Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Technology

Malaysia Orders ISPs To Reroute DNS Traffic (theedgemalaysia.com) 66

The Malaysian Communications and Multimedia Commission, which regulates online and broadcast media in the Asian nation, has instructed internet service providers in the country to redirect DNS traffic that uses third-party servers back to their own DNS servers, according to local media reports. From a report: MCMC in a statement tonight said this is to ensure that users continue to benefit from the protection provided by the local ISP's DNS servers and that malicious sites are inaccessible to Malaysians. As a commitment to protecting the safety of Internet users, MCMC has blocked a total of 24,277 websites between between 2018 to Aug 1, classified into various categories, which are online gambling (39 per cent), pornography/obscene content (31 per cent), copyright infringement (14 per cent), other harmful sites (12 per cent), prostitution (two per cent) and unlawful investments/scams (two per cent). Further reading: MCMC orders DNS redirection for businesses, govts, enterprises by Sept 30, according to Maxis FAQ.
This discussion has been archived. No new comments can be posted.

Malaysia Orders ISPs To Reroute DNS Traffic

Comments Filter:
  • D'oH! (Score:5, Insightful)

    by serviscope_minor ( 664417 ) on Saturday September 07, 2024 @01:56AM (#64769886) Journal

    This, despite all the utter whinging from people supposed nerds who can't figure out how to do basic firefox configuration is WHY firefox defaults to DoH.

    • Re: (Score:1, Flamebait)

      by thegarbz ( 1787294 )

      Your comment makes me happy. I came here to say exactly this and am glad to see that not only the first post on Slashdot says this, but that it also already is modded up. I have hope for this site yet - despite the best efforts of the whiners out there who are unable to process change.

      • LOL saying I have hope for this site on a comment modded up got me modded down. I guess the lobotomised people with modpoints finally woke up.

    • Re: (Score:1, Troll)

      Just because there are benefits, not just downsides, to that decision doesn't mean that this is why it was made. Yours is a typical nanny-state argument, and those inevitably end up resulting in power-grabs. "Think of the children" and likewise appeals to emotion may be well-intentioned, but ultimately lead down a path of dependence. If we have every program going around the local name resolver configuration, that's a loss of control over the behavior of your own system. This is particularly painful as DNS

      • Re:D'oH! (Score:5, Insightful)

        by sfcat ( 872532 ) on Saturday September 07, 2024 @03:28AM (#64769958)
        I think the other posters just don't understand that DNS poisoning is a thing and why you might not want to use the ISP's DNS server. Also, are they seriously going to redirect 8.8.8.8 to their own ISP DNS servers? There is no way that is going to backfire. You have basically setup the world's largest DOS attack pointed at your own ISP's DC. Only requires someone to change some routing tables and chaos would ensue.
        • Lock and load, motherfuckers.
        • by e3m4n ( 947977 )

          1.1.1.1 is quite a bit faster than 8.8.8.8.

          • Re:D'oH! (Score:5, Insightful)

            by markdavis ( 642305 ) on Saturday September 07, 2024 @06:44AM (#64770104)

            >"1.1.1.1 is quite a bit faster than 8.8.8.8"

            And has the bonus of not being Google.

            If you actually care at all about privacy/control, you shouldn't be using Google's DNS, Google-based browsers (which are pretty much all of them except Firefox and Safari), Google's search (use something like DuckDuckGo or StartPage), or be signed into a Google account when browsing. Plus you should be using something like uBlock origin, which blocks Google Analytics and also redirects its scripts to a local/fake version (to prevent site breakage).

            I would actually avoid Gmail as well, if you can. At least try not to put all your eggs in one basket.

            • Re:D'oH! (Score:4, Interesting)

              by TheNameOfNick ( 7286618 ) on Saturday September 07, 2024 @07:00AM (#64770118)

              Yeah, use Cloudflare's 1.1.1.1. Being able to read a big chunk of all web traffic unencrypted because they "terminate" TLS for countless web sites, big and small, means they know what you're looking at anyway. Put all your eggs in that basket instead, I say.

              • While you make a reasonable point for some situations, at least cloudflare's actual business model isn't data mining that data to manipulate you, like google's is. Running a targeted advertising business is not automatically evil, running a business storing personal information is not evil. It is doing the two things at the same time under unclear terms that is evil. This is pretty much literally what the "don't be evil" slogan was about. But that is long gone. Cloudflare is not a datamining+advertisin
                • Read this [trincoll.edu]

                  There's also this famous quote from Cloudflare's CEO Matthew Prince:
                  Matthew: Back in 2003, Lee Holloway and I started Project Honey Pot as an open-source project to track online fraud and abuse. The Project allowed anyone with a website to install a piece of code and track hackers and spammers.
                  We ran it as a hobby and didn't think much about it until, in 2008, the Department of Homeland Security called and said, "Do you have any idea how valuable the data you have is?" That started us thinking abo

            • by Bahbus ( 1180627 )

              Unfortunately, DuckDuckGo and StartPage both have shitty search results.

              • StartPage *is* Google search results, just anonymized. DuckDuckGo is mostly Bing with a bit of extra stuff added.

              • by higuita ( 129722 )

                You clearly never used startpage, or like being inside a google bubble, startpage uses google, duckduckgo uses bing, both do more or less the same and you get results outside your common profile bubble... so if you search always the same topics, you may see different results, but even if different, it may open your eyes for different sites you didn't know in the google bubble

                • by Bahbus ( 1180627 )

                  I haven't used it recently, no. If it always used Google's results, then something about it felt shitty back when I did try it ~10 years ago. Then I forgot about it and never heard it mentioned again until today. Everyone goes with DDG as their anti-Google recommendation, and I hate it even more. Their indexing, along with Bing's and Yahoo's, in general, is just bad.

                  I will give StartPage another shot though. I don't like the bubble, but I know what I'm searching for and where it's going to be on Google. It

          • 1.1.1.1 is quite a bit faster than 8.8.8.8.

            Looks like 7.7.7.7 times faster. :-)

          • Re:D'oH! (Score:4, Informative)

            by kevmeister ( 979231 ) on Saturday September 07, 2024 @07:51PM (#64771242) Homepage

            1.1.1.1 is quite a bit faster than 8.8.8.8.

            I suggest 9.9.9.9, dns9.quad9.net. Take a look https://en.wikipedia.org/wiki/... [wikipedia.org] to learn about it. I use the encrypted connection (DNS over TLS). Anycast from several global location and headquartered in Switzerland where they take privacy seriously!

        • Also, are they seriously going to redirect 8.8.8.8 to their own ISP DNS servers? There is no way that is going to backfire. You have basically setup the world's largest DOS attack pointed at your own ISP's DC

          They will redirect only for their customers, so is not "world's largest", just the same amount of traffic as if those customers would use the ISP provided DNS.

        • Or if you believe in a free and open Internet you can use Quad9 [quad9.net] at 9.9.9.9
          • Quad9 censors too. You dumbasses really don't get it, do you? Don't use centralized services. You're hellbent on making almost everyone use one of a handful of public DNS resolvers and you think you're helping people. STOP IT!

            • Quad9 has an uncensored set of servers which allow everything as it is meant to be, including known malicious sites and non-seized domains blocked by court orders. They provide this on principle because they are a non-profit which actually wants a free and open Internet.

              Of course, for every website you use, you should probably bookmark any onion domains they provide, and you should probably also look into whether the content you download has an official torrent available, and use that to keep things goin
              • Quad9 has an uncensored set of servers

                No, they really don't. They are required by law to censor and they do. But even if they did actually offer uncensored DNS, that's not what people recommend, is it? 9.9.9.9 [slashdot.org] isn't their most free DNS. It is even advertised as a filtered DNS service.

            • Running your own DNS server(s) is where it's at, for sure...but I do have Cloudflare's and Quad9's as backups

      • Re: (Score:2, Troll)

        Yours is a typical nanny-state argument,

        Lol OK dude. Not trusting the government is somehow a "pro nanny state" argument. And your solution to not be part of a nanny state is to instead be part of a nanny state.

        But really, I think the reason some people so despise the nanny state is because they (a la Rees-Mogg) think only the rich should get to have nannies. The poors can suck it.

        and those inevitably end up resulting in power-grabs.

        Like the Malaysian government?

        If we have every program going around the l

        • Re: (Score:2, Troll)

          If you can't figure out

          Project much? I can dive into the Firefox configuration or break its insubordination in other ways, and I have, but I shouldn't have to. If I want a secure and private resolver, I can do that and have that work for all the programs. Only those which defy the local configuration need special treatment, like that "we know better than you" asshole Firefox. Why am I even replying to this moron.

          • I can dive into the Firefox configuration

            Well clearly not if you're complaining about one of the easiest configuration options.

            break its insubordination in other ways, and I have,

            Insubordination, LOL! It's an inanimate piece of software.

            but I shouldn't have to.

            No one is obliged to cater specifically to your desires, especially when the options you want are trivially available.

            "we know better than you"

            For 99.99% of their users, the ones who haven't got a clue what DNS is, they do know better. For the remai

      • Yeah, I get it, "whinging from people supposed nerds who can't figure out how to do basic firefox configuration" is worthy of upmods, but I'm clearly a troll... How low this site has sunk.

      • Just because there are benefits, not just downsides, to that decision doesn't mean that this is why it was made.

        Except this scenario is literally why this decision was made. As in the literal meaning of the word literal, not the "I don't know what the word figurative means" meaning. The whole premise for setting DoH by default was exclusively to prevent DNS poisoning and redirection, and all those people claiming some corporate conspiracy should be reminded that DoH is configurable to any server and by default doesn't actually to a server controlled by Mozilla or Google.

        If we have every program going around the local name resolver configuration, that's a loss of control over the behavior of your own system. This is particularly painful as DNS is just replaced with another centralized system that is prone to manipulation.

        It's configurable on literally every program. F

    • Re:D'oH! (Score:4, Interesting)

      by Rosco P. Coltrane ( 209368 ) on Saturday September 07, 2024 @03:24AM (#64769956)

      DoH is a great solution in this case, clearly.

      But do you want it if your country isn't a censorship hellhole? I'm not so sure myself.

      It boils down to this: do you believe your ISP doesn't monetize your DNS queries, or do you believe Mozilla's "carefully chosen partners" don't monetize your DNS queries?

      In both case, the answer is "fat chance": both your ISP and Mozilla's partners monetize your DNS queries.

      How do I know that? Easy: the latter doesn't say anything on the matter so they do, and Mozilla promises the latter won't, so they do.

      So in both case, it's matter of whether you prefer your ISP or Mozilla's partners abusing your DNS data. And I'd rather it was my ISP, because I don't know who Mozilla's partners are, but I assume they're awful because Mozilla chose then. Also, I can switch ISP or switch DNS provider, while I basically funnel all my DNS queries to the same set of sumbitches with DoH regardless of how I connect to the internet.

      So unless you live in Malaysia or you have a damn good reason to use DoH, just stick to normally-abusive DNS servers and regularly rotate them rather than willingly serve up all your data to Mozilla's sketchy DNS providers.

      • by Tailhook ( 98486 )

        But do you want it if your country isn't a censorship hellhole?

        At this point it's easier to name the countries that aren't already, or aspiring to be, censorship hellholes. So you should probably want it.

      • But do you want it if your country isn't a censorship hellhole? I'm not so sure myself.

        You're not sure, but you're not sure you don't want it either. Sounds like the worst case is "maybe not", and the best case is "definitely yes".

        It boils down to this: do you believe your ISP doesn't monetize your DNS queries, or do you believe Mozilla's "carefully chosen partners" don't monetize your DNS queries?

        Well it doesn't because there are also plenty of times one might use a rando network (cafes, airports, etc). Do

        • Re: (Score:2, Troll)

          It's cloudflare. They have "nextDNS" set up as an option already configured

          Oh okay thanks. I missed that one.

          Well then, if it's Cloudflare, I definitely won't want it. Fuck Cloudflare with a wire brush even harder than Google. Even if was safer than using your ISP's resolver - and I'm almost certain it isn't, because Cloudflare - there's no way I'm supporting Cloudflare in any way shape or form.

          Again, fuck Cloudflare.

          Or you can add your own DoH provider

          That's actually an attractive proposition. I'm gonna look into that right now. Thanks!

          • by higuita ( 129722 )

            by the way, there are many free or paid DoH services in the internet, both simple or with ads/mallware/family features, you choose... or deploy your own, if you like, there are several DoH docker images or software... or simpy install bind (or similar) as a local DNS server with direct root calls (no forward) and apply whatever rules you like

        • Replying to you again about this:

          Turns out my Librewolf installation was messed up somehow. The options didn't show up in the menu. I reinstalled it and now I see the options:

          - Cloudflare indeed, as you mentioned (and fuck that for sure)
          - Quad9
          - Quad9 + ECS
          - Custom

          I looked up Quad9 [wikipedia.org] and it looks pretty good actually. So I picked Quad9 without ECS and I'll give that a go for a while, see how it fares.

          Thanks for your post, which is a lot more insightful than mine. I wish I had mod points.

          • Well, thanks! sorry I over reacted a little. I should not remember that not every reply on the topic is from the same person :)

            • Re:D'oH! (Score:4, Informative)

              by Rosco P. Coltrane ( 209368 ) on Saturday September 07, 2024 @07:15AM (#64770132)

              No you were right: my answer was kind of shit (not the Cloudflare bit though, not trusting Cloudflare is always a valid comment :))

              I've looked into this some more and in the end, I've disabled DoH in Librewolf and installed it system-wide with the dnss proxy [github.com]. It's super easy:

              - Install the package
              - Disable systemd-resolved
              - Edit /etc/default/dnss to add "--https_upstream=https://9.9.9.9/dns-query" (that's the Quad9 IP) otherwise it default to Google, which is just as heinous as Cloudflare obviously
              - Enable the dnss service
              - Check that it works by visiting on.quad9.net [quad9.net], and also by opening the local monitoring page at localhost:9981 [localhost]

              That's all there is to it.

              I'll see how well this works over time.

        • I think most people are not aware that FF does his own DNS bullshit.

          If I had downloaded FF yesterday, I had not remembered that as well.

          Perhaps I should try FF again, as my Appartement complex has DNS issues.

          But I am not sure if I want that shit Browser on my computer again :(

          • I think most people are not aware that FF does his own DNS bullshit.

            Firefox, chrome and edge all do it by default.

            • My chrome on windows? If he does so, then his error messages are wrong. He claimed he can not resolve the DNS result instead of saying no internet.

              I will check later.

      • Or use anonymized DNSCrypt. Although if you live in Malaysia, it might be risky if the censors know what DNSCrypt is.
      • This is an example of "Moving the Goalposts".

        You are introducing a new problem and complaining that it is not addressed by the solution presented... because it is not the problem being addressed. It serves only as a distraction from the issue at hand.

        The issue is not whether or not the DNS provider is "monetizing your DNS queries". They just want to navigate the internet.

      • by AmiMoJo ( 196126 )

        You can use any DoH capable server you like, including your own.

        By the way, Mulvad offer DNS to everyone, not just users of their VPN. It's good and trustworthy.

      • by higuita ( 129722 )

        so your argument is that you don't believe in neither your ISP and Mozilla, so both MUST be lying... and probably also think that everyone is against you and you can't trust anyone but yourself! So if you are not paranoid, keep reading... if you are, you will not trust me anyway, so don't bother

        Go read cloudflare 1.1.1.1 pages and they already report they do not track the DNS queries, mozilla is using cloudflare and audit it before choosing it as default DoH
        Even if you don't trust cloudflare, you can choose

    • DoH isn't secure from governments. Especially those that can ban any HTTPS traffic that they cannot decrypt, or can mandate the inclusion of a CA that they control that issues new certificates on the fly. (FYI: That last one already exists as commercial hardware and it's used in the good ol' USofA as per federal law against school children.)

      TL;DR: DoH is just another target, and it can be compromised very easily. We'll know if groups like Lightspeed Systems suddenly get a large order from Kuala Lumpur.
      • by amorsen ( 7485 )

        Especially those that can ban any HTTPS traffic that they cannot decrypt, or can mandate the inclusion of a CA that they control that issues new certificates on the fly. (FYI: That last one already exists as commercial hardware and it's used in the good ol' USofA as per federal law against school children.)

        HTTPS decryption with dynamic generation of certificates from a private CA is available in basically every modern firewall. You cannot really do IPS without it.

        I do not agree that it can be compromised very easily. Getting a CA certificate onto every device and dealing with certificate pinning and other protections generally makes it unviable except for the most controlling of organizations. It is easier to mandate that filtering software is installed locally on every device and sidestep the whole issue.

    • by Z00L00K ( 682162 )

      For Firefox Mobile to enable about:config:

      open chrome://geckoview/content/config.xhtml, set general.aboutConfig.enable to true

      open about:config, set dom.private-attribution.submission.enabled to false

  • This is what you get in theocracies, religion imposing their wicked views and moralizing concepts on everyone.
    The US will do the exact same thing if those crazy evangelists get their man in the white house

    • The US will do the exact same thing if those crazy evangelists get their man in the white house

      "Will" do?

      Numerous porn sites are already unavailable in Texas, North Carolina, Montana, Mississippi, Virginia, Arkansas, and Utah.

      On the other hard, in a state like Texas, in the 2022 election, 78% of eligible voters aged 18-30 sat on the couch instead of voting. So I suppose in the end they don't really care.

      • "78% of eligible voters aged 18-30 sat on the couch instead of voting."

        The answer they would give is "meh. Both choices suck, and there was no TikTok video telling me to vote in the primaries."

        • Yeah, well then they're morons. Is Beto O'Rourke perfect? Far from it. But to suggest he sucks as bad as Greg Abbott is ludicrous.

          Ditto Val Demings vs. Marco Rubio.
      • Malaysia doesn't just block porn like some Americans would like to do in the US. They block anything critical of Islam or the Malaysian government and anything that might reflect badly on either. The religious types in the US are mostly interested in blocking porn and information about abortion and so forth. What the Malaysian government does is block political dissent and social commentary, which is much more serious. Trump and some of his followers would like to do that do, but it isn't mostly coming fro
  • should be the individuals choice. State, government or corporate bulling should not be allowed! As most know, whomever provides your DNS has a log of every site you visit.
  • ... online gambling (39 per cent) ...

    It's interesting how every country demanding every (local) shop stop criminals buying stuff, doesn't stop online casinos 'selling' stuff. All those laws to make sure criminals can't hide their money, doesn't affect online casinos. There's world-wide compliance to the USA's TSA rules but no rules about online casinos.

    Online casinos are a scourge upon the world that benefit very, very small number of people: If countries wanted to eliminate them, they could easily do that. Look at all the work they do t

  • What? You think Cloudflare is better than Google?
    Firefox is going to benevolently protect you from big bad other Co?
    Apple is better than Microsoft?

    Let me catch my breath from laughing so hard at your naivety.
    All commercial products are compromised.

    Regular DNS lookups are the Holy Grail of surveillance, because among other reasons, it is ubiquitous, it is clear text, and "people" don't and can't understand abstract ideas. Which works out great for every company because surveillance and data gathering is the
  • Knowing the religious leanings of that part of the world, it's easier to make ISPs in their home country 'keep the faith' than foreign companies. So this helps to ensure that sites can be DNS blocked so users don't lose their faith. I don't know if they are actively doing this, but it makes it much easier for when it comes time to lock things up so people don't stray from the faith.

Pause for storage relocation.

Working...