Comment by josephcsible
20 hours ago
This article is totally wrong. I'm not sure how it got so much traction. Details:
> But slowly people started to realize what the collaboration between Mozilla and Cloudflare really means: Cloudflare gets all your DNS queries.
There are a lot of DoH providers other than Cloudflare. https://github.com/curl/curl/wiki/DNS-over-HTTPS lists several. If you don't want Cloudflare seeing your DNS requests, then use one of them instead. (And even for users who do just stick with the default, I think it's better privacy-wise for Cloudflare to see that data than for the average American ISP to.)
> Yes, there is. It is called DNS over TLS and is specified as a proposed standard in RFC 7858. This provides transport encryption to DNS without abusing HTTP as transport protocol.
The only difference between DoT and DoH is that DoT is easier to block and force fallback to totally insecure DNS. There's no reason to ever use DoT if you can use DoH. (And I don't get why the author likes it better: whoever runs the DoT server gets the exact same data that they'd get with a DoH server instead.)
> No, it is not. Abusing HTTP as a transport protocol for DNS data adds an unneeded complexity to the protocol. You must add an HTTP module to all DNS servers or interact with a separate HTTP server on the same system in order to support DoH. That is a lot of code which can contain a lot of bugs and security flaws. Complexity is the enemy of security.
The extra complexity of HTTP is massively outweighed by the significant reduction in fallbacks to insecure DNS.
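As an added illustration of the DoT-versus-DoH point argued above (this is example code, not anything from the commenters or from a real resolver): the same RFC 1035 wire-format query is framed for DoT (RFC 7858, 2-byte length prefix, TLS on port 853) and for DoH (RFC 8484, HTTP POST body of type application/dns-message, TLS on port 443). The query name, the `doh.example` host and the `/dns-query` path are constructed for the example.

```python
import struct

def build_dns_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query: 12-byte header plus one question (QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_dot(msg: bytes) -> bytes:
    """DoT: the DNS message with the usual 2-byte TCP length prefix, carried inside TLS on 853."""
    return struct.pack("!H", len(msg)) + msg

def frame_doh(msg: bytes, host: str = "doh.example") -> bytes:
    """DoH: the same message as an HTTP POST body inside TLS on 443. RFC 8484 wants the
    message ID set to 0 so replies cache well; the /dns-query path is a common
    convention and the host name is made up for this example (both are assumptions)."""
    msg = b"\x00\x00" + msg[2:]
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return head.encode("ascii") + msg

def unframe_dot(data: bytes) -> bytes:
    """Strip the DoT length prefix; reject a truncated frame instead of guessing."""
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("short DoT frame")
    return data[2:2 + n]

def unframe_doh(data: bytes) -> bytes:
    """Parse the HTTP envelope (the extra code DoH needs) and return the DNS message."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator")
    fields = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        k, _, v = line.partition(b":")
        fields[k.strip().lower()] = v.strip()
    if fields.get(b"content-type") != b"application/dns-message":
        raise ValueError("not a DoH message")
    return body[:int(fields[b"content-length"])]

def same_payload(name: str) -> bool:
    """Both transports hand the resolver the identical DNS question."""
    q = build_dns_query(name, txid=0)
    return unframe_dot(frame_dot(q)) == q == unframe_doh(frame_doh(q))
```

Whoever terminates the TLS session sees the same question either way; the transports differ only in port, framing and the HTTP parsing needed on both ends.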
> If you don't want Cloudflare seeing your DNS requests, then use one of them instead.
Normal people have no idea that this even exists, much less how to do it, so they're still having all their queries routed to Cloudflare by default.
> The only difference between DoT and DoH is that DoT is easier to block and force fallback to totally insecure DNS.
A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS. A corporate one that requires you to install certificates on the client so that it can, is just as able to block DoH as DoT.
And fallback isn't required in either case. If some network is blocking encrypted DNS, the client device can be configured to fail rather than use the insecure DNS, at which point the user knows that the network is adversarial and can switch to a VPN or a cellular connection etc.
> Normal people have no idea that this even exists, much less how to do it, so they're still having all their queries routed to Cloudflare by default.
This goes the other way too. Normal people don't know about DNS at all, and without DoH, are leaking all of their DNS queries to their ISP without knowing.
> A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS.
DoT uses port 853, which can just be blocked wholesale. It's not feasible to do the same for DoH since it uses port 443.
> And fallback isn't required in either case. If some network is blocking encrypted DNS, the client device can be configured to fail rather than use the insecure DNS, at which point the user knows that the network is adversarial and can switch to a VPN or a cellular connection etc.
It can be, but it's not the default on any mainstream system. Normal people won't change defaults, and they deserve privacy too.
> This goes the other way too. Normal people don't know about DNS at all, and without DoH, are leaking all of their DNS queries to their ISP without knowing.
But is this actually any better than leaking them to Cloudflare? There is at least the possibility that the ISP isn't logging them and that they only run a DNS server because their customers expect one.
It's hard to imagine any reason for Cloudflare to do it other than because they want to analyze DNS traffic, and then it's in a much more centralized location than to be distributed across every network and ISP.
> DoT uses port 853, which can just be blocked wholesale. It's not feasible to do the same for DoH since it uses port 443.
So run DoT over port 443. The benefit of DoT is removing the implementation complexity of a pointless HTTP stack.
> Normal people won't change defaults, and they deserve privacy too.
So change the system defaults to use DoT. That might even get you port 853 open, because breaking the defaults in popular devices would get the network admins off their butts to notice that a new protocol exists.
With or without DoH your ISP knows all hosts you connect to anyway, for HTTP and similar, including the hostname. ECH could have been an improvement but does not get much traction.
> A normal middlebox can't even tell the difference between DoH and DoT because they both just look like TLS.
You forgot the "let's intercept in a public place (e.g. public Wi-Fi hotspots)" one, where blocking port 853 is super trivial while blocking port 443... is impossible. Sure, Google DNS will be blocked easily, but there are a lot of DoH providers!
There is no law against running DoT over port 443.
There are only like 3 major ones. You can block those IPs too.
> Normal people have no idea that this even exists, much less how to do it, so they're still having all their queries routed to Cloudflare by default.
This is a complaint about Firefox's implementation, not DoH in general. Chrome will use DoH with your system DNS provider, if it supports it.
I'm torn on whether using Cloudflare by default was a good choice. On the one hand, having all requests going to a single provider and trusting that provider not to log anything is a potential privacy problem. And it can cause problems for people who use private DNS resolvers. On the other hand, even if you don't completely trust Cloudflare, it is probably more private than a lot of people's default DNS providers that come from ISPs that are known to spy on customers either for profit or at the request of a government.
The article is not wrong, it's exactly what they're doing, but so does Google with their 8.8.8.8 servers, and you thought Google was doing it out of the goodness of their hearts (after they removed the do not be evil clause).
At least Cloudflare offers their 1.1.1.2 and 1.1.1.3 resolvers with built-in content filtering or full adult content filtering, as well as unfiltered 1.1.1.1, which is better than others. Normally folks pay Cisco OpenDNS or other enterprise-y products for this, and I applaud them doing it in general, for free. I'd set my mother up to use it if that were still something I had to do. Cloudflare is probably one of the less-evil companies today, and is a good engineering company if you follow their blogs.
Apple is actually worse in that they forced an entire DNS AND web proxy solution to get ALL traffic every Apple user does in the name of "privacy", but in the end it's really more for their marketing and analytics they can sell at will. Funny Google tried to offer a VPN service and everyone shunned it, but Apple people just drank the Kool-Aid as something nice Apple did just because they're a lovely company like that.
As the security guy that runs enterprise firewalls, I tend to block Apple's VPN/proxy stuff as proxy-avoidance by default, which creates a ton of noise in terms of denied Apple proxy and DoH drops, but it keeps them using my internal DNS and internet that I can see when lusers happen to get themselves infected and start exfiltrating data to China. Otherwise with Apple's VPN/proxy privacy bs, I have no ability to see or stop it, and neither do their users. Thanks for the fish, Apple.
I just assume all VPN companies do this now as their real revenue stream.
I also happen to do work for Firefox's primary advertising partner, and I can tell you it brings me no comfort as a Firefox user myself.
"But slowly people started to realize what the collaboration between Mozilla and Cloudflare really means: Cloudflare gets all your DNS queries."
This is not wrong. This is correct. The article speaks correctly here.
The comment you're replying to used that quote to frame their argument that there are plenty of providers besides Cloudflare. Nobody is disputing that if you set your provider to Cloudflare your queries go to Cloudflare. This is not a reasonable rebuttal.
In 2018 how many other choices were there actually?
If you use Cloudflare as your provider, then yes. But the article incorrectly asserts that DoH requires you to use Cloudflare as your provider.
> The only difference between DoT and DoH is that DoT is easier to block and force fallback to totally insecure DNS. There's no reason to ever use DoT if you can use DoH. (And I don't get why the author likes it better: whoever runs the DoT server gets the exact same data that they'd get with a DoH server instead.)
Don't use shitty networks then. This is not an issue for all residential (and mobile) connections. Only corporate and other shittily configured networks are affected by this.
> Don't use shitty networks then. This is not an issue for all residential (and mobile) connections. Only corporate and other shittily configured networks are affected by this.
There are some residential and mobile connections that this is an issue for. And it's not always an option to use a network that doesn't try to do this.
Maybe 0.01%. Anyway, it's not an argument against it.