Advice Request DNS-over-HTTPS (DoH) is the wrong solution


Ink

ENCRYPTION DOESN’T STOP TRACKING
The idea of also encrypting DNS requests isn’t exactly new, with the first attempts starting in the early 2000s, in the form of DNSCrypt, DNS over TLS (DoT), and others. Mozilla, Google, and a few other large internet companies are pushing a new method to encrypt DNS requests: DNS over HTTPS (DoH).

DoH not only encrypts the DNS request, but it also serves it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS. This is a double-edged sword. While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor DNS spoofing and it moves the responsibility for a critical networking function from the operating system into an application. It also doesn’t do anything to hide the IP address of the website that you just looked up — you still go to visit it, after all.

And in comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing.

DNS and privacy are important topics, so we’re going to dig into the details here.
WRITTEN IN OCTOBER 2019 - TAKE A READ HERE
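As an added example (not from the quoted article or from anyone in this thread), here is what the "DNS request served to a normal web server" actually looks like at the byte level under RFC 8484: the query is an ordinary DNS wire-format message, carried either in an HTTPS GET (base64url in the dns= parameter, no padding) or as the body of a POST with content type application/dns-message, and the reply is the same wire-format message a UDP resolver would return. The endpoint URL below is an assumed placeholder, and the "resolver reply" is constructed locally so the script runs offline; nothing is sent over the network.

```python
"""Build and decode DNS-over-HTTPS (RFC 8484) messages without touching the network.

Added example; the endpoint below is a placeholder, and the response is
constructed locally rather than captured from a real resolver.
"""
import base64
import struct

DOH_ENDPOINT = "https://doh.example/dns-query"  # assumed placeholder, not a real resolver


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (QCLASS IN). RFC 8484 suggests txid 0 so that the
    base64url GET form of identical queries is cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the raw message goes in ?dns= as base64url without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(query: bytes) -> tuple:
    """POST form: the raw message is the body; only the headers distinguish it
    from any other HTTPS request, and those are inside the TLS tunnel too."""
    headers = {
        "Accept": "application/dns-message",
        "Content-Type": "application/dns-message",
        "Content-Length": str(len(query)),
    }
    return headers, query


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name starting at `off`."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Pull the transaction id, RCODE and A-record answers out of a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def sample_response(query: bytes) -> bytes:
    """Constructed reply to `query`: same question, one A record pointing at the
    documentation address 192.0.2.1 (RFC 5737). Not captured from a resolver."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = query[12:]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)[0])
    print(parse_response(sample_response(q)))
```

On the wire the only thing a router or corporate DNS filter sees is a TLS session to port 443 on the resolver's web server, which is exactly why the article's complaint about losing visibility holds: a filter that works by answering or inspecting port 53 traffic never sees these queries. The practical countermeasures are to block the known DoH endpoint hosts at the firewall, or, for Firefox specifically, to serve an NXDOMAIN for the canary domain use-application-dns.net so that the browser disables its default DoH.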
 

SeriousHoax

While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor DNS spoofing and it moves the responsibility for a critical networking function from the operating system into an application.
I think this is literally the only downside of DoH, which doesn't mean anything for normal users. DoH does what it's supposed to do. I read this article before and it's totally misleading.
 

Brahman

If you are about protecting your privacy by only using either DoH or DoT, I would say you are doomed. If the government agencies really want to track you, they will get to you eventually, even if you use the Tor network on the most secure VPN. Recently in India some persons accused of child pornography were arrested; these accused persons were using Telegram as a medium to propagate videos (Kerala police busts online child pornography, arrests 47). They were also using a VPN to mask their real IP numbers. But they were caught, and it was done on information from UNICEF and Interpol. Telegram is an end-to-end encrypted service, yet agencies were able to decrypt these messages and were able to find the persons using it. So nothing is 100% guaranteed, neither DoH nor VPN.
 

TairikuOkami

So nothing is 100% guaranteed, neither doh nor vpn.
It is just like with AV: rather than relying on basics, the user should focus on details. Even a VPN can leak when the user has IPv6 enabled; that was its purpose.

Encrypted DNS provides a basic level of privacy from the ISP, and a VPN from the webpages and the government, as it makes it a little harder to get a warrant, but not impossible. People forget about IPv6, scripts, and that every login/purchase can be tracked, even when using Bitcoin. It leaves a trail of breadcrumbs.
 

Ink

All sorts of security and privacy options are partial solutions to a problem that cannot be resolved, because the World Wide Web was never designed to be private or secure.

Monetization of the Web through any means.
 

Brahman

All sorts of security and privacy options are partial solutions to a problem that cannot be resolved, because the World Wide Web was never designed to be private or secure.

Monetization of the Web through any means.
No one needs to be 100%; take the case of child pornography: if these basta**s get total privacy it will turn a lot of children's lives into hell. We as a mature society will not be able to protect our kids from these sh** holes. That is really bad. To some extent the state's vigil on the net and dark net is good for law-abiding citizens. Human rights activists in certain countries might object, but such blatant human rights violations can only be seen in a few (maybe 4 or 5) countries. In all other nations people can live with some degree of tracking by governments.
 

blackice

I know about Firefox, but does Chrome let you manually use another one now?
Yep (y)

[screenshot attached]
 

Ink

No one needs to be 100%; take the case of child pornography: if these basta**s get total privacy it will turn a lot of children's lives into hell. We as a mature society will not be able to protect our kids from these sh** holes. That is really bad. To some extent the state's vigil on the net and dark net is good for law-abiding citizens. Human rights activists in certain countries might object, but such blatant human rights violations can only be seen in a few (maybe 4 or 5) countries. In all other nations people can live with some degree of tracking by governments.
I never implied the WWW should be 100% privacy or security focused. I'm saying all the privacy-enhanced browsers, VPNs, DNS, antivirus are useless, because the WWW is flawed by design.

If you're looking for 100% anonymity, you cannot get it.

I have zero experience with Dark Web/Tor, but I heard it is still traceable.
 

blackice

I never implied the WWW should be 100% privacy or security focused. I'm saying all the privacy-enhanced browsers, VPNs, DNS, antivirus are useless, because the WWW is flawed by design.

If you're looking for 100% anonymity, you cannot get it.

I have zero experience with Dark Web/Tor, but I heard it is still traceable.
I would even say flawed isn't the right word. As you implied, it wasn't designed for privacy; it was designed to connect people, like a digital public place.
 

blackice

Also, interestingly, I don't think Firefox has implemented DoH properly. I am not intelligent enough, nor do I have the time, to figure out why. But my router, which filters malware sites by DNS, will not flag Chrome going to wicar.org test pages, but it does flag malware when I use Firefox. dnsleaktest.com shows no leaks, but even with ESNI on it seems to be allowing the router to see something.

Edit: I take that back. Seems to be a bizarre function of Chrome. The router filters by IP, not DNS. Even with DNS encryption on, it sees where Chrome is going but, unlike in FF, doesn't block the wicar.org test sites/files. It may be somehow related to the order of processing, because none of the parental controls work in FF, just malware filtering.

Forget all of that. Firefox DoH doesn't work properly with Quad9's manual entry. Changing to Cloudflare works as expected... very odd.
 

Brahman

Also, interestingly, I don't think Firefox has implemented DoH properly. I am not intelligent enough, nor do I have the time, to figure out why. But my router, which filters malware sites by DNS, will not flag Chrome going to wicar.org test pages, but it does flag malware when I use Firefox. dnsleaktest.com shows no leaks, but even with ESNI on it seems to be allowing the router to see something.

Edit: I take that back. Seems to be a bizarre function of Chrome. The router filters by IP, not DNS. Even with DNS encryption on, it sees where Chrome is going but, unlike in FF, doesn't block the wicar.org test sites/files. It may be somehow related to the order of processing, because none of the parental controls work in FF, just malware filtering.

Forget all of that. Firefox DoH doesn't work properly with Quad9's manual entry. Changing to Cloudflare works as expected... very odd.
In about:config, set network.trr.mode to 3.
 

Kongo

Probably a dumb question for most of you, but is it possible to connect to a VPN while having DoH enabled, or does it have any bad effects? I have the AdGuard Windows version, and they implemented DoH there recently, and it would be quite demanding to turn it off whenever connecting to the VPN.
 

SpiderWeb

Btw, they are working on standardizing encrypted SNI. It was renamed to Encrypted Client Hello (ECH/ECHO).

No encryption: Q&A - DNS-over-HTTPS (DoH) is the wrong solution
DoH/DoT: https://malwaretips.com/**encrypted**
ECHO: https://**encrypted**

QUIC/HTTP/3 + ECHO + DoT/DoH make blocking Internet content for ISPs and governments near impossible unless they block the entire HTTP/3 protocol.
I think what DoH and DoT did is make people more aware that they can change their DNS servers. I have never seen something being adopted so quickly by the public.
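As an added example (not from anyone in this thread), here is what the network path still sees after DoH has hidden the lookup, and what ECH changes. The hostname travels a second time, in plaintext, in the server_name extension of the TLS ClientHello; that is the field a router or ISP can match on even when it never saw the DNS query (alongside the destination IP, which is what the router above turned out to be filtering on). ECH moves the real name into an encrypted extension and leaves only a public "outer" name in server_name. The ClientHellos below are constructed in the script (zeroed random, a single cipher suite, and a dummy ECH payload rather than a real HPKE-encrypted inner hello); 0xfe0d is the draft codepoint for the ECH extension.

```python
"""Extract what a middlebox can read from a TLS ClientHello: the plaintext SNI,
ALPN, and whether an ECH extension is present.

Added example. The ClientHello builder fabricates a minimal TLS 1.3-style
hello (zeroed random, one cipher suite); the ECH payload is dummy bytes,
not a real HPKE-encrypted inner ClientHello.
"""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_ECH = 0xFE0D  # draft-ietf-tls-esni codepoint for encrypted_client_hello


def build_client_hello(sni, alpn=("h2",), ech_payload=None):
    """Construct a TLS record containing a ClientHello with the given extensions.
    With ECH the `sni` is the public (outer) name; the real name would live in
    the encrypted payload."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data

    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
    exts = ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    exts += ext(EXT_ALPN, struct.pack("!H", len(protos)) + protos)
    if ech_payload is not None:
        exts += ext(EXT_ECH, ech_payload)
    body = (
        b"\x03\x03" + bytes(32)               # legacy_version, random (zeroed here)
        + b"\x00"                             # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record and report the fields visible to a passive observer."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                            # legacy_version + random
    off += 1 + body[off]                                    # legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites
    off += 1 + body[off]                                    # compression_methods
    seen = {"sni": None, "alpn": [], "ech": False}
    if off + 2 > len(body):
        return seen
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SERVER_NAME:
            p = 2  # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    seen["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_ALPN:
            p = 2  # skip protocol_name_list length
            while p < len(data):
                plen = data[p]
                seen["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
        elif etype == EXT_ECH:
            seen["ech"] = True
    return seen


if __name__ == "__main__":
    # Without ECH the real hostname is readable by anyone on the path.
    print(parse_client_hello(build_client_hello("www.example.com")))
    # With ECH only the outer (public) name is visible; the payload is dummy bytes.
    print(parse_client_hello(build_client_hello("public.example", ech_payload=bytes(40))))
```

The parser is the same logic a DNS-blind filter (or a detection rule) uses to recover destinations from packet captures, and it is the reason the earlier observation that "the router sees where Chrome is going" does not contradict DoH working: the name simply leaks from the TLS handshake instead of from port 53. Once ECH is deployed, the only remaining on-path signals are the destination IP and the ALPN/protocol choice, which is what the "block all of HTTP/3 or nothing" remark above is pointing at.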
 
