DNS-over-HTTPS: Privacy and Security Concerns

Discussion in 'privacy technology' started by mood, Sep 7, 2019.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
  2. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Most people can't even Google stuff. How are they supposed to know what a DNS even is?

    Anyway, I'm happy to use CloudFlare as the default on Firefox, even if I would prefer to use Cloud9 Quad9 as the default as that's a non-profit. However, they are both much better than my ISP getting it.
     
    Last edited: Jan 1, 2020
  3. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    28
    Location:
    A field
There are more than 2 ways to encrypt your DNS. All have pros and cons.
    You can see a handy comparison chart here https://dnscrypt.info/faq

    The issue of software taking over and not respecting the OS is going to be a non-issue.
    What we currently have is a stopgap until the OS vendors have rolled encryption and authentication into the OS DNS service.
    Microsoft have thankfully taken the lead and are going to put it where it should be.

    In-app solutions will just lead us into a mess of security problems if every dev is doing it their way.
    They also bypass your HOSTS file, which is not good.

    I have been a happy user of DNSCrypt for a while and when DoH became the new messiah they simply added support for that.
    People can have DoH in the OS where it is supposed to be already.
    You get a huge list of resolvers to pick from and it automatically uses the fastest responding (including Quad9 and cloudflare)

    I have DoH even if I use Opera 12 or IE, because it is just there.

    Ultimately it is not a choice the ISPs have in it. They can sing and dance to their hearts content.
    Notice that the small ISPs that don't sell user data, or are under the threshold required by Gov to collect your data, are very happy with the idea of encrypted DNS.

    If you don't like what google and Mozilla are doing at the moment, I can understand, but you can have your cake and eat it if you use DNSCrypt instead.
    Ignore what they put in browsers and use a system that gives you a lot more control, and importantly you can use blocklists again.
     
  4. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I prefer DNSCrypt, but Simple DNSCrypt is basically abandonware which is really unfortunate.

    Edit: YogaDNS looks really interesting!
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,822
    Location:
    UK
    While I certainly don't want apps, particularly browsers making that call by default, nor do I want the OS to do so - my boundary router can do that, thank you very much. The issue for me is certainly one of defaults and ease of control, and whether the user gets to do so. But without the overhead of corporate style lockdown.
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    117
    Location:
    USA
    https://www.quad9.net/doh-quad9-dns-servers/

    Cox Communications is jumping into the ring, DoH and DoT...
    http://lists.encrypted-dns.org/scripts/wa-ENCDNS.exe?A2=ENCRYPTED-DNS;e879d721.1910&FT=&P=277415&H=&S=b
    174.68.248.77
    https://dohdot.coxlab.net/dns-query
     
  7. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I know. But I was thinking of having it as a default option in Firefox.

    Currently, I'm using Quad9 with YogaDNS.
     
  8. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    28
    Location:
    A field
    I don't know why you say abandonware. I would use this page as a better gauge of that https://github.com/bitbeans/SimpleDnsCrypt/releases

    The issue in that old bug report is not a bug in Simple DNSCrypt, but because of people trying to load the service while there is no network connection.
    If you change the service to run delayed it usually solves it.
    This is an issue with DNSCrypt proxy service, not the GUI software.

    Note: Simple DNSCrypt is a GUI for the proxy. It comes with the same binaries as you will find in the main repo.
    If the GUI software has not been updated there is nothing stopping you simply fetching the latest copy of DNSCrypt and updating it yourself.
Disable the service, copy the new one over and re-enable the service. I do this often as the GUI package is not updated as often as the core.

    You miss the point then.
    Once the OS deals with it just as it currently does on automatic, it will use your router just as it does now because that will be the responding DNS up the chain. If it lacks encryption and authentication it will just go without.

    You also have the option to flash DNSCrypt to most programmable routers, so you can have your cake and eat it.
     
  9. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    The app is called "Simple DNSCrypt" which implies it should be, well, simple, to use. Changing a service manually is madness if you want to reach the masses. I have no clue why the creator doesn't care about fixing it.

    Also, a keyword here is "usually".
    Judging by the GitHub, it's no guarantee. I haven't bothered with the program for over a year now, simply because I don't want to manually have to start a service.
     
    Last edited: Jan 1, 2020
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    905
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    I just started using YogaDNS and I'm curious how you've set it up? For Cloudflare I entered Cloudflare DOH in the servers list, entered 1.1.1.1 in the IP address field, selected DNS over HTTPS and entered https://cloudflare-dns.com/dns-query. I also defined the default rule to process via Ethernet. Does that look right? Thanks!
     
  12. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I'm using Quad9 and not CloudFlare, and this is how I did it:

    Option 1:
    Download this configuration
    File->Autostart
    File->Import configuration->Choose the file you downloaded>Done!

    Option 2:

    File->Autostart
    Configuration->DNS Servers->Add->DNSCrypt->sdns:// then enter
    Code:
    sdns://AQEAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
    Enter a friendly name
    Click OK
    Click OK
    Configuration->Rules->Add:
    Name: Quad9
    Hostnames: *
    Action: Process
    DNS Server: Quad9


    Pictures of what everything should look like when you're done:

    YogaDNS should say something like
    Code:
    [01.02 00:40:04] tracing.spotify.net - process : server=Quad9 (DNSCrypt), rule=Quad9
    When it's working properly.


    Decided to try getting DoH to work with YogaDNS too. Here's the pictures of what you should write:

     
    Last edited: Jan 2, 2020
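The `sdns://` string pasted in the Option 2 steps above is a DNS stamp: a base64url blob that packs the protocol, the privacy/security property flags, the resolver address and, for DNSCrypt, the provider's public key and name. The decoder below is an added example, not part of the post or of YogaDNS or dnscrypt-proxy; it is written from the public DNS stamp specification and decodes the Quad9 stamp from the post so you can see what you are trusting before importing it. It also goes slightly beyond the post by handling DoH stamps (protocol 0x02) and by encoding one, so a DoH server such as the ones discussed later in the thread can be expressed in the same format. The Cloudflare hostname and path used in the round-trip check are the ones quoted elsewhere in the thread; no real certificate hashes are included.

```python
"""Decode and encode DNS stamps (the sdns:// strings used by DNSCrypt and DoH clients).
Added example; follows the public DNS stamp format, not any project's own code."""
import base64
from dataclasses import dataclass, field

PROTO_DNSCRYPT, PROTO_DOH = 0x01, 0x02
PROTO_NAMES = {PROTO_DNSCRYPT: "DNSCrypt", PROTO_DOH: "DoH"}
# Property bits in the 64-bit little-endian flags field that follows the protocol byte.
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4

# The Quad9 DNSCrypt stamp exactly as posted in the thread above.
QUAD9_STAMP = ("sdns://AQEAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2G"
               "PhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0")


@dataclass
class Stamp:
    protocol: str
    dnssec: bool
    no_logs: bool
    no_filter: bool
    address: str                 # "ip:port"; may be empty for DoH (resolve the hostname instead)
    public_key: str = ""         # hex, DNSCrypt only (32-byte provider key)
    provider_name: str = ""      # DNSCrypt only, e.g. 2.dnscrypt-cert.example
    hashes: list = field(default_factory=list)  # hex cert hashes, DoH only (empty = rely on the CA store)
    hostname: str = ""           # DoH only
    path: str = ""               # DoH only


def _lp(buf: bytes, pos: int):
    """Length-prefixed field: one length byte followed by that many bytes."""
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], end


def _vlp(buf: bytes, pos: int):
    """Vector of length-prefixed fields: bit 7 of a length byte means another element follows."""
    items = []
    while True:
        more, n = buf[pos] & 0x80, buf[pos] & 0x7F
        end = pos + 1 + n
        if end > len(buf):
            raise ValueError("truncated stamp")
        items.append(buf[pos + 1:end])
        pos = end
        if not more:
            return items, pos


def parse_stamp(stamp: str) -> Stamp:
    """Decode an sdns:// stamp into its fields, rejecting malformed or unsupported input."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # stamps omit base64 padding
    if len(raw) < 9 or raw[0] not in PROTO_NAMES:
        raise ValueError("unsupported or truncated stamp")
    proto, props = raw[0], int.from_bytes(raw[1:9], "little")
    address, pos = _lp(raw, 9)
    st = Stamp(PROTO_NAMES[proto], bool(props & PROP_DNSSEC), bool(props & PROP_NO_LOGS),
               bool(props & PROP_NO_FILTER), address.decode())
    if proto == PROTO_DNSCRYPT:
        pk, pos = _lp(raw, pos)
        if len(pk) != 32:
            raise ValueError("DNSCrypt provider key must be 32 bytes")
        name, pos = _lp(raw, pos)
        st.public_key, st.provider_name = pk.hex(), name.decode()
    else:
        hashes, pos = _vlp(raw, pos)
        host, pos = _lp(raw, pos)
        path, pos = _lp(raw, pos)
        st.hashes = [h.hex() for h in hashes if h]
        st.hostname, st.path = host.decode(), path.decode()
    if pos != len(raw):
        raise ValueError("trailing bytes in stamp")
    return st


def make_doh_stamp(hostname: str, path: str = "/dns-query", address: str = "", hashes=(),
                   dnssec=False, no_logs=False, no_filter=False) -> str:
    """Encode a DoH server as an sdns:// stamp (hashes are hex SHA-256 cert digests, optional)."""
    props = (PROP_DNSSEC if dnssec else 0) | (PROP_NO_LOGS if no_logs else 0) | (PROP_NO_FILTER if no_filter else 0)
    lp = lambda b: bytes([len(b)]) + b
    hs = [bytes.fromhex(h) for h in hashes] or [b""]  # an empty vector is encoded as one empty element
    vlp = b"".join(bytes([len(h) | (0x80 if i < len(hs) - 1 else 0)]) + h for i, h in enumerate(hs))
    raw = (bytes([PROTO_DOH]) + props.to_bytes(8, "little") + lp(address.encode())
           + vlp + lp(hostname.encode()) + lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    print(parse_stamp(QUAD9_STAMP))
    print(parse_stamp(make_doh_stamp("cloudflare-dns.com", address="1.1.1.1", no_logs=True)))
```

Decoding the posted stamp shows protocol DNSCrypt, the DNSSEC flag set, address 9.9.9.9:8443 and provider name 2.dnscrypt-cert.quad9.net; the 32-byte key is what the client uses to verify the provider's signed certificate, so a stamp from an untrusted source with a different key would silently point you at a different operator, which is the thing worth checking before importing someone else's configuration file.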
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    Thanks for the details. I setup DoH for Quad9 and it works fine. I noticed that Quad9 has slower ping times for me, so I went back to CloudFlare DoH, but I don't know if the difference is significant over all - they both work well.
     
  14. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    The CEO of Quad9 has stated that for most people, the difference in speed is negligible if you live in the USA or Europe. Besides, Quad9 is a nonprofit while CloudFlare seemingly mines your data.
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
That's a really useful read, thanks! By the way, what are your thoughts re DNSCrypt vs DoH?
     
  16. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I've chosen to use DNSCrypt mostly "because". Don't really have a reason for it.

    The CEO of Quad9 seems to suggest that DNSCrypt is superior, unless you want to hide the fact that you're using an encrypted DNS.
    The official DNSCrypt website claims that they are all equally secure.
     
  17. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    259
    Location:
    Wonderland
    Adguard DOH working fine here. Good speed + some web blocking! :thumb::thumb: Quad9 didn't work out as well for me.
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,020
    Location:
    Member state of European Union
    Cloudflare's privacy policy states that they delete all data after 24 hours. Some data do not even hit persistent storage (SSDs, HDDs etc).
    Actually Quad9 gathers data, aggregates it, anonymizes it (that is why they state they do not collect PII) and sends to trusted threat intelligence partners.
     
    Last edited: Jan 2, 2020
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,020
    Location:
    Member state of European Union
For me Cloudflare has slightly quicker DNS responses, but due to being privacy-oriented they disabled geographic location oriented optimization features such as EDNS Client Subnet. Cloudflare responses sometimes point me to servers that respond to my location a lot slower than Quad9 or ISPs' DNS.
     
  20. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    28
    Location:
    A field
    @Beyonder
    Yes "usually" just like usual applies anywhere in computing.
How can we know how long it takes for someone else's connection to be available before the service runs?
    This is why I suggest changing the service to delayed start which will fix the problem for anyone that does not have some other issue (hence "usually").
    No manual starting of the service is needed. You just seem to prefer to do that instead, which there is no need to.

    Griping about software that actually has a bug is fine, but as I said, this is nothing to do with the GUI or the author, or for them to fix.
    If you want to point the finger of blame then it is at the author of the core service.
    As for thinking Simple DNSCrypt to be the widest used option. That is a non-issue as there is no other option.
    You either use it via CLI as it was intended, or use the only free GUI in development, and any other GUI will still have the same issues.
    Compared to CLI yes Simple DNSCrypt is simple. It is so simple my 70 year old Mum can use it with me on the other end of the phone.
    It has a very obvious switch which changes your connection very obviously to green if the service is running.
    What is not simple about that ?
    Try dealing with that compared to the Windows service panel, and a 70 year old on the phone.

    As this problem happens to so few people, I would also suggest you are making a mountain from a mole-hill.
     
  21. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    @A_mouse

    I'm not saying this is the end of the world. What I'm saying is that something should be done about the issue, seeing as Simple DNSCrypt is otherwise a great program. Instead of acknowledging it, or reaching out to the creator of DNSCrypt-proxy itself for some kind of collaboration, the creator of SDNSCrypt (and the creator of DNSCrypt-proxy) seemingly just ignore it. I wouldn't say this is affecting just a few people. Very few people actually use DNSCrypt tools in the first place, as you need knowledge to even seek it out, and this issue seems to affect absolutely everyone, some time. There are 34 participants in the issue I posted. I'd say that's significant.

    Some people, like this guy seems to have gone above and beyond in trying to make it work properly by setting it to a delayed start, etc. But it doesn't seem to work all the time, according to this person.

    I'm also not sure if this is actually caused by the proxy itself, and not Simple DNSCrypt, as it worked properly before.

    Interestingly enough, I found an attempt to fix it by bitbeans. Evidently, the fix did not take.

    So while this might be easier than running the CLI, it's still got a long way to go if it wants to compete with the simplicity of enabling DoH in Firefox.

    Also, I'd argue YogaDNS is an option. It doesn't have this issue at all and you can easily import a configuration (Like the one I posted) and be up and running in seconds.
     
  22. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    117
    Location:
    USA
    Yeah, everyone's gonna want to have their fav DNS as in there. :) (I'd like to see a check box to enable bootstrapping.)

    Anyhow, is there a problem with selecting Custom in the Network Settings and entering the URL?
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,382
    Location:
    .
[attachments: Connection Settings.png, network trr dns quad9 w 9999.png]
     
    Last edited: Jan 2, 2020
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,089
    Thanks. I have been trying out YogaDNS

    A little something I have noticed in Brave (and most likely every other Chromium browser).
    I have Adguard DoH with Yoga DNS and on dnsleak sites it works fine. But if I enable the Chrome flag for secure DNS lookup the dns starts to leak.

    For those with chromium browsers try to make sure the flag for secure DNS lookup isn't enabled.
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,983
    Location:
    USA
    Yes, I'm using YogaDNS at the moment and setting it up was really easy. It's nice having the option to open the window and observe the DNS queries in real-time.
     