
I'm not sure how I feel about DoH. It seems like there's a ton of unnecessary overhead added by placing the super lightweight DNS protocol on top of HTTP. My initial reaction is also that I might lose some control over my network and which domains hosts query on my network. Are things like DNS sinkholes and domain blacklisting still possible with DoH?


You don't get to control what my devices do just because you control a network they're transiting through. Even if DoH had never been standardised, clearly my devices can do this anyway.

On the other hand, if you actually control your devices DoH shouldn't be a problem, you can have them talk to whichever servers you prefer regardless of the protocol.

As to the lightweight thing. We get a few benefits from running DNS on top of HTTPS rather than say TLS (which also exists, as DoT)

1. HTTPS allows us to put parameters in the URL which are thus confidential (HTTPS will encrypt them) and have those control the DNS lookup. So dns-server.example can offer all its users their own URL, even though they all talk to the exact same server (dns-server.example.com) and a snoop can't tell that one device used the rank0 account while another device used the tialaramex account, those are encrypted in the URL, yet the actual server can see which is used and maybe my devices get "pure" answers while yours have ad-blocking or whatever.

2. DNS doesn't have a rich error vocabulary. For your ad-blocked domains, a traditional DNS server has to either lie (bogus answer) or claim no answer exists (NXDOMAIN or OK 0 answers) but HTTP has a rich variety of error codes. Maybe 403 Forbidden is appropriate for the Xian parent who doesn't want their teenager looking at pornhub.com and 451 Unavailable For Legal Reasons is appropriate for a DNS service which excludes Pirate Bay due to lawsuits.
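An added example (not from this thread or any project it mentions) that puts the two points above in code: the per-account path segment and the base64url-encoded query both ride inside the HTTPS request per RFC 8484, and a filtering resolver can refuse at the HTTP layer (403/451) or at the DNS layer (NXDOMAIN), so a client has to handle both. The resolver host dns-server.example, the account names and the response bodies are assumed or constructed here.

```python
"""RFC 8484 DoH GET request built offline, plus a client-side reading of a
filtering resolver's answer. dns-server.example, the account segments and the
responses below are hypothetical/constructed, not from any real service."""
import base64
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """Wire-format query; RFC 8484 4.1 recommends ID 0 so identical queries
    give identical URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(base_url, account, name, qtype=1):
    """Client side: account segment and query are inside the HTTPS request, so
    an on-path observer only sees the resolver host (SNI/IP), not which
    account asked for which name."""
    token = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return "%s/%s/dns-query?dns=%s" % (base_url, account, token.decode("ascii"))

def parse_doh_get(url):
    """Server side: recover the account segment and the DNS message."""
    path, _, query = url.partition("?")
    account = path.split("/")[-2]
    token = dict(p.split("=", 1) for p in query.split("&"))["dns"]
    return account, base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off

def interpret_response(status, body):
    """HTTP status plus DNS body -> verdict: the resolver may refuse at the
    HTTP layer (403/451) or at the DNS layer (non-zero RCODE)."""
    if status == 403:
        return "blocked-by-policy"
    if status == 451:
        return "blocked-legal"
    if status != 200:
        return "http-error-%d" % status
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", body[:12])
    rcode = flags & 0x0F
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "rcode-%d" % rcode)
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(body, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(body, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", body[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in body[off:off + 4]))
        off += rdlen
    return "answer:" + ",".join(addrs)

def build_response(query, rcode, addrs=()):
    """Constructed sample response: echo the question, set RCODE, and add A
    records whose name is a pointer back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rrs
```

Swapping the GET for a POST with `Content-Type: application/dns-message` is the other RFC 8484 form; the account-in-path property is the same either way.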


> You don't get to control what my devices do just because you control a network they're transiting through.

And if I run a guest wifi in one of the many countries where I have legal obligations to take steps to block illegal traffic because I am ultimately responsible for the emissions of my network, what would you suggest I do?

> DNS doesn't have a rich error vocabulary. For your ad-blocked domains, a traditional DNS server has to either lie (bogus answer) or claim no answer exists (NXDOMAIN or OK 0 answers) but HTTP has a rich variety of error codes.

It's a good thing that DNS has a limited vocabulary of error codes. I want the garbage website to think it couldn't load the ad because of a mysterious DNS issue. Having a reason like "DNSHTTP 486: Blocked by Client" would just make it that much easier for the site to deny you access/track you/detect your blocking activity.


As with steps someone might have a legal obligation to take to prevent people from thinking negative things about the King or to prevent six from being an even number, you should do whatever you feel is appropriate. It might even make a difference. Perhaps you could put up a notice which says "I run guest WiFi here and I have legal obligations to block illegal traffic so, don't do anything illegal".

It's certainly weird to insist it's everybody else's problem that you're subject to legal obligations that may be impossible to fulfil.

If the purpose of this "obligation" is to ensure nobody is technically compliant and so they can arrest, imprison or even execute whoever they want, it doesn't seem like that's my fault, or Mozilla's fault, or any of the authors and acknowledged contributors for RFC 8484. Any more than it's Giuseppe Peano's fault that six is even.

And if (as seems most likely) they're just covering their backside, the notice is probably sufficient.


> And if I run a guest wifi in one of the many countries where I have legal obligations to take steps to block illegal traffic because I am ultimately responsible for the emissions of my network, what would you suggest I do?

This is an oft-overlooked part of these discussions. I manage a public network at a library (which is still the only access point for many people, unfortunately). DNS blacklisting certainly isn't the only tool in the toolkit, but it is one that DoH takes out. I'm genuinely conflicted on DoH because on one hand, I am a privacy advocate, but on the other I run a public network and that comes with certain obligations, both legal (we need to block filesharing) and to customers (we do traffic shaping because the budget is limited and bandwidth isn't cheap).


You do what every company does. Deploy industry standard methods and record your processes. And then when someone comes asking, you show them you did everything right and that is usually the end of it.


That's not the case in the US. Our ISP will absolutely be within their rights to cancel our service if someone on our network is violating their TOS. And we don't really have the money or the standing to fight it.


A world where it’s the local public network operator’s problem to filter client traffic came and went with TLS. You already live in a world where someone who wants to bypass your restrictions can do so trivially. So if you’re not in legal hot water today you won’t be tomorrow with DoH. You deploy whatever non-functional product your country requires for filtering and wash your hands of the responsibility.


> On the other hand, if you actually control your devices DoH shouldn't be a problem, you can have them talk to whichever servers you prefer regardless of the protocol.

I already do tell the devices I control which DNS servers to use via DHCP and IPv6 RA. Firefox is choosing to ignore that by default, and now I have to go through extra steps to solve a problem that Mozilla created by not simply re-using the previous solution (gethostbyname(3)).

At the very least if they had simply used the already existing DoT, instead of inventing a new protocol (DoH), I could have monitored port 953 traffic and seen which devices were broken. Now I have to figure out devices trying to sneak through my policies.


It's good that they didn't use DoT, because then it would be too easy for adversaries who want to do censorship or surveillance to just block port 853.


Do you think that DoH prevents adversaries from doing censorship and/or surveillance?

> DoH encrypts precisely zero data that is not already present in unencrypted form. As it stands, using DoH only provides additional leaks of data. SNI, IP addresses, OCSP and remaining HTTP connections still provide the rest. It is fake privacy in 2019.

* https://twitter.com/PowerDNS_Bert/status/1175744071673028608

In the resulting HTTPS web request you have the hostname anyway. Think that ESNI will save you? Well that's being blocked:

* https://www.theregister.com/2020/08/11/china_blocking_tls_1_...

* https://www.zdnet.com/article/dns-over-https-causes-more-pro...


> DoH encrypts precisely zero data that is not already present in unencrypted form.

What's the point in locking my front door if I leave my window open? And what's the point in closing my window while my front door is unlocked?

This argument is circular. If you want to secure something that is widely insecure, then you have to start somewhere. It's not like people are ignoring SNI and IP addresses. They're just being handled in separate efforts than DNS is.

> Think that ESNI will save you? Well that's being blocked

If you're working with the assumption that any serious attempt to secure hostnames will eventually be blocked, then what's the point of anything at all? Should we just completely give up on security/privacy because the state won't allow it?

We can address ESNI blocks as a separate effort from DNS. We don't have to do literally everything at the same time, it's OK for us to gradually move towards better security and address each problem one at a time.

> Do you think that DoH prevents adversaries from doing censorship and/or surveillance?

Given the amount of complaining I'm seeing from multiple network operators on this very article, yes, there's a pretty strong likelihood that it helps. Because if it didn't, then network operators wouldn't be complaining about it.

How do you square "DoH is useless" with these kinds of comments in your own linked articles?

> In a paper published last month, the SANS Institute, one of the world's largest cyber-security training organizations, said that "the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls."

> "The trend is unmistakable: DNS monitoring will get harder," the Dutch agency said.

> The Internet Watch Foundation (IWF), a British watchdog group with a declared mission to minimize the availability of online child sexual abuse content, also criticized both Google and Mozilla, claiming the browser makers were ruining years of work in protecting the British public from abusive content by providing a new method for accessing illegal content.

Does DoH make blocking/monitoring content harder or not? Is the UK lying when it says that DoH will make it harder for them to block content at the ISP level?


Sounds like eSNI is a good move if China is blocking it.


Sounds like eSNI is a useless waste of effort since its intended audience can't use it.

Meanwhile eSNI/ECH breaks network visibility into the networks I'm responsible for managing (at home and work). If I'm supposed to be a good netizen and make sure that I quickly hunt down malware that's gotten on my network(s), blocking tools and techniques to do just that seems… silly.


> Meanwhile eSNI/ECH breaks network visibility into the networks I'm responsible for managing (at home and work).

Well, don't worry about it, since apparently no one can use it and it'll get blocked, right?

I don't understand the simultaneous argument of "this won't be usable because governments will all block it" and "this is going to make it impossible for me to monitor my network." Both of those arguments can't be correct at the same time; if your government won't block eSNI, then it'll be a privacy boost in your country and it's a realistic path for privacy advocates to pursue. If your government does block eSNI, then why are you worried about your personal network?


I'll do it too, for my own network. But adding it at firewall would be a good/acceptable idea... Currently this probably means running HTTP/S proxy.


_You_ are not in control of _your_ devices. Your television will use this technology to report what shows you're watching to the company that manufactured it; the web browser running on your computer will use this technology to report your activity and retrieve advertisements even if you've tried to block them elsewhere.


It amazes me how people think the world's largest advertising company is pushing DoH out of altruism. That pihole you're running? That 'steals' money from google. DoH gets rid of that.


You can still use ad blocking with DoH. Just pick a DoH server that does so (or run your own) instead of using the default one. Or just use a browser extension like uBlock Origin instead. Nobody's trying to kill your Pi-hole with DoH. They're trying to kill your Pi-hole by serving ads from first-party domains.


You missed the point. OP is talking about app and IoT devs hard coding DoH servers into their products so that they can bypass any tracking, advertising, and privacy restrictions (aka piHole) you put in place.


Devices like that could just hardcode the IP addresses of their ad servers instead, so DoH isn't really the culprit there.


Yeah there’s nothing about DoH that a Google or any IoT device maker couldn’t have done 10 years ago if they really wanted to bypass local DNS servers.


The companies willing to do this already made their products fail to load when their ad domains could not be reached. I tried pi hole for a week and found every ad infested service would just throw an error.

This also means nothing for firefox. Firefox can not use DoH and iot products can just implement it themselves.


How many people would be interested in an open DNS service, with the publicly configurable rules e.g. blocklists/custom dns configurations, or rule-lists like ublock origin? I am thinking of starting one.


If your television or browser are running proprietary software while having network access, you have already lost.

Anything that you can do as a network admin to control "your" devices, an ISP can do to control its users. The sane way to resolve this conundrum is to fix your network endpoints to run only Free software, as the alternative would be facilitating centralized control on the large scale.


Your TV will have its own cellular chip soon to report back data regardless of what you do. Or it will automatically connect to Amazon's mesh network.


You want to use my network you live by my rules. You don't have to connect to it.


So don't let untrusted devices on your network. Once they are on the network they are able to do anything you don't block.


> Are things like DNS sinkholes and domain blacklisting still possible with DoH?

they aren't, which is part of the reason DoH is implemented in the first place.


Yep. The entire point is to make it impossible to block ads at the network level. And since ad companies control the application level too, they then have a complete end-to-end ad delivery stack that you can't tamper with.


Yep. Everything's going to be locked from the bootloader to the screen and you WILL watch the ads.

What I think will really happen is the same thing as everything else. They'll use tech to take away features / abilities we have right now and then rent it back to us as a subscription.

"OpenDNS is now part of Cisco"

Add it up.


We are talking about Firefox, a web browser, that allows you the most control over your computer, has the best adblock technology, on which the author of Ublock origin has said his software runs the best, which comes with built-in anti tracking, which now comes with technology making it harder for public wifi to trick your computer into going to captive portals, often with ads.

And somehow you add this up to making it impossible not to see ads and locked down computers.

How?


Firefox's primary sponsor is still Google. And whether they are pushing it because of malice or just incompetence, DoH was designed and built by Google to protect ad companies from network security. Implementing it by default is a hostile act, and one Mozilla should reconsider.


I have a pihole and have been worried that DoH would break it. I checked the network settings in firefox and the DoH setting is there but it is disabled.

I doubt that chrome will allow one to disable DoH but at least firefox does for now.


I believe Pihole automatically put in the NXDOMAIN entry needed to disable DoH on Firefox for you. But who knows how long Firefox will respect that, since there's nothing stopping ISPs from employing the same strategy to disable DoH.


Even if Firefox stops respecting that due to malicious ISPs using it, you'll always be able to turn off DoH in Firefox's preferences.


For now.

This is one step in the boiling-the-frog process.


>the entire point is to make it impossible to block ads

the entire point is to make it impossible to modify DNS requests at the network level. this has a lot more serious consequences than just blocking ads. especially for the parties involved with this, none of whom are advertising companies. phishing and data security are actual big issues with financial implications that companies want to prevent. just because blocking ads is the consequence that will most immediately impact you personally, doesn't make it the whole point.

this accusation is especially rich on an article about mozilla, one of the few companies fighting to make sure that advertisers don't control the application level.


> phishing and data security are actual big issues with financial implications that companies want to prevent

These are issues exacerbated by DoH, not fixed by it. DoH assists in the circumvention of security and monitoring. We block ads because they're security problems.


>DoH assists in the circumvention of ... monitoring

yes, that's the point. I understand you want to monitor traffic within your network, but forcing clients to use insecure protocols to enable network-wide monitoring means you're enabling network-wide monitoring. and that's the opposite of security.

remember that your browser traffic crosses multiple networks before it hits the website you're trying to connect to. forcing that traffic to be observable and modifiable in your own network means it will also be observable and modifiable by your ISP.


> forcing that traffic to be observable and modifiable in your own network means it will also be observable and modifiable by your ISP

This is factually false. And represents a key part of the problem in the rollout browser vendors have designed: Browsers should not be implementing their own network stacks. It's the wrong place to begin encrypting network requests, but for the "if you're a hammer" crowd, everything looks like a nail.

If the browser respected the OS stack, the OS could decide to encrypt requests, but it isn't given the choice. If the browser respected the network it's in, the network could decide to encrypt requests at the border, but it isn't given the choice.

Browser vendors decided the right choice was to build a product purpose-built to bypass nearly every good method of restricting malware, phishing, and, oh of course, ads. Google and their ilk would happily install ransomware on every PC on the planet if it would guarantee Google Ads couldn't be blocked, and that ISPs couldn't compete with their well-established surveillance tools.

The latter is why any suggestion DoH is to protect user privacy is silly... the user's privacy was compromised by the browser application pre-encryption. They just need you to believe the ISPs are somehow a bad actor for tracking you, so that only they can track you.


Control over DNS is neither necessary nor sufficient to block ads.


It's not sufficient in itself, but it bears most of the load of network-wide management of harmful traffic. It's the 99% effective method.

Endpoint-level control is no longer possible, since ad companies are skipping the OS network stack and bringing their own. Application-level control is less efficient, and more difficult, particularly when the applications are designed by the same ad companies trying to circumvent DNS control as well. (See Manifest V3.)


Any device you didn't have root on was free to work around your DNS server already. This is weak security at best.

DHCP will catch up too. https://datatracker.ietf.org/doc/html/draft-peterson-doh-dhc...


Use MDM and configure the browser. Or block the special probe domain Mozilla has for this purpose.


Yes unfortunately this seems to be the reason. Earlier you could tell the resolver to look at files first and filter with your hosts file the ad and other sites. Now you have to do packet inspection. We are living on a planet that's revolving and evolving ...


Blocking ads at network level is very easy to circumvent. Just serve ads from your domain. It's impossible to block youtube video ads using DNS, for example, you must intercept their API queries and modify them on-the-fly which requires browser extensions or custom apps.


It's easy to circumvent if your ads are first party, as in YouTube's case. Most ads are not. Even most Google websites serve ads from ad-specific endpoints, as opposed to their own domain.


I think that's because those who care about blocking ads will block them anywhere. And the percentage of those who're using pihole or similar methods to block ads is negligible, so they don't really care about that.


And if you're blocking ads you're probably not the desired audience for them anyway.


All you need is to point DoH at your own DNS server


You can't do that with a Chromecast. The goal here is to sell devices which can ensure they always talk to their own DoH endpoint with no ability to secure it.


Chromecast was already bypassing local DNS for years before DoH was even conceived.

Blocking people from using DoH isn't going to solve the problem you are describing, it will just weaken users' privacy. Big vendors like Google will just create their own workarounds.


> Chromecast was already bypassing local DNS for years before DoH was even conceived.

Before DoH though, my understanding is a good gateway appliance could just overwrite those DNS requests as it sees them. Now they'll be encrypted, and you'll have no way to tell the Chromecast where to connect (or even to where it is connecting).


If the possibility of having the DNS packets rewritten was a concern for them, any junior developer could have easily implemented a proprietary REST web service to get the IPs over HTTPS just like DoH. Standardization of DoH in browsers isn't really furthering that issue.


How would they get the first IP for the REST client to contact?


That problem isn't solved by DoH, you still need to hardcode the DoH server IP there too if you intend to bypass the network level settings. So a proprietary system would be no different.

All the major appliance vendors (Google, Amazon) already have huge fixed IP ranges to devote to this purpose, which are effectively unblockable because they might be shared with important cloud services.


> The entire point is to make it impossible to block ads at the network level.

The entire point is to make DNS secure. For every 1 person who uses DNS to block ads, there are many thousands who just use their ISP's DNS servers, and thus remain subject to surveillance, ads, redirects, and other malice. You can't possibly believe in good faith that the entire point or even the primary point of DoH is to hurt the small fraction of people who use DNS to block ads, rather than to protect the much larger set of people who are subject to the whims and financial interests of their ISP.


ISPs do not inject malware and phishing scams, Google Ads does. The benefit of blocking ISP tampering is vastly outweighed by protecting the bad behavior of a far more malevolent party.


Google ads (like most ads) are hosted by websites that intentionally put them there; install an adblocker. Google doesn't MITM sites; ISPs and malicious networks do. ISPs are also known to surveil traffic on their networks.

I'm not disputing that Google ads and tracking, like all other ads and tracking, should be blocked. Run a browser you trust, and run an adblocker. But the widespread use of unencrypted DNS is a problem that needs fixing. And DoH provides the most viable solution for that problem, by running DNS over an ordinary HTTPS connection.


> Google doesn't MITM sites

AMP.


There's legitimate complaints about AMP, but it's not a MITM.


Yeah, I know. I was half sincere, half joking.


> ISPs do not inject malware

Not taking a side on this thread, but just want to point out that Comcast literally has a patent describing just such a mechanism. [0]

[0]: https://patents.google.com/patent/US20120224572


From said patent:

> including weather, emergency broadcast, and police stations

These seem like reasonable uses of this technology. My ISP has tried to inject a copyright violation notice before. (This was hilarious, actually, because it went to a guest in my house's browser, not one of mine, and I almost didn't hear about it at all, because they only sent it that way once... and I had to ask them to send me an actual letter about it with the details, which would've been the straightforward way to tell me in the first place...) Irritations with copyright holders aside, that was a notification of a mark against my account, which is arguably information that needed to be delivered to me.

Meanwhile, Google is preserving their ability to send phishing sites unimpeded.


Not a Verizon customer I take it?


Pardon my ignorance, but can’t you simply host your own DoH server where you choose the domains you want to block, which in turn points to a DNS / DoH server you trust? I guess it wouldn’t be more difficult than hosting your own filtered DNS server like Pi-Hole.


Yes you (or we) can. But you need to manually alter the settings every time a new ff version is out. And other people can not. Brave new world. BTW how is Brave at this chapter?


Why would you need to manually change your settings every time a new Firefox version is out? Firefox has settings UI to point to the DoH server of your choice and that setting does not get reset by new Firefox versions:

https://support.mozilla.org/en-US/kb/firefox-dns-over-https#...


Why every time? Isn't this a user config that overrides whatever default there is?


Here's a blog post from someone who uses nginx 'doh-to-dns' to connect their DoH clients to Pi-hole.

So, yes you can blacklist domains, as long as you can configure the DoH servers that the client uses.


> as long as you can configure the DoH servers that the client uses.

Which now involves not just getting every machine, but every application on every machine


Devs will just hard code DoH servers into their products so that you can't block their tracking and ads.


I think you left the link out.




Yes they are but you'd have to run your own DoH server or follow the instructions to disable DoH like an ISP would (the possibility of which makes one wonder what the whole point is.)


Or just use one of the many public DoH servers that already do this.


They won't block my specific list of websites (reddit.com for example.)


Don't NextDNS and OpenDNS both let you do that?


Even if they do, you're now sending all of your DNS queries to some external service. That's a pretty serious privacy violation, even worse than 8.8.8.8.


Isn't this what basically everyone does anyway pre-DoH? Most people don't run their own recursive resolvers.


No, pre-DoH people are sending their queries to their ISP, not to a third party.


Do you not count your ISP's DNS server as "some external service"? Where did you get "third party" from?


Still possible. The control moves from your home network, corporate network or local ISP to the default DoH resolvers defined in the browser. This can be changed, but we know most people outside of a corporation will not change this. So in this case, CIRA will be logging DNS requests and sink-holing undesirable domains presumably by Canadian standards.

People can still use browser add-ons to block domains, URLs, objects on sites, etc... uBlock is my favorite for this.


They aren't possible for the network to unilaterally impose on unwilling users. They're still possible if the user actually wants it, by just setting their client's DoH server to one that does them.


A network suggests a DNS server

You can choose to use that server or not

If a network intercepts your DNS traffic, you can encrypt it yourself. If you don't trust the network you should be encrypting everything anyway


> You can choose to use that server or not

If you're not using DoH, a malicious network will just redirect your requests to legitimate DNS servers to instead go to its own.


Can you expand on this a little more? I do not understand the reasoning here


The tools to administer a home network, such as DNS blocking and DNS sinkholes, are the same tools nations use to administer their populaces. If the default in Firefox is to enable blocking and sinkholes for the home administrator's benefit, it will similarly be to the benefit of oppressive administrations.

Home administrators who control their endpoints can turn DoH off with relative ease. By comparison, most governments cannot.


It would be nice if it would check the resolver config files (like the hosts file) with it enabled though.

That was a really easy way to block harmful stuff or name things without requiring DNS. Having to choose between encryption and easy configuration is pretty poor UX.


Naively, that seems like something that could be a very useful configuration option to set! Though I can also see why you might default to having it off if you don't trust the host resolver very much in the country-administering-people case.


You have to trust the local OS config. No amount of clever application programming will ever let you get around that.


The vast majority of people don't run their own DNS server, or have any control over the DNS server they use.

Most people use their ISP's or organization's DNS server, and have no control over it; instead, it's something used against them. In many cases, that DNS server may do some combination of tracking, redirection to ads, or other things that make it undesirable to use.

DoH eliminates one of the last major unencrypted protocols on the Internet, and instead uses an encrypted protocol to talk exclusively to the intended server without the possibility of interception.

If you want to talk to your ISP's DNS server, you're free to do so. But that should be your choice, not your ISP's.


DoH makes widespread censorship and surveillance via intercepting plaintext DNS queries much more difficult.

Of course, this is just one weapon in the arms race. It doesn't completely protect you, but every bit helps.


I think it's an extremely inelegant and overkill solution to a real problem. So, the web in a nutshell.


> DoH. It seems like there a ton of unnecessary overhead added

This. Why the hell everyone ignores DoT, much simpler one? Yes, China, censorship, but Canada? And I’m still unsure if there are http cookies in DoH, or not, or possibly maybe…


> Are things like DNS sinkholes and domain blacklisting still possible with DoH?

Surely they are... but the guy might not be your ISP but Cloudflare.

EDIT: In Canada that would be that so-called CIRA (by default). But you always have control who can pollute your DNS, right?


Oh, as an addition, the one that really protects you from fake DNS records is DNSSEC (given you have trust on ICANN or so).



