What do you think of DNS over HTTPS?

DNS over HTTPS is possibly going to be good for public sites although, if it’s not used all the way up, then you’re still going to transition to regular DNS over UDP somewhere. Although your ISP won’t be able to see where you are going, someone upstream from Cloudflare would.
My second point is the enterprise DNS would break. The domain controller of a Windows network isn’t going to be public so, if we had an internal application that relied on the DC as its identity provider, systems relying on AD would break.

Is there some reason why the OS can’t be smarter here? Some simple pattern matching should allow you to choose a different DNS for intranet versus internet.

Yeah, seems weird to go so far as to use DoH Quad9, modify the configuration but then disregard all other DNS queries.

IMO if the big ISPs are saying “this is bad” that’s a pretty clear signal to me that it probably should happen. The internet is always evolving, it can adjust to DoH.

I don’t like it in the browser since that will bypass my pi-hole server which can use DoH or DNSCrypt to all the various DNS providers. I like the idea that Chrome had to check what DNS the system is using then use its secure lookup. But I imagine that will make Chrome an even bigger RAM and CPU hog.

Hahaha no doubt Chrome will need MORE RAM now!

But think of it from a normal users perspective. Most folks will not implement proper privacy practices unless it is done for them. From a consumer viewpoint, browser implementation is likely the best idea.

Thinking about it, I suppose you could simply use the .lan extension for internal things and if it sees that it’ll switch to your in-house DNS server. The other alternative would be for Microsoft to build DoH support into their DNS offering and let admins set that as default.

I like the idea of DoH. Nobody needs to know what I do while online. I am not into illegal stuff and never will be, but it is my business and no one else’s, unless I tell them. If DoH will provide me with the privacy that we all deserve, then I am all for it. ISPs make enough money off of their billing system, they don’t need to make any more from me by selling my info to advertisers.

To be clear, DoH is a step in a direction, but is not a panacea. In the end, the DNS query resolves to an IP address, and your ISP still gets this information to route your packets… and all those packets contain useful metadata, even if fully encrypted from end to end.

I was talking about people, governments, advertisers, ISPs spying, that manipulate this information for their benefit and no thought of the consequences of the user.

Packets don’t snoop, people DO.

It is unclear to anyone outside of the ISP what data is being captured and how much of a hindrance DoH will really be… but as you said it’s a step.

Out in public, it is good, you are protecting your privacy, to a certain extent. The DNS service still talks you.

At home, I have a Pi-hole and this pulls DNS over TLS with DNSSEC from a privacy oriented provider and the Pi-hole itself caches the sites I visit regularly and it blocks around 2.5 million tracking, malware and malvertising sites, including 1,500 Facebook domains.

If Firefox bypasses that, it is going against my wishes.

I have set up rules in my firewall to block HTTPS to Google and Cloudflare DNS servers.

Nobody should monitor DNS queries and they definitely shouldn’t be changing them!

Okay, I want to make sure I’m extremely clear here. Here’s an analogy:

If you’re among a group of people who all speak English and you and another also speak, say German, and you try to hide your conversation by speaking to that other person exclusively in German, then the other members of the group may be excluded from understanding what you talk about, but they are not excluded from knowing that you are talking (and knowing they are excluded) and they also can still see when you laugh, smile or frown.

So in this metaphor, encryption is like speaking a different language, and the metadata is the fact that you can still be observed talking even if the substance of the conversation is unclear.

Using DNSCrypt (DNS over TLS) has the same effect, without breaking anything. The local DNS server is there for a reason in a lot of circumstances and shouldn’t be overridden. I have mine in place to increase my privacy and security and to provide access to my local infrastructure.

A browser ignoring that and doing DoH will help protect my privacy, somewhat, but it will weaken my security and remove access to my local infrastructure. (Theoretically, entering a local address and ending it with a slash (/) will force the browser to drop back to normal DNS, once it has failed to find the address on the external DNS server. That means that, instead of it doing a local look-up first, it is sending information about my internal infrastructure to the external DNS service.)

I’m unclear if you’re missing my point or if you think that DNS is the beginning and end of it. DNS is one step. Once the device gets an IP address by whatever means (including having it supplied as an address instead of a domain name, completely bypassing DNS) it communicates with a remote host. This communication happens without any additional involvement of DNS, because the DNS communication is normally front loaded.

No matter what, the IP packets have to pass through your upstream provider (normally your ISP). It may not be able to read the content of the data stream, if end to end encrypted, but they HAVE to be able to read the destination IP address. The destination IP address has deep meaning. It indicates who you’re talking to. The destination port may well indicate what service you are talking to. The size and frequency of the packets can indicate what’s going on.

All this data about data, aka metadata, can provide meaning to someone who is intent on profiling you. Yes, the DNS information would provide deeper insight, but I want to fully dispel the notion that securing DNS is a magic bullet. It’s a privacy improvement; certainly better done than not done. It is generally impossible to communicate with someone without generating metadata, which indicates that you are talking to them and frequently why or what you’re talking about.

I don’t think anyone has suggested that DoH, or DNS encryption in general, is a “solution”. Let’s not let perfect be the enemy of good and all agree that it’s a step in the right direction?

Without the translation from IP address to domain name, they can’t always tell that much. Just look at the attempts by the UK Government, Kazakhstan and a few others to ban individual sites by blocking the IP address. They blocked the address of, for example, a pr0n site, only to find out that several thousand other sites disappeared, including some schools’ websites, because the IP address is shared.
Facebook, Google, Microsoft and Co. have their own dedicated IP addresses but millions of sites share the same IP address and it is only the combination of the IP address and the DNS name that lets you get to the site you want. If you just enter the IP address, you will land on the hoster’s page, if you are lucky.

You are correct, hiding DNS is not the complete solution, but taking it out of the equation makes it harder to track someone, because you only have part of the address. It is like seeing a person go into a skyscraper, you know they went in that building, but there are hundreds or thousands of people in that building, which one are they visiting?

Yes, but this enables you to create your own DNS infrastructure with your own cloud servers. This is what I’ll end up doing.

The main benefit I’ve seen is scalability and increased efficiency of protocol use, far better than the privacy argument.

No, that’s not how it works. The connection is between the user and the DNS server and it’s encrypted. That’s where it ends, it doesn’t go “up”.

Were you thinking of QoS?

I think you misunderstand the point or, perhaps, I did. My thinking was you are sending the query over a secure channel but, at some point, it has to transition to DNS over UDP.
It seems to me that, if it isn’t encrypted all the way up to the root DNS servers, you would just be able to watch the endpoint where it transitions whereas if you encrypt the entire chain up to the root then that would prevent law enforcement from spying on your DNS query.
I suppose you could, of course, not keep logs of who asked for what