DNS over HTTPS (RFC 8484), Pros, Cons, Benefits and Unforeseen Consequences

Networking Networking Software
, ,
1

A primer on DNS over HTTPS

You are probably familiar with the term, but do you understand the technology and how it works? Let’s have a chat. This discussion thread’s purpose is not to scare you. The intent is that we all become more well-informed. Sunshine is the best disinfectant. You’re probably wondering what made me decide it was time for a forum post. Tim Holus and I were having a discussion. Here is a link to where we left off. DOH and it's effectiveness against ISPs - #20 by TimHolus . @TimHolus I felt my reply required a dedicated post. He is correct in regards to DoH being here to stay. However, I’m afraid I have to disagree with his take on it being an essential technology for the future. Many people reading this will probably not have been alive during the earlier days of the Internet. That is a history lesson for another day. Please do watch the youtube videos in the sources area at the bottom if you want the same point delivered by infinitely smarter people than I am.

The forum will attract younger people at some point. We must educate them as we got educated in technology while younger. DoH presents some problems for anyone who runs a managed private network. What DoH has done is encapsulate all of your DNS traffic into HTTPS on port 443, effectively encrypting it and removing it from your view to manage and deal with. Years ago, in 2013, a series of disclosures made the general public aware of how the world works. On path actors have not been good stewards. People understandably could have reacted better to what nation-states were doing; however, I digress. Thus, the motivation to protect the individual or user was born. Openness has been one of the defining characteristics of the Internet for as long as it has existed. It is paramount we continue to preserve this. Most requests for HTML pages and associated content are in plain text. The responses are returned similarly, even though HTTPS has existed since the 90s. Still, sometimes there’s a need for security and privacy. While internet traffic encryption has become more widespread for online banking and shopping, the privacy-preserving aspect of many internet protocols hasn’t kept pace.

In particular, when you look up a website’s IP address by hostname, the DNS request is almost always transmitted in plain text, allowing all the computers and ISPs along the way to determine what website you were browsing, even if you use HTTPS once the connection is made. The idea of encrypting DNS requests isn’t exactly new, with the first attempts starting in the early 00s, in the form of DNSCrypt, DNS over TLS (DoT), and others. Mozilla, Google, and a few other large internet companies are pushing a new method to encrypt DNS requests: DNS over HTTPS (DoH). Cloudflare, in particular, is quite insidious. The former companies do not have address agility on their DoH resolvers, but Cloudflare does. They make precisely ZERO promises to allow their service to be blocked. DoH encrypts the DNS request and serves it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS. DoH is unblockable by design, as shortly after DoT came into existence, the IETF decided it wasn’t enough. ALL user traffic needed to be unblockable. Encrypted SNI is only going to make this worse. ECH will cause this to become ungodly difficult to block using traditional endpoint security methods. This is a double-edged sword. While it protects the DNS request itself, just as DNSCrypt or DoT do, it also makes it impossible for the folks in charge of security at large firms or any operator responsible for the management and use of their network under law to monitor DNS spoofing, and its moves the responsibility for a critical networking function from the operating system into an application. Worse yet, they want to avoid TCP, and the designers have a legitimate argument. TCP congestion control is atrociously outdated and unmaintained in OS kernels today. UDP allows them to do their own. People don’t understand or willfully ignore that UDP doesn’t need to ask the kernel to make a connection. An application can open a connection of its own accord. The application does not need to provide a valid destination. The reality is that an effective way to block this behavior is to ban UDP traffic on your network. I hate to agree with China here, but you must tell me your destination before I open the gates. If I do not want you going to this destination, you will not go. This has a lot of implications, but it’s a lot to unpack, and I will if asked. All these application platforms, including IoT, are the new way for companies to print money at their behest. DoH also doesn’t do anything to hide the website’s IP address that you just looked up. You still visit that page, after all, and with some traffic analysis, you can know that the prior request was DNS. What is sad is that some parents want to filter what their kids see on the world wide web. All of these techniques make parental controls incredibly easy to bypass. In my view, this violates parental consent and network consent simultaneously. This is not a “think of the children” argument. A legitimate case exists for a parent controlling what their kid may or may not visit. That is a parental responsibility, and in the same way, it extends the argument of the network operator’s responsibility to maintain the safety of his network and users.

In comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment, Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing. We can get around this by hosting our own, but it is not a solid solution. We can get to that later.

Here is a primer on it from Cloudflare. At least they are honest enough to recognize the issues it poses. DNS Encryption Explained

DNS as an RFC

The first DNS server (Berkeley Internet Name Domain Server, or BIND) was written in 1984 by a group of UC Berkeley students based on RFC 882 and RFC 883. By 1987 the DNS standard had been revised several times, resulting in RFC 1034 and RFC 1035, which have remained unchanged. Here is a LINK to my bind thread if you want to know more.

Before we get around to encrypting DNS requests, it’s essential to be sure that the DNS server we’re talking to can be trusted. The need for this became apparent during the 1990s, culminating in the first workable DNS Security Extensions (DNSSEC) standard (RFC 2353) and the revised RFC 4033 (DNSSEC-bis). DNSSEC works by signing the DNS lookup records with public-key cryptography. The authenticity of a DNS record can thus be verified by the public keys for the DNS root zone, which is the trusted third party in this scenario. Domain owners generate their keys, which are signed by the zone operator and added to the DNS. While DNSSEC allows one to be relatively confident that the responses one gets from the DNS resolver are genuine, it does require DNSSEC to be enabled in one’s OS. Unfortunately, few OSes implement a DNS service that is more than just ‘DNSSEC-aware,’ meaning they do not validate the DNS responses. This means that today one cannot be sure that the DNS responses one receives are genuine. This is a fundamental problem, as DNSSEC is a better solution to the trust issue than any other current solution.

Consequences to Network Operators

These network operators are possibly corporate environments that rely on plaintext DNS inspection to enforce policies, or they are yourself running your network at home. You may care about privacy and network consent and do not want devices talking to specific destinations. DoH through this all out the window in the name of “protecting the user.” They designed something for the user without actually understanding who the user was. If devices fall back to plaintext DNS if DoH/DoT is unavailable, the network administrators could block port 853 with little risk because it is only used by DoT.

On the other hand, if they block port 443, then all HTTPS websites will become unavailable. Similarly, if they see an influx of DoT traffic, it could indicate an anomaly. Suppose some similar traffic spikes occur with DoH. In that case, it might not be possible to distinguish HTTPS from DoH traffic directly. DoH and DoT are comparable on a protocol level; DNS messages are encrypted in both cases. See also my Cloudflare blog post explaining DNS encryption, where I describe the technical protocol details, deployment choices, and different expectations from individuals and organizations.

The operating system has historically accepted whatever the local network advertised DNS resolver via DHCP. The corporate network administrator, the ISP, or your own recursive resolver typically configures this. They expect to be able to provide services such as malware blocking, parental filtering, blocking illegal content, and in some cases, query data logging.

DoH and DoT are great in protecting the privacy and integrity of DNS queries in untrusted environments such as airport Wi-Fi or even snooping/interference from the local government in some ways. Hiding from a nation-state is hard; DoH will not help you here. A nation-state has unlimited time and resources. You do not so stop being naive about your approach to combatting surveillance. However, since it was an emerging technology, not all existing DNS resolvers have support for it.

That put early adopters such as Mozilla in a difficult position. Should they abandon the idea of improving privacy or select a DNS resolver who supports DoH with a firm privacy policy? They ended up with the latter, which meant that the default DNS resolver provided by the operating system was initially ignored. This is probably the reason for the negative pushback against DoH from ISPs and governments. This is also my reason for pushback. No software, program, or application should have the right to bypass what I have defined as the legal boundaries of my network. The current threat model is that any device can have a DoH resolver, particularly with oDoH, to bypass your systems entirely. You aren’t going to block port 443 generically, are you? If the DoH resolver doesn’t go to a URL but rather an IP directly, then blocking it becomes much more difficult as most nefarious IPs have address agility.

Hiding these addresses in a simple TXT record provided by Cloudflare that you entered into the DNS system maliciously is relatively easy. It’s trivial, and that’s how C2 servers work. So now we have a non-respecting, global, and potentially viral internet. Organizations need to start evaluating the risk associated with the DoH protocol because attackers have already begun using DoH to look up command-and-control (C2) servers. The best-known example of DoH as a C2 mechanism came in April 2019 with the Godlua backdoor (360 Netlab, 2019). A newer variant of the Godlua backdoor runs on Linux and Windows. It uses a DoH request to grab a part of its C2 information.

Another way an attacker could use DoH in an attack is to trigger a redirected webpage as part of a spam campaign. Researchers at MyOnlineSecurity (2019) found a sample where an email attachment had a Base64 encoded string that would query Google DoH for a TXT record. The TXT record would have a JavaScript redirect to a spam webpage whose address is often changed.

Numerous DoH C2 proofs-of-concept are publicly available, meaning that the threat of malicious actors using DoH will likely increase rapidly. It gets worse.

The Internet will become a Single Point of Failure

Let us ensure we are on the same page about the definition of a SPoF and how to extend that definition to what we see. A single point of failure (SPOF) is a potential risk posed by a circuit or system’s design, implementation, or configuration flaw. SPOF refers to one fault or malfunction that can cause an entire system to stop operating. A SPOF in a data center or other IT environment can compromise the availability of workloads or the complete data center, depending on the location and interdependencies involved in the failure.

Mozilla’s answer to the IP tracking problem is that there is no problem because of the Cloud. As more and more websites and content distribution networks (CDNs) get lumped onto a handful of services (Cloudflare, Azure, AWS, etc.), the meaning of that single IP becomes less and less meaningful; you have to trust whichever Cloud service you pick not to steal your data, or go down for a day. The grim reality is that you are now the product again.

There was a massive downtime event on June 24th, 2019, when a configuration mistake at Verizon led to Cloudflare, Amazon, Linode, and many others being unavailable for much of the day. Then on July 2nd of that year, Cloudflare went down for about half an hour, taking down many websites that rely on its services. Coincidentally Microsoft’s Cloud-hosted Office365 also had a multi-hour outage that same day, leaving many of its users stranded and unable to use the service. Meanwhile, on US Labor Day weekend, a power outage at AWS’ US-East-1 data center led to 1 TB of customer data vanishing as the hardware it was stored on went FUBAR. Before adopting this model, some issues must be ironed out with this ‘centralizing the internet is good’ message. I’m afraid I have to disagree with this model entirely. We have other significant examples, but you get the point. Additionally, I talked about threat vectors and models earlier. Guess what? If an attacker can gain control of AWS infrastructure, they could do significant damage. That’s likely much harder than penetrating individual companies because AWS is very good at running a secure shop. Still, of course, it’s not impossible. That possibility should fundamentally not sit well with you. There are real but imponderable risks to a couple of companies controlling so much of the Internet.

This is a FLAWED design. It doesn’t work. We can continue to band-aid it or attempt to go in a different direction.

We don’t need DoH. We have VPNs

It’s in many ways astounding that in this whole discussion about privacy and tracking, there’s no mention of Virtual Private Networks (VPN). These solve the issues of encrypting your data and DNS queries, hiding your IP address, and so much more by simply moving the point where your PC or other internet-enabled devices ‘exists’ on the Internet. Most people will probably agree that the basic tenets of a VPN are a good thing. I fundamentally believe that internet privacy is more than just a good thing. It’s paramount to the success of the online world. Many people delay getting a VPN, considering it inessential or, worse, unnecessary. They shouldn’t. They make complex solutions like DoH but don’t consider the OG method of protecting your traffic. A good way of illustrating the necessity of a VPN is to show how exposed you are when your internet connection is not encrypted. Dissidents in authoritarian regimes have very commonly used VPNs for decades to get around internet censorship and, along with specialized forms such as the Tor network, are a crucial element in online freedom. You might think that HTTPS does the job, but it’s ok. For the uninitiated, HTTPS secures information communicated between a person’s web browser and a website. The lock in the browser address bar indicates it. At the same time, this provides added security while web browsing. Your data will still be vulnerable, mainly if you use public Wi-Fi. It’s a bit like closing your front door but failing to lock it. Sure, it’s better than keeping your front door open, but security could be tighter.

Whether you’re connected to the Internet in public or at home, without a VPN, you are exposed to a myriad of vulnerabilities. When browsing at home, your ISP can see everything you do and is probably logging it. Places with public Wi-Fi hotspots, such as coffee spots and airports, are vulnerable to hackers who can easily set up fake but convincing hotspots.

On the other hand, when you use a VPN, your data is not exposed. The origin of your data will be your VPN server. By using a VPN, your online actions will not be tracked and logged by ISPs and malicious on-path actors, nor will sensitive information be taken. Even if data is intercepted, it is encrypted, so it looks nonsense to anyone without a decryption key.

If you can trust a giant corp to run your DoH server, why can’t you reasonably find a trustworthy VPN provider? Why is this lost on people? It is an entirely valid statement that DoH honors its acronym by poorly doing what DoT already does. More focus should be on implementing DNSSEC everywhere, along with DoT (name server to name server) and QNAME minimization. Suppose true privacy by dodging tracking is your goal. In that case, you should look at VPNs, especially if you’re a dissident trapped in some authoritarian regime. The naive view of internet activists is that they believe if they drive the cost and means to be authoritarian that the nation-state will stop doing so. My lizard brain says no. The nation-states have more resources than the collective might of the first-world open-source community could dream of. You are merely contributing to them becoming more authoritarian. Stop and think about what you are doing. Mailing lists move so fast on RFCs that it becomes inevitable that your voice is left out. You have to declare email bankruptcy. Sadly what makes this worse is your opinion only matters before, not afterward.

Mitigating the new risks posed by DOH

(Reserved for an update later). I want to update this thread at some point with how to start to combat the dangers DoH poses to a network operator’s security. Still, I do not know enough about mitigating it yet save using an SSL proxy. It disgusts me that I need to decrypt SSL to do this. Let’s talk about free and open-source solutions below on how to do that. Let’s make some guides to combat DoH. DoH is acceptable for people, but knowing what it can do is also essential. You are responsible for the safety and integrity of those on your network. Ultimately we may have to return to the honor system in some form. You respect the rules of my network, and you may use it. You break those rules, and you are excommunicated, so to speak.

Conclusion

You are in a fight, but you don’t realize it. Before we were born, aircraft were made and bypassed the traditional laws of land and sea. There was a race to control the air. We are now in the information age, and there is a race to control the most information and encryption of that information. Large corporations have recognized that having information superiority even over that of nation states is a significant advantage in this paradigm, and they will continue to seek it out. Their IOT platforms will gather data on you and make money off of it. Their AI models will map your mind over time. You are merely a money printer to them, and if you do not want this to happen, we should do something about it. It is not going to be easy. It may not even be simple. To paraphrase and rip off JFK, We do these things not because they are easy but because they are hard; because that goal will serve to organize and measure the best of our energies and skills because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one we intend to win, and the others, too. The first and primary way we do that is by questioning how our inventions can be misused. It would help if people were more open to a decentralized open internet. An internet and tech world where we can milk the good for the good. A web of trust of sorts where companies can innovate but we can out the braked on technological misuse. It seems the sentiment is dying. Perhaps I will become a relic like it will be if we continue down these paths. DNS over HTTPS is fundamentally flawed in that it was designed to protect the user without real regard for who the user was. We must learn to live with that now. Do with this as you may. Discussion below is welcome.

P.S Paul Vixie’s views align quite closely with my own. Dude’s an actual hero

Sources:

DNS over HTTPS - Wikipedia
What is DNS over HTTPS? Definition, Implementation, Benefits, and More
DNS over HTTPS · Cloudflare 1.1.1.1 docs
What DNS over HTTPS Is and How to enable It in Windows 10
https://www.cloudflare.com/learning/dns/dns-over-tls/
DNS-over-TLS  |  Public DNS  |  Google for Developers
DNS over HTTPS Vs DNS over TLS. DNS queries are sent from the client… | by R. Gupta | Geek Culture | Medium
DNSFilter: DoH Isn’t Better, It’s What Google Likes: DNS-over-TLS
https://www.cloudflare.com/learning/dns/what-is-dns/
What is DNS? – Introduction to DNS - AWS
What Is Domain Name System (DNS)? | Fortinet
What is DNS and how does it work? | Network World

7 Likes
2

Owners of networks are responsible for security of the network, not security of the devices on it.

Owners of devices on the network are responsible for security of the devices, not security of the network they’re on.

In short, install your own cert root on your own devices, and optionally remove any others, and you can MITM your own device traffic as much as you want from outside the device.

If you don’t own the device (can’t install your own cert of them), you don’t get to do that.

3 Likes
3

That is one solution and my current solution I just wish there was a better and easier way. I realize this method is the catch all. Perhaps I should write a guide on breaking SSL?

2 Likes
4

threw*

Sorry to disappoint, but Firefox can be controlled via Group Policy in Windows. One of my previous companies used to do that, in order to deliver our proxy config to all the computers in our network. Port 443 was blocked and you could only go out through our web proxy. It’s not rocket science when you have control over the devices. Through the same GPO, you can tell firefox to disable DoH. Look for Mozilla Policy Templates. Not sure how it can be done for companies with macs and linux pcs, but I’m sure there’s a solution for that.

The pushback came from people who didn’t want to have to do more work to spy on you and from ingoranuses who fell for the propaganda (especially sysadmins who aren’t worth their salt that kept complaining companies couldn’t disable DoH in FF, when they could - when ESR was launched it came with DoH disabling support via GPO and you shouldn’t be running non-ESR in a corporate network; again, admins not worth their salt, hope they got better and more knowledgeable after they found their stupid claims to have been wrong).

That’s not true, otherwise we wouldn’t be paying taxes.

government-prints-money
government-prints-money1024×1019 239 KB

The idea is to treat actors as if they had unlimited time and resources. When going after a single individual, this holds true, but at scale this doesn’t hold water. All resources are limited and at some point, they will start prioritizing analysis of certain traffic over other. Both DoT and DoH help this and I’m tired of this defeatist idea. “If they have unlimited power, just give up, it’s not worth it, you’re gonna lose” basically. It’s demonstrably false.

The ISPs monitor DNS traffic and even take advantage of it for traffic shaping and heavy caching. Some do it for nefarious reasons, like selling data to brokers (despite what the legislation may say, the fines are just the cost of doing business).

Governments and ISPs went against DoH, because instead of just grabbing the DNS packet, now they had to monitor traffic going to certain IPs, find all the connections and do reverse DNS lookups, which is definitely more work. Not to mention that this comes with some heavy disadvantages, especially for the way the internet is currently organized. With so many servers behind cloudflare, a DNS lookup is literally meaningless, because it will point to cloudflare, akamai, aws, linode caching and so on. I dare anyone to try to find who is forum.level1techs.com and do a reverse lookup on the ip.

Now, governments would have to go after cloudflare instead of ISPs. ISPs are already heavily regulated as communication providers (and the definition under what title changes with every administration at this point), but CDNs aren’t as regulated yet, making it difficult to justify going after them. AFAIK, DoT is just basic DNS. You still get the IP of the DNS server via DHCP and on the clearnet, you still get a DNS server from your ISP. Makes no difference if it’s plain DNS or DoT.

ISPs didn’t like this change, because now moz://a can control who the traffic goes to. Normies don’t care about changing the defaults. Both DoT and DoH protect the payload from getting sniffed, but DoT is clearly more prone to abuse by ISPs. Of course, people can just change their DNS, but how many people do that?

ISPs and governments especially didn’t like that with just a program update, every users could be way harder to look into (packet and traffic flow analysis is a more intensive task than the dns packet decapsulation and inspection and they weren’t prepared - and doing it for a huge % of the population is going to require a lot of hardware upgrades and infrastructure planning, which can’t be done overnight).

DoH came to FF in February 2020. DoH and DoT came in iOS 14 in September 2020 (likely influenced by Mozilla, correct me if I’m wrong). DoT came to Android in 2018, but without the fanfare. Nobody cared about DoT, because it wasn’t going to change things, the main DNS would still be plain text, served to everyone by DHCP.

What makes this impossible to do with DoT? Or even plain DNS for that matter, other than maybe blocking TXT queries altogether from internal clients (which would break some stuff)? I highly doubt anyone here DNS blocks malware of unknown origin (you probably block known malware domain names, but how can you block an unknown domain name that serves malware - except with a whitelist only DNS, which I thought of doing at some point).

I also don’t like the centralization of the internet. Bigtech pages being the most accessed things on the internet, mail oligopoly and anti-competitive practices like not receiving or delivering mail from self-hosted servers, DNS centralization, heck, I abhor that to acquire a domain name, there’s a chance you might get asked for an ID if your hosting providers “believes you’re doing something wrong” (even if they have no proof). Then either show ID, or be left without your money and domain name. Not to mention that you can’t own a domain and your domain can be seized at any time.

Personally, I’d like more things to get ported to darkwebs like tor and i2p (especially the later). Maybe I should be the change I want to see in the world. The clearweb is just too prone to abuse. Just the fact that you can be identified by your traffic origin is insane to me. There’s always trust in the middle. The ISP you use, the VPN you use, the websites you visit (not to mention fingerprinting).

Darkwebs decentralize the web, especially i2p, where the traffic is randomly routed through other users routers, making your point of origin completely irrelevant (because so many others could be coming from there). And you don’t have to suffer from things like not owning your website’s address (because of DHT, which nobody is in control of).

As for DoT, I find that there are just too few players serving it, them being 800lbs gorillas like cloudflare and google. But the solution isn’t to have less of DoH, but more. We need more people to host DoH. And projects like DoHoT (DNS-over-HTTPS-over-TOR) are certainly intriguing. It’s like the missing link for tor users (as tor doesn’t support udp, thus can’t use dns over tor - correct me if I’m wrong), so now all traffic will be routed through tor, except some bootstrapper dns queries for your local resolver.

If you use tor to access the clearweb, then as long as you block all other outgoing traffic, you can’t be linked to a source of origin (which is what tor is supposed to be, but clearweb dns queries and website access times can be correlated to a tor access of a website).

As far as parental control is involved, parents should be monitoring their kids online and should be the ones in control of their devices. I personally find that authoritarianism breeds more authoritarianism (how many times have you heard the expression that “I’ve been spanked as a kid and I’ve become a respectable person” cliche? It’s wrong to spank your kids). Parents should form trusting relationships with their kids, so when kids visit some nefarious website, they ask their parents for advice. They should be reporting when a stranger sends them a friend request, or if they manage to find a dirty website, parents should explain what that is and tell them what is wrong and what is not, what is permitted and what is not.

“It’s embarrassing to explain” is not a valid excuse to avoid parenting. And “I don’t want my kid to be exposed to this,” IMO, is not going to prepare your kid for when they will actually be exposed to that - parents need to be teachers every time their kids find something new. And if they’re incapable of answering, they should learn together (which I believe is a good way to further strengthen a bond with one’s kids).

For IT infrastructures, the IT people already control the devices, they can do whatever, including changing DoH setting and blocking it from being changed. For home infrastructures, if you don’t control the device, you don’t get to choose. Whenever people connect to my wifi, I tell them the rules clearly: don’t access stuff that could get me in trouble (illegal material or piracy), because I’m not going to cover for you and don’t yourself do illegal activity on my network (and I kick people off my network after they’re done). I don’t enforce it, but I don’t allow people I don’t trust on my network. It is as much as honor system as it gets.

2 Likes
5

Would be great to have a guide around here in wiki form.

There’s some old YouTube videos where someone goes to configure squid to proxy google.com using a self signed cert.

Videos are hard to make and hard to keep up to date.

2 Likes
6

For now but they want to create DoH resolvers that are mandatory strict TRRs and pass it over encrypted UDP packets aka DOQ. So yes for now it is. Later it wont be. The DoH working group desires to make DoH/DoQ completely and entirely unblockable. This drew a negative reaction from apple, tesla, and amazon but a positive reaction from google and cloudflare so your not disappointing me at all. The working group however is. The ultimate goal for them is nobody not even corporations should dictate DNS and I think thats wrong.

Okay go tell the government what to do. Let me know how that works out for you. You might pay taxes but try to stop paying them and see what happens? Legitametly im not being facetious im saying that is a bit of an optimistic view. Perhaps I should amend the statement “unlimited relative to the individual”

Also this is a decent reference to staying anonymous and private being quite difficult on the web from a nation state and this isnt a chide against you im about to make a general statement. I think people are far too overconfident about their privacy techniques

Im not saying give up. I wrote an entire section on a better method which are vpns. DoH helps but only marginally. Really good traffic analysis will uncover what you are doing. Its really not that difficult and I can prove it on my own firewall at home though im not currently home right now to do so.

That is I believe outside the scope of this post but im up for the conversation. Ultimately if our goal is to preserve rhe anonymity of web hosters I doubt DoH helps this. I do love that cloudflare, namecheap and AWS all push privacy quite hard. So does linode. You couldnt whois me from my domain and I appreciate that. Its how it should be but how does DoH aid this? Im unclear?

Its not. What makes it dangerous is DoH can bypass typival methods of securing endpoints at least currently its partially blockable. DOQ as I mentioned prior will make it far more difficult because UDP operates below the kernel level. There is no system call in UDP where an application has to ask the operating system hey connect to this place so I can exchange some information and handshake. Well that goes out the window with HTTP3 and I think dismissing that concern is both dangerous and irresponsible (again people are free to disagree). I regret not expanding on UDP and its mechanisms. I probably should have and I appreciate you pointing this all out to me. See with UDP the mechanism says please transmit this UDP datagram for me and it gets routed on l2/l3 and your kernel doesnt need to know a destination nor does it care or log the event (without special and computational expensive filtering). Also they want ro employ ECH so even if tou tried to view where they are going or what they are about, you couldnt. Now wendell presented an interesting potential solution to this at the firewall level which is offloading all that special ruleset filtering to AMD pensando chips on opnsense via suricata or p4 IDS. I really would like to look into this. It presents the real possibility of blocking this technology, whereby I can force having to tell me a destination before you are let out of my network and if I can do this I absolutely will do this and will promote it and write guides on it and make sure the technology becomes blockable for the layman user. Thats my position and I am sticking to it. Im kind of sad that this a position also shared by russia and china and australia. I treat UDP as a priveledged connection type on my networks and almost no devices habe UDP save a laptop for gaming and even then its hyper specific on the ports. Now I personally hate that nation states want to do that. I share that position in that public networks should be public but I dont share this for my private networks or a corporate network. I have several videos below that discuss this. They arent defeatist but they bring up legitimate concerns worth the listen. You know adblock requires both connection and content analysis. Its difficult to do that against a device that is using DoH instead of plain DNS. You gotta ask yourself who benefits to hurt content filtering. You named two of them which are ISPs and Nation States but you forgot one, Big Tech Corporations. Big tech example. Chromecast REFUSES to listen to the DHCP assignment of DNS. Watch its traffic in snort or in your firewall…its hard coded to ONLY use DoH to 8.8.8.8. You can block it ans then it wont connect to wifi. Ive tried endlessly to fake it out but telling it 8.8.8.8 is really at 10.31.82.1. That doesnt work. Basically the way it now works in the latest firmware update to the devices is if it cant reach its DoH resolver for google DNS it will say you arent on the internet please connect to continue to use chromecast. China isnt worried about this. Its simple for china to stop this. They can force all their citizens who can use the internet to have a mandatory proxy or they get no connection. They are already doing this. All DoH accomplished there my dude is driving everyones costs up (not just chinas). @Novasty and I discussed this last night and were quite displeased equally by it…we are both network operators. The idea that a bunch of internet activists in the IETF are going to defest china here is both laughable and completely unreasonable. It simply doesnt work on a first principles basis. Have you tried to use little snitch on apple these days? It used to be incredibly effective to stop apple devices from phoning home. Now all of that traffic is occurring below the mach and xnu kernels. Cant be stopped by little snitch. The idea that we dont own the traffic exiting our devices is a form of unintentional tyranny. I hope we are hearing each other here.

I do think zero trust is the way forward with how everything is going I just dont know if I trully trust the current implementations of zero trust

Well thats because X509 tbch is a complete dumpster fire.it was my hope that DoT would be supported resolver to resolver and root to root. That didnt happen because we dont know what key to use. We traditionally communicated to DNS via IP and verified it with dnssec but now we need to know the TLS startup credential we should be sending per server. Do you see the limitation here?

Yeah they are. Wendell is making a tailscale video soon ™ but if enough people asked him for a video on this using pensado, the method you described and a ton of l2/l3 ruleset filtering im sure he would make it.

7

It was a bigger picture to view. And I said it wasn’t DoH specific, it also applies to DoT. When DNS traffic is encrypted (and obviously you aren’t using the DoH / DoT server that your ISP provides via DHCP), your ISP will know even less about what site you visit. The point was maintaining privacy.

ISPs can see what sites you visit when you use their DNS (encrypted or not) and when you use someone else’s plaintext DNS. They don’t have to do any additional work than decapsulate the UDP 53 packet and peak into it. You encrypt the DNS packet and use an external resolver (or your own) and your ISP has to do reverse queries on the IP addresses you are connecting to, to find what you’re accessing. Sometimes they might get a hit correlation, like if you’re visiting gnu.org, but with most traffic going to a CDN, their reverse lookup will be useless.

Of course, now your DNS provider will be the one who knows what IP accesses what website, but at least to get an identify associated with it is more of a hassle. If you’re using another service from your provider with a login account, it’s easy (i.e. if you use google dns and you’re also logged in to google, they can easily correlate identity, or at least the pseudonymous identity you provided them). If you’re not (like you’re using cloudflare and you don’t use any of their services, like hosting or DNS config), then they know less about you. And to get a bigger picture, state actors would need to subpoena both your ISP and your DNS provider to see what sites you visit (because the aforementioned CDNs hiding the sites visited behind their reverse proxies).

Definitely more hassle. Not impossible, but you can’t do that for the whole population, or even a large minority of it, unless you turn totalitarian. Then, there’s also hardware limitations, which force you to ignore some traffic analysis and prioritize another.

This results in surveillance state becoming less likely (again, both DoT and DoH help towards this). They’ll still be able to go after individuals, but to just do it for many innocent people at once, they will hit diseconomies of scale.

Where DoH comes into play is that it’s decoupled from your ISP, making normies use it without their knowledge. I understand why ISP provided DNS was a thing in the early days of the internet (to avoid traffic going outside their network, which was costly), but now when DNS traffic is such a small portion of overall traffic, it makes no sense and it gives ISPs more power than they should have over their users. I’m completely against ISP provided DNS servers, encrypted or not, at least as a stop gap before a better internet is conceived, where people can be more private.

Sorry for being ignorant, but how does a malware website or program get prevented from communicating with its C2 if the user is not using DoH / DoQ, but uses a DoT server that is not in your control, say, google DNS (which supports DoT)? Especially because DNS 853 uses UDP as well. How can this malware be prevented from working by not using DoH?

Of course, if you’re the provider of the DNS server and you filter known malicious websites (like via Pi-Hole), then it doesn’t matter what method your user used to query that malware’s C2 A or AAAA record. But even when you are, I don’t see how you can stop malware from accessing a C2 server which you don’t know is a C2 server (because you’re just seeing DNS queries for random domains) - unless, again, you only do whitelist filters, which are hard to manage, but waaaaay more secure. Please enlighten me.

I wish I had more understanding of IDS / IPS systems. Why would the IDS need to know the DNS query to function properly? AFAIK, an IDS will not look at DNS, but mostly HTTP/S traffic and try to look for patterns, like C2 server commands and if it’s an IPS, stop the traffic in place. I’m sure knowing the destination domain will make it easier to identify malware, or at least if it’s an unknown domain that got registered 2 days ago, at least make a reasonable guess that it’s malware and stop it in its tracks.

But I don’t think an IDS necessarily needs to know the server accessed to function properly. I can see how blocking port 53 and 853 to any servers except yours would force your users to make use of your malware filtering DNS server and how DoH is antithetical to that. But a persistent cybercriminal can use alternative methods to DoH. Let’s say you block known DNS sites on port 443 on your firewall.

BANNED_DNS="1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4,9.9.9.9,149.112.112.112,9.9.9.11,149.112.112.11,9.9.9.10,149.112.112.10"
iptables -I FORWARD -d ${BANNED_DNS} -p tcp --dport 443 -j REJECT
iptables -I FORWARD -d ${BANNED_DNS} -p udp --dport 443 -j REJECT

What’s stopping a malicious actor from hosting their own DoH website behind something like cloudflare? Say you get served a google ad (lol) that retrieves some javascript from totallynotshaddy.com. You see the domain query (or rather, pi-hole sees it), but it doesn’t know (yet) that it’s a DNS server on 443, so it allows it. Let’s say the malicious actor is galaxy brained and does some padding on the https packets, to try to fool IDSes (again, lack of knowledge, not sure how an IDS would treat a padded https traffic).

Let’s go deeper. Let’s say it’s not even a standard DoH server, as defined by rfc8484, but it’s just a simple API that queries the C2 domain name via JSON. So it’s not even DoH, but rather a simple coded API in the JS that you’re being served. It then connects to the C2 and awaits its orders. Your DNS server is still completely ignored and your firewall is not using whitelists, but blacklists and is unaware of this particular domain and IP address(es) are being used for malicious purpose, thus allows the traffic.

Without controlling the device that is being used to connect to the C2, you don’t stand much chance of blocking that malware. Of course, you can do better, like disable JS, or maybe not as hardcore, install a browser security extension that functions like a local IDS (or rather more like an AV that blocks what it thinks may be a C2 server, or even what it sees as potentially malware JS - be it an ad or just a malicious website that makes your browser run that JS). With more and more e2ee going on, without control of the device, I don’t think you can limit the access using traditional network appliances, except by using whitelists.

I’m aware. I don’t have a chromecast myself. But this seems contradicting to this:

Chromecast honours DHCP’s DoHoT DNS server, but also tries to use 8.8.8.8

Approximately every 20 seconds my Chromecast attempts to send a request to 8.8.8.8, which my firewall drops and logs. I find this interesting, but it’s not really a DoHoT problem so much as a matter of my choice to block any non-DoHoT DNS requests.

The Chromecast - including upgrades - still works fine, so I am ignoring this matter.

Last commit over 2 years ago, maybe things changed since, but I’m curious.

I think that’s a service lock-in problem and not a DoH problem. I’m sure that without DoH, google would’ve done something similar via the aforementioned JSON API example that a malicious actor would use. Absolutely proprietary.

The same can happen to websites too. They can be made to not display content if you block their connection to their (non-malware) C2 servers. I imagine a time where if you want to use google services and have an adblocker, google will have some code into their platforms that will try to pull the ads back into the browser through other means (like for youtube they could realistically have an API that interrupts the stream of the video and gives you an on-demand ad video stream, then the normal video stream resumes upon that one’s end). I’m sure there’s a way. Maybe that’s what chrome extensions manifest v3 is all about.

Same as with chromecasts, I don’t see how DoH is the problem in itself here. I have no such issue with NoScript on Firefox (and what I like about it is that it’s whitelist by default - not that you can’t enable that with stuff like ublock origin).

I agree. I wouldn’t want a device I buy, say my phone, run a torrent type program to distribute updates to other users, without my consent (MS introduced something like this in w10, albeit I recall it being opt-in - who knows for how long). I don’t care that it’s insignificant traffic for me and it helps you save money by not having a big server, or use tons of bandwidth when delivering updates (especially not when the savings are not translated into cheaper prices). If I don’t want it, I’m gonna block it, or rather, not use your absolutely proprietary malware (yes, I call it malware - so are Apple and Google products).

I meant DoH there, there should be more DoH players, not less, but same for DoT. Again, the problem is that DoT is also not gaining any traction. But I never realized the need for x509 (and it makes sense).

I highly prefer TLS schemes that use TOFU, like SSH and Gemini (where you agree to connect on first time, then you trust that source, as opposed to having certificates and trusted CAs, which are another form of internet centralization). I wonder if there’s anything that can be done for DoT to have a TOFU function.

Unfortunately, my knowledge in certificates is also very limited (I know some terms and some general ideas of how they work, but not too in-depth). But I have a feeling x.509 might be too large to fit in a TXT record, given my limited previous experience with TLS. I wish DNS and the general internet packet size would get larger. Like, it’s dumb you can’t have an rsa-4096 for dkim because of UDP packet size limitation (check 3.3.3). I don’t think there’s any device around the world now that wouldn’t be able to support a MTU of 9000 without having to fragment the packet. It’s ridiculous that the IETF doesn’t want to change the MTU because of a constant decided more than 40 years ago because of slow PLLs. But I digress.

I myself would like to be able to control what goes and what doesn’t go on my network, to some degree. E2ee is antithetical to that, but with things like i2p, I’m full commie on it, because all traffic looks the same and it’s how the network functions. I see DoH as part of e2ee’s future. And I really don’t see how DoH in itself is the devil, when just plain old https and some json apis can achieve the same thing. It’s just that now it’s a standard, making it easy for anyone to use it.

If you have untrusted users on your network that are trying to get around some limitations, they will. Heck, when my own network was malfunctioning and I didn’t know why (turns out wireguard needed a lower MTU to avoid fragmentation and make all websites function properly, some did and some didn’t before that), I’ve used a proxy website that loads the page inside a JS browser, making me bypass all traffic from my machine and seeing the website through another website (think of something like “live wayback machine”). Good luck blocking all the internet web proxies without a whitelist-based blocking.

I’m not particularly super excited about DoH as a technology, I find it pretty boring (most of https stuff is boring), but I’ve yet to see any technical evidence as to why it’s so bad and how you can avoid similar problems with other means that still use https, just not the DoH variety.

Most of the criticism I’ve seen of DoH is that someone else has control over the DNS (mozilla - technically true, but also technically true of many things, yet people don’t realize), that it enables devices in your network from doing nefarious things (that can be done even in absence of doh) and that there’s some hardcoding in certain devices or programs that require a connection to a particular server (which again I see no reason why they wouldn’t stop functioning in absence of doh - for chromecast in particular, I’d see goolag hardcoding 8.8.8.8 in plaintext udp53 and still refuse to work if you block connection to that). How many devices turn into bricks when their C2 server goes offline nowadays (like nest, home and amazon’s alexa)?

There might have been other criticism, but none of them seemed technical justifications against DoH (in itself). My ears are open. Again, the only reason I see DoH as beneficial is adoption. It won’t stop nations like China from banning it in the great firewall of China, but it will stop some free data mining here and there (again, that is not inherent to DoH, but DoH is gaining adoption faster than DoT). China can implement their own DoH server for their citizens, but that won’t stop the spying apparatus, because it’s not meant for that.