Post 9opmrPRMDufEohl8C0 by allo@chaos.social
 (DIR) Post #9opXdaTiaWV4UbrqNs by rugk@social.wiuwiu.de
       2019-11-10T19:47:46Z
       
       0 likes, 2 repeats
       
       Mind-boggling about the security feature #DoH (DNS-over-HTTPS): When #Mozilla enables it in the US (only for now), people cry. Without even knowing the details, sometimes. E.g. this is the consent prompt you get when it is enabled… (https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_opt-out) When #Google just enables #DoT (DNS-over-TLS) on #Android with their own servers and without any notification to the user, even, nobody cares… 🤷 https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
       
 (DIR) Post #9opXdbWEie6nii3Mwq by rugk@social.wiuwiu.de
       2019-11-10T19:50:21Z
       
       0 likes, 0 repeats
       
       Some more thoughts: I very much like their consent prompt there. It balances the clear intent to keep it enabled (as it is a security feature) and the ability to disable it. I've written more details on why I like this here: https://github.com/mritzmann/firefoxvschrome.com/pull/3#issuecomment-552226642
       
 (DIR) Post #9opXdc8WQIjXdRxwci by rugk@social.wiuwiu.de
       2019-11-10T19:53:26Z
       
       0 likes, 0 repeats
       
       Clarification about Google's Android implementation: As far as I could find out, they don't override the default DNS server. Their default setting is to automatically use it if the server supports it. If I understand that correctly… 🤔 (official resources are scarce, again not a good thing)
       
 (DIR) Post #9opXdcfqQPO9InYYYy by rugk@social.wiuwiu.de
       2019-11-10T19:54:37Z
       
       0 likes, 0 repeats
       
       *However*, on mobile connections Google's DNS is always the default on Android and always has been. You see, nobody complained about that… (at least not in the way they look down on Mozilla for introducing a security feature) So your Android DNS queries very likely always went to Google…
       
 (DIR) Post #9opXddLJwCZ7NQxgDA by nerd@social.wiuwiu.de
       2019-11-10T20:26:58Z
       
       0 likes, 0 repeats
       
       @rugk /etc/resolv.conf should be the point. But you're right, most of the users didn't care about this
       
 (DIR) Post #9opXdeLiCETMUw9VSa by rugk@social.wiuwiu.de
       2019-11-10T20:39:23Z
       
       0 likes, 0 repeats
       
       @nerd DNS on Android (without/prior to that DoT that they now have in the settings) is awkward anyway, there is no system /etc/resolv.conf on Android… https://github.com/termux/termux-packages/issues/1174#issuecomment-319794722
       
 (DIR) Post #9opXdfMoPcwledftoW by nerd@social.wiuwiu.de
       2019-11-10T20:44:36Z
       
       0 likes, 0 repeats
       
       @rugk There was! I changed it years ago. Around 5-8 years. Think it was the system/etc/ folder. Dunno actual systems
       
 (DIR) Post #9opXq2FZ9vtA6HBRVQ by nerd@social.wiuwiu.de
       2019-11-10T20:46:57Z
       
       0 likes, 0 repeats
       
       @rugk ok, according to this blog it was 8 years ago. https://butterflydroid.wordpress.com/2011/10/19/how-to-set-dns-server-on-android-phone/
       
 (DIR) Post #9opXr6mpmHiSSZFwWW by allo@chaos.social
       2019-11-10T19:54:24Z
       
       0 likes, 0 repeats
       
       @rugk I think "Disable Protection" is misleading for a feature that has a few good points against it. And "Got it" should be "Enable it". This is kind of a leading question.
       
 (DIR) Post #9opXr79ARFa3ZphmKm by rugk@social.wiuwiu.de
       2019-11-10T19:57:48Z
       
       0 likes, 0 repeats
       
       @allo well… that pro/con thing is the point here. Your opinion seems to be that the cons outweigh the pros. Okay, fine… Mozilla does not seem to be, as you can see. Now that would be a dark pattern if they tried to convince you into enabling a feature to track you or so. However, it is a security feature. It secures your DNS traffic from "potentially infinite adversaries" (anyone on the line), where one such thing is known (likely the ISP in 99%) to "only Cloudflare".
       
 (DIR) Post #9opXr7gURMEfFBIOH2 by allo@chaos.social
       2019-11-10T20:23:41Z
       
       0 likes, 0 repeats
       
       @rugk My opinion is "it depends". Mozilla's opinion seems to be "Please click the primary button that enables it", while they should know that it has pros (privacy, options to use own DoH servers) and cons (e.g. centralization, distrusting Cloudflare, DoH being one proposed solution among others that may be better, etc.).
       
 (DIR) Post #9opXr8FaKsJB01iPya by allo@chaos.social
       2019-11-10T20:26:35Z
       
       0 likes, 0 repeats
       
       @rugk I would, for example, not be sure whether they shouldn't try to implement DoT instead of (or in addition to) DoH.
       
 (DIR) Post #9opXsI2dPyjLeiD5mq by rugk@social.wiuwiu.de
       2019-11-10T20:35:14Z
       
       0 likes, 0 repeats
       
       @allo that's a technical detail and a completely different discussion, but the TL;DR as far as I've heard is: HTTPS is on port 443 and a known protocol, so it is harder to block. And as you speak German, I can recommend you this article: https://www.golem.de/news/doh-standard-dns-ueber-https-ist-besser-als-sein-ruf-1907-142624.html Also the implementation is not hard, HTTPS is implemented in the browser anyway. 😆
       
 (DIR) Post #9opXv2jOnVwt2ZWe2q by rugk@social.wiuwiu.de
       2019-11-10T20:01:30Z
       
       0 likes, 0 repeats
       
       @allo Yes, Cloudflare is big and centralized and this is really bad and I would also like a better DoH server as a default there. (but would have no immediate suggestions, also! Which shows what the actual problem here is…) However, #Cloudflare is able to handle the load, and I guess this is why they chose it. (for the US! remember that, AFAIK they are searching for others for other parts of the world) The only idea I would have is to set up their own servers, but this is a huge maintenance burden.
       
 (DIR) Post #9opY6ow3uppbjF448G by rugk@social.wiuwiu.de
       2019-11-10T20:04:28Z
       
       0 likes, 1 repeats
       
       @allo So let's rather talk about the solution we'd like to have in the optimal case for #DoH: Small to medium-sized servers (probably even ISPs' servers), which are fast and can handle a quite big load; likely per region or so. And all should be legally bound to privacy agreements not to collect users' #DNS data. This is a utopia of course, but… #dosOverHttps
       
 (DIR) Post #9opY6pBJ0A1aUWCEtM by rugk@social.wiuwiu.de
       2019-11-10T20:05:12Z
       
       0 likes, 0 repeats
       
       @allo …, but it shows what the actual problem is: The problem is *not* that software uses/enables #DoH (by default), the problem is they don't have a lot of good servers to choose from. (Realistically NGOs or so would be the most suitable ones to provide such servers.)
       
 (DIR) Post #9opY8mkwzNQvY6nuka by rugk@social.wiuwiu.de
       2019-11-10T20:28:03Z
       
       0 likes, 0 repeats
       
       @allo it has a "learn more" link and I guess that goes to this site: https://support.mozilla.org/en-US/kb/firefox-dns-over-https And they are exemplarily honest there and list the risks right at the top.
       
 (DIR) Post #9opbkPRWPpEU6vLfua by allo@chaos.social
       2019-11-10T21:14:08Z
       
       0 likes, 0 repeats
       
       @rugk This is NOT a technical detail, but a whole other protocol. And it is not unimportant, because you either use the one or the other and they have huge differences. And there are quite a few problems with DoH, while DoT is a less intrusive change. And TLS is implemented in Firefox as well ;-).
       
 (DIR) Post #9opbkRf4ARFszVhWIj by allo@chaos.social
       2019-11-10T21:18:07Z
       
       0 likes, 0 repeats
       
       @rugk To be clear: DoT is a less intrusive change, with less potential for breaking things, which means that it brings fewer new features as well. The big question is, how many new features do you want and at which cost? For example DoH has the feature that sites can push DNS records, so you have one lookup less. But this comes at the cost that DoH needs to be implemented at application level, causing trouble when different applications have different behavior and making debugging harder.
       
 (DIR) Post #9opbkTZ75XgKtcvnIf by rugk@social.wiuwiu.de
       2019-11-10T21:22:17Z
       
       0 likes, 0 repeats
       
       @allo oh that feature is new to me, but sounds nice. (I doubt though it will often be used, does it rely on HTTP/2 pushes? – which I also only roughly know how they work) Anyway, you obviously don't need to use all the new features when you implement it. But given your thoughts, yeah, I guess I know why system-level DNS things like Android and systemd tend to rather implement DoT (for now) than DoH. Though that also means/explains the tendency for browsers to rather use DoH…
       
 (DIR) Post #9opbkVt2SQoC60GjdR by allo@chaos.social
       2019-11-10T21:24:48Z
       
       0 likes, 0 repeats
       
       @rugk There is quite a bit of criticism and you cannot discuss this with enough detail to be fair to each alternative (e.g. keeping DNS for now, using DoH, using DoT, maybe implementing DoH at system level, etc.) in 500 characters. I would suggest reading some of the more extensive articles where people who know a lot more about networking than us write down what they think and why it is a problem.
       
 (DIR) Post #9opbkWsil69HBJ7zmK by rugk@social.wiuwiu.de
       2019-11-10T21:25:48Z
       
       0 likes, 0 repeats
       
       @allo wait? *what* is the problem? That system libs (not browsers) adopt DoH/DoT?
       
 (DIR) Post #9opbkXm1RUNtwp09ya by allo@chaos.social
       2019-11-10T21:26:02Z
       
       0 likes, 0 repeats
       
       @rugk I think we all have a common goal: Secure, private and censorship-resistant networks. The question is, what techniques will help and what are the side effects.
       
 (DIR) Post #9opbkYoXZbzdAvBgXY by allo@chaos.social
       2019-11-10T21:29:08Z
       
       0 likes, 0 repeats
       
       @rugk At the moment, the browsers implement DoH. When Firefox cannot resolve a domain, it is possible that you can ping, dig, traceroute it and everything works fine and you're stuck when trying to debug the issue. Now assume the tools will adapt to DoH, then they still don't use the same way to resolve things. For example Firefox may use Cloudflare and Chrome starts to use Google DNS and your system uses your provider's new DoH server. And DHCP cannot push a DoH server either.
       
 (DIR) Post #9opbka3SxbWh1VB7RY by rugk@social.wiuwiu.de
       2019-11-10T21:28:55Z
       
       0 likes, 0 repeats
       
       @allo That last toot is a quote I could totally sign… 👍 😃
       
 (DIR) Post #9opbkamUGDXTH8F4cK by rugk@social.wiuwiu.de
       2019-11-10T21:30:45Z
       
       0 likes, 0 repeats
       
       @allo hmm yeah debugging… maybe… Just keep in mind 99% of the users will never debug anything. 🤣 It either works for them or they call some hotline, because "the internet™" does not work.
       
 (DIR) Post #9opl9BIP7zB7NGf9No by nerd@social.wiuwiu.de
       2019-11-10T21:12:41Z
       
       0 likes, 0 repeats
       
       @rugk Needs root, but https://www.kuketz-blog.de/android-dns-server-fuer-mobiles-netz-einstellen/
       
 (DIR) Post #9opm3ZDLbrQweRRJM8 by allo@chaos.social
       2019-11-10T21:38:00Z
       
       0 likes, 0 repeats
       
       @rugk Most of the users will probably prefer a stable non-private DNS to a private DNS that makes problems from time to time because the implementation is 15 years younger ;-). Both should not be their problem. We need to implement something sane. And DoH seems the typical thing that is implemented without asking anyone beforehand. Just like SPDY and now QUIC. This may result in useful stuff, but I would prefer it when experts create a standard, and not when browsers just experiment with new stuff.
       
 (DIR) Post #9opm3ZeHzgz6002pLk by rugk@social.wiuwiu.de
       2019-11-10T21:40:27Z
       
       0 likes, 0 repeats
       
       @allo first sentence: that's why they probably use Cloudflare. They will always scale and work, and in their tests were sometimes even faster than the non-DoH default DNSes… 🤔 Thing is just our utopia is facing reality. That's the trade-off Mozilla made. We can discuss whether that is right, of course. As for never asked: They have. AFAIK Mozilla asked ISPs to set up their own DoH servers. The technology itself is IETF standardized. (so it's also not that "new", that process takes some time)
       
 (DIR) Post #9opm3a5aMCopMeoctc by rugk@social.wiuwiu.de
       2019-11-10T21:40:54Z
       
       0 likes, 0 repeats
       
       @allo IETF are experts for me. So it was the experts who agreed and built this stuff. Don't know who else should do that…
       
 (DIR) Post #9opm3apfargLfaNQjA by allo@chaos.social
       2019-11-10T22:49:55Z
       
       0 likes, 0 repeats
       
       @rugk I am still sceptical, but I have nothing against providing experimental features. But not with a button "I got it", but with a button "I want it". I don't think this allows for informed consent for the average user. That's just another "What do I need to press so the message goes away" dialog that defaults to a controversial feature. I would be much happier to use DoH when it's ready, when nobody would try to make me use it because they want me to use it.
       
 (DIR) Post #9opm3bZkpWXryVwEYi by rugk@social.wiuwiu.de
       2019-11-10T22:54:26Z
       
       0 likes, 0 repeats
       
       @allo well… who defines when it is ready? When it is standardized? (it already is)… But yeah, as for the other parts: I think I've said all my arguments and made my point clear. (could only repeat now) So let's agree to disagree here.
       
 (DIR) Post #9opm3cFaK00Q4FVdlA by allo@chaos.social
       2019-11-10T23:26:12Z
       
       0 likes, 0 repeats
       
       @rugk We won't have much influence anyway. And as for if it is ready ... I think we will see some fuckup until it's really ready. There DNS learned from centuries of fuckups, why should a protocol that replaces it while reinventing almost everything not make the same mistakes? But we will see. Maybe they still learned from the problems that DNS had and avoided many of them upfront.
       
 (DIR) Post #9opmATWz8dS53Hv2O0 by allo@chaos.social
       2019-11-10T23:27:28Z
       
       0 likes, 0 repeats
       
       @rugk We won't have much influence anyway, so we're in fact just discussing theory, while browser programmers define what will happen. And as for if it is ready ... I think we will see some fuckup until it's really ready. There DNS learned from centuries of fuckups, why should a protocol that replaces it while reinventing almost everything not make the same mistakes? But we will see. Maybe they still learned from the problems that DNS had and avoided many of them upfront.
       
 (DIR) Post #9opmDvxHujeA4ps45w by rugk@social.wiuwiu.de
       2019-11-10T23:28:08Z
       
       0 likes, 0 repeats
       
       @allo hmm what are "the same mistakes" in this context?
       
 (DIR) Post #9opmrPRMDufEohl8C0 by allo@chaos.social
       2019-11-10T23:35:13Z
       
       0 likes, 0 repeats
       
       @rugk DNS had (and sometimes has) many problems, like people poisoning the cache. Some are obvious nowadays, but others may still be reimplemented. And I expect new types of attacks that we will not predict now. The next type of problems you can expect when looking at the long list of SSL/TLS attacks. For privacy-enhanced DNS we will not be able to avoid TLS(-like) protocols, so this needs to be implemented with care anyway.
       
 (DIR) Post #9opnEfXEY8AxOVbBYG by allo@chaos.social
       2019-11-10T23:37:06Z
       
       0 likes, 0 repeats
       
       @rugk But what for example about timing or length attacks based on the fact that it uses HTTP? I did not read the full spec and I guess most things I would predict from my head are already considered, as the people implementing this know more about cryptography than I do. But on the other hand, I expect a lot of new fuckups that we cannot anticipate yet.
       
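The standard answer to the message-length concern raised in the post above is EDNS(0) padding: the query is padded to a fixed block size before it goes into the DoH HTTP body, so an observer of the TLS stream sees the same size for a short and a long name. This is an added example, not code from the thread; it assumes the block sizes of RFC 8467 and the Padding option of RFC 7830, and uses constructed sample names.

```python
# Added example (not from the thread): a DNS query in RFC 1035 wire format with an
# EDNS(0) Padding option (RFC 7830), padded with the RFC 8467 block-length policy.
import struct

TYPE_OPT = 41            # EDNS(0) OPT pseudo-RR type
OPT_PADDING = 12         # EDNS(0) option code: Padding (RFC 7830)
QUERY_BLOCK = 128        # RFC 8467 recommended block size for queries


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_padded_query(name: str, qtype: int = 1, txid: int = 0,
                       block: int = QUERY_BLOCK) -> bytes:
    """Recursive query for `name`, padded so the whole message is a multiple of `block`."""
    # header: id, flags (only RD set), qdcount=1, ancount=0, nscount=0, arcount=1 (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # QTYPE, class IN
    # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size (1232), TTL=ext-rcode/version/flags
    opt_fixed = b"\x00" + struct.pack("!HHI", TYPE_OPT, 1232, 0)
    # everything except the padding bytes themselves: +2 RDLENGTH, +4 option code/length
    unpadded = len(header) + len(question) + len(opt_fixed) + 2 + 4
    pad = (-unpadded) % block
    rdata = struct.pack("!HH", OPT_PADDING, pad) + b"\x00" * pad
    return header + question + opt_fixed + struct.pack("!H", len(rdata)) + rdata


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0:            # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def padding_length(msg: bytes):
    """Length of the Padding option in `msg`, or None if there is none.
    Walks question and RR sections, so it also works on real responses."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            cursor, end = off, off + rdlen
            while cursor < end:
                code, olen = struct.unpack("!HH", msg[cursor:cursor + 4])
                if code == OPT_PADDING:
                    return olen
                cursor += 4 + olen
        off += rdlen
    return None


if __name__ == "__main__":
    for n in ("example.com", "a-much-longer-hostname.example.org"):   # constructed names
        q = build_padded_query(n)
        print(f"{n:40} {len(q):4d} bytes, padding={padding_length(q)}")
```

Both constructed names produce a 128-byte message; only the padding length differs, which is exactly what an on-path observer can no longer use.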
 (DIR) Post #9opnEgFts3u9d2UrAm by rugk@social.wiuwiu.de
       2019-11-10T23:39:28Z
       
       0 likes, 0 repeats
       
       @allo hmm… let's see… future is not teasing us… 😜
       
 (DIR) Post #9opniXRFDVoKyF2YL2 by chucker@mastodon.social
       2019-11-10T23:44:50Z
       
       0 likes, 0 repeats
       
       @rugk @allo that’s not the point. “Disable Protection” and “Got It” are disingenuously labeled buttons.
       
 (DIR) Post #9oppPXbyY6WTui82sa by allo@chaos.social
       2019-11-10T21:22:32Z
       
       0 likes, 0 repeats
       
       @rugk Purists will argue that DNS resolution has to be implemented at system level. It will work at application level and this will enable a few fancy features, but in the end when something needs to be updated, you need to update every single program instead of a central place in your system. And it is an admin nightmare, because system rules are ignored at the application level. When you do DoT or DoH in your system libraries, it would be a drop-in replacement for DNS. This way it is not.
       
 (DIR) Post #9oppPYHo2Zz20RhS52 by rugk@social.wiuwiu.de
       2019-11-10T21:23:42Z
       
       0 likes, 0 repeats
       
       @allo That drop-in is going to be developed. As said, systemd has DoT support, Android has. So yeah, that it is implemented in applications is likely just a workaround "for now", I guess. (If I'd allow myself to guess the future…)
       
 (DIR) Post #9oppYzRGSQ96pBclXc by rugk@social.wiuwiu.de
       2019-11-10T21:22:27Z
       
       0 likes, 0 repeats
       
       @allo All their own "domain". 😆 (pun not intended)
       
 (DIR) Post #9optU3D9P7BctQvHma by shibayashi@communicating.cypherpunk.observer
       2019-11-10T20:11:07.847176Z
       
       0 likes, 0 repeats
       
       @rugk @allo there are some, like the servers from the Foundation for Applied Privacy or Digitalcourage. If you use apps like Intra or DNSCloak they also offer a list of known servers which support DoT and DoH to choose from.
       
 (DIR) Post #9optU3YQ82CTxOsGw4 by rugk@social.wiuwiu.de
       2019-11-10T20:18:34Z
       
       0 likes, 0 repeats
       
       @shibayashi @allo thanks for the suggestions. The servers seem to be nice, indeed. And the app is unfortunately not on F-Droid, because it is apparently not 100% FLOSS: https://github.com/Jigsaw-Code/Intra/issues/9 But that app is technically obsolete anyway since Android 9, apparently… 😃
       
 (DIR) Post #9optg3KemPGKkA9mm8 by rugk@social.wiuwiu.de
       2019-11-10T20:15:52Z
       
       0 likes, 0 repeats
       
       @allo /me used the hashtag #dosOverHttps… Damn, stupid… 🙄 On the other hand, I think that's beautiful and not as controversial as #dnsOverHttps 😜 And of course I mean the system OS streaming over HTTPS. 😜
       
 (DIR) Post #9oqsDoOCpyyfUkkMFM by elrido@social.dssr.ch
       2019-11-11T12:02:31Z
       
       0 likes, 0 repeats
       
       @rugk @allo The whole point of DNS always was that it's decentralized. So the ideal scenario is that every single subnet uses its own little local resolver, so that when you visit example.com from different devices on the same network only one request is ever made to your local DNS's upstream server and not by your browser directly. The reply is cached for as long as the record's TTL is; the negative cache TTL is defined per zone (i.e. per domain or sub-domain).
       
       All of this is already in daily use by most of us when using a physical internet connection. Most routers that you get for personal internet connections already do this local DNS caching out of the box. In corporate environments you have this as well and often also run dedicated, redundant DNS resolvers. If you are tech-savvy you can also change the upstream that your router's DNS resolver uses, i.e. to bypass the DNS filtering that your ISP's DNS servers would do or to avoid them tracking what is accessed.
       
       Basically my concern is that currently my DNS queries get mixed in with all the other DNS queries of other people in the same household or office and I am in control over which upstream is used, but with DoH in the browser the DoH server now can differentiate each device as an independent TCP connection and I will have to configure the used upstream per user profile.
       
       I agree that DoH does make a difference for mobile devices that use cell phone internet connections, as there you are typically dependent on the ISP's DNS solution and DoH allows you to avoid that.
       
       Once I can set up my own DoH resolver in my network and can somehow communicate this automatically with a DHCP option like regular DNS, it may actually become as good as the current solution plus give me encryption so that other users on the same network can't sniff my DNS queries anymore. Currently I have to use a VPN to avoid that (I am running my own VPN server and control the DNS resolver that it uses).
       
       Bottom line: I think DoH addresses a specific concern for mobile devices and travelling, but introduces new issues for many other use cases. It may not be the ideal solution for every use case.
       
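A small model of the two resolution paths contrasted in the post above, added here as an example and not code from the thread: a shared per-subnet caching resolver (positive answers cached for the record TTL, NXDOMAIN cached for the zone's negative TTL) beside the per-application DoH path where every device talks to the upstream itself. The upstream, zone data and client names are constructed stand-ins; no network is used.

```python
# Added example (not from the thread): shared local caching resolver vs. per-app
# DoH, with a counting stand-in for the upstream so the difference is measurable.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Answer:
    rrset: Optional[tuple]   # None means NXDOMAIN
    ttl: int                 # record TTL, or the zone's negative-cache TTL for NXDOMAIN


def zone_of(name: str) -> str:
    """Constructed simplification: the zone is the last two labels of the name."""
    return ".".join(name.rstrip(".").split(".")[-2:]) + "."


class FakeUpstream:
    """Stand-in for the ISP or public (DoH) resolver; records who asked what."""
    def __init__(self):
        self.seen = []                                                  # (name, client)
        self.records = {"www.example.com.": (("192.0.2.10",), 300)}    # constructed, TTL 300 s
        self.negative_ttl = {"example.com.": 60}                        # SOA minimum, per zone

    def query(self, name: str, client: str) -> Answer:
        self.seen.append((name, client))
        if name in self.records:
            rrset, ttl = self.records[name]
            return Answer(rrset, ttl)
        return Answer(None, self.negative_ttl.get(zone_of(name), 0))


class CachingResolver:
    """One resolver per subnet: the upstream only ever sees the resolver as client."""
    def __init__(self, upstream: FakeUpstream):
        self.upstream = upstream
        self.cache = {}                      # name -> (Answer, expires_at)

    def resolve(self, name: str, now: float) -> Answer:
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                    # served from cache, upstream not contacted
        answer = self.upstream.query(name, "router")
        if answer.ttl > 0:                   # positive and negative answers both cached
            self.cache[name] = (answer, now + answer.ttl)
        return answer


def shared_resolver_queries(clients, names, now=0):
    """Upstream view when all devices go through the local caching resolver."""
    upstream = FakeUpstream()
    local = CachingResolver(upstream)
    for _client in clients:                  # client identity never reaches the upstream
        for name in names:
            local.resolve(name, now)
    return upstream.seen


def per_app_doh_queries(clients, names):
    """Upstream view when each device/application talks to the DoH server itself."""
    upstream = FakeUpstream()
    for client in clients:
        for name in names:
            upstream.query(name, client)
    return upstream.seen


if __name__ == "__main__":
    devices, names = ["laptop", "phone"], ["www.example.com.", "nope.example.com."]  # constructed
    print("shared resolver :", shared_resolver_queries(devices, names))
    print("per-app DoH     :", per_app_doh_queries(devices, names))
```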
 (DIR) Post #9or1MCTxM2PnmkL8C0 by rob@fosstodon.org
       2019-11-11T13:52:18Z
       
       0 likes, 0 repeats
       
       @rugk not with #DNS66 on @fdroidorg! : https://f-droid.org/en/packages/org.jak_linux.dns66/
       
 (DIR) Post #9orNlokjGW0jU4xEiu by rugk@social.wiuwiu.de
       2019-11-11T18:02:41Z
       
       0 likes, 0 repeats
       
       @rob @fdroidorg yeah, though it seems it does not support #doh or #dot, so the DNS queries are still unencrypted then: https://github.com/julian-klode/dns66/issues/356
       
 (DIR) Post #9orOHNnGpslp4DByK0 by DC7IA@chaos.social
       2019-11-11T12:25:41Z
       
       0 likes, 0 repeats
       
       @nerd @rugk LineageOS and some other ROMs have a setting for that.
       
 (DIR) Post #9orOHO4zlywrxBU7wu by rugk@social.wiuwiu.de
       2019-11-11T18:09:15Z
       
       0 likes, 0 repeats
       
       @DC7IA @nerd hmm, rly. LineageOS does _not_ AFAIK 🤔 (just the default AOSP DoT DNS setting in Android 9)