Big ISPs Worry DNS-Over-HTTPS Could Stop Monitoring and Modifying of DNS Queries (arstechnica.com)
"Big Cable and other telecom industry groups warned that Google's support for DNS over HTTPS (DoH) 'could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues,'" reports Ars Technica.
But are they really just worried DNS over HTTPS will end useful ISP practices that involve monitoring or modifying DNS queries? For example, queries to malware-associated domains can be a signal that a customer's computer is infected with malware. In some cases, ISPs also modify customers' DNS queries in-flight. For example, an easy way to block children from accessing adult materials is with an ISP-level filter that rewrites DNS queries for banned domains. Some public Wi-Fi networks use modified DNS queries as a way to redirect users to a network sign-on page. Some ISPs also use DNS snooping for more controversial purposes -- like ad targeting or policing their networks for copyright infringement. Widespread adoption of DoH would limit ISPs' ability to both monitor and modify customer queries.
It wouldn't necessarily eliminate this ability, since ISPs could still use these techniques for customers who use the ISP's own DNS servers. But if customers switched to third-party DNS servers -- either from Google or one of its various competitors -- then ISPs would no longer have an easy way to tell which sites customers were accessing. ISPs could still see which IP addresses a customer had accessed, which would give them some information -- this can be an effective way to detect malware infections, for example. But this is a cruder way to monitor Internet traffic. Multiple domains can share a single IP address, and domains can change IP addresses over time. So ISPs would wind up with reduced visibility into their customers' browsing habits.
But a switch to DoH would clearly mean ISPs had less ability to monitor and manipulate their customers' browsing activity. Indeed, for advocates that's the point. They believe users, not their ISPs, should be in charge... [I]t's hard to see a policy problem here. ISPs' ability to eavesdrop on their customers' DNS queries is little more than a historical accident. In recent years, websites across the Internet have adopted encryption for the contents of their sites. The encryption of DNS is the natural next step toward a more secure Internet. It may require some painful adjustments by ISPs, but that hardly seems like a reason for policymakers to block the change.
Murderers worry the police could send them to jail (Score:2)
That's precisely the point, fucking ISP morons.
Cry me a fucking river.
It isn't though. (Score:5, Insightful)
The point is not to stop spying or censorship.
The point is to MONOPOLIZE spying and censorship.
If you think Mozilla and Google won't do that, you haven't read their "Code of Conduct".
Re: (Score:2)
A little from column A, and a little from column B.
Re:It isn't though. (Score:4, Informative)
Have you actually looked at Google's implementation? It's open source, you can go check it yourself if you don't believe me.
All they have done is enable DoH for servers that support it. Servers that don't support DoH still use normal unencrypted DNS. It doesn't change your settings or force you to use a Google DNS server or break local DNS.
That is the idea, yes (Score:2)
Re: (Score:2)
My answer says it's a bad idea: https://www.zdnet.com/article/... [zdnet.com] for reasons stated in the article + more.
Re: (Score:3)
That article is bad and you should feel bad for posting it. I wrote a much longer reply [pastebin.com] but Slashdot claims it's spam. What a shit show.
Re: (Score:2)
I disagree with the article:
DoH doesn't actually prevent ISPs user tracking
That doesn't make it a bad idea. ISPs can track with and without it, so it's at worst neutral. In practice, it makes things harder and more annoying and does defeat the stuff that the ISPs are required to log in the UK.
DoH bypasses enterprise policies
I don't care, I've got personal privacy to worry about.
Also no it doesn't. Firefox can be configured to not use DoH, or you can point it at the ISP's DoH resolver instead of cloudflare.
D
More of a Threat from the Browser-Makers (Score:5, Interesting)
Re: (Score:3)
Anyone who understands that you don't need to be Google, Mozilla, etc. in order to have a DNS server that supports this protocol.
Re: (Score:2)
Anyone who understands that you don't need to be Google, Mozilla, etc. in order to have a DNS server that supports this protocol.
I think Russia and China have public facing DNS servers ... :-)
Re: More of a Threat from the Browser-Makers (Score:2)
Hrm, it looks like Brave explicitly whitelists Dissenter
https://github.com/gab-ai-inc/... [github.com]
Not only the browser-makers, but the government (Score:2)
What some people may be missing about DoH is that Mozilla and Google are focusing your requests onto just a couple of providers.
What do you think is going to happen next time a court rules a domain should be blocked? Although this might make it easier for your ISP to manipulate your traffic, do you think a centralized DNS service makes it harder or easier for the government to spy?
Re: (Score:2)
What some people may be missing about DoH is that Mozilla and Google are focusing your requests onto just a couple of providers.
They're missing it because it's not true, at least, not of Google. Mozilla is sending all requests to Cloudflare. I have concerns about that. Google is sending requests to your ISP. If your ISP supports DNS-over-HTTPS, then it will use that. Otherwise it falls back to your ISP DNS over DNS by default. You can change it to use another provider.
Mozilla is actually doing worse than Google here.
Re: (Score:2)
Firefox has DNS-over-HTTPS right there in the preferences. You can easily disable it or change it to a custom provider by opening your preferences and type "dns".
Yes, and you can change Chrome's DNS-over-HTTPS preferences, too. However, Mozilla's default is to send everyone to Cloudflare, while Chrome's default is to send everyone to their ISP DNS. There is no question that Mozilla is doing worse than Chrome in this case. Not even slightly.
Re: (Score:3)
Do you have any problems installing the addon? It's available right at https://dissenter.com/ [dissenter.com] Easily accessible from Firefox, no censorship in sight.
Oh, you wanted Mozilla to host content for you? That seems quite a bit different from "censorship".
Re: (Score:3)
Say what you will about ISPs, but by blacklisting Dissenter, Google and Mozilla
Google and Mozilla didn't "blacklist" Dissenter, they just refused to distribute it.
Re: (Score:3)
I can still access Dissenter on Chrome and Firefox.
It's just the add-ons that were booted out of their web sites. You can side load them if you want. Mozilla and Google don't owe Dissenter/Gab a storefront for their extension. Google hasn't blocked their site or nerfed their fork of Chromium in some way, they just declined to actively help them.
Freedom goes both ways, people are free not to help if you if they don't want to. If you disagree then I need your front lawn for my political adverts.
Why, they can offer their own DNS-over-HTTPS! (Score:2)
And do just as much spying and censorship as Mozilla, Google or any other evil empire!
Now with more WhatWG batshit insanity! Yay!
Re: (Score:2)
Do you think that they won't take over "root zone" duty and force their own browser to use a pinned cert? They'll probably force you to ONLY use their DNS because they're not protecting you from the ISPs spying - they're just wanting to prioritize their own. And the excuse will be that ISPs will otherwise merely re-route the well-known DoH server IPs to their own implementation.
Isn't that kinda the point? (Score:2)
It's sad we need DNS over HTTPS, but, yeah. Here we are. And now the people abusing the system are the ones whining the most when we say "Um yeah. About that. How about you fuck right off".
Re: (Score:2)
Your ISP can't insert ads if it's HTTPS, and they already know where you are going since they have to fetch it for you. Unless you use a VPN, and then it defeats your whole comment.
This just breaks network configuration.
Re: (Score:2)
They know the IP address of the server you're connected to, that's it. They don't know the hostname or URL of the page requested, which is what they really want.
Re: Isn't that kinda the point? (Score:2)
Doesn't SNI leak the hostname of the site you're requesting?
Re: (Score:2)
Your ISP isn't inserting ads on HTTPS traffic.
99% of your ISP's concern (if your ISP isn't one of the big monopolies) with DNS is merely that we don't want you to call us and bitch about broken service because your external DNS provider is getting fucked by something.
The other 1%, is we like to be able to tcpdump it when we are diagnosing problems with your service so that we have to interact with you as little as possible, because frankly, you don't know what you're doing, what you're talking about,
Re: (Score:2)
The concern in the UK is that they might be forced to actually spend money on filtering. We have a small amount of government-imposed censorship here - sites blocked by court order for copyright infringement, the super-secret list of child abuse that must be blocked, and a filter to block all pornography which must be turned on by default by law until the customer asks that it be turned off. The government only says what must be filtered though, not how, so ISPs generally get away with DNS filtering. The ch
Be Honest (Score:2)
This is Comcast worried they cannot track and modify your requests.
No further discussion necessary.
If Comcast had cared about malware infection it would have blocked command and control servers, cut off infected customers and diligently shut down DDoS nodes. This isn't anything they have ever done.
All that is left is profit.
Re: (Score:2)
If you are using HTTPS they can't modify your requests. They can still track you since they are the ones establishing the connection. Not sure what it adds to your security if you don't trust your ISP. It just breaks network configuration. If you really don't trust your ISP then you should at least be connecting by VPN.
Censorship as damage (Score:3)
Funny how outraged companies can get when their bad faith operations are threatened.
Re: (Score:2)
The problem is that this also defeats perfectly valid techniques that help protect our privacy. Things like Pi-hole and so forth that blackhole tracking domains, advertising, and so forth at the DNS level. It's generally working at the DNS level that you can isolate things that shouldn't be talking to the outside world in a relatively simple manner.
Re:Censorship as damage (Score:5, Insightful)
Great! Google is the enemy (Score:2)
In a battle between Google's centralized control of everything (your browser, your phone, your DNS... everything going through their servers *by default*), *ANY* decentralized alternative is preferable.
Most ISPs aren't tracking DNS queries in anything approaching the manner in which Google is. They primarily are dealing with abuse reports and trying to stop malware and botnets. Furthermore, there are opt-out mechanisms for all the services (eg, parental control/filtering, or Verizon Selects) that do require
Re: (Score:2)
If you only knew that by default Chrome will still use your ISP's DNS [arstechnica.com], and that Firefox uses Cloudflare's [mozilla.org], and that you can configure either to use any server you want, then you could have saved yourself the time it took to leave that comment, and us the trouble of reading it.
Re: (Score:2)
I have a protocol to configure my network. It's called DHCP. I don't need a third party who is known to lock users out of their settings because they believe they know better. I can't believe how naive people are. This offers very little additional security. Breaks existing standards. Concentrates all your data to the worst abuser out there. This is the worst privacy feature because it removes your privacy from Google. Now not only do they know what Google analytics encumbered sites you go to but also ALL t
Re: (Score:2)
I have a protocol to configure my network. It's called DHCP. I don't need a third party who is known to lock users out of their settings because they believe they know better.
So use Chrome. It will respect your system DNS setting, unlike Firefox which will use Cloudflare's DNS-over-HTTPS servers.
I don't need a third party who is known to lock users out of their settings because they believe they know better.
Who are you talking about? Be specific instead of waving your hands.
I can't believe how naive people are.
Are you new?
This offers very little additional security.
It offers significant additional security when it comes to DNS queries that are currently being tampered with by ISPs.
Breaks existing standards.
It does no such thing. The existing standards continue to operate.
Concentrates all your data to the worst abuser out there. This is the worst privacy feature because it removes your privacy from Google.
You know nothing. Chrome a) already phones home every chance it gets so that would change nothing, and b) will use your ISP DN
That is indeed worrying (Score:2)
Next time I go to a hotel, how will they be able to hijack my web query to ask me whether I agree to connect to their free complimentary wifi every 5 minutes?
If I don't have that, I won't have the perfect excuse I always tell my boss when he sends me abroad and calls me after hours in my hotel room to work on the company servers:
"Aaw man, sorry but I can't: my SSH connection keeps breaking every 5 minutes. I just can't do nothing from here. What a bummer eh? Oh well, I guess I'll just go down
Re: (Score:2)
You have bigger problems than that if they can hijack your web query.
Re: (Score:2)
Hold up...
I install Guest WiFi Services and never touch DNS. We use an in-line AP/Controller to redirect HTTP/HTTPS traffic via NAT rules to our web server.
basically Any/any:(HTTP/HTTPS) -> Original/GUEST-Server:(original port)
So nothing will break as I understand... Even with no DNS at all you can just type 1.1.1.1 into your browser and it'll capture that and redirect.
Re: (Score:2)
Hmm no: many free wifis will actually break your connections until you go to their stupid web page and click accept. The DNS hijacking part comes in when you try to go to any website and you're redirected to the wifi provider's page. But a hosts file won't help you there: if you don't click on the damn button, no internet.
Re: (Score:2)
We don't just redirect your DNS. We won't route your traffic until you're whitelisted.
Re: (Score:2)
Not the captive portals I've seen: they block all traffic to any address but the portal's until you click accept.
Re: (Score:2)
Generally, when an unknown client connects, they have 2 allowed classes of traffic: DNS, and HTTP/S.
Those are DNATted to a server that handles the captive interaction so that it doesn't really matter what IP you use, you end up there.
If you can actually get around one with a hosts file, it was designed by a fucking idiot.
at LEAST the data *i* send (Score:2)
belongs to me and me only.
ideally (which is not really possible from what i understand ) even my IP should be by default unknown to my ISP.
what i send to the internet is not their business.
You take the packet. Does it belong to you? If yes read it, else forward it. That's it.
switched over to dnsoverhttp (i do enjoy mixing acronyms and words) the *moment* thepiratebay was "blocked" in my country because it was somehow "illegal" ?! ... they can suck rancid floppy donkey dick...
Re: (Score:2)
Depending who is offering DNSOVERHTTP you may have just switched over more information to a central location. If you really don't trust your ISP the simple solution would have been a VPN. If your ISP was that stupid that they blocked thepiratebay just on the DNS level you don't have a very competent or dedicated ISP
Re: (Score:2)
i wish i had the time to learn more about networking
"If your ISP was that stupid that they blocked thepiratebay just on the DNS level you don't have a very competent or dedicated ISP"
pretty much, yes.
the greek equivalent of MPAA/RIAA got their money's worth of legislation to protect their interests... ... while i have no interest whatsoever into whatever trash they peddle
so i can't get to tpb because they are afraid i might pirate... https://www.youtube.com/watch?... [youtube.com] whatever garbage that is.
No Shit (Score:2)
Keep your damn dirty hands off my DNS, scum.
Rephrased (Score:2)
Neighborhood creep worries that curtains could obstruct his view of the hot divorce across the street...
ISP content caches about to get screwed over (Score:4, Interesting)
Re: (Score:3)
NOTHING prevents 1.1.1.1 or any other DoH server from using the source IP address to optimize DNS resolutions.
1.1.1.1 has pledged to preserve user privacy by limited logging and supports DNSSEC validation.
Re: (Score:3)
ISPs created this problem for themselves by not respecting our privacy. I have no sympathy for them.
Tough fucking shit, ISPs (Score:2)
Missing the bigger picture. (Score:3)
The DOJ just got done "threatening" the big 4 (MAGA : Microsoft , Apple , Google, Amazon) with anti-trust.
I think this move by Google means that 3 of the 4 have begun compliance ( Maybe even 4/4)
The NSA needs a constant feed. And they will acquire it by any means necessary.
It's none of their business (Score:2)
ISPs need to get their noses and grubby hands out of our private data - browsing history is none of their business.
ISP have a lot of stuff (Score:2)
Now that network use could change that is the fault of the user?
The browser is evil?
The role of the ISP is to move any/all data from the "user" to the "internet".
Not to police, monitor, look for malware, study, sell, track, detect, stop copyright infringement.
If the user is reported doing copyright infringement, that's for a court/nation/police and the users "account" not "network"
GOOD!!!! (Score:2)
They should never have been fucking with it and snooping on it in the first place!
Re:GOOD!!!! nope ALSO BAD (Score:3)
Except the proposed solution is to have google or others monitoring... and google has their own way of manipulating what you see in browser with 3rd party links
Vixie doesn’t like it (Score:3)
... especially Firefox’s version. I love this quote of his:
"DoH is cause for alarm! but google's approach as documented here seems least-insane."
DNS over HTTPS (DoH) (Score:2)
ISP BS (Score:2)
Users always had, and with DoH, still have the ability to choose their DNS server. ISPs are just upset that DoH may change the _default_ DNS server from one chosen by the ISP, to one chosen by a browser. Worse, the original DNS protocol, lacking encryption, can be easily perverted by the ISP, so that no matter what DNS server the user chooses, the ISP can put themselves in as man-in-the-middle. 1.1.1.1 has pledged to limit logging and preserve user privacy to a degree that goes far beyond what any ISP
Re: (Score:2)
But don't let your ignorance get in the way of your pontificating.
Our primary concern about you using our local anycast servers, is that they are faster than external servers, and slow DNS is the #1 cause of you people calling us and asking for support. You, as a class, lack the knowledge to diagnose the problem as your external DNS server. We don't sell your fucking queries. It's just expensive to deal with you trying to figure out why your home network sucks.
System working as designed. (Score:2)
System working as designed.
News at 11.
Yes. You get it. (Score:2)
That's the point, assholes!
Easy solution (Score:2)
Australian anti-piracy (Score:2)
As far as I know the "site blocking" done under the Australian anti-piracy laws is all done through DNS.
I wonder if any widespread "on by default" use of DNS-over-HTTPS in popular browsers like Chrome or Firefox (where end users don't have to do anything and they automatically go to DNS servers located outside of Australia that aren't enforcing the DNS-based site blocks) will lead to pressure from Hollywood to tighten up the laws (e.g. forcing ISPs to implement site blocks via means that are harder to bypas
Multiple random (Score:2)
Just make multiple random background requests and use a local cache. Yeah, there may be occasional DNS errors due to update lag, but so what?
Simple fix for the ISPs (Score:2)
It works. We do it on our corporate network.
I don't believe it (Score:2)
I have switched on DNSoverHTTPS as soon as it was available in Firefox, and I didn't see any problem 'with the Internet'.
DoH is a PoS (Score:2)
It does not really prevent your ISP from keeping track of where you are going, for they will be able to see what IP addresses you are connecting to. It will allow a few players (mostly Google and Cloudflare) to have a complete record of what it is that you are up to.
DoH makes things far more tricky for legitimate security players, while opening up new vectors for the bad guys. For example, DNS tunnels are not difficult to detect and block with standard DNS. With DoH, they are impossible to block.
DoH is a t
Re: (Score:3)
That probably won't help. DoH does the DNS request over 443 (aka https) so mucking about with UDP 53 won't gain you much, and is pretty much exactly what DoH is designed to do away with.
My bigger worry is internal/split horizon DNS. We have a number of internal only services available on our network that aren't accessible from the outside world, and thus aren't in our public DNS records.
Re: "painful adjustments"...? (Score:2)
> My bigger worry is internal/split horizon DNS. We have a number of internal only services available on our network that aren't accessible from the outside world, and thus aren't in our public DNS records.
Mozilla's implementation detects this and reverts to your local DNS servers. You can push enterprise policies if you want something different.
Re: "painful adjustments"...? (Score:4, Informative)
Mozilla's implementation detects this and reverts to your local DNS servers. You can push enterprise policies if you want something different.
Yeah, it does that by counting on your local DNS servers to return NXDOMAIN for use-application-dns.net - which, to me, seems like a ridiculous kludge. You have to manually configure your DNS servers to do this, obviously.
https://support.mozilla.org/en... [mozilla.org]
Pi-hole kludged this crap into their code as well. I get it, but still... it's a kludge.
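As an added example, not code from the page, from Mozilla or from Pi-hole: the script below builds the RFC 8484 DoH GET request for the use-application-dns.net canary named above and classifies a resolver's wire-format answer as NXDOMAIN (the "stay on system DNS" signal) or answered. The resolver URL is a placeholder and both responses are constructed inline, so it runs offline.

```python
import base64
import struct

# Canary domain from the comment above; a local resolver that answers NXDOMAIN
# for it tells Firefox not to switch to application-level DoH.
CANARY = "use-application-dns.net"
# Placeholder resolver URL (assumption, not a real endpoint).
RESOLVER_URL = "https://resolver.example/dns-query"


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format query; RFC 8484 recommends ID 0 so HTTP caches can dedupe."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class


def doh_get_url(resolver_url, name):
    """RFC 8484 GET form: base64url of the message, padding stripped, in ?dns=."""
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def decode_name(msg, off):
    """Decode a name at offset, following compression pointers; return (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (rcode, answers) where answers are (name, type, rdata) tuples."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):  # skip question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, rdata))
    return rcode, answers


def canary_verdict(msg):
    """Interpret a resolver's answer for the canary the way the comment describes."""
    rcode, answers = parse_response(msg)
    if rcode == 3:
        return "NXDOMAIN: resolver opts out, browser should keep using system DNS"
    if rcode == 0 and answers:
        return "answered: no opt-out signal, browser may enable DoH"
    return f"rcode {rcode}: inconclusive"


def build_response(name, rcode, a_ips=(), txid=0):
    """Constructed wire-format reply (QR=1, RD=1, RA=1) for the sample data below."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_ips), 0, 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in a_ips:
        rdata = bytes(int(x) for x in ip.split("."))
        # 0xC00C = pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


# Constructed sample answers: an opted-out resolver, and one using a documentation IP.
NXDOMAIN_RESPONSE = build_response(CANARY, 3)
OK_RESPONSE = build_response(CANARY, 0, ["192.0.2.1"])

if __name__ == "__main__":
    print(doh_get_url(RESOLVER_URL, CANARY))
    print(canary_verdict(NXDOMAIN_RESPONSE))
    print(canary_verdict(OK_RESPONSE))
```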
Re: (Score:3)
And what stops ISPs from doing the same?
The right way to solve this is with an enterprise-specific whitelist. Provide a list of specific domains to go to the local DNS servers. Everything else goes over a secure connection to a DNS server. Either that or get DNSSEC deployed more broadly and then make it mandatory. Either way.
Re: (Score:3)
... unless you (the GP) meant that the subdomain that should be served internally needs to have a public record with that in it, in which case that's a whole different problem (leaking internal subdomains to the general public).
Re: (Score:2)
We just have all internal systems use internal DNS servers that forward external requests. I don't see the problem.
Split horizon needs to die (Score:2)
Re: (Score:2)
Depending on the environment, you could push out updates to the HOSTS file.
Re: (Score:2)
It means you can't redirect all their advertising and tracking domains to a pi-hole, alternative DNS filtering service etc. If you don't block the DNS, there's a much better chance the ads and tracking will continue to work.
Re: "painful adjustments"...? (Score:2)
By itself it doesn't, but they're trying to move DNS out of the OS and into the web browser (i.e. Chrome) so they have control over it.
Which means that companies that purchase your interests based on browser history will have fewer options because ISPs can be kicked out of the market. This makes the data Google already collects worth more.
Re: "painful adjustments"...? (Score:2)
ATT basically already does this and it sucks. My devices kept losing their DNS for some unknown reason. I finally got sick of it and created my own local DNS server proxy that connected to an outside DNS over a different port. It's idiotic that I had to resort to something like this because ATT was hijacking port 53 and not letting me connect to the DNS provider of my choosing.
Re: (Score:2)
ATT basically already does this and it sucks. My devices kept losing their DNS for some unknown reason.
DNS normally uses UDP for name queries, which is an "unreliable" transport, so it's possible that either your queries or replies got dropped somewhere. I know this sounds weird, but a colleague who worked at an ISP told me about this exact situation (a long time ago) happening internally because their pipes had bandwidth caps and sometimes they would exceed them and their DNS queries went missing. They apparently reconfigured their internal DNS servers to always use TCP for all name queries and the problem
Mixed Reaction (Score:5, Interesting)
Ultimately what protects us is freedom of choice because if anyone gets too bad we can change. What we need are OS's to grow the ability to configure a DoH server just like they do now for DNS. That way we can always choose to change the server to one we feel comfortable with. If Google and others start hardwiring their DoH server into apps in ways that make it hard or impossible to change then we could have an issue.
Re: (Score:2)
I can't help but agree with this. The ISPs are self dealing on this issue to be sure, but their arguments have merits.
I almost think it's a commerce regulation issue. If Google wants to use DoH in their browser, it needs to be opt-in and provide clear and effective ways of being managed, both for individuals and for organizations.
It'd be great if there was an OS standard for DoH that everyone supported and Google was simply using the user's DoH settings, preserving the actual hierarchy of name resolution.
Re: (Score:3)
The ISP's arguments, self-serving as they most certainly are, are not entirely without merit. They are completely correct that this may give Google a huge database of information about what sites people are accessing and unprecedented control over which sites will be easily accessible.
Of course you mean the data the ISPs are currently collecting using traditional DNS ... so, ya, they'd be loath to lose that.
Currently, my main objection to DoH is that using it means your browser is using one source for DNS while your OS and other applications are using another. Technically, this shouldn't matter with properly configured DNS servers, but that's just "technically". As the old adage goes, "A person with one watch knows the time, a person with two is never sure."
Re: (Score:2)
Redundancy and failover.
Of course, three would be better.
Re: (Score:3)
Google operates in the EU (why is mentioning a-f-rica triggering the lameness filter???).
Also here in Thailand Google DNS server queries are transparently intercepted and messed with, which sucks. The strange thing is that it's not just ALL DNS queries that are messed with, it's just those to a long list of DNS servers, although it's possible to find DNS servers which aren't on that list. This is done for censorship purposes.
Some Thai ISPs transparently intercept HTTP calls as well if they're unencrypted. the config
Re: Good (Score:5, Insightful)
Totally agree. The ISPs DNS sucks anyway.
The default set up of ATT fiber (1Gbps) is slower than Comcast's 50Mbps. All because page and resource resolution takes seconds instead of milliseconds. By setting up my own DNS backed by Google or someone else the speed difference in both is so obvious.
And the tracking is also very apparent, go incognito and see the lookups act like it's the first time visiting a site for every load.
The ISPs are in a position to do a lot of good. But the simple fact is that they repeatedly abuse, neglect, and misuse their position. I am glad that entities exist to scrub their butts down to the dumb connection lines they should be.
Re: (Score:2)
All that does is knock the problem one level further up on the chain.
Over that VPN, what are you using for DNS? Still Google? Still some random? Your own server in a datacentre talking to a known-good nameserver? Still all those people can monitor your DNS.
It's like having a transparent postbox for sending letters - everyone in the village can see who you're writing to, and you can't disguise some parts because you need the letter to arrive at the right place.
Having some proxy in another town that you
Re: (Score:2)
But VPNs are not free. Even the free ones make you pay somehow.
Privacy is a right, it shouldn't have a pricetag.
DNS over HTTPS is a great thing, but widely misunderstood. For example in Chrome it's supported but Chrome will still use your preferred DNS server. It just checks if it supports HTTPS and if so uses it, otherwise it sticks with normal DNS.
Re: (Score:2)
Using DNS over HTTPS sounds sort of like systemd. Next it'll be IMAP over HTTPS or NTP over HTTPS. /s
If you want to get around the ISPs modifying your DNS queries then the solution is easy. Just use a VPN and the ISP just becomes a carrier of data packets.
IMAP and HTTPS are already over TLS. NTP isn't really critical anyway; no one can phish your passwords by manipulating NTP, for example.
As for VPNs, they don't solve the problem but just move it from the ISP to the VPN provider. Of course, encrypted DNS also just moves it, from the ISP to the DoH provider. But keep in mind that the ISP can still see the actual destination IP addresses, so DoH isn't so much about keeping your browsing destinations secret from your ISP as it is to prevent them -- or anyon