Oh great. ANOTHER technical Food Fight in progress.
I’d noticed this in my usual “turn off all the insecure crap” first boot of browsers on a new (Buster?) install on one of my SBCs (Single Board Computers). I think the SBC in question was the RockPro64, maybe.
Wandering through all the settings and turning off camera, microphone, auto-run sound & video, location… I discovered one setting was to do DNS over HTTPS, or not. WT? I want to use MY carefully made and ad-blocking DNS servers (that also reduce DNS traffic out of my site and hide particular machine identity from external DNS providers…)
So I turned it off, checked that I still had blocking working, and moved on.
Then I ran into an issue on the Odroid N2 running plain Armbian where ad blocking wasn’t working (and found out it was very hard to get it to accept a change of DNS server…). Eventually enough crowbar got it to work ;-)
Along the way found that OpenDNS was bought by Cisco (who I’m pretty sure was happy with the Prism Program and likes working with the TLAs of the world… so I’m not feeling all secure about that DNS info). This caused me to think maybe it was time to run my internal / house DNS servers over a VPN (to change geolocation information) and via a TLS encrypted pipe (to keep DNS lookups private) to some trustworthy upstream.
Looking into this, I found out just why the browser was suddenly wanting to steal my DNS lookups. “It’s complicated” and comes down to a Food Fight between Privacy and Security and over “Who has control” and “Who gets the information about you to sell”.
The short form is that if you put HTTPS DNS into the browser, it bypasses any site-local DNS servers (so local network managers lose visibility and control) and sends the information to an “authoritative” DNS provider who is beyond local control and beyond Telco visibility (so that one site gets all the lucrative information about what DNS lookups are happening AND gets all that tactical information too…). It also lets your browser bypass all the local filtering by DNS for things like blocking porn sites (I’m sure that was not a consideration… /sarc;) and other forbidden stuff.
Now, ideal for me would be allowing me to choose. Put HTTPS DNS in the browser, but let me turn it on / off AND let me choose what DNS server it points at. Let me as Site Admin put my DNS on TLS secure pipes if I so choose. Also, let a local admin lock OUT browser DNS IFF the company so chooses (otherwise the network admin has no control and all manner of malware blocking fails).
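For a site admin who wants to know whether browsers on the LAN are actually doing this, the following is an added example (mine, not code from this post, the IEEE article, or any browser vendor). It classifies connection records the way an egress firewall or TLS-inspecting proxy would see them: DoT on its dedicated port 853, DoH to the public resolvers named on this page (Cloudflare, Google), DoH recognised by its RFC 8484 media type or path, and plain port-53 traffic that skipped the site resolvers. The resolver addresses, the DoH host list and the sample records are all constructed assumptions to be replaced with your own.

```python
"""Spot browser DNS that bypasses the site resolvers, from flow/proxy records.

Added example for this post; not code from the IEEE article or any vendor.
SAMPLE_RECORDS is constructed data; APPROVED_RESOLVERS and KNOWN_DOH_HOSTS
are assumptions an admin would replace with their own lists.
"""
from collections import Counter

# Assumption: the site's own (ad-blocking) resolvers that clients should use.
APPROVED_RESOLVERS = {"192.168.1.53", "192.168.1.54"}

# Public DoH endpoints of the providers the page names (Cloudflare, Google).
# A starting point, not a complete list.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}

BYPASS_LABELS = {"dot", "doh-known-resolver", "doh-media-type", "doh-path", "dns-rogue"}


def classify(rec: dict) -> str:
    """Label one connection record.

    Keys: dst_ip, dst_port, optional sni, http_path, content_type (the last
    two are only visible if a TLS-inspecting proxy sees the request).
    """
    port = rec["dst_port"]
    if port == 853:
        # DoT uses a dedicated port: the contents are hidden, but the fact
        # that a DNS lookup happened is obvious to anyone watching the wire.
        return "dot"
    if port == 443:
        if rec.get("sni") in KNOWN_DOH_HOSTS:
            return "doh-known-resolver"
        if rec.get("content_type") == "application/dns-message":
            return "doh-media-type"   # RFC 8484 media type
        if rec.get("http_path", "").startswith("/dns-query"):
            return "doh-path"         # conventional RFC 8484 path
        return "https"                # looks exactly like ordinary browsing
    if port == 53:
        return "dns-approved" if rec["dst_ip"] in APPROVED_RESOLVERS else "dns-rogue"
    return "other"


def summarize(records) -> Counter:
    """Count records per label."""
    return Counter(classify(r) for r in records)


def bypass_records(records) -> list:
    """Records showing DNS that left the site without using the approved resolvers."""
    return [r for r in records if classify(r) in BYPASS_LABELS]


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS = [
    {"dst_ip": "192.168.1.53", "dst_port": 53},                          # normal
    {"dst_ip": "1.1.1.1", "dst_port": 853},                              # DoT
    {"dst_ip": "198.51.100.2", "dst_port": 443, "sni": "mozilla.cloudflare-dns.com"},
    {"dst_ip": "198.51.100.3", "dst_port": 443, "sni": "dns.google",
     "http_path": "/dns-query", "content_type": "application/dns-message"},
    {"dst_ip": "203.0.113.10", "dst_port": 443, "sni": "www.example.com"},  # browsing
    {"dst_ip": "8.8.8.8", "dst_port": 53},                               # skipped site DNS
    {"dst_ip": "203.0.113.7", "dst_port": 443, "sni": "proxy.example.net",
     "http_path": "/dns-query"},                                         # DoH by path only
    {"dst_ip": "198.51.100.9", "dst_port": 443, "sni": "resolver.example.org",
     "content_type": "application/dns-message"},                         # DoH by media type
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{label:20s} {count}")
    print("bypass records:", len(bypass_records(SAMPLE_RECORDS)))
```

Detection is the easy half; with only a flow log, DoH to an unlisted resolver is indistinguishable from browsing ("https" above), which is exactly the property privacy advocates want. On the control side, Firefox checks the canary domain use-application-dns.net and disables its default-on DoH when the local resolver answers NXDOMAIN for it (a user who turned DoH on explicitly is not affected), and both Firefox (the DNSOverHTTPS policy, with Locked) and Chrome (the DnsOverHttpsMode policy) can be pinned by managed policy.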
Here’s the IEEE article about it:
From Nov. 2019, so I’m only a year late getting to this. Likely as things get to the ARM ports about a year after they hit the Intel chip ports… IMHO.
27 Nov 2019 | 15:52 GMT
The Fight Over Encrypted DNS: Explained
DNS over TLS and DNS over HTTPS both do what they are designed to do. So what’s all the fighting about?
Pros and Cons
For the privacy-minded, DNS over TLS isn’t good enough because anyone monitoring the network will know that any activity on Port 853 must be DNS-related. While an observer won’t know the actual contents of the query because both the response and request are encrypted, the fact that anyone could know that queries are being made is enough to raise warning flags for some. While secure, DNS over TLS isn’t as privacy-friendly as DNS over HTTPS.
Another downside of DNS over TLS—as far as opponents are concerned—is that it requires software developers and device makers to make changes so that their applications and hardware support the protocol. The resolver may have the certificates to handle the encryption, but if the program or device can’t (or won’t) establish the connection, DNS over TLS isn’t protecting the user.
DNS over HTTPS is more democratic, as anyone using a supported web browser automatically gets encrypted DNS. DNS over HTTPS stops all third parties—bad actors, Internet service providers, government agencies, law enforcement, and network operators (including corporate IT staff)—from seeing anything about what sites viewers are browsing. That’s exactly what privacy advocates want, but it’s the opposite of what network administrators and security teams need.
Privacy vs Security
DNS over HTTPS treats privacy as absolute—but parental control applications, antivirus and security software, enterprise firewalls, and other networking tools don’t share that ethos. Having DNS over HTTPS turned on by default in the web browser means all DNS queries are relayed to the designated DNS server, which may not be the organization’s own DNS server, or even the ISP’s.
Mozilla has announced that DNS over HTTPS will be the default for Firefox users in the United States, and that change is currently being rolled out. Firefox will automatically relay all DNS traffic to Cloudflare’s 1.1.1.1 service and ignore the user’s existing DNS settings. That bypasses all associated network-based filtering rules, such as those that block malware from communicating with command-and-control servers, or that stop users from accessing malicious or illegal sites.
Google also turned on DNS over HTTPS for Chrome users, but that situation is slightly different as the browser defaults to DNS over HTTPS only if the user has a DNS over HTTPS-compatible service.
Microsoft is trying to have it both ways, as it plans to support DNS over HTTPS in Windows, but will allow Windows administrators to maintain some control.
DNS is a “reasonable place to restrict access” to bad entities, Akamai’s April said. Network operators block hostnames used by Wannacry and other malware or redirect users who try to access malicious or banned sites. Operators of public Wi-Fi networks modify DNS queries to first load a network sign-on page for new users. DNS over HTTPS breaks these use cases.
This is partly why Mozilla is not turning on DNS over HTTPS for Firefox users in the United Kingdom, as UK law requires ISPs to block access to illegal websites, such as those related to child pornography. Losing visibility over the network is dangerous, April said.
DNS over HTTPS versus DNS over TLS is also a battle over the user’s web browsing data and who gets to access it. DNS queries from Firefox will go to Cloudflare, which means Cloudflare is going to be sitting on top of a lot of DNS data. The tech companies that operate centralized DNS servers—such as Cloudflare and Google—will ultimately benefit with DNS over HTTPS, as they will be the ones with more visibility into what people are browsing, Vixie said.
Privacy advocates believe that users should be in charge of their web browsing, not ISPs. But Mozilla’s decision forces Firefox users to use Cloudflare regardless of their own preferences.
Most users won’t notice any difference when encrypted DNS becomes the default—which has already happened for Chrome users. For enterprises and ISPs, the socially-conscious, user-oriented approach forces a tradeoff: the price for increased privacy is reduced security.
The reality of the modern Internet is that ISPs and enterprises play a role in keeping threats away from users. Ideally, web browsers should let users choose whether or not to use DNS over TLS or DNS over HTTPS, and give users the option to control which DNS provider to use.
Oh Joy. Yet Another Security Breaking move that we all must adapt to. But where most folks will be blissfully unaware and uncaring.
So, OK, I can see this is going to be an issue. I expect that the Chromium Open Source version of Chrome will have more optional control than the official Google Chrome, but when? How hard?
So I can turn it off in Firefox (done). And I may have to do something else with new Chromium (whenever it gets to my old SBCs in an eventual software update…). While I don’t really want to get into the business of hacking Chromium, that it IS open source means I can if need be. Hopefully others more engaged will do that hacking before I get motivated enough ;-)
Just Be Aware that YOUR browser may well be bypassing any DNS settings you have made in your machine, or your site, or your corporate standards; and any made by your Telco if you depend on their defaults.
Welcome to the Browser DNS Wars…
Why is it so hard to just get folks to stop screwing around with stuff that works?