DNS-over-HTTPS: Privacy and Security Concerns September 6, 2019 http://www.circleid.com/posts/20190906_dns_over_https_the_privacy_and_security_concerns
IMHO some of these concerns are valid, especially in context of corporate networks, but some are not. Also some things are simplifications. Even at the beginning: no, DNS is not only UDP, RFC requires DNS servers to respond to queries via TCP protocol.
Headache for UK ISPs as Firefox Adopt DNS Over HTTPS by Default. https://www.ispreview.co.uk/index.p...-firefox-adopt-dns-over-https-by-default.html
Not just a headache for ISPs. Here's a few threads on how to disable using a canary domain on pfsense unbound (it would also affect pfblockerng dbnsl which many like). https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https https://forum.netgate.com/topic/133...-trusted-recursive-resolver-trr-in-firefox/11 Yet again, browsers exceeding their mandate and causing problems.
DNSSEC has been around for some time. It also can be regarded as a failure due to lack of implementation: https://blog.apnic.net/2017/06/28/isnt-everyone-using-dnssec/ I have been using DoH in FireFox for sometime and have zip issues with it. Also since I use an AV that performs SSL/TLS protocol scanning, I am assured that the DoH traffic is being also scanned.
"...in a blog post, Mozilla said it surprised them to know 70k users already explicitly enabled DoH in Firefox release version," according to Techdows News, Sept. 7. Interesting that it's not way higher than that. I've been using it since I first read about it, last year sometime. In March this year, I went ahead with a bootstrapAddress for mode 3 and settled on the cloudflare-dns rather than the mozilla.cloudflare-dns. I toyed with other servers and would like to use Quad9, but Cloudflare's use of ESNI is a plus FWIW at this point in time.
Google Unveils DNS-over-HTTPS (DoH) Plan, Mozilla's Faces Criticism https://www.bleepingcomputer.com/ne...over-https-doh-plan-mozillas-faces-criticism/
Encrypted DNS could help close the biggest privacy gap on the Internet. Why are some groups fighting against it? September 12, 2019 https://www.eff.org/deeplinks/2019/...gest-privacy-gap-internet-why-are-some-groups
UK ISP Andrews & Arnold Trial DNS over HTTPS (DoH) and DoT September 19, 2019 https://www.ispreview.co.uk/index.p...-arnold-trial-dns-over-https-doh-and-dot.html
A&A are one of the "good guys" in the UK, and have opposed the government's mass surveillance measures, particularly the retention of ICRs in the Investigatory Powers Bill. I imagine DoH and DoT would be rather nice for them since they can say, sorry, nothing to log per policy. Though, if the LE were crazy enough, they could attempt to compel them to do so.
I think it is great talk about pros and cons of DoT, DoH by cloud service providers. In a nutshell: ISPs and OS vendors (my note: especially desktop/laptop OS) failed to deploy encrypted DNS, so browser vendors teamed up with cloud service providers to do it anyway. @deBoetie NLNOG 2019 - DNS over HTTPS considerations - Bert Hubert https://www.youtube.com/watch?v=pjin3nv8jAo
Thanks @reasonablePrivacy - entertaining and agree with most of it. Couple of other thoughts: metadata leakage matters a lot, he's right to want to avoid it one of the bigger risks one faces is unfortunately your own government - they have the power to lock you up, or subject you to investigation. To that extent, you're better off with provider jurisdiction with a hostile foreign government! the biggest problem - as ever - is the fact of mass surveillance and mass data collection (it's on a disk and can be stolen even if it's never officially looked at), and the problems of false positives, means that there's every personal incentive to make it difficult to monitor one's traffic - it's just basic prudence to reduce your attack surface. Unfortunately this means more work for everyone - I wouldn't mind so much that warranted specific investigations could see my data and communications, it's the fact that I can be wrongly picked up based on rubbish or indiscriminate selectors and automated flagging systems (as happened to Hubert) or have data stolen, from the mass collection of DNS records. Anyway, I'll stick with DoT on pfSense for now. Do you know any mitigations relating to OCSP privacy leakage?
Do you mean those made by your browser? Currently only major browser do this is Firefox, and you can turn this off by setting security.ocsp.enabled to 0 in about:config. OCSP stapling do not has privacy exposure by itself.
Thanks, aware of the FF config setting. My understanding was that the certificate would be checked routinely by FF, and that would be in plaintext; and because the certificate signature would be site specific or at least organisation specific, that was a pretty damaging exposure. Presumably, turning off OCSP stapling would make you more vulnerable to MitM type attacks? Presumably, you could also block OCSP at the router/firewall control point.
I could stand to be corrected, but my simple understanding, on the privacy side of things, is in favoring DoH over DoT is that it's on port 443 which is "everything," blending into the far-flung, endless shuffling masses. And DoT, it's "Look, over there. They're on that Port 853..." Like the huge New Year's Eve crowds with a colloquially attired group on a mission vs an equally huge demonstration where an anonymous group is wearing bright yellow shirts.
@Surt - yes, that's right, DoT is obvious in the same way that VPN typically is. However, I don't think it's in any way exceptional to use DoT on a router that serves a business it'd be standard practice. If "they" want to know more, then they can get a warrant (as it should be). If you wanted more stealth, then you're better off with doing it all, not just DNS with an obfuscated VPN access.
Google faces scrutiny from Congress, DOJ over plans to encrypt DNS Officials are concerned it might give Google an unfair advantage September 29, 2019 https://www.engadget.com/2019/09/29/congress-doj-scrutinze-google-encrypted-dns/
@deBoetie All your understanding is right. Of note, Mozilla has changed the default behavior of OCSP request on Firefox mobile to fetch it only on EV-SSL websites ("2" for security.ocsp.enabled). Making firewall rules is certainly possible. Soon after I've joined to Wilders, I installed an addon called CSFire which monitors & blocks all browser requests, foreground or backgroud, unless allowed. At that time I was naively believing OCSP is good thing, so I allowed every OCSP request and soon I got dozens of OCSP rules. While most of them have obvious name like "ocsp.verisign.com" (some were started from "ocsp2"), there were some oddballs. You can probably do it more efficiently, say, setting security.ocsp.enabled to 1 & turn OCSP stapling off, setting up whatever network monitoring tool you like (uBO will be able to do too if you remove default background rules.), clear browser cache and visit bunch of SSL websites.
Why big ISPs aren’t happy about Google’s plans for encrypted DNS October 1, 2019 https://arstechnica.com/tech-policy...me-feature-will-stop-them-from-spying-on-you/
Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move October 4, 2019 https://www.bleepingcomputer.com/ne...xplains-the-risks-behind-dns-over-https-move/
Regarding the NCSC, certainly uncontrolled client defaults to DoH is troublesome, but then, so is any BYOD client. As far as DoT is concerned, yes, that's some effort but necessitated by the very damaging and foolish mass surveillance and potential subversion of DNS by ISPs and governments. Yes, a royal PITA but essentially self-inflicted. In fact, ignoring DoH, setting up DoT on a pfsense router is a doddle, and this includes policy filtering under your own - as opposed to some other entity you don't trust - control. It does NOT render security controls ineffective, the opposite. This additional work by skilled people who have much better things to do with their lives has been specifically caused by the iatrogenics of uncontrolled and unregulated spying.
DNS-over-HTTPS causes more problems than it solves, experts say https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
Meh, no one has ever said it's perfect. But it's a massive step up from the standard, unencrypted DNS. Preferably, I would like to see Microsoft/Apple/Google implement DNSCrypt into their operating systems so that this becomes a thing of the past. But that's never gonna happen. And I can't even get it on Windows myself because of the stupid Simple DNSCrypt bug. https://github.com/bitbeans/SimpleDnsCrypt/issues/251
