The thing that bothers me most about DoH is that it moves the responsibility for name resolution from the operating system to each application. So now you don't have the ability to set up your own DNS server system-wide, you need to do it per-application and per-device. Assuming, of course, that the applications and devices in question allow you to do this and/or respect your choice when you do it.
Also shoving every protocol under the sun into HTTPS just feels wrong. I get why it's happening (too many middleware boxes and ISPs think internet == web). But shouldn't we fix the ISPs and middleware instead of endlessly working around it?
bornfreddy · 11m ago
Not just that. ISP knows the IP addresses anyway, so they can make an educated guess which domain you are accessing (or use SNI). So why would I want to leak this data to another entity?
Of course, Cloudflare (if page uses them) and Google (if you are not blocking their remote fonts & js) also already have this information, so there's that.
josephcsible · 5m ago
> Not just that. ISP knows the IP addresses anyway, so they can make an educated guess which domain you are accessing (or use SNI). So why would I want to leak this data to another entity?
Because a lot of sites are behind a CDN that makes such guessing infeasible, and can use ECH to block the SNI leak. And since your ISP knows your real identity and other personal info like physical address, it's better privacy-wise for them not to be the ones who know exactly which sites your IP is visiting.
josephcsible · 4m ago
> Also shoving every protocol under the sun into HTTPS just feels wrong. I get why it's happening (too many middleware boxes and ISPs think internet == web). But shouldn't we fix the ISPs and middleware instead of endlessly working around it?
It'd be great for the horrible ISPs and middleboxes to change, but that's not realistic, and working around it by wrapping everything in HTTPS is realistic.
mlhpdx · 33m ago
Yes, but it won’t be easy. Heavy investment has gone into HTTP and we have great tooling and support for it as a result. That has a lot of benefits and I’m glad for it. But there is a cost.
HTTP is a blunt hammer and computing sometimes needs a scalpel. Lighter, more efficient protocols are important, as QUIC and WireGuard have proven.
Mister_Snuggles · 8m ago
To play devil's advocate, shoving everything into HTTP/HTTPS also allowed a ton of innovation.
Would video streaming sites (Youtube, Vimeo, etc) ever have gotten off the ground if they had to go to IANA to get a port number assigned, then wait for browsers to support the new protocol that runs over the new port, etc? Probably not to be honest. Or maybe browsers would just let JavaScript connect to any port, which would be terrifying from a security standpoint.
I'm firmly convinced that shoving everything into HTTP/HTTPS was a mistake. But I'm also willing to acknowledge that it's probably the least-worst solution to a bunch of problems.
meindnoch · 29m ago
>Also shoving every protocol under the sun into HTTPS just feels wrong. I get why it's happening (too many middleware boxes and ISPs think internet == web).
But the HTTP part of HTTPS is invisible to middleboxes. They see an opaque TLS stream.
Mister_Snuggles · 25m ago
Usually.
Some middleboxes inspect the TLS session setup (e.g., SNI sniffing) and in some corporate environments they even decrypt the traffic (this relies on the endpoints having a root certificate installed that allows this functionality, which is something you'd see in a corporate environment).
meindnoch · 5m ago
Ok, but at that point there's zero benefit to DoH anyway.
lokar · 31m ago
Why can’t you have a forwarding resolver send out queries via http and then use it as the system default?
Mister_Snuggles · 29m ago
There's no reason you couldn't, and this would actually be fine in my view.
The problem is that with DoH the applications themselves have their own resolver built in that doesn't respect the system defaults.
VWWHFSfQ · 23m ago
Firefox at least allows to set your own DoH resolver if you want
Mister_Snuggles · 20m ago
I can see a future where Chrome will use the system resolver for everything except Google's advertising domains, and those name resolutions will be impossible to block because they're going to a Google IP that may also serve services you want. Maybe Chrome would get called out for this change and they'd back it off.
But I doubt that a smart TV that does this would get called out, and even if they were the response would likely be "Oh, that model is three months old and we don't do firmware updates, sorry."
dabacaba · 2h ago
DoH does wonders against ISPs which filter DNS traffic (including traffic to third-party DNS servers). This happens more often than many people realize. My ISP blocks traffic to a couple of random websites (perfectly safe and legal) just because their security system doesn't like them, and they can't do anything about that. I only wish for more websites to deploy ECH, because they are using SNI filtering as well.
atahanacar · 48m ago
>they are using SNI filtering as well
This is surprisingly easy to beat using very funny methods, like splitting the request in the middle of SNI, or sending a request with a low TTL to an unblocked website first which gets dropped then repeating it to the correct SNI.
There are more methods all of which I find very funny for some reason. You can use GoodbyeDPI on Windows and zapret on Linux.
bornfreddy · 44m ago
I guess it depends on the situation then. My ISP doesn't pull such stunts and if they did, I would switch them in a moment. Fortunately others around here don't suck either. Cloudflare (or Google, or whoever) OTOH gets waaaay too much data from everybody. For my taste at least.
jsiepkes · 1h ago
Same goes for if you have an IoT device behind a corporate firewall and you are being forced to use a enterprise DNS server running on some Cisco or Juniper device which doesn't respect TTL's, filters TXT records, etc.
unethical_ban · 52m ago
A decent corporate policy will block or decrypt DoH, same as it blocks direct outbound DNS.
elashri · 5h ago
I think one way or another you will have to trust some entity with your DNS. Unless you are willing to use tor all the way on OS level. Even running your own recursive DNS resolver will leak your IP to root servers. Put VPN in front of it and know you trust this VPN company (kudos Mullvad).
And abusing https is for a good reasons. Blocking ports 53 and 853 is easy and many ISPs will do that.
The author also make it feel like the only option is to use cloudflare DoH on Firefox while that's the first option, there is also nextdns and custom field. There are many providers I would trust more like quad9 and Mullvad DoH.
I think the reasons why not to use DoH is the same for why not using public dns from providers you don't trust anyway.
Most of the people are happily using 8.8.8.8 and handing all their dns information to the biggest advertisement company in the world. Or wosre, using their ISP provided DNS.
btasker · 5h ago
> The author also make it feel like the only option is to use cloudflare DoH on Firefox
In fairness, the date on the post is 2018 - when Firefox first launched this, Cloudflare was the only option
rainsford · 2h ago
True, but at the end of the post the author also explicitly rejects the idea of the DoH protocol in general on questionable technical grounds, so clearly their objection isn't just Cloudflare. I think the argument would be a lot clearer if they didn't conflate "using Cloudflare for your DNS" with "using the DoH protocol for DNS" even if they think both of them are bad.
elashri · 4h ago
Now that makes more sense regarding this point. I missed the date. I think the submission title needs (2018).
heavyset_go · 30m ago
The Tor daemon exposes DNS resolvers if you enable them in torrc.
You'd of course be trusting Tor nodes for your DNS at that point, as I believe the network pulls records from exit nodes' resolvers, but you sidestep the quandary of deciding who you trust to directly make requests to.
You can also have multiple resolvers in the same daemon that use their own circuits, reducing the chances of receiving forged DNS records from potentially malicious exit nodes.
Similarly, DoH and DoT work over Tor.
You don't have to use it at a system level, just point your DNS clients at the daemon.
toast0 · 1h ago
> I think one way or another you will have to trust some entity with your DNS. Unless you are willing to use tor all the way on OS level. Even running your own recursive DNS resolver will leak your IP to root servers
With modern recursive DNS, you don't leak much to the root servers, just the tld you're trying to resolve. And you can axfr the root zone and then the root servers only know you're a resolver. The TLD servers know a lot, by necessity, though.
mixdup · 1h ago
I think, though, for the purposes of this argument you can lump the TLD and root servers together. Lot of people are going to know who you are and what you're looking up if you run your own recursive resolver directly against the root servers
avg_dev · 1h ago
I wonder if using a large number of DNS servers and picking one from the list or rotating through them would help.
mlhpdx · 28m ago
If you’re going to be hacking, why not just build your own DNS?
mlhpdx · 29m ago
Not really. If motivated, building a bespoke DNS for personal (or whatever) use is easy these days. The hard part is the infrastructure to make it reliable and maintainable.
mercora · 4h ago
its funny you call out Mullvad in this specific case because its the one thing i really dislike about their VPN service. It wont route DNS to the root server, or any designated server really. They redirect DNS queries to their cache indiscriminately. which actually will harm the success of setting up a recursive resolver. I get this is done to prevent leaks, i would just like the option to opt out of it. been customer for many years now though. I use unbound semi recursively resolving using a forwarder with DNS over TLS. So Mullvad is not burdened with what i resolve and the forwarder not with information on who.
immibis · 2h ago
It's crazy that OSes don't run their own recursive resolver by default or even have it as an option.
ddtaylor · 1h ago
I think `systemd-resolved` provides it out-of-the-box for most distros.
a022311 · 1h ago
AFAIK it's just a proxy to another DNS server with the added benefit of being able to resolve local domain names through mDNS.
hk1337 · 26m ago
Isn’t that essentially what DNS is? It may cache results but it has to get the results at some point and they communicate with other DNS servers that have the information?
ls612 · 3h ago
I tried configuring Mullvad DNS on Firefox (last year) with DoH/DoT and it would randomly flake out and not resolve some domains (different ones each time) and the only way to fix it was restarting the browser. Cloudflare at least Just Works (tm)
yegle · 13m ago
I don't understand any of the arguments.
Why mentioning DNS-over-TLS if you are against DNS-over-HTTPS? They have all the same "downside".
What's wrong with one less peeper (your ISP)? You _have_ to use a DNS server unless you use something fancy like dnsmasq to round-robin between multiple DNS servers (but your ISP can still see everything)
Besides, you can run your own DoH server with ease, you don't have to use Cloudflare's.
xrmagnum · 5h ago
I find it problematic that this article recommends disabling DoH, which leaves users with unencrypted DNS — still centralized (e.g. to Google’s 8.8.8.8 or an ISP) and now vulnerable to man-in-the-middle attacks. Replacing one form of centralization with another while giving up encryption doesn’t improve privacy — it worsens it.
If the goal is to reduce centralization, a better approach would be to use encrypted DNS (DoH or DoT) with resolver rotation or randomization. That way, users retain privacy from local networks and ISPs without concentrating all DNS traffic in a single provider’s hands.
tptacek · 38m ago
It is problematic; it's a post from 2018 that did not age well at all.
exiguus · 4h ago
If you're looking to implement encrypted DNS with multiple servers or providers, consider using unbound, which supports TLS resolvers and can operate in recursive mode. Alternatively, you might opt for AdGuard DNSProxy or dnscrypt-proxy, both of which support DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt. You can run these tools on your local network or computer and configure your resolve.conf to point to them.
piskov · 21m ago
DoT is explicitly mentioned as a better alternative
WhyNotHugo · 4h ago
Disabling DoH in your browser’s settings should make it fall back to you system’s resolver.
You’ll only be vulnerable to a MitM attack if your system’s resolver is insecure and also vulnerable to a MitM attack.
sammy2255 · 4h ago
(which all are by default)
NewJazz · 54m ago
No, plenty of OSs ship encrypted DNS resolvers by default.
creata · 5h ago
The points here aren't technically wrong, but it still feels like disabling DoH would be a reduction in security. For example:
> Cloudflare gets all your DNS queries.
That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.
> Complexity is the enemy of security.
That's true, but that's no reason to go from an imperfect solution to a nonsolution.
> there is DNS over TLS
That doesn't solve most of the issues that the author brought up.
> How does a modern company in the IT business earn money? By selling data.
Maybe I'm naive, but I thought they made money by using all the data they collect for better threat prevention, and from their paid services.
bigfatkitten · 5h ago
My ISP is bound by robust privacy, telecommunications interception and other legislation.
Cloudflare, on the other hand is based in a foreign jurisdiction that offers none of these protections.
zinekeller · 4h ago
> My ISP is bound by robust privacy, telecommunications interception and other legislation.
It really depends on which jurisdiction are you in, unfortunately. US ISPs are selling everything they can hover (including DNS information) to advertisers, and it is impossible to switch to another one unless you're lucky (because the monopoly is essentially maintained).
immibis · 2h ago
So is Cloudflare, which is a US ISP....
mixdup · 1h ago
Cloudflare is not an ISP. They have other services they sell. Maybe they're selling your data, maybe not. I honestly have not read their agreements and terms, but it's not nearly as obvious that you're the product as something like Google
waynesonfire · 4h ago
And until TLS is made secure they'll continue to rape privacy by scraping your https traffic.
mcpherrinm · 1h ago
The most important part of DoH, etc is that it allows you to make a choice. You can choose a vendor in your country. As a Canadian, I might want to use the service offered by my national TLD operator https://www.cira.ca/en/canadian-shield/configure/firefox/
Many ISPs explicitly sell DNS data, and are also advertising vendors.
> The most important part of DoH, etc is that it allows you to make a choice.
So does UDP based DNS, and TLS based DNS. It’s all the same in that regard.
AshamedCaptain · 2h ago
In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.
So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.
* Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.
koakuma-chan · 1h ago
> IP traffic metadata such as addresses and packet sizes.
Even if you use a VPN?
gruez · 1h ago
That just shifts the trust from your ISP to your VPN provider. Moreover if you're already using a VPN, your DoH requests to cloudflare is already anonymized.
mlhpdx · 19m ago
If you are using WireGuard between endpoints your traffic if opaque, but yeah if/where it exits it becomes (depending on the encapsulated protocol) visible.
j16sdiz · 1h ago
ISP regularly captures NXDOMAIN.
They know your government id when you subscribe to their service.
CloudFlare, otoh, never have your identity. They only have the metadata
archerx · 5h ago
> That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.
Based on what?
ignoramous · 4h ago
> Based on what?
The bar is real low, mostly for the fact that ISPs are mandated by law in most if not all countries to track traffic flowing through their pipes.
You're next argument might be "but how do you know the server is really using ODNS?" You don't. If your security threat profile doesn't allow for this, whatever you're doing shouldn't be using a public internet network anyway.
ortichic · 5h ago
Can you also choose which company provides the physical infrastructure that connects to your home?
tialaramex · 5h ago
If you live in a city or other urban area, typically you have the option of the decoupled telco (BT Openreach) that more or less everybody has, the entity which bought all the cable television companies (Virgin Media) and usually a fibre-for-purpose Internet company that decided to do your city or region.
If you live in a rural area where people are co-operative, there might be a community owned fibre operator plus Opeanreach, otherwise just Openreach.
If you live somewhere very silly, like up a mountain or on your own island, your only practical option will be paying Openreach to do the work.
Edited to add, Notably: Only Openreach is usable by an arbitrary service provider. So if you want to pick your service provider separately, the actual last mile delivery will always be Openreach. And if they're small it won't just be last mile, Openreach also sell backhaul to get your data from some distant city to the place where the ISP's hardware is, you're buying only the, like, actual service. Which is important - mine means no censorship, excellent live support and competent people running everything, but the copper under the ground is not something they're responsible for (though they are better than most at kicking Openreach when it needs kicking)
chaz6 · 4h ago
CityFibre is only available through wholesale ISP's. Other smaller alt-nets (such as the one I work for - Netomnia (including Brsk/YouFibre)) is gearing up to provide wholesale access.
In the UK there are even aggregators like Fibre Café [1] that makes it easier for ISP's to connect through multiple networks.
If you are lucky, yes. For example, I have a choice between CityFibre (XGS-PON), Openreach (GPON) and Virgin Media (DOCSIS) as well as 2 different 5G networks. It is rare for a property to only be covered by a single wired network these days in the UK.
AshamedCaptain · 2h ago
> That's true, but that's no reason to go from an imperfect solution to a nonsolution.
This is textbook politician's fallacy. Yes, it may be preferable to continue with a "non-solution" if the solution proposed is stupid enough.
creata · 1h ago
No it's not. I'm saying don't let the perfect be the enemy of the good.
DoH does solve a problem for many people. Many large ISPs will sell your DNS requests, use them for targeted advertising, tamper with responses for various reasons, etc., and so DoH is an improvement over the status quo--not for everyone, but for many users, and I'd guess most users.
You're right, DoH might not be worth adopting if it were "stupid enough", but... it's not stupid enough.
haiku2077 · 57m ago
In the Politician's Fallacy, the chosen solution doesn't solve the problem. In this example, DoH solves many of the problems, perhaps not optimally, but better than the "do nothing" choice.
nmcfarl · 1h ago
To save some googling the Politicians Fallacy is this one:
We must do something.
This is something.
Therefore, we must do this.
sudahtigabulan · 5h ago
His proposed alternative, DoT, still has one known peeper, and is easier to block. DoH, OTOH, looks like regular HTTPS traffic and is on port 443.
So the "abuse" of HTTP is not unnecessary, you get something in return.
In some situations, DoT is fine. In others, it won't work, but DoH will.
rainsford · 2h ago
Even ignoring the question of the technical merits of DoT vs DoH, the way the author transitioned from "Cloudflare bad" to talking about DoT made no sense since DoT as an alternative does not solve the problems raised earlier in the post. Is the author opposed to DoH as a protocol or opposed to sending DNS requests to a company they don't like?
If we're getting into the technical part of the discussion though, I personally don't think DoH or DoT are great protocols for DNS. Security is fine, but it's a lot of overhead for relatively small requests where latency matters. I wish DNScrypt had gained more traction as an encrypted protocol designed specifically for DNS.
thr0w · 1h ago
With DNS over UDP, you have plausible deniability that you didn't actually make the request. With DNS over HTTP(S), you don't.
Agree with the general claim that anything "S" could be a power grab by a single peeper. Google pushing HTTPS in Chrome comes to mind.
lokar · 28m ago
By claiming src spoofing?
orbital-decay · 1h ago
The tone is pretty manipulative and sounds like a weird FUD.
>DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries.
How is this a lie? It does protect your queries from MitM. I doubt anyone ever said anything about protecting from everyone - either you keep a synced copy of the entire DNS database (or its part) locally, or send your query to someone else's computer. How else do you expect it to work?
>Refuse to use it today
"Refuse"? Why???
>Is there an alternative way? Yes, there is. It is called DNS over TLS
How does this eliminate the single peeper? You're still sending your query to someone else's computer. DoT encrypts, so it must be a good thing, right?
conradev · 1h ago
Is there an alternative way?
Yes, there is. It is called DNS over TLS and is specified as a proposed standard in RFC 7858. This provides transport encryption to DNS without abusing HTTP as transport protocol.
HTTP/3 is a full VPN protocol via MASQUE. I don’t understand how DNS over TLS is anything but slightly less convenient and otherwise no different than DNS over HTTP.
mixdup · 1h ago
Is DoH a bad idea because Cloudflare sees your queries or you're overloading HTTP as a protocol? This article seems to be advocating two different things
At the end of the day, if your problem is you don't trust the DNS provider to also be snooping, no flavor of encrypted DNS will solve it. Whoever lands the DNS query will be able to snoop whether it's TLS or DoH
toomim · 2h ago
You can solve the problems with DoH by using OHAI:
I trust cloudflare more than my ISP, since I live in a place where internet is very state controlled.
Some of the websites just don't open without DoH.
exiguus · 4h ago
I concur and generally advise against using large corporate DNS providers. Instead, consider setting up your own DNS infrastructure, such as your own recursive servers, or opt for a trustworthy DNS provider like Freifunk or CCC, rather than Google, Cloudflare, or Quad9.
The advantages of self-hosting recursive servers include complete configurability, absence of censorship, tracking, and rate limits. However, like any self-hosting solution, it requires an investment of time and money. It's also important to note that DNS lacks an authentication layer, so for access restrictions, it should be placed within a private network or VPN.
The issue of pre-configured DNS over HTTPS (DoH) in many browsers and mobile devices can be addressed through firewall rules on your router.
For creating your own DNS infrastructure, I recommend dnsdist if you have ample time, though bind and unbound are also viable options.
For the past three years, I have been running dnsdist with recursive servers on two ARM VPS instances, costing around 14 EUR per month. This setup provides me with DNS over TLS (DoT), DoH, and other features. I use them with unbound (TLS) or dnsproxy and dnscrypt-proxy across routers, servers, and other machines. For mobile devices, I utilize DoH directly.
Previously, I used bind in recursive mode without any encryption beyond SSH tunneling or VPN.
Alternatively, I can recommend ffmuc as a DNS provider.
c0l0 · 4h ago
I also run my own recursive DNS server on a VPS I rent, but I freely share it with other users of the Internet. This causes my "personal" signal of queries to authoritative servers to effectively disappear, and I also (marginally) benefit from caching effects of other users' lookups.
exiguus · 4h ago
I haven't taken this step yet, but I have considered it. Could you recommend whether I should share the service on a list such as dnscrypt.info/public-servers?
c0l0 · 4h ago
I was not aware of such a directory existing in the first place :) I only advertise "my" service (it only implements DNS and DoT) through word of mouth in communities I participate in.
victorbjorklund · 4h ago
Are there any security risks with sharing it wiyh others?
c0l0 · 4h ago
Well, concerning technical risks, DNS Cache Poisoning[0] is a thing - but I keep the software implementing my recursive DNS service up to date very eagerly, so I guess the risk of falling victim to such an attack is rather low.
How do you secure it against being used as a reflector in a UDP amplification attack?
toast0 · 1h ago
Probably rate limits, making sure response minification is fully enabled, and maybe set a low truncation size?
You can't run a public service without reflecting something, but you can endeavour to make the reflection ratio small.
ddtaylor · 2h ago
DoH is problematic in other ways too.
Due to recent browser problems I was giving Brave a shot. It's an interesting browser, but it has DoH enabled in a way that seemingly cannot be entirely disabled. It can be frustrating to not be able to interact with a lot of services because the browser is disregarding my local policy on my system.
EbNar · 2h ago
How is that? It's just a switch, as in any other Chromium browser.
Topic is about privacy concerns for using provider not DoH itself. With Doh, i am not worried about some UDP based attacks, i can easily put WAF and other auth mechasims for self hosted Private DNS systems
dev_l1x_be · 3h ago
Two raspberries with Adguard combined with Tailscale is pretty safe and removes a nice chunk of garbage from the internet
Why two ? For redundancy or am I missing anything?
ggm · 7h ago
Eh. He doesn't discuss which public dns upstream supports dtls and in some sense it's just picking who snoops, ie he argues against cloudflare snooping but doesn't discuss who else might.
Run hyperlocal root, run your own dns.
His "don't move off 22 for ssh" is also just opinion. He argues "you will be found" but misses the experience of those of us running on shifted ssh is continuously validated by the visibly lower level of probes we see. He offers no mathematical analysis of how quickly a port knock sequence will be uncovered, and again dismisses it as infeasible and useless.
I've got nothing against strongly held opinions and these are his. But, form your own opinions too.
btasker · 4h ago
> His "don't move off 22 for ssh" is also just opinion. He argues "you will be found"
Worse than that, that post misunderstands it's own statement:
"Sure, you will see fewer attacks than before, but most of the attackers are no longer just stupid bots"
That's a *good* thing, because the move has reduced the signal to noise ratio. By getting rid of most of the crufty noise of the internet, you now know that anything hitting your logs now is more likely to be an actual threat than the poorly automated dictionary attack bots.
Moving SSH to a different port doesn't make the system much more secure (and definitely shouldn't be the only thing you do), but it does generally enable you to be more responsive.
mhitza · 4h ago
I'm going to mention again dns0.eu which does support DNS over TLS. I haven't looked in-depth but I'm pretty sure some corporate networks block it somehow because on some networks my Android phone fails to connect to it.
Yeah I get almost no login attempts on ports other than 22. Should I even care about attempts on 22 though? They bounce off, and fail2ban blocks the IP after a while.
I sometimes think of putting my private servers on completely random IP addresses drawn from /64 IPv6 ranges. It should be near-impossible to find those by address scanning, unless I'm overlooking something dumb. Am I? It wouldn't surprise me.
tialaramex · 6h ago
An arbitrary IPv6 address is indeed not practical to find by scanning. However, unless you're willing to type in that 128-bit value each time you need it (which maybe you are) you'll advertise this address somehow and if you do that your advertisements can be read by others.
For example suppose you put my-private-server.vanity-domain.example in DNS with an AAAA pointing to your private server - "passive DNS" service means big DNS providers will sell the answers they saw when anybody (say, yourself, on somebody else's computer) asks AAAA? my-private-server.vanity-domain.example. They don't reveal who asked, so this isn't personal information, but they do reveal what the question was and its answer.
A long time ago we used this to build target portfolios, if we're going to sell your company our product X, this is way we can see that you already have products A, B and C, but not D, E or F so we look a bit smarter coming into the sale.
miyuru · 5h ago
For a real world example, I use IPv6 only SSH+public DNS and my fail2ban has 2 fails for a uptime with 285 days.
KwanEsq · 5h ago
Couldn't you just make my-private-server.vanity-domain.example a manual /etc/hosts entry to prevent advertising it?
kvdveer · 5h ago
You could. You'd only have the ability to log in from your own machine though. If that compromise works is very much dependent on your situation.
throwaway81523 · 3h ago
Yes, that's the idea of a private server. All the clients allowed to connect to it are mine, or at least authorized by me on a very small scale. Think of a backup server or a jump host.
Come to think of it, I could have a private DNS too. I haven't bothered with that.
NewJazz · 51m ago
At that point don't open port 22 to the internet, just set up wireguard or tailscale.
hk1337 · 5h ago
Just as easy, you could just set the Host in your ssh config. Then you don’t have to deal with dns
j0057 · 5h ago
I agree that sooner or later your SSH port will end up on Shodan anyway. Putting SSH behind a Wireguard VPN solves this completely.
drykiss · 5h ago
They don't really say if DoT is safer. I'm more confused than informed by this article. Would've been nicer if they provided some proofs or data to back up their claims.
Also, does anyone know what's the safest option? And how to configure it for all our home devices?
dec0dedab0de · 1h ago
i want to be able to man in the middle anything that phones home.
a022311 · 3h ago
That was indeed yet another one of Mozilla's well hidden moves to reduce our privacy. I've set up Adguard Home with a local recursive DNS resolver [1]. I haven't enabled encryption of the DNS queries, but I only ever connect through secure connections, so I don't mind. Sometimes queries are slightly slower or might fail (I'm guessing they time out), but I think it's really worth the extra privacy. I'm not really worried about leaking my IP to root servers, since at least they aren't run by an advertising company. (I hope?)
That's not a bad setup, but now your DNS requests to the root servers aren't encrypted, which means anyone between you and the root servers can see the requests. I guess it depends on whether it's more likely that someone is snooping the requests off the wire or that the server you're sending the requests directly to is snooping on them in addition to just resolving them.
I think the ideal solution would be if the root servers adopted encryption of some sort. But I can see why they're somewhat reluctant to do that, especially with relatively heavy protocols (compared to DNS) like DoH or DoT.
Edit: With the existence of QNAME minimization, I guess I should say that the requests to the root servers or authoritative DNS servers are unencrypted. This does at least spread out the risk a little, since other than your ISP there's probably some variation in who is actually between you and the various servers you're making requests to.
a022311 · 1h ago
I totally agree with this and I wish root servers supported DoT, but I guess this setup is slightly better than having all your queries collected by a single entity (at least as far as you can know, because as you said, anyone in between can intercept requests). At least response integrity can be verified with DNSSEC and DNS-level censorship can be prevented much more effectively.
tptacek · 38m ago
DNSSEC doesn't do anything to prevent DNS-level censorship, and DoT is easier to block than DoH --- that's why there's DoH in the first place.
jedisct1 · 5h ago
Anonymized DNSCrypt and Oblivious DoH are designed to keep your IP address hidden from resolvers, and there are DNS relays located all over the world. If you truly care about privacy, use anonymized DNS, not DoH.
arbll · 4h ago
Ah yes I'm going to disable DoH and go from trusting a central entity to trusting another central entity and everyone else on the wire.
Article is a bunch of strong opinion with nothing to back them.
deknos · 6h ago
is it possible to route DoH over generic HTTPS service when i only inspect a certain route? so i could have a generic https-server, where at some route, DNS requests are answered, other stuff just gives me a normal website?
because then we could use DoH for hiding our DNS requests..
btasker · 5h ago
Yes.
DoH requests go to /dns-query so you only need that path to proxy onto your DoH handler.
Some DoH clients will also allow you to specify a custom path, so you can also obfuscate the path by configuring client and server to use /foobar instead.
But, re-using an existing site does come at the cost of generating a bunch of extra log noise (fine if it's just you, not so fine if it isn't). If you don't have some kind of auth in place, you might also find that you suddenly come under a lot of load (when I ran a public DoH service, I eventually started getting a lot of traffic from users in an authoritarian country)
crabique · 5h ago
This is how it works already, the DoH endpoint is "/dns-query", both CloudFlare and Google route this endpoint to their resolver services, while the rest of the site (one.one.one.one or dns.google) is just a website.
api · 1h ago
I have blocked outbound raw DNS on my home LAN in favor of DoH from a pi hole.
spiffyk · 4h ago
Alright so the article's tl;dr says to not use DoH as it merely reduces the number of peepers to one (which firstly is a good thing and secondly also offers protection against UDP spoofing attacks)... then goes on to recommending DoT, which would suffer from the exact same (non-)issue, but also actually gets to the actual problem with DoH, which is that the HTTP part has no business being there and increases complexity, which I as a former DNS resolver implementor wholeheartedly agree with!
Why discredit the whole post by adding an irrelevant tl;dr?
tester756 · 5h ago
wtf is this?
>Is there an alternative way?
What about just using different provider that you trust?
What if I trust Cloudflare more than I do trust my ISP?
theamk · 1h ago
Not a very coherent article.
.. is author's problem privacy or security?
If it's privacy, why offer DNS-over-TLS as an alternative? It has exactly the same privacy properties.
If it's security, then tl/dr and first section makes no sense.
jchw · 2h ago
This is a very strange article.
DoH using HTTPS for example is a reasonable choice; it blends the DNS traffic in with HTTPS traffic, not requiring network operators to open a new port and, in fact, making it harder for network operators to stop you from being able to use it. If you are not on a hostile network then there's not much of a practical advantage of picking DoH or DoT, but the reasoning for why DoH made this choice is not unreasonable. And HTTP may be more complicated than DNS, but neither of them are really close to the complexity of TLS, and any OS is going to need at least one good implementation of both if it plans on existing on the Internet, so I'm really not sure why this seems like a good place to draw the line.
Secondly, okay sure, don't trust Cloudflare... But, on the other hand, why is it better to send your DNS requests unencrypted? i.e. why would you disable DoH entirely? One party peeping is still less than an arbitrarily large number? In practice there is an extremely good chance that even if Cloudflare acted in a maximally malicious manner, having them as your DNS provider is the least scary implication. They already have untold amounts of information about you from the fact that they're a middle man terminating TLS for a lot of the websites you visit. And while it would be nice to have private DNS that is hardened against Cloudflare or the U.S. government spying on you, this is kind of at odds with having DNS be low latency, accurate and reliable.
I think a lot of actual dislike of DoH comes from people who believe that network operators should be the ultimate controllers of their domain, but in the future we actually got most people don't even control the WiFi in their home to any meaningful extent. As much as it's hard to trust Google or Cloudflare, since you know they have bad incentives to circumnavigate the will of the user and network operators, they are in the unfortunate situation of "having a good point" with regards to DoH. I ultimately never liked Firefox's decision to roll out DoH by just automatically sending DNS requests to Cloudflare using a trust-me-bro promise; oddly enough, Chrome did a more reasonable approach, trying to use whatever your configured DNS server is, but automatically upgrading it to DoH if it was a resolver that had a known DoH endpoint.
Granted, I believe Google Chromecast devices also will attempt to use DoH to get around a Pi Hole, so obviously I'm not trying to give any undue credit here. You still can't really trust Google or Cloudflare on the whole. But, being wrong about some things doesn't mean you're also wrong about other things, and the points made in favor of DoH still do stand, especially when it is configured explicitly by the end user. (P.S.: and it's silly to really dwell on this point too much anyways. If you had a truly malicious party, they could simply not use any kind of DNS to resolve names at all, in an effort to make their traffic harder to block. Using DoH is still less obscure.)
The bottom line is though, it's not clear if you can really trust your own ISP anymore than Cloudflare, especially depending on where you live. Ultimately, it's not hard to see why Firefox made this choice.
Also shoving every protocol under the sun into HTTPS just feels wrong. I get why it's happening (too many middleware boxes and ISPs think internet == web). But shouldn't we fix the ISPs and middleware instead of endlessly working around it?
Of course, Cloudflare (if page uses them) and Google (if you are not blocking their remote fonts & js) also already have this information, so there's that.
Because a lot of sites are behind a CDN that makes such guessing infeasible, and can use ECH to block the SNI leak. And since your ISP knows your real identity and other personal info like physical address, it's better privacy-wise for them not to be the ones who know exactly which sites your IP is visiting.
It'd be great for the horrible ISPs and middleboxes to change, but that's not realistic, and working around it by wrapping everything in HTTPS is realistic.
HTTP is a blunt hammer and computing sometimes needs a scalpel. Lighter, more efficient protocols are important, as QUIC and WireGuard have proven.
Would video streaming sites (Youtube, Vimeo, etc) ever have gotten off the ground if they had to go to IANA to get a port number assigned, then wait for browsers to support the new protocol that runs over the new port, etc? Probably not to be honest. Or maybe browsers would just let JavaScript connect to any port, which would be terrifying from a security standpoint.
I'm firmly convinced that shoving everything into HTTP/HTTPS was a mistake. But I'm also willing to acknowledge that it's probably the least-worst solution to a bunch of problems.
But the HTTP part of HTTPS is invisible to middleboxes. They see an opaque TLS stream.
Some middleboxes inspect the TLS session setup (e.g., SNI sniffing) and in some corporate environments they even decrypt the traffic (this relies on the endpoints having a root certificate installed that allows this functionality, which is something you'd see in a corporate environment).
The problem is that with DoH the applications themselves have their own resolver built in that doesn't respect the system defaults.
But I doubt that a smart TV that does this would get called out, and even if they were the response would likely be "Oh, that model is three months old and we don't do firmware updates, sorry."
This is surprisingly easy to beat using very funny methods, like splitting the request in the middle of SNI, or sending a request with a low TTL to an unblocked website first which gets dropped then repeating it to the correct SNI.
There are more methods all of which I find very funny for some reason. You can use GoodbyeDPI on Windows and zapret on Linux.
And abusing https is for a good reasons. Blocking ports 53 and 853 is easy and many ISPs will do that.
The author also make it feel like the only option is to use cloudflare DoH on Firefox while that's the first option, there is also nextdns and custom field. There are many providers I would trust more like quad9 and Mullvad DoH.
I think the reasons why not to use DoH is the same for why not using public dns from providers you don't trust anyway.
Most of the people are happily using 8.8.8.8 and handing all their dns information to the biggest advertisement company in the world. Or wosre, using their ISP provided DNS.
In fairness, the date on the post is 2018 - when Firefox first launched this, Cloudflare was the only option
You'd of course be trusting Tor nodes for your DNS at that point, as I believe the network pulls records from exit nodes' resolvers, but you sidestep the quandary of deciding who you trust to directly make requests to.
You can also have multiple resolvers in the same daemon that use their own circuits, reducing the chances of receiving forged DNS records from potentially malicious exit nodes.
Similarly, DoH and DoT work over Tor.
You don't have to use it at a system level, just point your DNS clients at the daemon.
With modern recursive DNS, you don't leak much to the root servers, just the tld you're trying to resolve. And you can axfr the root zone and then the root servers only know you're a resolver. The TLD servers know a lot, by necessity, though.
Why mentioning DNS-over-TLS if you are against DNS-over-HTTPS? They have all the same "downside".
What's wrong with one less peeper (your ISP)? You _have_ to use a DNS server unless you use something fancy like dnsmasq to round-robin between multiple DNS servers (but your ISP can still see everything)
Besides, you can run your own DoH server with ease, you don't have to use Cloudflare's.
If the goal is to reduce centralization, a better approach would be to use encrypted DNS (DoH or DoT) with resolver rotation or randomization. That way, users retain privacy from local networks and ISPs without concentrating all DNS traffic in a single provider’s hands.
You’ll only be vulnerable to a MitM attack if your system’s resolver is insecure and also vulnerable to a MitM attack.
> Cloudflare gets all your DNS queries.
That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.
> Complexity is the enemy of security.
That's true, but that's no reason to go from an imperfect solution to a nonsolution.
> there is DNS over TLS
That doesn't solve most of the issues that the author brought up.
> How does a modern company in the IT business earn money? By selling data.
Maybe I'm naive, but I thought they made money by using all the data they collect for better threat prevention, and from their paid services.
Cloudflare, on the other hand is based in a foreign jurisdiction that offers none of these protections.
It really depends on which jurisdiction are you in, unfortunately. US ISPs are selling everything they can hover (including DNS information) to advertisers, and it is impossible to switch to another one unless you're lucky (because the monopoly is essentially maintained).
Many ISPs explicitly sell DNS data, and are also advertising vendors.
Cloudflare, on the other hand, doesn’t share or sell data and retains minimal data: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...
So does UDP based DNS, and TLS based DNS. It’s all the same in that regard.
So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.
* Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.
Even if you use a VPN?
They know your government id when you subscribe to their service.
CloudFlare, otoh, never have your identity. They only have the metadata
Based on what?
The bar is real low, mostly for the fact that ISPs are mandated by law in most if not all countries to track traffic flowing through their pipes.
Cloudflare provides relatively better privacy guarantees for the public DNS resolvers it runs: https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare...
CF issues are dealt with “hope to get a post on HN trending”.
You're next argument might be "but how do you know the server is really using ODNS?" You don't. If your security threat profile doesn't allow for this, whatever you're doing shouldn't be using a public internet network anyway.
If you live in a rural area where people are co-operative, there might be a community owned fibre operator plus Opeanreach, otherwise just Openreach.
If you live somewhere very silly, like up a mountain or on your own island, your only practical option will be paying Openreach to do the work.
Edited to add, Notably: Only Openreach is usable by an arbitrary service provider. So if you want to pick your service provider separately, the actual last mile delivery will always be Openreach. And if they're small it won't just be last mile, Openreach also sell backhaul to get your data from some distant city to the place where the ISP's hardware is, you're buying only the, like, actual service. Which is important - mine means no censorship, excellent live support and competent people running everything, but the copper under the ground is not something they're responsible for (though they are better than most at kicking Openreach when it needs kicking)
In the UK there are even aggregators like Fibre Café [1] that makes it easier for ISP's to connect through multiple networks.
[1] https://fibrecafe.co.uk/
This is textbook politician's fallacy. Yes, it may be preferable to continue with a "non-solution" if the solution proposed is stupid enough.
DoH does solve a problem for many people. Many large ISPs will sell your DNS requests, use them for targeted advertising, tamper with responses for various reasons, etc., and so DoH is an improvement over the status quo--not for everyone, but for many users, and I'd guess most users.
You're right, DoH might not be worth adopting if it were "stupid enough", but... it's not stupid enough.
We must do something. This is something. Therefore, we must do this.
In some situations, DoT is fine. In others, it won't work, but DoH will.
If we're getting into the technical part of the discussion though, I personally don't think DoH or DoT are great protocols for DNS. Security is fine, but it's a lot of overhead for relatively small requests where latency matters. I wish DNScrypt had gained more traction as an encrypted protocol designed specifically for DNS.
Agree with the general claim that anything "S" could be a power grab by a single peeper. Google pushing HTTPS in Chrome comes to mind.
>DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries.
How is this a lie? It does protect your queries from MitM. I doubt anyone ever said anything about protecting from everyone - either you keep a synced copy of the entire DNS database (or its part) locally, or send your query to someone else's computer. How else do you expect it to work?
>Refuse to use it today
"Refuse"? Why???
>Is there an alternative way? Yes, there is. It is called DNS over TLS
How does this eliminate the single peeper? You're still sending your query to someone else's computer. DoT encrypts, so it must be a good thing, right?
At the end of the day, if your problem is you don't trust the DNS provider to also be snooping, no flavor of encrypted DNS will solve it. Whoever lands the DNS query will be able to snoop whether it's TLS or DoH
https://ietf-wg-ohai.github.io/oblivious-http/draft-ietf-oha...
Some of the websites just don't open without DoH.
The advantages of self-hosting recursive servers include complete configurability, absence of censorship, tracking, and rate limits. However, like any self-hosting solution, it requires an investment of time and money. It's also important to note that DNS lacks an authentication layer, so for access restrictions, it should be placed within a private network or VPN.
The issue of pre-configured DNS over HTTPS (DoH) in many browsers and mobile devices can be addressed through firewall rules on your router.
For creating your own DNS infrastructure, I recommend dnsdist if you have ample time, though bind and unbound are also viable options.
For the past three years, I have been running dnsdist with recursive servers on two ARM VPS instances, costing around 14 EUR per month. This setup provides me with DNS over TLS (DoT), DoH, and other features. I use them with unbound (TLS) or dnsproxy and dnscrypt-proxy across routers, servers, and other machines. For mobile devices, I utilize DoH directly.
Previously, I used bind in recursive mode without any encryption beyond SSH tunneling or VPN.
Alternatively, I can recommend ffmuc as a DNS provider.
[0]: https://en.wikipedia.org/wiki/DNS_spoofing#Cache_poisoning_a...
You can't run a public service without reflecting something, but you can endeavour to make the reflection ratio small.
Due to recent browser problems I was giving Brave a shot. It's an interesting browser, but it has DoH enabled in a way that seemingly cannot be entirely disabled. It can be frustrating to not be able to interact with a lot of services because the browser is disregarding my local policy on my system.
https://adguard-dns.io/en/welcome.html
Run hyperlocal root, run your own dns.
His "don't move off 22 for ssh" is also just opinion. He argues "you will be found" but misses the experience of those of us running on shifted ssh is continuously validated by the visibly lower level of probes we see. He offers no mathematical analysis of how quickly a port knock sequence will be uncovered, and again dismisses it as infeasible and useless.
I've got nothing against strongly held opinions and these are his. But, form your own opinions too.
Worse than that, that post misunderstands it's own statement:
"Sure, you will see fewer attacks than before, but most of the attackers are no longer just stupid bots"
That's a *good* thing, because the move has reduced the signal to noise ratio. By getting rid of most of the crufty noise of the internet, you now know that anything hitting your logs now is more likely to be an actual threat than the poorly automated dictionary attack bots.
Moving SSH to a different port doesn't make the system much more secure (and definitely shouldn't be the only thing you do), but it does generally enable you to be more responsive.
I sometimes think of putting my private servers on completely random IP addresses drawn from /64 IPv6 ranges. It should be near-impossible to find those by address scanning, unless I'm overlooking something dumb. Am I? It wouldn't surprise me.
For example suppose you put my-private-server.vanity-domain.example in DNS with an AAAA pointing to your private server - "passive DNS" service means big DNS providers will sell the answers they saw when anybody (say, yourself, on somebody else's computer) asks AAAA? my-private-server.vanity-domain.example. They don't reveal who asked, so this isn't personal information, but they do reveal what the question was and its answer.
A long time ago we used this to build target portfolios, if we're going to sell your company our product X, this is way we can see that you already have products A, B and C, but not D, E or F so we look a bit smarter coming into the sale.
Come to think of it, I could have a private DNS too. I haven't bothered with that.
Also, does anyone know what's the safest option? And how to configure it for all our home devices?
[1] https://github.com/semihalev/sdns
I think the ideal solution would be if the root servers adopted encryption of some sort. But I can see why they're somewhat reluctant to do that, especially with relatively heavy protocols (compared to DNS) like DoH or DoT.
Edit: With the existence of QNAME minimization, I guess I should say that the requests to the root servers or authoritative DNS servers are unencrypted. This does at least spread out the risk a little, since other than your ISP there's probably some variation in who is actually between you and the various servers you're making requests to.
Article is a bunch of strong opinion with nothing to back them.
because then we could use DoH for hiding our DNS requests..
DoH requests go to /dns-query so you only need that path to proxy onto your DoH handler.
Some DoH clients will also allow you to specify a custom path, so you can also obfuscate the path by configuring client and server to use /foobar instead.
But, re-using an existing site does come at the cost of generating a bunch of extra log noise (fine if it's just you, not so fine if it isn't). If you don't have some kind of auth in place, you might also find that you suddenly come under a lot of load (when I ran a public DoH service, I eventually started getting a lot of traffic from users in an authoritarian country)
Why discredit the whole post by adding an irrelevant tl;dr?
>Is there an alternative way?
What about just using different provider that you trust?
What if I trust Cloudflare more than I do trust my ISP?
If it's privacy, why offer DNS-over-TLS as an alternative? It has exactly the same privacy properties.
If it's security, then tl/dr and first section makes no sense.
DoH using HTTPS for example is a reasonable choice; it blends the DNS traffic in with HTTPS traffic, not requiring network operators to open a new port and, in fact, making it harder for network operators to stop you from being able to use it. If you are not on a hostile network then there's not much of a practical advantage of picking DoH or DoT, but the reasoning for why DoH made this choice is not unreasonable. And HTTP may be more complicated than DNS, but neither of them are really close to the complexity of TLS, and any OS is going to need at least one good implementation of both if it plans on existing on the Internet, so I'm really not sure why this seems like a good place to draw the line.
Secondly, okay sure, don't trust Cloudflare... But, on the other hand, why is it better to send your DNS requests unencrypted? i.e. why would you disable DoH entirely? One party peeping is still less than an arbitrarily large number? In practice there is an extremely good chance that even if Cloudflare acted in a maximally malicious manner, having them as your DNS provider is the least scary implication. They already have untold amounts of information about you from the fact that they're a middle man terminating TLS for a lot of the websites you visit. And while it would be nice to have private DNS that is hardened against Cloudflare or the U.S. government spying on you, this is kind of at odds with having DNS be low latency, accurate and reliable.
I think a lot of actual dislike of DoH comes from people who believe that network operators should be the ultimate controllers of their domain, but in the future we actually got most people don't even control the WiFi in their home to any meaningful extent. As much as it's hard to trust Google or Cloudflare, since you know they have bad incentives to circumnavigate the will of the user and network operators, they are in the unfortunate situation of "having a good point" with regards to DoH. I ultimately never liked Firefox's decision to roll out DoH by just automatically sending DNS requests to Cloudflare using a trust-me-bro promise; oddly enough, Chrome did a more reasonable approach, trying to use whatever your configured DNS server is, but automatically upgrading it to DoH if it was a resolver that had a known DoH endpoint.
Granted, I believe Google Chromecast devices also will attempt to use DoH to get around a Pi Hole, so obviously I'm not trying to give any undue credit here. You still can't really trust Google or Cloudflare on the whole. But, being wrong about some things doesn't mean you're also wrong about other things, and the points made in favor of DoH still do stand, especially when it is configured explicitly by the end user. (P.S.: and it's silly to really dwell on this point too much anyways. If you had a truly malicious party, they could simply not use any kind of DNS to resolve names at all, in an effort to make their traffic harder to block. Using DoH is still less obscure.)
The bottom line is though, it's not clear if you can really trust your own ISP anymore than Cloudflare, especially depending on where you live. Ultimately, it's not hard to see why Firefox made this choice.