
Big ISPs Worry DNS-Over-HTTPS Could Stop Monitoring and Modifying of DNS Queries – Slashdot

September 2, 2019 - MorningStar


Big ISPs Worry DNS-Over-HTTPS Could Stop Monitoring and Modifying of DNS Queries (arstechnica.com) 50

Posted by EditorDavid from the DoH dept.
“Big Cable and other telecom industry groups warned that Google’s support for DNS over HTTPS (DoH) ‘could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues,'” reports Ars Technica.

But are they really just worried DNS over HTTPS will end useful ISP practices that involve monitoring or modifying DNS queries? For example, queries to malware-associated domains can be a signal that a customer’s computer is infected with malware. In some cases, ISPs also modify customers’ DNS queries in-flight. For example, an easy way to block children from accessing adult materials is with an ISP-level filter that rewrites DNS queries for banned domains. Some public Wi-Fi networks use modified DNS queries as a way to redirect users to a network sign-on page. Some ISPs also use DNS snooping for more controversial purposes — like ad targeting or policing their networks for copyright infringement. Widespread adoption of DoH would limit ISPs’ ability to both monitor and modify customer queries.

It wouldn’t necessarily eliminate this ability, since ISPs could still use these techniques for customers who use the ISP’s own DNS servers. But if customers switched to third-party DNS servers — either from Google or one of its various competitors — then ISPs would no longer have an easy way to tell which sites customers were accessing. ISPs could still see which IP addresses a customer had accessed, which would give them some information — this can be an effective way to detect malware infections, for example. But this is a cruder way to monitor Internet traffic. Multiple domains can share a single IP address, and domains can change IP addresses over time. So ISPs would wind up with reduced visibility into their customers’ browsing habits.

But a switch to DoH would clearly mean ISPs had less ability to monitor and manipulate their customers’ browsing activity. Indeed, for advocates that’s the point. They believe users, not their ISPs, should be in charge… [I]t’s hard to see a policy problem here. ISPs’ ability to eavesdrop on their customers’ DNS queries is little more than a historical accident. In recent years, websites across the Internet have adopted encryption for the contents of their sites. The encryption of DNS is the natural next step toward a more secure Internet. It may require some painful adjustments by ISPs, but that hardly seems like a reason for policymakers to block the change.


  • Good!

    • The ISPs’ arguments, self-serving as they most certainly are, are not entirely without merit. They are completely correct that this may give Google a huge database of information about what sites people are accessing and unprecedented control over which sites will be easily accessible. Even if Google is, and remains, entirely benevolent, it potentially means that the history of these DNS lookups will now be subject to US law, which does not have the privacy protections present in many other countries.

      Ultim

  • That’s precisely the point, fucking ISP morons.

    Cry me a fucking river.

  • Here’s how the ISPs are going to handle these “painful” adjustments: drop all outbound client IP traffic over port 53 that doesn’t terminate at the ISP’s DNS servers, and turn on recursion for client IPs.

    No problem at all.

    I’d be OK with signed DNS traffic… but encrypted makes it a royal pain the posterior to actually troubleshoot network issues.

    The whole thing’s barking mad, and if Google wasn’t basing their entire revenue stream on ads, this wouldn’t be such a hot-button issue for them.

    • That probably won’t help. DoH does the DNS request over 443 (aka https) so mucking about with UDP 53 won’t gain you much, and is pretty much exactly what DoH is designed to do away with.

      My bigger worry is internal/split horizon DNS. We have a number of internal-only services available on our network that aren’t accessible from the outside world, and thus aren’t in our public DNS records.

      • > My bigger worry is internal/split horizon DNS. We have a number of internal-only services available on our network that aren’t accessible from the outside world, and thus aren’t in our public DNS records.

        Mozilla’s implementation detects this and reverts to your local DNS servers. You can push enterprise policies if you want something different.

        • Mozilla’s implementation detects this and reverts to your local DNS servers. You can push enterprise policies if you want something different.

          Yeah, it does that by counting on your local DNS servers to return NXDOMAIN for use-application-dns.net – which, to me, seems like a ridiculous kludge. You have to manually configure your DNS servers to do this, obviously.

          https://support.mozilla.org/en… [mozilla.org]

          Pi-hole kludged this crap into their code as well. I get it, but still… it’s a kludge.
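The two mechanisms discussed in this thread, DoH carrying an ordinary DNS wire-format message inside HTTPS on port 443, and Firefox backing off to the local resolver when that resolver answers NXDOMAIN for the canary name use-application-dns.net, can be seen concretely in the following added example. It is not code from the original discussion, from Mozilla, or from Pi-hole: it builds the DNS query as a DoH client would, shows both the RFC 8484 GET and POST forms (the host doh.example is a placeholder), and then evaluates the canary on constructed NXDOMAIN and NOERROR responses so that it runs offline.

```python
import base64
import struct

# Mozilla's canary domain, as named in the comment above. A local resolver
# that returns NXDOMAIN for it signals "do not enable DoH on this network".
CANARY = "use-application-dns.net"


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """Build a DNS query in wire format. DoH carries exactly this message body;
    RFC 8484 suggests ID 0 so that GET requests are cache-friendly."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_path(query: bytes) -> str:
    """Path of an RFC 8484 GET: the query as unpadded base64url in `dns=`."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + enc


def doh_post_request(host: str, query: bytes) -> bytes:
    """The HTTP/1.1 request a DoH client sends inside TLS on port 443
    (hypothetical host; nothing here opens a socket)."""
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg: bytes) -> tuple[int, list[str]]:
    """Return (RCODE, list of IPv4 answers) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def canary_disables_doh(response: bytes) -> bool:
    """True when the local resolver answered NXDOMAIN (RCODE 3) for the canary."""
    rcode, _ = parse_response(response)
    return rcode == 3


def build_response(query: bytes, rcode: int, ipv4s=()) -> bytes:
    """Constructed sample response to `query` (offline testing only): copies
    the question, sets QR/RD/RA plus RCODE, adds one A record per address."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, len(ipv4s), 0, 0)
    answers = b""
    for ip in ipv4s:
        rdata = bytes(int(p) for p in ip.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_query(CANARY)
    print(doh_get_path(q))
    nx = build_response(q, 3)                  # what an opted-out network returns
    ok = build_response(q, 0, ["192.0.2.1"])   # RFC 5737 documentation address
    print("NXDOMAIN canary ->", canary_disables_doh(nx))
    print("NOERROR canary  ->", canary_disables_doh(ok))
```

The same query bytes serve both transports: over UDP 53 they are the datagram, over DoH they are the HTTP body (or the base64url `dns` parameter), which is why filtering port 53 alone does not affect DoH and why the canary is evaluated against the network's own resolver before any DoH server is contacted.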

        • We just have all internal systems use internal DNS servers that forward external requests. I don’t see the problem.

      • Depending on the environment, you could push out updates to the HOSTS file.

    • How does DNS over HTTPS help Google serve ads?

  • by Kunedog ( 1033226 ) writes: on Sunday October 06, 2019 @08:28PM (#59276856)

    Say what you will about ISPs, but by blacklisting Dissenter, Google and Mozilla proved themselves much more dangerous and likely to censor content, not just monitor it. Who really trusts them not to try to turn DNS into another walled garden?

    • “Who really trusts them not to try to turn DNS into another walled garden?”

      Anyone who understands that you don’t need to be Google, Mozilla, etc. in order to have a DNS server that supports this protocol.

    • Hrm, it looks like Brave explicitly whitelists Dissenter

      https://github.com/gab-ai-inc/… [github.com]

    • What some people may be missing about DoH is that Mozilla and Google are focusing your requests onto just a couple of providers.

      What do you think is going to happen next time a court rules a domain should be blocked? Although this might make it easier for your ISP to manipulate your traffic, do you think a centralized DNS service makes it harder or easier for the government to spy?

      • What some people may be missing about DoH is that Mozilla and Google are focusing your requests onto just a couple of providers.

        They’re missing it because it’s not true, at least, not of Google. Mozilla is sending all requests to Cloudflare. I have concerns about that. Google is sending requests to your ISP. If your ISP supports DNS-over-HTTPS, then it will use that. Otherwise it falls back to your ISP DNS over DNS by default. You can change it to use another provider.

        Mozilla is actually doing worse than Google here.

  • And do just as much spying and censorship as Mozilla, Google or any other evil empire!
    Now with more WhatWG batshit insanity! Yay!

    • Do you think that they won’t take over “root zone” duty and force their own browser to use a pinned cert? They’ll probably force you to ONLY use their DNS because they’re not protecting you from the ISPs spying – they’re just wanting to prioritize their own. And the excuse will be that ISPs will otherwise merely re-route the well-known DoH server IPs to their own implementation.

  • When I want to go to www.foo.com, I don’t really want my ISP inserting ads, nor keeping track of which websites I visit.

    It’s sad we need DNS over HTTPS, but, yeah. Here we are. And now the people abusing the system are the ones whining the most when we say “Um yeah. About that. How about you fuck right off”.

    • Your ISP can’t insert ads if it’s HTTPS, and they already know where you are going since they have to fetch it for you. Unless you use a VPN, and then it defeats your whole comment.

      This just breaks network configuration.

  • This is Comcast worried they cannot track and modify your requests.

    No further discussion necessary.

    If Comcast had cared about malware infection it would have blocked command and control servers, cut off infected customers and diligently shut down DDoS nodes. This isn’t anything they have ever done.

    All that is left is profit.

    • If you are using HTTPS they can’t modify your requests. They can still track you since they are the ones establishing the connection. Not sure what it adds to your security if you don’t trust your ISP. It just breaks network configuration. If you really don’t trust your ISP then you should at least be connecting by VPN.

  • Another example of how the internet interprets censorship as damage and routes around it.
    Funny how outraged companies can get when their bad faith operations are threatened.

    • The problem is that this also defeats perfectly valid techniques that help protect our privacy. Things like Pi-hole and so forth that blackhole tracking domains, advertising, and so forth at the DNS level. It’s generally by working at the DNS level that you can isolate things that shouldn’t be talking to the outside world in a relatively simple manner.

  • In a battle between Google’s centralized control of everything (your browser, your phone, your DNS… everything going through their servers *by default*), *ANY* decentralized alternative is preferable.

    Most ISPs aren’t tracking DNS queries in anything approaching the manner in which Google is. They primarily are dealing with abuse reports and trying to stop malware and botnets. Furthermore, there are opt-out mechanisms for all the services (eg, parental control/filtering, or Verizon Selects) that do require

    • If you only knew that by default Chrome will still use your ISP’s DNS [arstechnica.com], and that Firefox uses Cloudflare’s [mozilla.org], and that you can configure either to use any server you want, then you could have saved yourself the time it took to leave that comment, and us the trouble of reading it.

      • I have a protocol to configure my network. It’s called DHCP. I don’t need a third party who is known to lock users out of their settings because they believe they know better. I can’t believe how naive people are. This offers very little additional security. Breaks existing standards. Concentrates all your data to the worst abuser out there. This is the worst privacy feature because it removes your privacy from Google. Now not only do they know what Google analytics encumbered sites you go to but also ALL t

  • Next time I go to a hotel, how will they be able to hijack my web query to ask me whether I agree to connect to their free complimentary wifi every 5 minutes?
    If I don’t have that, I won’t have the perfect excuse I always tell my boss when he sends me abroad and calls me after hours in my hotel room to work on the company servers:

    “Aaw man, sorry but I can’t: my SSH connection keeps breaking every 5 minutes. I just can’t do nothing from here. What a bummer eh? Oh well, I guess I’ll just go down

  • Just buy Cloudflare and DoH is yours!

  • belongs to me and me only.

    ideally (which is not really possible from what I understand) even my IP should be by default unknown to my ISP.

    what i send to the internet is not their business.

    You take the packet. Does it belong to you? If yes read it, else forward it. That’s it.

    switched over to dnsoverhttp (i do enjoy mixing acronyms and words) the *moment* thepiratebay was “blocked” in my country because it was somehow “illegal” ?! … they can suck rancid floppy donkey dick…

    • Depending who is offering DNSOVERHTTP you may have just switched over more information to a central location. If you really don’t trust your ISP, the simple solution would have been a VPN. If your ISP was that stupid that they blocked thepiratebay just on the DNS level, you don’t have a very competent or dedicated ISP.

  • Keep your damn dirty hands off my DNS, scum.

  • Neighborhood creep worries that curtains could obstruct his view of the hot divorce across the street…

  • As an ISP employee (and DNS admin) I’ve seen the change from content providers being hosted many hops away, to setting up inside the datacentre plugging directly into the ISP backbone. The ISP’s DNS servers intelligently parse lookups based on IP source and send the user to the closest cache. I.e. if you’re a subscriber of the ISP and on the West Coast, you get the West Coast (Netflix, Akamai, etc.) IP addresses for their caching servers, and likewise for the East Coast. ISPs aren’t scared about pr

  • We don’t want you spying on our DNS queries or anything else. So far as I’m concerned the entire gods-be-damned Internet should be encrypted. All you bastards are supposed to be doing for the money we pay you is provide connectivity. The rest is bullshit and needs to stop.

  • The DOJ just got done “threatening” the big 4 (MAGA : Microsoft , Apple , Google, Amazon) with anti-trust.

    I think this move by Google means that 3 of the 4 have begun compliance ( Maybe even 4/4)

    The NSA needs a constant feed. And they will acquire it by any means necessary.

  • Using DNS over HTTPS sounds sort of like systemd. Next it’ll be IMAP or HTTPS or NTP or HTTPS. /s

    If you want to get around the ISPs modifying your DNS queries then the solution is easy. Just use a VPN and the ISP just becomes a carrier of data packets.

  • ISPs need to get their noses and grubby hands out of our private data – browsing history is none of their business.

  • that can only do one type of networking and expect networking never to change?
    Now that network use could change that is the fault of the user?
    The browser is evil?
    The role of the ISP is to move any/all data from the “user” to the “internet”.
    Not to police, monitor, look for malware, study, sell, track, detect, stop copyright infringement.
    If the user is reported doing copyright infringement, that’s for a court/nation/police and the users “account” not “network”
