
posted by Fnord666 on Saturday October 05 2019, @07:11PM   Printer-friendly
from the can't-see-where-you're-going dept.

Submitted via IRC for chromas

Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move

In a fact sheet published this week, the Dutch National Cyber Security Centre (NCSC) explains how DNS monitoring will become more difficult as modern encrypted DNS transport protocols gain popularity.

The fact sheet is aimed at system and network administrators and security officers who want to move to DNS over TLS (DoT) and DNS over HTTPS (DoH), two encrypted DNS transport protocols that offer increased security and confidentiality.

Both are designed to carry DNS resolution over an encrypted channel instead of the currently common plain-text lookups on port 53: DoT wraps DNS messages in a TLS session (normally on TCP port 853), while DoH sends them as HTTPS requests and responses, so the lookups are indistinguishable from ordinary web traffic on port 443.

Google and Mozilla are both running DoH trials for their browsers. Chrome upgrades to a provider's DoH server only if the user's current DNS provider is on a pre-defined whitelist of providers that offer one (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9); otherwise it leaves the existing resolver in place.

By only upgrading DNS resolution to DoH when the user's current DNS provider is supported, Google expects the user's DNS resolution experience to stay the same.
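What a DoH lookup actually looks like on the wire, as an added example (not code from the article or the NCSC fact sheet): it builds a DNS query in the normal wire format, shows the two ways RFC 8484 carries it over HTTPS (a GET with a base64url `dns` parameter, or a POST with `Content-Type: application/dns-message`), and parses a response. The resolver URL `https://dns.example/dns-query`, the host name `dns.example` and the response bytes are constructed for the example; nothing is sent over the network.

```python
"""DNS-over-HTTPS (RFC 8484) message framing, offline.

Added example, not from the article.  The DNS payload is identical to a
classic port-53 query; only the transport changes, which is exactly why
port-53 based monitoring no longer sees it.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Wire-format query with RD=1.  RFC 8484 s.4.1 recommends ID 0 for
    GET so identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url without '=' padding (RFC 8484 s.6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_post_request(host: str, path: str, query: bytes) -> bytes:
    """POST form: raw DNS message as the HTTP body."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Accept: application/dns-message\r\n"
        f"Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s.4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes):
    """Return (rcode, [(name, rtype, ttl, rdata_as_text), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):           # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(map(str, rdata)) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, answers


# Constructed answer a resolver might return (192.0.2.1 is a documentation
# address, not a real record): QR=1 RD=1 RA=1, one question, one A record
# whose name is a pointer back to offset 12.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(doh_post_request("dns.example", "/dns-query", q).decode("latin-1"))
    print(parse_response(CONSTRUCTED_RESPONSE))
```

The GET URL it prints starts with the same `dns=AAABAAABAAAAAAAA...` prefix as the RFC 8484 examples, because the 12-byte header (ID 0, flags 0x0100, QDCOUNT 1) is fixed for every A query; a proxy that can see inside TLS could still recognise that prefix, but without TLS interception the request is just another HTTPS exchange.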

Mozilla's DoH experiments have already drawn criticism from network admins and Linux distribution maintainers over the decision to enable DoH by default and to use Cloudflare's DoH server rather than the user's existing DNS provider.

Senior scalability engineer Kristian Köhntopp said that Mozilla is "about to break DNS", since Cloudflare would be used for DNS resolution instead of the default server assigned by system administrators, leaking the addresses of websites visited inside corporate environments to Cloudflare.

Peter Hessler, an OpenBSD developer, tweeted at the time that OpenBSD had disabled DoH in its Firefox package in the current releases and will also disable it in future ones, since "sending all DNS traffic to Cloudflare by default is not a good idea."

  • (Score: 3, Interesting) by zocalo (302) on Saturday October 05 2019, @10:09PM (#903218)
    Try thinking about it from the perspective of a luser or corporate network admin that expects their security package to prevent browsers from inadvertently visiting harmful sites. Typically, these tools work by intercepting DNS requests and URLs, comparing them with the security vendor's blacklists, and allowing/denying access on the fly, with (normally) the ability for a user to whitelist sites if they really want to. Unless you're prepared to let your security software install a fake root CA or some kind of plug-in into the browser (both of which have their own pros and cons), DoH kills that functionality and leaves you entirely reliant on your DoH provider(s) to provide any such filtering, while making whitelists rather more awkward - if not impossible - to implement. There's also no guarantee they won't be issued with an NSL or similar requiring them to capture your DNS requests and hand them over.

    Sure, preventing your ISP, government, or any other MitM, from intercepting and listening in on your DNS lookups is a definite plus (in some places much more than others), but DoH is definitely not without its problems and absolutely not a universal panacea for DNS security and privacy concerns. As always, if you *really* care about your privacy and security, then you need to roll your own solution. In this case, getting a *nix box running a local recursive DNS/DoH resolver, or a Raspberry Pi running Pi-Hole, would probably be a much better part of a defence in depth solution than just blindly relying on your browser and someone like Cloudflare.
    --
    UNIX? They're not even circumcised! Savages!