Google, UK ISPs and Gov Battle Over Encrypted DNS and Censorship

Discussion in 'privacy general' started by guest, Apr 22, 2019.

  1. guest

    guest Guest

    Google, UK ISPs and Gov Battle Over Encrypted DNS and Censorship
    April 22, 2019
    https://www.ispreview.co.uk/index.p...battle-over-encrypted-dns-and-censorship.html
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Google sticking it to the UK government, weirdly ironic, but oddly satisfying. :argh:
     
  3. guest

    guest Guest

    DNS over HTTPS is coming whether ISPs and governments like it or not
    April 24, 2019
    https://nakedsecurity.sophos.com/20...-whether-isps-and-governments-like-it-or-not/
     
  4. guest

    guest Guest

    Mozilla Nominated for 'Internet Villain' by Angry ISPs
    Shaming of Mozilla Over Secure DNS Raises Security Community Eyebrows
    July 5, 2019
    https://www.bankinfosecurity.com/mozilla-nominated-for-internet-villain-by-angry-isps-a-12726
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I guess we all know who the villain is in this story :)
     
  6. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This is FUD. Yes, the Qihoo 360 Labs report several times mentions DNS over HTTPS. But obviously they are not talking about the DNS-over-HTTPS protocol. Rather, the report is about a malware that sends DNS requests encapsulated in encrypted HTTP requests. That malware can use encrypted data channels to disguise its DNS requests has always been possible. It has nothing to do with DoH. All those reports suggesting this are misleading. This is also what Daniel Stenberg, the well-known curl developer, points out.
     
  8. guest

    guest Guest

    Mozilla: No plans to enable DNS-over-HTTPS by default in the UK
    But there's nothing stopping users from enabling the DNS-over-HTTPS feature in Firefox on their own, though
    July 6, 2019

    https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    How to enable DNS-over-HTTPS (DoH) in Firefox
    https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,791
    Location:
    Texas
  11. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Mozilla introduces encrypted DNS for masses and UK spies & ISPs throw a fit?
    Bah...

    Encrypting DNS has been possible for a long time already:

    1) Own Android phone that can get Pie 9 update? Google made it possible to use DNS-over-TLS from the settings in that version.

    2) Own Android phone that can't get Pie? Install Intra (https://play.google.com/store/apps/details?id=app.intra) from Google Play.

    3) For laptops & desktops there are more choices: VPN, Tor, Unbound, DNScrypt, SSH tunneling etc.... all of which can be used to bypass ISPs' DNS snooping.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  13. guest

    guest Guest

    ISPA Pulls UK Internet Villain Category Over Mozilla DoH Fallout
    July 10, 2019
    https://www.ispreview.co.uk/index.p...illain-category-over-mozilla-doh-fallout.html
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, good old Streisand effect ;)
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Almost as embarrassing as the UK political debacles, although I'd say, nobody's that stupid. It was always the case that any DNS monitoring was embarrassingly face-saving rather than functional, trapping the inept.

    What is clear is that subversion of DNS was too easy before, and is now slightly harder. The spooks now just need to apply to Google etc.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Huh. So maybe ISPs loved it because it was easy, and didn't require much work.

    And if authorities move to IP-based filtering, that'll require actual work by ISPs.
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    It's also that the authorities wanted the ISPs to collect - at great cost - "Internet Connection Records", which was required of them by the Investigatory Powers Act. While the term was absurd and woolly, what it meant was that the ISPs already collect the websites their customers visited and the time when they do so. Therefore any scheme which renders this more difficult (including requiring reverse DNS lookups), is going to be resisted.

    The delay in the implementation of things like the UK porn site access illustrates similar problems, namely that politicians wanted instant fixes regardless of reality. But these things are chickens coming home to roost.
     
  18. guest

    guest Guest

    DoH! Mozilla assures UK minister that DNS-over-HTTPS won't be default in Firefox for Britons
    September 24, 2019
    https://www.theregister.co.uk/2019/09/24/mozilla_backtracks_doh_for_uk_users/
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK. So people in UK who use VPN services will get it?

    Also, I note that there's considerable concern about using Cloudflare for all those DNS lookups.
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Who knows whether it'll use source IP or system locale. But I don't see how it can really do either if we're talking Linux repos? I guess it's more localisation than we're used to.... Perhaps time to examine the repo sources and locales I use.

    I'm actually one who doesn't want default DoH behavior - DoT on pfSense works just fine and gives more control, and DoH on the clients is going to interfere.

    The reality is that reliance on monitoring DNS queries (and the silly ICRs) was always a flawed approach. But then, they shouldn't be doing the mass surveillance. I'm very unhappy with third parties storing this stuff because they cannot keep it safe, and if nothing else, it tends to expose things like the financial institutions you use and makes it easier for an attacker who has that information.
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    You can now (starting from mid November, version 72 I think) enable DoH in Chrome:

    chrome://flags/#dns-over-https
    "Secure DNS lookups" set enabled
    check with https://1.1.1.1/help
    then perhaps
    "Anonymize local IPs exposed by WebRTC" set enabled
     
    Last edited: Dec 31, 2019
  22. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    737
    Location:
    South Park, CO
    Beginning with Chrome 78 (I tested it on Slimjet where it works fine), you can enable Cloudflare DoH by adding the syntax below to the shortcut:

    From M78: To use Cloudflare’s DoH service via POST with fallback, you can run Chrome with --enable-features="DnsOverHttps<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:Fallback/true/Templates/https%3A%2F%2Fcloudflare-dns.com%2Fdns-query"

    You can use Quad9 instead by replacing the URL above with this one:

    https%3A%2F%2Fdns%2Equad9%2Enet%2Fdns-query
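
Added example, not part of the post above and not Chrome's own code: it reads the quoted --force-fieldtrial-params value as slash-separated key/value pairs (which is why the resolver URL is percent-encoded) and builds the RFC 8484 request a client would send to that template, as POST and as GET. The function names and the example.com query are assumptions made for illustration; nothing is sent over the network.

```python
import base64
import struct
from urllib.parse import unquote

# The --force-fieldtrial-params value quoted in the post above.
PARAMS = ("DoHTrial.Group1:Fallback/true/Templates/"
          "https%3A%2F%2Fcloudflare-dns.com%2Fdns-query")

def parse_trial_params(value):
    """Split 'Trial.Group:key/val/key/val' and percent-decode each value."""
    trial, _, rest = value.partition(":")
    parts = rest.split("/")  # safe: '/' inside the URL is encoded as %2F
    return trial, {k: unquote(v) for k, v in zip(parts[0::2], parts[1::2])}

def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035); ID 0 as RFC 8484 recommends."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN

def doh_post(template, name):
    """Method, URL, headers and body of an RFC 8484 POST; nothing is sent."""
    body = build_query(name)
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(body))}
    return "POST", template, headers, body

def doh_get_url(template, name):
    """GET form: the same query, unpadded base64url in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{template}?dns={b64}"

if __name__ == "__main__":
    trial, params = parse_trial_params(PARAMS)
    print(trial, params)
    method, url, headers, body = doh_post(params["Templates"], "example.com")
    print(method, url, headers, body.hex())
    print(doh_get_url(params["Templates"], "example.com"))
```

On the wire both forms travel inside TLS to port 443, so a network observer sees a connection to the resolver's address rather than the queried name.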
     
  23. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Enabling it on Chrome is a waste of time for most
     