Google's DNS-Over-HTTPS Plans Scrutinized By US Congress (engadget.com)
Google's plans to implement DNS over HTTPS in Chrome are being investigated by a committee in the U.S. House of Representatives, while the Justice Department has "recently received complaints" about the practice, according to the Wall Street Journal.
An anonymous reader quotes Engadget: While Google says it's pushing for adoption of the technology to prevent spying and spoofing, House investigators are worried this would give the internet giant an unfair advantage by denying access to users' data. The House sent a letter on September 13th asking if Google would use data handled through the process for commercial purposes... Internet service providers are worried that they may be shut out of the data and won't know as much about their customers' traffic patterns. This could "foreclose competition in advertising and other industries," an alliance of ISPs told Congress in a September 19th letter...
Mozilla also wants to use the format to secure DNS in Firefox, and the company's Marshall Erwin told the WSJ that the antitrust gripes are "fundamentally misleading." ISPs are trying to undermine the standard simply because they want continued access to users' data, Erwin said. Unencrypted DNS helps them target ads by tracking your web habits, and it's harder to thwart DNS tracking than cookies and other typical approaches.
Fight of sumbitches over us suckers' data (Score:5, Insightful)
The damn government sumbitches want to put the populace under surveillance. The damn Google monopoly sumbitches want to know everything about everybody and milk the data for all it's worth. The damn ISP sumbitches want to profit from their captive userbase even more.
Who'll lose? Us.
Re:Fight of sumbitches over us suckers' data (Score:4, Insightful)
I suspect that they want to be able to reject the SSL signed certificates for domains such as wikileaks.com.
Re: (Score:2)
Re: (Score:2)
I was told that Chrome sent every URL, every keystroke, a live video feed from my webcam and every file on my system to Google anyway. At least this way only Google gets to spy and the ISPs are cut out of the loop.
It's the devil and the deep blue sea but overall anything which pushes ISPs towards becoming dumb pipes is probably a good thing.
Re: (Score:2)
No me; I'm Amish.
What a question (Score:2)
"The House sent a letter on September 13th asking if Google would use data handled through the process for commercial purposes..."
hahahahahahahahahahahahahhhahaha! Maybe next Congress should ask if Google will make it always obvious that a user is visiting an AMP page...
I'm sure Google will couch their answer in technical jargon though, and make it seem like they're saying something else. Google's proven itself a master at dancing around a question.
Headline is wrong. Google isn't doing DNS https (Score:5, Informative)
Google isn't doing DNS over https. Only Firefox and their partner Cloudflare are proposing that. Google and many others propose DNS over TLS (RFC 7858).
DNS over TLS is a technically reasonable proposal. It's regular DNS, over a standard TLS connection. Just pipe socat to your favorite DNS server and you have DNS over TLS.
Firefox is proposing bloating the shit out of it and making things much slower by pointlessly adding HTTP, so that you have to do http requests in order to get IPs, in order to do another round of http requests. Oh and by the way it requires http/2, so it's fundamentally incompatible with most currently deployed servers and clients.
DNS over TLS is an entirely reasonable protocol proposal, from a technical perspective, while DNS over http/2 is a "wtf" idea.
Re:Headline is wrong. Google isn't doing DNS https (Score:5, Informative)
Google isn't doing DNS over https.
Nope - Chrome will also be rolling out DNS-over-HTTPS [zdnet.com]. This is separate from their DNS-over-TLS project.
Re:Headline is wrong. Google isn't doing DNS https (Score:4, Interesting)
Why are these browser makers pushing doing DNS over HTTPS instead of the much more sane DNS over TLS anyway?
What's the supposed advantage of DNS over HTTPS (there has to be one otherwise the browser makers wouldn't be using it)
Re:Headline is wrong. Google isn't doing DNS https (Score:5, Insightful)
Why are these browser makers pushing doing DNS over HTTPS instead of the much more sane DNS over TLS anyway?
What's the supposed advantage of DNS over HTTPS (there has to be one otherwise the browser makers wouldn't be using it)
They want another excuse to get everyone's browsing history because they feel they don't quite have enough baked into their software already.
Re: (Score:3)
Re: (Score:3)
They already have everything they need to get everyone's browser histories.
If I understand you are essentially making the argument there is already a hole in the bottom of the boat therefore it matters not that a new one is being drilled? Is this fair or did I misunderstand?
This isn't going to give them access to everyone's DNS histories
Personally I refuse to believe this scheme of bypassing local name resolution is driven by anything other than a desire to collect DNS data from countless millions of people.
I refuse to believe the existence of these naming bypass schemes will ultimately serve as anything other than a means to further abuse en
Re: (Score:2)
"Personally I refuse to believe this scheme of bypassing local name resolution is driven by anything other than a desire to collect DNS data from countless millions of people."
Of course that is the point. Whenever you are dealing with Criminals simply follow the money. Easy Peasy!
"I refuse to believe the existence of these naming bypass schemes will ultimately serve as anything other than a means to further abuse end users at scale."
However, it will only "abuse end users" who are willing to be abused. Th
Re: (Score:2)
Personally I refuse to believe this scheme of bypassing local name resolution is driven by anything other than a desire to collect DNS data from countless millions of people.
Well, OK I guess if you refuse to believe it then there's literally nothing I could do to persuade you otherwise.
Back in the real world, Mozilla isn't Google and is a much more trustworthy organisation. And many governments including my own (fuck you May) have already got wide scale DNS snooping and logging going on. Flipping on DoH in f
Re: (Score:2)
If I understand you are essentially making the argument there is already a hole in the bottom of the boat therefore it matters not that a new one is being drilled? Is this fair or did I misunderstand?
If you are paranoid and assume that Chrome already sends every URL, every keystroke and a live webcam feed to Google anyway then it's more like your boat already sank and the sharks are already chewing on your leg.
If you take a more pragmatic view then it's obviously far worse for your ISP to get your DNS queries, because your ISP knows exactly who you are and where you live. Google just sees an IP address making a query, and quite likely a shared IP address at that. At most they could try to associate it w
Re: (Score:2)
If I understand you are essentially making the argument there is already a hole in the bottom of the boat therefore it matters not that a new one is being drilled? Is this fair or did I misunderstand?
The flow of data is binary: it is either flowing or it isn't. Having door A or door B through which the same can pass at leisure is not different than having only door A.
Re: (Score:2)
I assume you've entered your credit card info online at some point.
Since that data has already flowed, please post it here as well.
Re: (Score:2)
It hasn't flowed to you; but Amazon already has it. Were Amazon to require me to re-enter it each time I use it, that would not multiply my risk of exposing my credit card to Amazon, as Amazon could be storing it and not telling me, and my credit card number has already been exposed to Amazon.
Similarly, Google already receives each URL you visit or enter into the Chrome location bar, as it's sent to their auto-complete service and to their malware screening service. To send the DNS lookup to Google as
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Same reason there is webSockets... (Score:2)
... for sockets,
webGL for OpenGL,
web$Anything for $Anything.
Because "web!". ... not only do they not have a reason ... they also don't even see why one would need one. As far as I can tell, they are just plain insane. I just don't know which illness it is yet.
No, I really checked. Not only do the What(TF)WG guys (basically browser makers who wanted to go back to the incompatible spaghetti code spec days of HTML 3.x)
Re: (Score:2)
The problem with 'regular' DNS is that it is easy to intercept and thus many providers, government and corporate entities can block the encrypted connection very easily and force the OS to downgrade it. If you're in a place like China, not using the 'approved' methods is likewise easy to detect.
Running stuff over HTTP/HTTPS is hard to detect intent of the connection, let alone intercept and block without blocking everything else, especially once TLSv1.3 with encrypted SNI is commonplace and tampering with t
Re: (Score:3)
The RFC explains it: https://tools.ietf.org/html/rf... [ietf.org]
One major advantage of HTTPS is that it's hard to block it. DNS over TLS can be blocked just by firewalling off the port. HTTPS is much trickier, especially since many of the servers offering DoH also offer web sites. For example one popular way around the Great Firewall of China is to route VPN traffic over HTTPS to a server in the Microsoft or Amazon clouds. Preventing ISPs and governments from dicking around with DNS is a major design goal.
The GP is w
Re: (Score:2)
Oh and by the way it requires http/2, so it's fundamentally incompatible with most currently deployed servers and clients
Just to put a number behind that statement. Current deployment of HTTP/2 on the top 10 million sites is at 41%. [w3techs.com]
Re:Headline is wrong. Google isn't doing DNS https (Score:5, Interesting)
The other reason is that oppressive governments can block, filter or record DNS over TLS, but DNS over HTTPS will be buried in the traffic.
Instantly recognizable (Score:3)
Gee, before each page load, instead of sending a standard DNS query, this client sends a request to Cloudflare's DNS server. A request that just happens to be the same size as a DNS request. Gee I wonder what those requests could be?
It's sent every time you need a DNS request.
It's sent to the DNS server
It's the size of a DNS request.
Guess what? That's the DNS request. Not at all hard to recognize.
In fact, suppose some junior network admin had never heard of DNS over http. For the very first time ever, h
Re: (Score:3)
It doesn't have to be a 'known' DNS server, you could easily set up an HTTPS server somewhere else that only responds to 'your' DNS requests and otherwise throws the Goatse picture.
Moreover, encryption uses blocks, even if that wastes some space in padding, it makes sure that even if your message has a different size response (within the block) it is indistinguishable from other types of calls (otherwise virtually all of HTTPS could be broken simply by looking at the length and searching for the correspondi
128 bits. 16 bytes. Not kilobytes (Score:2)
> Your browser does a lot of small calls that fit in blocks of 16kB
An AES block is 16 bytes. Not kilobytes.
> It doesn't have to be a 'known' DNS server
It doesn't matter whether it is, and it is. We do in fact know which DNS server Firefox uses. If we didn't, it would take - oh roughly ONE page request to notice which server it queries (for DNS) before it loads a page. We'd see this pattern:
1-block request/response to ABCD
A bunch of traffic back and forth to CNN.com
1-block request/response to ABCD
tr
Re: (Score:2)
So they know that ABCD is a DNS server, something they probably already did know because the addresses of DNS servers are hardly a state secret, pretty much by design and requirement. What then? They still cannot tamper with the resolution itself.
Re: (Score:2)
> What then? They still cannot tamper with the resolution itself.
Which is precisely the same result as DNS over TLS.
Adding http has gained you nothing. Just made the requests bigger, aka slower.
Re: (Score:2)
You are missing the point. They can see you are making DNS requests, using the default server that your web browser comes configured for. So are millions of other people. They can't see what domains you are requesting.
That is clearly better than having full access to your unencrypted DNS queries.
It's also much harder to block. In China one popular way to get around the Great Firewall is to set up a VPN connection to an Amazon or Microsoft cloud server over HTTPS. Blocking HTTPS requests to those clouds woul
Re: (Score:2)
> They can't see what domains you are requesting.
> That is clearly better than having full access to your unencrypted DNS queries.
Which is precisely the same result as DNS over TLS.
Adding http has gained you nothing. Just made the requests bigger, aka slower.
> China one popular way to get around the Great Firewall is to set up a VPN connection to an Amazon or Microsoft cloud server over HTTPS.
VPNs use TLS, not https. Once you have a TLS connection, the adversary can't see the contents, so they coul
Re: (Score:2)
DNS over HTTPS is usually faster than over TLS, especially if the server supports HTTP/2.
VPNs are routed over HTTPS to disguise them. TLS to commercial VPN providers or outside the Great Firewall, and similar stuff like connections to known Tor nodes, is all blocked. HTTPS is blocked to certain known addresses, but so far they have been unable to block access to major cloud services because it breaks too many sites.
Https is http over TLS. Blocking TLS blocks https (Score:2)
Https is http over TLS. In other words, making an https request involves two steps:
1. Set up a TLS connection
2. Send a http request over that connection
You can't block TLS and allow https, because https is simply the practice of sending http requests over a TLS connection. A TLS connection is the first step of a https request.
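The wire-level relationship described in this post and in the DoT-versus-DoH post earlier in the thread, as an added example that is not from the thread or from any resolver project: the same DNS query framed for DoT (RFC 7858), encoded for DoH GET and POST (RFC 8484), and padded with EDNS(0) Padding (RFC 7830/8467), which is the counter to the "same size as a DNS request" fingerprint discussed above. The host `doh.example` and the `/dns-query` path are assumed placeholders, and the HTTP/1.1 serialization only approximates the HTTP/2 overhead real clients incur.

```python
"""Added example (not from the thread or any project it names): one DNS query
encoded for plain DNS, DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484),
plus EDNS(0) padding (RFC 7830/8467) that hides query length."""
import base64
import struct

DNS_MESSAGE = "application/dns-message"  # DoH media type, RFC 8484


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query (class IN, RD set). RFC 8484 says DoH clients
    SHOULD use ID 0 so identical queries are HTTP-cache friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_dot(message: bytes) -> bytes:
    """DoT uses the DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def doh_get_path(message: bytes, path: str = "/dns-query") -> str:
    """DoH GET: wire message base64url-encoded, '=' padding stripped, in dns=."""
    enc = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{path}?dns={enc}"


def decode_doh_get(path: str) -> bytes:
    """Recover the wire message from a DoH GET path (restores '=' padding)."""
    query = path.partition("?dns=")[2].split("&", 1)[0]
    return base64.urlsafe_b64decode(query + "=" * (-len(query) % 4))


def doh_get_request(message: bytes, host: str) -> bytes:
    """DoH GET serialized as HTTP/1.1 text so the overhead can be counted.
    Real clients use HTTP/2, whose HPACK compression shrinks these headers."""
    lines = [f"GET {doh_get_path(message)} HTTP/1.1", f"Host: {host}",
             f"Accept: {DNS_MESSAGE}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def doh_post_request(message: bytes, host: str) -> bytes:
    """DoH POST: the raw wire message is the body (RFC 8484 section 4.1)."""
    lines = ["POST /dns-query HTTP/1.1", f"Host: {host}",
             f"Accept: {DNS_MESSAGE}", f"Content-Type: {DNS_MESSAGE}",
             f"Content-Length: {len(message)}", "", ""]
    return "\r\n".join(lines).encode("ascii") + message


def pad_query(message: bytes, block: int = 128) -> bytes:
    """Append an EDNS(0) OPT record with a Padding option (RFC 7830) so the
    length is a multiple of `block`; RFC 8467 recommends 128 for queries.
    Assumes `message` has no OPT record yet (true for build_dns_query)."""
    overhead = 11 + 4  # OPT fixed fields + option code and option length
    target = -(-(len(message) + overhead) // block) * block
    pad_len = target - len(message) - overhead
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 4 + pad_len)
    opt += struct.pack("!HH", 12, pad_len) + b"\x00" * pad_len
    return message[:10] + struct.pack("!H", arcount) + message[12:] + opt


def transport_sizes(name: str, host: str = "doh.example") -> dict:
    """Bytes handed to each transport for one query, before TLS record overhead."""
    msg = build_dns_query(name)
    return {"dns_udp": len(msg), "dot": len(frame_for_dot(msg)),
            "doh_get_http1": len(doh_get_request(msg, host)),
            "doh_post_http1": len(doh_post_request(msg, host)),
            "dns_udp_padded": len(pad_query(msg))}


if __name__ == "__main__":
    for name in ("a.io", "www.example.com"):
        q = build_dns_query(name)
        assert decode_doh_get(doh_get_path(q)) == q  # GET encoding round-trips
        print(name, transport_sizes(name))
```

Note that `dns_udp_padded` comes out the same for the short and the long name, which is exactly what the padding option is for; without it, the two queries differ in length by the length of the name.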
Re: (Score:2)
Right, but the Great Firewall looks at the port number and if the server is known to be a VPN endpoint, and maybe some other metrics. As I say, bypassing by using what appear to be HTTPS connections to the cloud works. I've used it myself in China.
Re: (Score:2)
If I'm understanding you correctly, you are saying allow TLS connections to port 443, correct?
And we agree that once the TLS connection is made, they can't see what is transferred through that TLS connection (unless they hack the cert). Therefore they can't tell if that TLS connection is carrying http(s), ftp, burrito order protocol, or DNS. They can only see that the connection is made to a port number that many people use for http over TLS. Correct?
Ahhh... (Score:5, Insightful)
And now we come to the crux of the biscuit.
It's not really about Google snooping (others could also implement secure DNS), but about denying ISPs the ability to snoop. Fuck them.
Re: Ahhh... (Score:4)
more likely the ISPs are worried about the large sums GCHQ and the NSA pay them for access to the data.
Re: (Score:2)
more likely the ISPs are worried about the large sums GCHQ and the NSA pay them for access to the data.
Do you have any evidence that that happens? AFAICT, the closest thing we have to evidence is the extensive cooperation between AT&T and the NSA, but in that case it appears AT&T was doing it for free.
Re: Ahhh... (Score:2)
NSA alone is known to give them at least $250m a year according to the Snowden leaks.
"for free" what are you, some kind of commit bastard? no one does anything for free.
Re: (Score:2)
Ah, but instead of paying $250 million to each of a few hundred ISPs, you only need to pay $250 million each to Google, Mozilla, and Cloudflare. Far more efficient and cost effective. The primary method of defense against spying is to make it too expensive for the spies to carry out effectively. So for relatively little expenditure the spies are getting Total Information Awareness. It is information only about those in the shallow end of the gene pool, but those are the ones that need the closest attentio
Re: Ahhh... (Score:2)
awww bless your naive cotton socks.
https://youtu.be/DIGdWsxHJlM [youtu.be]
Re: (Score:2)
NSA alone is known to give them at least $250m a year according to the Snowden leaks.
I stand corrected, thanks. I had somehow missed that part of the Snowden info.
Did you literally skip the whole Snowden leaks! (Score:2)
Seriously, how deluded are you?
It was basically the key point of the entire leaks.
You remind me of holocaust deniers. Or of NSA sock puppets.
XKeyScore.
Need I say more? If yes, then read up on how it works.
Re: Did you literally skip the whole Snowden leaks (Score:2)
-> NSA sock puppets.
And their dupes/useful idiots, pondscum the lot of them.
I reckon they outnumber legitimate commentary by quite a wide margin. Have done since the "you don't need encryption" days and only expropriated more US/UK taxpayer budget since then.
How else do they protect themselves from the kids of all the parents they had murdered over the last few decades.
Re: Ahhh... (Score:2)
Re: (Score:2)
That's the thing, at least in the UK GCHQ doesn't pay them very much at all. The ISPs are just required to log everything and hand it over on demand at their own expense. Not just GCHQ either, the police make hundreds of thousands of requests per year too. They must go through a lot of rubber stamps.
Because of that the ISPs have set up automated systems to handle the requests and let the security services "regulate" themselves. It's still a cost burden for them though.
Re: Ahhh... (Score:2)
-> It's still a cost burden for them though
I'd argue the UK is even worse.
UK ISPs and telcos were selling browsing data to anyone willing to pay - up until the EU stepped in with GDPR.
Re: Ahhh... (Score:2)
As far as I know police/law enforcement buy most of it from the intelligence agencies rather than direct from the ISPs. Otherwise they would have to go one by one to each ISP. There has been quite a stink around ISPs bypassing them and selling direct to bailiffs.
Re: (Score:2)
Does anybody not need stuff they can sell to the highest bidder?
Re: (Score:2)
Who to root for? (Score:5, Insightful)
Internet service providers are worried that they may be shut out of the data and won't know as much about their customers' traffic patterns
This is like being asked to weep over the damage to local crooks when the mafia move in ...
Re: (Score:2)
Actually, it's almost EXACTLY like being asked to weep over the damage to the telephone company from being unable to tap your phone, listen to your conversations to find out what you're shopping for, and put your number on a list to sell to telemarketers running scams purporting to
For nobody. False n-chotomy. (Score:2)
What you root for, in these scenarios, is that they bash each others' heads in, while you fuel the fire, until there is only one entity left, weakened enough to finish off.
You don't need to be a giant to fight a giant.
You only need to make him believe the other giant is the one fighting him. And vice versa.
Not Congress Business (Score:2)
IP has been provided free of licenses for over 50 years. Congress has no oversight into what PEOPLE choose to do with it [IP specifically, TCP as well, and I'm not advocating for application-layer stuff that violates a law].
So if PEOPLE want to INSTALL an APPLICATION that uses any layer of networking software to do whatever they want -- provided it's legal -- Congress has no purview over this.
Is it LEGAL to pick and choose your DNS servers? Yes.
Is it LEGAL to select your choice of protocol (UDP, TCP, HTTP
So Let Me Get This Straight (Score:3)
So let me get this straight:
The local ISPs are complaining that they won't be able to continue getting customer data for sales and advertising purposes now because Google is getting the customer data for sales and advertising purposes.
Seems to me that I'm being left out on wanting Nobody getting my data for sales and advertising purposes.
Am I missing anything here?
It's called shifting the discussion. (Score:2)
When suddenly, it's not even discussed anymore, if starting war or torturing people is acceptable, but only by whom and how much is acceptable.
Nevermind there never being a "controversy" about starting a war or torturing people in the first place. It's not acceptable. Period.
Ditto here. Spying on my data is not acceptable. Period. Trying to manipulate me into wasting money or picking an inferior choice ("advertisement") is not acceptable. Period.
Prison shall be the sentence. Including for those that were i
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
They sell it to the highest bidder.
Re: (Score:2)
Google already has full access to your browser history if you use its browser
I wish someone would offer some proof of this. I'd love to be the guy who submitted the GDPR complaint that cost Google 4% of its global turnover and forced it to change the way Chrome works.
Re: (Score:2)
Locked out by paywall. Why do you link to them? (Score:2)
I'll have to assume this is a bipartisan thing in Congress? Of course protecting the "right" to spy would be the kinds of things they agree on.
Vote them all out!
And/Or let's make DNS obsolete with ad hoc real P2P networking, something to save all this stupid arguing. I wouldn't trust Cloudflare or Google with my queries any more than my ISP anyway.
Cancer on all sides! (Score:3)
Advertisers ... basically legalized crime. ... evil mobopolists. ... a corporate oligarchy of traitors. ... Funneling all your name resolving through an advertiser data kraken's mouth, or alternatively, becoming Mozilla's bitch.
ISPs
The "government"
DNS over HTTP
Who to root for?
That they will all bash each others' heads in, and the last man standing is weak enough to finish off easily.
Who's next? (Score:4, Interesting)
So yesterday we had an article here about the UK being pissed at Firefox for DNS over HTTPS [slashdot.org] and today it's Google getting collared by Congress for DNS over TLS.
Given the EU's privacy policies and regulations (e.g. GDPR [wikipedia.org]) it wouldn't surprise me if they went the opposite direction and made secure DNS a legal requirement.
Of course the BRICS [wikipedia.org] will no doubt come down even harder on this.
This is going to be a very interesting cat and mouse game between technology and political agendas.
My money's on tech as it is always quicker to evolve than governmental policy and legislation.
The NSA should compete on this (Score:2)
Re: (Score:2)
Re: The NSA should compete on this (Score:2)
Just transfer my packets (Score:2)
It is the sort of complaint that makes you say “fuck you all, just transfer my packets. “
That's ripe (Score:2)
>"Google says it's pushing for adoption of the technology to prevent spying[...]"
If you are using Chrom* [which is most every browser except Firefox and Safari] then it is apparent you already don't care about spying.
If Google is pushing it (Score:2)
Then you already know it is to their benefit to do so.
The field of competition for user data gets a lot smaller when only a few folks are allowed to see it.
How much money will others pay to see that data once they're locked out of the cookie jar I wonder.
Will your ISP block connections to other known DNS servers other than their own ?
( I would suspect that will be a possibility once Google / Mozilla's idea is no longer an optional one )
Don't you just love it? (Score:2)
It's a bit like two crooks discussing with the police which of the two should be allowed to rob you.
Except you don't. (Score:4, Insightful)
Chrome and Firefox ignore your OS's name resolver, and use their own.
So you can set your name server all you want. They'll just circumvent it.
And going by past experience, probably hard-coded. Just like (prepare to raise all your hairs) some root CAs.
Re: (Score:2)
Chrome and Firefox ignore your OS's name resolver, and use their own.
So you can set your name server all you want. They'll just circumvent it.
And going by past experience, probably hard-coded. Just like (prepare to raise all your hairs) some root CAs.
EXACTLY!
I had to post because I don't have mod points -- I would have used those otherwise but wanted to make sure my affirmation of your point came through :-)
Re: (Score:3)
Firefox DOH is configurable and disabled by default. You can enable it under Network Settings.
Re: (Score:2)
Maybe, but for how long? The problem with automatic updates is that they can silently enable this at some point without any input from the users.
Re: (Score:3)
Chrome and Firefox ignore your OS's name resolver, and use their own.
Because it's incredibly likely that your current name resolver doesn't support DNS over HTTPS. However, if you know for sure that your provider uses DOH, you can set up your own provider. [mozilla.org] At least for Firefox. I have no idea about Chrome.
And going by past experience, probably hard-coded. Just like (prepare to raise all your hairs) some root CAs.
You can add your own provider without a recompile. You can add your own root CA, but for incredibly good reasons it is an involved process. [mozilla.org] The vast majority of users do not need to be mucking with their root CAs in any form or fashion. That's a surefire way to unleash ho
Re: (Score:2)
They'll just circumvent it. And going by past experience, probably hard-coded.
Yeah let's all trust your completely unsubstantiated "past experience" instead of looking to how it actually works, you know how Firefox not only gives you a check box to enable or disable, but also allows you to choose the provider. https://support.mozilla.org/en... [mozilla.org] and while the Chrome release hasn't actually hit the dev branch yet you could look to Android as how it is already implemented and completely user configurable there.
Or you know, anti google rants. Free insightful mods because Google bashing, wh
Re: (Score:2)
Two things. First, you do not have to use the DNS servers provided by your ISP. It doesn't matter anyway, for your ISP will see your DNS traffic regardless. Second, with DoT and DoH, your ISP won't be able to see your DNS traffic - but your DoT or DoH servers will. Such as things are right now, this is likely to be Google or Cloudflare.
Ultimately, no matter what you do, somebody will get to see your DNS traffic. DoT and DoH just change who is going to see it. Are you any happier sharing all of your DNS traffic
Re: (Score:2)
"Such as things are right now, this is likely to be Google or Cloudflare."
Sorry, no it is not. I intercept and redirect all attempts to access any external DNS endpoints to my own resolvers. I also intercept and redirect all NTP to go to my own NTP infrastructure. This is done because there is a shit-ton of crap that insists on trying to use DNS and NTP endpoints of which I do not approve.
Re:Stupid (Score:5, Insightful)
I'd be happier if I had a list of thousands of DNS servers that get chosen randomly to resolve my requests. Preferably after being bounced a few times through a mesh network that mixes my DNS requests with those of millions of others.
Re: (Score:2)
It's been known for decades that any data going to/from a computer to anywhere else on the internet is as good as public. Nothing new there...
Re: (Score:2)
It's been known for decades that any data going to/from a computer to anywhere else on the internet is as good as public. Nothing new there...
But the whole point is if the traffic to and from the DNS server is encrypted, then it really isn't "as good as public", at least not to your ISP. As long as the DNS traffic is unencrypted, then it doesn't matter whether you use your ISP's DNS server or another one: they can still monitor your DNS requests. But if you encrypt, then your ISP is shut out, and that's the problem. Keep in mind, also, this is an important revenue stream for the ISP. If they lose that, expect that your Internet bill will go u
Re: Stupid (Score:5, Insightful)
Worst thing that can happen to DNS is that it is controlled by a single entity. I don't trust my ISP but I trust Google and Mozilla less. DNS over TLS is desirable, but configurable at the OS level not a default provider at the browser level.
Re: Stupid (Score:4, Informative)
Currently Google's plans are to use your existing DNS servers, just over a secure medium:
https://www.chromium.org/developers/dns-over-https [chromium.org]
For a first milestone, we are considering an auto-upgrade approach. [...]
[...] In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged.
Re: (Score:2)
[...] In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged.
The way that I understand that comment from their documentation is that they would upgrade to DoH if/when the client has a resolver that Chrome knows about and supports DoH. That most likely means that if the client uses 1.1.1.1 or 8.8.8.8 (for example) Chrome will transparently do that over DoH.
I don't see that as a huge problem since I, the user, have already decided to use a centralized DNS server and ceded my privacy. However, I don't want Chrome (or anyone) to silently choose to send my DNS requests th
Re: Stupid (Score:4, Insightful)
Worst thing that can happen to DNS is that it is controlled by a single entity.
That's not what this feature does. First of all, in the case of Mozilla the dns servers are run by partners in the trusted resolver program [mozilla.org] who contractually agree to abide by a number of policies as required conditions to join the program which mandate privacy and prohibit monetizing information about users, transparency, prohibit blocking and modification of dns responses.
Secondly: You can still configure in the browsers using advanced settings which entity your DNS over HTTPS traffic will go to. The argument about Google or Moz being anticompetitive is highly suspicious as disingenuous, and is apparently over what default settings should be threatening ISPs' sneaky traffic monetization efforts. Google could probably avoid a whole bunch of these lobbying shenanigans by creating and funding a separate nonprofit public charity to manage and operate the DNS over HTTPS services.
Re: (Score:2)
That policy states quite clearly what the end-game is:
Privacy
2. The resolver must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.
Transparency
2. Transparency Report. There must be a transparency report published at least yearly that documents the policy for how the party operating the resolver will handle law enforcement requests for
Re: (Score:2)
DNS resolvers, they will only have to issue legal process to one.
They can already do that today by going straight to the ICANN registry operator.
The DNS resolver operators, on the other hand, would have a strong argument over their systems not storing any data/acting as mere conduits to DNS reply messages with -- "No centralized capability to block or alter queries" - thus any order to assist in blocking is an unlawful order presenting an unreasonable burden
Anyways; nothing says the partner resolvers sho
Re: (Score:2)
I don't trust my ISP but I trust Google and Mozilla less.
I take it you don't use Chrome or Firefox, then, since they have access to everything you do through your browser, not just hostnames and IP addresses.
DNS over TLS is desirable, but configurable at the OS level not a default provider at the browser level.
I fail to see how that keeps anything -- at all -- secret from the browser maker.
Re: (Score:2)
DNS over TLS is desirable, but configurable at the OS level not a default provider at the browser level.
I fail to see how that keeps anything -- at all -- secret from the browser maker.
Yup.
TLS, transport level security, is like an armored car service. You're trusting the carrier between the two endpoints.
It says nothing at all about trusting the people sending it, or the people receiving it. In this case, that is Google or Mozilla on your end who access the data before giving it to the transporter, or the company providing DNS services on the other end.
It doesn't matter how good the armored car service is if the contents are already violated before being turned over to transport. In t
Re: (Score:2)
I don't trust my ISP but I trust Google and Mozilla less.
It's interesting that you chose to trust a company who will sell your data to any idiot that comes along over a company who is widely known to protect your data like the recipe to Coca-Cola and instead only sell anonymised access to it.
How did you reach your conclusions? Can you point to specific examples where Google's data has actively had a direct impact on doxing or otherwise de-anonymising users? Where users have been targeted as a result? I mean we've covered similar stories about ISPs before.
Bottom l
Re: Stupid (Score:3)
So, they can't see the DNS request, but they'll see the sockets open to an IP address as soon as you use it. They will see that.
If you don't want them seeing it at all, use a VPN.
Re: (Score:2)
Lots of IP addresses support multiple websites. If you don't see the DNS request, you don't know which one is being accessed.
Re: (Score:2)
"Our production machines no longer allow access to the root account. This is quickly becoming the standard for prod machines."
Bullshit! Pure Bullshit. How is DNS a "revenue stream" for the ISP? More likely the ISP will simply decide that they no longer need to provide DNS services to their customers, just as they decided to do away with e-mail hosting, usenet, IRC, and so on and so forth. This will save them a shit-ton of money and increase their profit margin significantly, since they will now be nothing
Re: (Score:2)
Re: (Score:2)
In the "olden days" e-mail sigs used to contain NSA and CIA "trigger words" on the theory that if they were capturing data, then giving them more than they could possibly cope with would be a good thing.
DNS "snooping" is obviously not a real threat since there are and never have been tools to generate a "background radiation" of DNS requests to overwhelm the snoopers. It would not be very difficult to write a daemon that did nothing more than generate a continual stream of DNS requests to overwhelm the sno
Re: (Score:2)
Well I mean a quick search shows this project: https://github.com/jankais3r/D... [github.com] which works with this project: https://github.com/DNSCrypt/dn... [github.com]
"No one has bothered" therefore it's not a problem? I mean nobody bothers to read terms of service documents either, I'm not sure how that can be put forth as a valid argument.
Re: Legislation (Score:2)
> I'm just glad to see that the House is not content to be google's bitch all day long.
Don't worry - they're the CIA/NSA's bitch. Feel better.