Advice Request DNS-over-HTTPS (DoH) is the wrong solution

[Ink]

ENCRYPTION DOESN’T STOP TRACKING

The idea of also encrypting DNS requests isn’t exactly new, with the first attempts starting in the early 2000s, in the form of DNSCrypt, DNS over TLS (DoT), and others. Mozilla, Google, and a few other large internet companies are pushing a new method to encrypt DNS requests: DNS over HTTPS (DoH).

DoH not only encrypts the DNS request, but it also serves it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS. This is a double-edged sword. While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor DNS spoofing and it moves the responsibility for a critical networking function from the operating system into an application. It also doesn’t do anything to hide the IP address of the website that you just looked up — you still go to visit it, after all.

And in comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing.

DNS and privacy are important topics, so we’re going to dig into the details here.

WRITTEN IN OCTOBER 2019 - TAKE A READ HERE -

DNS-over-HTTPS Is The Wrong Partial Solution

Openness has been one of the defining characteristics of the Internet for as long as it has existed, with much of the traffic today still passed without any form of encryption. Most requests for HT…

hackaday.com

 

[TairikuOkami]

DoH was never meant to replace the real encrypted DNS, it serves merely as a backup, since port 443 can not be blocked as easily as DoT or DNScrypt.

 

[ForgottenSeer 85179]

Encrypted DNS was never designed to protect against tracking.

The article is also misleading. A VPN doesn't protect against tracking.

 

[SeriousHoax]

While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms to monitor DNS spoofing and it moves the responsibility for a critical networking function from the operating system into an application.

I think this is literally the only downside of DoH which doesn't mean anything for normal users. DoH does what it's supposed to do. I read this article before and it's totally misleading.

 

[blackice]

Many providers offer DoH, and Chrome and Firefox allow for manual entry of whatever you want.

 

[SeriousHoax]

Many providers offer DoH, and Chrome and Firefox allow for manual entry of whatever you want.

I know about Firefox but does chrome let you manually use another one now?

 

[Brahman]

If you are about protecting your privacy by only using either doh or dot I would say you are doomed. If the government agencies want to really track you, they will get to you eventually even if you use tor network on a most secure vpn. Recently in India some person accused of child pornography were arrested and these accused persons were using telegram as a medium to propagate videos.(Kerala police busts online child pornography, arrests 47)They also were using vpn to mask their real ip numbers. But they were caught and it was done on information from Unicef and interpol. Telegram is an end to end encrypted service, yet agencies were able to decrypt these messages and was able to find persons using it. So nothing is 100% guaranteed, neither doh nor vpn.

 

[TairikuOkami]

So nothing is 100% guaranteed, neither doh nor vpn.

It is just like with AV, rather than relying on basics, the user should focus on details, even VPN can leak, when user has IPv6 enabled, that was its purpose.

Encrypted DNS provides a basic level of privacy from ISP, VPN from the webpages and the government as it makes it a little harder to get a warrant, but not impossible. People forget about IPv6, scripts and that every login/purchase can be tracked, even when using bitcoin. It leaves a trail of breadcrumbs.

 

[Ink]

All sorts of security and privacy options are partial solutions to be a problem that cannot be resolved, because the World Wide Web was never designed to be private or secure.

Monitization of the Web through any means.

 

[Brahman]

All sorts of security and privacy options are partial solutions to be a problem that cannot be resolved, because the World Wide Web was never designed to be private or secure.

Monitization of the Web through any means.

No one needs to be a 100%, take the case of child pornography, if these basta**s get total privacy it will turn a lot of children's life into hell. we as a mature society will not be able to protect our kids from these sh** holes.. That is real bad. To some extent the state's vigil on net and dark net is good for law abiding citizens. Human rights activists in certain countries might object, but such blatant human rights violations can only be seen in a few ( may 4 or 5) countries. In all other nations people can live with some degree of tracking by Governments.

 

[blackice]

I know about Firefox but does chrome let you manually use another one now?

Yep

 

[Ink]

No one needs to be a 100%, take the case of child pornography, if these basta**s get total privacy it will turn a lot of children's life into hell. we as a mature society will not be able to protect our kids from these sh** holes.. That is real bad. To some extent the state's vigil on net and dark net is good for law abiding citizens. Human rights activists in certain countries might object, but such blatant human rights violations can only be seen in a few ( may 4 or 5) countries. In all other nations people can live with some degree of tracking by Governments.

I never implied the WWW should be 100% privacy or security focused. I'm saying all the privacy enhanced browsers, VPN, DNS, Antivirus are useless, because the WWW is flawed by design.

If you're looking for 100% anonymity, you cannot.

I have zero experience with Dark Web/Tor, but I heard it is still traceable.

 

[blackice]

I never implied the WWW should be 100% privacy or security focused. I'm saying all the privacy enhanced browsers, VPN, DNS, Antivirus are useless, because the WWW is flawed by design.

If you're looking for 100% anonymity, you cannot.

I have zero experience with Dark Web/Tor, but I heard it is still traceable.

I would even say flawed isn’t the right word. As you implied it wasn’t designed for privacy, it was designed to connect people like a digital public place.

 

[TairikuOkami]

I have zero experience with Dark Web/Tor, but I heard it is still traceable.

Just like those 2 hackers using Tails (a god of privacy), yet they got busted. What about commoners like me, who can install TOR an that is about it.

 

[blackice]

Also interestingly I don't think Firefox has implemented DoH properly. I am not intelligent enough, or have the time, to figure out why. But my router which filters malware sites by DNS will not flag Chrome going to wicar.org test pages, but it does flag malware when I use Firefox. dnsleaktest.com shows no leaks, but even with ESNI on it seems to be allowing the router to see something.

Edit: I take that back. Seems to be a bizarre function of Chrome. The router filters by IP, not DNS. Even with DNS encryption on it sees where Chrome is going but unlike in FF doesn't block the wicar.org test sites/files. It may be somehow related to order of processing, because none of the parental controls work in FF, just malware filtering.

Forget all of that. Firefox DoH doesn't work properly with Quad9's manual entry. Changing to cloudflare works as expected...very odd.

 

[Brahman]

Also interestingly I don't think Firefox has implemented DoH properly. I am not intelligent enough, or have the time, to figure out why. But my router which filters malware sites by DNS will not flag Chrome going to wicar.org test pages, but it does flag malware when I use Firefox. dnsleaktest.com shows no leaks, but even with ESNI on it seems to be allowing the router to see something.

Edit: I take that back. Seems to be a bizarre function of Chrome. The router filters by IP, not DNS. Even with DNS encryption on it sees where Chrome is going but unlike in FF doesn't block the wicar.org test sites/files. It may be somehow related to order of processing, because none of the parental controls work in FF, just malware filtering.

Forget all of that. Firefox DoH doesn't work properly with Quad9's manual entry. Changing to cloudflare works as expected...very odd.

In about: config ...Set network.trr.mode to 3.

 

[blackice]

In about: config ...Set network.trr.mode to 3.

I’ll give that a shot in the morning.

 

[blackice]

In about: config ...Set network.trr.mode to 3.

This was the issue. After looking into that setting I see what was happening. Thanks for the tip.

 

[Kongo]

Probably a dumb question for most of you, but is it possible to connect to a VPN while having DoH enabled, or does it have any bad effects? I have the Adguard Windows version, and they implemented DoH there recently and it would be quite demanding turning it off whenever connecting to the VPN.

 

[SpiderWeb]

Btw they are working on standardizing encrypted SNI. It was renamed to Encrypted Client Hello (ECH/ECHO).

TLS Encrypted Client Hello

This document describes a mechanism in Transport Layer Security (TLS) for encrypting a ClientHello message under a server public key. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at...

datatracker.ietf.org

No encryption: Q&A - DNS-over-HTTPS (DoH) is the wrong solution
DoH/DoT: https://malwaretips.com/**encrypted**
ECHO: https://**encrypted**

QUIC/HTTP/3 + ECHO + DoT/DoH make blocking Internet content for ISPs and governments near impossible unless they block the entire HTTP/3 protocol.
I think what DoH and DoT did is make people more aware that they can change their DNS servers. I have never seen something being adopted so quickly by the public.