
Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome (zdnet.com)

Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.
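The summary describes DoH only as "DNS requests sent as HTTPS on port 443". The wire format that RFC 8484 actually specifies is shown below as an added example; it is not code from the article, from ZDNet or from Chrome. The client packs an ordinary RFC 1035 DNS message, base64url-encodes it without padding into the `dns=` query parameter of a GET (or POSTs the raw bytes as `application/dns-message`), and the body that comes back is again a plain DNS message. `https://dns.example.net/dns-query` is an assumed resolver URL, and the response bytes are constructed by the helper so the example runs offline; no network request is made.

```python
"""DNS-over-HTTPS wire format per RFC 8484, written as an illustration.

Not code from the article or from Chrome. RESOLVER_TEMPLATE is an assumed
endpoint, and the response bytes are constructed by hand so this runs offline.
"""
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

RESOLVER_TEMPLATE = "https://dns.example.net/dns-query"  # assumption, not a real resolver
TYPE_A = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Encode a one-question DNS message (RFC 1035). RFC 8484 suggests ID 0
    so that identical queries yield identical URLs and are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(template: str, query: bytes) -> str:
    """Client side of the GET form: base64url without padding in ?dns=.
    The same bytes could instead be POSTed as application/dns-message."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?{urlencode({'dns': encoded})}"


def decode_doh_get(url: str) -> bytes:
    """Server side of the GET form: restore padding, then base64url-decode."""
    encoded = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and any A-record addresses in a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlength], offset + rdlength
        if rtype == TYPE_A and rdlength == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x0F, "addresses": addresses}


def constructed_response(query: bytes, address: Optional[str] = None) -> bytes:
    """Fabricate what a resolver would answer (sample data, not a capture):
    one A record when an address is given, NXDOMAIN otherwise."""
    if address is None:
        return struct.pack("!HHHHHH", 0, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0) + query[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1 NOERROR
    answer = struct.pack("!H", 0xC00C)                       # name = pointer to offset 12
    answer += struct.pack("!HHIH", TYPE_A, 1, 300, 4)         # IN, TTL 300, 4-byte RDATA
    answer += bytes(int(octet) for octet in address.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    url = doh_get_url(RESOLVER_TEMPLATE, q)
    assert decode_doh_get(url) == q
    print(url)
    print(parse_response(constructed_response(q, "192.0.2.1")))  # 192.0.2.1 is TEST-NET-1
    print(parse_response(constructed_response(q)))
```

Two things the code makes visible that the summary does not: the DNS message itself is unchanged, so a DoH resolver is just a recursive resolver behind an HTTPS front end, and what hides the query from an on-path observer is only the TLS layer, while the resolver operator still sees every name in the clear. Sending the URL for real needs an HTTPS client that sets `Accept: application/dns-message`; that step is left out so the example stays offline.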
  • This way... (Score:5, Insightful)

    by courteaudotbiz ( 1191083 ) on Wednesday September 11, 2019 @10:53AM (#59180970) Homepage
    This way, only Google will know what DNS names you have resolved, so they'll send you ads accordingly... :-/
    • by kalpol ( 714519 )

      Yeah there's no other reason they want to do this, that I can think of. DNSSEC will do DNS over TLS, right? What is the advantage here except to Google?

      • Re:This way... (Score:4, Insightful)

        by courteaudotbiz ( 1191083 ) on Wednesday September 11, 2019 @11:14AM (#59181048) Homepage

        What is the advantage here except to Google?

        That's exactly my point. Google will be the only company to profit from this change. They'll use the DNS resolution data to send you targeted ads, and they'll be the only ones to possess this data cause you know, they're the one encrypting/decrypting it, thanks to their own browser...

        • They'll use the DNS resolution data to send you targeted ads

          They'll be wasting their time. I use an ad blocker and even if I did see an ad, I never never never buy shit based on a banner ad.

          • The security issue isn't you seeing an ad. The issue is corporations building ad profiles on you based on sites you visit.

            Congrats. You block the ads targeted to you. The database continues to exist and grow.

            • The database continues to exist and grow.

              I hope the database grows to a zillion trillion kabillion rows; I'm still not going to buy anything.

              I have the vast majority of the things I want and need; I can browse Amazon and eBay and every online store for days and still not find anything I really want. I buy things I need for maintenance and whatnot, but I can't remember the last time I saw anything in an ad or not and thought, "OMG I gotta have that!!"

              Like I said, I have practically everything I want. Except Ecuador, I've always wanted Ecuador.

      • Re:This way... (Score:5, Informative)

        by slack_justyb ( 862874 ) on Wednesday September 11, 2019 @11:41AM (#59181182)

        DNSSEC will do DNS over TLS, right?

        Well not really. DNSSEC provides an authentic answer, but it does not assure that no one else read the message. That is, the public key of the authority is all that is needed to decrypt the message. If the public key of the authority successfully decrypts the message, you can assure that it is indeed authentic, but so can everyone else who intercepts the message. What cannot be done is someone intercept the message, then modify it, and send it on to you as the authority's public key will no longer successfully decrypt the message.

      • My understanding is that DNSSEC is just a digital signature scheme. I might be wrong.
      • by jwhyche ( 6192 ) on Wednesday September 11, 2019 @01:05PM (#59181572) Homepage

The only reason that I can think of to do this is to keep your ISP from knowing what sites you're pulling from their DNS server. Even then they are still going to know where you are going when you start connecting to the sites from the DNS entries. So even now it's pretty much pointless.

        • by AmiMoJo ( 196126 )

          Most sites are served from shared IP addresses, often CDNs. At most your ISP gets an IP address. With HTTPS not even the domain name is exposed.

      • Its the same racket as 'privacy' VPN services.

        They insert themselves as a man-in-the-middle so every online action can be monetized... by themselves.

    • Re:This way... (Score:5, Interesting)

      by Opportunist ( 166417 ) on Wednesday September 11, 2019 @11:32AM (#59181132)

      Get a plugin that resolves a couple hundred DNS names per second and poison their data well.

      If you can't keep them from getting data, make sure that they can't tell data from noise.

      • Yes, surely Google with their massively clustered datacenters, near infinite computing resources, and incredibly strong abuse detection will be taken down by ::checks your comment again:: a couple hundred DNS requests per second.

        • by Fusen ( 841730 )

          I think you're confusing the intention here, it isn't to try and DoS them but instead have Google record lots of random websites mixed into your legitimate browsing history so that their targeting of 'who you are/what you're like' isn't accurate.

        • The goal is not to take them down or flood them. The goal is to make the data useless by adding a bunch of bogus DNS lookups to your real ones.

    • by AHuxley ( 892839 )
      A CoC on what is not a sinful part of the internet?
      The good censor has to allow a site to be found?
That was my thought. I can use Google's DNS or not; however, having your browser override your system's DNS entries can make things very difficult. Say you are in a work environment where your institution has an internal DNS for intranet stuff. If Google ignores that, wouldn't your intranet be cut off?

Now if ISPs and other sites have their own DoH servers that you can point to, then it is just a more secure protocol, which is good.

      • Well for this to work, at least for the "test" they've configured, they need to know exactly which DNS servers they are talking to, specifically so they can use the new DoH protocol.

        Any DNS service providers NOT on the list, would NOT go over that protocol, and that would include your internal DNS servers. So I don't think that would be an issue.

        There are a lot of issues with doing this, including Google further locking down their monopoly, but intranet name resolution is not one of them.

        • Well for this to work, at least for the "test" they've configured, they need to know exactly which DNS servers they are talking to, specifically so they can use the new DoH protocol.

          That's easy. They just use their own DNS servers, ignoring the ones configured in the operating system. That's what Firefox does. If you need the ones configured by the system administrator in order to resolve split-DNS intranet domains properly, well, that's just too bad. The burden is on you, the end user, to figure out how to disable DoH or configure your intranet's domains to be excluded.

          Your way would make perfect sense except for the fact that approximately none of the ISP-provided DNS servers people

      • by AmiMoJo ( 196126 )

        You can still use your company or local network DNS. If DoH can't resolve a site it will fall back to whatever DNS you configured. You can of course turn DoH off too, via Active Directory company policy if needs be.

    • by AmiMoJo ( 196126 )

      You can use any DNS server you like that supports DoH, not just Google's. Your ISP might even offer one. There is also Cloudflare and it looks like OpenDNS should support it too.

      BTW, who do you prefer for DNS?

      • by caseih ( 160668 )

        I'm not opposed to the idea of DNS over https. It's just that there are no system or network mechanisms for controlling this. If the DHCP added a field to specify what DoH server to use on the local network, and if the OS had support for it through the built-in name resolution mechanisms, then I wouldn't have much problem with it. In the meantime, for a lot of enterprises with a lot of private infrastructure, this kind of thing being rolled out willy nilly, such as the way Firefox is doing it, is going to

    • by skids ( 119237 )

Don't worry, if you're running certain AV software with web browser integration,
everyone will still know where you are going, not just Google, because the AV software
will send the URLs it is checking against its database in cleartext out to the Internet.

      And base Browser or OS OCSP protections will usually be unencrypted and expose the
      HTTPS certificates you try to validate.

      So there are still plenty of ways for advertisers to get your behavioral data.

    • Really, I think they know that already.

      Maybe this is more to keep anyone else from gathering such information, and thus increasing the value of what Google can offer to advertisers?

  • Two questions:

    I guess you need a regular DNS to resolve the DNS over HTTPS server, isn't it?

    HTTPS doesn't work on IP addresses but only on domain names, isn't it?

    • Two questions:

      I guess you need a regular DNS to resolve the DNS over HTTPS server, isn't it?

      HTTPS doesn't work on IP addresses but only on domain names, isn't it?

      Why do you end your sentences with "isn't it"? isn't it?

      • I take an educated guess that fred6666 is trying to include one or more tag questions [wikipedia.org] in a comment while not being a native speaker of English.

        Many languages end all tag questions with an invariant particle: "no?" in Italian and Spanish, "né?" in Portuguese and Japanese, "n'est-ce pas ?" in French, "da?" in Russian, "'kan?" in Indonesian. Tag questions in standard English, by contrast, inflect the tag question marker for the verb's tense, aspect, modality, and negation, the subject's number, person, an

        • Many languages end all tag questions with an invariant particle: "no?" in Italian and Spanish, "né?" in Portuguese and Japanese, "n'est-ce pas ?" in French, "da?" in Russian, "'kan?" in Indonesian.

          Don't forget about Canadians, eh?

    • by Chrisq ( 894406 )

      Two questions:

      I guess you need a regular DNS to resolve the DNS over HTTPS server, isn't it?

      Well you could have a configuration including a name and IP

      HTTPS doesn't work on IP addresses but only on domain names, isn't it?

      There's nothing in the specification to stop you creating a certificate for an IP address, in fact I have done so with certificates signed by an "organisational" Certificate Authority (CA). I don't think any public CAs would support this though.

    • Re:DNS over HTTPS (Score:4, Informative)

      by mwvdlee ( 775178 ) on Wednesday September 11, 2019 @11:01AM (#59181012) Homepage

      Do you need regular DNS to resolve a regular DNS server? No, you don't. You supply an IP address instead. Why should this be any different in that regard?

      • because I don't think any public CA would approve an SSL certificate to an IP address

        but see this post for a possible solution to that problem
        https://slashdot.org/comments.... [slashdot.org]

      • I use DoH with 1.1.1.1 currently via pihole, works fine. That is to say, the cert may be issued with a domain, but the connecting client is under no requirement to reject it without a domain reference on its side of the request. The cert itself can still be verified against the upstream certs, and via its ca certificate.
    • According to this post [stackoverflow.com], HTTPS can work on an IP address. Also, since it is a functionality included in the browser, Google Chrome can "preapprove" the IP addresses they want for TLS transport.
Sadly Let's Encrypt refuses to support SSL certificates for an IP address. This would have been a better way to support encrypted TLS IMO (browser initiates regular TLS connection to IP address then negotiates a second TLS session to the domain name [kind of like EAP outer and inner], as opposed to the crazy DNS-augmented method they decided on).
There's a reason for that. IP addresses get traded around all the time. If you have a certificate for 12.34.56.78, and then that block of IP addresses gets reallocated to someone else who puts a server there, you now have a certificate that can be plausibly used to impersonate their server.

      • According to this post, HTTPS can work on an IP address.

        No CA on the planet trusted by any browser will issue them anymore.

        Also, since it is a functionality included in the browser, Google Chrome can "preapprove" the IP addresses they want for TLS transport.

        The possibilities are endless when it comes to Google. They have all the power in the world. They don't seem to have any issues leveraging their monopoly position to further entrench and enrich themselves.

    • With the answers already provided I am filling in a few missing parts.

1) You need to have a special server that ties into the web server that you have configured your browser to use for DoH. It uses its own port so a company could block that port to prevent it. Also that port can be monitored to see if you are using it.
Once connected to the web server the DoH service then connects to a DNS server and waits for that to resolve the name.
      cloudflare, google, and some of the other public resolvers support
  • by LostMyAccount ( 5587552 ) on Wednesday September 11, 2019 @10:58AM (#59180996)

    It's challenging enough to deal with DNS resolution issues sometimes, and worse with a browser that will now self-manage its DNS resolution internally, bypassing the many necessary local DNS kludges to make things work.

    I get this might solve some problems dealing with authoritarian DNS snooping and maybe some public ISP tinkering with DNS results, but it also seems like a back door way for google to trip up ad blocking without crippling it in more obvious ways.

    • by AmiMoJo ( 196126 )

      Why would it affect ad blocking? You can still configure it to use local DNS if you like, which you would have to do anyway for DNS based blocking.

      • Google allowing any local configuration for this will be complicated and temporary. I guarantee we'll be reading about this local bypass option disappearing.

        Whether it affects ad blocking in-browser remains to be seen, but it seems very Google to somehow cause this to remove URL DNS awareness out of the realm where plug-ins can do anything.

        • by AmiMoJo ( 196126 )

          I'm afraid I just don't buy this conspiracy theory. If Google wanted to use Chrome to take over this way they could just remove all ad-blockers from the Chrome Web Store, or have forced the use of their own DNS years ago.

          Why would they do it this way, slowly and without stating the real reason? They do all the development in public, which is why the Manifest V3 stuff blew up (it was announced well in advance on their public dev site) and was eventually changed based on the feedback they got.

          It just doesn't

  • by green1 ( 322787 ) on Wednesday September 11, 2019 @10:59AM (#59181000)
    Google has already started to neuter in-browser ad-blockers with manifest v3, now they want to neuter DNS level ones as well. Google wants to make sure nobody bypasses an ad.
    • by sinij ( 911942 )
      Thankfully, Chrome isn't the only browser out there. If Google breaks support for non-Chrome browsers then they will have to face retaliations (e.g. Chrome prevented from running on Windows) and anti-trust prosecution.
      • by tepples ( 727027 ) <tepples.gmail@com> on Wednesday September 11, 2019 @01:01PM (#59181558) Homepage Journal

        Thankfully, Chrome isn't the only browser out there.

        Windows, macOS, X11/Linux, and Android can all run Firefox, a Chromebook with Crostini can run Firefox for Linux, and iOS runs only Safari wrappers. This leaves two classes of devices that have a hard time running anything but Chrome: pre-Crostini Chromebooks, and devices without enough RAM to comfortably run Firefox for most browsing at the same time as Chrome for Skype and other Chrome-only web applications.

    • Comment removed based on user account deletion
      • 1) Why would you block DNS over https?
        2) Who says your DNS Proxy server can't read this?

        • Oh yeah.

          #3 - since when does it say Chrome is moving to DoH exclusively, and will not use standard OS provide DNS?

Google provide a managed distribution of Chrome for enterprises. It is likely that there will be provision for a company to use specific DNS settings. Perhaps proxy.pac autoconfiguration might also provide some standard way to set DoH configuration for any browser too in future.
    • Whilst they might try to do this for the masses, they'll need to leave a bypass option there for the enterprise customers. Otherwise they'll very quickly watch their browser share in the corporate controlled environments nose dive.
      • by green1 ( 322787 )
Thing is, for residential use, DNS ad-blockers are extremely easy. Set up a Pi-hole, tell your router to direct all DNS queries there, and every person in the house benefits. Doesn't matter what devices come and go, they all just work.

        With this, even if there's a way to bypass it, you also need to go to every single device and change the setting. It's not so bad to change all my computers, tablets, phones, etc. but now I have to do the same for my wife's and my children's devices. Not to mention that any gue
      • by tepples ( 727027 )

Google could offer a bypass certificate to its enterprise customers who pay per year, per device, or per device-year, so that home users don't end up adopting the enterprise bypass en masse.

  • by xack ( 5304745 ) on Wednesday September 11, 2019 @11:05AM (#59181024)
    Ones that won't sell you to advertisers or censor results. Having the entire internet's dns go through two companies Google and Cloudflare is very bad, even more than having only two real browser engines. If Mozilla sets up their own dns instead of using Cloudflare they would have more credibility. I won't be surprised if Microsoft starts its own dns for Edge too..
    • by AHuxley ( 892839 )
      That was for an ISP to find not an ad company.
    • by kalpol ( 714519 )

      It's pretty easy to install Unbound as a local resolver to query the root servers directly. That helps.

    • by dissy ( 172727 )

      We need more independent dns servers

      It doesn't get any more independent than setting up your own and using the root servers list directly.
      Not only does that take care of the selling your queries problem, but the DNS caching will also speed up your network a bit too.

      If you always rely on other people to give you what you want, you'll always be subject to their wants instead.
      Alternate way to view it, you can't reasonably expect others to put in -more- effort to giving you what you want, than the effort you are willing to put in yourself.

  • This can still be easily blocked or poisoned. The IP addresses have to be hard coded. All that will happen is the businesses, providers, or even countries will block or forge the response from this address.
    • HTTPS includes TLS, which detects forgeries of responses from Google, Cloudflare, or any other public DoH recursive resolver. If an ISP tries this sort of forgery, watch its angry paying subscribers report the ISP's MITM attack to the ISP's tech support and to the public through another ISP.

      • HTTPS includes TLS, which detects forgeries of responses from Google, Cloudflare, or any other public DoH recursive resolver. If an ISP tries this sort of forgery, watch its angry paying subscribers report the ISP's MITM attack to the ISP's tech support and to the public through another ISP.

        The "evil" ISP doesn't have to forge anything. They just need to block it while the browser silently switches back to DNS.

      • HTTPS includes TLS, which detects forgeries of responses from Google, Cloudflare, or any other public DoH recursive resolver.

Nonsense. Plenty of corporations (and countries) run re-encrypting transparent proxy servers that inspect (and can modify) all passing HTTPS traffic. All that's required is a single PKI certificate private key that happens to have a public key in your computer's Trusted Root or Trusted Intermediate certificate stores.

        • by tepples ( 727027 )

          As for the corporate case, home users at least will not have already installed the ISP's certificate in their "computer's Trusted Root or Trusted Intermediate certificate stores." Newer versions of Android in fact hide TLS root certificates installed by the user from most applications, except for those applications (mostly web browsers) whose developer has opted in through the app's Network Security Config to using user certificates.

          As for countries, attempts to require all residents of a country to install

  • Is it just me, or... (Score:5, Interesting)

    by BringsApples ( 3418089 ) on Wednesday September 11, 2019 @11:23AM (#59181088)

    ...is this actually a huge man-in-the-middle attack by Google?

    • by AHuxley ( 892839 )
      With a CoC on every site allowed to be found and displayed?
      • by thereitis ( 2355426 ) on Wednesday September 11, 2019 @12:11PM (#59181300) Journal

Good point. If we allow Google to be in control of DNS lookups, that gives them authority to drop the DNS record of anyone who runs afoul of their "community guidelines" / code of conduct. We've all seen how well that's been going on Google/Alphabet's YouTube: stifling freedom of speech, errant takedown automation. The last thing we should want is to give Google (or other massive players) even more power.

        • by AHuxley ( 892839 )
Wait for the servers to only accept a connection from a short list of ad friendly browsers too.
It's not just a one-way connection.
          Only the ad friendly browser finds the approved site.
          The CoC passed site only responds to the ad friendly browser.
          VPN detected? No connection.
          Ad blocker in use? ... the CoC ad powered internet stops for that user.
          Privacy just locked the internet into seeing a lot of ads.
        • Color me paranoid, but they could also simply pull a full-fledged man-in-the-middle attack. They create a site that looks like another, direct all HTTP requests to that decoy-site's IP, and steal your login credentials. I mean, DNS is a rather well-established protocol with oversight. What oversight would Google look up to?

          Besides, how is this useful?

          • Besides, how is this useful?

            It prevents DNS providers (such as your ISP) from building a profile based on what domains you're resolving by funneling all DNS resolution through a different company that's building a profile based on what domains you're resolving.

        • by AmiMoJo ( 196126 )

          Have you checked Google's DNS servers lately? They don't block anything at all, unlike many ISPs who are forced to by court orders.

          In fact Google's DNS servers first came to prominence during the Arab Spring when people were using them to evade DNS based blocks. More recently people have been using them in countries like Australia and the UK to get around ISPs blocking sites such as The Pirate Bay.

    • by G00F ( 241765 )

      Yes, I hate this.

First it takes control away from the local network/system, ignoring local DNS and likely the hosts file. You then have two different directions to troubleshoot when possibly faced with DNS-related problems.

      But most noteworthy, it only hides/secures DNS from 1 party and giving that data to another. Never mind that the party you are hiding it from has a really good idea what site you are hitting based off IP you talk with. Now Google/Mozilla know what sites you hit via DNS request even if you a

  • by Viol8 ( 599362 ) on Wednesday September 11, 2019 @11:52AM (#59181232) Homepage

    Mozilla are pulling this stunt too now.

It seems to me that browser devs think that they know better than all the people who've worked on the internet's infrastructure over the decades.

    It seems to me they're wrong. Very wrong.

    • by AHuxley ( 892839 )
      Wait for the other end of the internet to catch up too :)
      A server will only accept requests from one ad brands browser product.
      Then enjoy extra big ads.

      Still trying with an ISP? A nice message to use the correct ad company browser..
      VPN? No site will display at all..
      Another browser with ad blocking? No site with an nice message to use an approved browser.
      Any attempt at ad blocking in the approved browser? No site given the attempt to block ads....
    • Whilst good intentioned, I'm not sure they always think about what sort of effect this sort of tech could possibly have on society (sounds dramatic eh?), even if this is a natural path for it to take. I can easily see this pushing nation states further down the MITM road of mandated locally installed https certs etc.

      Yes I know some have already started doing this, I just think this sort of tech could speed up the adoption of such techniques.

      It might help if they allowed easy custom configuration so that yo

For those of us that run large networks and do split DNS (internal intranet addresses as well as the public versions for a given domain depending on what network the user is connected to) - this will be a disaster. As soon as this is attempted at a DOD site or a Fortune 500 it will see huge pushback.

    • How are you running this large network with split DNS if you don't RTFA? And don't understand how you can fallback from DoH to plain DNS?

      • I did read the article, and it isn't clear:

        Chrome may use the associated DoH provider, and will fallback to the system private DNS upon error.

        So what does that mean in a split-view setup? Because the DNS server isn't going to return an error, it's going to return the wrong IP address for someone on the local network.

      • by smammon ( 88123 )

I did RTFA and the linked one and the RFC... You are correct in that the test will fall back, and in fact will not run if you aren't already using one of the chosen DNS providers - but there is no provision for turning it off at a network level. The only option it appears is to run your own DoH server. Even then good luck with that since it just looks like ordinary TLS on port 443. I foresee large networks and ISPs commonly decrypting TLS to get around this. This will be a cluster.

Non-authoritative queries, which is all your average workstation cares about, could go through your site's DoH server. Alternatively you can misconfigure a system to go through some public server and have all your intranet queries broken. Users will know when they can't get to their corporate email.

    • It can be turned off via GPO.
      It uses its own port so block that.
      So for the corporate environment that is not an issue.
    • You run large networks and don't know how to block tcp/443 by IP address? Or use DPI to examine SNI in TLS packets for blocking?
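The SNI check suggested in the comment above, as an added example rather than anything from the thread, from Chrome or from a real DPI product: a TLS ClientHello carries the server name in plaintext (in TLS 1.2 and in TLS 1.3 as deployed in 2019), so a middlebox can read it without decrypting anything and drop connections whose SNI names a known DoH resolver. The ClientHello bytes are constructed by the helper in the block, and `dns.example.net` is an assumed resolver hostname.

```python
"""Pull server_name out of a TLS ClientHello and apply a DoH block policy.

Illustration only, not code from the page or from any product. The ClientHello
is constructed here (not captured) and dns.example.net is an assumed resolver.
"""
import struct
from typing import FrozenSet, Optional

EXT_SERVER_NAME = 0x0000
BLOCKED_DOH_RESOLVERS = frozenset({"dns.example.net"})  # assumed policy list


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    body = b"\x03\x03" + bytes(32)                 # client_version, 32-byte random (zeros)
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression_methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name
        sni_data = struct.pack("!H", len(entry)) + entry         # server_name_list
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # client_version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def should_block(record: bytes, blocked: FrozenSet[str] = BLOCKED_DOH_RESOLVERS) -> bool:
    """Policy: drop the connection when the SNI names a known DoH resolver.
    A client that sends no SNI is not caught, which is why this is normally
    paired with blocking the resolvers' IP addresses on tcp/443."""
    sni = extract_sni(record)
    return sni is not None and sni.lower().rstrip(".") in blocked


if __name__ == "__main__":
    for host in ("dns.example.net", "www.example.org", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), "blocked" if should_block(hello) else "allowed")
```

The same parser is what makes the "it just looks like ordinary TLS on port 443" objection only partly true: the hostname leaks in the first packet, and a resolver operator that wants to be hard to block has to be reached by IP or by a name that is not on anyone's list.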
  • This is a good idea, a no brainer. Doh!

  • Split view DNS (Score:5, Interesting)

    by Xenolith0 ( 808358 ) on Wednesday September 11, 2019 @12:22PM (#59181336)

    One concern I have about browsers ignoring the system-wide configured DNS and using their own built-in DNS server is:

    How would this work on a home or corporate LAN where you have split-view DNS? (e.g. internally mail.mydomain.com resolves to 10.100.0.1, and externally to 1.2.3.4. Or even worse, dev.mydomain.com only resolves internally.)

How do these browsers using DNS/TLS account for that? Do they auto-magically "do the right thing" or is this a new nightmare for IT helpdesks around the world?

    • Re:Split view DNS (Score:4, Insightful)

      by nuckfuts ( 690967 ) on Wednesday September 11, 2019 @02:37PM (#59182014)

      One concern I have about browsers ignoring the system-wide configured DNS and using their own built-in DNS server is:

      How would this work on a home or corporate LAN where you have split-view DNS?

That is a very astute question. I also rely on split-horizon DNS at home and at work. It allows me to specify a single FQDN that works on mobile devices whether they're inside the LAN or outside on the Internet.

      But in a larger sense, anything that takes away my control over DNS resolution is a hijack, plain and simple.

      And for what reason? To prevent anyone (other than Google) viewing what names I'm resolving? Personally I'm a hell of a lot less concerned about someone sniffing my DNS traffic than having it completely controlled / tracked by Google.

      • by G00F ( 241765 )

I believe both FF and Chrome will check for use-application-dns.net, and if it fails to resolve, will respect the network DNS rather than use their own DNS.

This is their way to try and appease places of business that block sites.

        But yes, this will be something that will bite lots, especially smaller home/business networks, but hopefully some big ones where they can force google/mozilla not to use as default.

    • For the purposes of this EXPERIMENT

      Split-view DNS (and related tricks) will continue to work, because your OS is CURRENTLY not pointed at "one of the specified DNS providers"

      Once this goes past the realm of an "experiment" and Chrome joins FF in FORCING your browser to use a DIFFERENT DNS than YOUR OS you will find that pretty much the entire internet will be fucked, troubleshooting issues will be ALMOST impossible, and everyone from the CEO to Your Mother is going to think TECH PEOPLE are incompetent.

      Th
  • DHCP provides the ability to discover your DNS server. It seems that we are lacking a protocol for discovering a DNS over HTTPS server. The issue everyone is bringing up is that the browser manufacturer hard-codes a DNS server into the app. That makes no sense: DNS is provided by the OS for a reason. DNS over HTTPS isn't awful, it's just missing discovery protocols and OS support.

  • Meh, don't care. I don't use Chrome.

    I realize you might quote that "And then they came for...." poem, and I guess you'd be right. So I should care. I can't hide behind my locally-compiled browser rpms and dpkgs with customized prefs.js files, because everybody's mums and dads have no clue what I just said and don't know how (and why) protect themselves online.

Wouldn't it make more sense to have DNS providers provide an HTTPS option?
  • Doesn't SOCKS proxy also do the domain lookups through the proxy? If it's encrypted then really nothing new has been invented.

  • by twocows ( 1216842 ) on Wednesday September 11, 2019 @12:57PM (#59181540)
    I was thinking about setting up a Pi-hole [pi-hole.net] a while back. I may still do so. However, this story made me wonder if there are any public (ideally free) DNS adblocking services out there for people who may not have the resources to self-host. A quick search on Google (ironically) turned up AdGuard DNS [adguard.com] and Alternate DNS [alternate-dns.com], both of which seem to fill that role. I'm sure there are others out there, too; I spent all of five seconds looking that up.

    Does anyone have any familiarity with services like this? Care to offer any opinions or recommendations?
    • by AntEater ( 16627 )

Another option is to run Pi-hole in a Docker container on your local machine. If you have the ability to specify a remote server, you can point to localhost.

My campus network runs a DNS server. I trust it more than Google's for sure. My ISP, that I PAY, runs a DNS server. I trust it more than Google's. My mobile provider, which I PAY, runs a solid DNS service. I trust it more than Google's. Lucky I'm using Safari... so I don't care. But this move is really fishy...
  • Anyone who bothers to RTFA will learn that what Google is doing in Chrome is only upgrading to DoH if the DNS servers that you already have configured support it.

    Unlike the Firefox+Cloudflare approach, Chrome isn't sending your DNS queries to anywhere they're not already going.

  • Repeat After Me: THE INTERNET IS MORE THAN JUST HTTP AND HTTPS

    Making your BROWSER (yes, one SINGLE application) "understand the internet" COMPLETELY differently to EVERY other application, the entire REST OF YOUR OS, is GOING to FUCK THINGS UP in a STUNNINGLY UNCONTROLLABLE manner.
