DNS-over-HTTPS

One of the many ways that ISPs and governments try to track what we do online is to monitor what sites we visit. There are ways to hide that, but we give ourselves away when our browsers look up the addresses of sites. The way they do that is via DNS requests. DNS over HTTPS encrypts those requests, closing that loophole. The Powers That Be aren’t happy. Prepare to enter the spin cycle.

2 Likes

Let me see if I get this. Spying on the sites a user visits and in some cases blocking those sites relies on intercepting plain text requests for DNS resolution. So some software is looking at encrypting the DNS request to prevent interrogation of DNS requests.

  1. Doesn’t this rely on the DNS server decrypting the request? Does this mean the use of such encryption is under the control of the DNS server operators?

  2. If you know the numerical IP address you don’t need to do a DNS lookup. Why isn’t that a simple way to defeat such surveillance and/or blocking?

1 Like

From the article:

The couple of paragraphs below that provide more detail.

All DNS operations are under the control of the DNS server operators, whether they’re encrypted or not. One of the simplest forms of censorship is to replace the DNS entry of the targeted site, so requests are redirected.

That’s a big “If”.

How many IP addresses do you have memorised?

I agree though, it doesn’t seem to be that big a deal. It’s just implementing an IETF protocol, after all. The fact that The Powers That Be are making a big deal of it might indicate that I’m missing something.

1 Like

None. But if you are running a site that wants to avoid surveillance, or whose clients do, couldn’t you discreetly circulate your numeric address? The users then keep a list in their little black books and give up the convenience of DNS lookup. Not a big price.

Aside from the technicalities involved this issue is another example showing that the same method of anonymisation and secrecy may be used by both white hats and black hats. The downtrodden citizen trying to expose the immoral and violent nature of the oppressive autocracy he suffers under and the terrorist can both take advantage of it.

We haven’t really come to grips with the social consequences of the medium and too often the problems get obscured in trying to find technical solutions to socio-political and legal problems and vice versa.

Example one: spam phone calls were never a huge problem with the poles and wires phone system; now with VOIP they are. At the moment there is no wide-scale effective solution, only local and personal ones that frequently have drawbacks such as accidentally excluding genuine callers. The legal solutions (eg do not call register) are a failure; the problem needs a technical solution.

Example two: defamatory or hate speech on social media. The do-nothing camp says either “it’s free speech” or since there is no technical solution (yet) it would be wrong or impossible to apply a legal one. Operators continue to deny responsibility for hosted material and little can be done against anonymous content generators. This problem needs a legal solution at least and possibly that to stimulate a technical one.

1 Like

If you have a smallish list of commonly visited web addresses you can add them to your Hosts file as that will be used before any DNS request is made. If the address of the site ever changes you will need to update the entry or the site will not be found. To find out the resolved addresses for sites you may wish to enter you can use PowerShell (Admin mode is not normally required) to enter an address and get the resolved addresses. Cloudflare DNS services however block all direct IP address access and others use redirects, eg Microsoft uses msedge.net as a go-between, so it is hard to get to those addresses directly.

The Hosts file can also be used to block sites you do not want visited as you simply resolve them in the file to either 127.0.0.1 or 0.0.0.0, eg as a line in the Hosts file 127.0.0.1 badaddress.com (there is at least one space between the name and 127.0.0.1). If using IPv6 you may need to allocate localhost as ::1 localhost and then point any address as ::1 “address you wish to block”. If you want to add a comment either after the entry or on a new line, precede the comment with a # eg as in the previous example 127.0.0.1 badaddress.com #A bad address (with at least a space between the address and the # symbol).

You need to leave an empty line at the end of the Hosts file and you will need to remove ReadOnly access from the file before you edit it or you will not be able to edit and save any changes. You can reset the ReadOnly status after saving the changes. You will need Administrator access to the file.

Please note even though the address badaddress.com tries to be a hyperlink here it is just an example address and should not be clicked to follow it.

Normally in Windows the Hosts file should be located in c:\windows\system32\drivers\etc\ (where c: is the drive where you have Windows installed).

In Apple or Linux the file can be opened in Terminal at /etc/hosts. In Linux or Apple it will need sudo to open it as it is at root level, that is sudo vim /etc/hosts

If you don’t like Google you can use Cloudflare’s DNS over HTTPS resolver at 1.1.1.1

While the Hosts file or using DNS such as Google’s isn’t a perfect solution, there are a few DNS over HTTPS servers that are not your RSP/ISP DNS or Google’s servers. As an example, there is a list of these at https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers (it does include Google but you can happily ignore it).

To enable the Cloudflare or any other DoH (just add the address found at the github link) option in Firefox you can find instructions at https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/

3 Likes
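The Hosts-file conventions described in the post above (one address followed by hostnames, `#` comments, 127.0.0.1 / 0.0.0.0 / ::1 for blocking, a final newline) can be checked mechanically. This is an added example, not code from the thread or from any project it links; the sample file content is constructed and the `.invalid` names are not real sites.

```python
import ipaddress

# Added example, not code from the thread: a checker for the Hosts-file conventions
# described above (one address then hostnames, '#' comments, loopback/0.0.0.0 for blocking,
# a final newline). The sample content is constructed; '.invalid' names are not real sites.
SAMPLE_HOSTS = (
    "# constructed sample\n"
    "127.0.0.1 localhost\n"
    "::1 localhost\n"
    "192.0.2.10 intranet.example   # documentation-range address\n"
    "127.0.0.1 badaddress.invalid #A bad address\n"
    "0.0.0.0 tracker.invalid\n"
    "::1 ads.invalid\n"
    "not-an-ip somehost.invalid\n"
)
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    # Returns (entries, errors); each entry has ip, names and kind ('block' or 'map')
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment, inline or whole line
        if not line:
            continue
        fields = line.split()                    # any run of spaces or tabs separates fields
        if len(fields) < 2:
            errors.append((lineno, "address without a hostname"))
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # normalises e.g. '0:0:0:0:0:0:0:1' to '::1'
        except ValueError:
            errors.append((lineno, f"invalid address {fields[0]!r}"))
            continue
        names = [n.lower() for n in fields[1:]]
        # loopback entries for localhost are normal; any other name sent there is a block
        kind = "block" if ip in BLOCK_TARGETS and "localhost" not in names else "map"
        entries.append({"ip": ip, "names": names, "kind": kind})
    if text and not text.endswith("\n"):
        errors.append((len(text.splitlines()), "missing newline at end of file"))
    return entries, errors

def blocked_hosts(text):
    entries, _ = parse_hosts(text)
    return sorted(n for e in entries if e["kind"] == "block" for n in e["names"])

def mapped_hosts(text):
    # First matching line wins, as resolvers read the file top to bottom
    pairs = [(n, e["ip"]) for e in parse_hosts(text)[0] if e["kind"] == "map" for n in e["names"]]
    return {n: ip for n, ip in reversed(pairs)}   # reversed so the earliest line wins
```

Running it over a real file (c:\windows\system32\drivers\etc\hosts or /etc/hosts, read with the file's own line endings) lists which names are being blocked and which are pinned to an address that will need updating if the site moves.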

Not quite seeing how this explains the fuss being made by the Powers That Be. I have a feeling we’re all missing something.

It isn’t about the fuss but it does help avoid having to constantly use DNS servers to get to addresses you commonly use. If you have the IP address in your Hosts file no government intrusion into what web sites you visit can be obtained from snooping the DNS over HTTPS or any other DNS servers. Why smallish? Because a very large Hosts file can impact the time it takes to access sites but if you are willing to accept some extra delay then you can have quite a large Hosts file. Mine is currently sitting at about 30k of entries both for blocking and finding, I am sure some have even larger file sizes.

1 Like

Not the point. And not much help, if the IP address changes (which they do surprisingly often).

Ahh but my reply was to @syncretic’s post about keeping a list and it is about something that can be done (and yes it does require that you maintain the list and some sites are not able to be visited because of how the addressing is handled).

As to the fuss it is easy to explain a little why the Australian or any other Govt want access to your DNS requests. They want it to control what you see and do online, they also want to take action when something they don’t like rears its head ie they want absolute control and power. This is why the Australian Govt put in place legislation to require RSPs to break encryption when a user seeks to use that. This is also why the Australian Govt require the retention of all your metadata by your RSP. They tell us it is for our security and in some instances it may help them catch a “bad” person, but in the end who becomes a “bad” person is really about how the Govt defines “bad”.

2 Likes

30,000 entries or 30KB file size??

If 30,000 entries, I would be thinking: run your own DNS server. Your own DNS server can also cache real looked up DNS entries, thereby reducing the number of lookups and hence delaying the opportunity for government snooping or interference.

The article suggests that it is not the UK government that is complaining as such, but the UK ISPs. One reason why UK ISPs might be worried is that DNS-over-HTTPS may mean that the pissweak internet censorship that UK ISPs are doing will be ineffective and hence the UK government will legislate to force UK ISPs to take even more intrusive measures.

Criticism by UK ISPs / UK government of Mozilla / Chrome / browser-of-choice though is silly. Even though the article describes this as being an “app choice” and not implemented at the operating system level, there is no reason why it couldn’t be and won’t be implemented at the operating system level.

2 Likes

30,000 entries and yes I have run my own DNS server here (https://simpledns.com/). Trouble with home DNS servers is they mostly seek an external recursive resolver eg Google or OpenDNS or an authoritative name server to do updates and pass entries to automatically and I prefer hands on curation of those important entries that reside in my Hosts file. Many of my host entries are domains I never wish to visit or have links in visited pages access them. DNSSEC and DNS over HTTPS offer the best hope at the moment without having to build your own DNS server.

Certainly you can set at a system or router level DoH servers, it is trivial in most cases to use it.

There is already malware that uses DoH to hide its DNS queries as it avoids passive DNS monitoring that many security tools rely on. If you would like to read up about the malware see https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/. But is that a reason to stop DoH? I don’t think so, it just means the security tool/s has/have to become smarter on how it/they works/work.

1 Like

I was just wondering whether, given 30,000 entries in a hosts file, you might get better performance by not having those entries in a hosts file and instead having them in a local DNS server. (It will still refer externally for domains not in the list of 30,000 e.g. to Google or OpenDNS if it is configured that way, or traverse from the DNS root if it is configured that way.) It all depends on whether the hosts file implementation is good enough to handle 30,000 entries and whether the DNS server implementation is any better when faced with that number of entries.

Back on topic: I see that some Linux distros already had DNS-over-HTTPS more than a year ago. So the UK can forget about venting against Mozilla. (DNS-over-TLS is also an option, albeit perhaps easier for snooping ISPs and governments to detect its use.) The operating system itself can already direct all DNS queries from all applications in a secure manner. If that is being done, it doesn’t really matter what Firefox or Chrome are doing (in fact, it would be unhelpful for them to be doing DNS-over-HTTPS since that is replicating work that could be done by the operating system).

1 Like

Firefox by default does not have DoH enabled so if your system is already using DoH leaving Firefox alone is perfectly ok. For other users who are not likely to open their router to set DNS addresses or to set their system to use DoH, it is a simple procedure to enable it by a couple of clicks of a mouse on the browser. Better some security than none at all I feel as long as you don’t then get a false sense of that security, and take it always with that proverbial grain of salt.

1 Like

So DNS over HTTPS inhibits Fascism? :thinking: In that case, I’m all for it.

2 Likes

I agree. My observation was more directed at the rationale in the original article for UK ISPs getting all grumpy at Mozilla (when that is such short term and limited analysis).

For a bit of fun, a few clicks in Firefox could enable DoH at the operating system level rather than bother to have the DoH functionality itself built into and limited to Firefox. Ditto Chrome.

As far as I can tell, the only real problem with either DoT or DoH is that there are so few actual DNS servers supporting it (as distinct from whether the DNS server software supports it). Having to use one of a small number of public recursive DNS servers that support it could make security worse, not better (one reason why the UK government should not get too hysterical just yet).

The RFC number, 8484, was I imagine not chosen at random. :slight_smile:
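RFC 8484 is the DoH specification the thread has been discussing: the client sends an ordinary DNS wire-format message over HTTPS, either as a POST body or base64url-encoded into a GET query parameter, and gets a wire-format DNS response back. The following is an added example, not code from the thread, showing what goes over that HTTPS connection; it assumes Cloudflare's public DoH URL for the endpoint and makes no network requests itself.

```python
import base64
import struct

# Added example, not code from the thread: the wire-format DNS message a DoH client
# sends per RFC 8484, its base64url GET form, and a minimal response parser (no network I/O).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # assumption: Cloudflare's public DoH URL

def build_query(name, qtype=1):
    # ID 0 (RFC 8484 recommends it so identical queries are HTTP-cacheable), RD=1, one question
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 1 <= len(lab) <= 63 for lab in labels):
        raise ValueError(f"bad label in {name!r}")
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    # GET variant: ?dns=<base64url of the message with '=' padding removed>
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def _skip_name(msg, pos):
    # Advance past a name; a 0xC0 compression pointer is two bytes and ends the name
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_answer_ips(msg):
    # Return the A-record addresses in the answer section; empty on a non-zero RCODE
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
        pos += 10 + rdlen
    return ips
```

Sending `build_query(name)` as a POST body with `Content-Type: application/dns-message`, or fetching `doh_get_url(name)`, is all a DoH client does; an on-path observer sees only TLS to the resolver, which is why the resolver operator's trustworthiness matters as much as the encryption.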

Just as HTTP status code 451 was not chosen at random.

This. Of course, the group rescinded the Mozilla nomination once it realised how idiotic it had made itself appear.

If you know how to set your own DNS lookups, I suggest going with 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google). If you’re running Android or iOS, the former requires that you install an app.

There is a longer list of public DNS resolvers on Wikipedia, which also includes comments about ‘extra features’ (such as filters you can use for a family-friendly Internet).

All of this is part of ‘the web is going dark’ that our spy agencies are panicking over because they’ve had 15-20 years of hitherto-undreamed-of access to all our most personal secrets.

It was possible to fake a phone number in analogue days, but it was much more difficult and was generally only done by ‘phreaks’.

The US is actually going to lead the world in preventing phone number faking - possibly because the problem has caused serious injury and death due to swatting. The proposed system uses caller ID (SHAKEN/STIR) authentication that is similar to the online authentication we use every day.

Edit: nearly forgot to mention - if you have nothing to hide you have nothing to fear. PM me with your passwords :wink: .

4 Likes

ISPAUK could start by implementing DoH themselves. Then the decision by the user would not be between insecure-DNS-with-the-ISP and DoH-with-external-provider but instead be between DoH-with-the-ISP and DoH-with-external-provider.

Some of the “demands” by ISPAUK are unreasonable because, I assume, the ISP provides no mechanism by which the external provider could know what the actual requirements of the service are. Perhaps the ISP could publish by reverse lookup on the user’s IP address all the needed information - but that would require yet another RFC in order to standardise it.

PS My password is secret1234 so please make sure you store that for me.

2 Likes

A bit of progress for Firefox. For us, a simple tick and it will resolve DNS at an HTTPS source.

5 Likes

I would like to repeat my comment from above.

Having to use one of a small number of public recursive DNS servers that support it could make security worse, not better (one reason why the UK government should not get too hysterical just yet)

Jumping in to this could see you creating the next Google or Facebook corporate snoop. The linked article shows that you have a choice of just two providers out-of-the-box (Cloudflare and NextDNS). You can use a custom URL but few users will know how to set that up and fewer still how to set up their own DoH (or DoT) server. Hopefully many more providers will spring up very soon.

Some people may wish to use all of the available providers, binding a given domain to a previously selected provider and selecting a random provider for any domain not previously looked up.