Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Chrome Google Security

Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome (zdnet.com) 104

Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.
This discussion has been archived. No new comments can be posted.

Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome

Comments Filter:
  • This way... (Score:5, Insightful)

    by courteaudotbiz ( 1191083 ) on Wednesday September 11, 2019 @09:53AM (#59180970) Homepage
    This way, only Google will know what DNS names you have resolved, so they'll send you ads accordingly... :-/
    • by kalpol ( 714519 )

      Yeah there's no other reason they want to do this, that I can think of. DNSSEC will do DNS over TLS, right? What is the advantage here except to Google?

      • Re:This way... (Score:4, Insightful)

        by courteaudotbiz ( 1191083 ) on Wednesday September 11, 2019 @10:14AM (#59181048) Homepage

        What is the advantage here except to Google?

        That's exactly my point. Google will be the only company to profit from this change. They'll use the DNS resolution data to send you targeted ads, and they'll be the only ones to possess this data cause you know, they're the one encrypting/decrypting it, thanks to their own browser...

        • They'll use the DNS resolution data to send you targeted ads

          They'll be wasting their time. I use an ad blocker and even if I did see an ad, I never never never buy shit based on a banner ad.

          • The security issue isn't you seeing an ad. The issue is corporations building ad profiles on you based on sites you visit.

            Congrats. You block the ads targeted to you. The database continues to exist and grow.

            • The database continues to exist and grow.

              I hope the database grows to a zillion trillion kabillion rows; I'm still not going to buy anything.

              I have the vast majority of the things I want and need; I can browse Amazon and eBay and every online store for days and still not find anything I really want. I buy things I need for maintenance and whatnot, but I can't remember the last time I saw anything in an ad or not and thought, "OMG I gotta have that!!"

              Like I said, I have practically everything I want. Except Ecuador, I've always wanted Ecuador.

      • Re:This way... (Score:5, Informative)

        by slack_justyb ( 862874 ) on Wednesday September 11, 2019 @10:41AM (#59181182)

        DNSSEC will do DNS over TLS, right?

        Well not really. DNSSEC provides an authentic answer, but it does not assure that no one else read the message. That is, the public key of the authority is all that is needed to decrypt the message. If the public key of the authority successfully decrypts the message, you can assure that it is indeed authentic, but so can everyone else who intercepts the message. What cannot be done is someone intercept the message, then modify it, and send it on to you as the authority's public key will no longer successfully decrypt the message.

      • My understanding is that DNSSEC is just a digital signature scheme. I might be wrong.
      • by jwhyche ( 6192 ) on Wednesday September 11, 2019 @12:05PM (#59181572) Homepage

        The only reason that I can think to do this is keep your isp from knowing what sites your pulling from their DNS server. Even then they are still going to know where you are going when you start connecting to the sites from the dns entries. So even now it's pretty much point less.

        • by AmiMoJo ( 196126 )

          Most sites are served from shared IP addresses, often CDNs. At most your ISP gets an IP address. With HTTPS not even the domain name is exposed.

      • Its the same racket as 'privacy' VPN services.

        They insert themselves as a man-in-the-middle so every online action can be monetized... by themselves.

    • Re:This way... (Score:5, Interesting)

      by Opportunist ( 166417 ) on Wednesday September 11, 2019 @10:32AM (#59181132)

      Get a plugin that resolves a couple hundred DNS names per second and poison their data well.

      If you can't keep them from getting data, make sure that they can't tell data from noise.

      • Yes, surely Google with their massively clustered datacenters, near infinite computing resources, and incredibly strong abuse detection will be taken down by ::checks your comment again:: a couple hundred DNS requests per second.

        • by Fusen ( 841730 )

          I think you're confusing the intention here, it isn't to try and DoS them but instead have Google record lots of random websites mixed into your legitimate browsing history so that their targeting of 'who you are/what you're like' isn't accurate.

        • The goal is not to take them down or flood them. The goal is to make the data useless by adding a bunch of bogus DNS lookups to your real ones.

    • by AHuxley ( 892839 )
      A CoC on what is not a sinful part of the internet?
      The good censor has to allow a site to be found?
    • That was my thought. I can use Google's DNS or not, however having your browser override your systems DNS entries, can make things very difficult. Say you are in a work environment where you institution has an internal DNS for intranet stuff. If google ignores that, wouldn't your intranet be cut off.

      Now if ISP's and other sites have their own DoH servers, that you can point to, then it is just a more secure protocol, which is good.

      • Well for this to work, at least for the "test" they've configured, they need to know exactly which DNS servers they are talking to, specifically so they can use the new DoH protocol.

        Any DNS service providers NOT on the list, would NOT go over that protocol, and that would include your internal DNS servers. So I don't think that would be an issue.

        There are a lot of issues with doing this, including Google further locking down their monopoly, but intranet name resolution is not one of them.

        • Well for this to work, at least for the "test" they've configured, they need to know exactly which DNS servers they are talking to, specifically so they can use the new DoH protocol.

          That's easy. They just use their own DNS servers, ignoring the ones configured in the operating system. That's what Firefox does. If you need the ones configured by the system administrator in order to resolve split-DNS intranet domains properly, well, that's just too bad. The burden is on you, the end user, to figure out how to disable DoH or configure your intranet's domains to be excluded.

          Your way would make perfect sense except for the fact that approximately none of the ISP-provided DNS servers people

      • by AmiMoJo ( 196126 )

        You can still use your company or local network DNS. If DoH can't resolve a site it will fall back to whatever DNS you configured. You can of course turn DoH off too, via Active Directory company policy if needs be.

    • by AmiMoJo ( 196126 )

      You can use any DNS server you like that supports DoH, not just Google's. Your ISP might even offer one. There is also Cloudflare and it looks like OpenDNS should support it too.

      BTW, who do you prefer for DNS?

      • by caseih ( 160668 )

        I'm not opposed to the idea of DNS over https. It's just that there are no system or network mechanisms for controlling this. If the DHCP added a field to specify what DoH server to use on the local network, and if the OS had support for it through the built-in name resolution mechanisms, then I wouldn't have much problem with it. In the meantime, for a lot of enterprises with a lot of private infrastructure, this kind of thing being rolled out willy nilly, such as the way Firefox is doing it, is going to

    • by skids ( 119237 )

      Don't worry, if you're running certain AV software with web browser integration,
      everyone will still know where you are going, not just google, because the AV software
      will send the URLs it is checking against it's database in cleartext out to the Internet.

      And base Browser or OS OCSP protections will usually be unencrypted and expose the
      HTTPS certificates you try to validate.

      So there are still plenty of ways for advertisers to get your behavioral data.

    • Really, I think they know that already.

      Maybe this is more to keep anyone else from gathering such information, and thus increasing the value of what Google can offer to advertisers?

  • Two questions:

    I guess you need a regular DNS to resolve the DNS over HTTPS server, isn't it?

    HTTPS doesn't work on IP addresses but only on domain names, isn't it?

    • Two questions:

      I guess you need a regular DNS to resolve the DNS over HTTPS server, isn't it?

      HTTPS doesn't work on IP addresses but only on domain names, isn't it?

      Why do you end your sentences with "isn't it"? isn't it?

      • I take an educated guess that fred6666 is trying to include one or more tag questions [wikipedia.org] in a comment while not being a native speaker of English.

        Many languages end all tag questions with an invariant particle: "no?" in Italian and Spanish, "né?" in Portuguese and Japanese, "n'est-ce pas ?" in French, "da?" in Russian, "'kan?" in Indonesian. Tag questions in standard English, by contrast, inflect the tag question marker for the verb's tense, aspect, modality, and negation, the subject's number, person, an

        • Many languages end all tag questions with an invariant particle: "no?" in Italian and Spanish, "né?" in Portuguese and Japanese, "n'est-ce pas ?" in French, "da?" in Russian, "'kan?" in Indonesian.

          Don't forget about Canadians, eh?

    • by Chrisq ( 894406 )

      Two questions:

      I guess you need a regular DNS to resolve the DNS over HTTPS server, isn't it?

      Well you could have a configuration including a name and IP

      HTTPS doesn't work on IP addresses but only on domain names, isn't it?

      There's nothing in the specification to stop you creating a certificate for an IP address, in fact I have done so with certificates signed by an "organisational" Certificate Authority (CA). I don't think any public CAs would support this though.

    • Re:DNS over HTTPS (Score:4, Informative)

      by mwvdlee ( 775178 ) on Wednesday September 11, 2019 @10:01AM (#59181012) Homepage

      Do you need regular DNS to resolve a regular DNS server? No, you don't. You supply an IP address instead. Why should this be any different in that regard?

      • because I don't think any public CA would approve an SSL certificate to an IP address

        but see this post for a possible solution to that problem
        https://slashdot.org/comments.... [slashdot.org]

      • I use DoH with 1.1.1.1 currently via pihole, works fine. That is to say, the cert may be issued with a domain, but the connecting client is under no requirement to reject it without a domain reference on its side of the request. The cert itself can still be verified against the upstream certs, and via its ca certificate.
    • According to this post [stackoverflow.com], HTTPS can work on an IP address. Also, since it is a functionality included in the browser, Google Chrome can "preapprove" the IP addresses they want for TLS transport.
      • Sadly LetsEncrypt refuse to support SSL certificates for an IP address. This would have been a better way to support encrypted tls IMO (browser initiates regular TLS connection to IP address then negotiates a second TLS session to the domain name [kind of like EAP outer and inner], as opposed to the crazy dns-augmented method they decided on).
        • There's a reason for that. IP addresses get traded around all the time. If you have a certificate for 12.34.56.78, and then that block of IP addreses gets reallocated to someone else who puts a server there, you now have a certificate that can be plausibly used to impersonate their server.

      • According to this post, HTTPS can work on an IP address.

        No CA on the planet trusted by any browser will issue them anymore.

        Also, since it is a functionality included in the browser, Google Chrome can "preapprove" the IP addresses they want for TLS transport.

        The possibilities are endless when it comes to Google. They have all the power in the world. They don't seem to have any issues leveraging their monopoly position to further entrench and enrich themselves.

    • With the answers already provided I am filling in a few missing parts.

      1) you need to have a special server that ties into the web server that you have configured your browser to use for DoH. It uses its own port so a company could block that port to prevent it. also that port can be montiored to see if you are using it.
      Once connected to the web server the DoH service then connects to a DNS server and waits for that to resolv the name.
      cloudflare, google, and some of the other public resolvers support
  • by LostMyAccount ( 5587552 ) on Wednesday September 11, 2019 @09:58AM (#59180996)

    It's challenging enough to deal with DNS resolution issues sometimes, and worse with a browser that will now self-manage its DNS resolution internally, bypassing the many necessary local DNS kludges to make things work.

    I get this might solve some problems dealing with authoritarian DNS snooping and maybe some public ISP tinkering with DNS results, but it also seems like a back door way for google to trip up ad blocking without crippling it in more obvious ways.

    • by AmiMoJo ( 196126 )

      Why would it affect ad blocking? You can still configure it to use local DNS if you like, which you would have to do anyway for DNS based blocking.

      • Google allowing any local configuration for this will be complicated and temporary. I guarantee we'll be reading about this local bypass option disappearing.

        Whether it affects ad blocking in-browser remains to be seen, but it seems very Google to somehow cause this to remove URL DNS awareness out of the realm where plug-ins can do anything.

        • by AmiMoJo ( 196126 )

          I'm afraid I just don't buy this conspiracy theory. If Google wanted to use Chrome to take over this way they could just remove all ad-blockers from the Chrome Web Store, or have forced the use of their own DNS years ago.

          Why would they do it this way, slowly and without stating the real reason? They do all the development in public, which is why the Manifest V3 stuff blew up (it was announced well in advance on their public dev site) and was eventually changed based on the feedback they got.

          It just doesn't

  • by green1 ( 322787 ) on Wednesday September 11, 2019 @09:59AM (#59181000)
    Google has already started to neuter in-browser ad-blockers with manifest v3, now they want to neuter DNS level ones as well. Google wants to make sure nobody bypasses an ad.
    • by sinij ( 911942 )
      Thankfully, Chrome isn't the only browser out there. If Google breaks support for non-Chrome browsers then they will have to face retaliations (e.g. Chrome prevented from running on Windows) and anti-trust prosecution.
    • Comment removed based on user account deletion
      • 1) Why would you block DNS over https?
        2) Who says your DNS Proxy server can't read this?

        • Oh yeah.

          #3 - since when does it say Chrome is moving to DoH exclusively, and will not use standard OS provide DNS?

      • Google provide a manager distribution of Chrome for enterprises. It is likely that there will be provision for a company to use specific DNS settings. Perhaps proxy.pac autoconfiguration might also provide some standard way to set DoH configuration for any browser too in future.
    • Whilst they might try to do this for the masses, they'll need to leave a bypass option there for the enterprise customers. Otherwise they'll very quickly watch their browser share in the corporate controlled environments nose dive.
      • by green1 ( 322787 )
        Thing is, for residential use, DNS ad-blockers are extremely easy. Setup a pi-hole, tell your router to direct all DNS queries there, and every person in the house benefits. Doesn't matter what devices come and go, they all just work.

        With this, even if there's a way to bypass it, you also need to go to every single device and change the setting. It's not so bad to change all my computers, tablets, phones, etc. but now I have to do the same for my wife's and my children's devices. Not to mention that any gue
      • by tepples ( 727027 )

        Google could offer a bypass certificate to its enterprise customers who pay per year, per device, or per device-year, so that home users don't end up adopting the enterprise bypass in mass.

  • by xack ( 5304745 ) on Wednesday September 11, 2019 @10:05AM (#59181024)
    Ones that won't sell you to advertisers or censor results. Having the entire internet's dns go through two companies Google and Cloudflare is very bad, even more than having only two real browser engines. If Mozilla sets up their own dns instead of using Cloudflare they would have more credibility. I won't be surprised if Microsoft starts its own dns for Edge too..
    • by AHuxley ( 892839 )
      That was for an ISP to find not an ad company.
    • by kalpol ( 714519 )

      It's pretty easy to install Unbound as a local resolver to query the root servers directly. That helps.

    • by dissy ( 172727 )

      We need more independent dns servers

      It doesn't get any more independent than setting up your own and using the root servers list directly.
      Not only does that take care of the selling your queries problem, but the DNS caching will also speed up your network a bit too.

      If you always rely on other people to give you what you want, you'll always be subject to their wants instead.
      Alternate way to view it, you can't reasonably expect others to put in -more- effort to giving you what you want, than the effort you are willing to put in yourself.

  • This can still be easily blocked or poisoned. The IP addresses have to be hard coded. All that will happen is the businesses, providers, or even countries will block or forge the response from this address.
    • HTTPS includes TLS, which detects forgeries of responses from Google, Cloudflare, or any other public DoH recursive resolver. If an ISP tries this sort of forgery, watch its angry paying subscribers report the ISP's MITM attack to the ISP's tech support and to the public through another ISP.

      • HTTPS includes TLS, which detects forgeries of responses from Google, Cloudflare, or any other public DoH recursive resolver. If an ISP tries this sort of forgery, watch its angry paying subscribers report the ISP's MITM attack to the ISP's tech support and to the public through another ISP.

        The "evil" ISP doesn't have to forge anything. They just need to block it while the browser silently switches back to DNS.

      • HTTPS includes TLS, which detects forgeries of responses from Google, Cloudflare, or any other public DoH recursive resolver.

        Nonesense. Plenty of corporations (and countries) run re-encrypting transparent proxy servers that inspect (and can modify) all passing HTTPS traffic. All that's required is a single PKI certificate private key that happens to have a public key in your computer's Trusted Root or Trusted Intermediate certificate stores.

        • by tepples ( 727027 )

          As for the corporate case, home users at least will not have already installed the ISP's certificate in their "computer's Trusted Root or Trusted Intermediate certificate stores." Newer versions of Android in fact hide TLS root certificates installed by the user from most applications, except for those applications (mostly web browsers) whose developer has opted in through the app's Network Security Config to using user certificates.

          As for countries, attempts to require all residents of a country to install

  • Is it just me, or... (Score:5, Interesting)

    by BringsApples ( 3418089 ) on Wednesday September 11, 2019 @10:23AM (#59181088)

    ...is this actually a huge man-in-the-middle attack by Google?

    • by AHuxley ( 892839 )
      With a CoC on every site allowed to be found and displayed?
      • by thereitis ( 2355426 ) on Wednesday September 11, 2019 @11:11AM (#59181300) Journal

        Good point. If we allow Google to be in control of DNS lookups, that gives them authority to drop the DNS record of anyone who runs afoul of their "community guidelines" / code of conduct. We've all see how well that's been going on Google/Alphabet's YouTube: stifling freedom of speech, errant takedown automation. The last thing we should want is to give Google (or other massive players) even more power.

        • by AHuxley ( 892839 )
          Wait for the servers to only accept a connection from a short list of ad friendly borrowers too.
          Its not just a one way connection.
          Only the ad friendly browser finds the approved site.
          The CoC passed site only responds to the ad friendly browser.
          VPN detected? No connection.
          Ad blocker in use? ... the CoC ad powered internet stops for that user.
          Privacy just locked the internet into seeing a lot of ads.
        • Color me paranoid, but they could also simply pull a full-fledged man-in-the-middle attack. They create a site that looks like another, direct all HTTP requests to that decoy-site's IP, and steal your login credentials. I mean, DNS is a rather well-established protocol with oversight. What oversight would Google look up to?

          Besides, how is this useful?

          • Besides, how is this useful?

            It prevents DNS providers (such as your ISP) from building a profile based on what domains you're resolving by funneling all DNS resolution through a different company that's building a profile based on what domains you're resolving.

        • by AmiMoJo ( 196126 )

          Have you checked Google's DNS servers lately? They don't block anything at all, unlike many ISPs who are forced to by court orders.

          In fact Google's DNS servers first came to prominence during the Arab Spring when people were using them to evade DNS based blocks. More recently people have been using them in countries like Australia and the UK to get around ISPs blocking sites such as The Pirate Bay.

    • by G00F ( 241765 )

      Yes, I hate this.

      First it takes control away from the local network/system, ignoring local DNS and likely hosts file. You then have two different directions to troubleshoot when faced possible with DNS related problems.

      But most noteworthy, it only hides/secures DNS from 1 party and giving that data to another. Never mind that the party you are hiding it from has a really good idea what site you are hitting based off IP you talk with. Now Google/Mozilla know what sites you hit via DNS request even if you a

  • by Viol8 ( 599362 ) on Wednesday September 11, 2019 @10:52AM (#59181232) Homepage

    Mozilla are pulling this stunt too now.

    It seems to me that browser devs seem to think that they know better than all the people who've worked on the internets infrastructure over the decades.

    It seems to me they're wrong. Very wrong.

    • by AHuxley ( 892839 )
      Wait for the other end of the internet to catch up too :)
      A server will only accept requests from one ad brands browser product.
      Then enjoy extra big ads.

      Still trying with an ISP? A nice message to use the correct ad company browser..
      VPN? No site will display at all..
      Another browser with ad blocking? No site with an nice message to use an approved browser.
      Any attempt at ad blocking in the approved browser? No site given the attempt to block ads....
    • Whilst good intentioned, I'm not sure they always think about what sort of effect this sort of tech could possibly have on society (sounds dramatic eh?), even if this is a natural path for it to take. I can easily see this pushing nation states further down the MITM road of mandated locally installed https certs etc.

      Yes I know some have already started doing this, I just think this sort of tech could speed up the adoption of such techniques.

      It might help if they allowed easy custom configuration so that yo

  • For those of us that run large networks and do split DNS (internal intranet addresses as well as the public versions for a given domain depending on what network the user is connected to) - this will be a disaster. As soon as this is attemted at a DOD site or a fortune 500 it will see huge pushback.

    • How are you running this large network with split DNS if you don't RTFA? And don't understand how you can fallback from DoH to plain DNS?

      • I did read the article, and it isn't clear:

        Chrome may use the associated DoH provider, and will fallback to the system private DNS upon error.

        So what does that mean in a split-view setup? Because the DNS server isn't going to return an error, it's going to return the wrong IP address for someone on the local network.

      • by smammon ( 88123 )

        I did RTFA and the linked one and the RFC... You are correct in that the test will fall back, and in fact will not run if you aren't already using one of the chosen DNS providers - but there is no provision for turning it off at a network level. The only option it appears is to run your own DoH server. Even then good luck with that since it just looks like ordinary TLS on port 443. I forsee large networks and ISPs commonly decrypting TLS to get around this. This will be a cluster.

    • Non-authoritative queries, which is all your average workstation cares about, could go through your site's DoH server. Alternatively you can misconfigure a system to go through sime public server and have all your intranet queries broke. Users will know when they can't get to their corporate email.

    • It can be turned off via GPO.
      It uses its own port so block that.
      So for the corporate environment that is not an issue.
    • You run large networks and don't know how to block tcp/443 by IP address? Or use DPI to examine SNI in TLS packets for blocking?
  • This is a good idea, a no brainer. Doh!

  • Split view DNS (Score:5, Interesting)

    by Xenolith0 ( 808358 ) on Wednesday September 11, 2019 @11:22AM (#59181336)

    One concern I have about browsers ignoring the system-wide configured DNS and using their own built-in DNS server is:

    How would this work on a home or corporate LAN where you have split-view DNS? (e.g. internally mail.mydomain.com resolves to 10.100.0.1, and externally to 1.2.3.4. Or even worse, dev.mydomain.com only resolves internally.)

    How does these browsers using DNS/TLS account for that? Do they auto-magically "do the right thing" or is this a new nightmare for IT helpdesks around the world?

    • Re:Split view DNS (Score:4, Insightful)

      by nuckfuts ( 690967 ) on Wednesday September 11, 2019 @01:37PM (#59182014)

      One concern I have about browsers ignoring the system-wide configured DNS and using their own built-in DNS server is:

      How would this work on a home or corporate LAN where you have split-view DNS?

      That is a very astute question. I also rely on split-horizon DNS and home and at work. It allows me to specify single FQDN that works on mobile devices whether they're inside the LAN or outside on the Internet.

      But in a larger sense, anything that takes away my control over DNS resolution is a hijack, plain and simple.

      And for what reason? To prevent anyone (other than Google) viewing what names I'm resolving? Personally I'm a hell of a lot less concerned about someone sniffing my DNS traffic than having it completely controlled / tracked by Google.

      • by G00F ( 241765 )

        I believe both FF and chrome will check for use-application-dns.net, and if it fails to resolve, will respect the network DNS rather than use it's DNS.

        This is there way to try and appease places of business that block sites.

        But yes, this will be something that will bite lots, especially smaller home/business networks, but hopefully some big ones where they can force google/mozilla not to use as default.

    • For the purposes of this EXPERIMENT

      Split-view DNS (and related tricks) will continue to work, because your OS is CURRENTLY not pointed at "one of the specified DNS providers"

      Once this goes past the realm of an "experiment" and Chrome joins FF in FORCING your browser to use a DIFFERENT DNS than YOUR OS you will find that pretty much the entire internet will be fucked, troubleshooting issues will be ALMOST impossible, and everyone from the CEO to Your Mother is going to think TECH PEOPLE are incompetent.

      Th
  • DHCP provides the ability to discover your DNS server. It seems that we are lacking a protocol for discovering a DNS over HTTPS server. The issue everyone is bringing up is that the browser manufacturer hard-codes a DNS server into the app. That makes no sense: DNS is provided by the OS for a reason. DNS over HTTPS isn't awful, it's just missing discovery protocols and OS support.

  • Meh, don't care. I don't use Chrome.

    I realize you might quote that "And then they came for...." poem, and I guess you'd be right. So I should care. I can't hide behind my locally-compiled browser rpms and dpkgs with customized prefs.js files, because everybody's mums and dads have no clue what I just said and don't know how (and why) protect themselves online.

  • Wouldn't make more sense to have DNS providers provide a HTTPS option?
  • Doesn't SOCKS proxy also do the domain lookups through the proxy? If it's encrypted then really nothing new has been invented.

  • by twocows ( 1216842 ) on Wednesday September 11, 2019 @11:57AM (#59181540)
    I was thinking about setting up a Pi-hole [pi-hole.net] a while back. I may still do so. However, this story made me wonder if there are any public (ideally free) DNS adblocking services out there for people who may not have the resources to self-host. A quick search on Google (ironically) turned up AdGuard DNS [adguard.com] and Alternate DNS [alternate-dns.com], both of which seem to fill that role. I'm sure there are others out there, too; I spent all of five seconds looking that up.

    Does anyone have any familiarity with services like this? Care to offer any opinions or recommendations?
    • by AntEater ( 16627 )

      Another options is to run PiHole in a docker container on your local machine. If you have the ability to specify a remote server, you can point to the localhost.

  • My campus network runs a dns server. I trust it more than googleâ(TM)s for sure. My isp, that I PAY, run a dns server. I trust it more than googleâ(TM)s. My mobile provider, which I PAY, run a solid dns service. I trust it more than googleâ(TM)s one. Lucky Iâ(TM)m using safari... so I donâ(TM)t care. But this move is really fishing...
  • Anyone who bothers to RTFA will learn that what Google is doing in Chrome is only upgrading to DoH if the DNS servers that you already have configured support it.

    Unlike the Firefox+Cloudflare approach, Chrome isn't sending your DNS queries to anywhere they're not already going.

  • Repeat After Me: THE INTERNET IS MORE THAN JUST HTTP AND HTTPS

    Making your BROWSER (yes, one SINGLE application) "understand the internet" COMPLETELY differently to EVERY other application, the entire REST OF YOUR OS, is GOING to FUCK THINGS UP in a STUNNINGLY UNCONTROLLABLE manner.

If money can't buy happiness, I guess you'll just have to rent it.

Working...