Rolling in DoH: Chrome 78 to experiment with DNS-over-HTTPS – hot on the heels of Firefox

Only days after Mozilla said it plans to make DNS-over-HTTPS (DoH) available by default gradually for Firefox users in the US, Google announced its intention to test DoH in Chrome 78, due for beta release in the next two weeks. DoH wraps domain-name queries in a secure, encrypted HTTPS connection to a DNS server, rather than …

  1. Blockchain commentard

    Let's hope Google honours the hosts file in all this. After all, I don't want to have a secure HTTP if my insecure, plain text ad-blocking hosts file gets ignored (for my safety obviously).

    1. Richard Boyce

      They'd be crazy to bypass the hosts file, so I think we can assume they won't.

      1. Anonymous Coward
        Anonymous Coward

        They WILL bypass the hosts file

        The whole point of DoH is that an application uses it INSTEAD of the system's resolver configuration. If you have DoH enabled on Firefox it will bypass your hosts file as well.

        Of course Google has an evil reason for wanting DoH - this way they can bypass any controls on content that exist in the environment that might serve to block ads. Well, they would if it was more than 1% of people who use such methods to block ads, but this lets them control the whole experience instead of letting a router get in the way via DNS lookups. Honestly, if you care about privacy or your browsing experience you're an idiot if you use Chrome.
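The point made above, that an application-level DoH client builds its own HTTPS request and never looks at the OS hosts file, can be shown concretely. The following is an added example, not code from the article or from any browser; it assumes a constructed hosts file, a hypothetical resolver URL `https://doh.resolver.example/dns-query`, and builds the RFC 8484 `?dns=` GET form of a query so that the two resolution paths can be compared side by side for the same names.

```python
import base64
import struct

# Constructed hosts file, standing in for the OS hosts file that the
# system resolver consults before anything goes on the wire.
HOSTS_TEXT = """
127.0.0.1   localhost
0.0.0.0     ads.example          # constructed ad-blocking entry
0.0.0.0     tracker.example      # constructed ad-blocking entry
192.0.2.10  intranet.corp.local  # constructed internal host
"""

# Hypothetical DoH endpoint (RFC 8484 path); not any particular vendor's.
DOH_URL = "https://doh.resolver.example/dns-query"


def build_dns_query(name, qtype=1, qclass=1):
    """DNS wire-format query (RFC 1035) with ID 0 and RD set, the form
    RFC 8484 recommends so that DoH responses are cache-friendly."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def doh_query_param(name):
    """Unpadded base64url of the query, as carried in the ?dns= GET parameter."""
    raw = base64.urlsafe_b64encode(build_dns_query(name))
    return raw.rstrip(b"=").decode("ascii")


def doh_get_url(resolver_url, name):
    return "%s?dns=%s" % (resolver_url, doh_query_param(name))


def parse_hosts(text):
    """Minimal hosts-file parser: comments stripped, first match wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            table.setdefault(n.lower(), ip)
    return table


def os_resolver_path(name, hosts):
    """System resolver: answer from the hosts file, else ask the configured DNS server."""
    ip = hosts.get(name.lower())
    return ("hosts", ip) if ip else ("system-dns", None)


def doh_resolver_path(name, resolver_url):
    """Application DoH client: always an HTTPS request to the remote resolver,
    with no hosts-file step at all."""
    return ("doh", doh_get_url(resolver_url, name))


def divergent_names(names, hosts_text, resolver_url):
    """Names the OS path would answer (or sinkhole) locally but that the
    DoH path would still send to the remote resolver."""
    hosts = parse_hosts(hosts_text)
    out = []
    for n in names:
        source, _ = os_resolver_path(n, hosts)
        if source == "hosts" and doh_resolver_path(n, resolver_url)[0] == "doh":
            out.append(n)
    return out


if __name__ == "__main__":
    names = ["ads.example", "intranet.corp.local", "www.example.com"]
    hosts = parse_hosts(HOSTS_TEXT)
    for n in names:
        print(n, os_resolver_path(n, hosts), doh_resolver_path(n, DOH_URL))
    print("answered locally by the OS but sent out by DoH:",
          divergent_names(names, HOSTS_TEXT, DOH_URL))
```

The encoded query for `www.example.com` matches the worked example in RFC 8484, which is a handy check that the wire format is right. The divergence list is what an administrator would want to review before a DoH-enabled browser is rolled out: every sinkholed ad domain and every internal name that only exists in hosts or on the local DNS server lands in it.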

        1. GnuTzu

          Re: They WILL bypass the hosts file

          "...this way they can bypass any controls on content that exist in the environment that might serve to block ads."

Any? I can think of a counter-example: a proxy using a service that categorizes destination FQDNs that are ad services and blocks them accordingly, which I assure you does exist.

Yes, there are places that block ad services per security policy as a potential source of malware. Because what responsibility do ad services have to ensure that the ads their many customers feed them are free from malware?

          The thing I'm wondering about is how this affects ad-blocking plugins.

    2. GnuTzu

      Hosts File -- Resolver -- How The Hell???

      This is not a pretty picture. They are going to bypass the O.S. resolver, which is what includes the hosts file, which then means that to include the hosts file... Well what? Are they going to check the resolver and their own mechanism and compare them? Do resolvers say when they get an IP address from the hosts file? Do these browsers expect to get read-only access to a host file, on a hardened system? Or, are they going to flip a coin between the resolver and their own mechanism? Um, they need to make this a little more clear.

      I was pretty sure I updated my knowledge on this last week--because I needed to be sure I was interpreting my diagnostic indicators correctly--in one of those workplace support situations where arguments go askew if you haven't got your facts nailed down. They are definitely going to need to have a carefully written support page explaining exactly how they deal with the hosts file--written in multiple layers for all levels of expertise.

      Seriously! In an enterprise environment if we can't support these browsers--according to organizational policy, the big wigs are going to take them away. Whaaaaaa!!!!!

    3. TheVogon

      Good point. This should be done at the OS level not the browser level.

      Any Linux gurus want to describe how to implement this on DD-WRT and Open WRT so every device in my house uses it?

      Not that I'm a terrorist or a reader of alt.sex.hamsters.duct-tape but its the principle of the government forcing ISPs to record everything we browse...

      1. Alister
        Childcatcher

        alt.sex.hamsters.duct-tape

        You filthy pervert, you should be locked away.

        1. stiine Silver badge

          Re: alt.sex.hamsters.duct-tape

          That one's still around?

          What about alt.sex.with.dogs ?

          Or comp.languages.cobol ?

          Ahh, memories.

      2. I ain't Spartacus Gold badge
        FAIL

        TheVogon,

        You use masking tape on hamsters you idiot! Duct tape is best used on sheep.

        Or so I've heard...

  2. GnuTzu

    Just How Trustworthy is Cloudflare

    "Google is thus avoiding one of the concerns raised by Mozilla's approach, forcing Firefox users to change their chosen DNS provider for Cloudflare."

    Funny, Google will honor Quad9, which promises privacy, but Firefox forces Cloudflare. Did I get that right?

    How do we know Cloudflare will never turn evil? Do they have a statement like Quad9's? Which of us is going to take the plunge, and dig into their privacy statement?

    (Also, there are enterprise concerns here, if anyone dares to dive into that can of worms.)

    1. Anonymous Coward
      Anonymous Coward

      Re: Just How Trustworthy is Cloudflare

      I thought Cloudflare was Firefox's default, but you could set your own?

Regardless, if Cloudflare "turns evil" no doubt Firefox would switch their default. At least Firefox is starting out non-evil in their DoH implementation (other than the fact it will be on by default). If you use Chrome you've already bought in "evil" hook, line and sinker, and what DoH resolver you use makes as much difference as the colour of shirt you wear in Hell.

      1. JohnFen

        Re: Just How Trustworthy is Cloudflare

        "if Cloudflare "turns evil" no doubt Firefox would switch their default"

        I'm not so sure about that, to be honest.

        "Firefox is starting out non-evil in their DoH implementation"

In my view, DoH itself is, while not exactly evil, a blow to security and privacy regardless of how it's implemented in Firefox.

        1. Anonymous Coward
          Thumb Down

          Re: Just How Trustworthy is Cloudflare

          It is only a (theoretical) blow to security/privacy for technically competent users, like El Reg readers. And such users are smart enough to flip the configuration switch to 'off'.

          For the average person who doesn't know DNS DoH from Homer Simpson's D'oh, who uses a store bought router that never has a security update and takes the default ISP setting for DNS servers, it is a win. If someone hacks their router or their PC it won't have any effect on their DNS lookups from Firefox. They can't create a banking website "clone" of their real one to fool them, steal their Gmail password and often correctly guess that the same email/password combo is used at many other places, etc.

          It is a HUGE WIN for the privacy and security of the 98% of internet users who don't understand any of this stuff we are debating!

          1. Steve Graham

            Re: Just How Trustworthy is Cloudflare

            It would be a "HUGE WIN" if DNS hijacking happened much. Which it doesn't.

            1. tuppence

              Re: Just How Trustworthy is Cloudflare

              you're not a Virgin customer then?

            2. TheVogon

              Re: Just How Trustworthy is Cloudflare

              Yes it does. Numerous Trojans and adware hijack DNS settings for instance.

          2. JohnFen

            Re: Just How Trustworthy is Cloudflare

            "It is only a (theoretical) blow to security/privacy for technically competent users"

            I disagree. DoH opens a hole that allows software to be able to phone home without the users being able to detect or control that. That's why it's forced me to MITM all HTTPS connections in my home network, so I can manage DNS.

            "And such users are smart enough to flip the configuration switch to 'off'."

            That doesn't solve the problem, because the problem is that DoH is effectively a standard. How any particular piece of software uses it, or the controls that software provides, is not relevant to the problem.

            But this is all academic at this point. The damage is done.

            1. Anonymous Coward
              Anonymous Coward

              Re: Just How Trustworthy is Cloudflare

              Before DoH was a standard applications could manage their own DNS in whatever way they see fit, from hardcoded IP/hostname mappings in the app to sending out DNS requests on non standard ports to rolling their own version of "DoH".

              How does DoH being a standard make it any worse? Evil apps are gonna evil. IMHO the risk of MITMing your connections is much higher than the risk of DoH. If a hacker gets access to your MITM device all your most sensitive data is exposed.

              1. stiine Silver badge

                Re: Just How Trustworthy is Cloudflare

                Yes, and just because Microsoft did that for their root CA check on their domain controllers starting with 2003?, doesn't make it right.

      2. NATTtrash

        Re: Just How Trustworthy is Cloudflare

        I thought Cloudflare was Firefox's default, but you could set your own?

        Yes, I think I remember that you can. Wasn't it something like network.trr.uri in about:config?

        Whether that needs specific protocol requirements of the DNS (provider) I don't know (sorry, no expert, but I'm sure somebody here will know).

    2. IGotOut Silver badge

      Re: Just How Trustworthy is Cloudflare

      "How do we know Cloudflare will never turn evil?"

      You don't, but good luck avoiding them. For starters, you'd have to stop visiting here.

    3. TheVogon

      Re: Just How Trustworthy is Cloudflare

      At an educated guess it's just a starting point as they have presumably tested Cloudflare extensively. Once they know it all works I'm sure it will be selectable.

    4. TheVogon

      Re: Just How Trustworthy is Cloudflare

There are no real concerns here for fully enterprise-managed systems. They can use group policy settings to force this off on installed browsers and do it at the network border if they want it, but still see/filter what is being accessed internally.

      For BYOD and guest WIFI I expect there are also solutions.

      1. stiine Silver badge
        Flame

        Re: Just How Trustworthy is Cloudflare

And just how long do you expect Mozilla to leave the knobs enabled in about:config? 2 versions? 3? Before they remove it because Kirk Steuber decided it should be removed because he's the smartest person on the planet.

    5. TheVogon

      Re: Just How Trustworthy is Cloudflare

      And a quick Bing finds https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/

      Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your phone or computer does is ask its directory: where can I find this?

      Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads. Cloudflare, in partnership with APNIC, runs 1.1.1.1, a recursive DNS service that values user privacy. Even though most Internet users have no insight into the Recursive DNS process or the entities involved in that work, there are legitimate concerns about how personal information collected through the Recursive DNS process are used or repurposed.

      Cloudflare commits that 1.1.1.1 was designed for privacy first, and as a result:

      Cloudflare will never sell your data or use it to target ads. Period.

All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, are purged within 24 hours.

      Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.

      Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.

      Cloudflare will only retain or use what is being asked, not who is asking it. Unless otherwise notified to users, that information may be used for the following limited purposes:

      Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.

      Frankly, we don’t want to know what you do on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.

    6. Jove Bronze badge

      Re: Just How Trustworthy is Cloudflare

      This is touched on in the other Register article covering the Mozilla adoption of DoH (and the Mozilla articles and blogs on the topic).

    7. Jove Bronze badge

      Re: Just How Trustworthy is Cloudflare

      You are asking these questions on a forum covering an article about a Google browser?

      1. GnuTzu

        Re: Just How Trustworthy is Cloudflare

        Um, not entirely. The opening paragraph introduces the topic of Google following Firefox. My point is that Google is offering an option that Firefox is not--as the article mentions. I am primarily pointing out that this appears to be the reverse of what is normally portrayed.

    8. Ben Tasker

      Re: Just How Trustworthy is Cloudflare

      Unless things have changed, Cloudflare is just the default to begin with.

      Mozilla's intention (IIRC) is to have regional defaults (i.e. if you're in the US, you might get Cloudflare, if you're somewhere else, someone else will be the default).

      There's a long list of rules that you have to show you abide by in order to be included in the pool of defaults, including:

      - clear statements on how you'll address privacy

      - not filtering/tampering with results.

      - Using QNAME Minimisation

      - No ECS unless the upstream connection is encrypted

      So, to answer your question:

      - Yes Cloudflare have a statement on this (dedicated to this)

      - Any other provider Firefox chooses would have to abide by the same rules

      Which still skips over the following

      - You can configure your own

      - You're complaining about the privacy of Firefox in a thread about Google Chrome

  3. Dinanziame Silver badge
    Paris Hilton

    DoT or DoH

    Is there a legitimate advantage to DoT? Isn't the very point of encrypting DNS that third parties cannot control it?

    1. TheVogon

      Re: DoT or DoH

      How is that not a legitimate advantage?

    2. druck Silver badge

      Re: DoT or DoH

      DOH or DOT, you can bet corporate installed spyware security tools will intercept it.

      1. stiine Silver badge
        Big Brother

        Re: DoT or DoH

It's my network, the switches are mine, the firewalls are mine, the servers are mine, even the electrons are mine, so yes, I'll be intercepting it if I can't disable it completely.

  4. Blofeld's Cat
    Unhappy

    "The CMS server is broken" ...

    I'm just waiting for those support calls where users have (perhaps unknowingly) switched on DoH, bypassed the local network's DNS server, and now cannot access the "whatever.local" machines.

    1. stiine Silver badge

      Re: "The CMS server is broken" ...

The note at the bottom of the Cisco Umbrella page says the only solution is to install a MitM proxy and control it that way.

  5. Jusme
    Big Brother

    Click

    Another notch... so soon

    https://forums.theregister.co.uk/forum/all/2019/09/09/mozilla_firefox_dns/#c_3866675

  6. JimmyPage Silver badge
    Stop

    The more I think about this, the more it's broken

As with a lot of commentards above me, this is messing up the distinction between application and OS. OK, so now a browser is using DoH. But how about my email client? My Usenet client? Or any other applications I have which need to access the internet?

    Much prefer my current setup, where a piHole is looking after my DNS (using DoH) and all my devices, clients and apps go through that which I control.

    In 2019, the idea of things being hardbaked into applications should be history. Instead, because applications can update in real time, it seems to be the default.

With predictable results.

    1. ScissorHands
      Trollface

      Re: The more I think about this, the more it's broken

      The browser is the only application you need for email and Usenet. Why transfer KBs when you can turn that into MBs *and* serve you ads **and** know everything you're doing?

      What do you mean there are protocols other than HTTP? /s

      1. Anonymous Coward
        Anonymous Coward

        Re: The browser is the only application you need for email and Usenet

        Upvoted if that is sarcasm ... I reserve the right to return and swap votes :)

    2. Anonymous Coward
      Anonymous Coward

      Re: The more I think about this, the more it's broken

      Much prefer my current setup, where a piHole is looking after my DNS (using DoH) and all my devices, clients and apps go through that which I control.

      Cheers for the PiHole heads-up: out of curiosity I looked it up, thought it sounded damn neat, checked out where and how to install it, fired up a CentOS VM last night and had it cleaning up the local LAN browsers within an hour!

  7. Zippy´s Sausage Factory

    DoH seems to me to be an inefficient way to get applications to take on what should be an operating system problem: resolving host names.

    Basically, DoH now means another place (or set of places) to maybe sort-of support IPv6 and obfuscate where your network naming is coming from.

    Whoever thought this was a good idea is really an idiot.

  8. sebbb
    IT Angle

    I don't agree with baking DoH into applications as somebody said here as well, that should still be a system-wide setting.

However, I do not agree with people thinking DoH is the wrong choice. I absolutely have no idea why I would want my ISP to intercept and log whatever I'm doing with my Internet connection, which is why I installed a nice DoH client on my home pfSense and use it as the default DNS for my whole network.

    And as the discussion for local company networks goes instead, there's not much else to say IMHO: it's your network, you can block the IPs of the DoH servers, run your own beloved DNS and live happily ever after.

    1. Terje

      The question is not to encrypt or not but how and where to encrypt and handle the name resolving.

This application is doing it in the browser and over HTTP, which the consensus here seems to agree is a bad idea, as opposed to the OS doing it over an encrypted channel, honouring the hosts file etc.

      i.e. Name resolving is an OS job, not a job for the application.

      1. sebbb

The major reason for what is happening here is this, in my opinion: there is a technology, people don't want to adopt it or it's very slow in adoption. Then, let me use that for myself and embed it into my application. It's like IPv6, guys: nobody gives a s**t about it, so people have been trying to invent absurd alternatives like 6in4 and such. If adoption is the problem and I want to use something in my product, I'll implement it on my own. I think this is exactly what happened here at Mozilla and Google. If tomorrow MS comes out with a native DoH/DoT client in Windows, rest assured that perhaps these guys would give you the option to keep going with the usual way.

    2. JohnFen

      "it's your network, you can block the IPs of the DoH servers"

      Yeah, good luck with that. Anybody, including attackers, can easily set up their own DoH server and use that. Trying to block DoH servers via IP is a game of whack-a-mole that requires you to constantly monitor your router logs in order to suss them out.
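The exchange above, blocking resolver IPs at the border versus the whack-a-mole of unknown DoH endpoints, is easier to reason about with the network's own flow records in front of you. The following is an added example written for this page, not code from the article, Cisco Umbrella, or any browser vendor. It runs over a few constructed flow-log lines (timestamp, source, destination, destination port, protocol, TLS SNI) and assumes an internal resolver at `10.0.0.2`; the resolver host names `cloudflare-dns.com`, `mozilla.cloudflare-dns.com`, `dns.google` and `dns.quad9.net` are real published DoH endpoints, while `doh.resolver.example` is a constructed unknown one. Besides matching known endpoints it applies the behavioural check that survives new endpoints: a client that is opening TLS sessions but never talks to the internal resolver on port 53.

```python
from collections import defaultdict

# Published DoH resolver host names, matched against the TLS SNI.
KNOWN_DOH_SNI = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
}

# Constructed flow-log lines (not real traffic): ts src dst dport proto sni
FLOW_LOG = """\
2019-09-10T09:00:01 10.0.0.5  10.0.0.2       53  udp -
2019-09-10T09:00:02 10.0.0.5  93.184.216.34  443 tcp www.example.com
2019-09-10T09:01:00 10.0.0.7  1.1.1.1        443 tcp cloudflare-dns.com
2019-09-10T09:01:05 10.0.0.7  1.1.1.1        443 tcp cloudflare-dns.com
2019-09-10T09:02:00 10.0.0.9  203.0.113.50   443 tcp doh.resolver.example
2019-09-10T09:02:30 10.0.0.9  198.51.100.20  443 tcp www.example.net
2019-09-10T09:03:00 10.0.0.11 10.0.0.2       53  udp -
2019-09-10T09:03:01 10.0.0.11 8.8.8.8        853 tcp -
"""


def parse_flows(text):
    """Yield one dict per non-empty line of the constructed flow log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, sni = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
               "proto": proto, "sni": None if sni == "-" else sni}


def analyze(log_text, internal_resolver):
    """Return {client: [findings]} for clients whose name resolution appears
    to bypass the internal resolver.  Findings, in order:
      known-doh:<sni>   TLS session to a published DoH endpoint
      dot:<ip>          port 853, the DNS-over-TLS port
      no-internal-dns   TLS sessions seen, but never a port-53 query to
                        the internal resolver (catches unknown endpoints)"""
    state = defaultdict(lambda: {"internal_dns": False, "known": set(),
                                 "dot": set(), "tls": 0})
    for f in parse_flows(log_text):
        s = state[f["src"]]
        if f["dport"] == 53 and f["dst"] == internal_resolver:
            s["internal_dns"] = True
        elif f["dport"] == 853:
            s["dot"].add(f["dst"])
        elif f["dport"] == 443:
            s["tls"] += 1
            if f["sni"] in KNOWN_DOH_SNI:
                s["known"].add(f["sni"])

    report = {}
    for client, s in state.items():
        findings = ["known-doh:%s" % sni for sni in sorted(s["known"])]
        findings += ["dot:%s" % ip for ip in sorted(s["dot"])]
        if s["tls"] and not s["internal_dns"]:
            findings.append("no-internal-dns")
        if findings:
            report[client] = findings
    return report


if __name__ == "__main__":
    for client, findings in sorted(analyze(FLOW_LOG, "10.0.0.2").items()):
        print(client, ", ".join(findings))
```

In the constructed data `10.0.0.5` is the well-behaved client and produces nothing, `10.0.0.7` is caught by the endpoint list, `10.0.0.11` shows up on the DoT port, and `10.0.0.9`, which uses an endpoint nobody has listed, is still flagged because it never asked the internal resolver for anything. On a real network the second heuristic needs a time window and a minimum session count before it is worth an alert, and printers or IoT devices with hard-coded resolvers will show up in it as well.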

  9. Anonymous Coward
    Anonymous Coward

    One thing is clear and speaks out loud

If Google is not at all worried, it is because they can read the URL before you send it out for name resolution.

  10. Yes Me Silver badge
    Facepalm

    Vixie is right...

    ...as usual. DoH is a terrible idea and will only help Big Company to profile you.

  11. gnarlymarley

    first DoH servers hosted by?

I am sure Google and Firefox will be happy to host your first DNS-over-HTTPS servers. Because we "trust" them more than we trust our own ISP, RIGHT??????

    1. cantankerous swineherd

      Re: first DoH servers hosted by?

      as things stand, my isp is the greater evil. times can and do change however.

  12. Anonymous Coward
    Anonymous Coward

    "Google promises ..."

    Haha, good one.

  13. Anonymous Coward
    Anonymous Coward

    Block DoH

OK, so I'm using OpenDNS now for URL filtering on my home network. An article I read suggests they will block known DoH addresses in their Proxy/Anonymiser category, which I already have blocked, but that assumes the browser will use a known host to connect to DoH which we can block?
