Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS

from the encrypt-ALL-the-things! dept

Historically, like much of the internet, DNS hasn’t been all that secure. That’s why Mozilla last year announced it would begin testing something called “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in government, telecom, or other organizational efforts to use DNS records to block and filter content, or track and sell user activity.

As a result, a lot of these folks have been throwing temper tantrums in recent weeks.

The telecom sector, which makes plenty of cash selling your daily browsing habits, have spent much of the last year trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google’s part (it doesn’t), to saying it’s a threat to national security (it’s not), to suggesting it even poses a risk to 5G deployments (nah, that’s an entirely different mess). Mozilla’s response to telecoms’ face fanning? To first urge Congress to investigate telecom’s long history of privacy abuses, then proceeding this week to enable the feature by default in the Mozilla browser.

In a blog post, Mozilla explains its thinking as such:

“At the creation of the internet, these kinds of threats to people?s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”

While there’s a lot of overheated rhetoric about the risk of DNS over HTTPS from the likes of big telecom and government surveillance aficionados, there are some legitimate concerns about the standard from more above-board cybersecurity professionals. They’ll be quick to note there’s several other points at which ISPs can still engage in data surveillance and sales. They’ll also argue that DNS over HTTPS really complicates life for enterprise IT managers, and in some instances encrypted DNS could derail existing cybersecurity solutions or parental control solutions.

Mozilla says it’s listening to these complaints, so it’s starting slowly with a gradual roll out across the US only. The organization says Firefox will disable encrypted DNS if it conflicts with parental controls. The feature will also be disabled by default in enterprise configurations. Firefox’s encrypted DNS will use Cloudflare by default, though users can switch to other encrypted DNS providers manually in their browser settings. Those curious about the particulars can dig through Mozilla’s FAQ here.

Filed Under: , , , , , ,
Companies: mozilla

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS”

Subscribe: RSS Leave a comment
24 Comments
MathFox says:

Re: Bonus

I expect that’s because of the caching at Cloudflare. An DNS request/reply requires only two UDP packets, setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower.
If the DNS server you use has the answer cached it can directly reply. however if the answer is not cached it can take several inquiries for the DNS server to obtain the answer in a recursive lookup.

Scary Devil Monastery (profile) says:

Re: Re: Bonus

"An DNS request/reply requires only two UDP packets, setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower."

That’s true…and yet I’ve had the same experience as JoeCool. Once i’m on my VPN ping latency and jitter both drop noticeably as compared to when i’m online outside of the tunnel.

Something is making an encrypted connection a lot faster despite going through more loops and through more servers.

Cdaragorn (profile) says:

Re: Bonus

This is simply not true. While I can’t speak to why you were seeing delays, standard DNS has so many layers that cache requests for you to speed them up the next time you ask that there’s zero chance doing it over HTTPS could be faster for the sole reason that you lose all those caches.
Your own router maintains a DNS cache so most common requests you make never even have to go over the internet to get resolved.

Anonymous Coward says:

Re: Re: Bonus

there’s zero chance doing it over HTTPS could be faster

Your own router maintains a DNS cache

That depends on the router and its configuration. In any case, the local cache only contains things that were looked up locally (and recently), while the DoH cache could contain things looked up by other users. If the DoH server connection is kept open, and has sufficiently low latency, there’s a good chance that DoH will give a significant net improvement.

The CDNs do try to put themselves close to people, and their DoH server may be closer than a national ISP’s central DNS cluster. For sites run by the same CDN it won’t even have to forward the requests. Don’t say "zero chance" without measuring.

tz1 (profile) says:

NextDNS (.io) is also a provider, and if you get an account (free for beta and the first 300k queries) you can add custom block, white, and black lists.

(Not to mention logs and analytics down to device if you add a few things, I found my webcams were hitting timeservers they shouldn’t, so I enabled my own and pointed them at it; they were also pinging their p2p sites which I didn’t want or need; when I find something chattering I can’t block, I add it to my hosts file as a 0.0.0.0).

That is what I’m using and I have several ad, tracking, and malware lists enabled.

So “safety” is an excuse. I’m probably safer as I block more things.

As to speed, I think some implementations of DoH use persistent connections, so the TCP and TLS overhead only happens once. Also it depends on which server is doing the caching – the “big iron” servers are likely to have most things already cached and a large enough capacity.

One problem is bounce pages from wifi portals that want you to click “I agree” or provide a password. Generally using 1.1.1.1 as the site will bounce because IP addresses don’t have https or certs.

tz1 (profile) says:

NextDNS (.io) is also a provider, and if you get an account (free for beta and the first 300k queries) you can add custom block, white, and black lists.

(Not to mention logs and analytics down to device if you add a few things, I found my webcams were hitting timeservers they shouldn’t, so I enabled my own and pointed them at it; they were also pinging their p2p sites which I didn’t want or need; when I find something chattering I can’t block, I add it to my hosts file as a 0.0.0.0).

That is what I’m using and I have several ad, tracking, and malware lists enabled.

So “safety” is an excuse. I’m probably safer as I block more things.

As to speed, I think some implementations of DoH use persistent connections, so the TCP and TLS overhead only happens once. Also it depends on which server is doing the caching – the “big iron” servers are likely to have most things already cached and a large enough capacity.

One problem is bounce pages from wifi portals that want you to click “I agree” or provide a password. Generally using 1.1.1.1 as the site will bounce because IP addresses don’t have https or certs.

Rekrul says:

Re: Re:

when I find something chattering I can’t block, I add it to my hosts file as a 0.0.0.0). That is what I’m using and I have several ad, tracking, and malware lists enabled.

Have you heard of the MVP Hosts file?

http://winhelp2002.mvps.org/hosts.htm

It’s a big list of advertising and malware servers that’s constantly being updated. Start with that and add your own sites to the bottom. 🙂

em_te (profile) says:

The last mile network

Telecoms don’t want to give up control of DNS lookups to companies like CloudFlare because of the lucrative business of CDNs (Content Delivery Network).

The DNS lookup determines which CDN the browser uses to download the file. This allows the DNS lookup to choose a CDN in a physical location that is closer to the user to improve speeds. CloudFlare is a CDN provider and many Telecoms are also CDN providers.

While CDNs are free to the end user, they cost the telecom money when a user tries to load data found an "out of network" CDN because then the telecom will have to pay the network where the CDN is located for usage of their network. It is in the telecom’s best interest to serve content from a CDN already on their network and they can generate more money by getting other people to download from their CDN too.

Large telecoms already have carrier exchange agreements in place because counting all the bytes that they each exchange would be too much work. But telecoms can strong-arm smaller companies like CloudFlare to pay more. If CloudFlare is able to control the DNS, they have leverage against the telecoms and can divert traffic to networks that offer lower rates and CloudFlare can pay less.

Anonymous Coward says:

Re: The last mile network

So Cloudflare can make money off of this while looking like good guys. Heh.

So using DNS to “block, filter, and track” internet activity has come back to hit the profiteers in the revenue streams for a short while at least.

Can anyone point to when this stuff will be available to other countries in the five eyes group(sic?)

Anonymous Coward says:

The last mile network

So Cloudflare can make money off of this while looking like good guys. Heh.

So using DNS to “block, filter, and track” internet activity has come back to hit the profiteers in the revenue streams for a short while at least.

Can anyone point to when this stuff will be available to other countries in the five eyes group(sic?)

Rekrul says:

I’m confused about one point; Supposedly this is to prevent ISP snooping, but probably 99% of average internet users’ account will be setup to use the ISP’s own DNS servers by default. How does it prevent ISP snooping if you encrypt the connection, then ask the ISP to look up a DNS address for you?

And even if users change their DNS server to a third-party one, and the ISP can’t snoop on the request, the browser is just going to turn around and ask the ISP to connect it to the address that was looked up anyway.

Unless you’re using a VPN (which most average users aren’t), the ISP has to know what sites you want to connect to, to you know, connect you to them.

Anonymous Coward says:

Re: Re:

When using the DNS-over-HTTPS feature you’re no longer using your ISP’s DNS servers. You’re using DNS-over-HTTPS via mozilla.cloudflare. Your ISP no longer has any visibility into your DNS queries. It can, however, still see the IPs/hosts from which you’re pulling traffic which is still pretty thorough tracking of sites visited. The only thing they can’t see is failed DNS lookups.

Anonymous Coward says:

Re: Re: Re: Re:

I should also add that they can no longer serve up their own ads for sites that do not resolve via DNS. Super annoying and most ISPs do this. I thought it was ruled illegal over a decade ago…

Are you confusing it with Verisign’s Site Finder? ICANN said it wasn’t allowed by their domain registry agreement, plus a lot of people blocked it via technical means, and Verisign eventually disabled it. There were some legal proceedings but no court ever ruled on it.

Anonymous Coward says:

Re: Re: Re:

It puts the public one step ahead in the arms race. DNS-based tracking is easy: a national ISP can have everyone use one server, and have it log everything. IP-based tracking will need a completely different setup: they’ll need hooks to grab the metadata at every network interconnection, reduce it to a manageable amount of data, and forward it to headquarters. If they’re not set up for it now, it could take a while.

CDNs work against this technique, unless the ISPs also decode the HTTPS setup to grab the hostname. But Mozilla started encrypting this last year ("encrypted SNI"). They’ll know someone’s connecting to Cloudflare for DNS and/or other content, but it’s much harder to tell what they’re doing.

Sequentious (profile) says:

Re: Re: Re: Re:

At the moment, SNI is still largely unencrypted.

Encrypted SNI is still just a draft, Firefox doesn’t implement the current version draft, and it is not yet supported by Apache or nginx.

At the moment, ESNI effectively only works between Firefox and Cloudflare. (I’m not sure about Chrome’s status. I didn’t look it up).

ESNI will eventually arrive and fix this leakage as well.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...