
posted by Fnord666 on Wednesday February 26 2020, @02:37PM
from the and-everyone-else-on-the-network dept.

Arthur T Knackerbracket has found the following story:

Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.

"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.

Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.

Also at:
Mozilla Blog
The Register

Previously:
Firefox Begins Enabling DNS-over-HTTPS for Users


    by edIII (791) on Thursday February 27 2020, @01:33AM (#963265)

    Configure the router to DROP all packets if they're related to DNS, and then DROP all packets to known DNS servers. Just like we create RBLs for other purposes, we could have lists for hosts & domains that serve DNS. I'm creating a small list right now.


    Once that is thoroughly blocked, create your own recursive DNS server. I already have one running in PFsense, and it has fully functioning SSL/TLS DNS query support.

    The only issue though is.... where does it get its own DNS queries resolved? So unfortunately you're still left with DNS queries that can be scraped from the traffic data. I don't know of any public trustworthy DNS servers that also serve SSL requests. Not at least any that are free, and you still need to trust the provider. You can go to VeriSign today and purchase SSL DNS service, and they CLAIM they would never, ever, ever violate your privacy for profit. They sound just like AT&T, Verizon, and all the fuckwads that did exactly that. There is ZERO reason to trust any large corporation about what they say, and every reason to trust that it's just a PR campaign that has nothing to do with the decision making of toxic c-suites and greedy board members.

    What you're left with is running a router in the cloud, or a data center, and then operating your own SSL/TLS DNS resolver. Which is what I do. I route normal and SSL DNS queries from multiple locations to an SSL/TLS DNS resolver in a data center, using SSL/TLS to protect the packets in transit. Queries are resolved against the DNS servers I'm provided with there. All I've accomplished is in concentrating the queries into one place, to be resolved in a way that could still be monitored. That being said, I think you could trust a data center more. Volume is much higher, and data centers themselves don't seem to have any real interest in data collection at the moment. I'm sure that's a consequence of them serving businesses and not consumers, as businesses tend to get funny about business data being slurped up without compensation.

    It's very similar to Bayesian poisoning with shopping reward cards. The more people using the same card, and the more diverse and eccentric their purchases are, the less they're able to resolve about you in particular. That, and just for fun, occasionally, I'll buy some Chiclets, Saran Wrap, Ex-Lax, a toilet plunger, and beef bouillon. Figure that shit out marketers :)

    --
    Technically, lunchtime is at any moment. It's just a wave function.

    by Fishscene (4361) on Thursday February 27 2020, @03:58PM (#963546)

    Thanks for posting this list!

    As for your question of the DNS resolver...
    My DNS chain is:
    PiHole > Gateway router > External DNS provider

    The trick is in the internal logic of the gateway router itself:
    Gateway Router LAN > Gateway Router itself > Gateway Router WAN

    My firewall is set to block all DNS traffic that originates from the Router LAN port destined for the Internet. This allows the gateway router itself to send/receive DNS packets.
    Basically, if you aren't using *MY* DNS server on my internal network, you're not using anyone's.

    Now for DNS over HTTPS. I don't have a real solution for that yet, so I've resorted to just blocking HTTPS traffic to known locations. But let's be honest, this is going to be an ever-growing game of whack-a-mole.

    --
    I know I am not God, because every time I pray to Him, it's because I'm not perfect and thankful for what He's done.
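Added example, not code from either commenter: a POSIX shell script that prints an nftables ruleset implementing the policy both posts describe (edIII's "drop all DNS, then drop packets to known resolvers" plus Fishscene's LAN-to-WAN DNS block that leaves the router's own resolver untouched). The interface names are placeholders, and the blocked set is a handful of well-known public resolver addresses (Cloudflare, Google, Quad9, OpenDNS) that you would extend yourself.

```shell
#!/bin/sh
# Constructed values for this example; change them to match your network.
LAN_IF="${LAN_IF:-lan0}"    # interface facing LAN clients (and the Pi-hole)
WAN_IF="${WAN_IF:-wan0}"    # interface facing the ISP
# Public resolver addresses to block; extend these sets as you discover more.
DOH4="1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, 208.67.222.222, 208.67.220.220"
DOH6="2606:4700:4700::1111, 2606:4700:4700::1001"

# Print an nftables ruleset implementing the thread's policy:
#  - plain DNS (53) and DNS-over-TLS/QUIC (853) from the LAN toward the WAN is
#    dropped, so clients can only resolve via the internal resolver on the LAN
#  - HTTPS from the LAN to the known resolver addresses is dropped (DoH)
#  - the router's own input/output chains are untouched, so the router's
#    resolver (and the Pi-hole forwarding to it) still reaches upstream
gen_ruleset() {
    cat <<EOF
table inet dnspolicy {
    set doh4 { type ipv4_addr; elements = { ${DOH4} } }
    set doh6 { type ipv6_addr; elements = { ${DOH6} } }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "${LAN_IF}" oifname "${WAN_IF}" udp dport { 53, 853 } counter drop
        iifname "${LAN_IF}" oifname "${WAN_IF}" tcp dport { 53, 853 } counter drop
        iifname "${LAN_IF}" oifname "${WAN_IF}" ip daddr @doh4 tcp dport 443 counter drop
        iifname "${LAN_IF}" oifname "${WAN_IF}" ip6 daddr @doh6 tcp dport 443 counter drop
    }
}
EOF
}

# Dry-run the ruleset through nft's parser (-c) when nft is installed; prints
# a note and returns 0 when it is not, so the script can be tried on any box.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Count the drop rules so a caller can sanity-check the generated policy.
drop_rule_count() {
    gen_ruleset | grep -c ' counter drop$'
}

gen_ruleset
```

Run `check_ruleset` as root to have nft validate the output, then `gen_ruleset | nft -f -` to load it. As Fishscene notes, the IP-based DoH part needs continual upkeep, and it also blocks ordinary HTTPS to those addresses.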