DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

Mozilla says it is baffled by the UK Internet Services Providers’ Association's decision to nominate the browser maker as the internet's 2019 villain of the year. The UK ISPA earlier this week proposed Mozilla, self-styled defender of internet freedom, as a black hat for its "proposed approach to introduce DNS-over-HTTPS in …

  1. Anonymous Coward

    NIMBY

    Do what you want for home use.

    But it isn't happening on my work networks.

    This is not a solution. Just a sticking plaster over the core issue with unencrypted DNS.

    Is it going to fix the problem with every other application using plain DNS? No.

    Do I want a select few providers controlling all DNS enquiries (who happen to control a large chunk of ad network)? No.

    Makes you wonder who is pushing this agenda. Follow the smell of profit.

    1. Graham Cobb

      Re: NIMBY

      There are some challenges but, overall, I see DoH as positive. At least as long as applications and platforms give users a genuinely free choice about which DNS supplier they want to use.

      It is important that competition regulators, for example, make sure that users can very easily select their chosen supplier: it must be just as easy to use Cloudflare, or Joe's DNS Emporium as Google, Mozilla or Facebook.

      This means that apps or programs must not have their own default DoH servers (Google in Chrome, Mozilla in Firefox for example) but should use a default provided by the platform/OS. And then Windows, Android and Apple platforms must have a standardised way for users to go to a website and click on "make this my DoH host".

      I, like many other readers here, I expect, will be running my own personal DoH server.

      1. Ben Tasker Silver badge

        Re: NIMBY

        > but should use a default provided by the platform/OS

        Yep, and there are solutions in the wild that allow you to do that with DoH already. For Android there's Intra (created by Google's sister company - Intra).

        For desktop OS's there're stubs that accept UDP 53 and DoH it for you. Personally I like this one - https://github.com/m13253/dns-over-https - but there are things like cloudflared too.

        Personally I'd never use Cloudflare's DoH service, and am similarly cagey about Google's, so I set up my own (I've linked to the docs a few times, so won't do it again here as I don't want to spam the comments :) ).

        It means I've got the privacy benefits of DoH but backed by Pi-Hole filtering. That's win-win in my book.

        1. Dan 55 Silver badge

          Re: NIMBY

          Off on a tangent, does anyone know how Intra differs from Android 9's Settings > Network & Internet > Private DNS option?

          Also, what is the "Automatic" option for Private DNS? I've got a feeling it means automatically always use Google's DoH.

          1. Ben Tasker Silver badge

            Re: NIMBY

            Intra is DoH, while Pie's "private dns" support is DoT (i.e. tls wrapped packets to TCP 853).

            Basically the difference is the protocol used.

            Default is (I believe) Google's service, yes, but auto mode is different. it tries to opportunistically use DoT, so it'll try a TLS query to TCP 853 on whatever resolver it got via DHCP etc. If that fails it drops back to plain UDP 53.

            That's my understanding anyway

        2. chivo243 Silver badge

          Re: NIMBY

          +1 for the PI-hole

      2. JohnFen Silver badge

        Re: NIMBY

        "At least as long as applications and platforms give users a genuinely free choice about which DNS supplier they want to use."

        And there will be plenty (mostly ad-related) that won't do this.

    2. Jove Bronze badge

      Re: NIMBY

      Alternate take:

      DoH becomes available, but with new legislation requiring that the servers be hosted in the UK and licensed by Ofcom with warrant-less access granted to the NCSC?

      1. Charles 9 Silver badge

        Re: NIMBY

        Alternate take on the alternate take:

        New legislation passes, all DoH providers move to France or elsewhere, out of the UK's reach. Since DoH tunnels through HTTP/S, how's the legislation going to be able to tell the difference (one of the key aspects of DoH, as any dedicated port can otherwise be hijacked wholesale by an ISP or anyone else upstream)?

        1. MacroRodent Silver badge

          Re: NIMBY

          They could block traffic from Britain to any foreign subnet known to host "illegal" DoH servers. Cloudflare and such would quickly fall in line. In a contest, meatspace always beats cyberspace, no matter what techno utopians tell you.

          1. K Silver badge

            @MacroRodent you really need to open your eyes

            That is nonsense.. I may be showing my age here, but Meatspace, as you call it, is always 2 steps behind and playing catchup. Let me give you several examples:

            1) Law enforcement never got their way when Android/iOS introduced encrypted filesystems

            2) Law enforcement kicked up a stick when IM solutions introduced end-2-end encryption

            3) Law enforcement

            And the real elephant in the room - Law enforcement demanded weakening of encryption mechanism (Way back when PGP was cool), and they're still crying wolf to this very day!

            Give it a few months, once all the luddites have stopped crying over stuff they have zero understanding of, and you'll have people at GCHQ and NCSC all saying how great this DNS-over-HTTPS shit really is..

            Note: I'll say this, whilst I use it at home, I do have sympathies for enterprises trying to improve their security hygiene. Not having visibility on DNS does introduce problems, as monitoring this is a major part of the security strategy (for identifying malware and C&C etc.).

            1. Pier Reviewer

              Re: @MacroRodent you really need to open your eyes

              “That is nonsense.. I may be showing my age here, but Meatspace as you call it, is always 2 steps behind and playing catchup”

              Alternative examples are available. See Russia vs domain fronting for example. Didn’t take long for Amazon et al to fall into line when the ban hammer loomed. Russia 1 - 0 Privacy.

              The child abuse angle is a straw man. Surely people don’t just browse such abhorrent content as you’d browse YouTube? They’ve got to be aware that it’s illegal, and don’t fancy getting caught, so they’ll already be bypassing their ISP’s filtering etc. DoH won’t have any impact on that aspect at all.

              ISPs want to see *everyone’s* DNS requests. There’s good money in that info. Losing out on that would be an issue for ISPs.

              1. Mage Silver badge

                Re: ISPs want to see *everyone’s* DNS requests

                Except maybe Vodafone Broadband in Ireland. It's offline/down too often so using alternate primary and secondary IPs on my VDSL modem/Router (not the supplied Huawei one locked to Vodafone).

              2. LucreLout Silver badge

                Re: @MacroRodent you really need to open your eyes

                The child abuse angle is a straw man. Surely people don’t just browse such abhorrent content as you’d browse YouTube? They’ve got to be aware that it’s illegal, and don’t fancy getting caught, so they’ll already be bypassing their ISP’s filtering etc. DoH won’t have any impact on that aspect at all.

                You've misunderstood how far below average intelligence the average criminal is. I mean, it's not like they all wear gloves when committing crime to render fingerprint checks worthless, is it? The stoopid is strong with criminals, it's a huge part of why they get caught.

                1. MacroRodent Silver badge

                  Re: @MacroRodent you really need to open your eyes

                  > The stoopid is strong with criminals, its a huge part of why they get caught.

                  Exactly. Also the laws of probability work against them. Based on various news accounts about child abuse rings, it seems to be the case that even careful online criminal rings eventually get busted, when one member makes a mistake. When the police get access to his systems, they can catch more.

            2. Jove Bronze badge

              Re: @MacroRodent you really need to open your eyes

              You are not up to date with what is being discussed in USA, UK and EU - certainly not what is being done elsewhere in the world.

            3. MacroRodent Silver badge

              Re: @MacroRodent you really need to open your eyes

              > but Meatspace as you call it, is always 2 steps behind and playing catchup.

              I didn't come up with that term, it is from the seminal cyberpunk novel "Neuromancer" (William Gibson 1984), as is "cyberspace". Made an impression on me back then, and it was fun watching the technobabble from the novel enter common usage...

              About the issue at hand: as usual, XKCD expressed it best: https://xkcd.com/538/

          2. Charles 9 Silver badge

            Re: NIMBY

            Cloudflare can bite back as they host quite a bit of content, El Reg included. Plus there's Facebook, used by billions of people. A possible retort could be, "You wouldn't want a good chunk of the Net to be blacked out to your citizens, eh? Imagine the outcries..."

          3. phuzz Silver badge

            Re: NIMBY

            "They could block traffic from Britain to any foreign subnet known to host "illegal" DoH servers."

            ....for about thirty seconds until they realise they've just blocked all of AWS.

            Region based blocking isn't very useful these days because so much valid traffic comes from places that can also host the 'baddies' servers.

            1. Jove Bronze badge

              Re: NIMBY

              ... thus blocking such subnets is in the national interests as they move towards walled gardens of content subject to national legislation.

        2. Jove Bronze badge

          Re: NIMBY

          ahh, that fantasy world again where the kiddies play.

      2. Roland6 Silver badge

        Re: NIMBY

        > but with new legislation requiring that the servers be hosted in the UK

        I think a case can be made that DoH server providers satisfy the communication service provider criteria of the existing UK legislation.

        Obviously, if they are located in the UK then it becomes easier for UK agencies to gain warrant-less access.

    3. This post has been deleted by its author

    4. Anonymous Coward

      Re: NIMBY

      What the fuck are you talking about?

      DNS encryption in this manner is not proprietary in any way. There are hundreds of providers, in the future there will be thousands.

      www.dnscrypt.info

    5. TheVogon Silver badge

      Re: NIMBY

      On a work network you can presumably control which certificates are trusted and still intercept the traffic anyway unless it uses pinned certs ?

      1. Steve Hill 1

        Re: NIMBY

        Less and less. Google have been actively working against TLS interception for the past few years. Android defaults to ignoring user-supplied certificates, and the end user / device owner can't change that (without rooting the device).

    6. TheVogon Silver badge

      Re: NIMBY

      Surely 99% of people looking for stuff that is controversial enough to be blocked are going to be using a VPN for privacy so are probably not going to be inconvenienced by the blocks anyway?

      I'm a fan just on the basis that the government can't track our web browsing any more.

      Anyone know is there a solution for DNS over HTTPS on DD-WRT by the way?

    7. rg287 Silver badge

      Re: NIMBY

      Dunno why all the downvotes.

      DoH is a very good thing.

      DNS Resolution in the Browser, ignoring local split-horizon DNS servers or indeed local discovery services (WINS/NetBIOS) is a ridiculous thing.

      The correct place for DNS is - and always will be - at a system/OS level, where you can be setting up different behaviours (for instance) on Trusted or Untrusted Home/Work/Public networks.

      Also, Firefox's current implementation only allows you to specify one DoH provider. This caused issues last week when Cloudflare fell over.

      There's a reason why every system-level DNS resolver in common usage (Windows, Mac or *nix) allows you to set a primary and secondary!

    8. big_D Silver badge

      Re: NIMBY

      You can set up your local DNS server to pull records over DNS over HTTPS as well.

      What I don't like is it bypassing my local DNS server.

      1. JohnFen Silver badge

        Re: NIMBY

        "What I don't like is it bypassing my local DNS server."

        This is my entire problem with DoH, really. If it were possible to ensure that my own DoH resolver is always used, then I could live with everything else. But, by design, it is impossible to ensure that my own DoH resolver is always used.

  2. Anonymous Coward

    Good for Mozilla and FU Article 13 Copyright Directive

    1. Anonymous Coward

      This has nothing to do with filters or illegal content..

      Its all about money.. money and money!

      Most of the large ISPs actually monetise the DNS and traffic logs, selling anonymised data to marketing analytics providers. The recent move to HTTPS by default would have dented the value of this, now DNS-over-HTTPS has basically put a bullet into this revenue!

      1. Jove Bronze badge

        Re: This has nothing to do with filters or illegal content..

        Indeed there are benefits in the form of additional revenues, but the topic is being driven by concerns within Government which has the advantage of both existing and potential new primary and statute legislation as and when required.

      2. Anonymous Coward

        Re: This has nothing to do with filters or illegal content..

        ... where 'anonymized' may or may not be true depending on:

        (1) how well they understand and do anonymization

        (2) who shows up with a secret warrant, court order, or friendly request

        (3) who shows up with an envelope of cash for the custodian of the pre-anonymized data

        (4) what resources an attacker can bring to bear for various high resource high/wide network access attacks

  3. Ben Tasker Silver badge

    Mozilla are only partly right

    If we insert just one word into their statement, then they're wrong:

    Despite claims to the contrary, a more private DNS would not prevent the use of non-consensual content filtering or parental controls in the UK

    and therein lies the rub. What the ISPA is complaining about isn't that we (the users) would not be able to filter content, but that content would not be able to be filtered without our consent (or at a basic level, knowledge).

    Which, oddly, sounds like exactly the kind of authoritarian bollocks that brought things like DoH about in the first place.

    1. DavCrav Silver badge

      Re: Mozilla are only partly right

      "Which, oddly, sounds like exactly the kind of authoritarian bollocks that brought things like DoH about in the first place."

      Stopping people accessing kiddie porn websites is similar to stopping people accessing guns. We think that curtailing people's freedom to buy guns in the UK is an acceptable trade-off between your right to do what you want and my right for you not to have a dangerous weapon. Cleanfeed is an acceptable trade-off between your right to have unfettered access to information and children's rights not to have pictures of them being raped handed around the Internet. Society, through the standard method of voting for things, agrees. (In surveys it also agrees overwhelmingly with the viewpoint that paedophiles should not be able to trade images online, and is happy for Cleanfeed to exist.)

      Mozilla, Google et al are proposing something that will break Cleanfeed, going against UK Government policy and UK society's wishes. It is incumbent on them to repair the damage that their innovation will do, just as oil companies are expected to pay when they pour millions of gallons of oil on beaches. Tech companies have been getting away with this attitude of doing whatever they want and let society clean up the mess for too long, and this is indicative of that same care-free attitude.

      1. Ben Tasker Silver badge

        Re: Mozilla are only partly right

        The problem is more complex than that though.

        As a society we accepted the introduction of CleanFeed on the basis (as you say) that stopping paedophiles from finding things online is good.

        However, Cleanfeed has long since stopped being *just* about that content. Because the infra was there and capable of doing so, the ISPs were ordered to use it to block Newzbin2 (a torrent site).

        At that point, Cleanfeed's effectiveness was doomed because there was now an "acceptable" reason to be discussing how to circumvent it - prior to that decision those discussions could only happen if you were interested in looking for something very, very illegal.

        It's not like it's stopped there either, we're now in a position where the Govt wants providers to track who watches what adult content, and with the threat of using that same infra to block sites that fail to comply with the requirements. Their aspirations don't end there either, have a search around and you'll see plans to bring in age verification for all kinds of things.

        I agree that blocking the sites on the IWF's watchlist (when they don't screw it up, anyway) is a good thing. But it is the government, and industry who've moved us into the position we're in now.

        Now, you've mentioned surveys to bolster your argument. In most surveys, most Brits didn't know about the impending (now delayed) porn block. Think they'll still support censorship when they're being asked for proof of identity before watching their chosen fetish? What about when a future Govt decides that dwarves are immoral and blocks any sites carrying them?

        What about the Govt's self-confessed position that the porn-block may push users onto the darknet where they may be exposed to things that are much more extreme? (and yes, that includes CP).

        The IWF wants this positioned as a fight against paedophiles, but it's not that simplistic, and not by a very, very long stretch. 15 years ago, it would have been, but the courts and the Govt have perverted the underlying system and it was a given that at some point their tower of cards was going to come crashing down.

        Just one final point:

        > paedophiles should not be able to trade images online, and is happy for Cleanfeed to exist.)

        You do understand that Cleanfeed does precisely nothing to prevent this, and isn't even intended to do so right?

        Cleanfeed exists to stop people accidentally stumbling onto this type of content. The aim being to prevent someone who's not yet into child porn (or marginally so), stumbling upon it and then exploring looking for more.

        Those who are actively seeking it out already know about Cleanfeed, as well as the risks if they're caught and so take measures to bypass it. It was *always* understood that this would be the case.

        I mention this primarily because the protection of Cleanfeed isn't nearly what you're trying to portray it as. Pictures still get circulated (unfortunately) Cleanfeed just helps keep it from the sight of the general population.

      2. Paul Crawford Silver badge

        Re: Mozilla are only partly right

        The problem with 'Cleanfeed' is the lack of transparency and the on-going urge for governments to feature-creep it beyond the original goal of stopping kiddy pornography (which AFAIK is illegal in practically every country). First it was KP, then it was file-sharing, next it will be legal pr0n sites that don't follow the privacy-invading rules that the gov has proposed in response to red-top "readers". What next?

        It would be very simple to allow, and indeed encourage, the KP filtering aspect of cleanfeed/IWF to be supported by any of the participants in the DoH system, but sadly it seems the lack of transparency and restrictions on access will get in that way.

        But going back to basics, web browser DoH is a horrible kludge and a sad reminder that for many "internet access" is synonymous with web site, and ignoring ssh, pop/imap email, etc, etc. Really there ought to be a service in your router that translates UDP 53 requests to a secure query of the overall DNS system to avoid ISP-specific hacking about.

        Oh well, there is always a VPN for that...

        1. Ben Tasker Silver badge

          Re: Mozilla are only partly right

          I've just been catching up on mail threads and noticed this https://mailarchives.bentasker.co.uk/Mirrors/tor-talk/2019/07-Jul/msg00007.html

          > Mozilla has an interest in

          > potentially integrating more of Tor into Firefox, for the purposes of

          > providing a Super Private Browsing (SPB) mode for our users.

          Think the ISPA are upset now? Just wait until Firefox (potentially) brings Tor to the masses

          1. Raphael

            Re: Mozilla are only partly right

            Brave has a Tor mode for its Privacy mode.

      3. localzuk

        Re: Mozilla are only partly right

        The issue is the old "slippery slope" though. Cleanfeed is a great idea for blocking child porn. But it isn't just used for that any more.

        We have a system that is in place that is just begging to be abused by those who like to control the citizens more and more. Big brother and all that.

        What happens when we get someone more autocratic in power who decides to label Extinction Rebellion as eco-terrorists and ban their content from the net? Or ban an opposition politician's speeches? All entirely possible via the laws in place for our current filtering setup. We've built the infrastructure for it already.

        1. YetAnotherBob

          Re: Mozilla are only partly right

          It's already there. I live in the US. Trump is routinely blamed for things he never did or said, and comments to that effect are routinely deleted from all the major media forums. The Press here have joined in and never admit they lied. Not even after the full facts have come out, as they always do in the end. The haters also routinely get names of 'supporters' and then physically harass them. Often the harassers are police in the larger cities.

          Everybody knows it too.

          But, it's looking like his second term is going to be by a landslide. The opposition is relying on their own lies for their reception.

          Governments always try to increase their own personal power at the expense of the citizens. It's always been that way, and it probably always will be. That's why revolutions happen.

          Here though, a revolution can be implemented peacefully.

          I wonder if Britain has the same ability?

          After all, Americans are nearly all armed and everybody knows it. That's why the Germans and the Japanese never invaded during WWII. It's also why Switzerland hasn't been invaded since Napoleon.

          So, yes, we are in the middle of a mild revolution and it's driving the Powers That Be crazy.

      4. Brad Ackerman

        Re: Mozilla are only partly right

        Cleanfeed is an acceptable trade-off between your right to have unfettered access to information and children's rights not to have pictures of their being raped handed around the Internet. Society, through the standard method of voting for things, agrees.

        And yet multiple governments have totally failed to get Cleanfeed through Parliament. It's not even mandatory for ISPs to implement, let alone for customers to use; and the lack of transparency from its provider is the clearest indication one could possibly ask for that it doesn't do what you seem to think it does.

      5. Jamie Jones Silver badge

        Re: Mozilla are only partly right

        With the ease of getting VPNs, these ISP blocks are worse than useless. Worse, because they can no longer track someone who does look at illegal sick shit.

        But that aside, anything that relies on DNS lookups to block sites is unbelievably weak, it deserves to be broken.

        How is it an issue, anyway? Talk-Talk blocks sites by site accessed (DPI on the Host: header)

        That at least slightly works. If they have to block, other ISPs should do similar..

        Still, with things like eSNI and https everywhere, the government needs to realise that sooner or later they'll have to revert to the traditional way of catching perps.... No more police cuts to finance their vanity projects.

        1. Roopee

          Re: Talk-Talk blocks sites by site accessed

          Are you sure about Talk-Talk blocking sites by DPI on the Host: header? I found out that TalkTalk blocks the domain of my remote support provider Splashtop (and other similar ones such as TeamViewer), but I can easily get around it by changing the supportee's DNS to an uncensored alternative such as 4th Estate. From this I deduce that they filter via DNS, not DPI, but correct me if I'm wrong.

          1. Jamie Jones Silver badge

            Re: Talk-Talk blocks sites by site accessed

            Maybe they do both? I don't use their DNS - I run my own - nothing to do with blocking, I always have.

            Why would they block splashtop? Are they a pirate site? Have you got a url of theirs I can test? Well, just the address part..

            Try visiting http://www.thepiratebay.org/ from talk-talk, and you should see a message about the site being blocked by court order.

            Try https, https://www.thepiratebay.org/, and the connection is dropped after the SSL:

            jamie(root)@thompson% visdump port 443 and tcp &

            [1] 52239

            10:01 [2] (2) "/tmp" jamie(root)@thompson% lo0: netdump: listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes

            em0: netdump: listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes

            tun0: netdump: listening on tun0, link-type NULL (BSD loopback), capture size 262144 bytes

            10:01 [2] (2) "/tmp" jamie(root)@thompson% curl -4vvv https://www.thepiratebay.org/

            * Trying 104.27.217.28...

            * TCP_NODELAY set

            * Connected to www.thepiratebay.org (104.27.217.28) port 443 (#0)

            * ALPN, offering h2

            * ALPN, offering http/1.1

            * successfully set certificate verify locations:

            * CAfile: /usr/local/share/certs/ca-root-nss.crt

            CApath: /usr/local/share/certs

            * TLSv1.3 (OUT), TLS handshake, Client hello (1):

            * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.thepiratebay.org:443

            * Closing connection 0

            curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.thepiratebay.org:443

            em0: www.thepiratebay.org

            em0:

            em0: http/1.1
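            An added example, not code from the thread and not TalkTalk's: the capture above shows the ClientHello going out and the connection being dropped, and the `em0: www.thepiratebay.org` line is the server_name field that a DPI box can match on. The Python below does what such a box does with the first client-to-server packet of a connection: pull the hostname out of an HTTP/1.1 Host: header or the TLS ClientHello server_name extension and check it against a blocklist. Neither path depends on which resolver the client used, which is why DoH alone does not get past it. The ClientHello bytes and the blocklist are constructed for the demo; `build_client_hello` is a minimal constructor for test input, not a TLS implementation.

```python
"""Hostname extraction from the first client packet, as an ISP DPI box does it.

Added example, not code from the thread and not TalkTalk's. Works on an
HTTP/1.1 Host: header or a TLS ClientHello server_name extension; neither
depends on which resolver the client used, so DoH does not hide them.
The ClientHello builder and the blocklist are constructed for the demo.
"""
import struct

# Illustrative blocklist; the domain is the one tested in the thread.
BLOCKLIST = {"www.thepiratebay.org"}


def http_host(payload: bytes):
    """Host: header of a plaintext HTTP/1.x request, port stripped, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if b" HTTP/1." not in lines[0]:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello record, or None if absent/unparseable."""
    # record: type(1)=0x16 version(2) length(2); handshake: type(1)=0x01 length(3)
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    if len(body) < hs_len:
        return None  # ClientHello spans records; a real box reassembles first
    try:
        off = 2 + 32                                            # client_version + random
        off += 1 + body[off]                                    # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites
        off += 1 + body[off]                                    # compression_methods
        if off + 2 > len(body):
            return None                                         # no extensions block
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if etype == 0:                                      # server_name (RFC 6066)
                list_len = struct.unpack("!H", body[off:off + 2])[0]
                p = off + 2
                while p + 3 <= off + 2 + list_len:
                    ntype = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:                              # host_name
                        return body[p + 3:p + 3 + nlen].decode("ascii", "replace").lower()
                    p += 3 + nlen
            off += elen
    except (IndexError, struct.error):
        return None
    return None


def classify(first_packet: bytes):
    """('blocked'|'allowed'|'unknown', hostname) for one client-to-server packet."""
    host = http_host(first_packet) or tls_sni(first_packet)
    if host is None:
        return "unknown", None
    return ("blocked" if host in BLOCKLIST else "allowed"), host


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2-style ClientHello carrying only an SNI extension (demo input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # host_name entry
    sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0
    body = (b"\x03\x03" + bytes(32)                  # version + random (zeros: constructed)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(classify(b"GET / HTTP/1.1\r\nHost: www.thepiratebay.org\r\n\r\n"))
    print(classify(build_client_hello("www.thepiratebay.org")))
    print(classify(build_client_hello("example.com")))
```

            A ClientHello whose name lives only in an encrypted extension (eSNI as discussed at the time, ECH now) leaves `tls_sni` with nothing to return, so the connection falls into the "unknown" bucket; that, not the DNS lookup, is the part the Host:/SNI style of blocking depends on.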

            1. Anonymous Coward

              Re: Talk-Talk blocks sites by site accessed

              Splashtop and TeamViewer and that type I believe they block to stop those being used in those cons. The ones where your PC is infected, phone for Yahoo mail assistance etc., that get the user to allow them to remote connect.

              That is a setting as I have turned that off.

              https://www.thepiratebay.org/ did not know they blocked that

              AC as a Talk Talk customer! :D

        2. Anonymous Coward

          Re: Mozilla are only partly right

          With the ease of getting VPNs, these ISP blocks are worse than useless. Worse, because they can no longer track someone

          -----------------------------------------------

          This might be the best argument yet for ISP blocks - at least they would be doing some good by encouraging safe networked communication.

      6. thehealer

        Re: Mozilla are only partly right

        "...an acceptable trade-off between your right to do what you want and my right for you not to have a dangerous weapon."

        Your *right* for *me* not to have something? Who the hell made you the arbiter of my possessions? And fyi, it's still perfectly legal for law-abiding citizens to own firearms in this country, with the appropriate certificates. And every kitchen has knives, whether *you* like it or not.

        1. DavCrav Silver badge

          Re: Mozilla are only partly right

          "Your *right* for *me* not to have something? Who the hell made you the arbiter of my possessions?"

          Attitudes like that are why I don't want other people to have guns.

          1. Anonymous Coward

            Re: Mozilla are only partly right

            "Your *right* for *me* not to have something? Who the hell made you the arbiter of my possessions?"

            Attitudes like that are why I don't want other people to have guns.

            What? You mean that guy's attitude that he doesn't want to be told by 'you' what he can and cannot own? You may not want anybody in the UK to own a dangerous weapon, so that also means you don't want anybody to enjoy clay pigeon shooting because you are basically afraid of anybody owning a gun...

            You do realise that just in Kent alone, 25,000 men and women are licensed to own shotguns. What about the UK as a whole....

            Quote

            Most gun use is for sport. But there are still 1.3 million licensed shotguns in the UK – that's a bit less than one in every 64 people. There are also 535,000 legally licensed 'firearms' (basically any other type of gun that's not a shotgun). (19 Oct 2017)

            Over one million licensed shotguns in the UK. But you're quite happy to deny all those people their enjoyment or quite possibly their livelihood because you don't think anybody should own a dangerous weapon irrespective of what it's used for?

            1. Anonymous Coward

              Re: Mozilla are only partly right

              You are twisting his words, and you know it.

            2. Anonymous Coward

              Re: Mozilla are only partly right

              Welcome to the arrogance that is par for the course for such organizations and their supporters. The modern-day John Birches with their 'new' approach for the new 'reds'. Don't agree with them 100%? Yeah, they're 100% right we're against them if we're not with their draconian ways. In the meeting between Women Strike for Peace (WSP) and the House Committee on Un-American Activities (HUAC) they needed all the help they could get, and we do, too.

              Look at the "antis" phenomenon recently, where you have infamous Tumblr pages like "BeSureToActuallyRead" that keep getting pasted by the usual suspects. It's like there's a new mental illness out there evolved from ease-of-access for them.

            3. localzuk

              Re: Mozilla are only partly right

              Well, to be realistic about it - guns are still not a necessity for the citizens of the UK to go about their lives.

              If it came down to a choice between banning guns and increases in gun crime, I'd be leaning to the prior.

              However, that's not really what was said now was it. We live in a country with strict checks and rules, so that those who do have guns have a legitimate reason to do so, and are safe people to have them. It's why our gun crime is so low.

              So, realistically the OP is just talking about the controls our society places on such things, rather than outright banning them.

              That said, in answer to "Who the hell made you the arbiter of my possessions?" that one is easy to answer - the majority. Most people don't want every Tom, Dick and Harry having guns in the UK. You remember why the ban on handguns happened right? Your right to possessions extends right to the point where owning those things presents a threat to the lives of others.

              1. rg287 Silver badge

                Re: Mozilla are only partly right

                If it came down to a choice between banning guns and increases in gun crime, I'd be leaning to the prior.

                However, that's not really what was said now was it. We live in a country with strict checks and rules, so that those who do have guns have a legitimate reason to do so, and are safe people to have them. It's why our gun crime is so low.

                Our crime actually isn't that low. It can only be described as low by comparison to the USA, which is a meaningless comparison worthy only of politicians and charlatans.

                The UK has the most restrictive firearms legislation in Europe. Mainland UK (England/Scotland/Wales) is the only place in Europe where you cannot (with the proper license) possess a target pistol or semi-auto rifle for target shooting in an Approved Club.

                Having effectively banned all pistols and a big subset of rifles, you would expect our crime rates to be lower than our European counterparts. But the Intentional homicide rates for Europe (homicides per 100k people) tell a different story:

                [USA: 5.35]

                Finland: 1.42

                France: 1.35

                UK: 1.2

                Germany: 1.18

                Sweden: 1.08

                Denmark: 0.98

                Ireland: 0.8

                Italy: 0.67

                Poland: 0.67

                Austria: 0.66

                Spain: 0.63

                Czech Republic: 0.61 (everything up to AK47s, concealed carry permits available for pistols!)

                Netherlands: 0.55

                Switzerland: 0.54

                Norway: 0.51

                Anyone who tells you that "countries with more guns have more crime/murders" is a charlatan, using a very selective set of statistics - because every country on that list has more guns per capita and more gun owners per capita than the UK. But most have much better homicide rates!

                What makes the difference between the USA and everybody else is licensing. Once you have a sane and rigorous licensing system in place, actually banning specific types of firearm has negligible or even zero impact on firearms crime and violent crime.

                For instance, the most common firearm used in crime in the UK is a pistol. Well we banned them, so it can't be the fault of licensed shooters. They're certainly not coming from the white market because there isn't one! Quite simply it comes down to enforcement - i.e. the rise in UK violent crime since 2011 is attributable to cuts to frontline police numbers - not because we need to ban more guns. Anyone who tells you we need to ban more firearms to [cut crime/protect the public] is a liar or a fool. An outright ban on all firearms would not cut UK crime or homicide stats. Having more Police would, but that's expensive and doesn't make good headlines!

                We could actually wind back UK firearms licensing to a more European model with no negative impacts. Crime rates will track whether we maintain the austerity cuts to Police staffing, not whether people are allowed to shoot Olympic Target Pistol in Home Office Approved Clubs.

                1. BigSLitleP Silver badge

                  Re: Mozilla are only partly right

                  Loving the fact that you are calling other people on twisting stats while twisting stats yourself.

                  Which country has the lowest number of school shootings in Europe over the past 15 years?

                  The UK. 0.

                  Case closed, go home.

                  1. rg287 Silver badge

                    Re: Mozilla are only partly right

                    Loving the fact that you are calling other people on twisting stats while twisting stats yourself.

                    Which country has the lowest number of school shootings in Europe over the past 15 years?

                    The UK. 0.

                    Case closed, go home.

                    You seem to be saying that a higher homicide rate is acceptable provided that people are killed one at a time and are not geographically located in a school? Personally I think that the better system is one in which the fewest people are dead ¯\_(ツ)_/¯

                    Country : School Shootings last 15 years : Homicide Rate:

                    UK: 0 : 1.2

                    Denmark : 0 : 0.98

                    Italy: 0 : 0.67

                    Austria: 0 : 0.66

                    Portugal: 0 : 0.64

                    Gun ownership =!= correlate to firearms crime.

                    Competent enforcement of a rigorous licensing system & registry correlates to low firearms crime amongst legal owners (by ensuring legal ownership is restricted to people with legitimate use).

                    After that, the only effective solution is effective enforcement against organised criminal gangs.

                    Banning pistols in the UK has not prevented gang-on-gang firearms crime, nor has it lowered the homicide rate comparable to any other country in Europe.

                    1. localzuk

                      Re: Mozilla are only partly right

                      There's a minor issue with your stats - you are focused entirely on homicide, except guns deaths are far higher for other things too.

                      Gun deaths USA 2017 - 19.51 per 100,000. Compared to 0.23 in the UK in 2011 but it doesn't change a lot year to year.

                      When you look at gun ownership, there is a considerable increase in gun related suicides and accidents too. Sure, people commit suicide in other ways too, but there's nothing so permanent and easy as grabbing a gun... Most other methods take considerably more effort.

                      1. Dal90

                        Re: Mozilla are only partly right

                        >Most other methods take considerably more effort.

                        And are far less humane.

                        As a fundamental factor of personal autonomy, one should be allowed -- but not required as their only option -- to beg a doctor for poison. Why should the state have any more authority to require someone to live against their consent than they do to execute someone?

                      2. Anonymous Coward
                        Anonymous Coward

                        Re: Mozilla are only partly right

                        There's a minor issue with your stats - you are focused entirely on homicide, except guns deaths are far higher for other things too.

                        Gun deaths USA 2017 - 19.51 per 100,000. Compared to 0.23 in the UK in 2011 but it doesn't change a lot year to year.

                        When you look at gun ownership, there is a considerable increase in gun related suicides and accidents too. Sure, people commit suicide in other ways too, but there's nothing so permanent and easy as grabbing a gun... Most other methods take considerably more effort.

                        ---------------------------------------------------------------------------------------------------------------

                        Looking at firearms related suicides across countries is basically fishing for conflating variables.

                        Swallowing a bottle of pills (acetaminophen / Tylenol / whatever it's called in Britain) will do you in quite reliably; as will sleeping pills or enough vitamin D or enough opiate painkillers, and many of these are sold over the counter in unrestricted quantity in many countries, and exist in most first world houses.

                        Stepping off a bridge, balcony, or other tall thing is easy, requires no planning, and is both fast and reliable, with a proper site.

                        Grabbing a high tension line will do it in seconds, or poking on with a metal pole or pipe will also work.

                        Running a car in a closed garage is classic. So is turning on gas without lighting it.

                        Or you can hyperventilate, then swim down till you pass out... virtually foolproof, and no proof it was not an accident, for insurance purposes.

                        Similarly driving into water or a solid object at very high speeds.

                        Or breathing helium, argon, nitrogen, or a number of other gasses that are not oxygen.

                        Or stepping in front of a train, subway, streetcar, or big truck on a highway.

                        Curiously, few people make note of the fact that suicide is believed to be significantly under-reported, and about the least likely to be mistaken for an accident is blowing your own brains out.

                        Also, guns or not, the US comes in at 34th for suicide rate, trailing such notorious hot spots of gun violence as Belgium, Finland, and Japan. (For those not following the topic closely, Japan has some of the most stringent, draconian gun laws in the world.)

                        In many cities everyone has easy casual access to suicide opportunities. Restricting guns may cut the number of reported suicides, with a similar increase in 'accidents', or change the method, or a combination of the two. In most cases, method of suicide seems to be driven by social and cultural expectations and norms, not by the presence or absence of guns, while rates are undoubtedly based on a myriad of factors, social, psychological, cultural, economic, etc.

                        1. LucreLout Silver badge

                          Re: Mozilla are only partly right

                          Sure, people commit suicide in other ways too, but there's nothing so permanent and easy as grabbing a gun... Most other methods take considerably more effort.

                          Guns are easy to get in the UK. Certainly easy enough to kill yourself with - shotguns rarely miss at that range, and may be preferable to a small cal. rifle. And yet, people still jump in front of trains. I've been a commuter in the SE for 20ish years, and so far have been on 3 trains that someone has jumped in front of; That's not delays, that's being on the train that hit them. Presumably you now seek to ban trains?

                          Method of suicide is a fairly meaningless statistic and certainly not enough to warrant banning guns - more people OD and yet you can still buy OTC pain killers; still more are killed by transport and still we travel; more by falling off tall things and still we build.

                          There's only so much we can and should do to protect people from themselves; thereafter we should respect their wishes.

                          In terms of protection from others, homicide rate is the stat that matters. The rest is noise.

                  2. Cynic_999 Silver badge

                    Re: Mozilla are only partly right

                    ITYWF that there are quite a few other European countries with zero school shootings over the past 15 years. Not that it is all that relevant - as has been said, it is the total number of murders that is important

                2. graeme leggett

                  Re: Mozilla are only partly right

                  I see that the Czechs require passing a written and practical exam and a clean criminal record before a licence is issued.

                  An AK47 needs a specific valid reason to be given. In general the Czech gun laws seem comprehensive and thorough to achieve a balance between public safety and right to have a weapon for certain uses.

                3. Down not across Silver badge

                  Re: Mozilla are only partly right

                  Anyone who tells you that "countries with more guns have more crime/murders" is a charlatan, using a very selective set of statistics - because every country on that list has more guns per capita and more gun owners per capita than the UK. But most have much better homicide rates!

                  Case in point Finland. Higher homicide rate than UK. However that number doesn't tell you if it was gun related. I recall Finland comes about 4th in number of firearms per capita, ownership of which is tightly regulated; however guns are only a factor in ~14% of the homicides.

                  1. localzuk

                    Re: Mozilla are only partly right

                    Interestingly, Finland has a much higher gun deaths per capita rate than the UK - 3.25 per 100,000 to 0.23 in the UK. They have a moderately higher intentional homicide rate (1.4 to 1.2) also, and a considerably higher level of suicide - 13.8 per 100k to 7.6 in the UK.

                    So, not a great choice, statistically.

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Mozilla are only partly right

                      Interestingly, Finland has a much higher gun deaths per capita rate than the UK - 3.25 per 100,000 to 0.23 in the UK. They have a moderately higher intentional homicide rate (1.4 to 1.2) also, and a considerably higher level of suicide - 13.8 per 100k to 7.6 in the UK.

                      So, not a great choice, statistically.

                      -------------------------------------------------------------------------------------------------------------------------

                      They also live in a far northern location beside a large potentially dangerous country.

                      The north is important - in the Yukon and North West Territories violence and suicide seem to spike more when the sun never sets than when it never rises.

                      All sorts of factors not reflected by naked numbers.

                      1. localzuk

                        Re: Mozilla are only partly right

                        Oh, those were just *gun* suicide and homicide rates.

                        If they didn't have so many guns, I suspect both rates would drop, as both are harder to do with other methods.

                4. Anonymous Coward
                  Anonymous Coward

                  Re: Mozilla are only partly right

                  "Czech Republic: 0.61 (everything upto AK47s, concealed carry permits available for pistols!)"

                  Not quite.

                  Any handgun permit includes, automatically, the right to carry two concealed handguns with a round in the chamber. If you carry a third, you can't actually have a round in the chamber, but AFAIK, you can have a loaded magazine in the handgun.

                  Given their low homicide rate, half that of the UK, it would seem that the issues are more about the society and culture, and less about the general availability of firearms.

                  "Switzerland: 0.54"

                  Where many homes contain a real assault rifle - the military tool, not the nerfed purely semi-automatic/cosmetic 'assault weapon' that is the propaganda staple of gun banners - AND THOSE GUNS ARE NOT COUNTED BY THE MOST CITED SOURCE FOR CIVILIAN GUN OWNERSHIP BECAUSE THEY ARE PROVIDED BY THE GOVERNMENT... making skewing the statistics to understate the fundamental irrelevance of widespread gun access much easier.

            4. Omgwtfbbqtime Silver badge
              Facepalm

              Re: Mozilla are only partly right

              So glad my 60lb recurve with broadheads is not a firearm.

          2. LucreLout Silver badge

            Re: Mozilla are only partly right

            Attitudes like that are why I don't want other people to have guns.

            Other people have guns. You're going to have to accept it, because it is now and always will be a fact. You have to go back a ways to find the last person killed with a legally held gun, while you don't even have to go back to last week for the most recent killing with an illegally held gun.

            Attitudes like yours are what always leads to fascism. Sorry, but it just does. Outside of very restricted cases, "your" rights cannot trump "my" rights or neither of us can have rights.

          3. YetAnotherBob

            Re: Mozilla are only partly right

            Uh, you do realize don't you that a ball point pen can be used to kill someone?

            Hammers and nails are also potentially lethal.

            Then there are cars. Automobiles are much more dangerous than are most pistols. Rapid Iron Poisoning. Two tons of Iron eighty Kilometers per, Lethal!!!

            So if you're going to ban all weapons, well, there is almost nothing that you can be allowed to keep. Silverware is dangerous in the right hands or with the right disposition. Many people have been killed by plates or other crockery. Where does it end?

        2. Anonymous Coward
          Anonymous Coward

          Re: Mozilla are only partly right

          Yeah damnit. What right has anyone to stop me having sarin, anthrax, semtex, and of course, a couple of nukes?

          1. Anonymous Coward
            Anonymous Coward

            Re: Mozilla are only partly right

            "Yeah damnit. What right has anyone to stop me having sarin, anthrax, semtex, and of course, a couple of nukes?"

            Good point, but I think I'd like safe storage regulations for the nuclear weapons and nerve gas, and any P4 worthy biological agents. If you are going to have them in a populated area, you should take care of them properly.

      7. Anonymous Coward
        Anonymous Coward

        Re: Mozilla are only partly right

        Stopping people accessing kiddie porn is nothing like stopping people from accessing guns. Kiddie porn is illegal in the UK; owning a gun isn't. I own several. The purpose of the firearms licensing regime is to ensure that only people who have been background checked, completed an appropriate course in safety/skills, have a legitimate reason to own a gun and are mentally suitable to hold that responsibility can do so. It also ensures traceability of weapons if it is suspected a crime has been committed. With these checks in place, I believe owning a gun is no more dangerous than being allowed to drive a car. Both can cause serious injury or death if used improperly or inappropriately. Gun owners are some of the most law-abiding people I know as things like dangerous/careless driving, drink driving and multiple speeding convictions or anything that gives the impression you don't have respect for the law are likely to result in the loss of your firearms certificate; If you don't drive responsibly with regard to the effects of your behaviour on others' safety, you can't be trusted to handle a gun responsibly and are unsuitable.

        When I moved house, I only had a choice of one ISP that wasn't horrifically slow due to local cabling issues. They aren't particularly good. I have changed the resolver settings in my router away from my ISP's DNS. I didn't do this because I wanted to access illegal or unlawful content but because my ISP's DNS was crap (excessive latency and random failures, plus they ignore the DNS TTL value, which was a real pain in the arse when I was doing a server migration for one of the services I run and turned the TTL down to 15 minutes before changeover but they decided to return the old DNS record for 2 weeks anyway.)

        I have a problem with the lack of transparency of the Cleanfeed system. It's run by the IWF as a closed system with, as far as I know, no independent oversight and it's a violation of the service agreement to open the blocklist and look at what's inside. The standard implementation I am aware of is to redirect blocked requests to a cache that doesn't return content so the user sees a timeout rather than knowing their request was blocked. I would be much more in favour of a system that returned a page stating the content was blocked. In my view, this would give an important safeguard against abuse of the list to block content that the IWF just doesn't like, such as articles critical of the IWF or content they don't agree with politically as it would make the blocking visible. I wouldn't shed any tears if someone leaked a copy of the list to a foreign security researcher who could do an independent audit of it to find out to what extent it may be being abused. I view whether I trust the current government as irrelevant. I have no idea who may be elected in 5 or 50 years so I don't know if they will be able to be trusted. This system mission creep is, in my view, ripe for abuse and has handed every future government an instrument of control if they're bad.

        As is stated by others, I also believe that this system does nothing to stop those really intent on acquiring illegal content. Instructions on how to bypass it are almost certainly being circulated by these people as we speak.

        Posted AC because part of responsible gun ownership is to not let it be widely known guns may be in my home which might encourage criminals to break in and try to steal them.

        1. Roland6 Silver badge

          Re: Mozilla are only partly right

          Re: I believe owning a gun is no more dangerous than being allowed to drive a car. Both can cause serious injury or death if used improperly or inappropriately.

          Possibly in some abstract sense, however, we should not overlook the power of the licencing scheme that keeps the number of guns in circulation down and creates a sense of responsibility.

          We only need to look at the level of car crime/accidents by those who have no insurance, no licence etc. to see that people's attitudes to cars are very different to guns.

          1. Loyal Commenter Silver badge

            Re: Mozilla are only partly right

            We only need to look at the level of car crime/accidents by those who have no insurance, no licence etc. to see that peoples attitudes to cars is very different to guns.

            Then again, you only have to look at the number of shootings by those who have no firearms licence etc. to see that criminals' attitude to guns is the same as their attitude towards cars. It's just that cars are somewhat more common in the UK.

        2. Anonymous Coward
          Anonymous Coward

          Re: Mozilla are only partly right

          "Posted AC because part of responsible gun ownership is to not let it be widely known guns may be in my home which might encourage criminals to break in and try to steal them."

          Excellent point.

          I happen to know that there are a few hundred thousand more people in my city with firearms licences than most of the public realize.

          We just don't talk about it.

      8. Curt Vile

        Re: Mozilla are only partly right

        Cleanfeed is 100% irrelevant due to the existence of Tor and VPNs. Its only purpose is to allow the witless dullards in government to point to it and say "Look! Look! We're doing something!" If they were really serious about curtailing pedos, they would regulate Tor and VPNs.

      9. LucreLout Silver badge

        Re: Mozilla are only partly right

        We think that curtailing people's freedom to buy guns in the UK is an acceptable trade-off between your right to do what you want and my right for you not to have a dangerous weapon.

        Unfortunately you have no such right. People can still routinely access shotguns, bladed weapons, clubs, etc. With MMA or steroids they can make themselves the weapon. I'm genuinely puzzled why you think you might have such a right and why you might think you would want same.

    2. Robert Carnegie Silver badge

      Re: Mozilla are only partly right

      I'm a bit hazy on how DNS with privacy prevents blocking of access to illegal pornography. If the pornography is on the server with IP address 111.222.333.444 then you can just input that number to get there, no DNS involved. So, banning use of uncensored DNS doesn't stop the pornography...? Conversely, the government could just block the IP address...

      1. Charles 9 Silver badge

        Re: Mozilla are only partly right

        Multi-hosting filtered via SNI means the illegal server can be hidden among legitimate ones, and just entering the IP won't work (it'll go to the default server instead).

        1. Paul

          Re: Mozilla are only partly right

          That's true, but a really canny website could require people to put the hostname/ip address into their local hosts file and thus not need to appear in the public DNS

      2. Spoonguard
        Alert

        Re: Mozilla are only partly right

        well, firstly 333.444 isn't a valid host address; secondly, IP blocking is quite counterproductive given how much IPv4 addresses are reused these days.

        1. Baldrickk Silver badge

          Re: Mozilla are only partly right

          nnn.nnn.nnn.nnn isn't a valid IP either, but we all know what it's representing.

          1. adam 40 Bronze badge

            Re: Mozilla are only partly right

            What, either one of:

            111.111.111.111

            or

            222.222.222.222

    3. big_D Silver badge

      Re: Mozilla are only partly right

      On the other hand, I run my own private DNS server and want all DNS queries going over my filtered DNS set (I use Pi-Hole to block a lot of tracking domains). If DoH bypasses my filtered list, that is a bad thing.

      If I point DNS at my own, private DNS server apps should respect that!

      1. Charles 9 Silver badge

        Re: Mozilla are only partly right

        What about the points BETWEEN you and your private DNS server? What's to stop them altering it midflight? Or, failing that, just blocking the traffic wholesale if it doesn't decrypt with the ISP's certificate? That's what DoH is designed to prevent while still being accessible to Facebook Pharkas.

        1. big_D Silver badge

          Re: Mozilla are only partly right

          There is nothing between me and my private DNS server, it is on the same segment and pulls original records from Quad 9 using DNS over HTTPS or DNSSEC.

          1. Charles 9 Silver badge

            Re: Mozilla are only partly right

            I'm saying what's to stop Quad 9's records being altered without your knowledge. It's not like you have any truly reliable way to check on the fly.
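                To make concrete what big_D and Charles 9 are arguing about, here is an added example (editor's code, not something posted by either of them or shipped by Firefox, Pi-hole or Quad9) of what a DoH exchange carries. RFC 8484 wraps an ordinary RFC 1035 wire-format DNS message in an HTTPS request, so a LAN resolver such as a Pi-hole never sees the question: it leaves the browser as TLS to port 443 of whatever DoH endpoint the application was configured with. The resolver URL and the sample response bytes below are constructed for illustration; the GET-form encoding is checked against the worked example in RFC 8484 itself.

```python
import base64
import struct
from typing import List, Optional, Tuple

A_RECORD = 1
IN_CLASS = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 s3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = A_RECORD) -> bytes:
    """Wire-format query. RFC 8484 recommends ID 0 so the GET form is cache-friendly;
    spoofing protection comes from TLS, not from the ID, in DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the whole DNS message, base64url without '=' padding,
    in the 'dns' query parameter. The POST form sends the same bytes as the
    body with Content-Type: application/dns-message."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, int, str]]]:
    """Parse header, skip the question, decode answers.
    Returns (rcode, [(name, rtype, ttl, rdata_as_text)])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


def build_a_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed sample answer for this example (in real use it arrives as the
    HTTPS response body). Reuses the question and points the answer name at it."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, NOERROR
    question = query[12:]
    rr = struct.pack("!H", 0xC00C)  # pointer to the name at offset 12
    rr += struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4)
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("www.example.com")
    # Assumed endpoint URL, for illustration only.
    print(doh_get_url("https://doh.example.net/dns-query", q))
    print(parse_response(build_a_response(q, "93.184.216.34", 300)))
```

Nothing in the URL or body is visible to a resolver on the LAN: the path, the `dns` parameter and the response are all inside TLS, which is exactly why a Pi-hole blocklist cannot apply to a browser that has its own DoH endpoint configured.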

  4. Tromos
    FAIL

    Undermine?

    How is it possible to undermine something that has no basis, no foundation, no support, nothing to prop it up and has generally been in free fall since inception?

    1. Charlie Clark Silver badge

      Re: Undermine?

      It's a figleaf for when they have to provide reports to the police or Home Office as to how effective they've been at filtering, which they're not at all keen on doing. They are, however, keen on collecting everyone's DNS requests for commercial purposes.

  5. VicMortimer
    Pirate

    So they're planning on using DNS filtering?

    At least that should make it easier for you guys to route around the damage.

    1. Ben Tasker Silver badge

      They use DNS as a first step to block the low hanging fruit, and then use DPI to look at SNI later on (or, if you're still on port 80, the Host header)

      1. Charles 9 Silver badge

        What happens if the SNI is encrypted? Or will they ban TLS 1.3?
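        An added example (editor's code, not from Ben Tasker's or Charles 9's posts, and not any ISP's actual filter) of the DPI step described above: pull the `server_name` out of the first TLS record of a connection, which is all a middlebox needs for SNI-based blocking and, equally, for spotting connections to DoH resolvers. The ClientHello bytes are constructed here rather than captured. Plain TLS 1.3 does not answer Charles 9's question, because the SNI extension is still cleartext in it; only Encrypted Client Hello (ECH, successor to the ESNI draft) hides it, and against ECH this parser only ever sees the public name of the client-facing server. The list of DoH hostnames is an assumption for illustration.

```python
import struct
from typing import Optional

SNI_EXTENSION = 0x0000
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01

# Assumed, illustrative list of public DoH endpoints a filter might watch for.
KNOWN_DOH_HOSTS = {"mozilla.cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record for the example (TLS 1.2/1.3 framing)."""
    body = b"\x03\x03" + b"\x00" * 32        # client_version + random (zeros; constructed)
    body += b"\x00"                          # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                      # one compression method: null
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type=host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from the SNI extension of a ClientHello record, else None.
    Truncated or non-TLS input yields None rather than an exception."""
    try:
        if record[0] != HANDSHAKE:
            return None
        hs_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + hs_len]
        if hs[0] != CLIENT_HELLO:
            return None
        off = 4 + 2 + 32                      # type+length, version, random
        off += 1 + hs[off]                    # session id
        off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher suites
        off += 1 + hs[off]                    # compression methods
        if off + 2 > len(hs):
            return None                       # legacy hello with no extensions
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            data = hs[off:off + elen]
            off += elen
            if etype != SNI_EXTENSION:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def classify(record: bytes, known_doh=KNOWN_DOH_HOSTS) -> str:
    """What a DPI box can say about a connection from its ClientHello alone."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"          # ECH, a legacy client, or not TLS at all
    return "doh-endpoint" if sni in known_doh else "other"


if __name__ == "__main__":
    for host in ("mozilla.cloudflare-dns.com", "www.example.org", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), classify(rec))
```

The `no-sni` outcome is the interesting one for the question above: a filter that relies on this field has nothing to act on once the real name moves into the encrypted inner ClientHello, which leaves it the choice Charles 9 hints at, tolerate it or block the whole class of connection.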

  6. Robin Bradshaw

    SHH dont tell anyone

    While the people who are making money off the back of the insecurity of the current DNS system are pissing and moaning about their revenue stream drying up, they seem to have missed that Google slipped DNS over TLS into Android 9.

  7. mark l 2 Silver badge
    FAIL

    How is DoH any different than someone using a VPN to bypass filtering by their ISP? I would say more people probably use those than DoH through FF since FF has quite a small market share.

    There is nothing to stop the ISP's offering their own DoH DNS servers that their customers can connect to those and the ISP can then filter the results from the cleanfeed list.

    1. Ben Tasker Silver badge

      Their concern is (AIUI) very much that browsers are much more of a "general" product, and so used by a greater proportion of users (as small as FF's market share as a %age might be, that's still a lot of people).

      Also, it's not ultimately just going to be Firefox that supports this.

      Though, if we take that first argument, Opera is a browser and I don't seem to remember them complaining when it got VPN functionality built into it.

      The problem with ISPs offering their own DoH server is that (as it stands) you'd need to manually configure it, there's no way for them to push an auto-config down to you. They'd also need to be globally accessible/usable so that when you go out and about onto other networks with your mobile/laptop resolution doesn't break (because that new network can't autoconfig you either).

      It's not something that can't be addressed, but does still complicate things a bit

    2. Paul Crawford Silver badge

      The reason many want this is to stop their ISPs from meddling in DNS queries, both for advertisement/privacy reasons and to bypass government filters that are about vote-winning populist "morality" instead of serious crime.

    3. Roland6 Silver badge

      >How is DoH any different than someone using a VPN to bypass filtering by their ISP?

      I choose which VPN client software I use, I choose which VPN service I use, I choose when I use the VPN service, I choose when I wish to change VPN service providers...

      The problem of DoH is that with the implementation where it is bundled into the browser, so install Firefox and you get Mozilla DOH by default, I assume Chrome will use a different built-in DoH service...

      I expect that enterprise routers/firewalls will introduce DoH traffic redirection/filtering rules, which may break some client implementations and so require RFC 7858 to be updated and made more open and compliant with the principles behind the Internet...

      1. Brad Ackerman

        An organization that cares about DoH usage inside its network probably also has either HBSS or break-and-inspect; even without such measures, both Firefox and Chrome should use whatever DoH server the GPOs tell them to use.

  8. Anonymous Coward
    Anonymous Coward

    Well that looks like a database revenue stream down the toilet that ISPs can no longer sell on.

    1. Graham Cobb

      Yes, that is my guess why UK ISPA really care. There is little business reason why ISPs would be supporting filtering. But they certainly support knowing as much as possible about what their users are doing. Even if they aren't selling personalised information they are certainly selling aggregate information.

      1. DougS Silver badge

        Yep

        The moment I heard about this I knew they were really miffed because it will curtail their ability to sell data on their users if people's DNS queries are hidden from their view.

        I'm surprised they didn't come out against browser plans to do 'HTTPS everywhere' since that's even worse for them. Or maybe they did and I missed it?

      2. The Rambling Man

        They do indeed have prior Phorm.

  9. Doctor Syntax Silver badge

    "But some organizations worry improved privacy will protect lawbreakers."

    A good test in these moral quandaries is this: "Is it based on the presumption of innocence?".

    1. ThatOne Silver badge
      Devil

      > presumption of innocence

      Such a quaint, outdated notion, from an old, humanist world long gone...

  10. LDS Silver badge

    Google: "making them subject to surveillance"

    I think Google meant "making them subject to surveillance outside Google control, and without Google monetization and filtering"

    1. Anonymous Coward
      Anonymous Coward

      Re: Google: "making them subject to surveillance"

      >I think Google meant...

      Google doesn't bother me so much as it's "just ad business" which I can understand the $ sign but it's those with political machinations afoot and social engineers that give me the willies.

      1. LDS Silver badge

        "Google doesn't bother me so much as it's "just ad business"

        Do you believe that giving a corporation so much power about people's data is less dangerous? You are really naive, especially since it takes very little for a corporation with such power to get involved in political machinations and social engineering to increase its power and profits. And it could be far more opaque and less accountable.

        1. Charles 9 Silver badge

          Re: "Google doesn't bother me so much as it's "just ad business"

          What's to stop people changing the DoH server setting to a third party? Or even a first party (as in one of their own)?

          1. LDS Silver badge

            Re: "Google doesn't bother me so much as it's "just ad business"

            The problem will be how many DoH servers will be available, and how software will embed a few ones.

        2. Anonymous Coward
          Anonymous Coward

          Re: "Google doesn't bother me so much as it's "just ad business"

          >Do you believe that giving a corporation so much power about people's data is less dangerous?

          Hmm, let's do a quick financial comparison:

          Google Revenue $136bn

          US Gov Federal Tax revenue $3.5tn, Military spend $650bn

          Now tell me who you fear most ?

          The No 1 corporation in any state is always the Government and it likes to keep it that way, the British Government took over the East India Company not the other way around when it became too big for its boots.

          1. LDS Silver badge

            'The No 1 corporation in any state is always the Government'

            Comparing oranges and apples? State taxes are very different from company revenues and profits.

            Not sparingly Eisenhower warned about the meddling of powerful companies and government.

            If you can't understand the difference, you should invite more knowledgeable people at your Tea Parties.

            1. Anonymous Coward
              Anonymous Coward

              Re: 'The No 1 corporation in any state is always the Government'

              >Comparing oranges and apples? State taxes are very different from company revenues and profits.

              Are they ?

              I think you need an economics 101, taxes are state revenue used to deliver goods and services somewhere in the middle of a perfectly capitalist economy (actually no state in theory) or a perfect communist economy where there is no private enterprise.

              >you should invite more knowledgeable people at your Tea Parties.

              Also please stop being both supercilious and condescending, it only makes you look bad.

              1. Graham Cobb

                Re: 'The No 1 corporation in any state is always the Government'

                If you want to stop being treated with condescension I suggest putting your name to your posts.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: 'The No 1 corporation in any state is always the Government'

                  >If you want to stop being treated with condescension I suggest putting your name to your posts.

                  Such as what, Ivor Biggun, Ben Dover, Mike Hunt or do you suggest I use a real name and address along with pictures of me and my family ?

                  Names are quite irrelevant and shouldn't detract from the discussion, lack of them isn't an excuse for rudeness.

  11. Anonymous Coward
    Anonymous Coward

    I've just tried this. You can enable it in firefox. However it does not bypass blocked sites. Could anyone explain why? Are they telling the truth here or not?

    1. Jamie Jones Silver badge

      As I posted elsewhere, many ISPs block by either IP address, or "Host:" header. (via DPI)

      I know Talk-Talk operates this way. ("Host" header)

      Are you with talk-talk?

      This makes the whole issue moot - even if there are ISPs that use the obviously weak DNS method, they could switch to DPI (admittedly the equipment costs would be higher, but why should the people who maintain the lists care?), so I wonder what the real reasons for their complaints are...

      1. Anonymous Coward
        Anonymous Coward

        Virgin. I'm with you on that, if this doesn't unblock sites then we are back to real issue they have which is snooping.

        I've tried bypassing it before, it resolves the IP address but then blocks it.

        For reference and if others wish to try,

        Firefox > about:config

        network.trr.mode set to 2

        then network.trr.url set to one of the ones on this, https://github.com/curl/curl/wiki/DNS-over-HTTPS

        Default option is https://cloudflare-dns.com/dns-query

        1. disorder

          I had issues on the FF ESR release a few months ago, after I configured this where I turned this off.

          Thanks ISPA for complaining. I turned it back on.

        2. Anonymous Coward
          Anonymous Coward

          Many (many) thanks. :-)

    2. Mike007

      Because they don't do filtering at the DNS level, they MITM traffic and filter HTTP requests and TLS handshakes... meaning that DoH actually does nothing at all in relation to their filtering.

      (At least for Virgin Media who I have checked, I assume other ISPs do the same as they use the same feeds...)

      Of course TLS1.3 might cause a little bit of a problem for them, because they will have to switch to DNS based filtering - Turn on EncryptedSNI and try https://TPB again... (it should work even without DoH for the time being, although I haven't tested if Firefox imposes artificial restrictions that require DoH to be enabled as well)

      1. Anonymous Coward
        Anonymous Coward

        Still no dice with EncryptedSNI on Virgin with DoH enabled.

        1. Mike007

          You need to restart your browser for the setting to change, however I found that it still didn't start working straight away... suddenly started working when I tried again the following day. (caching somewhere?)

          Check Encrypted SNI is working properly: https://encryptedsni.com/

          Once I started getting positive results on there I was able to reach TPB over virgin media without any issues... (although you do need to manually specify HTTPS the first time, as the redirector on HTTP will still be filtered)

      2. rg287 Silver badge

        (At least for Virgin Media who I have checked, I assume other ISPs do the same as they use the same feeds...)

        Yes, they do these days.

        Time was that changing your DNS from BT's internal DNS to a third party provider (Google/OpenDNS) would get you back on TPB. Not these days. I assume when it got a point where they couldn't credibly argue that their "block" was even remotely effective they had to go from simply poisoning their DNS servers to actively inspecting headers/IPs and blocking traffic.

        1. Charles 9 Silver badge

          I thought they just hijacked port 53 so that ANYTHING going to that port gets handled by the ISP. DoT specifically won't stop this because it still uses a dedicated port which can be hijacked wholesale.

  12. Anonymous Coward
    Anonymous Coward

    Let's be clear

    Although it is a very minor fix, use of this security feature cannot be described as anything but a good thing. If HMG wants to invade my privacy by using an obsolete feature of internet protocols, that is them behaving badly, not the people that are working to stop attacks.

    If kiddy fiddlers are technically aware, they will be taking measures to prevent detection anyway. If they aren't, they will be using IE or Edge and will get the knock on the door that they deserve!

  13. Anonymous Coward
    Anonymous Coward

    Can someone explain:

    What business UK ISPs have spying on their customers?

    Why are they apparently getting upset they won't be able to anymore?

    If they literally can't technically implement court ordered censorship, why is that their problem?

    And by implication, do UK courts really have the authority to ban the internet to UK citizens because ISPs can't enforce the censorship?

    1. Dan 55 Silver badge

      Re: Can someone explain:

      What business UK ISPs have spying on their customers?

      They have to implement the Snooper's Charter.

      Those that use DNS would have to find another more expensive way of doing it (e.g. DPI everything), so I guess there'll be a similar complaint soon about ESNI.

      1. Charles 9 Silver badge

        Re: Can someone explain:

        I wonder if ISPs will be forced to go full encrypted proxy as a counter...

  14. FrankAlphaXII
    Childcatcher

    Think of the Children (and the spies!)

    Its very telling that the UK's ISPA is so dead set against this, because it'll make collection efforts targeting the unencrypted DNS by GCHQ that much harder. I expect that the usual suspects here in the US will as well, especially ARTIFICE (Verizon) and LITHIUM (AT&T). And unlike President Annoying Orange here who thinks that NSA/CSS and the rest of the TLAs are out to get him, neither Johnson nor Hunt is that paranoid over in your little slice of hell.

    1. RegGuy1

      Re: Think of the Children (and the spies!)

      Upvoted for President Annoying Orange -- not heard that before.

  15. Claverhouse Silver badge
    Holmes

    Cognitive Conflict

    The ISP group's other contenders for the title of "internet villain" include the Article 13 Copyright Directive, for threatening free speech online

    As the same ISPS lambast Mozilla for not enabling them to destroy free speech online...

    1. Doctor Syntax Silver badge

      Re: Cognitive Conflict

      From what the report says their problem is with Mozilla making it more difficult for them to do what HMG is telling them to do. Perhaps they think that having a go at the govt. directly is a bit too risky. Having a go at an EU directive is more likely to win them brownie points with either of the current contenders or with Corbyn should the worst come to the worst.

      1. Adrian 4 Silver badge

        Re: Cognitive Conflict

        I nominate ISPA for discouraging DNS security.

        I don't believe they're required to effectively block politically unpopular sites. Because that would be impossible. They're just required to implement the approved scheme that claims, falsely, to do that. Which, of course, as is the nature of such things, works only for certain chosen circumstances.

      2. sabroni Silver badge

        Re: or with Corbyn should the worst come to the worst.

        The fact you can look at bojo and cunt and then say that Corbyn is the worst outcome is telling.

        Only one of those three is looking at Brexit as a chance to make things better for the plebs. Two of them are in it for the profit it'll make them and their mates.

        So it's the idea of someone thinking of the proles that's so distressing?

        1. scrubber
          Trollface

          Re: or with Corbyn should the worst come to the worst.

          So it's the idea of someone thinking of the proles that's so distressing?

          I thought the whole point of Brexit was to get rid of the proles?

          1. JassMan Silver badge

            Re: or with Corbyn should the worst come to the worst.

            Talk of Brexit is seriously off topic here but since you brought it up.

            No political entity ever votes to get rid of themselves, the idea of Brexit was almost certainly not to commit genocide and exterminate proles. Nor was it a way of getting back at the Liberal elite, since the last time the Liberals were in power (as opposed to coalition) is beyond living memory for over 70% of the population and Liberals have never been elitist anyway. The real reason for Brexit was that a small percentage of the population who have never done a day's work in their lives but mostly have right wing tendencies of various degrees, worked out how to lie to the public in a way they would not believe they were being conned. Those same people will either make a massive fortune from Brexit or are friends with others who are happy to share the ill gotten gains of Brexit. Remainers were accused of lying when they said we would all be worse off after Brexit, yet the likes of Boris and Nigel keep repeating that all is well. 2 points (a) we haven't actually left yet so of course things are not as bad as they are going to get. (b) your buying power if you travel is at least 15% less than before the vote, and if you buy at home you get less but don't actually notice because of shrinkflation.

            Don't even mention all the wonderful trade deals we will be able to do with hundreds of countries, most of whom have a GDP less than a medium size UK town

  16. Anonymous Coward
    Anonymous Coward

    VPNs

    I'm surprised ISPA aren't bleating about people having VPNs. Those do all of the above plus cost the ISPs money by increasing their bandwidth usage as they can't cache static content in web pages fetched over a VPN. It might be true that their complaints are motivated by this affecting their ability to hand over "Internet connection records" to law enforcement. With a VPN, they can at least say they recorded a connection to the VPN server and 16GB of data being shifted which seems to satisfy their obligations as they're not required to report what that data was.

    1. Paul Crawford Silver badge

      Re: "they can't cache static content"

      I think that ship sailed with the proliferation of https use...

      1. Ben Tasker Silver badge

        Re: "they can't cache static content"

        Not really, it's just that the model has changed. Nowadays, the ISPs partner with various CDNs to host delivery appliances on-net so that anything served by those CDNs doesn't hit their peering bandwidth (well, origin fetches aside). Because the CDNs are, to the end user, the origin of the content they terminate SSL.

        Those are also impacted by VPNs

  17. Anonymous Coward
    Anonymous Coward

    Call me childish, and infantile ...

    but the second I read that the UKISPA had decided this was A Bad Thing, I suddenly felt a hundred times more justified in using a secure pihole on my network.

    If it gets as far as the Home Secretary grumbling I'll feel 1000 times more justified.

  18. Claptrap314 Silver badge
    Stop

    Didn't there used to be a horse inside this barn?

    So far as legislation goes, this is in the same class as strong encryption. The smart crims are already using some version of this, and it is impossible to prove it's even being used.

    Technically, I really, REALLY prefer to control bind myself. I'm fed up with Mozilla, and I trust Google about half as far as I can throw the whole organization. Unlike https, a technical compromise of the browser, by design, would be really, really hard to detect. Is it good for "everyone" to obfuscate dns lookups? Of course. Is it good to funnel 99.999% of dns calls through a handful of entities? Uh, no.

  19. Anonymous Coward
    Anonymous Coward

    as to bypass UK filtering obligations

    ISPs don't give a flying (...) about legality, until they're implied as law-breakers themselves. So, their suspiciously strong moral stand is possibly related to... MONEY? Do they sell data off the DNS requests made by their punters perhaps? Never mind money from advertising for any mistyped web address...

    1. BanburyBill

      Re: as to bypass UK filtering obligations

      I've talked to network ops who don't give a toss about your personal data, but have malware interdiction on their minds. Spotting then blocking malware by perturbing the DNS names the malware uses is, they say, common practice, easy and cheap. Do away with it overnight, and watch the malware volume on their networks explode. They fear that for this, and regulatory reasons, they will now be forced towards deep inspection/MiMing your traffic, having to spend a truckload of money on the kit to do that, and end up in a world with less overall privacy as a result.

      Also, given Mozilla's direction has been to redirecting your DNS to CloudFlare without even an opt-in, only an opt-out which might be designed to ensure the tech naive will click without understanding it? That's good for everyone's privacy? Really?

  20. adam payne Silver badge

    Mozilla insists that its goal is to build a more secure internet and that it continues to have a constructive conversation about security with "credible stakeholders in the UK." The company didn't say whether it considers the ISPA to be a credible stakeholder.

    I think the statement speaks for itself, that would be a no then.

  21. beast666

    The winner of internet villain 2019 is...

    The BBC News website

    1. Anonymous Coward
      Anonymous Coward

      Re: The winner of internet villain 2019 is BBC News website

      How so? I thought the villain was the bbc iplayer site?

    2. Paul Crawford Silver badge

      Re: The winner of internet villain 2019 is...

      Yes, sadly the BBC is still trying to get you to install flash to play videos!

  22. Marjolica
    Devil

    Are ISPs already sabotaging Firefox DoH?

    I enabled the Firefox/Cloudflare DoH on my Firefox-esr (v60.7.2) a few days ago and all was working OK. Thawed my computer this morning and Firefox started to crash. I had a lot of tabs open and lost them. Started to re-enter the ones I use regularly (eg. El Reg), when I got to Google Calendar it crashed again. Crashes re-occurred on other Google sites. Repeated attempts led to repeated crashes, each more severe than the last to the extent that the browser wouldn't stay open unless I disconnected the WiFi. Firefox on Android, that I hadn't enabled for DoH, was still working.

    Disabled the DoH (network.trr.mode=0) while offline and now I'm happily sending this. So is it a bug, problems at the Cloudflare DoH or are BT injecting something malicious into my DNS?

  23. Anonymous Coward
    Anonymous Coward

    Missing the point

    Happy to send all your DNS data to the land of the orange president?

    Want to push all the DNS data to a handful of big players where the potential for monetisation/abuse/monitoring and invasion of privacy would be far greater than today?

    Watching this is like watching a bunch of six-year-olds playing football. Everyone is running after the encryption football and getting outfoxed (ka-dish!) by entities that certainly only have their own interests at heart.

    It is perfectly viable to implement DoH as a drop-in replacement for DNS in a measured way such that the benefits remain and we don’t all get railroaded into a model which is against the interests of the average user.

    1. JohnFen Silver badge

      Re: Missing the point

      "It is perfectly viable to implement DoH as a drop-in replacement for DNS in a measured way such that the benefits remain and we don’t all get railroaded into a model which is against the interests of the average user."

      How?

      The existence of DoH means that I now have to engage in MITM attacks on my own HTTPS connections in order to maintain security. How can I set up my system so that is no longer required?

      1. Anonymous Coward
        Anonymous Coward

        Re: Missing the point

        The existence of DoH means that I now have to engage in MITM attacks on my own HTTPS connections in order to maintain security. How can I set up my system so that is no longer required?

        ===

        Get a good VPN and use the VPN provider's DNS.

        1. JohnFen Silver badge

          Re: Missing the point

          "Get a good VPN and use the VPN provider's DNS."

          That does nothing to address the problem, though. The problem isn't what DNS provider I use, the problem is that because DNS-over-HTTPS is now a standardized service, any application or website can use it in any way they wish, using any DoH resolver they wish, without my knowledge or consent. This makes it impossible to do any effective DNS-based filtering regardless of whether or not I use a VPN, or which DNS provider I use.

          Seriously, the only defense against the threat of DoH I can think of necessitates examining all of the HTTPS data streams to find and drop or redirect DoH requests. I am eagerly looking for some other way to address this problem, but have come up empty so far.

          One real-world example of the problem is the Godlua attack (https://www.techspot.com/news/80791-meet-godlua-first-known-malware-leverages-dns-over.html), but that's far from the only issue.

          1. Paul Crawford Silver badge

            Re: "Seriously, the only defense against the threat of DoH"

            Would be disabling it in the browser settings?

            1. Charles 9 Silver badge

              Re: "Seriously, the only defense against the threat of DoH"

              And if they don't LET you, or it's too obscure for Joe Stupid? What if it's a critical one-off app that has no substitute...and no option?

  24. Anonymous Coward
    Anonymous Coward

    <scribble> 'DNS-over-HTTPS'...

  25. Grease Monkey

    Many years ago I had an end user phone me complaining that she couldn't change the DNS server settings on her workstation. I explained that being able to do so would stop her machine from working because we blocked all outgoing DNS requests at the firewall other than those from the in house servers. The in house servers themselves communicating with the outside world via servers sitting in the DMZ. She told me she "needed" to be able to change her DNS settings to do her job. She wasn't a developer or similar so I told her she would need to submit a business case to her manager and if that was successful management would send that in to CAB. Needless to say the business case never arrived at CAB.

    I can see this technology failing in the corporate space for very similar reasons.

  26. JohnFen Silver badge

    Mozilla, I love you

    I love Mozilla, I really do, but I also really think that DoH is a terrible move because it takes away the ability for us to monitor and control what happens on our own machines. Introducing an RFC on it doubles down on the awfulness and takes it into territory that is on the edge of villainy.

    I love you, Mozilla, but can't forgive you for this one.

  27. Danny 2 Silver badge

    El Reg, I love you

    We went from a highly educational and interesting discussion on a privacy feature to porn - which is understandable due to the daft porn 'ban'. Then to kiddie porn extremis, less understandable. And then to a gun control debate‽

    @JohnFen, there are simple ways to monitor what is happening on your machines beyond yielding all similar control to the state or corporations. This is a sledgehammer to your nuts.

    1. JohnFen Silver badge

      Re: El Reg, I love you

      "there are simple ways to monitor what is happening on your machines beyond yielding all similar control to the state or corporations."

      Indeed there are. But DoH specifically interferes with doing that, so I have to MITM all HTTPS connections in order to regain visibility and control.

      1. Danny 2 Silver badge

        Re: El Reg, I love you

        I assume you are a Sys Admin and not just stalking your former partners. It's still wrong.

        A man in the middle attack is an attack. If you don't trust the people using your computers then do what my former employer did, put a CCTV camera facing every internet accessible computer. They had an excuse, what is yours?

        For other people worried here by MITM attacks, Steve Gibson has a tool.

        https://www.grc.com/fingerprints.htm

        1. JohnFen Silver badge

          Re: El Reg, I love you

          I'm talking about my home network, not a business network. There's nothing ethically wrong with doing MITM on my own equipment and datastreams, any more than there's anything ethically wrong with breaking into my own home or covering the inside of my own home with surveillance cameras.

          I do provide an open WiFi connection that bypasses my network entirely for guests to use. I don't MITM any traffic on that (but at the same time, I also don't use that AP myself). If someone wants to use my real network with HTTPS, they need to install my cert to do so -- so anyone doing so is fully aware of the proxy.

          "If you don't trust the people using your computers"

          This isn't about trusting people using my computers (which is, largely, just me). This is about trusting websites and applications.

          1. Danny 2 Silver badge

            Re: El Reg, I love you

            "covering the inside of my own home with surveillance cameras."

            Nothing wrong with a 'nanny cam' in your child's bedroom, but something seriously wrong in the bathroom. You get my point?

            "This is about trusting websites and applications."

            I honestly don't understand why you would Man In The Middle yourself. That is not a criticism, I am out of date by a decade at least. Please explain. I'm assuming you think your machines may be hijacked, and you want to stop that. My point was you are going about it the wrong way.

            MITM attacks are detectable by anyone, and anyone would assume the worst.

            1. JohnFen Silver badge

              Re: El Reg, I love you

              "Nothing wrong with a 'nanny cam' in your child's bedroom, but something seriously wrong in the bathroom. You get my point?"

              It would be excessively creepy, yes, but not ethically problematic so long as anyone who intends to use the bathroom is aware that there's a camera in there before they do. With the use of HTTPS from my LAN, everyone who may want to do that is made fully aware that I have a MITM in place.

              "My point was you are going about it the wrong way."

              Believe me, I very much wish I didn't have to do this. What would your suggestion be for doing this "the right way"?

              "I'm assuming you think your machines may be hijacked, and you want to stop that."

              No, that's not the concern that I'm addressing with this. My concern is primarily about stopping the tracking and telemetry that so many websites, applications, and malware engage in these days.

              One of the ways I use to prevent malware and trackers from phoning home is through blocking DNS lookups. With traditional DNS, it was easy to maintain control because I could force DNS lookups to happen through my own DNS server where I have control over the results it returns.

              With DoH, this is no longer possible for two reasons. First, it doesn't use the DNS port so my router can't help me find the DNS lookups -- they're disguised as HTTPS traffic instead. Second, because HTTPS is encrypted, I can't see what my browser or other application is actually looking up anymore.

              This allows malware and trackers to completely evade my security. Even if I run my own DoH server, a website or application can easily ignore that and do their own DoH exchange with whichever DoH server it wants. I have no control over that. In order to regain that control, I need to use a MITM proxy.

              The existence of DoH means that I have to trust websites and applications about stuff that they've spent years demonstrating that they can't be trusted about. Or, I have to MITM the connection.
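One way to make the cases in JohnFen's post above (and Charles 9's earlier point about DoT on port 853) concrete is to classify outbound flow records the way a filtering gateway would: port 53 can be redirected, port 853 can be blocked, but DoH on 443 can only be caught by destination, and everything else on 443 is opaque without terminating TLS. This is an added example, not code from the thread; the flow records and the resolver list are constructed, and 1.1.1.1, 8.8.8.8, cloudflare-dns.com and dns.google are real public resolvers used here purely as illustrations.

```python
"""Classify outbound flows by how much a DNS-filtering gateway can do about them.

Added example, not code from the forum thread. All flow records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Illustrative data a gateway operator might maintain. 1.1.1.1 and 8.8.8.8 are
# real public resolvers that also speak DoH; cloudflare-dns.com (mentioned in the
# thread) and dns.google are their DoH hostnames. A real list would be far longer
# and would still never cover a resolver that a website or malware runs itself.
KNOWN_DOH_NETS = [ip_network(n) for n in ("1.1.1.1/32", "1.0.0.1/32", "8.8.8.8/32", "8.8.4.4/32")]
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}

PLAIN_DNS = "plain-dns"        # port 53: gateway can redirect to its own resolver
DOT = "dot"                    # port 853: dedicated port, can be blocked wholesale
DOH_KNOWN = "doh-known"        # 443 to a listed resolver: blockable by destination only
HTTPS_OPAQUE = "https-opaque"  # 443 to anything else: DoH or web, cannot tell by port
OTHER = "other"


@dataclass(frozen=True)
class Flow:
    proto: str                 # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None  # TLS server name if the gateway saw it; None if absent or encrypted (ESNI)


def classify(flow: Flow) -> str:
    """Return the control category a port/destination-based gateway can assign to one flow."""
    if flow.dst_port == 53:
        return PLAIN_DNS
    if flow.proto == "tcp" and flow.dst_port == 853:
        return DOT
    if flow.proto == "tcp" and flow.dst_port == 443:
        addr = ip_address(flow.dst_ip)
        if any(addr in net for net in KNOWN_DOH_NETS):
            return DOH_KNOWN
        if flow.sni is not None and flow.sni.lower() in KNOWN_DOH_HOSTS:
            return DOH_KNOWN
        return HTTPS_OPAQUE  # indistinguishable from ordinary web traffic
    return OTHER


def summarise(flows):
    """Count flows per category and return (counts, opaque_ratio).

    opaque_ratio is the share of port-443 flows the gateway cannot attribute
    without terminating TLS itself, i.e. the residual the thread argues over.
    """
    counts = Counter(classify(f) for f in flows)
    https_total = counts[DOH_KNOWN] + counts[HTTPS_OPAQUE]
    ratio = counts[HTTPS_OPAQUE] / https_total if https_total else 0.0
    return counts, ratio


# Constructed sample flows from one LAN client.
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.10", 53),                        # classic lookup: redirectable
    Flow("tcp", "1.1.1.1", 853),                          # DoT: port-blockable
    Flow("tcp", "1.1.1.1", 443, "cloudflare-dns.com"),    # DoH to a listed resolver
    Flow("tcp", "198.51.100.7", 443, "www.example.com"),  # ordinary web traffic, or DoH to an unlisted server
    Flow("tcp", "203.0.113.9", 443, None),                # SNI not visible (e.g. ESNI): DoH or web?
]

if __name__ == "__main__":
    counts, ratio = summarise(SAMPLE_FLOWS)
    for category, n in sorted(counts.items()):
        print(f"{category:13s} {n}")
    print(f"opaque share of HTTPS flows: {ratio:.0%}")
```

The last two sample flows are the point: by port and destination alone they look identical whether they carry a web page or a DNS lookup, which is why the post above ends up at a TLS-terminating proxy.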

              1. Danny 2 Silver badge

                Re: El Reg, I love you

                Okay, I get where you are coming from, you've lost a lock. I just want to point out nobody would use a toilet with CCTV.

                If you are not tracking folk, only uninvited trackers, then I can see the 'ethicacy' of a MITM attack. You could still just stop inviting the trackers in.

                In terms of people though, I could easily explain to my nephew and niece that there is no internet access for them over my router because I'm a wee bit paranoid. I'd find it harder to say I'd be intercepting all their communications - and there were cameras in my toilets.

                1. JohnFen Silver badge

                  Re: El Reg, I love you

                  "I'd find it harder to say I'd be intercepting all their communications"

                  But I don't need to say that at all. As I mentioned in an earlier comment, I provide an open WiFi access point for guests to use. There is no MITM there at all, and anybody who wants internet access can just use that. What you can't do through that AP is reach my LAN -- but it's extremely rare that a guest needs to have access to my LAN.

                2. Anonymous Coward
                  Anonymous Coward

                  Re: El Reg, I love you

                  Part of the issue here is that the idiots in the browser companies that are primarily behind the DoH initiative (looking at you Mozilla and Google) decided to put it in the app layer, allowing any and every app to decide which DoH server to use. That obviously includes malware, as demonstrated in the first known example last week.

                  They compounded this error by mixing the DNS traffic with regular HTTPS traffic through the same port, making sensible net/system admin options such as blocking the port (an easy fix for any admin wanting to disable DoT) impossible. So you're left with options such as MITM etc in order to undertake basic network security, something that Mozilla's CTO appears intent on undermining.

                  DoH as implemented by the IETF is based on poor engineering choices by US tech companies that may coincidentally(!) benefit from future data monetisation opportunities at a global scale. And it is part of a concerted series of activities to centralise the internet, breaking some of the internet's original design philosophy.

                  Anything that delivers massive amounts of user data to US tech companies (most people will accept the default settings), and therefore open to scrutiny by US security services, is a bad thing. Just because it involved Mozilla doesn't make it right - remember the bulk of its funding comes from Google!

                  1. Charles 9 Silver badge

                    Re: El Reg, I love you

                    "They compounded this error by mixing the DNS traffic with regular HTTPS traffic through the same port, making sensible net/system admin options such as blocking the port (an easy fix for any admin wanting to disable DoT) impossible."

                    Which was exactly the point. What you can do, Big Brother can do, too. And Big Brother could very well be your (and other available) ISP, either for commercial gain (demographics) or by mandate (Snoopers' Charter).

                    1. JohnFen Silver badge

                      Re: El Reg, I love you

                      DoH doesn't protect you much against Big Brother. It only changes which Big Brother you're exposed to. Instead of being exposed to your ISP, you're now exposed to the DoH server and every program or web script that wants to track you.

                      1. Charles 9 Silver badge

                        Re: El Reg, I love you

                        But what if the DoH server is under YOUR control?

                        1. JohnFen Silver badge

                          Re: El Reg, I love you

                          That would be very different. Unfortunately, you have no way of ensuring that your DoH server is the one that a website or application will be using. They can use any DoH server they like, no matter what your wishes are.

                          1. Charles 9 Silver badge

                            Re: El Reg, I love you

                            What stopped them doing that before? It's not like an app HAD to obey the DNS settings (Microsoft's telemetry doesn't)...

                            PS. If an app doesn't let you select the DoH server, perhaps it's time to use a different app...

                            1. JohnFen Silver badge

                              Re: El Reg, I love you

                              "What stopped them doing that before?"

                              The fact that you could use your router to block or redirect such DNS requests to your own DNS server.

                              "If an app doesn't let you select the DoH server, perhaps it's time to use a different app."

                              I agree, but that doesn't really address the problem. First, nothing stops Javascript on a web page from doing DoH requests itself. Unless you examine the script, you wouldn't know that's happening. Second, even if an application does provide such a setting, you have no way of verifying that it's being respected. Third, malware doesn't care what your preferences or settings are.

                              1. Charles 9 Silver badge

                                Re: El Reg, I love you

                                Thing is, it never did, so it could've just tunneled things before DoH. Some malware has even been shown to use procedurally-generated hostnames (recall fast-flux DNS) so it could find a host without performing an in-the-wild lookup.

                                Basically, what I'm saying is being concerned about tunneled DNS now is kind of late. The horse of tunneling techniques left a long time ago.

          2. Charles 9 Silver badge

            Re: El Reg, I love you

            How do you stop telemetry like Microsoft's, then? It uses encrypted connections, uses an internal hosts list so never uses DNS, and uses the same IPs as legit servers, which means they can't be safely blocked at the IP level.

            For that matter, what was stopping malware using programmatic or tunneled DNS BEFORE DoH came along?

            1. JohnFen Silver badge

              Re: El Reg, I love you

              "How do you stop telemetry like Microsoft's, then?"

              By not using Microsoft products. There are no Windows machines on my network.

              "For that matter, what was stopping malware using programmatic or tunneled DNS BEFORE DoH came along?"

              IP blocks. In the end, of course, perfect security is impossible and nobody can say that they are stopping everything. I just make a best effort.

              The primary difference that the existence of DoH makes is that most malware must do a DNS lookup to find their home server to communicate with it. They have to use a domain name to avoid trivial IP blocking -- even to use tunneled DNS. Therefore, pre-DoH, DNS filtering was an effective (although certainly not perfect) measure. Now that DoH is a thing, though, malware can just directly use DoH to a mainstream DNS provider and bypass my own DNS server -- and I can't really block mainstream DNS providers without causing a lot of other problems.

              Therefore, the existence of DoH is exposing my network and reducing my security. That's why I need to engage in extreme countermeasures.

              As I said a few times, I hate that I have to do this and I'm looking for a less intrusive solution to this problem. If anyone has any alternative approach, I'm very, very eager to hear it.

              1. Charles 9 Silver badge

                Re: El Reg, I love you

                "They have to use a domain name to avoid trivial IP blocking -- even to use tunneled DNS."

                If they have an internal list (like Microsoft does), the resolution is done at localhost and can't be blocked.

                If the DNS is tunneled (such as via a VPN, which existed before DoH), how do they block the DNS attempt without blocking something legitimate?

                1. JohnFen Silver badge

                  Re: El Reg, I love you

                  "If they have an internal list (like Microsoft does), the resolution is done at localhost and can't be blocked."

                  If they have an internal list, then blocking is easily done by your firewall (which Microsoft has no access to or control of). Just drop all packets going to the IP addresses in the list.

                  "If the DNS is tunneled (such as via a VPN, which existed before DoH), how do they block the DNS attempt without blocking something legitimate?"

                  I'm not sure I understand your question. I can think of a number of different scenarios that you may be referring to, and each of them is handled a bit differently. Rather than write an essay covering everything, I'll punt and ask for a more precise question instead.

                  The new vulnerability DoH creates isn't so much a result of the encrypted communications channel as it is the creation of standard DoH resolvers, plus the standardization of pushing non-HTTP traffic through the HTTPS port. It was easier to detect unauthorized communications streams (such as a VPN connection) to alert me that I had an intrusion that had to be dealt with.

                  A similar (although less comprehensive) effect was always possible, but it was rarely done because it requires a bit of technical knowledge and it's hard to hide. The existence of DoH eliminates both of those speed bumps. DoH makes defense harder because it allows the use of "legitimate" DoH resolvers that can't be blocked without serious adverse consequences, and makes intrusion detection more difficult.

                  From my point of view, DoH doesn't provide much more DNS security than was already achievable using other methods, and introduces a rather large security problem that didn't exist before. That's why I not only consider DoH to be a Bad Thing, I consider it an active threat.

                  1. Charles 9 Silver badge

                    Re: El Reg, I love you

                    "If they have an internal list, then blocking is easily done by your firewall (which Microsoft has no access to or control of). Just drop all packets going to the IP addresses in the list."

                    Which if you'll recall are the SAME IPs that are used to handle security updates and the like. Can you say collateral damage? Just as hiding a malware host on a multi-hosted IP full of legitimate sites means you can't block by IP without blocking legit sites.

                    1. JohnFen Silver badge

                      Re: El Reg, I love you

                      "Which if you'll recall are the SAME IPs that are used to handle security updates and the like."

                      Indeed. But, as I said, my actual solution to this issue is to not use Microsoft products, mostly because they're full of their own security problems. Easy-peasy. And even if I did use them, I'd still block access to Microsoft servers regardless of DNS issues, in order to ensure that automatic updates don't happen (not to mention telemetry).

            2. Brad Ackerman

              Re: El Reg, I love you

              Don't allow direct connections to external networks—make everything go through a proxy server. Alternatively, configure your IPS to block traffic if anything tries to talk to an IP address that hasn't recently been returned in a response from your DNS server.

              The only real change for malware is that it could potentially use legitimate third-party DoH services, but those can all be blacklisted; and if an actor can use their own DoH server's IP address to bypass DNS-based filtering, they can also open a connection to that IP address without using any sort of DNS.
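              As an added illustration (not code from this thread or from any commenter), here is a Python sketch of the rule Brad Ackerman describes and of the gap JohnFen raises above: correlate the local resolver's answers with outbound connections and flag any destination the resolver never handed out, which is exactly what a client going straight to a third-party DoH resolver (or straight to an IP with no lookup at all) looks like. The log formats, hostnames and addresses are constructed for the example; the regexes would need adapting to a real resolver's and firewall's log formats.

```python
"""Flag outbound connections to IPs that the local resolver never returned.

Added example: a minimal "only talk to what our DNS resolved" correlation.
Log line formats below are constructed for this example (assumption), not
the output of any real resolver or firewall.
"""
import re
from datetime import datetime, timedelta

# Constructed resolver log: one answer per line with its TTL.
DNS_LOG = [
    "2019-07-10T10:00:01 query=www.example.com answer=93.184.216.34 ttl=300",
    "2019-07-10T10:00:05 query=cdn.example.net answer=203.0.113.10 ttl=60",
]

# Constructed firewall connection log (new outbound flows).
CONN_LOG = [
    "2019-07-10T10:00:02 src=192.168.1.20 dst=93.184.216.34 dport=443",  # resolved, in TTL
    "2019-07-10T10:00:03 src=192.168.1.21 dst=198.51.100.7 dport=443",   # never resolved
    "2019-07-10T10:02:00 src=192.168.1.20 dst=203.0.113.10 dport=443",   # resolved, TTL expired
]

DNS_RE = re.compile(r"^(?P<ts>\S+) query=(?P<name>\S+) answer=(?P<ip>\S+) ttl=(?P<ttl>\d+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def load_events(dns_lines, conn_lines):
    """Parse both logs into one time-ordered event list.

    DNS answers sort before connections at the same timestamp so that an
    answer logged in the same second as the flow it enabled still counts.
    """
    events = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), 0, m.groupdict()))
    for line in conn_lines:
        m = CONN_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), 1, m.groupdict()))
    events.sort(key=lambda e: (e[0], e[1]))
    return events


def find_unresolved_connections(dns_lines, conn_lines, allow_ips=(), grace=timedelta(0)):
    """Return (timestamp, src, dst, reason) for flows whose destination the
    local resolver did not recently return.

    allow_ips: destinations exempt from the rule (e.g. the resolver itself,
               the default gateway, update mirrors you have deliberately pinned).
    grace:     extra time past the answer's TTL to tolerate clients that cache
               resolutions a little longer than the TTL allows.
    """
    resolved = {}  # ip -> datetime until which a connection is considered explained
    flagged = []
    for ts, kind, f in load_events(dns_lines, conn_lines):
        if kind == 0:
            expiry = ts + timedelta(seconds=int(f["ttl"])) + grace
            resolved[f["ip"]] = max(resolved.get(f["ip"], expiry), expiry)
            continue
        dst = f["dst"]
        if dst in allow_ips:
            continue
        if dst in resolved and ts <= resolved[dst]:
            continue
        reason = "resolution expired" if dst in resolved else "never resolved"
        flagged.append((f["ts"], f["src"], dst, reason))
    return flagged


if __name__ == "__main__":
    for hit in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print("ALERT", *hit)
```

              The interesting output is the "never resolved" class: a host that opened a TLS session to an address it never asked the local resolver about is either using a hard-coded address list, a tunnel, or a DoH resolver of its own choosing, and that is the signal the thread is arguing is lost once DNS rides on port 443. The rule is noisy on real networks (CDNs rotate addresses, clients cache past TTL, multicast and local traffic needs exempting), which is what the `allow_ips` and `grace` parameters are for; it is a detection aid, not a drop-in block list.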

              1. Charles 9 Silver badge

                Re: El Reg, I love you

                How does that help when the connection is encrypted end-to-end? The only way to get around that is to host a secure proxy which means dedicated machines, certificates, and a not-insignificant amount of time and work invested: neither of which may be possible from Joe Stupid.


Biting the hand that feeds IT © 1998–2019