Browser encryption of DNS

What are your thoughts on the browser handling DNS?
Mozilla using Cloudflare. Google with Chrome.
Now your ISP is sad.

Personally I don't think DNS should be a browser function but an operating system function.
Thoughts?
 
Personally I don't think DNS should be a browser function but an operating system function.
That was a nice theory when there was still something like an operating system, which ran a variety of programs (local ones, network clients, network servers), networks were small (hundreds or thousands of nodes that one computer may reach in the foreseeable future), and caching DNS made sense, because if an outside host is accessed by one program, it is likely that it will be accessed by another program soon.

But that's not the situation we're in today for desktop machines. On those, fundamentally the only program that is running is the web browser. Many people do their e-mail in the browser, they edit documents in the browser, and they do all the "browsery" things too. For many people it has reached the point that they use an "OS" that consists of nothing but the web browser: I know lots of people who use Chromebooks, and are super happy with them (and that's seasoned computer professionals). Once you have only the browser running, it makes sense to do DNS management and caching right in the browser. As a matter of fact, allowing anyone else to touch the DNS packets or the DNS cache just opens the doors to bugs or security problems. And since on many desktops today (even when people still have an OS that allows other apps), the browser does 99% of the work, this makes sense.

As an example, consider the thing on my lap. It is a high-end 15" MacBook Pro (paid for by my employer). I am running three applications right now: a browser (which does most of the work, including both home and work e-mail), an ssh client (which I use to log in to computers), and a VNC client (for working on a stationary Mac at home, which I use for scanning documents). So other than 3 or 4 fixed hosts, nearly all the network traffic goes to/from the browser.
 
This has been called DNS over HTTPS, i.e. DoH. This has been pushed through all the instances in no time by Mozilla and Google, and an RFC exists as well - RFC 8484. They say that this is for improving the privacy of the users. Actually, Google does this for circumventing DNS-based ad-blocking and Mozilla gets paid for it by Cloudflare. At least in Chrome, it can be disabled by one switch, while in Firefox the setting is deeply carved in. The obstacle starts with the fact that Mozilla also officially names this DoH, but the setting got the pseudo-technical nonsense abbreviation trr, and for completely disabling it, you need to set network.trr.mode = 5. Why the hell 5 and not 0? Because Mozilla doesn't want you to disable it.

In any case, besides disrupting any trr setting in Firefox, I added an ipfw rule to the FreeBSD gateway for blocking access to Google’s and Cloudflare’s DNS services:
Code:
...
# Block DNS bypassing via Cloudflare's 1... and Google's 8...
/sbin/ipfw -q add 96 deny ip from any to 1.0.0.0/24,1.1.1.0/24,8.0.0.0/9 53,443,853
...

I know this is not enough; in the future I will add known DoH services to my dns/void-zones-tools. Unfortunately, it is not a one-switch operation to stop this bullshit. The network gaming platform Roblox has been using this since the RFC came out at the end of 2018. Why? This is to defeat corporate DNS-based policies.
 
ralphbsz I have a different opinion.
Where we used to have network layer settings for DNS this DoH scheme makes it an application level DNS scheme.
So Mozilla and Chrome will now use two different DNS servers.
Too much control in companies I don't trust.
How about our very own pkg.
It uses DNS so we will have different DNS servers being queried for different applications.
I would call this fragmentation.
 
I've been using dns/unbound forwarding only to servers (list below) supporting DNS over TLS (aka DoT) for a while, and I have already disabled DoH on Firefox (network.trr.mode=5).

In regards to network.trr.mode

  • 0 - Off (default). use standard native resolving only (don't use TRR at all)
  • 1 - Reserved (used to be Race mode)
  • 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
  • 3 - Only. Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)
  • 4 - Reserved (used to be Shadow mode)
  • 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.

However, be aware: if you set it to 5 and then change it to ON using the "Preferences" dialog in Firefox, when you disable it again Firefox will set it to 0. Also, you can set up your own DoH proxy server, but I didn't bother with that.

Code:
forward-zone:
    name: .
    forward-tls-upstream: yes
    forward-addr: 193.17.47.1@853       # CZ.NIC
    forward-addr: 185.43.135.1@853      # CZ.NIC
    forward-addr: 37.252.185.232@853    # Foundation for Applied Privacy
    forward-addr: 146.185.167.43@853    # SecureDNS
    forward-addr: 91.239.100.100@853    # UncensoredDNS
    forward-addr: 89.233.43.71@853      # UncensoredDNS

Cheers!
 
"Google has maintained that its Chrome tweaks would give users control over who shares their info, and that it won't force people to switch to encrypted DNS".

Chrome tweaks? By the majority of dumb end users that have no clue what DNS is or how it works, just like the cookies and metadata collection trails that their web browsers leave when visiting web servers.

Google should offer encryption with their own freebie Gmail service before they start using and abusing DNS to their liking as they do with WWW.
 
From what I remember, the statements of Mozilla about trr.mode have a different notion. Mode 0 = OFF by default is misleading, since it should be read Mode 0 = default -- for the time being = OFF. And Mozilla announced one month ago that they're in the public rollout phase now, so they already switched Mode 0 = default to ON for an unknown number of clients in the U.S. So, to prevent Mozilla from making the choice for you, you need to set it to 5.
 
I think this is a bad idea. It is me who sets up DNS server configs depending on whom I trust.

And mozilla is on its way off my systems because of their actions.
 
What happens when you have both DoT and DoH on your system? Does it interfere with each other?

Then, they won't know where you're coming from and you won't know where you're going to, they won't know your name and how to get back to you :)

Unless you figure out how to eliminate the IP from TCP, encrypt the TCP and then get somewhere without the IP, there's nothing that you can do to change the level of security or privacy over TCP/IP :(
 
I do understand how DoT and DoH work but when both are on, is FF (with DoH) then circumventing DoT running on the system?
 
For DoH, FF would need the system's DNS, either normal or DoT, only for bootstrapping, namely for resolving the IP address of the DoH server it wants to use, in case it is not already known, like 1.1.1.1. After this FF would circumvent DoT.
  1. At this stage, we can stop DoH from happening only at the firewall, and only in case we know the DoH address.

  2. We could prevent DoH bootstrapping by imposing our DNS policies, either by letting DoH domains not resolve, forcing FF to fall back to the system's DNS, or by handing out the IP of our own DoH server. The latter might become tricky, when we would need to fake Google or Cloudflare certificates, because we would need to install our local CA root certificates on all the clients.

  3. We may of course trust Google and Mozilla, and others, to always provide a switch so users may easily and effectively disable DoH once and forever. Perhaps this is asking for too much, and therefore it is good to have measures (1.) and (2.) in place -- "Trust, but verify!"
 
Been involved in the Internet since the 90's and TBH I'm not the biggest fan. Seems like eventually every service will end up being tunnelled through HTTPS. We already have HTTP moving towards a binary protocol over UDP so you gain a few milliseconds of efficiency for some website to then go and load 400kb of javascript. (Maybe part of the end goal of Google developing HTTP3 is to make it more applicable as a transit protocol for other udp/binary services that would normally be far more efficient than HTTP...)

Not that I'm against improvements in privacy, but it's interesting that Google are involved when their entire business is based on tracking people. Of course, using the Chrome browser and their DoH servers is only going to improve their tracking abilities.

I'm sure a lot of thought and design has gone into it, but the sceptic in me can't help but think companies like Google have a specific interest in developing it the way it is. I would have much rather had it developed as a standard part of DNS, so any DNS server you've configured your OS to use could use TLS over standard DNS ports (assuming the server supported it).
 
There are checks built in to Firefox that you can take advantage of to force it to be disabled. If any enterprise policy is configured or if security.enterprise_roots.enabled is set to true then it will be disabled. Also if the canary domain "use-application-dns.net" returns NXDOMAIN or SERVFAIL from DNS then it will also be disabled.

This is a temporary measure by Mozilla until such mechanisms are standardised. It remains to be seen if Google build the same into Chrome.
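The unbound DoT forwarding posted earlier and the use-application-dns.net canary described above are both just ordinary DNS messages on a different transport, so here is an added example (my own code, not from any poster in this thread and not unbound's or Firefox's code) that builds a DNS query, frames it for DNS over TLS as RFC 7858 specifies (TLS to port 853, each message prefixed by a two-byte length), parses the reply including name-compression pointers, and applies the canary rule to the reply's RCODE. The transaction id 0x1234 and the 192.0.2.1/example.com test vectors are constructed for illustration; the hostname you pass to dot_query must be the name in the forwarder's certificate (for the CZ.NIC address in the posted config I assume odvr.nic.cz, which is not stated on this page).

```python
import socket
import ssl
import struct

QTYPE_A = 1
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3
QUERY_ID = 0x1234  # assumed fixed transaction id for the example; use random ids in real clients


def encode_name(name):
    """Encode a dotted hostname into DNS label wire format (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=QUERY_ID):
    """12-byte header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(data, off, max_jumps=16):
    """Decode a possibly compressed name at off; return (name, next_off).
    A 0xC0xx pointer may point anywhere, so a hostile reply can loop;
    max_jumps bounds the walk instead of hanging the client."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            if jumps >= max_jumps:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2          # the pointer ends the name in the stream
            off = struct.unpack_from("!H", data, off)[0] & 0x3FFF
            jumps += 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off if end is None else end


def parse_response(data):
    """Return id, RCODE and the answer RRs of a DNS reply (A rdata as text)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        _name, off = _read_name(data, off)
        off += 4                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection")
        buf += chunk
    return buf


def dot_query(server_ip, name, server_hostname, port=853, timeout=5.0):
    """One DoT exchange (RFC 7858): TLS to port 853, every DNS message
    prefixed by a 2-byte big-endian length. create_default_context()
    verifies the chain against the system CA store and checks
    server_hostname, which is what makes this authenticated rather than
    merely encrypted DoT."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = parse_response(_recv_exact(tls, length))
            if reply["id"] != QUERY_ID:
                raise ValueError("transaction id mismatch")
            return reply


def canary_disables_doh(rcode):
    """Firefox's canary rule from the post: NXDOMAIN or SERVFAIL for
    use-application-dns.net keeps DoH off."""
    return rcode in (RCODE_NXDOMAIN, RCODE_SERVFAIL)
```

Two practical notes. First, the posted unbound forward-zone encrypts the hop to the forwarders but, as written, does not authenticate them: unbound only checks the forwarder's certificate when a CA bundle is configured (tls-cert-bundle) and the forward-addr carries the expected name after a '#', for example 193.17.47.1@853#odvr.nic.cz (hostname assumed, see above); without that, an on-path attacker with any certificate can terminate the TLS session. Second, the canary is easy to serve from the same unbound instance with a local-zone entry of type always_nxdomain for "use-application-dns.net.", which makes canary_disables_doh() true for every client on the network rather than relying on per-browser prefs.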
 
I do understand how DoT and DoH work but when both are on, is FF (with DoH) then circumventing DoT running on the system?

DoH is nothing but a web proxy running some small code to hook on to some regular[1] DNS server. So, FF is not circumventing anything but just ignoring it.

[1] which can be a DoT DNS server.
 
I know lots of people who use Chromebooks, and are super happy with them (and that's seasoned computer professionals).

I have always been interested in how seasoned computer professionals are able to do anything using nothing but consumer websites. For example, there are no decent UML, database, network diagram tools. No serial port access; no disk label utils, etc. There is also barely a terminal emulator or grep tool. How do they even find documents?

Most companies use a Microsoft samba share to store internal shared documents; how are web browser thin clients able to get the data stored there, uploaded to a web server and then viewed using the web service's viewer? That must be so many steps just to view a document! Surely this employee would have to basically be spoonfed documents via email or other medium. I would absolutely hate to work with a "special" guy like that in my department XD

Perhaps I just don't quite understand what a computer professional is these days.
 
Perhaps I just don't quite understand what a computer professional is these days.
Who is and who calls himself one are two things. A friend tries to get me into docker and stateless services. Not my cup of tea but...
 
I personally use (and prefer) unbound as it provides DoT pretty much across the board, instead of just browser sessions. This, combined with the ability to use multiple DNS providers with round robin selection and configurable caching TTLs, has the benefit of increased privacy over browser defaults.

Perhaps I just don't quite understand what a computer professional is these days.
As a term it has become tarnished since people misuse it to defend a particular point of view. If professionals use xyz, then xyz is fine for most people. However, this only tells half the story because, in this context, there is no evidence to support the argument that professionals are privacy minded individuals, or at least, more than average users.
 
Most companies use a Microsoft samba share to store internal shared documents

Do they? That seems like a mess to be honest.

That must be so many steps just to view a document!

We can easily reverse that argument by comparing, say, Google Docs collaborative editing features with SMB/NFS collaborative editing features (if you even consider unreliable file locking a feature, else there is nothing to compare). Not to mention that everyone and their dog nowadays has a file sync app.
 
Do they? That seems like a mess to be honest.

Yes, it is always a mess. I will not defend it ;)

We can easily reverse that argument by comparing, say, Google Docs collaborative editing features with SMB/NFS collaborative editing features (if you even consider unreliable file locking a feature, else there is nothing to compare). Not to mention that everyone and their dog nowadays has a file sync app.

A file sync app is not really the same as web browser only solution (like a chromebook or what marketing refers to as "the cloud"). A sync app is basically an even weaker alternative to an smb/nfs approach and nothing more.

Some workflows of how I imagine the "special" cloud user to compare for image editing:

The typical desktop user

1) Copy from NFS/SMB in file explorer to desktop
2) Double click file to open in (i.e photoshop), edit and save
3) Copy file back

The typical developer

1) svn update
2) Open file in photoshop, edit and save
3) svn commit

The webbrowser muppet

1) Copy from NFS/SMB... [Fail, a web browser cannot do this]
2) Pretend the file is already in dropbox
3) Open in photoshop [Fail, photoshop "Cloud" doesn't actually run in a browser]
4) Pretend there is a web photoshop equivalent
5) Open file in web based image editor [Fail, no way to obtain file from dropbox]
6) Copy file from dropbox onto local machine and then upload back to the specific web service (~15 clicks).
7) Edit file and save. [Fail, the web service only saves to its own database, not dropbox]
8) Manually transfer from web service to your drop box (~15 mouse clicks)
9) Copy file back to NFS/SMB [Fail, again no functionality in web browser]

Not a single step here can actually work. Yes, if you stick to entirely google docs, perhaps but then you can forget about using actual tools. It is an absolute joke to try to depend entirely on ratty websites for any kind of workflow. Not even for tweaking holiday photos XD.
 
A file sync app is not really the same as web browser only solution (like a chromebook or what marketing refers to as "the cloud").

I don't think anyone can do any work, other than maybe creative writing, with chromebook as their only computer. As secondary machines they are very compelling as long as you don't mind Google spying on you. Computer enthusiasts are precisely the type of people I would expect to buy such a device for the sheer novelty factor, if nothing else.
 
I have always been interested by how seasoned computer professionals are able to do anything using nothing but consumer websites. For example, there are no decent UML, database, network diagram tools.
There is a version of ssh that runs in browsers. Works perfectly well, even with multiple monitors and many ssh windows.
Diagramming tools are all over. For example, I have been using Microsoft Visio (for the last 15 or 20 years), and recently switched to running Visio on the web, instead of installing a copy on Windows. It saves me having to install a Windows "machine" just for running Visio.

No serial port access; no disk label utils, etc.
Serial ports are de-facto obsolete. You need them for embedded development, nothing else.
Disk label? As I said above, people today use a desktop machine that has no OS (for example a Chromebook or iOS/Android tablet). There are no disk labels, there are no user-visible disks, there are no utilities. You open a browser or installed canned apps, nothing else.

There is also barely a terminal emulator or grep tool.
Terminal emulator: See above, web-based ssh exists. Grep: That is built into your work flow tools.

How do they even find documents?

Most companies use a Microsoft samba share to store internal shared documents; how are web browser thin clients able to get the data stored there, uploaded to a web server and then viewed using the web services viewer.
You run what amounts to a search engine. You can run it on a server. For example, at home I have a large ZFS-based file system, on a FreeBSD machine, where I store scanned documents (there are tens of thousands of those; I have a paperless archiving system at home). On that server there is a simple CGI page that allows me to search for files by string in file names (20 lines of Python); that already allows me to find files by file name. To find files by a string in them, I have run glimpse a.k.a. agrep before, and made it accessible via another simple CGI script. Alas, that didn't work well: my paper scanning software has really bad OCR built in, so the PDF files it creates have very little searchable content. I need to take all my documents and re-run the OCR on them (and add the text output to the PDF files as another layer or comments). While I know how to do it, it is quite time-consuming, and I haven't gotten around to it.

Have you tried using Cloud accounts like Azure or Google? All your documents are online (and when I say "documents", I don't mean just word files, but databases, programs, queries, make file, spreadsheets, e-mails), and are all searchable.

Perhaps I just don't quite understand what a computer professional is these days.
In my example, typically someone with a PhD (or at least MS) in Computer Science, who works as a software engineer or project manager at a computer company? And doesn't have a "computer" (in the sense of a device with an OS), but uses a lightweight stateless desktop or client (like a Chromebook or tablet) for all their work? This example is quite common today.
 