Malaysia Orders ISPs To Reroute DNS Traffic (theedgemalaysia.com) 66
The Malaysian Communications and Multimedia Commission, which regulates online and broadcast media in the Asian nation, has instructed internet service providers in the country to redirect DNS traffic that uses third-party servers back to their own DNS servers, according to local media reports. From a report: MCMC in a statement tonight said this is to ensure that users continue to benefit from the protection provided by the local ISP's DNS servers and that malicious sites are inaccessible to Malaysians. As a commitment to protecting the safety of Internet users, MCMC has blocked a total of 24,277 websites between 2018 and Aug 1, classified into various categories, which are online gambling (39 per cent), pornography/obscene content (31 per cent), copyright infringement (14 per cent), other harmful sites (12 per cent), prostitution (two per cent) and unlawful investments/scams (two per cent). Further reading: MCMC orders DNS redirection for businesses, govts, enterprises by Sept 30, according to Maxis FAQ.
D'oH! (Score:5, Insightful)
This, despite all the utter whinging from people supposed nerds who can't figure out how to do basic firefox configuration is WHY firefox defaults to DoH.
Re: (Score:1, Flamebait)
Your comment makes me happy. I came here to say exactly this and am glad to see that not only the first post on Slashdot says this, but that it also already is modded up. I have hope for this site yet - despite the best efforts of the whiners out there who are unable to process change.
Re: (Score:2)
LOL saying I have hope for this site on a comment modded up got me modded down. I guess the lobotomised people with modpoints finally woke up.
Re: (Score:2)
Looks like your hopes may have waned already and were very short-lived.
Re: (Score:1, Troll)
Just because there are benefits, not just downsides, to that decision doesn't mean that this is why it was made. Yours is a typical nanny-state argument, and those inevitably end up resulting in power-grabs. "Think of the children" and likewise appeals to emotion may be well-intentioned, but ultimately lead down a path of dependence. If we have every program going around the local name resolver configuration, that's a loss of control over the behavior of your own system. This is particularly painful as DNS
Re:D'oH! (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
1.1.1.1 is quite a bit faster than 8.8.8.8.
Re:D'oH! (Score:5, Insightful)
>"1.1.1.1 is quite a bit faster than 8.8.8.8"
And has the bonus of not being Google.
If you actually care at all about privacy/control, you shouldn't be using Google's DNS, Google-based browsers (which are pretty much all of them except Firefox and Safari), Google's search (use something like DuckDuckGo or StartPage), or be signed into a Google account when browsing. Plus you should be using something like uBlock origin, which blocks Google Analytics and also redirects its scripts to a local/fake version (to prevent site breakage).
I would actually avoid Gmail as well, if you can. At least try not to put all your eggs in one basket.
Re:D'oH! (Score:4, Interesting)
Yeah, use Cloudflare's 1.1.1.1. Being able to read a big chunk of all web traffic unencrypted because they "terminate" TLS for countless web sites, big and small, means they know what you're looking at anyway. Put all your eggs in that basket instead, I say.
Re: (Score:3)
Re: (Score:2)
Read this [trincoll.edu]
There's also this famous quote from Cloudflare's CEO Matthew Prince:
Matthew: Back in 2003, Lee Holloway and I started Project Honey Pot as an open-source project to track online fraud and abuse. The Project allowed anyone with a website to install a piece of code and track hackers and spammers.
We ran it as a hobby and didn't think much about it until, in 2008, the Department of Homeland Security called and said, "Do you have any idea how valuable the data you have is?" That started us thinking abo
Re: (Score:2)
Unfortunately, DuckDuckGo and StartPage both have shitty search results.
Re: (Score:2)
StartPage *is* Google search results, just anonymized. DuckDuckGo is mostly Bing with a bit of extra stuff added.
Re: (Score:2)
It just doesn't feel like Google search results.
Re: (Score:2)
You clearly never used startpage, or like being inside a google bubble, startpage uses google, duckduckgo uses bing, both do more or less the same and you get results outside your common profile bubble... so if you search always the same topics, you may see different results, but even if different, it may open your eyes for different sites you didn't know in the google bubble
Re: (Score:2)
I haven't used it recently, no. If it always used Google's results, then something about it felt shitty back when I did try it ~10 years ago. Then I forgot about it and never heard it mentioned again until today. Everyone goes with DDG as their anti-Google recommendation, and I hate it even more. Their indexing, along with Bing's and Yahoo's, in general, is just bad.
I will give StartPage another shot though. I don't like the bubble, but I know what I'm searching for and where it's going to be on Google. It
Re: (Score:1)
Re: (Score:2)
1.1.1.1 is quite a bit faster than 8.8.8.8.
Looks like 7.7.7.7 times faster. :-)
Re:D'oH! (Score:4, Informative)
1.1.1.1 is quite a bit faster than 8.8.8.8.
I suggest 9.9.9.9, dns9.quad9.net. Take a look https://en.wikipedia.org/wiki/... [wikipedia.org] to learn about it. I use the encrypted connection (DNS over TLS). Anycast from several global locations and headquartered in Switzerland where they take privacy seriously!
Re: (Score:3)
Also, are they seriously going to redirect 8.8.8.8 to their own ISP DNS servers? There is no way that is going to backfire. You have basically setup the world's largest DOS attack pointed at your own ISP's DC
They will redirect only for their customers, so is not "world's largest", just the same amount of traffic as if those customers would use the ISP provided DNS.
Re: D'oH! (Score:2)
Re: (Score:2)
Quad9 censors too. You dumbasses really don't get it, do you? Don't use centralized services. You're hellbent on making almost everyone use one of a handful of public DNS resolvers and you think you're helping people. STOP IT!
Re: D'oH! (Score:2)
Of course, for every website you use, you should probably bookmark any onion domains they provide, and you should probably also look into whether the content you download has an official torrent available, and use that to keep things goin
Re: (Score:2)
Quad9 has an uncensored set of servers
No, they really don't. They are required by law to censor and they do. But even if they did actually offer uncensored DNS, that's not what people recommend, is it? 9.9.9.9 [slashdot.org] isn't their most free DNS. It is even advertised as a filtered DNS service.
Re: (Score:2)
Running your own DNS server(s) is where it's at, for sure...but I do have Cloudflare's and Quad9's as backups
Re: (Score:2, Troll)
Yours is a typical nanny-state argument,
Lol OK dude. Not trusting the government is somehow a "pro nanny state" argument. And your solution to not be part of a nanny state is to instead be part of a nanny state.
But really, I think the reason some people so despise the nanny state is because they (a la Rees-Mogg) think only the rich should get to have nannies. The poors can suck it.
and those inevitably end up resulting in power-grabs.
Like the Malaysian government?
If we have every program going around the l
Re: (Score:2, Troll)
If you can't figure out
Project much? I can dive into the Firefox configuration or break its insubordination in other ways, and I have, but I shouldn't have to. If I want a secure and private resolver, I can do that and have that work for all the programs. Only those which defy the local configuration need special treatment, like that "we know better than you" asshole Firefox. Why am I even replying to this moron.
Re: (Score:3)
I can dive into the Firefox configuration
Well clearly not if you're complaining about one of the easiest configuration options.
break its insubordination in other ways, and I have,
Insubordination, LOL! It's an inanimate piece of software.
but I shouldn't have to.
No one is obliged to cater specifically to your desires, especially when the options you want are trivially available.
"we know better than you"
For 99.99% of their users, the ones who haven't got a clue what DNS is, they do know better. For the remai
Re: (Score:1)
Yeah, I get it, "whinging from people supposed nerds who can't figure out how to do basic firefox configuration" is worthy of upmods, but I'm clearly a troll... How low this site has sunk.
Re: (Score:3)
Just because there are benefits, not just downsides, to that decision doesn't mean that this is why it was made.
Except this scenario is literally why this decision was made. As in the literal meaning of the word literal, not the "I don't know what the word figurative means" meaning. The whole premise for setting DoH by default was exclusively to prevent DNS poisoning and redirection, and all those people claiming some corporate conspiracy should be reminded that DoH is configurable to any server and by default doesn't actually go to a server controlled by Mozilla or Google.
If we have every program going around the local name resolver configuration, that's a loss of control over the behavior of your own system. This is particularly painful as DNS is just replaced with another centralized system that is prone to manipulation.
It's configurable on literally every program. F
Re:D'oH! (Score:4, Interesting)
DoH is a great solution in this case, clearly.
But do you want it if your country isn't a censorship hellhole? I'm not so sure myself.
It boils down to this: do you believe your ISP doesn't monetize your DNS queries, or do you believe Mozilla's "carefully chosen partners" don't monetize your DNS queries?
In both cases, the answer is "fat chance": both your ISP and Mozilla's partners monetize your DNS queries.
How do I know that? Easy: the latter doesn't say anything on the matter so they do, and Mozilla promises the latter won't, so they do.
So in both cases, it's a matter of whether you prefer your ISP or Mozilla's partners abusing your DNS data. And I'd rather it was my ISP, because I don't know who Mozilla's partners are, but I assume they're awful because Mozilla chose them. Also, I can switch ISP or switch DNS provider, while I basically funnel all my DNS queries to the same set of sumbitches with DoH regardless of how I connect to the internet.
So unless you live in Malaysia or you have a damn good reason to use DoH, just stick to normally-abusive DNS servers and regularly rotate them rather than willingly serve up all your data to Mozilla's sketchy DNS providers.
Re: (Score:3)
But do you want it if your country isn't a censorship hellhole?
At this point it's easier to name the countries that aren't already, or aspiring to be, censorship hellholes. So you should probably want it.
Re: (Score:3)
But do you want it if your country isn't a censorship hellhole? I'm not so sure myself.
You're not sure, but you're not sure you don't want it either. Sounds like the worst case is "maybe not", and the best case is "definitely yes".
It boils down to this: do you believe your ISP doesn't monetize your DNS queries, or do you believe Mozilla's "carefully chosen partners" don't monetize your DNS queries?
Well it doesn't because there are also plenty of times one might use a rando network (cafes, airports, etc). Do
Re: (Score:2, Troll)
It's cloudflare. They have "nextDNS" set up as an option already configured
Oh okay thanks. I missed that one.
Well then, if it's Cloudflare, I definitely won't want it. Fuck Cloudflare with a wire brush even harder than Google. Even if it was safer than using your ISP's resolver - and I'm almost certain it isn't, because Cloudflare - there's no way I'm supporting Cloudflare in any way shape or form.
Again, fuck Cloudflare.
Or you can add your own DoH provider
That's actually an attractive proposition. I'm gonna look into that right now. Thanks!
Re: (Score:2)
by the way, there are many free or paid DoH services in the internet, both simple or with ads/malware/family features, you choose... or deploy your own, if you like, there are several DoH docker images or software... or simply install bind (or similar) as a local DNS server with direct root calls (no forward) and apply whatever rules you like
Re: (Score:3)
Replying to you again about this:
Turns out my Librewolf installation was messed up somehow. The options didn't show up in the menu. I reinstalled it and now I see the options:
- Cloudflare indeed, as you mentioned (and fuck that for sure)
- Quad9
- Quad9 + ECS
- Custom
I looked up Quad9 [wikipedia.org] and it looks pretty good actually. So I picked Quad9 without ECS and I'll give that a go for a while, see how it fares.
Thanks for your post, which is a lot more insightful than mine. I wish I had mod points.
Re: (Score:2)
Well, thanks! sorry I over reacted a little. I should not remember that not every reply on the topic is from the same person :)
Re:D'oH! (Score:4, Informative)
No you were right: my answer was kind of shit (not the Cloudflare bit though, not trusting Cloudflare is always a valid comment :))
I've looked into this some more and in the end, I've disabled DoH in Librewolf and installed it system-wide with the dnss proxy [github.com]. It's super easy:
- Install the package
- Disable systemd-resolved
- Edit /etc/default/dnss to add "--https_upstream=https://9.9.9.9/dns-query" (that's the Quad9 IP) otherwise it defaults to Google, which is just as heinous as Cloudflare obviously
- Enable the dnss service
- Check that it works by visiting on.quad9.net [quad9.net], and also by opening the local monitoring page at localhost:9981 [localhost]
That's all there is to it.
I'll see how well this works over time.
Re: (Score:1)
I think most people are not aware that FF does his own DNS bullshit.
If I had downloaded FF yesterday, I had not remembered that as well.
Perhaps I should try FF again, as my apartment complex has DNS issues.
But I am not sure if I want that shit Browser on my computer again :(
Re: (Score:2)
I think most people are not aware that FF does his own DNS bullshit.
Firefox, chrome and edge all do it by default.
Re: (Score:1)
My chrome on windows? If he does so, then his error messages are wrong. He claimed he can not resolve the DNS result instead of saying no internet.
I will check later.
Re: (Score:2)
Re: (Score:2)
This is an example of "Moving the Goalposts".
You are introducing a new problem and complaining that it is not addressed by the solution presented... because it is not the problem being addressed. It serves only as a distraction from the issue at hand.
The issue is not whether or not the DNS provider is "monetizing your DNS queries". They just want to navigate the internet.
Re: (Score:2)
You can use any DoH capable server you like, including your own.
By the way, Mullvad offer DNS to everyone, not just users of their VPN. It's good and trustworthy.
Re: (Score:2)
so your argument is that you don't believe in neither your ISP and Mozilla, so both MUST be lying... and probably also think that everyone is against you and you can't trust anyone but yourself! So if you are not paranoid, keep reading... if you are, you will not trust me anyway, so don't bother
Go read cloudflare 1.1.1.1 pages and they already report they do not track the DNS queries, mozilla is using cloudflare and audit it before choosing it as default DoH
Even if you don't trust cloudflare, you can choose
Re: (Score:2)
TL;DR: DoH is just another target, and it can be compromised very easily. We'll know if groups like Lightspeed Systems suddenly get a large order from Kuala Lumpur.
Re: (Score:2)
Especially those that can ban any HTTPS traffic that they cannot decrypt, or can mandate the inclusion of a CA that they control that issues new certificates on the fly. (FYI: That last one already exists as commercial hardware and it's used in the good ol' USofA as per federal law against school children.)
HTTPS decryption with dynamic generation of certificates from a private CA is available in basically every modern firewall. You cannot really do IPS without it.
I do not agree that it can be compromised very easily. Getting a CA certificate onto every device and dealing with certificate pinning and other protections generally makes it unviable except for the most controlling of organizations. It is easier to mandate that filtering software is installed locally on every device and sidestep the whole issue.
Re: (Score:2)
For Firefox Mobile to enable about:config:
open chrome://geckoview/content/config.xhtml, set general.aboutConfig.enable to true
open about:config, set dom.private-attribution.submission.enabled to false
Theocracies (Score:2)
This is what you get in theocracies, religion imposing their wicked views and moralizing concepts on everyone.
The US will do the exact same thing if those crazy evangelists get their man in the white house
Re: (Score:3)
The US will do the exact same thing if those crazy evangelists get their man in the white house
"Will" do?
Numerous porn sites are already unavailable in Texas, North Carolina, Montana, Mississippi, Virginia, Arkansas, and Utah.
On the other hand, in a state like Texas, in the 2022 election, 78% of eligible voters aged 18-30 sat on the couch instead of voting. So I suppose in the end they don't really care.
Re: (Score:2)
"78% of eligible voters aged 18-30 sat on the couch instead of voting."
The answer they would give is "meh. Both choices suck, and there was no TikTok video telling me to vote in the primaries."
Re: (Score:2)
Ditto Val Demings vs. Marco Rubio.
Re: (Score:2)
Re: (Score:3, Informative)
calling true facts 'malinformation' and Harris on video saying free speech is a privilege that should be revoked in Musk's case?
Sure, Mr dumbass misinformed idiot
https://www.nytimes.com/2024/0... [nytimes.com]
https://apnews.com/article/kam... [apnews.com]
https://leadstories.com/hoax-a... [leadstories.com]
Re: (Score:3)
clap, clap, clap, this is the perfect response for this kind of posts, post facts and proofs that they are inside a weird bubble of fake news
who you use as DNS provider (Score:2)
Re: who you use as DNS provider (Score:2)
I run my own DNS that links to the root servers to avoid crippled dns answers from the ISP.
Online casinos have rich 'friends' (Score:2)
It's interesting how every country demanding every (local) shop stop criminals buying stuff, doesn't stop online casinos 'selling' stuff. All those laws to make sure criminals can't hide their money, doesn't affect online casinos. There's world-wide compliance to the USA's TSA rules but no rules about online casinos.
Online casinos are a scourge upon the world that benefit very, very small number of people: If countries wanted to eliminate them, they could easily do that. Look at all the work they do t
Don't be delusional (Score:2)
Firefox is going to benevolently protect you from big bad other Co?
Apple is better than Microsoft?
Let me catch my breath from laughing so hard at your naivety.
All commercial products are compromised.
Regular DNS lookups are the Holy Grail of surveillance, because among other reasons, it is ubiquitous, it is clear text, and "people" don't and can't understand abstract ideas. Which works out great for every company because surveillance and data gathering is the
Keep the faith (Score:2)