A cartoon intro to DNS over HTTPS (2018)

196 points, by absqueued, over 5 years ago

14 comments

judge2020, over 5 years ago
I'll say what has been said time and time again in the past: CF should not be the default server. There shouldn't be a default server. Have an onboarding flow that says "choose DNS server" and allow the user to choose between clearly-unencrypted endpoints (ISP/router, Google, quad9, etc) and encrypted endpoints that use DoH.

And again, Google's DoH solution is infinitely less controversial: an upgrade list[0] so that, if your computer/router advertises 1^4, it uses Cloudflare's DoH. If it advertises 8^4, it uses https://dns.google. It even works for a provider known as clean browsing[1] that filters DNS.

0: https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html

1: https://github.com/chromium/chromium/blob/711b1ba2735f8af4bd6359c6292e1875412df74f/net/dns/dns_util.cc#L146-L217
throwaway191020, over 5 years ago
I have a concern.

DNS over HTTPS feels to me like we're edging towards end-to-end encryption for DNS. This seems like a good thing, but even though it will protect against ISP and state level observations of DNS, will it not reduce one's control over DNS locally?

My threat model remains web site operators and the malware and tracking inserted at that point. Additionally, devices on the network that may observe locally and communicate externally, like TV boxes and games consoles.

To manage those threats I use Pi-Hole. But once we start end-to-end encrypting, and especially when we start verifying those ends, how do I locally intercept and manage DNS for my privacy and security?

Is this a genuine concern about DNS over HTTPS? Or is the plan to enable systems like Pi-Hole to be a trusted and configurable resolver too, so that consumers retain the ability to control their own systems like this?
zaro, over 5 years ago
I don't really understand what kind of improvement DNS over HTTPS is.

Yes, some middle parties won't be able to tamper with my DNS queries. At what price? Total control for the people providing the DoH endpoints. So Chrome for sure will be using Google DNS for this, and with their efforts to remove ad blocking this fits nicely: you won't be able to simply use a DNS-based blocker.
ohazi, over 5 years ago
One of the big concerns here is that this is another instance of "making the internet less decentralized by leaning on Cloudflare."

Someone once pointed out that if the NSA wanted to build a front company whose goal was to make hoovering up the internet easier, it would probably look a lot like Cloudflare. I'm generally not much of a conspiracy theorist, but this one has been frustratingly difficult to shrug off.
peanut-walrus, over 5 years ago
So they start with talking about ESNI and then kinda completely gloss over it afterwards. Yeah, you can reuse the TLS session if several sites are using the same CDN; however, this is again relying on centralization for privacy.

The cool thing about DNS architecture is the fact that it is decentralized. Mozilla's plan with DoH tries to fix missing features in DNS by getting rid of arguably the biggest killer feature DNS has.

Furthermore, several governments use DNS right now to block websites deemed illegal in their country. Not just authoritarian states that attempt to censor material critical to the regime, but also western countries (copyright infringement, child porn, gambling, etc). Do Mozilla and Cloudflare seriously think they will just go "oh ok, I guess everything is unblocked again now"? No, they will either force Cloudflare to do the same or force local ISPs to implement even stronger filtering controls.
belorn, over 5 years ago
Over the years of discussions in regard to DNS over HTTPS, I find the best illustration is to look at email. Your email client on the phone or PC sends an email over SMTP to an email server; the server looks at the address, contacts the recipient server and delivers the request. In email it is client->MTA->recipient-server. In DNS it is client->Resolver->Authoritative-server, with the answer traveling back along the chain.

A little historical similarity: ISPs used to provide default MTA servers just like they do with resolvers. Nowadays most people use an email provider of their choice.

So let's now imagine we solved the plain text problem of email by having the client use a default list of trusted MTAs, with Thunderbird defaulting to partner with Gmail, and just sent it there over HTTPS. Gmail would take the email and forward it in plaintext to the recipient server.

Email security did not follow that path. There we collectively decided to first encrypt communication between the client and the MTA using TLS, addressing the first step in the chain. Then the communication between the MTA and the recipient server got encrypted. In order to prevent downgrade attacks there are also currently two competing standards, one based on DNS and the other on an HTTPS side channel. Looking at email, we are also almost done converting the plain text protocol to encrypted: https://transparencyreport.google.com/safer-email/overview

The general question is then, why not just copy the success of email? The answer, it seems, is about money. No company got more users or data when email protocols got encrypted. Cloudflare however will benefit if everyone routes their DNS through them, as that gives them a comparable performance benefit when people use them as a hosting provider.

They also say they won't sell data, but people who move their domain hosting to Cloudflare and pay for the Pro, Business and Enterprise plans can get access to DNS analytics.
xg15, over 5 years ago
As another post on HN argued a few weeks ago, and as is stated in this article again:

> After you do the DNS lookup to find the IP address, you still need to connect to the web server at that address. To do this, you send an initial request. This request includes a server name indication, which says which site on the server you want to connect to. And this request is unencrypted.

Note that, until encrypted SNI is in place, DoH does not actually increase your privacy. Your ISP can still track all domains you connect to by analyzing the SNI header. The only thing they cannot do anymore is block or redirect any of the domains.
ga-vu, over 5 years ago
My problem is that this is highly overhyped by the Mozilla/Cloudflare PR teams, and both companies stand to make money out of it.

A better solution would be DoT+DNSSEC: https://twitter.com/jschauma/status/1184483451111727106

I don't trust Mozilla anymore, especially after becoming a VPN vendor and partnering with Cloudflare. They now have commercial interests in pushing standards down on everybody, similar to Google.
jwilk, over 5 years ago
Previous discussion:

https://news.ycombinator.com/item?id=17196415
user827272, over 5 years ago
> So how do we fix these?

> Avoid untrustworthy resolvers by using Trusted Recursive Resolver.

If it's to trust a resolver just 1.1.1.1 (or whatever)

> Protect against on-path eavesdropping and tampering using DNS over HTTPS.

This is the only real change, but it is useless for everything outside a CDN, which is basically everything that matters for users.

> Transmit as little data as possible to protect users from deanonymization.

QNAME minimization can be done already; it is not a DoH thing.
colllectorof, over 5 years ago
Firefox could make a long-needed replacement for DNS, but they chose to spend all this effort on adding more duct tape to the current system, while also contributing to its centralization (more control to Cloudflare, yay).

DNS was a passable solution in the 80s, but right now it's absolute shit.

davidjnelson, over 5 years ago
This is really exciting for security. Lin, you are so talented!!! Great work explaining this, wow!

rishav_sharan, over 5 years ago
Why is there no Google container extension?

Sometimes it feels that Mozilla is just paying token lip service to the idea of privacy.
sdan, over 5 years ago
This is why I love Cloudflare. Makes everything secure and faster... for free (not to mention how easy it is to make records and go into developer mode to purge caching for a bit).