> ISPs are trying to undermine the standard simply because they want continued access to users' data, Erwin said. Unencrypted DNS helps them target ads by tracking your web habits, and it's harder to thwart DNS tracking than cookies and other typical approaches.
Is there any other serious argument against encrypting DNS? The only other one I heard was it makes filters harder such as child protection filters on the ISP level.
It would be very ironic if ISPs are successful in making our communications less secure by using anti-Google sentiment and anti-trust laws.
There aren't necessarily serious arguments against encrypting DNS but there are serious arguments against implementing it at the individual application level instead of honoring the system DNS settings configured by the system owner.
System owners are now going to have to be concerned about configuring and locking down DNS settings in multiple locations. Troubleshooting issues caused by DNS problems will be more difficult as different applications may use different DNS settings.
Filters such as child protection filters are more difficult not only on the ISP level but at the home and corporate network level also. I fear the reaction to this is going to be more https interception on corporate networks as traditional DNS interception and filtering becomes less useful.
> Is there any other serious argument against encrypting DNS?
In DNS over HTTPS, requests are still going to a single, potentially untrustworthy entity. Encryption by itself only offers privacy against eavesdroppers, and can give a false sense of security to the unaware. Although not a fault of the technology, people in the EU have been encouraged / defaulted to use DoH provided by US companies on the grounds of privacy, where data privacy law in their own countries may be relatively strong.
I think we should be working towards DNS with a stronger privacy model than DNS over HTTPS. There is no need for centralised resolvers which get to see who are making which requests. Name resolution is a service which could be provided by a distributed network, with authority provided by cryptographically signed records.
With DNS over HTTPS you can't. You can't even intercept DNS and reroute it to your own DNS server.
Suppose a device, let's say a RoKu (or many other) wants to use a DNS that you cannot block, it could use Google's DNS over HTTPS to a private name server of its choosing. Your DNS, and your hosts file doesn't matter. This makes it significantly harder to block anything (probably ads, but not necessarily only ads).
You could try to intercept these requests, but how do you know an HTTPS request is for DNS? And for what name it is being requested?
Taken further, a device, say an Apple TV, hypothetically, could even use a proprietary DNS protocol to talk to its own mother ship.
You could make the same arguments to say that these devices should be speaking HTTP instead of HTTPS for the purposes of allowing the use of a proxy to inspect, redirect, and provide custom responses for requests.
Ultimately if a device in your network is your adversary and you’re giving it an open connection the internet then it’s game over. If there was actually a significant portion of people who blocked ads with DNS vendors would have implemented DoT with certificate pinning a long time ago.
I am more concerned that they are using the idea that this "would give the internet giant an unfair advantage by denying access to users' data" as a pretext for "We will no longer be able to spy and spoof efficiently on our customers".
In my opinion, the telecoms and government give us a lot more reasons for concern than google. Its not in googles best interest to become known for censorship, customers will just use another browser and search engine (some already have), but you don't have the same degree of recourse with government and telecom control.
After this and this [1] I must say I'm in favor of DoH.
I know for sure every major application/game on every device/platform will also hijack DNS queries with their own DoH client and redirect them to their own DNS resolver.
I know for sure that by the time OS implementations are here every application will already have their DoH client built-in up and running for so long nobody will no care anymore.
I know IPSs are just being lazy. I know they will bypass DoH in a couple of months by filtering IPs or deep package inspection or something else.
But is good to see them pissed of once in a while.
If DNS is encrypted, would that make it easier to route casual internet traffic through china, russia or another foreign nation which would have an easier time intercepting and monitoring communications without being noticed?
9 comments
[ 12.7 ms ] story [ 715 ms ] threadIs there any other serious argument against encrypting DNS? The only other one I heard was it makes filters harder such as child protection filters on the ISP level.
It would be very ironic if ISPs are successful in making our communications less secure by using anti-Google sentiment and anti-trust laws.
System owners are now going to have to be concerned about configuring and locking down DNS settings in multiple locations. Troubleshooting issues caused by DNS problems will be more difficult as different applications may use different DNS settings.
Filters such as child protection filters are more difficult not only on the ISP level but at the home and corporate network level also. I fear the reaction to this is going to be more https interception on corporate networks as traditional DNS interception and filtering becomes less useful.
In DNS over HTTPS, requests are still going to a single, potentially untrustworthy entity. Encryption by itself only offers privacy against eavesdroppers, and can give a false sense of security to the unaware. Although not a fault of the technology, people in the EU have been encouraged / defaulted to use DoH provided by US companies on the grounds of privacy, where data privacy law in their own countries may be relatively strong.
I think we should be working towards DNS with a stronger privacy model than DNS over HTTPS. There is no need for centralised resolvers which get to see who are making which requests. Name resolution is a service which could be provided by a distributed network, with authority provided by cryptographically signed records.
With DNS over HTTPS you can't. You can't even intercept DNS and reroute it to your own DNS server.
Suppose a device, let's say a RoKu (or many other) wants to use a DNS that you cannot block, it could use Google's DNS over HTTPS to a private name server of its choosing. Your DNS, and your hosts file doesn't matter. This makes it significantly harder to block anything (probably ads, but not necessarily only ads).
You could try to intercept these requests, but how do you know an HTTPS request is for DNS? And for what name it is being requested?
Taken further, a device, say an Apple TV, hypothetically, could even use a proprietary DNS protocol to talk to its own mother ship.
Ultimately if a device in your network is your adversary and you’re giving it an open connection the internet then it’s game over. If there was actually a significant portion of people who blocked ads with DNS vendors would have implemented DoT with certificate pinning a long time ago.
In my opinion, the telecoms and government give us a lot more reasons for concern than google. Its not in googles best interest to become known for censorship, customers will just use another browser and search engine (some already have), but you don't have the same degree of recourse with government and telecom control.
I know for sure every major application/game on every device/platform will also hijack DNS queries with their own DoH client and redirect them to their own DNS resolver.
I know for sure that by the time OS implementations are here every application will already have their DoH client built-in up and running for so long nobody will no care anymore.
I know IPSs are just being lazy. I know they will bypass DoH in a couple of months by filtering IPs or deep package inspection or something else.
But is good to see them pissed of once in a while.
[1] https://news.ycombinator.com/item?id=20358300