Mozilla: ISPs Are Lying About Encrypted DNS, Should Have Privacy Practices Investigated

from the ill-communication dept

In a bid to avoid losing access to the cash cow that is your daily browsing data, ISPs like Comcast have been lying about Google and Mozilla's quest to encrypt DNS data. The effort would effectively let Chrome and Firefox users opt in to DNS encryption -- making your browser data more secure from spying and monetization -- assuming your DNS provider supports it. Needless to say, telecom giants that have made billions of dollars monetizing your every online behavior for decades now (and routinely lying about it) don't much like that.

As a result, Comcast, AT&T, and others have been trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah).

Mozilla this week came out with a letter not only taking aim at those claims, but urging Congress to investigate telecom's long history of privacy problems:

"Our recent experience in rolling out DNS over HTTPs (DoH)—an important privacy and security protection for consumers—has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage," the letter, signed by Marshall Erwin, senior director of trust and security at Mozilla, reads. "With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation."

While there's obviously plenty of perfectly legitimate criticism of Silicon Valley giants like Facebook and Google, we've been noting how telecom lobbyists have been quietly co-opting this backlash to help the telecom sector. So far you'd have to view these efforts as successful; while the government hyperventilates about Facebook and whether it should be broken up and heavily regulated, telecom has convinced lawmakers to effectively obliterate all oversight of telecom, despite the sector having historically been every bit as terrible as Facebook on the subjects of privacy, consumer rights, and competition.

As a result there are a few lawmakers (Marsha Blackburn comes quickly to mind) who claim to be utterly incensed at Facebook's behavior, but have chosen to give telecom a free pass. Mozilla's letter urges Congress to, you know, stop doing that if they want to be taken seriously:

"We believe that more information regarding ISP practices could be useful to the Committee as it continues its deliberations on this front, and we encourage the Committee to publicly probe current ISP data collection and use policies."

As we look to craft what the privacy standards and guidelines of tomorrow look like, it's another reminder of how focusing too exclusively on the missteps of Silicon Valley giants obscures the fact that these problems aren't just exclusive to "big tech." Mozilla's spot on when it notes that privacy solutions that don't consider telecom aren't much of a solution in the first place.

Filed Under: congress, dns over https, doh, encrypted dns, privacy, security
Companies: at&t, comcast, google, mozilla, verizon


Reader Comments


  • Anonymous Coward, 8 Nov 2019 @ 7:00am

    "if they want to be taken seriously"

    Hahahaha - good one.


  • Anonymous Coward, 8 Nov 2019 @ 7:37am

    The Reason Telecoms don't Want Encrypted DNS Lookups

    Be careful here though. I've seen people who claim that their ISP is hijacking their DNS lookups (regardless of whether they're using the ISP's DNS Server or not) and when pressed on it they point to how some ISPs are taking failed DNS lookups to their own DNS servers and returning their own search page (which they can obviously sell ads and placement on). A lot of experts claim this breaks certain functionality that relies on invalid domain errors (NXDOMAIN).

    If the DNS lookup was encrypted, then obviously the ISP could not hijack a DNS lookup that was going to another DNS Server and route it to their own, but as far as I can tell, there's no evidence that they are doing that. They also wouldn't be able to use DNS lookups that are going to third party DNS servers to accumulate lists of visited websites, but they can do that anyways since 99.999% of the time right after a DNS lookup is done, the next step is to actually go to that IP address. So they have that information anyways.

    So why are they opposing it? I suspect because they know if encrypted DNS lookups become standard, it will mean a cost to them to implement. Sure, there's also the failed DNS lookup aspect to it, but since pretty much every browser these days uses a unified address bar, most people expect a search page to show up if they mistype a domain name. So I'd be surprised if any ISPs even bother to hijack NXDOMAIN errors anymore since more often than not the browser is going to handle it.


    • NoahVail (profile), 8 Nov 2019 @ 8:05am

      Re: The Reason Telecoms don't Want Encrypted DNS Lookups

      I'd be surprised if any ISPs even bother to hijack NXDOMAIN errors

      C:\> nslookup

      server 4.2.2.2
      flubboxzing.org (returns 23.217.138.108)
      cheeorgeack.net (returns 23.217.138.108)

      Off the top of my head, Charter and Comcast are still doing it also.


      • NoahVail (profile), 8 Nov 2019 @ 8:17am

        Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

        Just a note for any "Level3 isn't an ISP" folks:
        When FiOS got handed over to Frontier, those DNS servers were often proposed for folks w/ static IPs. Frontier's current DNS servers return the same IPs for NXDOMAIN (as Level3's DNS).

        Synopsis: ISP's Buddy hijacking DNS != ISPs don't hijack DNS.

        ref: other Frontier DNS servers
        https://www.dslreports.com/forum/r31831677-Faster-Internet-Frontier-DNS-settings


      • Zof (profile), 8 Nov 2019 @ 9:06am

        Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

        Hijacking NXdomain and replacing them with landing pages was pioneered by Verizon, and they still do it.


        • Gary (profile), 8 Nov 2019 @ 2:40pm

          Re: Re: Re: The Reason

          ... The lair is pretty much correct. Verizon and Comcast have used that to hijack searches and inject content into streams.


          • jlivingood (profile), 8 Nov 2019 @ 3:13pm

            Re: Re: Re: Re: The Reason

            Comcast's network does not do that (in FD I work there...) NXDOMAIN redirection was done for a short period that ended in January 2012 when DNSSEC Validation was turned on (1st large ISP in the US to do so).


      • jlivingood (profile), 8 Nov 2019 @ 3:10pm

        Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

        Comcast is definitely *not* doing that (I work there). Here is a demonstration using dig @ that server and a name that does not exist. 1st example results in NXDOMAIN. 2nd example gets a SERVFAIL, likely because the auth server does not respond to recursions from 4.2.2.2.

        dig @4.2.2.2 nonamehere.example.com

        ; <<>> DiG 9.10.6 <<>> @4.2.2.2 nonamehere.example.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19479
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 8192
        ;; QUESTION SECTION:
        ;nonamehere.example.com. IN A

        ;; AUTHORITY SECTION:
        example.com. 1884 IN SOA ns.icann.org. noc.dns.icann.org. 2019101516 7200 3600 1209600 3600

        ;; Query time: 84 msec
        ;; SERVER: 4.2.2.2#53(4.2.2.2)
        ;; WHEN: Fri Nov 08 18:06:57 EST 2019
        ;; MSG SIZE rcvd: 107

        dig @4.2.2.2 flubboxzing.org

        ; <<>> DiG 9.10.6 <<>> @4.2.2.2 flubboxzing.org
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38884
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;flubboxzing.org. IN A

        ;; Query time: 24 msec
        ;; SERVER: 4.2.2.2#53(4.2.2.2)
        ;; WHEN: Fri Nov 08 18:09:20 EST 2019
        ;; MSG SIZE rcvd: 33


        • jlivingood (profile), 8 Nov 2019 @ 3:12pm

          Re: Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

          Wow - that is all mangled in plain text. Trying again in markdown:

          dig @4.2.2.2 flubboxzing.org

          ; <<>> DiG 9.10.6 <<>> @4.2.2.2 flubboxzing.org
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38884
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

          ;; QUESTION SECTION:
          ;flubboxzing.org. IN A

          ;; Query time: 24 msec
          ;; SERVER: 4.2.2.2#53(4.2.2.2)
          ;; WHEN: Fri Nov 08 18:09:20 EST 2019
          ;; MSG SIZE rcvd: 33

          dig @4.2.2.2 nonamehere.example.com

          ; <<>> DiG 9.10.6 <<>> @4.2.2.2 nonamehere.example.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19479
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 8192
          ;; QUESTION SECTION:
          ;nonamehere.example.com. IN A

          ;; AUTHORITY SECTION:
          example.com. 1884 IN SOA ns.icann.org. noc.dns.icann.org. 2019101516 7200 3600 1209600 3600

          ;; Query time: 84 msec
          ;; SERVER: 4.2.2.2#53(4.2.2.2)
          ;; WHEN: Fri Nov 08 18:06:57 EST 2019
          ;; MSG SIZE rcvd: 107

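The nslookup and dig checks in the replies above come down to one rule: a name that cannot exist must come back NXDOMAIN with an empty answer section, and an A record for it means the resolver substituted an address. This added Python example (not code from the thread or from any poster) automates that rule over dig's text output and flags the shared landing-page address pattern the thread saw for two unrelated random names; the sample outputs are constructed from the header lines posted above, and `probe_name`, `classify` and `shared_sink` are hypothetical helper names.

```python
import re
import secrets

# Patterns over dig's text output (same layout as the outputs posted above).
STATUS_RE = re.compile(r"status:\s*(?P<status>[A-Z]+),")
ANSWER_RE = re.compile(r"ANSWER:\s*(?P<n>\d+)")
A_RR_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def probe_name(tld="org"):
    """Fresh random label: nothing legitimate can answer for it (hypothetical helper)."""
    return f"probe-{secrets.token_hex(6)}.{tld}"

def classify(dig_output):
    """Verdict for one dig run against a name that should not exist: clean = NXDOMAIN
    with an empty answer section; hijacked = NOERROR with A records (the resolver
    substituted an address); inconclusive = anything else (SERVFAIL, REFUSED, unparsable)."""
    m = STATUS_RE.search(dig_output)
    if m is None:
        return {"verdict": "inconclusive", "status": None, "ips": []}
    status = m.group("status")
    n = ANSWER_RE.search(dig_output)          # count from the HEADER line
    answers = int(n.group("n")) if n else 0
    ips = A_RR_RE.findall(dig_output)         # A records in the ANSWER section
    if status == "NXDOMAIN" and answers == 0:
        verdict = "clean"
    elif status == "NOERROR" and ips:
        verdict = "hijacked"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "status": status, "ips": ips}

def shared_sink(results):
    """True when every hijacked probe landed on one IP set: the search-page
    landing pattern the thread saw for two unrelated random names."""
    sinks = {tuple(sorted(r["ips"])) for r in results if r["verdict"] == "hijacked"}
    return len(sinks) == 1

# Constructed samples: header lines as dig printed them in the thread, plus the
# answer a hijacking resolver prints instead (the IP is the one the thread saw).
NXDOMAIN_OUT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
example.com. 1884 IN SOA ns.icann.org. noc.dns.icann.org. 2019101516 7200 3600 1209600 3600
"""
SERVFAIL_OUT = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38884
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
HIJACK_OUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
flubboxzing.org. 300 IN A 23.217.138.108
"""
```

To test a resolver, run `dig @<resolver> $(probe_name())` a few times and feed each output to `classify`; a SERVFAIL on one name, as in the thread, says nothing either way, so try another name or resolver.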

    • Anonymous Coward, 8 Nov 2019 @ 3:41pm

      Re: The Reason Telecoms don't Want Encrypted DNS Lookups

      IP address alone isn't super useful to ISPs when more and more websites are using shared IPs via cloud hosting.


  • Anonymous Coward, 8 Nov 2019 @ 9:17am

    More privacy for consumers is a good thing,
    ISPs selling data to private companies could be a security risk,
    the fewer companies that have access to your browsing data,
    the less chance of it being hacked and even being leaked on the web
    and being used to gain access to financial info like credit card info,
    purchasing info.
    Most people do not want info leaked of, for instance, the fact they pay to buy adult DVDs or stream XX-rated movies.
    Private companies have a bad record of securing user data from being hacked.
    Google and Facebook are criticised for selling user data to advertisers,
    meanwhile ISPs get a free pass to sell to any small private company.
    I would trust Google or Mozilla more than any ISP.


  • Anonymous Coward, 8 Nov 2019 @ 10:03am

    Upvote Mozilla bug preventing DoH and ESNI from working together

    Please upvote Bug 1585395 under the "Details" dropdown menu, since both DoH and ESNI are needed to minimize ISP spying.


  • Anonymous Coward, 8 Nov 2019 @ 10:11am

    Friday deep thoughts:

    The trick is: convincing people that online anonymity, online privacy, actually exist. Actual privacy is the fallacy.


  • ECA (profile), 8 Nov 2019 @ 1:16pm

    BUT, BUT...

    That's not fair..
    https://www.techdirt.com/articles/20191104/19421143323/cbp-now-has-access-to-nsa-cia-collections.shtml

    Gov. don't like it
    ISPs don't like it..
    VPNs don't like it..
    Advert agencies don't like it..

    NOW, how much are the Congress going to get?? Backdoors open..


  • Garcia, 10 Nov 2019 @ 9:08pm

    Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regards to the domain name services (DNS) ISPs provide to US consumers https://www.upsers.one/


  • Anonymous Coward, 11 Nov 2019 @ 2:47am

    Stop it with these links to news sites, rather than the doc

    Karl,

    Mozilla this week came out with a letter not only taking aim at those claims, but urging Congress to investigate telecom's long history of privacy problems:

    The link there is NOT to the letter but to a Vice article. Are they paying you or are you just being lazy?

    Don't give us:

    https://www.vice.com/en_us/article/zmj5p9/mozilla-firefox-asks-congress-to-investigate-internet-service-providers-data-selling-collection?utm_source=mbtwitterus

    Give us:

    https://assets.documentcloud.org/documents/6538356/Mozilla-Letter-to-Congress-on-DoH.pdf


  • Anonymous Coward, 11 Nov 2019 @ 7:02pm

    I don't see here why it makes any sense that DNS traffic should be directed by a browser breaking network automation and directing people to the worst violators of individuals privacy. I trust tech about as much as I trust ISPs, but the ISPs I can avoid. The big tech giants I have no way to avoid. So why does this make any sense. Don't give me a terms of service agreement that has zero penalties if broken.



Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.