undefined | Better HN

0 pointsjohnklos2y ago0 comments

That's an incorrect oversimplification.

It takes control away from the owner of networks, even when we're the owner of those networks. Should DoH start to become more common, blocking it will become a Sisyphean task.

It takes control away from the owner of endpoints. Sure, you can go and change the settings in Firefox to turn off DoH after they've turned it on without asking and without telling us, but what happens when applications and Trojans start doing DoH lookups, skipping our system's configured DNS? So yes, your statement about control residing with the endpoints is correct, but DoH removes control, doesn't add it.

For the case of "can't, because even if you change the setting, $evil_isp will hijack the queries anyway", that's FUD. There are many, many better ways to deal with evil ISPs.

Encouraging the world to send all of their DNS lookups to a centralized entity like Cloudflare (who, by every right, are precisely in a position to be an evil ISP) is such an incredibly shortsighted idea that I have to think that you haven't thought out the implications of a world where DoH is dominant.

If you care to learn, consider things without DoH: you can edit your hosts file. You can choose your DNS servers. You can run a local recursive resolving DNS server. You can block ads and advertisingware using your DNS server and/or something like Pihole. You can block all DNS queries to the outside world on your network so that they all go through your own resolvers.

Next, consider a world where DoH is commonplace: you have no control over DNS lookups on your own system. Your only choice is to not run binaries that might do things you don't like. Want to block ads or adware, or adult sites, or conspiracy sites, or any of a number of other things on the Windows system that your child uses? Now Edge doesn't let you. Want to block the Trojans and phishing sites that Google serves through their ad network? Chrome doesn't let you. "Just don't run binaries that do that" is one heck of an ask for people who don't know how to set their own DNS or who have an evil ISP.

You can block common DoH servers, until Cloudflare puts them on the same address as the endpoints for their millions of hosting customers. But what happens when apps do DoH lookups using random Amazon AWS or Google Cloud servers? How do you block them? Do you block ALL https?

You see, you'd give up freedom, and have everyone else give up their freedom, for some abstract "safety" from ISPs that use your DNS data. You'd apply a shitty fix for 1% of the people to 100% of the people, rather than create tools for the 1% to circumvent their evil ISPs.

The fact that you'd choose this makes me think that either you want big, evil companies like Cloudflare to win, or you really don't understand the issues.

Just like this article above does a good job explaining the lack of security in the cloud, we really could use a good article explaining how completely inane the idea of DoH is.

0 comments

10 comments · 3 top-level

Avamander2y ago· 3 in thread

> but what happens when applications and Trojans start doing DoH lookups, skipping our system's configured DNS?

Exfiltration has always been a problem. But it's not a good reason to make MITM possible.

Network control should not give control over endpoints any degree more than is necessary to deliver packets from point A to B. We can't trust them with more.

> [...] Now Edge doesn't let you.

That's blatantly false for normal endpoints though. Be it an AV or parental controls, an endpoint administration will have that ability to intercept.

If an endpoint doesn't let you do thay then to be honest, you've already lost the battle. Even simple HTTPS is not really filterable.

> Just like this article above does a good job explaining the lack of security in the cloud, we really could use a good article explaining how completely inane the idea of DoH is.

What is actually inane is the amount of implicit trust and control given to networks right now. Your network might be a nice wonderland, but many aren't.

johnklosOP2y ago

People own their networks when they're not out in public. Again, solving for a problem with public networks by forcing shortcomings on to all networks is shortsighted and ill conceived.

"But it's not a good reason to make MITM possible" is disingenuous. Avoiding DoH doesn't make MITM possible, just as adding DoH doesn't save us from MITM. It does, though, save apps / Trojans from MITM, particularly when we're the ones who want to be in the middle :P

"That's blatantly false for normal endpoints though. Be it an AV or parental controls, an endpoint administration will have that ability to intercept."

Go ahead and tell me how to remove Edge, or how to have Windows open links in other browsers, without involving third party software that forces this, then tell me how "endpoint administration" is something we can expect of people who can't set their own DNS (or who have evil ISPs and can't set up any of a number of other ways to circumvent said evil ISPs).

You didn't address the real meat of the issue: Why is avoiding one issue - ISPs tracking DNS - worth all the bad things that come with it? The only explanation that makes sense to me is that it's worth it to companies that want to control as much as they can, like Cloudflare.

"What is actually inane is the amount of implicit trust and control given to networks right now." So instead of teaching people how and encouraging them to make their networks better, you'd rather divest some of that trust to companies like Cloudflare, and to every application / Trojan writer? Right - because the amount of data collection in software isn't a problem at all. We just need to trust them, and they'll do right by us.

You've made my point for me that you, and other apologists for DoH, haven't really thought things through, have you?

josephcsible2y ago

> People own their networks when they're not out in public. Again, solving for a problem with public networks by forcing shortcomings on to all networks is shortsighted and ill conceived.

It's not just being out in public. Even when you're home, you're still at the mercy of your ISP.

> Go ahead and tell me how to remove Edge, or how to have Windows open links in other browsers

What does preventing use of Edge have to do with DoH?

> You didn't address the real meat of the issue: Why is avoiding one issue - ISPs tracking DNS - worth all the bad things that come with it?

You've yet to convincingly point out a single bad thing that actually comes from DoH.

> So instead of teaching people how and encouraging them to make their networks better, you'd rather divest some of that trust to companies like Cloudflare, and to every application / Trojan writer?

You can't make public Wi-Fi or your ISP's network better no matter how knowledgeable you are.

1 more reply

WorldMaker2y ago

> People own their networks when they're not out in public.

People rent their networks from one, maybe two area options. The consumer networks want to completely control router hardware these days and these days charge extra rental fees for owned hardware instead of rented hardware. (It's fascinating that they can legally get away with that.) Some of the biggest consumer networks have already proven they are happy to use this hardware control to inject additional ads into customers' networks for a paltry amount of additional revenue.

You are correct that people should have networks that they own and trust at home. You may have missed that they don't and consumers have lost that battle. (You may also be underestimating just how much time people spend on devices "out in public". The mobile device has become the most common device for a lot of users. For some users the only device.)

> every application / Trojan writer

They've always had that power.

Applications have never been forced to use OS/network-configured DNS. DNS is an absurdly simple protocol that doesn't even have encryption by default. OS firewalls might block sockets to DNS ports by default, but there are ways to tunnel over other ports plus tools like UPnP given enough user trust.

DoH is a standardized port tunnel but that doesn't mean that unstandardized ones never existed before. Trojans/viruses have been doing weird things to avoid DNS for decades. DoH doesn't make them that much easier.

DoH isn't great and it is a shame that for privacy and control it's a big ugly trade-off/compromise from ideals. It's useful for some people. There are definitely unanswered questions in terms of which big corporation truly cares about privacy. I've seen my monopolist consumer ISP inject ads against my wishes and do change the DNS on my home (owned) routers (that I pay extra for each month despite owning my own hardware because of owning my own hardware). I don't always know what to think about Cloudflare's massive PR engine of how much they claim to value privacy, but so far I've never seen them inject an ad where one doesn't belong nor have I seen ad revenue make a splash in their quarterly reports. They don't seem to be an ad company. (Yet?)

Trust is hard and we all have different threat models. I don't blame you for distrusting Cloudflare. I have direct evidence for distrusting my current ISP and indirect evidence for distrusting most consumer ISPs I've encountered, despite being paying customers. There's no free lunch and there's no right answer, just a lot of "least wrong" answers. DoH isn't the right answer objectively. But DoH can be a "least wrong" for some users. Just as trying to be the MITM in networks you own is quite wrong from a security standpoint (once you've got one MITM it becomes harder to trust that there isn't a second one) but may be the "least wrong" answer for some users including maybe you.

2 more replies

hkt2y ago· 2 in thread

As jeremiads go, this is golden. I for one and persuaded and am grateful you wrote it.

I hadn't considered before that DoH effectively takes an avenue away from people who want to block advertising and trackers. This makes it a fiercely unpleasant thing working against users.

Personally, I'm switching to DNS over TLS instead.

josephcsible2y ago

There are ad-blocking DoH servers available. How is DoT any better than DoH in that respect?

briHass2y ago

Because, at least with plain ol UDP DNS, I can masquerade my adblocking DNS server to any IoT junk that ignores my DHCP provided DNS servers and uses its own hardcoded one.

DoT is obviously immune to that, as is DoH, but at least for DoT, that seemes to never have become popular, likely due to the fear of aggressive firewalls not allowing that port.

1 more reply

josephcsible2y ago· 2 in thread

> It takes control away from the owner of networks, even when we're the owner of those networks.

My point is that even when you are the owner of a network, you shouldn't have control of traffic on it between endpoints that you don't own either of.

> what happens when applications and Trojans start doing DoH lookups, skipping our system's configured DNS?

The Trojans could just hardcode the IP instead, so blocking DoH wouldn't magically guarantee you could catch them with DNS.

> So yes, your statement about control residing with the endpoints is correct, but DoH removes control, doesn't add it.

Which programs specifically don't let the user disable DoH? If none, then how does its presence remove control?

> For the case of "can't, because even if you change the setting, $evil_isp will hijack the queries anyway", that's FUD. There are many, many better ways to deal with evil ISPs.

Such as? How would you solve the specific problem of an evil ISP hijacking DNS?

> centralized entity like Cloudflare (who, by every right, are precisely in a position to be an evil ISP)

ISPs tend to have regional monopolies, but DoH servers don't. If Cloudflare becomes evil, you can just switch to some other DoH server.

> If you care to learn, consider things without DoH: you can edit your hosts file. You can choose your DNS servers. You can run a local recursive resolving DNS server. You can block ads and advertisingware using your DNS server and/or something like Pihole. You can block all DNS queries to the outside world on your network so that they all go through your own resolvers.

All but the last thing is still possible with DoH, and it's a good thing that it breaks the last thing, since doing that would affect other people's endpoints too.

> Next, consider a world where DoH is commonplace: you have no control over DNS lookups on your own system.

How do you figure? DoH is still configurable.

> Your only choice is to not run binaries that might do things you don't like.

I already don't.

> Want to block ads or adware, or adult sites, or conspiracy sites, or any of a number of other things on the Windows system that your child uses? Now Edge doesn't let you. Want to block the Trojans and phishing sites that Google serves through their ad network? Chrome doesn't let you.

Those are still easy: just point at a DoH server that does those blocks, the same way you'd point at an insecure DNS server that does them today.

> You can block common DoH servers, until Cloudflare puts them on the same address as the endpoints for their millions of hosting customers. But what happens when apps do DoH lookups using random Amazon AWS or Google Cloud servers? How do you block them? Do you block ALL https?

It's a good thing that network-level blocking of DoH is hard.

> You see, you'd give up freedom, and have everyone else give up their freedom, for some abstract "safety" from ISPs that use your DNS data. You'd apply a shitty fix for 1% of the people to 100% of the people, rather than create tools for the 1% to circumvent their evil ISPs.

What freedom am I giving up? What harm does DoH do to regular people?

johnklosOP2y ago

You're not arguing in good faith. You're suggesting that me controlling my own network, and people controlling their own networks, is bad ("even when you are the owner of a network, you shouldn't have control of traffic on it between endpoints that you don't own either of").

You're suggesting that applications and Trojans have the "right" to be free from my control, on my network, on my machines. Wow. What a take!

You're saying that all programs, Trojans included, will allow us to configure DoH. Again, a pretty crazy take, and completely, unambiguously wrong.

"What freedom am I giving up? What harm does DoH do to regular people?"

You clearly don't care about freedom, since you actively want to send your DNS to some third party. But you'd have me give up my freedom to control what goes on on my network because some ISPs track DNS, and instead of addressing that, you're for the idea of normalizing a protocol that removes my freedom and puts it in the hands of application / Trojan makers.

It harms regular people because it exfiltrates private information that they don't know about. Someone installs Firefox (very common) and doesn't know about DoH (also very common). Now their DNS lookups are all going to Cloudflare. We have no reason to trust Cloudflare (we do have plenty of reasons to not trust them, though).

But the point is that these regular people DON'T KNOW and haven't agreed to have their DNS data shared with Cloudflare. This has all sorts of negative implications that I'm sure you can't see.

josephcsible2y ago

> You're suggesting that me controlling my own network, and people controlling their own networks, is bad ("even when you are the owner of a network, you shouldn't have control of traffic on it between endpoints that you don't own either of").

Should your ISP be allowed to censor what you can see on the Internet? Remember they own the network that all of your traffic flows through.

> You're suggesting that applications and Trojans have the "right" to be free from my control, on my network, on my machines. Wow. What a take!

I'm not arguing that anything on your machines should be free from your control. I'm specifically saying that traffic passing through your network but not from or to one of your machines should be free from your control.

> You're saying that all programs, Trojans included, will allow us to configure DoH. Again, a pretty crazy take, and completely, unambiguously wrong.

I meant all legitimate programs do. Trojans obviously do whatever they want, and that was the case even before DoH existed.

> You clearly don't care about freedom, since you actively want to send your DNS to some third party.

You're always sending your DNS requests to some third parties. The only question is which.

> But you'd have me give up my freedom to control what goes on on my network because some ISPs track DNS, and instead of addressing that, you're for the idea of normalizing a protocol that removes my freedom and puts it in the hands of application / Trojan makers.

I disagree that "my freedom to control what goes on on my network" is a freedom that should be protected. For an extreme example, consider that someone complaining "they took away my freedom to own slaves" is obviously in the wrong. As I've said before, you should only have any control of traffic for which one of the endpoints is yours.

> It harms regular people because it exfiltrates private information that they don't know about. Someone installs Firefox (very common) and doesn't know about DoH (also very common). Now their DNS lookups are all going to Cloudflare. We have no reason to trust Cloudflare (we do have plenty of reasons to not trust them, though).

Most American ISPs are way less trustworthy than Cloudflare, and that's where almost everyone's DNS would be going otherwise.

> But the point is that these regular people DON'T KNOW and haven't agreed to have their DNS data shared with Cloudflare. This has all sorts of negative implications that I'm sure you can't see.

Do regular people even know what DNS is? Did they agree that their ISP could see their insecure DNS?

1 more reply

j / k navigate · click thread line to collapse