undefined | Better HN

0 pointsWorldMaker2y ago0 comments

> People own their networks when they're not out in public.

People rent their networks from one, maybe two area options. The consumer networks want to completely control router hardware these days and these days charge extra rental fees for owned hardware instead of rented hardware. (It's fascinating that they can legally get away with that.) Some of the biggest consumer networks have already proven they are happy to use this hardware control to inject additional ads into customers' networks for a paltry amount of additional revenue.

You are correct that people should have networks that they own and trust at home. You may have missed that they don't and consumers have lost that battle. (You may also be underestimating just how much time people spend on devices "out in public". The mobile device has become the most common device for a lot of users. For some users the only device.)

> every application / Trojan writer

They've always had that power.

Applications have never been forced to use OS/network-configured DNS. DNS is an absurdly simple protocol that doesn't even have encryption by default. OS firewalls might block sockets to DNS ports by default, but there are ways to tunnel over other ports plus tools like UPnP given enough user trust.

DoH is a standardized port tunnel but that doesn't mean that unstandardized ones never existed before. Trojans/viruses have been doing weird things to avoid DNS for decades. DoH doesn't make them that much easier.

DoH isn't great and it is a shame that for privacy and control it's a big ugly trade-off/compromise from ideals. It's useful for some people. There are definitely unanswered questions in terms of which big corporation truly cares about privacy. I've seen my monopolist consumer ISP inject ads against my wishes and do change the DNS on my home (owned) routers (that I pay extra for each month despite owning my own hardware because of owning my own hardware). I don't always know what to think about Cloudflare's massive PR engine of how much they claim to value privacy, but so far I've never seen them inject an ad where one doesn't belong nor have I seen ad revenue make a splash in their quarterly reports. They don't seem to be an ad company. (Yet?)

Trust is hard and we all have different threat models. I don't blame you for distrusting Cloudflare. I have direct evidence for distrusting my current ISP and indirect evidence for distrusting most consumer ISPs I've encountered, despite being paying customers. There's no free lunch and there's no right answer, just a lot of "least wrong" answers. DoH isn't the right answer objectively. But DoH can be a "least wrong" for some users. Just as trying to be the MITM in networks you own is quite wrong from a security standpoint (once you've got one MITM it becomes harder to trust that there isn't a second one) but may be the "least wrong" answer for some users including maybe you.

0 comments

7 comments · 2 top-level

johnklos2y ago· 3 in thread

Trust is hard, yes. Cloudflare might not be going for the low hanging fruit such as injecting ads, but they clearly want to be a monopoly around whom the Internet recentralizes.

Moving DNS from an ISP, who we pay and with whom we have legal contracts, to a company that does things, supposedly, for altruistic reasons, with whom we do NOT have contracts, doesn't fix anything. It makes things worse. The solution is to remove DNS from your ISP and run it yourself, or use a not-for-profit that isn't trying to become a monopoly, that isn't in a position to have its data syphoned off by the NSA, that doesn't knowingly and willingly host spammers, phishers and scammers.

How about we don't trust ISPs AND we don't trust Cloudflare?

BTW - I have to flatly disagree with your suggestion that, "once you've got one MITM it becomes harder to trust that there isn't a second one". That's ridiculous. I can check and verify things to a much greater degree by running my own network. Also, I never said anything about MITM my own network. I want to run my own DNS and block DNS to the rest of the Internet. That's not MITM.

The least wrong thing is to not replace something that MIGHT be shitty with something that MIGHT also be shitty, but might also open you to new problems and security issues. The idea that it MIGHT be less shitty isn't a good enough reason for DoH.

josephcsible2y ago

> The solution is to remove DNS from your ISP and run it yourself

This doesn't work because if you run your own recursive DNS server, it will make insecure requests to all of the authoritative servers, and so your ISP can hijack them all. And DNSSEC will keep you from getting sent to the wrong domain, but won't help you figure out the right domain.

denton-scratch2y ago

> I want to run my own DNS and block DNS to the rest of the Internet.

Your private recursive DNS server, of course, has to send requests to the rest of the internet; you don't want to block those. They don't have to be plaintext, unless the authoritative server in question only talks plaintext.

johnklos2y ago

Of course, and it's obviously easier to configure a single recursive resolver to prefer encryption wherever possible than it is to try to configure each client (or in the case of DoH, each program) to do opportunistic encryption.

The point is that these requests don't go to my ISP's DNS servers.

And for the other people who're making up unrealistic scenarios such as the ISP trying to MITM all DNS, not just queries they answer, there are many forms of tunneling that can be used such as VPNs. It's still easier to do one solution for the whole network than individual solutions for each client (or each application, for DoH).

AnthonyMouse2y ago· 2 in thread

> People rent their networks from one, maybe two area options.

That's not the LAN.

> The consumer networks want to completely control router hardware these days and these days charge extra rental fees for owned hardware instead of rented hardware. (It's fascinating that they can legally get away with that.)

You can put your own router behind theirs. It's ridiculous for them to make you do that but nothing actually stops you.

> You may also be underestimating just how much time people spend on devices "out in public".

For which anyone can use a VPN.

> Applications have never been forced to use OS/network-configured DNS. DNS is an absurdly simple protocol that doesn't even have encryption by default. OS firewalls might block sockets to DNS ports by default, but there are ways to tunnel over other ports plus tools like UPnP given enough user trust.

Your local network can intercept ordinary DNS queries to any server and redirect them to your own. To work around this, a piece of malware would have to contact some custom server on a different port to do a name lookup -- but where does it look up that server's IP address? Hard-coding the IP address allows the malware's lookup server to be blocked.

But if centralized DoH servers become too popular to block because blocking them breaks too many legitimate applications, now the malware can use them and the user can't block them.

> I don't always know what to think about Cloudflare's massive PR engine of how much they claim to value privacy, but so far I've never seen them inject an ad where one doesn't belong nor have I seen ad revenue make a splash in their quarterly reports. They don't seem to be an ad company.

The question is, what are they doing with the data they collect?

> There's no free lunch and there's no right answer, just a lot of "least wrong" answers.

There is already a "least wrong" answer: Use a VPN you trust and use your VPN's DNS or run your own. VPNs have plenty of competition, and you can set up your own on any hosting provider, which also have plenty of competition.

This is basically the same thing as having Cloudflare do it over TLS, except that it's not centralized and remains in the control of the user, so is better.

josephcsible2y ago

> That's not the LAN.

It doesn't matter much that your LAN itself is trustworthy if the only way out of it isn't.

> You can put your own router behind theirs. It's ridiculous for them to make you do that but nothing actually stops you.

Yes, you can do that, but it doesn't do anything to help with the problem that DoH solves.

> For which anyone can use a VPN.

I want to live in a world in which you can have privacy without having to be on a VPN 24/7.

> To work around this, a piece of malware would have to contact some custom server on a different port to do a name lookup -- but where does it look up that server's IP address? Hard-coding the IP address allows the malware's lookup server to be blocked.

Couldn't it host a file with the IP on a service like Dropbox or GitHub Pages? People aren't likely to block them at the firewall.

> But if centralized DoH servers become too popular to block because blocking them breaks too many legitimate applications, now the malware can use them and the user can't block them.

Isn't this basically "privacy for computer programs is bad because malware benefits from it", which is wrong for the same reason that "privacy for people is bad because criminals benefit from it"?

> The question is, what are they doing with the data they collect?

What's your ISP doing with all of the data they collect from your insecure DNS queries? And if you're concerned about Cloudflare in particular, then just use some other DoH provider.

> There is already a "least wrong" answer: Use a VPN you trust and use your VPN's DNS or run your own. VPNs have plenty of competition, and you can set up your own on any hosting provider, which also have plenty of competition.

> This is basically the same thing as having Cloudflare do it over TLS, except that it's not centralized and remains in the control of the user, so is better.

Cloudflare doesn't have a monopoly on DoH. There's plenty of competition between providers for it too: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-av...

AnthonyMouse2y ago

> It doesn't matter much that your LAN itself is trustworthy if the only way out of it isn't.

> Yes, you can do that, but it doesn't do anything to help with the problem that DoH solves.

Well sure it is, because if you know the ISP isn't trustworthy, then you can have your own local DNS server encrypt the DNS traffic to the upstream DNS server of your choosing.

> I want to live in a world in which you can have privacy without having to be on a VPN 24/7.

Something has to encrypt the DNS queries. Why is TLS/HTTPS any better than a VPN?

> Couldn't it host a file with the IP on a service like Dropbox or GitHub Pages? People aren't likely to block them at the firewall.

Those services will take down the page when it's hosting malware.

> Isn't this basically "privacy for computer programs is bad because malware benefits from it", which is wrong for the same reason that "privacy for people is bad because criminals benefit from it"?

The question is, privacy from who? Privacy from governments and corporations is good. Privacy from the device owner is bad.

> What's your ISP doing with all of the data they collect from your insecure DNS queries?

Nothing, when you configure your LAN or device to encrypt them.

> And if you're concerned about Cloudflare in particular, then just use some other DoH provider.

Hard-coding Cloudflare in multiple applications on multiple devices makes it arduous to do this, which is the entire criticism.

1 more reply

j / k navigate · click thread line to collapse