Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
The Internet Encryption Firefox Privacy

DNS Over HTTPS: Not As Private As Some Think? (sans.edu) 83

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor mans VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional passing option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].

The Internet Storm Center is offering some data to show how this can be done.

Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
This discussion has been archived. No new comments can be posted.

DNS Over HTTPS: Not As Private As Some Think?

Comments Filter:
  • by ron_ivi ( 607351 ) <sdotno@NOSpAM.cheapcomplexdevices.com> on Saturday December 21, 2019 @09:38PM (#59546252)

    Bets for privacy would be to tunnel DNS through Tor (like Torbrowser does).

    And assuming your system caches DNS results performance shouldn't matter much at all.

    Most DNS-over-HTTPs proposals are bad in so many ways. The guys pushing for DNS-over-HTTPs are the worst privacy offenders out there (Google, Cloudflare). Also, they tend to be proposals to make browser DNS different from system DNS - where DNS should really be a system setting, not a browser setting. I think DNS-over-HTTPs is mostly a way for Google to gather more data on people; and to avoid things like pi-hole based add blockers.

    • by AHuxley ( 892839 )
      When an ad company offers "free" privacy.. thats quality privacy for their paying ads.
    • by rewardian ( 4469141 ) on Sunday December 22, 2019 @03:21AM (#59546758)

      When I think of Cloudflare, I don't think "privacy offender". Other than the 8chan decable a few months ago, which was questionable, I can't think of anything else. My point is that Cloudflare may be the best public option (resolver, DNS proxy, etc.). If I'm wrong, please let me know!

      • Re: (Score:3, Interesting)

        by Anonymous Coward
        It's not Cloudflare's fault.

        Despite the best efforts, they're forced to spy - and forced with gag letters to not tell you:

        https://www.techdirt.com/artic... [techdirt.com]

        Privacy depends on technological solutions.

        No matter how well intentioned a company is - they still need to abide by the laws of everwhere they do business. For large companies (including Cloudflare) that means China, the US, Russia, and all the other major countries.

    • by AmiMoJo ( 196126 ) on Sunday December 22, 2019 @04:32AM (#59546828) Homepage Journal

      Mozilla, the first to implement DoH in a browser, are very privacy focused. They screw up sometimes but are also by far the best option available.

      DoH is better than what we have now (nothing) and is actually happening which is more than you can say for the other options.

      • by serviscope_minor ( 664417 ) on Sunday December 22, 2019 @06:50AM (#59546954) Journal

        Well, basically yes.

        I mean the headline is trivially true: I'm sure you could fine at least two people in the world who overestimate the security therefore making it "less secure than some think". But while it's not prefect, in the UK it prevents the May spying machine from recording every DNS query you make and in the US it stops shitty companies like Verizon, AT&T, etc doing the same to sell your data to advertisers.

        Not prefect but a lot better than nothing.

        • by AmiMoJo ( 196126 )

          Sad to think that May was relatively benevolent compared to this lot...

          • Yes, indeed. She was awful, secretive and rigid. But what we have now...

            Corbyn would tear down everything in the quest of his socialist utopia. Johnson would do the same out of pure spite.

            • by AmiMoJo ( 196126 )

              I just can't see as Corbyn would have been that bad. Certainly the good would have outweighed the bad, and given the country a rebalancing that it needs.

              Anyway we are fucked now. The UK is finished.

              • I just can't see as Corbyn would have been that bad.

                I'm not that sure. The one thing I'm glad about in the previous election is apparently anti semitism really doesn't fly in the UK, and for that I am glad. I think Corbyn with a strong majority would have been equally dangerous if not more so. I think about half of what he says is really good and the other half is really not, but I think he has a quasi religious zeal. However there was never any chance of him getting a strong majority and the Johnson govern

                • by AmiMoJo ( 196126 )

                  The main thing Corbyn had going for him was that he genuinely cares about people. Even if you disagree with his methods you can't really argue that he isn't try to make things better for people.

                  I don't know if I'll be okay. I will probably lose my job but at least for the moment there are plenty more. It's much worse for the rest of my family. Glad you are okay though.

                  • The main thing Corbyn had going for him was that he genuinely cares about people. Even if you disagree with his methods you can't really argue that he isn't try to make things better for people.

                    Well cares for people except arguable the Jews. Ahem. That dig aside, yes I agree. I think he is trying to make things better, I think unlike Johnson what he wants to do, he wants to do for the people. Unfortunately, intent doesn't really matter and I think both would be capable of immense damage.

                    I don't know if I'll

        • by UpnAtom ( 551727 )

          Thought May's spying was curtailed by the EU (twice).

          https://arstechnica.com/tech-p... [arstechnica.com]

          I checked and Opera has some version of DOH.

          https://blogs.opera.com/deskto... [opera.com]

          As for BoJo and Brexshit, I'm planning to migrate.

      • DoH is better than what we have now (nothing)

        Huh, no. We don't have "nothing".
        Privacy wise, we already have "better" options, as the top poster noted: we already have Tor.

        • by AmiMoJo ( 196126 )

          You think integrating Tor into the browser for DNS lookups is a good idea? You aren't concerned about the performance and load on the Tor network?

          • You think integrating Tor into the browser for DNS lookups is a good idea?

            Whenever using a socks5 proxy, the default browser behaviour (at least in firefox) is already to proxy the dns requests too.
            There are even sub parts or tor exit nodes howto about how to setup a good descent and secure dns.

            You aren't concerned about the performance and load on the Tor network?

            It's not the 00ies anymore.
            Tor network has reached excellent level of load-balancing.
            In all my regular experience, the performance of the Tor network is pretty decent for anything that isn't high bandwidth time critical (i.e.: you might not easily do real-time 4k video calls, but otherwis

    • The system doesn't do any DNS caching, because the browser is doing it independently - it isn't going through the OS's API at all. The browser does its own caching.

      Eventually this might well become an OS function - applications wouldn't even see any difference. I'm sure Microsoft would love the excuse to 'protect user privacy' by making sure they alone can monitor DNS queries, given how much telemetry Windows 10 sends back already.

    • by thegarbz ( 1787294 ) on Sunday December 22, 2019 @06:06AM (#59546900)

      I think DNS-over-HTTPs is mostly a way for Google to gather more data on people; and to avoid things like pi-hole based add blockers.

      Okay stop right there. Google's implementation in Chrome has nothing to do with gathering more data. THEY ALREADY OWN YOUR SYSTEM. They can already gather any data they want. They already collect a trove of data from Chrome and at any time can push out a software update to change what they collect. Your comment makes absolutely no sense what so ever and comes across as conspiracy nuttery.

      But let's step back for a moment. You said worst "privacy offenders". Let's discuss that term. What way is Google offending? They collect you data in troves. "Worst privacy datahoovers? That makes a lot of sense". But what is offensive about it? Google has shown over the past 20 years that despite collecting everything about everyone they don't actually pass that data onto others, they only pass other's information your way and sell aggregate statistics.

      Google and Cloudflare pushing DoH is still a net win because I trust both entities far more than than actual "offenders", namely ISPs who have shown to sell data wholesale to anyone with a credit card. Those are the true "privacy offenders".

      • Google and Cloudflare pushing DoH is still a net win because I trust both entities far more than than actual "offenders", namely ISPs who have shown to sell data wholesale to anyone with a credit card. Those are the true "privacy offenders".

        You are deluded if you think that your ISP does not know what sites you are visiting when you use DoH. As for your trust in Google and Cloudflare, that's nothing short of weird and misplaced.

    • 1) good luck getting Microsoft to put DoH into Windows. They won't - unless its to "seamlessly" allow you to choose any one of Microsoft's own DNS servers...

      2) Google hates the idea, they're being forced to do it, but they'd never have if it wasnt for Mozilla.

      3) You can change which DoH provider in the browser. So its not any different to the current DNS networking entry.

      4) performance is not an issue - every page on every site you look at is over https. So the odd DNS lookup isn't going to impact anything.

  • I do not know why firefox or other DoH clients do not verify the DNS answers to their query... its like they trust the DNS servers and do not think they could be possible intercepted or manipulated....

       

    • Comment removed based on user account deletion
    • What would you verify against? If you already know what the DNS record is going to tell you there's no reason to perform the query; but if you don't you can't determine much beyond whether the answers you are getting are correctly formatted or not.

      You could try just making more queries and checking them against each other; but that isn't obviously more resistant to an attacker who you are concerned might be able to tamper with your traffic, including HTTPS, and will likely come up with a lot of false pos
  • going to have to pay for secure VPN tech...
  • by carlhaagen ( 1021273 ) on Saturday December 21, 2019 @09:45PM (#59546276)
  • The entire HTTPS infrastructure depends on a certificate web of trust which is well beyond the average person's ability to audit and manage. It's all but certain that the NSA and other governments and potentially non-government organizations have ingratiated themselves into this web, performing what Bruce Schneier calls a "compelled certification attack."
    • What does it protect against? A MITM attack? Seems like signed DNS entries is a better way to go.
    • The "Compelled certification attack" is when men from the government turn up and calmly explain that you *will* sign their certificate, and if you ever mention this request to any other person then you will be thrown into the type of prison that doesn't keep records.

  • by Gravis Zero ( 934156 ) on Saturday December 21, 2019 @10:17PM (#59546352)

    Considering ISPs started going bonkers over DoH then it seems very clear that they are selling your information. Even if your DoH provider is selling your information, they will have to work harder to positively identify you.

    Sure, it's like going into battle with just a shield but it's better than going into battle stark naked.

    • by msauve ( 701917 )
      "Considering ISPs started going bonkers over DoH then it seems very clear that they are selling your information."

      What's needed (and would be a simple thing) is an application which would do DNS lookups on random domains, all the time. Pollute their feed and it becomes worthless. I'd certainly give up 1 Mbps to not only mess with their surveillance but to work their server at the same time.

      (It probably already exists, and someone will step in to point it out.)
    • by Solandri ( 704621 ) on Saturday December 21, 2019 @11:37PM (#59546420)

      Considering ISPs started going bonkers over DoH then it seems very clear that they are selling your information.

      They're not selling your information. The fact that nearly all sites are https means the only thing DNS tells your ISP is what domain you're trying to visit. They don't even know the full URL. DoH doesn't change this - after the site's domain has been resolved into an IP address, your browser still has to request data from that IP address. Your ISP can see this data request since your computer needs to tell their network where to send your data packets. So a quick reverse DNS lookup tells them what domain you're visiting even if you use DoH.

      The reason ISPs are opposed to DoH is because most people never change their DNS server away from the default, so end up using the ISP's DNS server. When you make a typo in a URL and ask for a nonexistent domain, instead of the browser displaying a "no such domain found" error message, your ISP's DNS server redirects you to a landing page they've set up with search terms based on what they think you were trying to type. They sell space on these landing pages to websites.

      DoH would completely dry up this revenue stream, since the browser's DNS (over HTTP) would override the ISP's DNS server. Apparently the revenue the ISPs get from these error landing pages is substantial enough that it's worth it for them to try to block DoH.

      • by DeSigna ( 522207 )

        They sell space on these landing pages to websites. DoH would completely dry up this revenue stream.

        It's definitely nothing to do with traffic engineering and/or efficient peering with CDNs and content providers. It's not like most large CDNs combine DNS and BGP to load balance requests and localise traffic to the most efficient paths.

        It could never be less efficient CDN utilisation forcing use of orders-of-magnitude more expensive paid transit rather than local peering arrangements, or even forcing the big boys to push exponentially growing traffic levels long distance rather than servicing it locally.

      • by AmiMoJo ( 196126 ) on Sunday December 22, 2019 @04:54AM (#59546838) Homepage Journal

        Just the domain name is incredibly valuable. If you spend a lot of time on OnlineCasino.com or RivalBank.com there are people who would love to know.

        An IP addresses doesn't let them identify a site. It leads them to a CDN in most cases.

        And in the end, it's definitely better than nothing.

      • by thegarbz ( 1787294 ) on Sunday December 22, 2019 @06:15AM (#59546914)

        DoH doesn't change this - after the site's domain has been resolved into an IP address, your browser still has to request data from that IP address.

        False. DoH does change it, just not completely. There's a big difference between knowing:
        a) Solandri visited http ://www.pornhub.com/kinky-girls-doing-nasty-stuff/
        b) Solandri visited server www.pornhub.com and initiated a secure connection.
        c) Solandri visited 66.254.114.41 an IP owned by a CDN that serves www.pornhub.com, www.fluffykittens.com, www.cathloicpuritanchurch.com

    • by AHuxley ( 892839 )
      Re "Considering ISPs started going bonkers"
      That could just be cover for the police and gov level logs they have to keep and now cant with the exiting logs...
      Without having to invest in new tech again...
    • by Retired ICS ( 6159680 ) on Sunday December 22, 2019 @01:06AM (#59546622)

      ISPs are "going bonkers" because the only reason that they are an "Information Service" and not a "Telecommunications Service" (and therefore subject to Common Carrier rules and so-called Net Neutrality) is because they provide DNS. If they no longer provide DNS then they are no longer providing anything at all except a "Telecommunications Service" and the various challenges of Ijit Pie's classification of ISPs as an "Information Service" would be successful, and the ISPs do NOT want that in any way shape or form. They want to be able to sell you various packages of Web Sites for varying prices.

      • ISPs are "going bonkers" because the only reason that they are an "Information Service" and not a "Telecommunications Service" (and therefore subject to Common Carrier rules and so-called Net Neutrality) is because they provide DNS.

        Except they can still provide DNS service even if few use it.

    • They went a level beyond bonkers here, and started warning that DoH was a tool for pedophiles.

  • Yeah. (Score:4, Funny)

    by msauve ( 701917 ) on Saturday December 21, 2019 @11:01PM (#59546382)
    "most current DoH services,"

    When did Homer Simpson become a network engineer?
  • by eggman9713 ( 714915 ) on Sunday December 22, 2019 @01:02AM (#59546610)
    "But there are some kinks in the armor." Come on, if you're not going to use the actual saying, then don't use it at all. By the context it wouldn't be a slur. Stop with the overly politically correct nonsense. Mod me offtopic if you must.
  • To put people off using anything that increases their privacy....
  • Isn't this pointless? Your ISP knows, and sells, where you go to anyway. As does the web site possibly, too.

    • The point is that Google/CloudFare doesnt always know, but they'd like to also know.
    • >"Isn't this pointless? Your ISP knows, and sells, where you go to anyway."

      If they only know the IP address, they don't really know where you are going. Many servers have tens, hundreds, or thousands of different websites that have nothing to do with each other, all on the same address but with different site/domain names.

      So yes, they know which street you are driving on, but not necessarily which house you are visiting, unless that is the only house on that street. Or another analogy would be they mig

      • Fire up wireshark on port 443 and see if you can figure out where your browser is taking you.

        From just opening a new tab on FF, I can see that it's making an HTTPS request to 'snippets.cdn.mozilla.net' (as specified in the 'Client Hello' TLS message under the server name extension). And I didn't need to break the encryption or anything - this is part of the handshake before encryption begins.

        Maybe TLS 1.3 starts encryption earlier. If not, maybe later versions will. But at the moment, it's trivial to see wh

  • In the security arms race, the stakes are constantly rising. Will DNS over HTTPS solve some security problems? Probably. Will it solve them all? No.

    We've seen most Web sites move to HTTPS. Does this fix all the security problems for Web sites? Hardly.

  • First, your ISP will still know what sites you are visiting. Second, your DoH server will know what names you are resolving. Third, more likely than not, your DoH server will be controlled by some company, like Google or Cloudflare, that will be only too keen to monetize that data. Fourth, DoH is a malware boon - protocol encapsulation over DNS tunnels, which is not that difficult to detect and block with standard DNS, becomes effectively undetectable and unblockable when DoH is used.

    DoH does not grant end

  • Padding or random padding, this is very basic.

After the last of 16 mounting screws has been removed from an access cover, it will be discovered that the wrong access cover has been removed.

Working...