back to article Rolling in DoH: Chrome 78 to experiment with DNS-over-HTTPS – hot on the heels of Firefox

Only days after Mozilla said it plans to make DNS-over-HTTPS (DoH) available by default gradually for Firefox users in the US, Google announced its intention to test DoH in Chrome 78, due for beta release in the next two weeks. DoH wraps domain-name queries in a secure, encrypted HTTPS connection to a DNS server, rather than …

  1. Blockchain commentard Silver badge

    Let's hope Google honours the hosts file in all this. After all, I don't want to have a secure HTTP if my insecure, plain text ad-blocking hosts file gets ignored (for my safety obviously).

    1. Richard Boyce

      They'd be crazy to bypass the hosts file, so I think we can assume they won't.

      1. DougS Silver badge

        They WILL bypass the hosts file

        The whole point of DoH is that an application uses it INSTEAD of the system's resolver configuration. If you have DoH enabled on Firefox it will bypass your hosts file as well.

        Of course Google has an evil reason for wanting DoH - this way they can bypass any controls on content that exist in the environment that might serve to block ads. Well, they would if it was more than 1% of people who use such methods to block ads, but this lets them control the whole experience instead of letting a router get in the way via DNS lookups. Honestly, if you care about privacy or your browsing experience you're an idiot if you use Chrome.

        1. GnuTzu Silver badge

          Re: They WILL bypass the hosts file

          "...this way they can bypass any controls on content that exist in the environment that might serve to block ads."

          Any? I can think of a counter example, a proxy using a service that categorizes destination FQDN's that are ad services and blocks them accordingly, which I assure you does exist.

          Yes, there are places that block ad services per security policy as a potential source of malware. Because, what responsibility do ad services have to ensure that the ads their many customers feed them are free from malware.

          The thing I'm wondering about is how this affects ad-blocking plugins.

    2. GnuTzu Silver badge

      Hosts File -- Resolver -- How The Hell???

      This is not a pretty picture. They are going to bypass the O.S. resolver, which is what includes the hosts file, which then means that to include the hosts file... Well what? Are they going to check the resolver and their own mechanism and compare them? Do resolvers say when they get an IP address from the hosts file? Do these browsers expect to get read-only access to a host file, on a hardened system? Or, are they going to flip a coin between the resolver and their own mechanism? Um, they need to make this a little more clear.

      I was pretty sure I updated my knowledge on this last week--because I needed to be sure I was interpreting my diagnostic indicators correctly--in one of those workplace support situations where arguments go askew if you haven't got your facts nailed down. They are definitely going to need to have a carefully written support page explaining exactly how they deal with the hosts file--written in multiple layers for all levels of expertise.

      Seriously! In an enterprise environment if we can't support these browsers--according to organizational policy, the big wigs are going to take them away. Whaaaaaa!!!!!

    3. TheVogon Silver badge

      Good point. This should be done at the OS level not the browser level.

      Any Linux gurus want to describe how to implement this on DD-WRT and Open WRT so every device in my house uses it?

      Not that I'm a terrorist or a reader of alt.sex.hamsters.duct-tape but its the principle of the government forcing ISPs to record everything we browse...

      1. Alister Silver badge
        Childcatcher

        alt.sex.hamsters.duct-tape

        You filthy pervert, you should be locked away.

        1. stiine Silver badge

          Re: alt.sex.hamsters.duct-tape

          That one's still around?

          What about alt.sex.with.dogs ?

          Or comp.languages.cobol ?

          Ahh, memories.

      2. I ain't Spartacus Gold badge
        FAIL

        TheVogon,

        You use masking tape on hamsters you idiot! Duct tape is best used on sheep.

        Or so I've heard...

  2. GnuTzu Silver badge

    Just How Trustworthy is Cloudflare

    "Google is thus avoiding one of the concerns raised by Mozilla's approach, forcing Firefox users to change their chosen DNS provider for Cloudflare."

    Funny, Google will honor Quad9, which promises privacy, but Firefox forces Cloudflare. Did I get that right?

    How do we know Cloudflare will never turn evil? Do they have a statement like Quad9's? Which of us is going to take the plunge, and dig into their privacy statement?

    (Also, there are enterprise concerns here, if anyone dares to dive into that can of worms.)

    1. DougS Silver badge

      Re: Just How Trustworthy is Cloudflare

      I thought Cloudflare was Firefox's default, but you could set your own?

      Regardless, if Cloudflare "turns evil" no doubt Firefox would switch their default. At least Firefox is starting out non-evil in their DoH implementation (other than the fact it will be by default on) If you use Chrome you've already bought in "evil" hook line and sinker, and what DoH resolver you use makes as much difference as the color of shirt you wear in Hell.

      1. JohnFen Silver badge

        Re: Just How Trustworthy is Cloudflare

        "if Cloudflare "turns evil" no doubt Firefox would switch their default"

        I'm not so sure about that, to be honest.

        "Firefox is starting out non-evil in their DoH implementation"

        In my view, DoH itself is, while not exactly evil, a blow to security and privacy regardless of how its implemented in Firefox.

        1. DougS Silver badge
          Thumb Down

          Re: Just How Trustworthy is Cloudflare

          It is only a (theoretical) blow to security/privacy for technically competent users, like El Reg readers. And such users are smart enough to flip the configuration switch to 'off'.

          For the average person who doesn't know DNS DoH from Homer Simpson's D'oh, who uses a store bought router that never has a security update and takes the default ISP setting for DNS servers, it is a win. If someone hacks their router or their PC it won't have any effect on their DNS lookups from Firefox. They can't create a banking website "clone" of their real one to fool them, steal their Gmail password and often correctly guess that the same email/password combo is used at many other places, etc.

          It is a HUGE WIN for the privacy and security of the 98% of internet users who don't understand any of this stuff we are debating!

          1. Steve Graham

            Re: Just How Trustworthy is Cloudflare

            It would be a "HUGE WIN" if DNS hijacking happened much. Which it doesn't.

            1. tuppence

              Re: Just How Trustworthy is Cloudflare

              you're not a Virgin customer then?

            2. TheVogon Silver badge

              Re: Just How Trustworthy is Cloudflare

              Yes it does. Numerous Trojans and adware hijack DNS settings for instance.

          2. JohnFen Silver badge

            Re: Just How Trustworthy is Cloudflare

            "It is only a (theoretical) blow to security/privacy for technically competent users"

            I disagree. DoH opens a hole that allows software to be able to phone home without the users being able to detect or control that. That's why it's forced me to MITM all HTTPS connections in my home network, so I can manage DNS.

            "And such users are smart enough to flip the configuration switch to 'off'."

            That doesn't solve the problem, because the problem is that DoH is effectively a standard. How any particular piece of software uses it, or the controls that software provides, is not relevant to the problem.

            But this is all academic at this point. The damage is done.

            1. DougS Silver badge

              Re: Just How Trustworthy is Cloudflare

              Before DoH was a standard applications could manage their own DNS in whatever way they see fit, from hardcoded IP/hostname mappings in the app to sending out DNS requests on non standard ports to rolling their own version of "DoH".

              How does DoH being a standard make it any worse? Evil apps are gonna evil. IMHO the risk of MITMing your connections is much higher than the risk of DoH. If a hacker gets access to your MITM device all your most sensitive data is exposed.

              1. stiine Silver badge

                Re: Just How Trustworthy is Cloudflare

                Yes, and just because Microsoft did that for their root CA check on their domain controllers starting with 2003?, doesn't make it right.

      2. NATTtrash

        Re: Just How Trustworthy is Cloudflare

        I thought Cloudflare was Firefox's default, but you could set your own?

        Yes, I think I remember that you can. Wasn't it something like network.trr.uri in about:config?

        Whether that needs specific protocol requirements of the DNS (provider) I don't know (sorry, no expert, but I'm sure somebody here will know).

    2. IGotOut

      Re: Just How Trustworthy is Cloudflare

      "How do we know Cloudflare will never turn evil?"

      You don't, but good luck avoiding them. For starters, you'd have to stop visiting here.

    3. TheVogon Silver badge

      Re: Just How Trustworthy is Cloudflare

      At an educated guess it's just a starting point as they have presumably tested Cloudflare extensively. Once they know it all works I'm sure it will be selectable.

    4. TheVogon Silver badge

      Re: Just How Trustworthy is Cloudflare

      There are no real fully enterprise managed system concerns here. They can use group policy settings to force this off on imstalled browsers and do it at the network border if they want it but still see / filter what is being accessed internally.

      For BYOD and guest WIFI I expect there are also solutions.

      1. stiine Silver badge
        Flame

        Re: Just How Trustworthy is Cloudflare

        And just how long do you expect Mozilla to leave the knobs enabled in about:config? 2 version? 3? before they remove it because Kirk Steuber decided it should be removed because he's the smartest person on the planet.

    5. TheVogon Silver badge

      Re: Just How Trustworthy is Cloudflare

      And a quick Bing finds https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/

      DEVELOPERS

      Search the docs...

      1.1.1.1

      Setting Up 1.1.1.1

      What is 1.1.1.1?

      DNS over HTTPS

      DNS over TLS

      Supporting IPv6-only Networks

      Privacy

      Cloudflare 1.1.1.1

      Cloudflare Resolver for Firefox

      Fun With DNS

      The Nitty Gritty

      Privacy

      Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your phone or computer does is ask its directory: where can I find this?

      Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads. Cloudflare, in partnership with APNIC, runs 1.1.1.1, a recursive DNS service that values user privacy. Even though most Internet users have no insight into the Recursive DNS process or the entities involved in that work, there are legitimate concerns about how personal information collected through the Recursive DNS process are used or repurposed.

      Cloudflare commits that 1.1.1.1 was designed for privacy first, and as a result:

      Cloudflare will never sell your data or use it to target ads. Period.

      All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, of are purged within 24 hours.

      Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.

      Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.

      Cloudflare will only retain or use what is being asked, not who is asking it. Unless otherwise notified to users, that information may be used for the following limited purposes:

      Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.

      Frankly, we don’t want to know what you do on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.

    6. Jove Bronze badge

      Re: Just How Trustworthy is Cloudflare

      This is touched on in the other Register article covering the Mozilla adoption of DoH (and the Mozilla articles and blogs on the topic).

    7. Jove Bronze badge

      Re: Just How Trustworthy is Cloudflare

      You are asking these questions on a forum covering an article about a Google browser?

      1. GnuTzu Silver badge

        Re: Just How Trustworthy is Cloudflare

        Um, not entirely. The opening paragraph introduces the topic of Google following Firefox. My point is that Google is offering an option that Firefox is not--as the article mentions. I am primarily pointing out that this appears to be the reverse of what is normally portrayed.

    8. Ben Tasker Silver badge

      Re: Just How Trustworthy is Cloudflare

      Unless things have changed, Cloudflare is just the default to begin with.

      Mozilla's intention (IIRC) is to have regional defaults (i.e. if you're in the US, you might get Cloudflare, if you're somewhere else, someone else will be the default).

      There's a long list of rules that you have to show you abide by in order to be included in the pool of defaults, including:

      - clear statements on how you'll address privacy

      - not filtering/tampering with results.

      - Using QNAME Minimisation

      - No ECS unless the upstream connection is encrypted

      So, to answer your question:

      - Yes Cloudflare have a statement on this (dedicated to this)

      - Any other provider Firefox chooses would have to abide by the same rules

      Which still skips over the following

      - You can configure your own

      - You're complaining about the privacy of Firefox in a thread about Google Chrome

  3. Dinanziame
    Paris Hilton

    DoT or DoH

    Is there a legitimate advantage to DoT? Isn't the very point of encrypting DNS that third parties cannot control it?

    1. TheVogon Silver badge

      Re: DoT or DoH

      How is that not a legitimate advantage?

    2. druck Silver badge

      Re: DoT or DoH

      DOH or DOT, you can bet corporate installed spyware security tools will intercept it.

      1. stiine Silver badge
        Big Brother

        Re: DoT or DoH

        Its my network, the switches are mine, the firewalls are mine, the servers are mine, even the electrons are mine, so yes, I'll be intercepting it if I can't disable it completely

  4. Blofeld's Cat
    Unhappy

    "The CMS server is broken" ...

    I'm just waiting for those support calls where users have (perhaps unknowingly) switched on DoH, bypassed the local network's DNS server, and now cannot access the "whatever.local" machines.

    1. stiine Silver badge

      Re: "The CMS server is broken" ...

      The note ad the bottom of the Cisco Umbrella page says the only solution is to install a MitM proxy and controll it that way.

  5. Jusme
    Big Brother

    Click

    Another notch... so soon

    https://forums.theregister.co.uk/forum/all/2019/09/09/mozilla_firefox_dns/#c_3866675

  6. JimmyPage Silver badge
    Stop

    The more I think about this, the more it's broken

    as with a lot of commentards above me, this is messing up the distinction between application and OS. OK, so now a browser is using DoH. But howabout my email client ? My Usenet client ? Or any other applications I have which need to access the internet ?

    Much prefer my current setup, where a piHole is looking after my DNS (using DoH) and all my devices, clients and apps go through that which I control.

    In 2019, the idea of things being hardbaked into applications should be history. Instead, because applications can update in real time, it seems to be the default.

    Which predictable results.

    1. ScissorHands
      Trollface

      Re: The more I think about this, the more it's broken

      The browser is the only application you need for email and Usenet. Why transfer KBs when you can turn that into MBs *and* serve you ads **and** know everything you're doing?

      What do you mean there are protocols other than HTTP? /s

      1. Anonymous Coward
        Anonymous Coward

        Re: The browser is the only application you need for email and Usenet

        Upvoted if that is sarcasm ... I reserve the right to return and swap votes :)

    2. Anonymous Coward
      Anonymous Coward

      Re: The more I think about this, the more it's broken

      Much prefer my current setup, where a piHole is looking after my DNS (using DoH) and all my devices, clients and apps go through that which I control.

      Cheers for the PiHole heads-up: out of curiosity I looked it up, thought it sounded damn neat, checked out where and how to install it, fired up a CentOS VM last night and had it cleaning up the local LAN browsers within an hour!

  7. Zippy´s Sausage Factory

    DoH seems to me to be an inefficient way to get applications to take on what should be an operating system problem: resolving host names.

    Basically, DoH now means another place (or set of places) to maybe sort-of support IPv6 and obfuscate where your network naming is coming from.

    Whoever thought this was a good idea is really an idiot.

  8. sebbb
    IT Angle

    I don't agree with baking DoH into applications as somebody said here as well, that should still be a system-wide setting.

    However, I do not agree with people thinking DoH is the wrong choice. I absolutely have no idea why I would want my ISP to intercept and log whatever I'm doing with my Internet connection, therefore why I installed on my home pfSense a nice DoH client and use it as default DNS for my whole network.

    And as the discussion for local company networks goes instead, there's not much else to say IMHO: it's your network, you can block the IPs of the DoH servers, run your own beloved DNS and live happily ever after.

    1. Terje

      The question is not to encrypt or not but how and where to encrypt and handle the name resolving.

      This application is doing it In the browser and over http which the consensus here seems to agree is a bad idea as opposed to the OS doing it over an encrypted channel honoring the host file etc.

      i.e. Name resolving is an OS job, not a job for the application.

      1. sebbb

        The major reason for what is happening here is this in my opinion: there is a technology, people don't want to adopt it or it's very slow in adoption. Then, let me use that for myself and embed it into my application. It's like IPv6 guys, nobody gives a s**t about it, so people have been trying to invent absurd alternatives like 6in4 and such. If adoption is the problem and I want to use something in my product, I'll implement it on my own. I think this is exactly what happened here at Mozilla and Google. If tomorrow MS comes our with a native DoH/DoT client in Windows, rest assured that perhaps these guys would give you the option to keep going with the usual way.

    2. JohnFen Silver badge

      "it's your network, you can block the IPs of the DoH servers"

      Yeah, good luck with that. Anybody, including attackers, can easily set up their own DoH server and use that. Trying to block DoH servers via IP is a game of whack-a-mole that requires you to constantly monitor your router logs in order to suss them out.

  9. Anonymous Coward
    Anonymous Coward

    One thing is clear and speaks out loud

    If Google is not at all worried is that they can read the URL before you send it out for name resolution.

  10. Yes Me Silver badge
    Facepalm

    Vixie is right...

    ...as usual. DoH is a terrible idea and will only help Big Company to profile you.

  11. gnarlymarley Bronze badge

    first DoH servers hosted by?

    I am sure google and firefox will be happy to host your first DNS-over-HTTPS servers. Because "trust" them more then we trust our own ISP, RIGHT??????

  12. Anonymous Coward
    Anonymous Coward

    "Google promises ..."

    Haha, good one.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019