cancel
Showing results for 
Search instead for 
Did you mean: 

Why have Plusnet blocked secure DNS?

Highlighted
Newbie
Posts: 4
Thanks: 5
Registered: 3 weeks ago

Why have Plusnet blocked secure DNS?

Can't use DNS over TLS using either google.com or 1dot1dot1dot1.cloudflare-dns.com. This worked as recently as last week and still works fine anywhere else so long as I'm not connected via Plusnet as soon as I'm connected via Plusnet, at at home or at a relative's house, it doesn't work.
I'd really prefer not to have my security choices dictated to me.
54 REPLIES 54
Highlighted
Grafter
Posts: 43
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

DNS over TLS (Private DNS) on Android suddenly stopped working overnight

DNS over TLS (Private DNS) on Android suddenly stopped working overnight when connected via WiFi. This works fine when connected using Mobile data on the 3 network. Has something been changed or blocked at the Plusnet ISP level? I have confirmed this using both Cloudflare and NextDNS. I rebooted my router to rule that out. Please can someone else try setting up private DNS on Android 9 or higher using 1dot1dot1dot1.cloudflare-dns.com to confirm this is a widespread issue?
Highlighted
Grafter
Posts: 43
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

Re: DNS over TLS (Private DNS) on Android suddenly stopped working overnight

Just tested it at my mother's house on her Plusnet ADSL, connected via WiFi and it works. I'll raise a ticket

Highlighted
Grafter
Posts: 43
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

Re: Why have Plusnet blocked secure DNS?

I also posted about this yesterday in the forums and no one replied. One slight oddity in my case is that it does still work on my mother's Plusnet ADSL but not on my fibre connection. Maybe she has yet to pick up the new policies? I see no reason for them blocking it at all if DNS over HTTPS is still allowed. Why just punish DNS over TLS? I'm hoping it's an error that will be reversed.
Highlighted
Aspiring Hero
Posts: 12,451
Thanks: 591
Fixes: 18
Registered: ‎01-09-2007

Re: Why have Plusnet blocked secure DNS?

Presumably it gets blocked because Plusnet can't tell which https web sites you are visiting, other than via your DNS requests?

BTW I have a longstanding setting for Firefox:-

xx.png

 

Note that I allow my router to have their rubbish settings.

"In The Beginning Was The Word, And The Word Was Aardvark."

Highlighted
Grafter
Posts: 43
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

Re: Why have Plusnet blocked secure DNS?

Your post is not really relevant to the thread which is, why has DNS over TLS been blocked
Highlighted
Community Veteran
Posts: 15,216
Thanks: 1,096
Fixes: 12
Registered: ‎01-08-2007

Re: Why have Plusnet blocked secure DNS?


@Swipe wrote:
Your post is not really relevant to the thread which is, why has DNS over TLS been blocked

@VileReynard 's first sentence answered your question - presumably because plusnet can't see what sites you're visiting.

The rest of his reply is a bit irrelevent yes, however the first sentence said it all. 

I need a new signature... i'm bored of the old one!
Highlighted
Newbie
Posts: 4
Thanks: 5
Registered: 3 weeks ago

Re: Why have Plusnet blocked secure DNS?

But they also couldn't see it if I used DNS over HTTPS, or even just used a VPN.

It would be nice if someone from Plusnet would chime in with a response.
Highlighted
Rising Star
Posts: 96
Thanks: 35
Registered: ‎19-08-2018

Re: Why have Plusnet blocked secure DNS?


@VileReynard wrote:

Presumably it gets blocked because Plusnet can't tell which https web sites you are visiting, other than via your DNS requests?

 

 


But why would PN want to know that? Other than routing, obv.

Highlighted
Aspiring Hero
Posts: 12,451
Thanks: 591
Fixes: 18
Registered: ‎01-09-2007

Re: Why have Plusnet blocked secure DNS?

As pointed out by@Swipe , my response was not relevant to this topic.

However, Plusnet are required to record all web sites visited by you:-

See https://www.ispreview.co.uk/index.php/2018/04/high-court-rules-uk-isp-internet-snooping-law-is-unlaw... 

or https://en.wikipedia.org/wiki/Data_retention#United_Kingdom 

On the original topic:-

There is a difference between DNS over TLS and DNS over HTTPS.

DNS over TLS uses its own port and so can be blocked or firewalled by servers [or Plusnet]. DNS over HTTPS just uses the standard https port.

https://www.cloudflare.com/learning/dns/dns-over-tls/ 

 

"In The Beginning Was The Word, And The Word Was Aardvark."

Highlighted
Community Veteran
Posts: 15,216
Thanks: 1,096
Fixes: 12
Registered: ‎01-08-2007

Re: Why have Plusnet blocked secure DNS?


@kev51773 wrote:
But they also couldn't see it if I used DNS over HTTPS, or even just used a VPN.

It would be nice if someone from Plusnet would chime in with a response.

If they blocked https most of the internet would studdenly stop working for plusnet users - everything from webmail to paypal (and other payment websites).

HTTPS cannot be blocked for that very reason - and as it's encrypted, plusnet can't filter out the dns requests to block them.

VPN is also not easy to block - many employers use VPN connections to let their staff access the corporate network remotely eg from home. Infact you could argue that a VPN works in a very similar way to an ISP (and thus should log all traffic).

DNS that is unencrypted is not really blockable either - by corporate firewalls at least. That's how some people manage to use VPNs to escape work - the vpn using dns requests to a vpn server which sends back data in the reply - that data being the vpn packets instead of actual dns query replies.

As for plusnet replying, that's just not going to happen. They don't like admitting to negativity or restricting their customers abilities online.

I need a new signature... i'm bored of the old one!
Highlighted
Newbie
Posts: 4
Thanks: 5
Registered: 3 weeks ago

Re: Why have Plusnet blocked secure DNS?

When did we reach a stage where ISP's were actively working against security.

I get that they are required to keep a list of sites visited. Or at least they are required to attempt to keep a record (since there are myriad ways are avoiding there tracking which cannot be prevented). What they're doing here is the equivalent of banning people from locking there doors in case the police want to pop in for a random unannounced visit.
Works great for the police.... Or for anyone else.

Sadly, that's another ISP on the blacklist. Roll on end of contract.
Highlighted
Grafter
Posts: 43
Thanks: 6
Fixes: 2
Registered: ‎30-05-2010

Re: Why have Plusnet blocked secure DNS?

For what it's worth, I've just raised it as a ticket. I'll report back when they respond.

Moderator's note by Mike (Mav): Full quote of preceding post removed as per Forum rules.
Highlighted
Community Veteran
Posts: 15,216
Thanks: 1,096
Fixes: 12
Registered: ‎01-08-2007

Re: Why have Plusnet blocked secure DNS?


@kev51773 wrote:
When did we reach a stage where ISP's were actively working against security..

When everyone decided to ignore it rather that sign digital petitions because "everyone else will deal with it".

That's usually the case. We've seen it with Covid too but people who are part of the problem still can't accept it and ask why others have screwed it up.

I need a new signature... i'm bored of the old one!
Highlighted
Aspiring Hero
Posts: 12,451
Thanks: 591
Fixes: 18
Registered: ‎01-09-2007

Re: Why have Plusnet blocked secure DNS?


@kev51773 wrote:
When did we reach a stage where ISP's were actively working against security.

For a long time the politicians were happy logging IP addresses (like in the films), so when they found out about multiple web-sites sharing an IP address they got upset.

Control freakary and security considerations don't go together very well.

Actually, I blame uncritical acceptance of the Internet Watch Foundation (IWF) block filters - which successfully keeps child abuse material off of mainstream sites. However well-meaning it might be, it formed a proof of concept for capturing information at the web domain level.

"In The Beginning Was The Word, And The Word Was Aardvark."