
posted by Fnord666 on Saturday October 05 2019, @07:11PM
from the can't-see-where-you're-going dept.

Submitted via IRC for chromas

Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move

In a fact sheet published this week, the Dutch National Cyber Security Centre (NCSC) explains how DNS monitoring will become more difficult as modern encrypted DNS transport protocols gain popularity.

The fact sheet is aimed at system and network administrators and security officers who want to move to DNS over TLS (DoT) and DNS over HTTPS (DoH), DNS encryption protocols that offer increased security and confidentiality.

Both DoH and DoT are designed to carry DNS resolution over encrypted connections (TLS for DoT, HTTPS for DoH) instead of the currently common plain-text DNS lookups.

Google and Mozilla are both running DoH trials for their browsers. Chrome will upgrade to a provider's DoH server if that provider is present on a pre-defined whitelist, or to a shortlist of fallback providers (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9) if not.

By upgrading DNS resolution to DoH only when the user's current DNS provider is supported, Google believes that the user's DNS resolution experience will stay the same.

Mozilla's DoH experiments have already been met with criticism from network admins and Linux distro maintainers after the decision to enable DoH by default and to use Cloudflare's DoH server rather than the user's existing DNS provider.

Senior scalability engineer Kristian Köhntopp said that Mozilla is "about to break DNS", since Cloudflare will be used for DNS resolution instead of the default server assigned by system administrators, leaking the addresses of websites visited inside corporate environments to Cloudflare.

Peter Hessler, an OpenBSD developer, tweeted at the time that OpenBSD has disabled DoH in its Firefox package in the current releases and will also disable it in future ones, since "sending all DNS traffic to Cloudflare by default is not a good idea."

  • (Score: 2, Insightful) by Anonymous Coward on Saturday October 05 2019, @10:10PM (2 children)

    by Anonymous Coward on Saturday October 05 2019, @10:10PM (#903219)

    Namecoin? There have been alternate roots for almost as long as there has been DNS.

    The recent court case over NN could have fixed this whole thing by acknowledging that DNS is a switching algorithm (not unlike a routing protocol) that just happens to use readable glyphs (not unlike vanity phone numbers). But being federal courts they've decided in the most unconstitutional way possible. Nice legacy that.

    I am confident that in my own case (I use foreign DNS) the carrier is intercepting DNS which isn't even destined to their servers. I checked by running a series of DNS queries without any other traffic, and found that over time, yes, my advertising did change to reflect those lookups. Of course many domain names are trademarked, so the use of them by the carrier by means of surveillance to generate revenue is de facto trademark infringement. But hey, the Federal courts said: "FUCK YOU, YOUR TRADE MARKS, YOUR PRIVACY AND YOUR INTELLECTUAL PROPERTY YOU MOTHERFUCKERS!" to the entire Internet in no uncertain terms just the other day. (Yes, they said it in all caps.)

    TOR moved in the right direction, but it didn't have a workable economic model. There really isn't a reason DNS couldn't be re-engineered to be P2P and crypto-hopped like TOR is. It is only one datagram, so running DNS TOR-style is way way cheaper than running all traffic over TOR. IMHO the best scheme is to have a block chained crypto-hopped p2p resource-lookup with an integrated session-key exchange. That way nameservice was 100% validated, but traffic only needs a single cipher thickness (instead of 3 like TOR uses). A system like that would deprecate both DNS and HTTP at the same time.

    Orchidprotocol is working on a nice solution that has an integrated economic model. There is some question as to whether their model will scale.

    Protocol dev isn't that hard. It is amazing more people don't do it. I've done it in Perl, which pretty much just uses the C socket handles directly for packet munging. My C isn't very good, so I've never done it in C or C++.

    In the case of DNS, the hard part is getting past the requirement for prior knowledge (as in key exchange) for validating the root. If a system is P2P and consensus based, then there is no root. So how do you validate original registration? Blockchain does that, but it won't save you from trademark Nazis. Though now the Fed has basically said that DNS is a state-level problem. So then trademarks as domains shouldn't even be adjudicatable at the federal level anymore. Bet those motherfuckers didn't cogitate on that now, did they?

    Anyhow, happy end of the world. I'm stocking up beer and peanuts. CNN will be running drones over the wreckage of the country, and the cable cabal will have online betting on the victor. That is when you can get CNN. Mostly you'll only get the "United Comcastia News" most of the time since there will be no more United States. That is the direction the judiciary is taking us in. It is unfathomable.

    DNS caching is the residual bathroom fart of Internet engineering. But apparently to the courts, it means that extending the sovereign right to appropriate intellectual property onto a few megacorps is totally different than extending the sovereign right to incarcerate onto cotton farmers. It isn't unreasonable to call the carriers de facto agencies of state at this juncture. The courts are saying that the carriers can have their cake and eat it too. Jefferson Davis had similar thoughts.

  • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @02:02PM

    by Anonymous Coward on Sunday October 06 2019, @02:02PM (#903360)

    Very interesting, thank you! Your own experiment is fascinating and one I think I ought to try, too. It ought to be 'contagious' across all devices at a given IP as the ISP's data is fed into the identity graphs of advertisers, who will have more granular per-device data. That per-device data is much more per-identity than the IP, but without going into common correlations, which would probably not be computationally profitable in this prequantumcomputingusedforadvertising* world, only timing data would be needed. By only emitting the spurious DNS requests when whatever devices are connected and have traffic over a threshold, I guess that could be feigned. Then, e.g., making Bob start getting ads for the /strangest/ things might be feasible? Hm!

    Though, at one point I was... surprised. I'm nodding, nodding...

    Protocol dev isn't that hard. It is amazing more people don't do it.

    ..nodding...

    I've done it in Perl

    ...uuuuunh. Perl works so ridiculously cleanly for this. And yet it feels so wrong, I guess in part because it's essentially restricted to host layer (or even application layer).

    *from the German

    PS - excellent use of 'unfathomable'.

  • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @09:29PM

    by Anonymous Coward on Sunday October 06 2019, @09:29PM (#903498)

    It's easy to run DNS queries over Tor. You'll be limited to UDP traffic. That limitation still allows you to get IP addresses, just not extended DNS info.

    That will hide where the query came from. However, a bad exit server could send you dangerous results.

    Tor needs a way for clients to specify which DNS servers to hit. Not easy to securely avoid evil exit servers. On a server you own, you can specify a list of acceptable DNS servers and block all others with a firewall. I never use Google or Cloudflare. Sadly, even OpenDNS thinks it knows best. I don't use them either.

    We need all DNS servers to adopt DoT and DoH DNS traffic. DoT could be useful for resolving servers to contact authoritative servers that support DNSSEC and DANE.
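The NCSC's point in the article is that a network monitor which today reads plain-text DNS loses that view once clients move to DoT or DoH, and the comment above suggests the complementary control: an allowlist of acceptable resolvers enforced at the boundary. The following script is an added example (not code from the NCSC fact sheet, the article, or any commenter) that shows both sides at once: it classifies constructed flow records into plain DNS, DoT and DoH, flags resolution traffic sent to resolvers outside a local allowlist, and reports how much of the name-resolution traffic has become unreadable to a DNS monitor. The flow-record shape (a Zeek-like summary with an optional TLS server name), the internal resolver addresses and the sample flows are all assumptions constructed for the example; the public endpoint names and addresses are the well-known ones of providers the article lists.

```python
"""Classify name-resolution traffic at a network boundary (added example).

Shows what a DNS monitor can still read (plain UDP/TCP 53), what has moved to
encrypted transports (DoT on 853, DoH on 443 recognised by SNI or resolver IP),
and which clients talk to resolvers outside a local allowlist.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summary as a sensor such as Zeek would emit (assumed shape)."""
    src: str
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    sni: str = ""   # TLS server name, when the sensor captured one


# Constructed allowlist of the organisation's own resolvers (assumption).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Well-known DoH hostnames and anycast addresses of providers named in the article
# (Google, Cloudflare, Quad9, OpenDNS). Extend from your own threat-intel feed.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}


def classify(flow: Flow):
    """Return 'plain', 'dot', 'doh', or None when the flow is not name resolution.

    Caveat: DoH to an endpoint that is neither in DOH_HOSTS nor DOH_IPS, or whose
    SNI is encrypted, is indistinguishable from ordinary HTTPS. That blind spot is
    exactly the monitoring loss the fact sheet describes.
    """
    if flow.dport == 53:
        return "plain"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"
    if flow.dport == 443 and flow.proto == "tcp" and (
        flow.sni in DOH_HOSTS or flow.dst in DOH_IPS
    ):
        return "doh"
    return None


def summarize(flows, approved=frozenset(APPROVED_RESOLVERS)):
    """Per client: counts by transport and the set of non-allowlisted resolvers used."""
    report = defaultdict(lambda: {"plain": 0, "dot": 0, "doh": 0, "unapproved": set()})
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        entry = report[f.src]
        entry[kind] += 1
        if f.dst not in approved:
            entry["unapproved"].add(f.dst)
    return dict(report)


def encrypted_share(report):
    """Fraction of observed resolution flows a plain-DNS monitor can no longer read."""
    total = sum(e["plain"] + e["dot"] + e["doh"] for e in report.values())
    encrypted = sum(e["dot"] + e["doh"] for e in report.values())
    return encrypted / total if total else 0.0


# Constructed sample flows: three internal clients, one of which has a browser
# auto-upgraded to a public DoH provider, one using DoT to Quad9, one using plain
# DNS to Google, plus one ordinary HTTPS flow that must not be counted.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.0.0.53", 53, "udp"),
    Flow("10.1.1.5", "1.1.1.1", 443, "tcp", sni="cloudflare-dns.com"),
    Flow("10.1.1.5", "10.0.0.53", 853, "tcp"),           # internal resolver offering DoT
    Flow("10.1.1.7", "9.9.9.9", 853, "tcp"),
    Flow("10.1.1.7", "93.184.216.34", 443, "tcp", sni="example.com"),
    Flow("10.1.1.9", "8.8.8.8", 53, "udp"),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_FLOWS)
    for host, entry in sorted(result.items()):
        print(host, entry)
    print(f"encrypted share of resolution traffic: {encrypted_share(result):.0%}")
```

In practice the allowlist check is what a firewall rule set enforces (permit 53, 853 and known DoH endpoints only toward approved resolvers), while the classification feeds the monitoring side: a client whose `doh` count rises while its `plain` count falls has been auto-upgraded by its browser, and a `dot`/`doh` flow to an approved internal resolver is the intended end state rather than an alert.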