DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

Re: NIMBY

> but should use a default provided by the platform/OS

Yep, and there are solutions in the wild that allow you to do that with DoH already. For Android there's Intra (created by Google's sister company - Intra).

For desktop OS's there're stubs that accept UDP 53 and DoH it for you. Personally I like this one - https://github.com/m13253/dns-over-https - but there are things like cloudflared too.

Personally I'd never use Cloudflare's DoH service, and am similarly cagey about Google's, so I set up my own (I've linked to the docs a few times, so won't do it again here as I don't want to spam the comments :) ).

It means I've got the privacy benefits of DoH but backed by Pi-Hole filtering. That's win-win in my book.

Re: NIMBY

"At least as long as applications and platforms give users a genuinely free choice about which DNS supplier they want to use."

And there will be plenty (mostly ad-related) that won't do this.

Re: NIMBY

Aleternate take on the alternate take:

New legislation passes, all DoH providers move to France or elsewhere, out of the UK's reach. Since DoH tunnels through HTTP/S, how's the legislation going to be able to tell the difference (one of the key aspects of DoH, as any dedicated port can otherwise be hijacked wholesale by an ISP or anyone else upstream)?

Re: NIMBY

> but with new legislation requiring that the servers be hosted in the UK

I think a case can be made that DoH server providers satisfy the communication service provider criteria of the existing UK legislation.

Obviously, if they are located in the UK then it becomes easier for UK agencies to gain warrant-less access.

Re: NIMBY

Less and less. Google have been actively working against TLS interception for the past few years. Android defaults to ignoring user-supplied certificates, and the end user / device owner can't change that (without rooting the device).

Re: NIMBY

"What I don't like is it bypassing my local DNS server."

This is my entire problem with DoH, really. If it were possible to ensure that my own DoH resolver is always used, then I could live with everything else. But, by design, it is impossible to ensure that my own DoH resolver is always used.

Re: This has nothing to do with filters or illegal content..

Indeed there are benefits in the form of additional revenues, but the topic is being driven by concerns within Government which has the advantage of both existing and potential new primary and statute legislation as and when required.

Re: This has nothing to do with filters or illegal content..

... where 'anonymized' may or may not be true depending on:

(1) how well they understand and do anonymization

(2) who shows up with a secret warrant, court order, or friendly request

(3) who shows up with an envelope of cash for the custodian of the pre-anonymized data

(4) what resources an attacker can bring to bear for various high resource high/wide network access attacks

Re: Mozilla are only partly right

The problem is more complex than that though.

As a society we accepted the introduction of CleanFeed on the basis (as you say) that stopping paedophiles from finding things online is good.

However, Cleanfeed has long since stopped being *just* about that content. Because the infra was there and capable of doing so, the ISPs were ordered to use it to block Newzbin2 (a torrent site).

At that point, Cleanfeed's effectiveness was doomed because there was now an "acceptable" reason to be discussing how to circumvent it - prior to that decision those discussions could only happen if you were interested in looking for something very, very illegal.

It's not like it's stopped there either, we're now in a position where the Govt wants providers to track who watches what adult content, and with the threat of using that same infra to block sites that fail to comply with the requirements. Their aspirations don't end there either, have a search around and you'll see plans to bring in age verification for all kinds of things.

I agree that blocking the sites on the IWF's watchlist (when they don't screw it up, anyway) is a good thing. But it is the government, and industry who've moved us into the position we're in now.

Now, you've mentioned surveys to bolster your argument. In most surveys, most Brits didn't know about the impending (now delayed) porn block. Think they'll still support censorship when they're being asked to proof of identity before watching their chosen fetish? What about when a future Govt decides that dwarves are immoral and blocks any sites carrying them?

What about the Govt's self-confessed position that the porn-block may push users onto the darknet where they may be exposed to things that are much more extreme? (and yes, that includes CP).

The IWF wants this positioned as a fight against paedophiles, but it's not that simplistic, and not by a very, very long stretch. 15 years ago, it would have been, but the courts and the Govt have perverted the underlying system and it was a given that at somepoint their tower of cards was going to come crashing down.

Just one final point:

> paedophiles should not be able to trade images online, and is happy for Cleanfeed to exist.)

You do understand that Cleanfeed does precisely nothing to prevent this, and isn't even intended to do so right?

Cleanfeed exists to stop people accidentally stumbling onto this type of content. The aim being to prevent someone who's not yet into child porn (or marginally so), stumbling upon it and then exploring looking for more.

Those who are actively seeking it out already know about Cleanfeed, as well as the risks if they're caught and so take measures to bypass it. It was *always* understood that this would be the case.

I mention this primarily because the protection of Cleanfeed isn't nearly what you're trying to portray it as. Pictures still get circulated (unfortunately) Cleanfeed just helps keep it from the sight of the general population.

Re: Mozilla are only partly right

The problem with 'Cleanfeed' is the lack of transparency and the on-going urge for governments to feature-creep it beyond the original goal of stopping kiddy pornography (which AFIK is illegal in practically every country). First it was KP, then it was file-sharing, next it will be legal pr0n sites that don't follow the privacy-invading rules that the gov has proposed in response to red-top "readers". What next?

It would be very simple to allow, and indeed encourage, the KP filtering aspect of cleanfeed/IWF to be supported by any of the participants in the DoH system, but sadly it seems the lack of transparency and restrictions on access will get in that way.

But going back to basics, web browser DoH is a horrible kludge and a sad reminder that for many "internet access" is synonymous with web site, and ignoring ssh, pop/imap email, etc, etc. Really there ought to be a service in your router that translates UDP 53 requests to a secure query of the overall DNS system to avoid ISP-specific hacking about.

Oh well, there is always a VPN for that...

Re: Mozilla are only partly right

The issue is the old "slippery slope" though. Cleanfeed is a great idea for blocking child porn. But it isn't just used for that any more.

We have a system that is in place that is just begging to be abused by those who like to control the citizens more and more. Big brother and all that.

What happens when we get someone more autocratic in power who decides to label Extinction Rebellion as eco-terrorists and ban their content from the net? Or ban an opposition politician's speeches? All entirely possible via the laws in place for our current filtering setup. We've built the infrastructure for it already.

Re: Mozilla are only partly right

Cleanfeed is an acceptable trade-off between your right to have unfettered access to information and children's rights not to have pictures of their being raped handed around the Internet. Society, through the standard method of voting for things, agrees.

And yet multiple governments have totally failed to get Cleanfeed through Parliament. It's not even mandatory for ISPs to implement, let alone for customers to use; and the lack of transparency from its provider is the clearest indication one could possibly ask for that it doesn't do what you seem to think it does.

Re: Mozilla are only partly right

With the ease of getting VPN's, these ISP blocks are worse than useless. Worse, because they can no longer track someone who does look at illegal sick shit.

But that aside, anything that relies on DNS lookups to block sites is unbelievably weak, it deserves to be broken.

How is it an issue, anyway? Talk-Talk blocks sites by site accessed (DPI on the Host: header)

That at least slighty works. If they have to block, other ISPs should do similar..

Still, with things like eSNI and https everywhere, the government needs to realise that sooner or later they'll have to revert to the traditional way of catching perps.... No more police cuts to finance their vanity projects.

Re: Mozilla are only partly right

"...an acceptable trade-off between your right to do what you want and my right for you not to have a dangerous weapon."

Your *right* for *me* not to have something? Who the hell made you the arbiter of my possessions? And fyi, it's still perfectly legal for law-abiding citizens to own firearms in this country, with the appropriate certificates. And every kitchen has knives, whether *you* like it or not.

Re: Mozilla are only partly right

Stopping people accessing kiddie porn is nothing like stopping people from accessing guns. Kiddie porn is illegal in the UK; owning a gun isn't. I own several. The purpose of the firearms licensing regime is to ensure that only people who have been background checked, completed an appropriate course in safety/skills, have a legitimate reason to own a gun and are mentally suitable to hold that responsibility can do so. It also ensures traceability of weapons if it is suspected a crime has been committed. With these checks in place, I believe owning a gun is no more dangerous than being allowed to drive a car. Both can cause serious injury or death if used improperly or inappropriately. Gun owners are some of he most law abiding people I know as things like dangerous/careless driving, drink driving and multiple speeding convictions or anything that gives the impression you don't have respect for the law are likely to result in the loss of your firearms certificate; If you don't drive responsibly with regard to the effects of your behavior on others' safety, you can't be trusted to handle a gun responsibly and are unsuitable.

When I moved house, I only had a choice of one ISP that wasn't horrifically slow due to local cabling issues. They aren't particularly good. I have changed the resolver settings in my router away from my ISPs DNS. I didn't do this because I wanted to access illegal or unlawful content but because my ISP's DNS was crap (excessive latency and random failures plus they ignore the DNS TTL value which was a real pain in the arse when I was doing a server migration for one of the services I run and turned the TTL down to 15 minutes before changeover but they decided to return the old DNS record for 2 weeks anyway.)

I have a problem with the lack of transparency of the Cleanfeed system. It's run by the IWF as a closed system with, as far as I know, no independent oversight and it's a violation of the service agreement to open the blocklist and look at what's inside. The standard implementation I am aware of is to redirect blocked requests to a cache that doesn't return content so the user sees a timeout rather than knowing their request was blocked. I would be much more in favour of a system that returned a page stating the content was blocked. In my view, this would give an important safeguard against abuse of the list to block content that the IWF just doesn't like, such as articles critical of the IWF or content they don't agree with politically as it would make the blocking visible. I wouldn't shed any tears if someone leaked a copy of the list to a foreign security researcher who could do an independent audit of it to find out to what extent it may be being abused. I view whether I trust the current government as irrelevant. I have no idea who may be elected in 5 or 50 years so I don't know if they will be able to be trusted. This system mission creep is, in my view, ripe for abuse and has handed every future government an instrument of control if they're bad.

As is stated by others, I also believe that this system does nothing to stop those really intent on acquiring illegal content. Instructions on how to bypass it are almost certainly being circulated by these people as we speak.

Posted AC because part of responsible gun ownership is to not let it be widely known guns may be in my home which might encourage criminals to break in and try to steal them.

Re: Mozilla are only partly right

Cleanfeed is 100% irrelevant due to the existence of Tor and VPNs. Its only purpose is to allow the witless dullards in government to point to it and say "Look! Look! We're doing something!" If they were really serious about doing curtailing pedos, they would regulate Tor and VPNs.

Re: Mozilla are only partly right

We think that curtailing people's freedom to buy guns in the UK is an acceptable trade-off between your right to do what you want and my right for you not to have a dangerous weapon.

Unfortunately you have no such right. People can still routinely access shotguns, bladed weapons, clubs, etc etc With MMA or steroids they can make themselves the weapon. I'm genuinely puzzled why you think you might have such a right and why you might think you would want same.

Re: Mozilla are only partly right

Multi-hosting filtered via SNI means the illegal server can be hidden among legitimate ones, and just entering the IP won't work (it'll go to the default server instead).

Re: Mozilla are only partly right

What about the points BETWEEN you and your private DNS server? What's to stop them altering it midflight? Or, failing that, just blocking the traffic wholesale if it doesn't decrypt with the ISP's certificate? That's what DoH is designed to prevent while still being accessible to Facebook Pharkas.

What happens if the SNI is encrypted? Or will they ban TLS 1.3?

An organization that cares about DoH usage inside its network probably also has either HBSS or break-and-inspect; even without such measures, both Firefox and Chrome should use whatever DoH server the GPOs tell them to use.

Yep

The moment I heard about this I knew they were really missed because it will curtail their ability to sell data on their users if people's DNS queries are hidden from their view.

I'm surprised they didn't come out against browser plans to do 'HTTPS everywhere' since that's even worse for them. Or maybe they did and I missed it?

They do indeed have prior Phorm.

"Google doesn't bother me so much as it's "just ad business"

Do you believe that giving a corporation so much power about people's data is less dangerous? You are really naive, especially since it takes very little for a corporation with such power to get involved in political machinations and social engineering to increase its power and profits. And it could be far more opaque and less accountable.

Virgin. I'm with you on that, if this doesn't unblock sites then we are back to real issue they have which is snooping.

I've tried bypassing it before, it resolves the IP address but then blocks it.

For reference and if others wish to try,

Firefox > about:config

network.trr.mode set to 2

then network.trr.url set to one of the one's on this, https://github.com/curl/curl/wiki/DNS-over-HTTPS

Default option is https://cloudflare-dns.com/dns-query

Still no dice with EncryptedSNI on Virgin with DoH enabled.

(At least for VIrgin Media who I have checked, I assume other ISPs do the same as they use the same feeds...)

Yes, they do these days.

Time was that changing your DNS from BT's internal DNS to a third party provider (Google/OpenDNS) would get you back on TPB. Not these days. I assume when it got a point where they couldn't credibly argue that their "block" was even remotely effective they had to go from simply poisoning their DNS servers to actively inspecting headers/IPs and blocking traffic.

Re: Can someone explain:

I wonder if ISPs will be forced to go full encrypted proxy as a counter...

Re: Cognitive Conflict

I nominate ISPA for discouraging DNS security.

I don't believe they're required to effectively block politically unpopular sites. Because that would be impossible. They're just required to implement the approved scheme that claims, falsely, to do that. Which, of course, as is the nature of such things, works only for certain chosen circumstances.

Re: or with Corbyn should the worst come to the worst.

That fact you can look at bojo and cunt and then say that Corbyn is the worst outcome is telling.

Only one of those three is looking at Brexit as a chance to make things better for the plebs. Two of them are in it for the profit it'll make them and their mates.

So it's the idea of someone thinking of the proles that's so distressing?

Re: "they can't cache static content"

Not really, it's just that the model has changed. Nowadays, the ISPs partner with various CDNs to host delivery appliances on-net so that anything served by those CDN's doesn't hit their peering bandwidth (well, origin fetches aside). Because the CDNs are, to the end user, the origin of the content they terminate SSL.

Those are also impacted by VPNs

Re: Missing the point

The existence of DoH means that I now have to engage in MITM attacks on my own HTTPS connections in order to maintain security. How can I set up my system so that is no longer required?

===

Get a good VPN and use the VPN provider's DNS.

Re: El Reg, I love you

I assume you are a Sys Admin and not just stalking your former partners. It's still wrong.

A man in the middle attack is an attack. If you don't trust the people using your computers then do what my former employer did, put a CCTV camera facing every internet accessible computer. They had an excuse, what is yours?

For other people worried here by MITM attacks, Steve Gibson has a tool.

https://www.grc.com/fingerprints.htm