Big ISPs aren’t happy about Google’s plans for encrypted DNS

645 points by Deinos, more than 5 years ago

41 comments

kelnos, more than 5 years ago
While I don't particularly trust Google all that much anymore, the fact that ISPs even have an *opinion* on this is a smoking gun that they're doing sketchy things with DNS data. There is no actual technical reason why they should care if you use their DNS servers or something else, even a private, encrypted DNS service.
daedalus_j, more than 5 years ago
I'm fine with encrypted DNS as long as it's from *my* router to the (encrypted) DNS provider of *MY* choice.
Interference from browsers with network level operations is my real worry. As far as I'm concerned, as long as the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers, no problem. I'm worried about the "to protect the users we've hijacked their DNS directly via the browser" possibility though.
I know it used to be that using ISP DNS servers gave you access to some of their local caching and such. I don't hear that talked about much in these discussions. Is that no longer a thing, and thus we truly don't need ISP DNS?
untog, more than 5 years ago
I'm usually very skeptical of Google's plan for anything, but if it's pissing off big ISPs then sign me up.
Santosh83, more than 5 years ago
What I *fear* will happen in several years is that local ISPs will also begin offering DoH by default (if you can't beat the competition, join them) and continue snooping on your traffic, just like Google or Cloudflare could do now technically, if they wanted to. Ultimately this boils down to which entity you trust more, your ISP or some other provider. Today Google/Cloudflare et al are by far the more trustworthy options for DNS at least. But this may not remain forever this way. The price for privacy/security is eternal vigilance, something end users don't (or can't) want to do.
profmonocle, more than 5 years ago
> the company has no plans to switch Chrome users to its own DNS servers.
Meanwhile, the Chromecast inexplicably ignores DHCP/NDP-provided DNS servers and uses 8.8.8.8 for all queries.
Crazyontap, more than 5 years ago
I may not have the technical expertise to understand this fully but right now I'm doing adblocking by using adguard's DNS IPs in my router (1).
It kinda works everywhere but for some apps like Chromecast I have to null route two IP addresses (8.8.8.8 and 8.8.4.4) otherwise it doesn't work. Those are both Google's IPs afaik.
So my question is: will I be able to keep doing it after this? I am asking because I am extremely suspicious of Google these days and wondering if they have an ulterior motive to prevent users from doing such host based adblocking in future?
(1) https://adguard.com/en/adguard-dns/overview.html
deckarep, more than 5 years ago
Haha Big ISPs...there’s absolutely no reason why regular HTTP requests/responses should be TLS encrypted while DNS queries should not...they go hand in hand for maintaining end-user privacy and YOUR integrity.
andrewla, more than 5 years ago
It's pretty clear that the ISPs drafted their letter before Google made it clear that they would not be forcing the transition to their own DNS servers. The complaints are entirely about centralization.
Google has attempted to allay some of these concerns, but their initial blog post [1] makes it clear that only certain whitelisted DNS providers would be permitted to participate. That does imply a degree of centralization regardless of Google's assurances to the contrary.
[1] https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html
gigatexal, more than 5 years ago
If this prevents ISPs from making even a penny on data mined from DNS queries of their users, even in an aggregated and anonymized manner then so be it because ISPs are supposed to be dumb pipes. And there is nothing creepier than someone mining what I search for. Just fulfill the contract of giving me the internet for my 75USD a month.
l0b0, more than 5 years ago
Is there a way to set up a big list of round-robin DNS servers in Linux, to at least minimize the amount of navigation history any one DNS provider knows about you?
pulse7, more than 5 years ago
With the statement "could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues" they are actually lying and misrepresenting the issue. In reality there is not much "to interfere" - especially not so much, that you would need to contact the Congress...
Unklejoe, more than 5 years ago
I guess this means no more DNS based ad blocking for devices like the Chromecast which ignore the DNS info provided by DHCP and are instead hard coded to use Google’s server?
gudok, more than 5 years ago
How exactly will encrypted DNS reduce spying? ISPs will still be able to observe IP addresses users connect to and even particular host names in SSL handshakes.
xvector, more than 5 years ago
Death to big ISPs.
danmg, more than 5 years ago
There have been several articles in the past few days whinging about both Mozilla and Chrome incorporating DNS over TLS. Someone seems to be REALLY unhappy about this and those people seem to be trying to use the press as a microphone.
It seems like it's touching a nerve and advertisers and governments are really sweating losing their ability to do low effort snooping.
aschatten, more than 5 years ago
Google defaulting to ignore system settings and use Google DNS server is an issue.
But it's cute how ISPs are trying to mash deploying of DoH support and default to Google server into one issue.
The last paragraph absolutely seems like fearmongering:
*Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others. Over the last several decades, DNS has been used to build other critical internet features and functionality including: (a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the fastest, cheapest, and most reliable manner; and (c) assisting rights holders’ and law enforcement’s efforts in enforcing judicial orders in combatting online piracy, as well as law enforcement’s efforts in enforcing judicial orders in combatting the exploitation of minors. Google’s centralization of DNS would bypass these critical features, undermining important consumer services and protections, and likely resulting in confusion because consumers will not understand why these features are no longer working. This centralization also raises serious cybersecurity risks and creates a single point of failure for global Internet services that is fundamentally at odds with the decentralized architecture of the internet. By limiting the ability to spot network threat indicators, it would also undermine federal government and private sector efforts to use DNS information to mitigate cybersecurity risks.*
I don't see how IoT management is going to be affected by DNS resolution made by a browser. CDN's DNS server in any case sits upstream and should be able to perform needed optimization. Google's or any other US DNS provider is not exempt from complying with the US law and court orders.
btgeekboy, more than 5 years ago
Something I’ve wondered: It isn’t quite clear from the various articles how they’re doing this monitoring. I can totally see how they could monitor their own caching resolvers. They might even passively monitor popular internet resolvers (1.1.1.1, 8.8.8.8). But if I run my own caching resolver at home, is that data being mined? I am aware it’s unencrypted and possible to do so, but is it actually happening? DoH sounds nice, but it brings me back to using a shared caching resolver which I’m not a huge fan of.
myrandomcomment, more than 5 years ago
I am a bit stuck here. I know it is a bit insane, but I run a simple system at home because I think, so if I drop dead tomorrow how is my wife going to sort this. If I am dead, internet still needs to work so my kid can do her homework. So despite my geek love, I do not run my own DNS, etc. The other part is I use unblock-us so iPlayer (BBC) works here in the US. I would love to set everything up so everything is encrypted but ... yah. Sorry depressive.
scoutt, more than 5 years ago
Does this mean that ad-blocking HW/SW that uses DNS to filter remote sites (Pi-Hole?) will stop working?
That's the only reason I see Google will try a move like that.
nimbius, more than 5 years ago
Strange these ISPs seem to have entirely ignored pihole, which for me is blocking around 30% of my DNS queries and overrides ISP DNS servers entirely.
alex_duf, more than 5 years ago
It sounds a lot like a non-issue.
If providers want to keep vacuuming personal data they can provide DNS over HTTPS and they'll capture the same amount of data.
decksta19, more than 5 years ago
At the request from some less technical friends I cooked up a solution for using encrypted DNS and Pi-hole together nicely wrapped in a docker-compose config that supports both x86_64 and ARM (RaspberryPi) deployments.
https://github.com/benke/docker-dnscyrpt-pihole
sys_64738, more than 5 years ago
> DNS over HTTPS means ISPs can’t spy on their users
The ISP can still do a reverse look up of the IP address to see where the traffic is going.
knorker, more than 5 years ago
Frankly the ISPs can go fuck themselves. They're a bit too comfortable in the role of bullying gatekeeper to the Internet.
Havoc, more than 5 years ago
> Firefox[...]whether or not their existing DNS provider supports it.
Wait what? How's that gonna play with my existing pihole setup?
throwaway242625, more than 5 years ago
I work for a large retailer ecommerce office and over the years found the business purchase huge lists of subscriber names plus domains from ISP customer browsing. AT&T and Verizon selling that I know about, maybe more that I don't know. With the amount of money involved that I'm sure they aren't happy.
Havoc, more than 5 years ago
> Big ISPs aren’t happy
As my mom said - if you cry enough to fill a tank I'll buy you a goldfish.
zecg, more than 5 years ago
Google probably isn't happy I won't be using their encrypted DNS, either.
jedisct1, more than 5 years ago
Yandex Browser has been supporting encrypted DNS since 2016....
Tepix, more than 5 years ago
I guess everyone who cares about privacy should run his own DNS server/cache somewhere on the internet. Same as mail, really.
techslave, more than 5 years ago
“data competition”. lol. the ISPs are literally complaining that Google will now have the DNS data, *and they won’t*.
musicale, more than 5 years ago
Although it's going to spark an ISP anti-privacy arms race, this demonstrates why encrypted DNS is necessary.
ivl, more than 5 years ago
Thankfully, ISPs being upset about it is a really good way to determine if it's a good thing.
foobiekr, more than 5 years ago
If ISPs are against it I am for it. I’ve worked in the SP market for 15 of the last 20 years.
Schnitz, more than 5 years ago
All we ever wanted was a dumb fat pipe. All we ever got was triple play. No pity.
KaiserPro, more than 5 years ago
In the land where GDPR exists, I can see why ISPs are a little annoyed.
Directing users to local CDN instances has now got harder, which means it's going to cost more for things like Netflix.
In the US, yes, that means that ISPs can't mine your data, however, you are handing more information to Google.
salmaanp, more than 5 years ago
I see news about DNS every single day now!
isaikumar, more than 5 years ago
This is a boon for Indians.
ggm, more than 5 years ago
In many economies, ISPs have legal immunity from acts done by users (customers) because of laws associated with 'common carrier' status.
But that status is fragile. The ISP has to act like it knows its obligations in law, and there are things ISPs have been doing to work with LEA for a long long time, which they won't be able to do as simply, or as well, or in some cases at all.
As a customer it's easy to assume the *only* answer is "good" but in fact, it's more complex. Society depends on law, and the application of law around what people do online is not trivial, and does not reduce down to 'all snooping is always bad all the time' - Warrants exist to do things, and warrant canaries are a reaction to them but not one which says warrants don't exist: they say silent warrants should not be obligated on the receiver of the interception: They're a position on secret law, not a position on law in itself.
TL;DR DoH and DoT are challenging established law in telecoms and big ISPs who have common-carrier defence depend on interception in DNS and DPI and the like, to perform their role facing LEA demands from the state *which in many cases are entirely normal and justified*
Not all DoH and DoT stories are good stories for society at large.
Please don't reduce this to a libertarian vs everyone else debate, I would invite you to think about what an ISP is, and what we want from ISPs as a whole, not just as customers seeking pirate bay, but as a society investing in a telecommunications-rich future.
The first casualty of war is the truth. The second (in WWI and WWII) was the deep sea telecommunications cables.
PaulHoule, more than 5 years ago
From Google's perspective being able to block ads with your hosts file is a bug, not a feature.
chvid, more than 5 years ago
Google wants the whole internet to go through them. Starting with the bloody DNS ... nice plan ... probably needs quite a bit lobbying and bad-mouthing other actors to succeed though ...
Absolutely. You can find a dishonest ISP. The difference is that there are thousands of them. And not just one big opaque entity.