
Re: DOH (was: geolocation services disabled and Gnome maps)



On 4/12/20, Reco  wrote:
> On Sun, Apr 12, 2020 at 12:35:44PM +0200, tomas@tuxteam.de wrote:
>> On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
>> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, tomas@tuxteam.de wrote:
>> > > That's why I cringe at the idea that browsers want to start doing
>> > > name resolution over HTTPS.
>> >
>> > This simple one line of dnsmasq configuration will disable this
>> > problematic feature for good for Firefox (basically it creates a bogus
>> > NXDOMAIN response for this particular site):
>> >
>> > local=/use-application-dns.net/
>>
>> I don't quite understand [1] how the dnsmasq config has a say on
>> whether the browser resolves things over HTTP (it won't ask the
>> resolver in the first place, would it?), but thanks for the pointer
>> anyway.
>>
>> Cheers
>> [1] That's not a rhetorical flourish, it's genuine. I know too
>>    little about DNS-over-HTTP to be of any use at this point.
>
> The questionable idea behind DOH is that the browser makers do not trust
> your local resolver.

Mozilla claims it's a privacy issue:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
  Benefits
DoH improves privacy by hiding domain name lookups from someone
lurking on public WiFi, your ISP, or anyone else on your local
network. DoH, when enabled, ensures that your ISP cannot collect and
sell personal information related to your browsing behavior.

Although I suspect "cannot" should be changed to "has a slightly harder time to".

> As usual, main arguments here are:
>
> 1) One can use a local resolver with the ability *not* to resolve
> certain DNS queries, which refer to the sites which just happen to
> contain advertisements, fingerprinting, tracking, cryptomining etc.
> Since all two major browser makers (Google and Mozilla) happen to rely
> on revenue generated by advertising *and* users' browsing habits this
> obviously can not be tolerated.

Wasn't there a fairly recent kerfuffle about an upcoming change to
chrome that would break things like the uMatrix addon? hrmm...  ok,
found it
https://bugs.chromium.org/p/chromium/issues/detail?id=896897&desc=2#c23
  If this (quite limited) declarativeNetRequest API ends up being the
only way content blockers can accomplish their duty, this essentially
means that two content blockers I have maintained for years, uBlock
Origin ("uBO") and uMatrix, can no longer exist.

If firefox wasn't a viable alternative to chrome, what are the chances
that change would have been implemented?


> 2) ISPs can intercept DNS queries, and modify them at their leisure.
> Usually considered a first step to censorship, implemented in this
> particular form in certain European countries.

along with ISPs can monitor DNS queries and sell the info.

https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data
  Ellen Canale, director of corporate communications at Mozilla, wrote
in an email, "This is part of a pretty aggressive campaign we've seen
from the ISPs to protect their control over DNS traffic and the
tracking opportunities it provides them."

> 3) Bad guys and gals can hijack DNS too, to the usual hilarious results.

And the bad guys and gals can use DOH to "hide" their traffic and
circumvent things like pihole.  I just did a quick search and couldn't
find anything for smart TVs using DOH.  Probably because my search
skillz sux :(

> With the advent of HTTPS all this may be seen as moot points (if you're
> redirected elsewhere the certificate validation should fail), but
> nevertheless DOH is forced upon the collective throat of Firefox users
> as we speak (and Chrome users are likely to follow them Soon™).
> Currently a Firefox user is supposed to trust Cloudflare to do DNS
> queries for them, and HTTPS is used for this purpose because Security™.

For some values of "security", DOH _is_ more secure.  How many people
use a dnssec validating resolver?  At least Cloudflare resolvers have
dnssec enabled.

^shrug^ there are lots of trade-offs to be made in this area.  I'm
certainly not a fan of DOH and I do my best to block it on my
network.  I just think there are some privacy/security arguments for
DOH that you're minimizing.

Regards,
Lee
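Editor's note, added to this archived thread and not part of Reco's or Lee's posts: the one-line dnsmasq directive quoted above works because Firefox, before turning DoH on by default, looks up the canary domain use-application-dns.net through the ordinary system resolver; an NXDOMAIN answer is taken as the network operator opting out, which is why a local resolver gets a say at all, answering tomas's question. The same directive can refuse the default DoH endpoint name (mozilla.cloudflare-dns.com, Firefox's Cloudflare endpoint at the time of the thread), which is the kind of network-side block Lee mentions. The file name, the interface name and the option to bind only to the LAN interface are assumptions for a typical small-network dnsmasq setup.

```conf
# /etc/dnsmasq.d/no-doh.conf   (added example; file name is an assumption)

# Firefox canary: the browser resolves this name via the system resolver
# before enabling DoH by default. "local=" answers it only from /etc/hosts
# or DHCP leases, so with no such entry the client gets NXDOMAIN and
# Firefox keeps using the system resolver.
local=/use-application-dns.net/

# Refuse to resolve the default DoH endpoint name as well, so a Firefox
# that has DoH switched on cannot bootstrap the endpoint through this
# resolver (several domains may share one directive, separated by "/").
local=/mozilla.cloudflare-dns.com/

# Serve DNS only on the LAN side; interface name is an assumption.
interface=eth0
bind-interfaces
```

After restarting dnsmasq, `dig use-application-dns.net @127.0.0.1` should report status NXDOMAIN in its header; a NOERROR answer with A records means the canary is still being forwarded upstream. Two caveats a practitioner should keep in mind: Mozilla documents that the canary is honoured only for the default (opt-out) roll-out, so a user who explicitly enabled DoH in the Firefox preferences is not affected by the first line; and blocking resolver names is only a speed bump, since any client can reach a DoH server by IP address over port 443, so a firewall rule on the known resolver addresses is what actually enforces the policy, which is the sense in which Lee's "has a slightly harder time" reading of Mozilla's "cannot" applies in both directions.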

