Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS

from the encrypt-ALL-the-things! dept

Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla last year announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in government, telecom, or other organizational efforts to use DNS records to block and filter content, or track and sell user activity.

As a result, a lot of these folks have been throwing temper tantrums in recent weeks.

The telecom sector, which makes plenty of cash selling your daily browsing habits, has spent much of the last year trying to demonize the Google and Mozilla efforts any way it can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah, that's an entirely different mess). Mozilla's response to telecoms' face fanning? To first urge Congress to investigate telecom's long history of privacy abuses, then proceed this week to enable the feature by default in the Mozilla browser.

In a blog post, Mozilla explains its thinking as such:

"At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit."

While there's a lot of overheated rhetoric about the risk of DNS over HTTPS from the likes of big telecom and government surveillance aficionados, there are some legitimate concerns about the standard from more above-board cybersecurity professionals. They'll be quick to note there are several other points at which ISPs can still engage in data surveillance and sales. They'll also argue that DNS over HTTPS really complicates life for enterprise IT managers, and in some instances encrypted DNS could derail existing cybersecurity solutions or parental control solutions.

Mozilla says it's listening to these complaints, so it's starting slowly with a gradual rollout across the US only. The organization says Firefox will disable encrypted DNS if it conflicts with parental controls. The feature will also be disabled by default in enterprise configurations. Firefox's encrypted DNS will use Cloudflare by default, though users can switch to other encrypted DNS providers manually in their browser settings. Those curious about the particulars can dig through Mozilla's FAQ here.
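To make concrete what "performing DNS lookups in an encrypted HTTPS connection" carries on the wire, here is an added example (my own code, not Mozilla's or Cloudflare's) of the RFC 8484 DoH message format: the query is an ordinary RFC 1035 wire-format DNS message, base64url-encoded into the GET URL the browser sends to its resolver, and the reply is the same wire format coming back inside the HTTPS response. The response bytes below are constructed, not captured from a real resolver.

```python
import base64
import struct
def encode_name(name: str) -> bytes:
    # 'example.com' -> b'\x07example\x03com\x00' (RFC 1035 label format)
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    # ID 0 (RFC 8484 recommends it so equal queries give cacheable URLs), RD=1, one IN question; qtype 1 = A
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    # RFC 8484 GET form: ?dns=<base64url-encoded message with '=' padding removed>
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def decode_name(msg: bytes, off: int):
    # Decode a name that may use compression pointers; return (name, offset after it)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:                              # root label ends the name
            off += 1
            break
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg: bytes):
    # Return (rcode, [(name, type, ttl, rdata), ...]) from the answer section
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:                  # A record -> dotted quad
            rdata = ".".join(map(str, rdata))
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x0F, answers

# Constructed sample reply for example.com A: NOERROR, one answer named by pointer 0xC00C, TTL 300, TEST-NET-3 address
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
```

The resolver URL Firefox uses for its Cloudflare default is https://mozilla.cloudflare-dns.com/dns-query; the GET form suits queries small enough to fit a URL, and RFC 8484 otherwise uses POST with the raw message body.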

Filed Under: browsers, dns, dns-over-https, encryption, firefox, privacy, snooping
Companies: mozilla


Reader Comments



  • JoeCool (profile), 27 Feb 2020 @ 6:52am

    Bonus

    One bonus to using DNS over HTTPS that I haven't seen mentioned is that it's faster resolving addresses. Given all the snooping and tracking regular DNS goes through, I had significant delays on address lookups that went away when I switched to encrypted DNS.


    • MathFox, 27 Feb 2020 @ 7:26am

      Re: Bonus

      I expect that's because of the caching at Cloudflare. A DNS request/reply requires only two UDP packets; setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower.
      If the DNS server you use has the answer cached it can directly reply. However, if the answer is not cached it can take several inquiries for the DNS server to obtain the answer in a recursive lookup.


      • Anonymous Coward, 27 Feb 2020 @ 8:58am

        Re: Re: Bonus

        "setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower."

        Why wouldn't Firefox leave that connection open?


      • Scary Devil Monastery (profile), 28 Feb 2020 @ 6:24am

        Re: Re: Bonus

        "A DNS request/reply requires only two UDP packets, setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower."

        That's true... and yet I've had the same experience as JoeCool. Once I'm on my VPN, ping latency and jitter both drop noticeably as compared to when I'm online outside of the tunnel.

        Something is making an encrypted connection a lot faster despite going through more loops and through more servers.


    • Cdaragorn (profile), 27 Feb 2020 @ 7:55am

      Re: Bonus

      This is simply not true. While I can't speak to why you were seeing delays, standard DNS has so many layers that cache requests for you to speed them up the next time you ask that there's zero chance doing it over HTTPS could be faster for the sole reason that you lose all those caches.
      Your own router maintains a DNS cache so most common requests you make never even have to go over the internet to get resolved.


      • Anonymous Coward, 27 Feb 2020 @ 9:26am

        Re: Re: Bonus

        "there's zero chance doing it over HTTPS could be faster"

        "Your own router maintains a DNS cache"

        That depends on the router and its configuration. In any case, the local cache only contains things that were looked up locally (and recently), while the DoH cache could contain things looked up by other users. If the DoH server connection is kept open, and has sufficiently low latency, there's a good chance that DoH will give a significant net improvement.

        The CDNs do try to put themselves close to people, and their DoH server may be closer than a national ISP's central DNS cluster. For sites run by the same CDN it won't even have to forward the requests. Don't say "zero chance" without measuring.


      • Federico (profile), 27 Feb 2020 @ 1:44pm

        Re: Re: Bonus

        Never underestimate how incompetently run a lot of ISPs' infrastructure is. DNS servers are no exception. DNS resolution can take hundreds of ms in the wild.


  • tz1 (profile), 27 Feb 2020 @ 7:59am

    NextDNS (.io) is also a provider, and if you get an account (free for beta and the first 300k queries) you can add custom block, white, and black lists. (Not to mention logs and analytics down to device if you add a few things, I found my webcams were hitting timeservers they shouldn't, so I enabled my own and pointed them at it; they were also pinging their p2p sites which I didn't want or need; when I find something chattering I can't block, I add it to my hosts file as a 0.0.0.0). That is what I'm using and I have several ad, tracking, and malware lists enabled. So "safety" is an excuse. I'm probably safer as I block more things. As to speed, I think some implementations of DoH use persistent connections, so the TCP and TLS overhead only happens once. Also it depends on which server is doing the caching - the "big iron" servers are likely to have most things already cached and a large enough capacity. One problem is bounce pages from wifi portals that want you to click "I agree" or provide a password. Generally using 1.1.1.1 as the site will bounce because IP addresses don't have https or certs.


    • Rekrul, 27 Feb 2020 @ 9:26am

      Re:

      "when I find something chattering I can't block, I add it to my hosts file as a 0.0.0.0). That is what I'm using and I have several ad, tracking, and malware lists enabled."

      Have you heard of the MVP Hosts file?

      http://winhelp2002.mvps.org/hosts.htm

      It's a big list of advertising and malware servers that's constantly being updated. Start with that and add your own sites to the bottom. :)


    • Anonymous Coward, 27 Feb 2020 @ 9:30am

      Re:

      "Generally using 1.1.1.1 as the site will bounce because IP addresses don't have https or certs."

      Go to https://1.1.1.1 and look at the certificate via your browser's interface. It does, in fact, have a valid HTTPS certificate with several IP addresses as alternate names.


  • em_te (profile), 27 Feb 2020 @ 8:12am

    The last mile network

    Telecoms don't want to give up control of DNS lookups to companies like CloudFlare because of the lucrative business of CDNs (Content Delivery Network).

    The DNS lookup determines which CDN the browser uses to download the file. This allows the DNS lookup to choose a CDN in a physical location that is closer to the user to improve speeds. CloudFlare is a CDN provider and many Telecoms are also CDN providers.

    While CDNs are free to the end user, they cost the telecom money when a user tries to load data found on an "out of network" CDN, because then the telecom will have to pay the network where the CDN is located for usage of their network. It is in the telecom's best interest to serve content from a CDN already on their network, and they can generate more money by getting other people to download from their CDN too.

    Large telecoms already have carrier exchange agreements in place because counting all the bytes that they each exchange would be too much work. But telecoms can strong-arm smaller companies like CloudFlare to pay more. If CloudFlare is able to control the DNS, they have leverage against the telecoms and can divert traffic to networks that offer lower rates and CloudFlare can pay less.


    • Anonymous Coward, 27 Feb 2020 @ 8:51am

      Re: The last mile network

      So Cloudflare can make money off of this while looking like good guys. Heh. So using DNS to "block, filter, and track" internet activity has come back to hit the profiteers in the revenue streams for a short while at least. Can anyone point to when this stuff will be available to other countries in the five eyes group(sic?)


      • Anonymous Coward, 27 Feb 2020 @ 9:03am

        Re: Re: The last mile network

        "Can anyone point to when this stuff will be available to other countries in the five eyes group(sic?)"

        If you mean DNS over HTTPS, now. Go to the FAQ page and follow the "disable DoH" steps; but when you get to the preference, enable it instead.


      • Anonymous Coward, 27 Feb 2020 @ 10:00am

        Re: Re: The last mile network

        You can enable it by going into preferences->general, and clicking network setting at the bottom of that page. Enable DNS over HTTPS is at the bottom of the page that that brings up.


  • Rekrul, 27 Feb 2020 @ 9:36am

    I'm confused about one point: supposedly this is to prevent ISP snooping, but probably 99% of average internet users' accounts will be set up to use the ISP's own DNS servers by default. How does it prevent ISP snooping if you encrypt the connection, then ask the ISP to look up a DNS address for you?

    And even if users change their DNS server to a third-party one, and the ISP can't snoop on the request, the browser is just going to turn around and ask the ISP to connect it to the address that was looked up anyway.

    Unless you're using a VPN (which most average users aren't), the ISP has to know what sites you want to connect to, to you know, connect you to them.


    • Anonymous Coward, 27 Feb 2020 @ 9:41am

      Re:

      When using the DNS-over-HTTPS feature you're no longer using your ISP's DNS servers. You're using DNS-over-HTTPS via mozilla.cloudflare. Your ISP no longer has any visibility into your DNS queries. It can, however, still see the IPs/hosts from which you're pulling traffic which is still pretty thorough tracking of sites visited. The only thing they can't see is failed DNS lookups.


      • Anonymous Coward, 27 Feb 2020 @ 9:42am

        Re: Re:

        I should also add that they can no longer serve up their own ads for sites that do not resolve via DNS. Super annoying and most ISPs do this. I thought it was ruled illegal over a decade ago...


        • Anonymous Coward, 27 Feb 2020 @ 10:32am

          Re: Re: Re:

          "I should also add that they can no longer serve up their own ads for sites that do not resolve via DNS. Super annoying and most ISPs do this. I thought it was ruled illegal over a decade ago..."

          Are you confusing it with Verisign's Site Finder? ICANN said it wasn't allowed by their domain registry agreement, plus a lot of people blocked it via technical means, and Verisign eventually disabled it. There were some legal proceedings but no court ever ruled on it.


      • Anonymous Coward, 27 Feb 2020 @ 10:08am

        Re: Re:

        It puts the public one step ahead in the arms race. DNS-based tracking is easy: a national ISP can have everyone use one server, and have it log everything. IP-based tracking will need a completely different setup: they'll need hooks to grab the metadata at every network interconnection, reduce it to a manageable amount of data, and forward it to headquarters. If they're not set up for it now, it could take a while.

        CDNs work against this technique, unless the ISPs also decode the HTTPS setup to grab the hostname. But Mozilla started encrypting this last year ("encrypted SNI"). They'll know someone's connecting to Cloudflare for DNS and/or other content, but it's much harder to tell what they're doing.


        • Sequentious (profile), 27 Feb 2020 @ 10:56am

          Re: Re: Re:

          At the moment, SNI is still largely unencrypted.

          Encrypted SNI is still just a draft, Firefox doesn't implement the current version draft, and it is not yet supported by Apache or nginx.

          At the moment, ESNI effectively only works between Firefox and Cloudflare. (I'm not sure about Chrome's status. I didn't look it up).

          ESNI will eventually arrive and fix this leakage as well.


          • Anonymous Coward, 27 Feb 2020 @ 11:07am

            Re: Re: Re: Re:

            "ESNI will eventually arrive and fix this leakage as well."

            If they can get that done before the ISPs can start sniffing these hostnames in response to DNS-over-HTTPS, it's still good. Then we'll need to do more about IP addresses.


  • Anonymous Coward, 27 Feb 2020 @ 5:32pm

    But the DNS itself can snoop. More security snake oil.


