Sign in / up

back to article It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

Last week, amid some acrimony, the Internet Engineering Task Force (IETF) formally adopted a new encryption standard for the internet naming systems. But far from the approval of RFC 8484, better known as DNS-over-HTTPS or DoH, putting the issue to bed, it has stirred up a hornet's nest of upset among internet engineers that …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *

Page:

  1. JohnFen

    The whole thing is just utterly depressing

    I view DoH as a bad thing overall, and it is yet another step in the degradation and corporatization of the internet. The DNS system certainly needs fixing, but it should be fixed rather than bring DoH into the mix.

    But it looks like we're going to get stuck with this bullshit.

    30 2 Reply
    1. Spazturtle Silver badge
      Reply Icon

      Re: The whole thing is just utterly depressing

      " and it is yet another step in the degradation and corporatization of the internet."

      What do you mean by this? All it is is a new protocol for connecting to DNS resolves, it doesn't change anything beyond that.,

      5 9 Reply
      1. JohnFen
        Reply Icon

        Re: The whole thing is just utterly depressing

        I say this because of two things it simultaneously does -- it makes it necessary to rely on a large provider for your DNS resolution, and it makes it less likely that the problems with DNS will actually get resolved in a manner that maintains decentralization.

        It's also a security problem, because it only addresses browser use. People are likely to think that all DNS queries will be secure, when that's not the case at all. It also encourages the terrible tendency for people to think that the web and the internet are the same thing, a factor which is, in my opinion, terrible for the internet.

        On top of all that, this is shoving yet another unrelated thing through the HTTPS port. Doing this is also a security problem because it makes it difficult-to-impossible to selectively block services you don't want your network to be interacting with.

        But please understand, if DoH were the only objectionable thing to come down the pike, I wouldn't react so strongly to it. But it just the latest thing in a series of moves that I think is harming the internet as a whole, so there's a bit of "straw that broke the camel's back" going on for me.

        21 1 Reply
        1. Michael Wojcik Silver badge
          Reply Icon

          Re: The whole thing is just utterly depressing

          this is shoving yet another unrelated thing through the HTTPS port

          Indeed. Schneier and others pointed to the various security problems with "just run it over HTTP" back when Microsoft assaulted the world with SOAP twenty years ago. They're still pertinent, but everyone seems to want to shove every damn thing into HTTP messages anyway.

          I swear, some of these people would probably run all their application traffic in a GRE-over-HTTPS VPN, given the opportunity.

          7 0 Reply
      2. stiine Silver badge
        Reply Icon
        Facepalm

        Re: The whole thing is just utterly depressing

        re: Spazturle

        What it really does is take control of DNS out of local administrators' hands and forces even tiny companies to use https proxies to prevent this traffic from reaching its end-point.

        In one network I manage, they use OpenDNS. In order to insure that every machine in the company uses the opendns proxies, only the DC's and those proxies are allowed to make dns queries to the internet, everyone else will get a timeout. if they move to DoH, I'll have to stand up a https proxy and then reject DoH traffic.

        8 1 Reply
        1. Spazturtle Silver badge
          Reply Icon

          Re: The whole thing is just utterly depressing

          @JohnFen

          DoH is not browser only, my system's DNS process has already been updated with DoH support, so my whole system can use DoH.

          "Doing this is also a security problem because it makes it difficult-to-impossible to selectively block services you don't want your network to be interacting with."

          That is an issue for the network operator not for the user, DoH is designed to protect the user from the network operator by preventing them from seeing what the user is doing and/or blocking it.

          @stiine

          I'm sorry but that is the exact purpose of DoH, to take control away from the network operator and give it to the user, and to make inspection harder and more expensive.

          In your case as you are the one doing the snooping it is going to make things harder, but that doesn't make DoH bad for users.

          When designing a secure protocol you can't make it secure and also make it easy for the network operator to manage and inspect, they are mutually exclusive.

          6 11 Reply
          1. Ben Tasker
            Reply Icon

            Re: The whole thing is just utterly depressing

            > I'm sorry but that is the exact purpose of DoH, to take control away from the network operator and give it to the user, and to make inspection harder and more expensive.

            >

            > In your case as you are the one doing the snooping it is going to make things harder, but that doesn't make DoH bad for users.

            And how's that aim going to be achieved when networks at Schools, Universities and Businesses all start intercepting HTTPS traffic?

            If you haven't got their CA installed, you'll get a cert warning and have a choice - proceed with everything visible to a man in the middle, or don't access whatever you were trying to access. If you have got their CA installed, you won't even get that.

            From a user's perspective, I'd say that's a pretty fucking bad outcome either way.

            And as a home user, I potentially still don't gain anything. My ISP partners with Google and has some of their kit on-net, so when my DoH request hits that PoP, and a plain query then goes out from that (with ECS information attached, so they can see which subnet the query originated from), they're still going to know what I was querying if they're bothering to watch.

            8 1 Reply
          2. JohnFen
            Reply Icon

            Re: The whole thing is just utterly depressing

            "my system's DNS process has already been updated with DoH support, so my whole system can use DoH."

            That's well and good for people like you and I. It doesn't help people who are less sophisticated, and those are exactly the people who are more likely to get tripped up on this point.

            "That is an issue for the network operator not for the user"

            Fair enough, but it's precisely why I think this is a bad thing. I am both a network operator (of my home network) and user. This leaves me with very few options, outside of beginning to blacklist DoH providers (which, I read, is what a lot of ISPs are planning to do).

            What disturbs me about this is mostly that this is bad for the internet in general. All the time and effort put into this could have been put into actually addressing the underlying problem, rather than coming up with a band-aid that is likely, in the long run, to be detrimental to us all.

            7 0 Reply
            1. Anonymous Coward
              Reply Icon
              Anonymous Coward

              @JohnFen - Re: The whole thing is just utterly depressing

              And what is the exact underlying problem in your opinion ? This DoH/DoT story is intended to prevent snooping on end-user traffic so what would be your proposition on this ? If your shady provider would set up interception, they will be able to look into your traffic no matter if it's DoH or DoT.

              0 0 Reply
  2. Anonymous Coward
    Anonymous Coward

    Doh.....

    Not on my networks.

    7 2 Reply
    1. Steve Button Silver badge
      Reply Icon

      Re: Doh.....

      ... and how exactly are you going to stop that? shut down Https?

      9 1 Reply
      1. Ben Tasker
        Reply Icon

        Re: Doh.....

        For all the "but it looks like HTTPS" arguments, it's still fairly trivial to block the ones that are most likely to be used by the majority of people (i.e. Cloudflare etc). Block TCP 443 to 1.1.1.1 and any others you can find on the net.

        You don't, for a second, have to block everything. If you block enough to be inconvenient then users will likely start turning TRR off.

        I'm not saying I support that approach, just that claims it's unblockable because it just looks like https are crap. A good traffic profiler will probably be able to start picking out likely TRR destinations too, so you could even auto-populate an ACL if you're willing to accept occasional overblocking.

        11 0 Reply
        1. Anonymous Coward
          Reply Icon
          Anonymous Coward

          @Ben Tasker - Re: Doh.....

          And VPNs too ?

          0 0 Reply
  3. Nate Amsden

    where are the implimentations ?

    I'll admit I haven't followed this closely. Just looking now at DNS over HTTPS for example, other than some web browsers, and Cloudflare (maybe some other public recursive systems) where are the other implementations of this? (specifically looking for server implementations, not stuff that is locked away by a service provider black box like Cloudflare). Speaking as someone who has run recursive and authoritative name servers for 22 years now(and still does today).

    Wikipedia's info on it is pretty void of info https://en.wikipedia.org/wiki/DNS_over_HTTPS

    Recently I looked into DNS over TLS(was just curious), specifically for BIND anyway and came across this page https://kb.isc.org/docs/aa-01386 , which talks about using stunnel in front of bind for DNS over TLS. Which to me is just a hack. I'd expect to see native TLS support in something like BIND, at least so you have full visibility into the IPs that are sending requests(with a proxy like stunnel that information would get lost).

    Myself I am fine with DNS as is I have no need for TLS or HTTPS. Though I can certainly understand there are people in situations where they have a much higher need for privacy and for whatever reason a vpn may not work for them.

    SSL/TLS connections are difficult enough now to debug with encryption protocols and ciphers and versions and generally crappy logging on behalf of the applications.

    DNS in browsers is already a pain with the browser often caching DNS responses. Probably been 100s of times over the past decade I've had to tell users to restart their browsers to use another browser to clear their browser dns cache.

    My general bigger concern with the likes of firefox and probably other browsers wanting to use DNS over HTTPS how that might affect my services. e.g. users connect to a VPN, and that has DNS resources that resolve stuff for internal names. I would kind of expect/fear that if firefox and others are defaulting to a public DNS over HTTPS provider than it would break DNS queries for basically everything internal the user is trying to connect to. Time will tell I guess.

    Also of course more broadly along the same lines having inconsistent DNS behavior depending on whether or not the app is using DNS over HTTPS to a public resolver or the operating system's resolver.

    (and yeah not a fan of IPv6 either)

    24 0 Reply
    1. Spazturtle Silver badge
      Reply Icon

      Re: where are the implimentations ?

      DoH doesn't attempt to resolve RFC 6762 (.local) domains and will refer those to the DNS server provided by the router. So this won't impact local domain names.

      1 9 Reply
      1. Ben Tasker
        Reply Icon

        Re: where are the implimentations ?

        And what if you're doing split horizon routing? (Yeah, yeah, I know, I don't like it either).

        4 1 Reply
      2. Nate Amsden
        Reply Icon

        Re: where are the implimentations ?

        .local I think is mainly used in windows and mac environments ? I've never used it in linux anyway. At the org I work for we have 47 domains hosted internally, some are both internal and external. All are .com or maybe .co.uk .de .fr etc.

        Used to have over 100 but cut it down by a bit last year.

        So saying .local isn't affected does nothing for what may be my situation at some point.

        2 0 Reply
        1. Peter Mc Aulay
          Reply Icon

          Re: where are the implimentations ?

          Not only that, but .local clashes with zeroconf/mDNS.

          1 0 Reply
  4. Jellied Eel Silver badge

    Cat herding

    That philosophical question is why internet engineers are so mad, and will likely continue to be for some time.

    It was ever thus. I'm in the camp with Vixie, on account of him knowing a bit about DNS, and making some good criticisms.

    The good news is as you say, this may never be widely implemented. RFCs are after all 'Requests For Comments', and most are too wooly to really be counted as standards. There's a far smaller and better defined set of STDs that shouldn't be ignored if one wants to play safely on the Internet.

    But I predict ICANN will lobby hard for implementation on account of a) They wrote it and b) It's part of the trust system for a secure DNS, and thus DNS. Which means trusting ICANN to hand out keys & stay central to the official Internet. Strange how that works.

    (and then of course avoiding governments thinking 'hey, if we legislate for this, the kiddies can surf safely through their trusted DNS. UK ISPs will still have to log connection requests anyway.)

    14 1 Reply
    1. Tomato42
      Reply Icon

      Re: Cat herding

      I won't deny that Vixie knows a bit about DNS.

      I'm not so sure if his incentives align with Web (and thus DNS) users though.

      8 5 Reply
      1. pmb00cs
        Reply Icon

        Re: Cat herding

        The Web isn't the only use of DNS though. Any service that needs to resolve a hostname to find which IP address to connect too, or what domain a connecting IP belongs too (assuming PTR records are appropriately updated) rely on DNS. The assumption that "The Web" == "The internet" needs to die.

        Yes "The Web" is an important service that many people use day in day out, but it is only one of many services that run over the internet.

        16 0 Reply
      2. JohnFen
        Reply Icon

        Re: Cat herding

        "I'm not so sure if his incentives align with Web (and thus DNS) users"

        DNS is used by far more services than the web. All of them, in fact. All web users are DNS users, but not all DNS users are web users.

        4 1 Reply
    2. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Cat herding

      Just because a DNS Researcher who happens to be employed by ICANN was involved in the authorship of this RFC doesn't in any way imply that ICANN corporately endorses the standard and will lobby for it.

      The big political issue with DoH is that the original elevator pitch for the protocol was as an ad-hoc means to secure your DNS lookups in environments where you can't trust that the local DNS resolver isn't messing with your queries (e.g. a coffee-shop Wi-Fi network). It would also allow for a standardised way for web applications to perform DNS lookups for arbitrary DNS data, something they can't currently do.

      What changed this were the public pronouncements from Mozilla engineers that they wanted to make DoH the default method for doing _all_ DNS lookups from inside the Mozilla browser, and that they would take it upon themselves to chose the default far-end resolver DNS service (initially Cloudflare) on your behalf.

      The WG charter text says: "The primary focus of this working group is to develop a mechanism that

      provides confidentiality and connectivity between DNS clients (e.g., operating system stub resolvers) and recursive resolvers". No-one expected that last clause to mean just a handful of massively aggregated (and centralised) resolver operators.

      7 0 Reply
      1. Spazturtle Silver badge
        Reply Icon

        Re: Cat herding

        "What changed this were the public pronouncements from Mozilla engineers that they wanted to make DoH the default method for doing _all_ DNS lookups from inside the Mozilla browser, and that they would take it upon themselves to chose the default far-end resolver DNS service (initially Cloudflare) on your behalf."

        They didn't do that though, that is just for the opt-in test. Once DoH is added to Firefox stable it will use whatever DNS resolver you configure. Over time more and more DNS revolvers will add DoH support. DoH is just a protocol, it doesn't do anything in regards to centralisation or de-centralisation.

        There are already quite a few independent DoH revolvers to pick from.

        3 6 Reply
        1. Anonymous Coward
          Reply Icon
          Anonymous Coward

          Re: Cat herding

          They did _exactly_ that (https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/):

          "We’d like to turn this on as the default for all of our users".

          and if you don't manually configure your own (independent) DoH resolver, you'd get one of Mozilla's so-called "Trusted Recursive Resolvers".

          6 2 Reply
          1. Spazturtle Silver badge
            Reply Icon

            Re: Cat herding

            The part where they say "We’d like to turn this on as the default for all of our users" is talking about DoH not TRR.

            From the TRR Bugzilla: "Provides an optional resolver mechanism for Firefox that allows running together with or instead of the native resolver."

            The actually mailing lists and bug trackers are the best way to find out what is actually going on.

            3 1 Reply
          2. browntomatoes
            Reply Icon

            Re: Cat herding

            What’s worse, they’re also making other privacy enhancements (eg eSNI) reliant on turning on DoH. I’d like to try the experimental eSNI support using my own local recursive resolver (for which I can deal with where it gets its answers and how they’re privacy protected, thankyou very much) but they won’t let me without patching the code myself.

            I don’t think that’ll be the last privacy feature that won’t work without it either.

            1 0 Reply
      2. Jellied Eel Silver badge
        Reply Icon

        Re: Cat herding

        Just because a DNS Researcher who happens to be employed by ICANN was involved in the authorship of this RFC doesn't in any way imply that ICANN corporately endorses the standard and will lobby for it.

        Nope, ICANN would never do that. ICANN has, and always will be the epitomy of good governance. Now, would you like to buy a TLD?

        But it is not a 'standard'. It's an RFC, not an STD. As such, it can be freely ignored. Or commented on by a wider audience than just the WG. That the WG didn't expect that it would hand traffic to the biggest abusers of confidentiality simply highlights the problems with the WG process. It might provide confidentiality for data in transit, but won't once it's hit the resolvers.. Or proxies, caches etc..

        But I've been pondering Vixie's comemnt about control plane security more. DNS currently is a simple process to write a plain text request and read a plain text response. So a client doesn't need much trust, other than how it passes the response to whatever has requested the connection. That session may then be encrypted between client-host and seperate to any hosts process. Requiring encryption presumably means the hosts process has to hook into the device's encryption routines at a higher trust level so a DNS attack could end up compromising the control-plane functions.

        Which can't be a good thing, especially as DNS is a function used by pretty much every Internet device, not just web browsers. Especially if there's pressure to make this a 'standard', or if the usual resolvers require it. It's been generally accepted that hard coding IP addresses into devices isn't best practice, and re-writing code for millions of IoT stuff will inevitably cause some to break, or become insecure.

        4 2 Reply
      3. JohnFen
        Reply Icon

        Re: Cat herding

        "as an ad-hoc means to secure your DNS lookups in environments where you can't trust that the local DNS resolver isn't messing with your queries (e.g. a coffee-shop Wi-Fi network)"

        If you're using such an access point without also using a VPN, you have very serious exposure in more areas than just DNS lookups. For that use case, DoH is like spitting in the ocean.

        4 0 Reply
  5. Anonymous Coward
    Anonymous Coward

    Not one to nitpick but...

    “Fans of the protocol point out that because the standard uses the same port as ordinary DNS traffic”

    I’m pretty sure that statement is incorrect. I’m assuming it was meant to say the same port as ordinary HTTPS traffic. What I can’t understand is, what is stopping DoT from using port 443 too? As far as I am aware, it would look no different to DoH (providing NPN extensions aren’t enabled), just without the completely unnecessary overhead of including a bunch of irrelevant plaintext header fields.

    Another question / issue I have with the claim that DoH will be better camouflage is: how are you expected to address the DoH server? I’m guessing, given that DNS is presumably out of the question, it will be by static IP? In which case, I would imagine that anyone wishing to block it could simply target TLS sessions with no SNI? Or obviously block known DoH server IPs.

    Fundamentally I cannot see the logic in involving HTTP. Was this wrapping in HTTP also proposed for SMTPS? Or FTPS? I suspect not, presumably because it makes no sense. My question is why it makes any more sense to do so with DNS? Finally, why is DoT not likewise called DNSS?

    15 0 Reply
    1. Charles 9
      Reply Icon

      Re: Not one to nitpick but...

      Too easy to confuse with DNSSEC, which deals with authentication rather than integrity.

      3 2 Reply
    2. Crypto Monad Silver badge
      Reply Icon

      Re: Not one to nitpick but...

      > what is stopping DoT from using port 443 too?

      Because HTTP and DNS are different protocols with different payload format. The whole point of a well-known port is that you know in advance which protocol you are supposed to speak, when you open or accept a connection.

      > block known DoH server IPs

      That's called whack-a-mole, and it doesn't work.

      Remember that the first provider of DoH services is CloudFlare. They could enable DoH on *all* their front IP addresses. In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg)

      > I cannot see the logic in involving HTTP. ... why it makes any more sense to do so with DNS?

      In other words: why are some people pushing for DoH rather than DoT?

      Well, DNS is a request-response protocol which maps quite well to the HTTP request-response cycle (unlike SMTP or FTP).

      But the real reason is because it makes DoH almost impossible to block. Your site's DoH traffic is mixed in with your HTTPS traffic and it's very difficult to allow one but not the other. That makes it a real pain for network operators, who may use DNS query logs to identify virus-infected machines (calling home to C&C centres), or to filter out "undesirable" content such as porn.

      It's a question of whose rights prevail. Consider a university campus network. Does the network operator (who pays for the network) have the right to enforce an AUP, which says you can't use university resources for browsing porn? Or is this trumped by the rights of the student to use the Internet for whatever they like?

      This has national policy implications too. In the UK, large ISPs are required to provide "family-friendly" filters, and this is generally done by DNS filtering. If the mainstream browsers switch to DoH, those filters will be completely bypassed. The ISPs can switch to blocking by IP, but there will be much collateral damage as one IP address can host thousands of websites - and if the undesirable site is hosted on a CDN like Akamai or CloudFlare, this sort of filtering may be impossible.

      (Today you can also filter on TLS SNI, but SNI encryption is also on the near horizon)

      8 2 Reply
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: Not one to nitpick but...

        "Remember that the first provider of DoH services is CloudFlare. They could enable DoH on *all* their front IP addresses. In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg)"

        They could just declare that CloudFlare and the like are violating local sovereign laws and tell them to knock it off or get blockaded as a bloc: deal with the moles by burying the entire molehill. And tell any sites that use CloudFlare to consider alternatives tout suite or face becoming collateral damage in a sovereign struggle.

        4 0 Reply
      2. JohnFen
        Reply Icon

        Re: Not one to nitpick but...

        "That's called whack-a-mole, and it doesn't work."

        It doesn't work well for sure, but if it's all you got...

        2 0 Reply
        1. onefang
          Reply Icon
          Coat

          Re: Not one to nitpick but...

          '"That's called whack-a-mole, and it doesn't work."'

          'It doesn't work well for sure, but if it's all you got...'

          All I have is a hammer, so all problems look like moles.

          2 0 Reply
      3. JohnFen
        Reply Icon

        Re: Not one to nitpick but...

        "In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg)"

        True, but the way the web has been going over the past five or ten years, I'm not entirely sure that I'll be able to keep using it long-term anyway.

        1 0 Reply
      4. JohnFen
        Reply Icon

        Re: Not one to nitpick but...

        "But the real reason is because it makes DoH almost impossible to block."

        That's correct, but I suspect that the real reason isn't to protect users at all, but to protect the ability of companies (particularly ad companies like Google) to continue to spy uninterrupted. DoH makes it much more difficult to use a firewall to protect your systems from accessing locations that are used to collect data about you and your systems.

        Removing this layer of protection is the primary reason that I view this as a bad move for everybody who isn't into surveillance.

        2 0 Reply
      5. Charles 9
        Reply Icon

        Re: Not one to nitpick but...

        "Because HTTP and DNS are different protocols with different payload format. The whole point of a well-known port is that you know in advance which protocol you are supposed to speak, when you open or accept a connection."

        But what if that's EXACTLY what you're trying to avoid because you don't want people to know you're making a DNS connection for fear of it being tracked or at least blocked? A hostile government can attempt to hijack DNS for ill intent unless it can't tell HTTPS and DNS apart because they're simultaneously running on the same channel. How do you deal with such a scenario?

        0 0 Reply
  6. Anonymous Coward
    Anonymous Coward

    big question

    So where does Daniel J. Bernstein stand on this? Controversy and DNS, djb can't be far behind.

    7 0 Reply
    1. stiine Silver badge
      Reply Icon

      Re: big question

      Funny...

      1 0 Reply
  7. Anonymous Coward
    Anonymous Coward

    Who do you trust?

    As a retired and now amateur techie I have been reading what I can since this issue raised its ugly head and in trying to boil it down to the essentials I think it is about the balance of trust and control.

    - DoH bundles DNS calls into the same ports as encrypted HTTPS traffic and observations by network admins can't see or control what is going on

    - DoT encrypts DNS calls. Admins and indeed anyone else with authority will not see the content of those calls but can see who is making them and track the effect.

    Living in the UK, given a choice I think I would opt for DoT. It would make it more likely that admins can run a reliable network. I have reasonable confidence that any of my web searches or connections to sites that give me information about, for example, the wisdom of Brexit will not result in a visit from the fingernail removal men.

    If I lived in a less stable society and were trying to find information about alternatives to my currently "elected" president/prime minister who wants the job for life I think I would choose DoH.

    It comes down to your point of view.

    An analogy. I read Theordore Rockwell's book about US Admiral Hiram Rickover and his key role in the development of the their nuclear submarines. There was a debate over the safety vs maintenance balance regarding possible leakage from the PWR design reactor with just a removable gasket sealed cover which gave better access, or adding welding the whole thing shut on top . Navy engineers wanted easily removable lids with gaskets. Gaskets suppliers emphasised the quality of their product. The general consensus was that removable lids with gaskets was a good idea because the benefits outweighed the risks.

    Rickover asked a different question of those involved.

    "Suppose your son were to serve on this submarine with his life dependent on its safe operation. Would you let his life depend on the continued integrity of the gasket to hold back every droplet of the highly radioactive water? or would you rather have a weld backing it up just in case.?"

    They all changed their minds and opted for welded up lids.

    Generally, when the benefits to me outweigh the risks to you, I will opt for the most benefits. When both the benefits and the risks apply to me I will tend to minimise the risks

    I am fairly sure that DoT is the better solution but if pushed I would opt for DoH.

    24 0 Reply
    1. Spazturtle Silver badge
      Reply Icon

      Re: Who do you trust?

      "- DoH bundles DNS calls into the same ports as encrypted HTTPS traffic and observations by network admins can't see or control what is going on

      - DoT encrypts DNS calls. Admins and indeed anyone else with authority will not see the content of those calls but can see who is making them and track the effect."

      With DoH not only can they not detect it (other then seeing HTTPS traffic), but they cannot block it without blocking all HTTPS traffic.

      With DoT they can detect it and block it forcing the user to use unencrypted DNS.

      5 1 Reply
      1. Giovani Tapini
        Reply Icon
        Unhappy

        Re: Who do you trust?

        i don't trust governments, not just oppressive regimes.

        Frankly I am quite sure regardless of choices of encryptions and protocols the gov'mint can, or will find a way to, eavesdrop anything I do. Making the internet more complex and (I am with Vixie here) breaking the usefulness of DNS in the same of privacy is not the right approach.

        Advert aggregators will start running DNS services for free so they can get DNS data regardless of encryption, this approach cannot end well. Google don't yet force you to use 8.8.8.8 but if they did they have probably more visibility on what you are doing than they had before, encryption be damned.

        Complete privacy on the internet, or any other shared resource is unlikely to be manageable or feasible without making the system chaotic. This is not really a good idea IMHO.

        as far as I can see, although a good idea, it is fixing the right problem, in the wrong place and overselling the long term effectiveness of the change too.

        4 3 Reply
      2. JohnFen
        Reply Icon

        Re: Who do you trust?

        "they cannot block it without blocking all HTTPS traffic."

        Yes, they can, as long as DoH servers are being run from defined IP addresses. The use of HTTPS does not prevent routers from seeing where traffic is going to and blocking traffic to/from certain destinations.

        2 1 Reply
        1. Charles 9
          Reply Icon

          Re: Who do you trust?

          Creates a part-and-parcel problem, though. If DoH and HTTPS both use the same port, suppose say Cloudflare simply piggybacks DoH on ALL its HTTPS addresses (which includes IPv6 ranges, meaning you can be talking quite a bit of Internet real estate). Then the only practical solution to blocking Cloudflare's DoH is to block Cloudflare, full stop. Only an inward-looking oppressive power (who would be against the likes of Cloudfare in any event) would dare to do that because anyone else risks collateral damage from blocking a provider as big as Cloudflare.

          2 0 Reply
          1. browntomatoes
            Reply Icon

            Re: Who do you trust?

            Block cloudflare - or MITM all HTTPS traffic. Which has the side effect that they then MITM all the other traffic they didn’t before.

            I rather suspect therefore that DoT (when you consider the consequences of widespread implementation) is likely to be LESS enabling of privacy invasion in ‘nasty’ regimes. In ‘nice’ regimes it won’t make a difference either way.

            1 0 Reply
            1. JohnFen
              Reply Icon

              Re: Who do you trust?

              "or MITM all HTTPS traffic"

              After looking at the options for how to deal with DoH on my home network, I've decided that this is the least harmful solution, so this is what I'm going to do.

              1 0 Reply
          2. JohnFen
            Reply Icon

            Re: Who do you trust?

            "suppose say Cloudflare simply piggybacks DoH on ALL its HTTPS addresses (which includes IPv6 ranges, meaning you can be talking quite a bit of Internet real estate). Then the only practical solution to blocking Cloudflare's DoH is to block Cloudflare, full stop. "

            Yes, if Cloudflare were to do this, you're correct. If they do, then I will seriously consider blocking the entirety of Cloudflare from my own networks, even though the cost would be that I would no longer be able to access a lot of websites, including El Reg.

            1 0 Reply
            1. Anonymous Coward
              Reply Icon
              Anonymous Coward

              @JohnFen - Re: Who do you trust?

              Seeing your determination I'm guessing you are a firewall admin. Being ready to block vast swathes of Internet is nice but have you thought about asking the business ? If I'm not mistaking it's not up to you to decide what are your organization's business goals and needs. Yes, you may bring it to their attention, advise them about the risk, offer to mitigate but you will not make the decision to cut them off just because you don't like DoH. With this attitude you risk being condemned to a long career in small mom and pop shops taking care of their 5 PCs or less.

              Don't hate me, just try to figure out how you would explain to a high ranking executive of a medium to large enterprise why one of the business critical application has suddenly stopped working. Oh, and try to convince him the block will stay in place whether he likes it or not.

              0 0 Reply
              1. Anonymous Coward
                Reply Icon
                Anonymous Coward

                Re: @JohnFen - Who do you trust?

                "Oh, and try to convince him the block will stay in place whether he likes it or not."

                SImple. Because of real-world data leak concerns proscribed by law, we legally cannot remove the block. Or do YOU want to be the one to answer when the G-men come knocking on our door?

                0 0 Reply

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like