
posted by martyb on Friday June 26 2020, @11:07PM   Printer-friendly
from the defeating-the-purpose-(DoH!) dept.

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.

This means the ISP, which has joined Moz's Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.

[...] At some point in the near future, Firefox users subscribed to Comcast will use the ISP's DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.

[...] Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers' web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here's Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.

ISPs "have access to a stream of a user’s browsing history," Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS."

Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program's rules.



  • (Score: 1, Touché) by Anonymous Coward on Friday June 26 2020, @11:17PM (16 children)

    by Anonymous Coward on Friday June 26 2020, @11:17PM (#1013026)

    And, no lie, I just donated to Mozilla today. I hope I can get my credit card company to reverse that!

    • (Score: 1, Touché) by Anonymous Coward on Friday June 26 2020, @11:26PM

      by Anonymous Coward on Friday June 26 2020, @11:26PM (#1013033)

      Hello Corporatism, hello Fascism, hello Mozilla, hello Google, hello Comcast, Hello Visa, Hello Mastercard!

      Donate to Black Lives Matter [wikipedia.org] today, the revolution can only be realized by a Marxist organization with near 100% corporate support.

    • (Score: 0) by Anonymous Coward on Friday June 26 2020, @11:39PM

      by Anonymous Coward on Friday June 26 2020, @11:39PM (#1013037)

      aaactually, yes, yes you can. Within at least 10 days since date of the transaction or so.

      Do a chargebaaaaaaaaack. CB.

      These are bad for merchants' credit rating, and might make their credit card acquirer "offer" the merchant longer settlement times, and higher % on transactions.
      Enough of these, and I'm pretty sure they lose their 3D Secure by Mastercard and SafeKey by Amex and whatever Visa has to justify that extra fee in the acquirer's price package...

    • (Score: 4, Insightful) by Anonymous Coward on Friday June 26 2020, @11:53PM (12 children)

      by Anonymous Coward on Friday June 26 2020, @11:53PM (#1013040)
      • (Score: -1, Flamebait) by Anonymous Coward on Saturday June 27 2020, @12:09AM (11 children)

        by Anonymous Coward on Saturday June 27 2020, @12:09AM (#1013044)

        Are they going to fire pink-hair transgenders to make room for all these Black and Latinx quota hires, or is the goal to completely replace all the competent employees?

        • (Score: -1, Flamebait) by Anonymous Coward on Saturday June 27 2020, @12:30AM (1 child)

          by Anonymous Coward on Saturday June 27 2020, @12:30AM (#1013049)

          It doesn't matter what you identify as. Black is now at the top of the stack.

          • (Score: 0, Informative) by Anonymous Coward on Saturday June 27 2020, @12:47AM

            by Anonymous Coward on Saturday June 27 2020, @12:47AM (#1013055)

            ^ White fragility in action. I identify as black and lesbian, lick my ballsack!

        • (Score: 0, Insightful) by Anonymous Coward on Saturday June 27 2020, @12:34AM (7 children)

          by Anonymous Coward on Saturday June 27 2020, @12:34AM (#1013051)

          Obligatory fuck you racist dickbag

          • (Score: 2, Informative) by Anonymous Coward on Saturday June 27 2020, @12:44AM (3 children)

            by Anonymous Coward on Saturday June 27 2020, @12:44AM (#1013054)

            Obligatory hiring people based on skin color instead of qualifications is racism, you racist dickbag.

            • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @01:16AM

              by Anonymous Coward on Saturday June 27 2020, @01:16AM (#1013063)

              Not if you're doing it to fuck the white man. #BLM

            • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @04:56AM (1 child)

              by Anonymous Coward on Saturday June 27 2020, @04:56AM (#1013146)

              Maybe if you and your community weren't racist assholes pushing harmful policies, disenfranchising minority voters, and cheering on police brutality THEN we could get rid of affirmative action.

              AA is a lame solution to a big problem, but assholes like yourself are busy saying there is no problem while police continue to murder and minorities are still screwed out of their Constitutional rights.

              But sure, be a whiny little bitch and take no responsibility for your community or your shitty beliefs which prevent you from getting jobs with reasonable people.

              • (Score: -1, Troll) by Anonymous Coward on Saturday June 27 2020, @05:41PM

                by Anonymous Coward on Saturday June 27 2020, @05:41PM (#1013312)

                "racist" is a loaded term, which assumes that being a racialist is a bad thing. No matter who uses it, the underlying propaganda (that protecting or promoting your race is wrong) is still being re-enforced. The people who devised this propaganda won't be mixing their genes, but if you don't, you're evil.

                I don't want to live in a multicultural society, but while i still do, i have no desire for races other than my own to be treated *unfairly*. "Unfairly" does not mean i agree to be stolen from to "help" someone else. I don't owe other races anything and i will use overwhelming, merciless force to protect my/my people's holdings.

                Police murder whites more than anyone else, and we are all slaves in the government and their henchmen's eyes: not just "minorities" (another propaganda term). People who cower to federal anti-discrimination law are not "reasonable people" but simply dumb, brainwashed slaves. I've hired people of different races, but it's always been based on merit and what the business needs, not what some globalist communist tells me to do. Now i prefer to do business with my own people when possible. If that causes someone else somewhere to have less, that is not my fucking problem.

                Assuming you're white, you better educate yourself on Jewish Supremacy, The Holodomor, the truth about ww2, and the White Genocide which is well under way now, while you still can. You think the people you are so worried about give a shit about you? Just look at what happens at the protests, chaz/chop, etc to get a glimpse of your future, Right before they chop your white head off, of course.

          • (Score: 0, Troll) by Anonymous Coward on Saturday June 27 2020, @01:27AM (1 child)

            by Anonymous Coward on Saturday June 27 2020, @01:27AM (#1013067)

            In the not-too-distant future, you are going to be cleaning toilets for a nice middle class Chinese family. And when you think about how you arrived at that sorry state, you'll realize what a sucker you were for falling for SJW nonsense. #WLM

          • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @04:29PM

            by Anonymous Coward on Saturday June 27 2020, @04:29PM (#1013288)

            I didn't know transgender is a race.

        • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @09:05AM

          by Anonymous Coward on Sunday June 28 2020, @09:05AM (#1013611)

          Literally where have you been for the past 21ish years Mozilla has existed? Competency hasn't existed there in that entire time.

          Hell they only survived long enough to JIT javascript because some non-mozilla developer created Phoenix nee Firefox using GTK(2?) for the UI allowing the gecko browser engine to run fast enough and with low enough memory to gain mindshare before they bloated it back up with a 'fresh' XUL UI, albeit one much reduced from the disastrous mess that was the AOL-Netscape XUL browser.

          And quite frankly anyone who has used Seamonkey in the past decade can vouch that it is actually smaller in both disk usage and memory footprint than a modern iteration of Firefox despite having Mail, News, Composer and IRC built in!

          Mozilla as an organization has been fucked up for 2 decades, and anyone who has been donating in that time really hasn't paid attention to their conduct at a professional level.

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @06:47AM

      by Anonymous Coward on Saturday June 27 2020, @06:47AM (#1013164)

      Under the rules, probably not unless you get really creative. Practically, probably because they won't care enough to fight it.

  • (Score: 1, Interesting) by Anonymous Coward on Friday June 26 2020, @11:18PM (1 child)

    by Anonymous Coward on Friday June 26 2020, @11:18PM (#1013027)

    You can get fucked by Comcast and Firefox at the same time, or you can get fucked by Google once.

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @12:03AM

      by Anonymous Coward on Saturday June 27 2020, @12:03AM (#1013041)

      https://brave.com/ [brave.com]

  • (Score: 3, Insightful) by SomeGuy on Friday June 26 2020, @11:47PM (10 children)

    by SomeGuy (5632) on Friday June 26 2020, @11:47PM (#1013039)

    This whole DNS over HTTPS stuff just doesn't make much sense. A client's DNS query should normally go to a DNS server provided by the ISP. There should be little need to encrypt that, as this should only travel over the ISP's network.

    Now, the main reason to use a non-ISP DNS server is to avoid intentionally corrupted DNS servers that redirect to advertising. Why such poisoned DNS servers are even legal is just one small example of how fucked up this world is. But what prevents DNS over HTTPS providers from doing the same thing? Nothing?

    Unless you intentionally use another DNS, the ISP already has your DNS browsing data anyway, so why shouldn't they also provide a DNS over HTTPS server in addition to DNS? (Please tell me nobody is planning to drop DNS any time soon).

    • (Score: 0, Insightful) by Anonymous Coward on Saturday June 27 2020, @12:12AM (5 children)

      by Anonymous Coward on Saturday June 27 2020, @12:12AM (#1013045)

      > There should be little need to encrypt that

      Do you really want your ISP knowing that you visit chickenlovers.com? And selling that info to the highest bidder?

      • (Score: 3, Informative) by Anonymous Coward on Saturday June 27 2020, @12:48AM (2 children)

        by Anonymous Coward on Saturday June 27 2020, @12:48AM (#1013056)

        But your ISP already knows you're going to the IP address that chickenlovers.com resolves to... unless there's some sort of name-based virtual hosting going on such that totallynotchickenlovers.com resolves to the same IP address, your ISP already knows you're going to chickenlovers.com... Even in the case of name-based virtual hosting, they can probably guess, which should be good enough for selling to the highest bidder.

        • (Score: 2) by Subsentient on Sunday June 28 2020, @05:58AM (1 child)

          by Subsentient (1111) on Sunday June 28 2020, @05:58AM (#1013580) Homepage Journal

          Exactly. Secure DNS doesn't help much, they can just use reverse DNS on whatever IP addresses you visit.

          --
          "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
          • (Score: 0) by Anonymous Coward on Monday June 29 2020, @02:25AM

            by Anonymous Coward on Monday June 29 2020, @02:25AM (#1013952)

            They don't even have to do that. Most protocols in use today, including HTTP, SMTP, IMAP, and TLS, send the domain name of the server you are communicating with in the clear.

      • (Score: 3, Informative) by Anonymous Coward on Saturday June 27 2020, @12:48AM (1 child)

        by Anonymous Coward on Saturday June 27 2020, @12:48AM (#1013057)

        If you are using your ISP's DNS/resolver/whatever then THEY ALREADY KNOW THAT and are selling that data.

        If you are using someone else's DNS/resolver/whatever then SOMEONE ELSE now knows that and is selling that data.

        HTTPS does NOT CHANGE THAT.

        HTTPS does not prevent you from connecting to a server that does bad things.

        HTTPS does not protect your data once it reaches that remote server.

        HTTPS is not not fucking magic.

        • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @06:00PM

          by Anonymous Coward on Saturday June 27 2020, @06:00PM (#1013320)

          Some of us live in real world, as opposed to the world of sunshine and rainbows where government don't like to command what you should and should not watch.

    • (Score: 3, Informative) by deimtee on Saturday June 27 2020, @01:27AM

      by deimtee (3272) on Saturday June 27 2020, @01:27AM (#1013066) Journal

      For those not in the USA, the most common reason for using non-ISP DNS is to bypass blocking. Those of us in "less free" countries see only a big legal notice advising that we seek legal copies if we use ISP DNS to go to, for instance, The Pirate Bay. [thepiratebay.org]
      Change to GoogleDNS or OpenDNS and these silly notices go away.

      --
      If you cough while drinking cheap red wine it really cleans out your sinuses.
    • (Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @01:39AM

      by Anonymous Coward on Saturday June 27 2020, @01:39AM (#1013073)

      You skipped a step.

      The DNS request goes to the local DNS server FIRST.

      This is exceedingly important in both home networks and corporate enterprises.

      Home use: I just want to connect to my NAS - why is my request going FIRST to an external 3rd party? DoH is LESS privacy secure in this way.
      Enterprise: The security implications are tremendous using the home example. In addition, if I host say, my_website, I don't want my Internal traffic going to my border router and then routing back internally. I tell my DNS server to send requests for my_website to an internal IP. Maybe I want to set up a DNS alias... all of this is less efficient and *clearly* a constant and impressive data leak.
      Malware writer: I effing LOVE THIS! Everyone has to go through tremendous hoops just even think of blocking me...

      I also guarantee you that the 5-eyes, 3-letter agencies are tapping these places to harvest all kind of information. Sure, they don't record it, but they don't have to. There's a closet that no one is allowed access to that has 3-letter agency equipment tapping directly in to the servers to log the info.

    • (Score: 2, Informative) by fustakrakich on Saturday June 27 2020, @02:59AM

      by fustakrakich (6150) on Saturday June 27 2020, @02:59AM (#1013100) Journal

      This whole DNS over HTTPS stuff just doesn't make much sense.

      Take a tour of the marketing department.

      And don't you think the spies would prefer one stop shopping instead of having to snoop around all those ISPs?

      Our only hope is to convert the internet from client/server to ad hoc, turn the ISPs' routers into switches, kinda like old-fashioned POTS

      --
      La politica e i criminali sono la stessa cosa..
    • (Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @09:46AM

      by Anonymous Coward on Saturday June 27 2020, @09:46AM (#1013188)

      1. It's mostly Cloudflare (so DNS-over-Cloudflare, DoCF), a company known for fighting users' privacy. So I think Moz may get some part from it.
      2. It prohibits blocking trackers and ads using the hosts file - it is impossible to install domain-based blocking at such a low level in DoCF.
      3. So now the blockers are in the "as-an-addon" phase where they cannot effectively catch all connections like the system does (this can be seen by Firefox phoning home every run). This is the third phase of Mozilla's killing of useful features. First - as an option, then - as an about:config item, then - as an add-on, and finally the API breaks it.
      4. It increases user passivity - instead of voting with their wallet and choosing a good provider, the user is taught to fight with windmills (and you wonder why I still chose to have a 4MBit link?).

  • (Score: 5, Interesting) by Username on Saturday June 27 2020, @12:14AM (9 children)

    by Username (4557) on Saturday June 27 2020, @12:14AM (#1013046)

    I have a feeling this whole encrypted DNS thing is to bypass DNS based ad blocking and create a way for them to directly insert their approved ads.

    Luckily I have DDWRT and a brain, and just routed their https server's IP address to a loopback. Now to counter this, they're adding more servers to get around my blocking of their one server. Pretty soon I'm going to have a dns block list of advertising names and ip block list of DNS bypassing addresses.

    • (Score: 4, Informative) by Anonymous Coward on Saturday June 27 2020, @02:21AM (5 children)

      by Anonymous Coward on Saturday June 27 2020, @02:21AM (#1013084)

      No,

      What should have been apparent the minute that DNS/HTTPS was even suggested, was that this was going to be used to turn the Internet into a layer 4 service ONLY. This is about Mozilla accepting that the future of the Internet is a walled garden only service, and making alliances to insure it has a position in that market.

      In the 90's the world experienced the greatest global expansion of civil rights in history. My guess is by 2035 there will be political reeducation camps in the U.S.. That is the direction we are heading, and it isn't a partisan thing. The right is calling for martial law, and the left is calling on the abolishment of the 1st amendment. That is pretty much what happened in the 1930's in Germany.

      The systematic disassembly of free interchange is the Kristallnacht of the Internet. Mozilla just broke a shit ton of windows. Congratulations motherfuckers.

      • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @08:28AM

        by Anonymous Coward on Saturday June 27 2020, @08:28AM (#1013182)

        it isn't a partisan thing

        True. Every corporation seems to be heading the same direction, so it doesn't really matter what the stooges on the Hill think.

      • (Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @11:52AM (2 children)

        by Anonymous Coward on Saturday June 27 2020, @11:52AM (#1013206)

        You're confusing the internet with the world wide web.

        • (Score: 2, Informative) by Anonymous Coward on Saturday June 27 2020, @03:23PM (1 child)

          by Anonymous Coward on Saturday June 27 2020, @03:23PM (#1013275)

          Apparently you didn't read: "OSI layer 4". What DNS/HTTPS does is constrains the transport of layer 3 datagrams into a layer 4 tunnel that is isolated by browser vendors. It doesn't actually matter where you think they are sending your resolver data. The fact that it isn't being done at layer 3 means they can send it ANYWHERE they want once it is in the tunnel.

          It is compulsory-by-ignorance opt-out theft of data that is "papers, and effects" from a constitutional standpoint. What they are doing constrains choice. It constrains trade. It restricts diagnostic capacity. It surveils without informed consent. It makes it easier for ISPs to filter. But worst of all, it makes it easier for the carriers to call the Internet an "information service", rather than the "Internet" (big I, there is a difference).

          That has severe legal ramifications in terms of the restoration of civil rights, and it mitigates the consumer view that the Internet is a distributed service. Most people have the view that the Internet is all port 80,443. By aggregating DNS it puts the carriers in a position where they can filter everything but 80,443, and most people won't notice. This is a HUGE problem.

          There is a correct way to fix DNS. DNS/HTTPS isn't it. DNS/HTTPS is a lazy approach to security. Which is to say it constrains, without taking any consideration of long term effects. Particularly the civil rights of the general public.

          • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @05:47PM

            by Anonymous Coward on Saturday June 27 2020, @05:47PM (#1013315)

            hear, hear!

      • (Score: 2) by VLM on Saturday June 27 2020, @08:39PM

        by VLM (445) on Saturday June 27 2020, @08:39PM (#1013365)

        political reeducation camps

        Just call them college campuses

    • (Score: 4, Interesting) by darkfeline on Saturday June 27 2020, @02:58AM (2 children)

      by darkfeline (1030) on Saturday June 27 2020, @02:58AM (#1013099) Homepage

      DNS based ad blocking is hilariously stupid and useless anyway. You do realize that the only thing needed to bypass it is to use IP addresses instead of hostnames, or for the application to not use the name resolution facilities provided by the OS?

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 2) by Username on Saturday June 27 2020, @10:53AM

        by Username (4557) on Saturday June 27 2020, @10:53AM (#1013196)

        Ok, change my browser's DNS settings. I'll wait.

      • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @04:05AM

        by Anonymous Coward on Sunday June 28 2020, @04:05AM (#1013560)

        That is one reason why the better firewalls out there let you filter any IP address not resolved by your DNS server.
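        One way to implement the firewall check the comment above describes, and to spot the DoH-bypassing clients the earlier "Malware writer: I effing LOVE THIS!" comment worries about, as an added example that is not from the article or any commenter: correlate the local resolver's answers with the connection log and flag destinations a client never resolved through that resolver. The log formats, addresses and the one-hour answer window are constructed assumptions.

```python
"""Added example (not from the article or any commenter): flag connections whose
destination IP the local resolver never handed to that client. Clients that
bypass the local resolver (DoH to an outside server, hard-coded IPs) show up
here because their destinations have no matching resolver answer.
Both logs below are constructed samples in a made-up whitespace format."""
import ipaddress
from collections import defaultdict

# Constructed resolver log: "ts client qname answer_ip"
RESOLVER_LOG = """\
1593216000 192.168.1.20 www.example.com 93.184.216.34
1593216005 192.168.1.20 cdn.example.net 198.51.100.7
1593216010 192.168.1.21 mail.example.org 203.0.113.9
"""

# Constructed connection log from the gateway: "ts src dst dport"
CONN_LOG = """\
1593216001 192.168.1.20 93.184.216.34 443
1593216007 192.168.1.20 203.0.113.77 443
1593216012 192.168.1.21 203.0.113.9 993
1593216020 192.168.1.21 192.168.1.1 53
1593216030 192.168.1.21 104.16.248.249 443
"""

# LAN ranges never need a resolver answer (assumption: RFC 1918 space is local)
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
ANSWER_WINDOW = 3600  # seconds an answer is considered current (assumption, not a real TTL)


def parse_resolver_log(text):
    """Map client -> {answer_ip: timestamp of the most recent answer}."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        ts, client, _qname, ip = line.split()
        seen[client][ip] = int(ts)
    return seen


def find_unresolved_connections(resolver_text, conn_text):
    """Return (src, dst, dport) for connections to non-local destinations that the
    source host did not obtain from the local resolver within ANSWER_WINDOW."""
    answers = parse_resolver_log(resolver_text)
    flagged = []
    for line in conn_text.splitlines():
        ts, src, dst, dport = line.split()
        ts = int(ts)
        if any(ipaddress.ip_address(dst) in net for net in LOCAL_NETS):
            continue
        last = answers.get(src, {}).get(dst)
        if last is None or not (last <= ts <= last + ANSWER_WINDOW):
            flagged.append((src, dst, int(dport)))
    return flagged


if __name__ == "__main__":
    for src, dst, dport in find_unresolved_connections(RESOLVER_LOG, CONN_LOG):
        print(f"unresolved destination: {src} -> {dst}:{dport}")
```

        A firewall that enforces this rule rather than just logging it is what the comment means by filtering IPs the local DNS never returned; the two flagged rows in the sample are exactly the connections a DoH-bypassing client would produce.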

  • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @03:14AM (8 children)

    by Anonymous Coward on Saturday June 27 2020, @03:14AM (#1013108)

    i don't care if dns lookups are in cleartext and can be seen on "the wall of sheep".
    what is not cool however is if the "cleartext" lookup can be uniquely tied to me (my ip address).

    now i don't pretend to understand this DoH but i assume that whatever doh enabled server is used that it doesn't know all and each mapping of domain name-2-ip.address. thus this server has to ask another.
    now if i understand half-assed correctly, the doh server needs to ask another server thus it needs to understand the content of the request. unless everything in the chain is just hashes then somewhere in the chain the encryption needs to be stripped, processed ("is the request for .org or .net" for example) and then maybe re-encrypted.
    in any case, the problem (see above: unique mapping of dns lookup request to unique ip.address) is not solved. all that is done is painting the isp dark black and awarding a "big, central, easily subpoena-ed" entity with trust... which is bad.
    i recommend to smartly read all configuration options in torrc.
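    The DoH exchange the comment above is reasoning about (and SomeGuy's question further up about why the ISP should not also run a DoH server), as an added example that is not from the article or any commenter: the client puts an ordinary DNS wire-format question inside an HTTPS request, so whoever operates the resolver reads the query name in full; only the path between client and resolver is encrypted. The resolver host name and the sample response are constructed placeholders.

```python
"""Added example (not from the article or any commenter): builds the DNS wire
message a DNS-over-HTTPS client sends (RFC 8484 GET form) and decodes a
resolver's answer. Everything is constructed inline; no network access."""
import base64
import struct

DOH_PATH = "/dns-query"  # path used by the RFC 8484 URI template of common resolvers


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard query (RD set) for an A record; txid 0 as RFC 8484 advises for cacheability."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_host: str, query: bytes) -> str:
    """GET form: the raw DNS message, base64url without padding, as the ?dns= parameter.
    This is all TLS hides from the network; the resolver decodes it back to the query."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{DOH_PATH}?dns={b64}"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name field)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (question_name, [(name, rtype, ttl, rdata)]) from a DNS response message."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip qtype, qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return qname, answers


# Constructed sample response: A record www.example.com -> 192.0.2.10, TTL 300
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(doh_get_url("doh.resolver.example", build_query("www.example.com")))
    print(parse_response(SAMPLE_RESPONSE))
```

    The encoded `?dns=` value for www.example.com is the same string RFC 8484 uses in its own GET example, which is a quick way to confirm the message layout.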

    • (Score: 1, Insightful) by Anonymous Coward on Saturday June 27 2020, @04:28AM (7 children)

      by Anonymous Coward on Saturday June 27 2020, @04:28AM (#1013136)

      If I go to www.Google.com a DNS server returns Google's IP address to my computer and my web browser connects to said IP address.

      If there is an eavesdropper and the DNS traffic is encrypted they won't be able to see what websites I am sending to the DNS server or the IP address that's being returned back to my computer.

      But when my computer gets the IP address back and my browser actually connects to said IP address then they would be able to see that I connected to Google's IP address and hence I must have requested www.Google.com. So .... they can still see what websites I am connecting to ... what's the point of encrypting DNS server traffic ... am I missing something?

      • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @05:47AM

        by Anonymous Coward on Saturday June 27 2020, @05:47AM (#1013157)

        DNS hasn't been fit for the modern internet for a long while. Unfortunately, alternatives that have a chance of being accepted will probably be some google-NSA spy protocol.

      • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @10:13AM (2 children)

        by Anonymous Coward on Saturday June 27 2020, @10:13AM (#1013193)

        There may be multiple websites being hosted at that IP address. If your DNS queries are encrypted the eavesdropper won't know which site you're visiting.

        • (Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @09:30PM (1 child)

          by Anonymous Coward on Saturday June 27 2020, @09:30PM (#1013397)

          There may be multiple websites being hosted at that IP address. If your DNS queries are encrypted the eavesdropper won't know which site you're visiting.

          Er, no, virtual hosting only works at all on HTTPS because modern web browsers send the domain name unprotected during the TLS handshake (Server Name Indication). This is required because the hostname is an essential part of the TLS authentication process and typically the server must select different certificates for different hostnames. Prior to SNI virtual hosting was basically impossible with HTTPS unless you had a single certificate to cover every domain.

          Even if the server name was protected, assuming the websites hosted at that IP address are public and known to the eavesdropper then an eavesdropper who can monitor your encrypted HTTPS traffic will be able to determine exactly which website you visited on that server with very high confidence.

          This is because HTTPS does effectively nothing to obscure any of (a) the server to which you are communicating, nor (b) how much data is transferred, nor (c) the timing of the various resource requests made by your web browser.

          Those details, taken together, have high probability of being unique not just for different websites, but also individual pages within those websites. It is therefore pretty reasonable to assume that an eavesdropper will be able to know which pages you are visiting without too much trouble, even if they cannot decrypt any of your traffic.

          This is why projects like Tor exist, which actually do attempt to hide who is communicating with whom.
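          What the comment above describes, as an added example that is not from the article or any commenter: the hostname in a TLS ClientHello's Server Name Indication is sent before any encryption, so a passive observer on the ISP's path reads it without touching DNS at all. The ClientHello and hostname below are constructed; the parser itself works on the first TLS record of any real connection.

```python
"""Added example (not from the article or any commenter): extract the Server Name
Indication from a TLS ClientHello record, exactly as an IDS or ISP monitor can,
to show that encrypting DNS alone does not hide the destination name.
The ClientHello is constructed inline with a placeholder hostname."""
import struct


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2-framed ClientHello carrying only an SNI extension (constructed)."""
    name = hostname.encode("ascii")
    server_name = struct.pack("!BH", 0, len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32                          # client_version, random
            + b"\x00"                                           # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # one compression method: null
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent."""
    # record type 0x16 = handshake, handshake type 0x01 = client_hello
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    off = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    sid_len = record[off]
    off += 1 + sid_len
    cs_len = struct.unpack("!H", record[off:off + 2])[0]
    off += 2 + cs_len
    comp_len = record[off]
    off += 1 + comp_len
    if off + 2 > len(record):
        return None                            # no extensions block at all
    ext_total = struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if etype == 0:
            # ServerNameList: u16 list length, then entries of type(1) length(2) name
            p = off + 2
            while p + 3 <= off + elen:
                ntype, nlen = struct.unpack("!BH", record[p:p + 3])
                p += 3
                if ntype == 0:
                    return record[p:p + nlen].decode("ascii")
                p += nlen
        off += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("SNI visible on the wire:", extract_sni(hello))
```

          Encrypted ClientHello (ECH), a TLS 1.3 extension, is the designed fix for this particular leak; without it, the destination name is readable regardless of how DNS was resolved.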

          • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @05:04AM

            by Anonymous Coward on Sunday June 28 2020, @05:04AM (#1013570)

            Exactly. DNS, HTTP, and HTTPS were never intended to hide meta data. Encrypting the DNS traffic doesn't change this.

            TOR was intended to hide such information. As you said, TOR even introduces artificial traffic delays to make it somewhat more difficult (though not impossible) to track traffic based on timing.

      • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @02:07PM (2 children)

        by Anonymous Coward on Saturday June 27 2020, @02:07PM (#1013246)

        there's a possibility that intercepting dns requests allows a middle man to redirect your request to that resolved ip to another ip (via routing) ...
        so if i can control routing and i see you resolved "google.com", and you got "1.2.3.4" i can redirect you to my 1.2.3.4 ... if i have zero day i can pawn you (some dude with scissor hands said l3tters can do this).
        they do this on the stock market too and it seems to work...

        • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @09:29PM (1 child)

          by Anonymous Coward on Saturday June 27 2020, @09:29PM (#1013393)

          With a MTM attack you can see that I'm connecting to Google's IP address and redirect the traffic regardless.

          That's why, hopefully, my computer already has the necessary and correct information needed to verify that I'm connecting to Google. I can check the certificate path and make sure it's valid.

          • (Score: 0) by Anonymous Coward on Sunday June 28 2020, @05:12AM

            by Anonymous Coward on Sunday June 28 2020, @05:12AM (#1013572)

            Errr... an MITM attack. *I didn't realize/I forgot that the "in" was part of the acronym.

  • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @01:03PM (6 children)

    by Anonymous Coward on Saturday June 27 2020, @01:03PM (#1013229)

    Are there any significant advantages of running my own BIND and having it do DoH to some encrypted DNS site (Cloudflare or 8.8.8.8 or whatever)? Does that take my ISP out of it at least?

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @01:47PM (2 children)

      by Anonymous Coward on Saturday June 27 2020, @01:47PM (#1013241)

      I was wondering about your own DNS as well.

      If you had the whole DNS database locally, then search requests might be both private and not redirected.

      Perhaps the first step would be to log DNS and see how bad things are.

      • (Score: 2) by jasassin on Saturday June 27 2020, @09:01PM (1 child)

        by jasassin (3566) <jasassin@gmail.com> on Saturday June 27 2020, @09:01PM (#1013379) Homepage Journal

        If you had the whole DNS database locally, then search requests might be both private and not redirected.

        I can't imagine how big that table would be. Anyone here have any idea (assuming it was possible).

        --
        jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
        • (Score: 0) by Anonymous Coward on Thursday July 02 2020, @07:00AM

          by Anonymous Coward on Thursday July 02 2020, @07:00AM (#1015297)

          There are 1511 public TLDs, according to IANA. Domain names have an arbitrary combination of 3 to 63 characters at a single level. Ignoring ccSLDs in specific, that would give you 1511 * sum(37 ** x for x in range(3, 64)) total domain names for just one level. There are restrictions like ccSLDs and punycode that would limit the number of SLDs, but they are such a small number compared to the overwhelming possibility of names available that it wouldn't make as large of a difference as you would think.

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @03:26PM

      by Anonymous Coward on Saturday June 27 2020, @03:26PM (#1013276)

      For DNS maybe. You're still being routed through hardware controlled by an ISP (maybe not the one you're paying though), so how much privacy you actually have from them is a question of debate.

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @05:49PM

      by Anonymous Coward on Saturday June 27 2020, @05:49PM (#1013316)

      don't use bind and cloudflare/google. use dnscrypt-proxy, dnsmasq and a mom and pop dns upstream resolver. see the arch wiki.

    • (Score: 2) by corey on Sunday June 28 2020, @03:57AM

      by corey (2202) on Sunday June 28 2020, @03:57AM (#1013558)

      I'm running Unbound on my FreeBSD server, which is a small caching DNS server. It uses DNSSEC with TLS to root servers (I think I have it set to CloudFlare). Works well. So my ISP sees nothing. Nothing to see anyway.
