Comcast And Mozilla Partner Up To Help Encrypt DNS

from the strange-bedfellows dept

Over at our Tech Policy Greenhouse, Article19’s Joey Salazar and Consumer Reports’ Benjamin Moskowitz just discussed how it’s long past time to encrypt the Domain Name Server (DNS) system at the heart of the internet. Thanks to the GOP demolishing of FCC broadband privacy rules in 2017, ISPs have carte blanche to monetize this data as they see fit, storing and selling access to your DNS browsing data to data brokers who continue to build detailed user profiles with little to no meaningful oversight.

At the forefront of encrypting DNS have been Google and Mozilla, both of which have been pushing for a standard known as “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. The proposal doesn’t come without downsides, and has seen opposition from ISPs that are either eager to continue to profit off of this data, or are worried that somebody else will (usually Google) if they can’t.

Comcast, AT&T, and others had previously been trying to demonize the Google and Mozilla efforts any way they could, from insisting the move constitutes an antitrust violation on Google’s part (it doesn’t), to saying it’s a threat to national security (it’s not), to suggesting it even poses a risk to 5G deployments (nah).

After Mozilla claimed to Congress that ISPs were being disingenuous with their opposition to the plan, at least one major ISP appears to have come around to the proposal. This week Mozilla announced that Comcast had joined the Firefox Trusted Recursive Resolver (TRR) program, which requires encrypted-DNS providers to not only meet privacy and transparency standards, but to promise not to block or filter domains by default “unless specifically required by law in the jurisdiction in which the resolver operates.” From the blog post:

“This program aims to standardize requirements in three areas: limiting data collection and retention from the resolver, ensuring transparency for any data retention that does occur, and limiting any potential use of the resolver to block access or modify content. By combining the technology, DoH, with strict operational requirements for those implementing it, participants take an important step toward improving user privacy.”

While Comcast has a well-deserved and terrible reputation for anti-competitive behavior, lobbying shenanigans and comically awful customer service, the company’s engineering folks remain top notch, and obviously appreciate the benefits of encrypting the DNS in the wholesale snoopvertising age. In conversations, the company continues to insist to be they’ve never monetized this data (not that anybody in government would ever have the ability or courage to confirm this), and had been running a beta version of its own encrypted DNS offering since last year.

Mozilla helping to standardize this and forming a coalition with Comcast is foundational, and under the partnership, Comcast is promising to not “retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.” Now it’s just a matter of Comcast transparently proving that they’re actually adhering to those standards.

Filed Under: , ,
Companies: comcast, mozilla

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Comcast And Mozilla Partner Up To Help Encrypt DNS”

Subscribe: RSS Leave a comment
26 Comments
Anonymous Coward says:

Re: Re: Re:

Full quote:

Comcast is promising to not "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser."

Rather then:
Not to retain…….made to our DNS servers from any program..

PaulT (profile) says:

Re: Re: Re: Re:

The statement is directly about this browser so it makes sense to specify it in the statement. That doesn’t necessarily mean they’re doing all those things elsewhere, just that they’re stating they won’t be doing it here.

If course, if you’re concerned about this, your main complaint should be that the market is so bad over there that you can’t just move to another ISP if you don’t trust Comcast.

Anonymous Coward says:

"the company continues to insist to be they’ve never monetized this data "

Lot of pants on fire at that company….

The fact that they are now in sudden agreement to encrypt DNS, just tells me their "top notch" engineers have found a way around the obstacle of deciphering the data so they can still "not monetize" it.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

Doesn’t that depend upon whether one selects their own set of DNS servers or not? If a Comcast customer allows Comcast to select the DNS servers, then your right, but if there was say a tool that reset DNS servers to ones that weren’t Comcast but were enabled to handle the encrypted requests then something different would be needed for Comcast to monetize those requests.

Anonymous Coward says:

Re: Re: Re: Re:

Doesn’t that depend upon whether one selects their own set of DNS servers or not? If a Comcast customer allows Comcast to select the DNS servers

That’s what I’d interpret from "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." Comcast can ensure their servers are always the fastest for their customers, in which case Firefox would choose them.

I’m sure Firefox won’t force users to stick with those servers. But only a tiny fraction of people choose their own servers. Probably the same troublemakers that contact their ISPs to opt out of stuff like data-sharing and forced arbitration. Those numbers are too small to matter.

Anonymous Coward says:

Re: Re: Re:2 Re:

That’s what I’d interpret from "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." Comcast can ensure their servers are always the fastest for their customers, in which case Firefox would choose them.

Which then breaks the entire point of Encrypted DNS: To ensure those you don’t want peeking at the lookup requests can’t see them. After all if you can just run a "web browser corporate-backer approved" encrypted DNS server that the web browser trusts, what prevents the browser from using it if the user doesn’t want to?

I say this because the whole point of normal DNS is decentralization of the lookup queries, and network traffic shaping. If the web browsers only trust certain servers, it’s trivial for an ISP or any other service provider to block all requests not destined for their
"trusted" servers and claim that using other servers violates their ToS, breaks security, "you must be up to no good", etc. I.e. It’s a very obvious trap that any enterprise network engineer has deployed to secure their networks against rogue users exfiltrating data. Further, given the current pushes for censorship and "neutrality" what’s to prevent these "trusted" servers from denying lookups to sites the operators disapprove of? Or worse logging and reporting it without the user having alternatives? That’s the whole problem with centralized services like DNS, but even more so when you start mandating who can be trusted and who cannot.

Anonymous Coward says:

Re: Re: Re:3 Re:

After all if you can just run a "web browser corporate-backer approved" encrypted DNS server that the web browser trusts, what prevents the browser from using it if the user doesn’t want to?

The lack of any code to do that prevents the browser from doing it. Firefox’s idea, that Comcast’s server is the one that Comcast users will want to use, is certainly questionable. But at least there’s been no suggestion that browsers will make that the only option.

Sure, Comcast could block other servers. They could also block Tor, HTTPS, whatever. Even they haven’t yet shown signs of stooping to this level.

McKay (profile) says:

This scares me

IMO, the purpose of encrypted DNS is that the ISPs like Comcast can’t get your DNS data. Well, if Comcast is in on it, then they’ll be building their own server, and we’re back where we started. Sadly, Comcast getting in on it will make all the other dumb ISPs realize they can do the same thing. We can still choose another DNS server, but there’ll be a lot of people who just leave it at default through DHCP.

Anonymous Coward says:

Re: This scares me

Centralizing it all at Cloudflare has its own problems. An independent service in each country could be an improvement, if clients used more than one. Domain-blocking orders would then need to target over 100 countries to be effective, at which point it’s easier to target the registry or registrar. Running the DNS servers as onion services would additionally prevent court orders of the form "country X says to block all clients from country X", as geo-location would be impossible.

A lot of uses of DNS, however, are kind of pointless when we have DNSSEC. Once you can authenticate data, it doesn’t matter where you get it from. EG: when one website links to another, the target’s DNS records could be provided by the source site.

Annonymouse says:

Re: Waitaminnit

It all depends on what Mozilla does or doesn’t do with the "help" from Comcast.

My hope is that they treat it as what it is and look for, circumvent but not tell them about any features added by comcast untill after the fact. In other words let Comcast do Comcast and be proactive when it comes to the shenanigans.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...