DNS-over-HTTPS: Privacy and Security Concerns

Discussion in 'privacy technology' started by mood, Sep 7, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,159
    DNS-over-HTTPS: Privacy and Security Concerns
    September 6, 2019
    http://www.circleid.com/posts/20190906_dns_over_https_the_privacy_and_security_concerns
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    914
    Location:
    Member state of European Union
    IMHO some of these concerns are valid, especially in the context of corporate networks, but some are not. Also some things are simplifications. Even at the beginning: no, DNS is not only UDP; the RFC requires DNS servers to respond to queries via the TCP protocol.
     
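As an added illustration of the DNS-over-TCP point above (example code written for this thread, not from any post or from the linked article): the same RFC 1035 query message is sent as-is over UDP, while over TCP it is prefixed with a two-octet length so that messages can be delimited in the byte stream. The domain names and transaction id are constructed sample values.

```python
# Added example: DNS wire-format query, with UDP vs. TCP framing.
# RFC 1035 section 4.2.2 defines the 2-octet length prefix used over TCP;
# RFC 7766 makes TCP support mandatory for DNS implementations.
import struct

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}  # a few common record types

def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:           # RFC 1035 label length limit
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str = "A", txid: int = 0x1234) -> bytes:
    """12-octet header plus one question; RD=1 asks a recursive resolver to answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question          # this is the complete UDP payload

def frame_for_tcp(message: bytes) -> bytes:
    """TCP is a stream, so each DNS message is preceded by its big-endian length."""
    return struct.pack("!H", len(message)) + message

def unframe_from_tcp(stream: bytes) -> list[bytes]:
    """Split a TCP byte stream back into whole DNS messages (they may be pipelined)."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break                     # partial message: wait for more bytes
        messages.append(stream[pos + 2 : pos + 2 + length])
        pos += 2 + length
    return messages

if __name__ == "__main__":
    q = build_query("example.com")    # constructed sample query
    print("UDP payload:", q.hex())
    print("TCP framed :", frame_for_tcp(q).hex())
```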
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    12,659
    Location:
    UK
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    DNSSEC has been around for some time. It also can be regarded as a failure due to lack of implementation: https://blog.apnic.net/2017/06/28/isnt-everyone-using-dnssec/

    I have been using DoH in Firefox for some time and have zip issues with it. Also, since I use an AV that performs SSL/TLS protocol scanning, I am assured that the DoH traffic is also being scanned.
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    79
    Location:
    USA
    "...in a blog post, Mozilla said it surprised them to know 70k users already explicitly enabled DoH in Firefox release version," according to Techdows News, Sept. 7. Interesting that it's not way higher than that.

    I've been using it since I first read about it, last year sometime. In March this year, I went ahead with a bootstrapAddress for mode 3 and settled on the cloudflare-dns rather than the mozilla.cloudflare-dns.

    I toyed with other servers and would like to use Quad9, but Cloudflare's use of ESNI is a plus FWIW at this point in time.
     
    Last edited: Sep 9, 2019
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,403
    Location:
    Here
    Google Unveils DNS-over-HTTPS (DoH) Plan, Mozilla's Faces Criticism
    https://www.bleepingcomputer.com/ne...over-https-doh-plan-mozillas-faces-criticism/
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,159
    Encrypted DNS could help close the biggest privacy gap on the Internet. Why are some groups fighting against it?
    September 12, 2019
    https://www.eff.org/deeplinks/2019/...gest-privacy-gap-internet-why-are-some-groups
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,159
    UK ISP Andrews & Arnold Trial DNS over HTTPS (DoH) and DoT
    September 19, 2019
    https://www.ispreview.co.uk/index.p...-arnold-trial-dns-over-https-doh-and-dot.html
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    A&A are one of the "good guys" in the UK, and have opposed the government's mass surveillance measures, particularly the retention of ICRs in the Investigatory Powers Bill. I imagine DoH and DoT would be rather nice for them since they can say, sorry, nothing to log per policy. Though, if the LE were crazy enough, they could attempt to compel them to do so.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    914
    Location:
    Member state of European Union
    I think it is a great talk about the pros and cons of DoT and DoH by cloud service providers. In a nutshell:
    ISPs and OS vendors (my note: especially desktop/laptop OS) failed to deploy encrypted DNS, so browser vendors teamed up with cloud service providers to do it anyway.
    @deBoetie
    NLNOG 2019 - DNS over HTTPS considerations - Bert Hubert
    https://www.youtube.com/watch?v=pjin3nv8jAo
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Thanks @reasonablePrivacy - entertaining and agree with most of it. Couple of other thoughts:

    • metadata leakage matters a lot, he's right to want to avoid it
    • one of the bigger risks one faces is unfortunately your own government - they have the power to lock you up, or subject you to investigation. To that extent, you're better off with provider jurisdiction with a hostile foreign government!
    • the biggest problem - as ever - is the fact of mass surveillance and mass data collection (it's on a disk and can be stolen even if it's never officially looked at), and the problems of false positives, means that there's every personal incentive to make it difficult to monitor one's traffic - it's just basic prudence to reduce your attack surface. Unfortunately this means more work for everyone - I wouldn't mind so much that warranted specific investigations could see my data and communications, it's the fact that I can be wrongly picked up based on rubbish or indiscriminate selectors and automated flagging systems (as happened to Hubert) or have data stolen, from the mass collection of DNS records.
    Anyway, I'll stick with DoT on pfSense for now.

    Do you know any mitigations relating to OCSP privacy leakage?
     
  13. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,780
    Do you mean those made by your browser? Currently the only major browser that does this is Firefox, and you can turn this off by setting security.ocsp.enabled to 0 in about:config. OCSP stapling does not have privacy exposure by itself.
     
    Last edited: Sep 29, 2019
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Thanks, aware of the FF config setting. My understanding was that the certificate would be checked routinely by FF, and that would be in plaintext; and because the certificate signature would be site specific or at least organisation specific, that was a pretty damaging exposure.

    Presumably, turning off OCSP stapling would make you more vulnerable to MitM type attacks?

    Presumably, you could also block OCSP at the router/firewall control point.
     
  15. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    489
    It blows my mind how the UK can actively fight DoH on the basis of "Think of the children!"
     
  16. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    79
    Location:
    USA
    I could stand to be corrected, but my simple understanding, on the privacy side of things, in favoring DoH over DoT is that it's on port 443 which is "everything," blending into the far-flung, endless shuffling masses. And DoT, it's "Look, over there. They're on that Port 853..."

    Like the huge New Year's Eve crowds with a colloquially attired group on a mission vs an equally huge demonstration where an anonymous group is wearing bright yellow shirts.
     
    Last edited: Sep 29, 2019
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    @Surt - yes, that's right, DoT is obvious in the same way that VPN typically is. However, I don't think it's in any way exceptional to use DoT on a router that serves a business; it'd be standard practice. If "they" want to know more, then they can get a warrant (as it should be).

    If you wanted more stealth, then you're better off doing it all, not just DNS, with obfuscated VPN access.
     
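To make the visibility point of the last two posts concrete, here is an added example (written for this thread, not code from any poster): a small classifier run over constructed flow records, as a network observer would see them. Plain DNS and DoT are identifiable from the destination port alone, whereas DoH on 443 is only recognisable if the TLS SNI (or destination address) matches a resolver already on a list; the two DoH hostnames come from earlier in the thread, and with ESNI even that hint disappears.

```python
# Added example: port-based visibility of plain DNS, DoT and DoH.
from dataclasses import dataclass

# DoH resolver names mentioned earlier in the thread; in practice a defender
# would maintain a much longer list (and destination IPs as well).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

@dataclass
class Flow:
    proto: str        # "udp" or "tcp"
    dst_port: int
    sni: str = ""     # TLS server name; empty when absent or hidden (ESNI)

def classify(flow: Flow) -> str:
    """Label a flow with what an on-path observer can conclude about it."""
    if flow.dst_port == 53:
        return "dns-plain"          # cleartext: names readable, not just the port
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "dot"                # encrypted, but the port itself says "DNS"
    if flow.proto == "tcp" and flow.dst_port == 443:
        if flow.sni in KNOWN_DOH_HOSTS:
            return "doh-probable"   # encrypted; only the SNI gives it away
        return "https"              # indistinguishable from ordinary web traffic
    return "other"

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'proto dst_port [sni]' record (not a real log format)."""
    parts = line.split()
    return Flow(parts[0], int(parts[1]), parts[2] if len(parts) > 2 else "")

# Constructed sample records.
SAMPLE_FLOWS = [
    "udp 53",
    "tcp 853",
    "tcp 443 cloudflare-dns.com",
    "tcp 443 www.example.org",
    "tcp 443",                      # SNI hidden, e.g. by ESNI
]

def summarise(lines=SAMPLE_FLOWS) -> dict[str, int]:
    """Count flows per label; this is what a dashboard would show."""
    counts: dict[str, int] = {}
    for line in lines:
        label = classify(parse_flow(line))
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarise())
```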
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,159
    Google faces scrutiny from Congress, DOJ over plans to encrypt DNS
    Officials are concerned it might give Google an unfair advantage
    September 29, 2019
    https://www.engadget.com/2019/09/29/congress-doj-scrutinze-google-encrypted-dns/
     
  19. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    489
  20. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,780
    @deBoetie
    All your understanding is right. Of note, Mozilla has changed the default behavior of OCSP requests on Firefox mobile to fetch them only on EV-SSL websites ("2" for security.ocsp.enabled).

    Making firewall rules is certainly possible. Soon after I joined Wilders, I installed an addon called CSFire which monitors & blocks all browser requests, foreground or background, unless allowed. At that time I was naively believing OCSP is a good thing, so I allowed every OCSP request and soon I got dozens of OCSP rules. While most of them have obvious names like "ocsp.verisign.com" (some started with "ocsp2"), there were some oddballs. You can probably do it more efficiently, say, setting security.ocsp.enabled to 1 & turning OCSP stapling off, setting up whatever network monitoring tool you like (uBO will be able to do it too if you remove default background rules), clearing the browser cache and visiting a bunch of SSL websites.
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,159
    Why big ISPs aren’t happy about Google’s plans for encrypted DNS
    October 1, 2019
    https://arstechnica.com/tech-policy...me-feature-will-stop-them-from-spying-on-you/
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,159
    Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move
    October 4, 2019
    https://www.bleepingcomputer.com/ne...xplains-the-risks-behind-dns-over-https-move/
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,801
    Location:
    UK
    Regarding the NCSC, certainly uncontrolled client defaults to DoH is troublesome, but then, so is any BYOD client. As far as DoT is concerned, yes, that's some effort but necessitated by the very damaging and foolish mass surveillance and potential subversion of DNS by ISPs and governments. Yes, a royal PITA but essentially self-inflicted.

    In fact, ignoring DoH, setting up DoT on a pfSense router is a doddle, and this includes policy filtering under your own - as opposed to some other entity you don't trust - control. It does NOT render security controls ineffective, the opposite.

    This additional work by skilled people who have much better things to do with their lives has been specifically caused by the iatrogenics of uncontrolled and unregulated spying.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,403
    Location:
    Here
    DNS-over-HTTPS causes more problems than it solves, experts say
    https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
     
  25. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    489
    Meh, no one has ever said it's perfect. But it's a massive step up from the standard, unencrypted DNS. Preferably, I would like to see Microsoft/Apple/Google implement DNSCrypt into their operating systems so that this becomes a thing of the past.

    But that's never gonna happen. And I can't even get it on Windows myself because of the stupid Simple DNSCrypt bug.

    https://github.com/bitbeans/SimpleDnsCrypt/issues/251
     