Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS

from the encrypt-ALL-the-things! dept

Historically, like much of the internet, DNS hasn’t been all that secure. That’s why Mozilla last year announced it would begin testing something called “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in government, telecom, or other organizational efforts to use DNS records to block and filter content, or track and sell user activity.

As a result, a lot of these folks have been throwing temper tantrums in recent weeks.

The telecom sector, which makes plenty of cash selling your daily browsing habits, has spent much of the last year trying to demonize the Google and Mozilla efforts any way it can, from insisting the move constitutes an antitrust violation on Google’s part (it doesn’t), to saying it’s a threat to national security (it’s not), to suggesting it even poses a risk to 5G deployments (nah, that’s an entirely different mess). Mozilla’s response to telecoms’ face fanning? To first urge Congress to investigate telecom’s long history of privacy abuses, then to proceed this week to enable the feature by default in Firefox.

In a blog post, Mozilla explains its thinking as such:

“At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”

While there’s a lot of overheated rhetoric about the risk of DNS over HTTPS from the likes of big telecom and government surveillance aficionados, there are some legitimate concerns about the standard from more above-board cybersecurity professionals. They’ll be quick to note there’s several other points at which ISPs can still engage in data surveillance and sales. They’ll also argue that DNS over HTTPS really complicates life for enterprise IT managers, and in some instances encrypted DNS could derail existing cybersecurity solutions or parental control solutions.

Mozilla says it’s listening to these complaints, so it’s starting slowly with a gradual rollout across the US only. The organization says Firefox will disable encrypted DNS if it conflicts with parental controls. The feature will also be disabled by default in enterprise configurations. Firefox’s encrypted DNS will use Cloudflare by default, though users can switch to other encrypted DNS providers manually in their browser settings. Those curious about the particulars can dig through Mozilla’s FAQ here.
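The “DNS lookups in an encrypted HTTPS connection” the article describes are, on the wire, ordinary DNS messages wrapped in HTTPS (RFC 8484). The following added example, not code from Mozilla or Cloudflare, builds such a query, shows how it is carried in the GET form of a DoH request, and parses a constructed reply body; the resolver URL is an assumed placeholder and no network connection is made.

```python
import base64
import struct

def build_query(name, qtype=1):
    """Wire-format DNS query: ID 0 (RFC 8484 suggests it for cacheability), RD, one IN question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(msg, url="https://doh.example/dns-query"):  # assumed resolver URL
    # GET form: message in ?dns= as unpadded base64url; the POST form sends the
    # same bytes as the request body with Content-Type: application/dns-message.
    return url + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_answers(msg):
    """[(name, type, ttl, rdata)] from a wire-format DNS response, i.e. a DoH reply body."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if rtype == 1 and rdlen == 4:    # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
        off += 10 + rdlen
    return answers

# Constructed DoH reply body: echoed question plus one A record with a 300 s TTL.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

The TTL returned with each record is what decides how long a local or resolver-side cache may serve the answer, which is the crux of the speed debate in the comments below.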

Comments on “Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS”

24 Comments
MathFox says:

Re: Bonus

I expect that’s because of the caching at Cloudflare. A DNS request/reply requires only two UDP packets; setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower.
If the DNS server you use has the answer cached it can directly reply. However, if the answer is not cached it can take several inquiries for the DNS server to obtain the answer in a recursive lookup.

Scary Devil Monastery (profile) says:

Re: Re: Bonus

"A DNS request/reply requires only two UDP packets, setting up a TLS connection requires several roundtrips to the server and should (in theory) be slower."

That’s true…and yet I’ve had the same experience as JoeCool. Once I’m on my VPN, ping latency and jitter both drop noticeably as compared to when I’m online outside of the tunnel.

Something is making an encrypted connection a lot faster despite going through more loops and through more servers.

Cdaragorn (profile) says:

Re: Bonus

This is simply not true. While I can’t speak to why you were seeing delays, standard DNS has so many layers that cache requests for you to speed them up the next time you ask that there’s zero chance doing it over HTTPS could be faster for the sole reason that you lose all those caches.
Your own router maintains a DNS cache so most common requests you make never even have to go over the internet to get resolved.

Anonymous Coward says:

Re: Re: Bonus

there’s zero chance doing it over HTTPS could be faster

Your own router maintains a DNS cache

That depends on the router and its configuration. In any case, the local cache only contains things that were looked up locally (and recently), while the DoH cache could contain things looked up by other users. If the DoH server connection is kept open, and has sufficiently low latency, there’s a good chance that DoH will give a significant net improvement.

The CDNs do try to put themselves close to people, and their DoH server may be closer than a national ISP’s central DNS cluster. For sites run by the same CDN it won’t even have to forward the requests. Don’t say "zero chance" without measuring.

tz1 (profile) says:

NextDNS (.io) is also a provider, and if you get an account (free for beta and the first 300k queries) you can add custom block, white, and black lists.

(Not to mention logs and analytics down to device if you add a few things, I found my webcams were hitting timeservers they shouldn’t, so I enabled my own and pointed them at it; they were also pinging their p2p sites which I didn’t want or need; when I find something chattering I can’t block, I add it to my hosts file as a 0.0.0.0).

That is what I’m using and I have several ad, tracking, and malware lists enabled.

So “safety” is an excuse. I’m probably safer as I block more things.

As to speed, I think some implementations of DoH use persistent connections, so the TCP and TLS overhead only happens once. Also it depends on which server is doing the caching – the “big iron” servers are likely to have most things already cached and a large enough capacity.

One problem is bounce pages from wifi portals that want you to click “I agree” or provide a password. Generally using 1.1.1.1 as the site will bounce because IP addresses don’t have https or certs.

Rekrul says:

Re: Re:

when I find something chattering I can’t block, I add it to my hosts file as a 0.0.0.0). That is what I’m using and I have several ad, tracking, and malware lists enabled.

Have you heard of the MVP Hosts file?

http://winhelp2002.mvps.org/hosts.htm

It’s a big list of advertising and malware servers that’s constantly being updated. Start with that and add your own sites to the bottom. 🙂

em_te (profile) says:

The last mile network

Telecoms don’t want to give up control of DNS lookups to companies like CloudFlare because of the lucrative business of CDNs (Content Delivery Network).

The DNS lookup determines which CDN the browser uses to download the file. This allows the DNS lookup to choose a CDN in a physical location that is closer to the user to improve speeds. CloudFlare is a CDN provider and many Telecoms are also CDN providers.

While CDNs are free to the end user, they cost the telecom money when a user tries to load data found on an "out of network" CDN because then the telecom will have to pay the network where the CDN is located for usage of their network. It is in the telecom’s best interest to serve content from a CDN already on their network and they can generate more money by getting other people to download from their CDN too.

Large telecoms already have carrier exchange agreements in place because counting all the bytes that they each exchange would be too much work. But telecoms can strong-arm smaller companies like CloudFlare to pay more. If CloudFlare is able to control the DNS, they have leverage against the telecoms and can divert traffic to networks that offer lower rates and CloudFlare can pay less.

Anonymous Coward says:

Re: The last mile network

So Cloudflare can make money off of this while looking like good guys. Heh.

So using DNS to “block, filter, and track” internet activity has come back to hit the profiteers in the revenue streams for a short while at least.

Can anyone point to when this stuff will be available to other countries in the five eyes group(sic?)

Rekrul says:

I’m confused about one point; supposedly this is to prevent ISP snooping, but probably 99% of average internet users’ accounts will be set up to use the ISP’s own DNS servers by default. How does it prevent ISP snooping if you encrypt the connection, then ask the ISP to look up a DNS address for you?

And even if users change their DNS server to a third-party one, and the ISP can’t snoop on the request, the browser is just going to turn around and ask the ISP to connect it to the address that was looked up anyway.

Unless you’re using a VPN (which most average users aren’t), the ISP has to know what sites you want to connect to, to you know, connect you to them.

Anonymous Coward says:

Re: Re:

When using the DNS-over-HTTPS feature you’re no longer using your ISP’s DNS servers. You’re using DNS-over-HTTPS via mozilla.cloudflare. Your ISP no longer has any visibility into your DNS queries. It can, however, still see the IPs/hosts from which you’re pulling traffic which is still pretty thorough tracking of sites visited. The only thing they can’t see is failed DNS lookups.

Anonymous Coward says:

Re: Re: Re: Re:

I should also add that they can no longer serve up their own ads for sites that do not resolve via DNS. Super annoying and most ISPs do this. I thought it was ruled illegal over a decade ago…

Are you confusing it with Verisign’s Site Finder? ICANN said it wasn’t allowed by their domain registry agreement, plus a lot of people blocked it via technical means, and Verisign eventually disabled it. There were some legal proceedings but no court ever ruled on it.

Anonymous Coward says:

Re: Re: Re:

It puts the public one step ahead in the arms race. DNS-based tracking is easy: a national ISP can have everyone use one server, and have it log everything. IP-based tracking will need a completely different setup: they’ll need hooks to grab the metadata at every network interconnection, reduce it to a manageable amount of data, and forward it to headquarters. If they’re not set up for it now, it could take a while.

CDNs work against this technique, unless the ISPs also decode the HTTPS setup to grab the hostname. But Mozilla started encrypting this last year ("encrypted SNI"). They’ll know someone’s connecting to Cloudflare for DNS and/or other content, but it’s much harder to tell what they’re doing.

Sequentious (profile) says:

Re: Re: Re: Re:

At the moment, SNI is still largely unencrypted.

Encrypted SNI is still just a draft, Firefox doesn’t implement the current version draft, and it is not yet supported by Apache or nginx.

At the moment, ESNI effectively only works between Firefox and Cloudflare. (I’m not sure about Chrome’s status. I didn’t look it up).

ESNI will eventually arrive and fix this leakage as well.
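The two comments above turn on the fact that, even with DoH hiding the lookup, the TLS ClientHello still carries the hostname in cleartext unless ESNI is in use. The added example below, not code from the page or any project it names, constructs a minimal TLS 1.2 ClientHello with a server_name extension (RFC 6066) and parses the hostname back out, which shows what a passive observer on the path still learns and is also a handy check when auditing what one's own devices connect to; the cipher suites and zeroed random are assumed, illustrative values.

```python
import struct

def _vec(data, nbytes):
    """Length-prefixed vector as used throughout TLS records."""
    return len(data).to_bytes(nbytes, "big") + data

def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello with a server_name extension (constructed, not captured)."""
    sni_entry = b"\x00" + _vec(server_name.encode("ascii"), 2)    # name_type 0 = host_name
    sni_ext = struct.pack("!H", 0) + _vec(_vec(sni_entry, 2), 2)   # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + _vec(b"", 1)                 # version, random, session_id
            + _vec(b"\x13\x01\xc0\x2f", 2)                         # cipher suites (illustrative)
            + _vec(b"\x00", 1)                                     # compression: null only
            + _vec(sni_ext, 2))                                    # extensions
    handshake = b"\x01" + _vec(body, 3)                            # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)                    # record: handshake, legacy version

def extract_sni(record):
    """Return the cleartext host_name from a ClientHello record, or None if not present."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake record / not a ClientHello
    off = 9 + 2 + 32                                 # record hdr, handshake hdr, version, random
    off += 1 + record[off]                           # session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]   # cipher suites
    off += 1 + record[off]                           # compression methods
    if off >= len(record):
        return None                                  # ClientHello without extensions
    ext_end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if ext_type == 0:
            # ServerNameList: 2-byte list length, then entries of type(1) + len(2) + name
            p = off + 2
            while p + 3 <= off + ext_len:
                name_type, name_len = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        off += ext_len
    return None
```

With ESNI (or its successor, encrypted ClientHello) the server_name extension is replaced by an encrypted one, so the same parser would return None for such a handshake.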
