Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Networking The Internet Google Government

Big ISPs Worry DNS-Over-HTTPS Could Stop Monitoring and Modifying of DNS Queries (arstechnica.com) 156

"Big Cable and other telecom industry groups warned that Google's support for DNS over HTTPS (DoH) 'could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues,'" reports Ars Technica.

But are they really just worried DNS over HTTPS will end useful ISP practices that involve monitoring or modifying DNS queries? For example, queries to malware-associated domains can be a signal that a customer's computer is infected with malware. In some cases, ISPs also modify customers' DNS queries in-flight. For example, an easy way to block children from accessing adult materials is with an ISP-level filter that rewrites DNS queries for banned domains. Some public Wi-Fi networks use modified DNS queries as a way to redirect users to a network sign-on page. Some ISPs also use DNS snooping for more controversial purposes -- like ad targeting or policing their networks for copyright infringement. Widespread adoption of DoH would limit ISPs' ability to both monitor and modify customer queries.

It wouldn't necessarily eliminate this ability, since ISPs could still use these techniques for customers who use the ISP's own DNS servers. But if customers switched to third-party DNS servers -- either from Google or one of its various competitors -- then ISPs would no longer have an easy way to tell which sites customers were accessing. ISPs could still see which IP addresses a customer had accessed, which would give them some information -- this can be an effective way to detect malware infections, for example. But this is a cruder way to monitor Internet traffic. Multiple domains can share a single IP address, and domains can change IP addresses over time. So ISPs would wind up with reduced visibility into their customers' browsing habits.

But a switch to DoH would clearly mean ISPs had less ability to monitor and manipulate their customers' browsing activity. Indeed, for advocates that's the point. They believe users, not their ISPs, should be in charge... [I]t's hard to see a policy problem here. ISPs' ability to eavesdrop on their customers' DNS queries is little more than a historical accident. In recent years, websites across the Internet have adopted encryption for the contents of their sites. The encryption of DNS is the natural next step toward a more secure Internet. It may require some painful adjustments by ISPs, but that hardly seems like a reason for policymakers to block the change.

This discussion has been archived. No new comments can be posted.

Big ISPs Worry DNS-Over-HTTPS Could Stop Monitoring and Modifying of DNS Queries

Comments Filter:
  • That's precisely the point, fucking ISP morons.

    Cry me a fucking river.

    • My answer says it's a bad idea: https://www.zdnet.com/article/... [zdnet.com] for reasons stated in the article + more.

      • That article is bad and you should feel bad for posting it. I wrote a much longer reply [pastebin.com] but Slashdot claims it's spam. What a shit show.

      • I disagree with the article:

        DoH doesn't actually prevent ISPs user tracking

        That doesn't make it a bad idea. ISPs can track wit hand without it, so it's at worst neutral. In practice, it makes things harder and more annoying and does defeat the stuff that the ISPs are required to log in the UK.

        DoH bypasses enterprise policies

        I don't care, I've got personal privacy to worry about.

        Also no it doesn't. Firefox can be configured to not use DoH, or you can point it at the ISP's DoH resolver instead of cloudflare.

        D

  • by Kunedog ( 1033226 ) on Sunday October 06, 2019 @07:28PM (#59276856)
    Say what you will about ISPs, but by blacklisting Dissenter, Google and Mozilla proved themselves much more dangerous and likely to censor content, not just monitor it. Who really trusts them not to try to turn DNS into another walled garden?
    • "Who really trusts them not to try to turn DNS into another walled garden?"

      Anyone who understands that you don't need to be Google, Mozilla, etc. in order to have a DNS server that supports this protocol.

      • "Who really trusts them not to try to turn DNS into another walled garden?"

        Anyone who understands that you don't need to be Google, Mozilla, etc. in order to have a DNS server that supports this protocol.

        I think Russia and China have public facing DNS servers ... :-)

    • Hrm, it looks like Brave explicitly whitelists Dissenter

      https://github.com/gab-ai-inc/... [github.com]

    • What some people may be missing about DoH is that Mozilla and Google are focusing your requests onto just a couple of providers.

      What do you think is going to happen next time a court rules a domain should be blocked? Although this might make it easier for your ISP to manipulate your traffic, do you think a centralized DNS service makes it harder or easier for the government to spy?

      • What some people may be missing about DoH is that Mozilla and Google are focusing your requests onto just a couple of providers.

        They're missing it because it's not true, at least, not of Google. Mozilla is sending all requests to Cloudflare. I have concerns about that. Google is sending requests to your ISP. If your ISP supports DNS-over-HTTPS, then it will use that. Otherwise it falls back to your ISP DNS over DNS by default. You can change it to use another provider.

        Mozilla is actually doing worse than Google here.

    • by ftobin ( 48814 )

      Do you have any problems installing the addon? It's available right at https://dissenter.com/ [dissenter.com] Easily accessible from Firefox, no censorship in sight.

      Oh, you wanted Mozilla to host content for you? That seems quite a bit different from "censorship".

    • Say what you will about ISPs, but by blacklisting Dissenter, Google and Mozilla

      Google and Mozilla didn't "blacklist" Dissenter, they just refused to distribute it.

    • by AmiMoJo ( 196126 )

      I can still access Dissenter on Chrome and Firefox.

      It's just the add-ons that were booted out of their web sites. You can side load them if you want. Mozilla and Google don't owe Dissenter/Gab a storefront for their extension. Google hasn't blocked their site or nerfed their fork of Chromium in some way, they just declined to actively help them.

      Freedom goes both ways, people are free not to help if you if they don't want to. If you disagree then I need your front lawn for my political adverts.

  • And do just as much spying and censorship as Mozilla, Google or any other evil empire!
    Now with more WhatWG batshit insanity! Yay!

    • Do you think that they won't take over "root zone" duty and force their own browser to use a pinned cert? They'll probably force you to ONLY use their DNS because they're not protecting you from the ISPs spying - they're just wanting to prioritize their own. And the excuse will be that ISPs will otherwise merely re-route the well-known DoH server IPs to their own implementation.

  • When I want to go to www.foo.com, I don't really want my ISP inserting ads, nor keeping track of which websites I visit.

    It's sad we need DNS over HTTPS, but, yeah. Here we are. And now the people abusing the system are the ones whining the most when we say "Um yeah. About that. How about you fuck right off".
    • by MeNeXT ( 200840 )

      Your ISP can't insert ads if it's HTTPS and they already know where you are going since the have to fetch it for you. Unless you use a VPN and then it defeats you whole comment.

      This just breaks network configuration.

    • Sigh.
      Your ISP isn't inserting ads on HTTPS traffic.
      99% of your ISPs concern (if your ISP isn't one of the big monopolies) with DNS is merely that we don't want you to call us and bitch about broken service because your external DNS provider is getting fucked by something.
      The other 1%, is we like to be able to tcpdump it when we are diagnosing problems with your service so that we have to interact with you as little as possible, because frankly, you don't know what you're doing, what you're talking about,
      • The concern in the UK is that they might be forced to actually spend money on filtering. We have a small amount of government-imposed censorship here - sites blocked by court order for copyright infringement, the super-secret list of child abuse that must be blocked, and a filter to block all pornography which must be turned on by default by law until the customer asks that it be turned off. The government only says what must be filtered though, not how, so ISPs generally get away with DNS filtering. The ch

  • This is Comcast worrier they cannot track and modify your requests.

    No further discussion necessary.

    If Comcast had cared about malware infection it would have blocked command and conyr servers, cut off infected customers and diligently shut down ddos nodes. This is t anything they have ever done.

    All that is left is profit.

    • by MeNeXT ( 200840 )

      If you are using HTTPS the can't modify your requests. They can still track you since they are the ones establishing the connection. Not sure what it adds to your security if you don't trust your ISP. It just breaks network configuration. If you really don't trust your ISP then you should at least be connecting by VPN.

  • by dheltzel ( 558802 ) on Sunday October 06, 2019 @07:30PM (#59276868)
    Another example of how the internet interprets censorship as damage and routes around it.
    Funny how outraged companies can get when their bad faith operations are threatened.
    • by Strider- ( 39683 )

      The problem si that this also defeats perfectly valid techniques that help protect our privacy. Things like Pi-Hole and so forth that blackhole tracking domains, advertising, and so forth at the DNS level. It's generally working at the DNS level that you can isoalte things that shouldn't be talking to the outside world in a relatively simple manner.

  • In a battle between Google's centralized control of everything (your browser, your phone, your DNS... everything going through their servers *by default*), *ANY* decentralized alternative is preferable.

    Most ISPs aren't tracking DNS queries in anything approaching the manner in which Google is. They primarily are dealing with abuse reports and trying to stop malware and botnets. Furthermore, there are opt-out mechanisms for all the services (eg, parental control/filtering, or Verizon Selects) that do require

    • If you only knew that by default Chrome will still use your ISP's DNS [arstechnica.com], and that Firefox uses Cloudflare's [mozilla.org], and that you can configure either to use any server you want, then you could have saved yourself the time it took to leave that comment, and us the trouble of reading it.

      • by MeNeXT ( 200840 )

        I have a protocol top configure my network. It's called DHCP. I don't need a third party who is known to lock users out of their settings because they believe they know better. I can't believe how naive people are. This offers very little additional security. Breaks existing standards. Concentrates all you data to the worst abuser out there. This is the worst privacy feature because it removes your privacy from Google. Now not only do they know what Google analytics encumbered sites you go to but also ALL t

        • I have a protocol top configure my network. It's called DHCP. I don't need a third party who is known to lock users out of their settings because they believe they know better.

          So use Chrome. It will respect your system DNS setting, unlike Firefox which will use Cloudflare's DNS-over-HTTPS servers.

          I don't need a third party who is known to lock users out of their settings because they believe they know better.

          Who are you talking about? Be specific instead of waving your hands.

          I can't believe how naive people are.

          Are you new?

          This offers very little additional security.

          It offers significant additional security when it comes to DNS queries that are currently being tampered with by ISPs.

          Breaks existing standards.

          It does no such thing. The existing standards continue to operate.

          Concentrates all you data to the worst abuser out there. This is the worst privacy feature because it removes your privacy from Google.

          You know nothing. Chrome a) already phones home every chance it gets so that would change nothing, and b) will use your ISP DN

  • Next time I go to a hotel, how will they be able to hijack my web query to ask me whether I agree to connect to their free complimentary wifi every 5 minutes?
    If I don't have that, I won't have the perfect excuse I always tell my boss when he sends me abroad and calls me after hours in my hotel room to work on the company servers:

    "Aaw man, sorry but I can't: my SSH connection keeps breaking every 5 minutes. I just can't do nothing from here. What a bummer eh? Oh well, I guess I'll just go down

    • by MeNeXT ( 200840 )

      You have bigger problems than that if they can hijack your web query.

    • Hold up...

      I install Guest WiFi Services and never touch DNS. We use a in line AP/Controller to redirect HTTP/HTTPS traffic via a NAT rules to our web server.

      basically Any/any:(HTTP/HTTPS) -> Original/GUEST-Server:(original port)

      So nothing will break as i understand... Even with no DNS at all you can just type 1.1.1.1 into your browser and it'll capture that and redirect.

  • belongs to me and me only.

    ideally (which is not really possible from what i understand ) even my IP should be by default unknown to my ISP.

    what i send to the internet is not their business.

    You take the packet. Does it belong to you? If yes read it, else forward it. That's it.

    switched over to dnsoverhttp (i do enjoy mixing acronyms and words) the *moment* thepiratebay was "blocked" in my country because it was somehow "illegal" ?! ... they can suck rancid floppy donkey dick...

    • by MeNeXT ( 200840 )

      Depending who is offering DNSOVERHTTP you may have just switched over more information to a central location. If you really don't trust your ISP the simple solution would have been a VPN. If your ISP was that stupid that they blocked thepiratebay just on the DNS level you don't have a very competent or dedicated ISP

      • by gTsiros ( 205624 )

        i wish i had the time to learn more about networking

        "If your ISP was that stupid that they blocked thepiratebay just on the DNS level you don't have a very competent or dedicated ISP"

        pretty much, yes.

        the greek equivalent of MPAA/RIAA got their money's worth of legislation to protect their interests... ... while i have no interest whatsoever into whatever trash they peddle

        so i can't get to tpb because they are afraid i might pirate... https://www.youtube.com/watch?... [youtube.com] whatever garbage that is.

  • Keep your damn dirty hands off my DNS, scum.

  • Neighborhood creep worries that curtains could obstruct his view of the hot divorce across the street...

  • by Gavino ( 560149 ) on Sunday October 06, 2019 @08:12PM (#59276950)
    As an ISP employee (and DNS admin) I've seen the change from content providers being hosted many hops away, to setting up inside the datacentre plugging directly into the ISP backbone. The ISP's DNS servers intelligently parses lookups based on IP source and sends the user to the closest cache. I.e. if you're a subscriber of the ISP and on the West Coast - you get the West Coast (Netflix, Akamai...etc .etc) IP addresses for their caching servers, and likewise for the East Coast. ISPs aren't scared about privacy. They're scared about customers using some third-party DNS server who will send the customer to the wrong coast, or even over Internnational links to get their content, when it's not necessary. And what do the users gain? They don't gain privacy. Some company or server has to see their lookups. They are just transferring that to Google or some other company, as if we can trust them?! No way. Contratuations dumb users - in your attempts to gain false privacy, you've just fucked up the Internet even more. Just because something has "SSL" in it - doesn't mean your data is private - it has to come out somewhere! If you want true privacy then just run your own recursive DNS server in the cloud.
    • NOTHING prevents 1.1.1.1 or any other DoH server from using the source IP address to optimize DNS resolutions.
      1.1.1.1 has pledged to preserve user privacy by limited logging and supports DNSSEC validation.

    • by AmiMoJo ( 196126 )

      ISPs created this problem for themselves by not respecting our privacy. I have no sympathy for them.

    • Comment removed based on user account deletion
  • We don't want you spying on our DNS queries or anything else. So far as I'm concerned the entire gods-be-damned Internet should be encrypted. All you bastards are supposed to be doing for the money we pay you is provide connectivity. The rest is bullshit and needs to stop.
  • by Ryzilynt ( 3492885 ) on Sunday October 06, 2019 @08:20PM (#59276966)

    The DOJ just got done "threatening" the big 4 (MAGA : Microsoft , Apple , Google, Amazon) with anti-trust.

    I think this move by Google means that 3 of the 4 have begun compliance ( Maybe even 4/4)

    The NSA needs a constant feed. And they will acquire it by any means necessary.

  • ISPs need to get their noses and grubby hands out of our private data - browsing history is none of their business.

  • that can only do on type of networking and expect networking never to change?
    Now that network use could change that is the fault of the user?
    The browser is evil?
    The role of the ISP is to move any/all data from the "user" to the "internet".
    Not to police, monitor, look for malware, study, sell, track, detect, stop copyright infringement.
    If the user is reported doing copyright infringement, that's for a court/nation/police and the users "account" not "network"
  • They should never have been fucking with it and snooping on it in the first place!

  • by 93 Escort Wagon ( 326346 ) on Sunday October 06, 2019 @08:56PM (#59277062)

    ... especially Firefox’s version. I love this quote of his:

    ”DoH is cause for alarm! but google's approach as documented here seems least-insane.”

  • Users always had, and with DoH, still have the ability to choose their DNS server. ISPs are just upset that DoH may change the _default_ DNS server from from one chosen by the ISP, to one chosen by a browser. Worse, the original DNS protocol, lacking encryption, can be easily perverted by the ISP, so that no matter what DNS server the user chooses, the ISP can put themselves in as man-in-the-middle. 1.1.1.1 has pledged to limit logging and preserve user privacy to a degree that goes far beyond what any ISP

    • DNSSEC is the solution for this. not DOH.
      But don't let your ignorance get in the way of your pontificating.
      Our primary concern about you using our local anycast servers, is that they are faster than external servers, and slow DNS is the #1 cause of you people calling us and asking for support. You, as a class, lack the knowledge to diagnose the problem as your external DNS server. We don't sell your fucking queries. It's just expensive to deal with you trying to figure out why your home network sucks.
  • System working as designed.

    News at 11.

  • That's the point, assholes!

  • Lat ISPs own DNS over TLS. Those who like the various redirects that they provide can use these. Those who don't can select an alternative.
  • As far as I know the "site blocking" done under the Australian anti-piracy laws is all done through DNS.

    I wonder if any widespread "on by default" use of DNS-over-HTTPS in popular browsers like Chrome or Firefox (where end users don't have to do anything and they automatically go to DNS servers located outside of Australia that aren't enforcing the DNS-based site blocks) will lead to pressure from Hollywood to tighten up the laws (e.g. forcing ISPs to implement site blocks via means that are harder to bypas

  • Just make multiple random background requests and use a local cache. Yeah it would they may be occasional DNS errors due to update lag but so what?

  • The ISPs can simply block HTTPS traffic to the DoH servers. The application will then fall back to using the OS provide DNS servers.

    It works. We do it on our corporate network.
  • I have switched on DNSoverHTTPS as soon as it was available in Firefox, and I didn't see any problem 'with the Internet'.

  • It does not really prevent your ISP from keep track where you are going, for they will be able to see what IP addresses you are connecting to. It will allow a few players (mostly Google and Cloudflare) to have a complete record of what it is that you are up to.

    DoH makes things far more tricky for legitimate security players, while opening up new vectors for the bad guys. For example, DNS tunnels are not difficult to detect and block with standard DNS. With DoH, they are impossible to block./p>

    DoH is a t

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...