox to be disabled.

  16. gnarlymarley
    WTF?

    third parties?

    DoH or DNS-over-HTTPS is a way of encrypting DNS traffic to make it hard for third parties to see where people are coming from and where they are going to online.

    Just who are we kidding? The DNS provider will be able to log it on their side after it is unencrypted. This means that a "third party" will see what and where you go. Anyone that hacks in will see where you go.

    I will call this DNS encrypted farce what it is, security through obscurity.

    1. Charles 9

      Re: third parties?

      And any oppressive power can just hack YOU (usually through pre-established channels enforced at manufacture/import) and perform outside-the-envelope attacks (that work PAST any obfuscation), in which case you're probably already screwed with no way to cover it up.

  17. nagyeger
    Flame

    kid control / smut filtering

    As a parent of teenagers and younger, it's quite handy knowing that my kids are not going to be able to do some involuntary bitcoin mining for nasty.smut.site without going to extreme measures, nor stumble on disturbing rubbish. Blocking DNS except via trusted (blacklisting) servers does that for me, has done that for me, and I hope will keep doing that for me.

    Except that firefox has now published a 4 step process to break that entire model.

    Given that practically everything uses SNI and so sends the destination host out as plain text these days, the 'poor guy in china' security red-herring is just that, unless he's also using a VPN. In which case, why are we having this conversation?

    To my mind this is at least 95% about ensuring that the smut industry can deliver their filth. I really cannot see any other party that benefits from it.

    1. Charles 9

      Re: kid control / smut filtering

      "Blocking DNS except via trusted (blacklisting) servers does that for me, has done that for me, and I hope will keep doing that for me."

      This presents a dual-use problem. If you can control your kids' Internet, then Big Brother can control YOUR Internet. The only way around that means your kids can get around your controls and pwn your LAN.

      Leaving you three choices: submit to Big Brother's Stateful Internet, accept the anarchy of an Anonymous Internet, or throw up your hands and go, "Stop the Internet! I wanna get off!"?

    2. JohnFen

      Re: kid control / smut filtering

      "I really cannot see any other party that benefits from it."

      Advertisers and other parties who are interested in being able to track you benefit from this.

    3. Anonymous Coward
      Anonymous Coward

      Re: kid control / smut filtering

      Surely blocking DNS only works if they don't know or cannot obtain IP addresses and set them up in the hosts file? Isn't that the issue with DNS filtering?

      NB Never underestimate the ingenuity of a teenage boy in heat.

      1. JohnFen

        Re: kid control / smut filtering

        "Surely blocking DNS only works if they don't know or cannot obtain IP addresses and set them up in the hosts file?"

        Not so much. If you know the IP addresses of interest and you can be sure they never change, then blocking the IP address is preferable.

        However, if and when the IP address that a domain name resolves to changes, your protection goes away. That's why you want to block by domain name -- so that such changes don't remove your block.

  18. Anonymous Coward
    Anonymous Coward

    The argument to simple to me

    DoH means the dev of every piece of software gets to decide what servers they're going to use for resolution, they don't care what the end user wants to use, the choice is hard coded in the app.

    You don't need any other reason to reject DoH as a secure idea for DNS.

    1. Claptrap314 Silver badge

      Re: The argument to simple to me

      Except that the mere existence of DoH servers anywhere on the net means this. In fact, there is nothing stopping an application from implementing DNS over Telnet or any other port they want. When you are running an app, you are trusting the app to do anything it is allowed to do.

      If you are already paranoid, this is not going to help things. Sorry.

      1. Anonymous Coward
        Anonymous Coward

        Re: The argument to simple to me

        Your claptrap argument is as broken as DoH.

      2. rfrovarp

        Re: The argument to simple to me

        Yeah, it seems that if you are relying on attackers doing stupid stuff over DNS, you aren't covered. Granted many attackers are going to do the easy thing, and do it over normal DNS. But even without this standard, there was nothing preventing them from doing DNS type things over any protocol or port.

        1. Charles 9

          Re: The argument to simple to me

          Except straight-up DNS is a UDP protocol, while most Internet protocols with which people are familiar (including HTTP) are TCP-based, and their basic function is too different to be all that interchangeable, meaning it's not as simple as you make it out.

          1. Claptrap314 Silver badge

            Re: The argument to simple to me

            I'm pretty sure that DNS over some other protocol is NOT straight-up DNS.

      3. JohnFen

        Re: The argument to simple to me

        "In fact, there is nothing stopping an application from implementing DNS over Telnet or any other port they want. "

        Sure there is -- firewall rules.

        1. Charles 9

          Re: The argument to simple to me

          Piggyback your DNS over the basic traffic needed for the app to run. Block it, block the app, you have a paperweight. Indeed, what was stopping apps from eschewing DNS and keeping an internal IP list like Windows 10 does? Firewall-proof!

          1. JohnFen

            Re: The argument to simple to me

            Applications could certainly do this sort of thing, but it's pretty close to the behavior of malware. I would immediately blackball any application that I discovered or learned was engaging in this behavior.

            Generally, though, the only protection you have against this sort of thing is what you've always had: being very, very careful about running applications generally, and particularly applications that talk over a network. This sort of issue is one of the reasons why I avoid running any network-connected software that I don't have access to the source code for when at all possible.

            1. Charles 9

              Re: The argument to simple to me

              "I would immediately blackball any application that I discovered or learned was engaging in this behavior."

              Even if you discover it's a or the linchpin to your entire operation? More often than not, that's the case for many people, meaning going without is an existential risk, meaning it's either submit to Big Brother or curl up somewhere and die.

        2. Claptrap314 Silver badge

          Re: The argument to simple to me

          Apparently, I'm being slow here. Suppose I want to run DNS over port 3306 on some server out there, known as sneakydomain.com. Regular DNS resolves sneakydomain.com. You blocking that? Then I contact sneakydomain.com on port 3306, which is already being used for MySQL activity. What firewall rule blocks "SELECT * FROM DNSTABLE WHERE NAME = 'HOSTIWANTTOGETTO.COM' ;" ?

          I understand that network operators are going to be pulling their hair out over this sort of thing. I understand that malware operators (especially Big Social) are going to start abusing it. But this is going to take a lot more than the work that OpenRelay is doing to manage. Blacklisting is whackamole. Whitelisting is a netsplit of the entire Internet.

          Like all technologies, this can be used for good or ill. What I am trying to say is that it is technically unstoppable. Not a good day.

          1. Charles 9

            Re: The argument to simple to me

            How do you know how to contact sneakydomain.com for your DNS request if you need a DNS request to find out what IP address sneakydomain.com resolves to in the first place? Thus why DNS lists are always numbers. I've already mentioned Microsoft defeats DNS-based firewalling with a hardcoded IP list for its telemetry stuff (and IIRC the IPs also match those for the update system meaning blocking telemetry also blocks security updates--submit or be pwned). Plus, as someone already mentioned, it's possible for a rogue state-level router to perform IP-based rogue routing (making 8.8.8.8, for example, go where they want it to go instead of Google).

            Basically, if you're that paranoid, then the Internet is already screwed for you. In fact, ANY form of technology is probably already screwed for you if you live in that kind of world. After all, what's to stop them enforcing their regime at both local manufacturers AND at customs?

            1. Claptrap314 Silver badge

              Re: The argument to simple to me

              I'm pretty sure now that you're completely missing something.

              I've got an app. That app's job involves communication over the internet. On a port. To a server. I don't care what port is being used, if I control that server, I can run DNS over the connection to that port.

              And if you don't allow my app to connect to my server to ensure license compliance, it won't run.

          2. JohnFen

            Re: The argument to simple to me

            "Suppose I want to run DNS over port 3306 on some server out there, known as sneakydomain.com. Regular DNS resolves sneakydomain.com. You blocking that?"

            Am I blocking port 3306? Absolutely yes. I block all ports, both incoming and outgoing, by default and only enable specific ones as needed (and even then, only in the most restricted way I can while allowing the desired operation to take place).

  19. mark l 2 Silver badge

    I think whether it is DOH or DOT oppressive regimes are still going to find ways to monitor the web traffic of its citizens.

    DOH will make it more difficult, but they will probably look at hard coding compromised DOH DNS servers into some apps/browsers and collecting the data that way.

  20. Trixr
    Headmaster

    "Administrated" is not a word

    There is, however, this really obscure word that will work pretty well in the context.

    The internet ... is increasingly being ADMINISTERED by a small number of very large companies.

    There you go.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Administrated" is not a word

      Care to prove that? Because last I checked, there ARE words "magister" and "magistrate" (both nouns) as well as "orient" and "orientate" (both verbs).

    2. diodesign (Written by Reg staff) Silver badge

      Re: Trixr

      Tsk - why leave a comment right at the end of the thread when you could have dropped us an email and had it fixed immediately? Only just seen your comment by random chance.

      Email corrections@theregister.co.uk if you see anything wrong.

      C.
