41 comments

[ 20.4 ms ] story [ 148 ms ] thread
Tells me everything I ever wanted to know about ISPA. Did they even notice the juxtaposition of recognising Sir Tim Berners-Lee with an award for a campaign to "protect the open and free nature of the Internet" and simultaneously branding Mozilla a "villain" for their work on DoH?

Was glad to see my ISP (Netcalibre) is not a member and sponsors the Open Rights Group instead: https://twitter.com/lchost/status/1147090360226783233

AAISP should also be commended for donating an amount equal to the ISPA membership fees directly to Mozilla: https://twitter.com/aaisp/status/1146803916853645314

AAISP's twitter post on it was amazing ... snark personified, and why they are one of the best ISP's in the UK - technically brilliant management of their network and all around decent people.
There may be independent factions within that organization that each came up with their own nominations.

That's how you end up with that kind of apparent outward cognitive dissonance.

So they built a content-blocking feature based on a design flaw that can be trivially bypassed? And now the people who are bypassing the flaw are villains?

That's some top-notch work there, ISPA.

I’ve been gleefully watching DNS over HTTPS break all kinds of things that are terrible practices, including ISPs that hijack NXDOMAIN responses for SPAM search pages even when using other DNS providers.

Here’s to hoping someone comes up with better solutions for captive portal redirects, though.

I believe there's been a better solution to captive portal redirects for quite some time now, via the medium of DHCP and/or RAs - https://tools.ietf.org/html/rfc7710.

Unsure why we've not yet seen much adoption.

I've seen almost universal adoption of it (at hotels, airports, etc). Since around 2 years ago nearly all the networks I connect anounce their portals through DHCP.
Interesting to hear! Do you mind sharing your rough location?
I live in Brazil, on those last years I've also traveled to Mexico and Cabo Verde, visiting airports also on Panama and Portugal.

I've notice the DHCP announcements on all those places.

It's almost like the purpose of an ISP is to transmit internet traffic to the internet for you--not to filter traffic, block certain ports, lie about DNS responses, or otherwise have anything to do with the actual content of your communications. Imagine if the telephone company listened to you calls to block prohibited topics, replaced the other person's responses with ads, and opposed people who tried to talk in code.

It's definitely a Good Thing that technical measures are rendering this garbage unworkable.

Should be easy to work around in the short term. The browser just needs to request a well-known "test" domain (like example.com) and detect if it gets a redirect. Keeps portals working without compromising the privacy of real DNS lookups.
My go to: captive.apple.com
The problem is that if you're using something like stubby[1] then there's no easy way to temporarily tell it to use another DNS server to resolve the name you need to get to the captive portal. At least as far as I can tell, it doesn't offer that feature. You would need to be able to resolve whatever domain the captive portal is using as well, so you couldn't just hardcode it into `/etc/hosts` either.

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+...

My workaround for using captive portals with DoH is to authenticate on my phone first, then disable WiFI on the phone, then basically run this script to switch my laptop to my phone's MAC addr.

```

sudo systemctl stop NetworkManager wpa_supplicant avahi-daemon

sudo ifconfig <your_interface_name> down

sudo macchanger <your_interface_name> --mac="$1"

sudo systemctl start NetworkManager wpa_supplicant avahi-daemon

sudo ifconfig <your_interface_name> up

```

It's stupid and hacky, but it works perfectly 99% of the time.

Understandable. How are ISPs supposed to keep mining and monetizing browsing history if everyone starts using DoH?
DoH doesn't bring any privacy or censorship circumvention, it still allows ISPs to mine and monetize browsing history all they want, only creating temporary inconvenience. It lets more parties to get your data though and is more friendly to state mass surveillance.
Lots of claims here but no descriptions of how DoH is worse for end users
Try to search DoH on HN, these issues were discussed many times before. Essentially DoH leaks more data to more third parties, without being able to withhold that data from those who already can get it, hence violating privacy, not improving it.
Most vpns also contain DNS query so ISPs can't see them how is this any different?
VPN usage is very much a fringe activity compared to just browsing with Firefox.
There are other ways to protect the users. The people deciding on these awards should inform themselvs better on the whys of it. Instead of labeling perhaps ISPA should look into collaboration with Mozilla instead?
My biggest problem with Mozilla's DNS over HTTPS is their partnership with CloudFlare

Cloudflare is not a supporter for Free and Open Internet, and is just as much a danger to online privacy as the rest of the Large Technology Companies like Google and Facebook

Edit: The Undying Support for CloudFlare is amusing, reminds me of all the defenders of Google years ago until they turned evil... Power Corrupts, the key is to not give these companies the power. The amount of data the flows through CloudFlare's various products should be alarming to anyone that understand Computer Science, history, etc. Sad that many here are willfully ignorant to the threat CloudFlare poses

> and is just as much a danger to online privacy as the rest of the Large Technology Companies like Google and Facebook

how so?

[citation needed]
Cloudflare doesn't welcome you if you don't let it track you and run arbitrary code it injects. You can verify that by disabling javascript and/or using proxies, vpns, tor.
Bad headline by TechCrunch. This is not an "internet group" (which in context implies something like ICANN). It's a UK-specific business association of ISPs who have an interest in preventing browsers from assisting user privacy.
I cannot imagine a stronger endorsement of DNS-over-HTTPS than the content of this article. How do I set my router to proxy all outgoing DNS to HTTPS?
It varies depending on your router and what it's running. Cloudflare has instructions for OpenWRT
Your router is going to have to support it somehow. It's much easier to just run a local resolver like stubby + dnsmasq.

Apparently Cloudflare also has some kind of daemon you can run on Windows, but I don't know if I would recommend that route.

This is bad news for a lot of users in countries with censorship. The censors would end up blocking entire IP ranges if they can't block domains.
And then the censors' regimes fall back in technical and economical development, while they really can't stop true adversaries anyway.
Here are some great instructions on how to get set up with Stubby, which is a DNS over HTTPS resolver you can run on Linux. I was able to get it working fairly quickly. The instructions apply to pretty much any distro (I got it working on both Arch and Ubuntu). You can also easily set it up to work with dnsmasq to do caching.

https://wiki.archlinux.org/index.php/Stubby

After setting up dnsmasq I did not notice any performance hit, and in fact it worked more reliably than my previous DNS settings.

It's also possible (and I recommend) to set up the dns resolver for the LAN to be unbound (openbsd's recursive dns server, supports DNS over HTTPS), thus allowing all devices in the lan to transparently use DNS over HTTPS.

Alternatively, there's dnscrypt-proxy, but it's somewhat slow and eats way too much ram.

Oh yes, use DNS over HTTPS for your privacy. Just look at these organizations that oppose it. While I'm at it, you totally can't break into an Apple iPhone™ and all the cool pedophiles should be using that, for safety.

DNS over HTTPS does nothing for privacy and merely takes control from the DNS providers or user. Companies want to be able to run everything over HTTPS so you can't block any of it without blocking all of it. They can go to Hell.