DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

VileReynard
Champion
Posts: 11,988
Thanks: 501
Fixes: 17
Registered: 01-09-2007

DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

For years, all DNS requests have been sent in clear text (using UDP) - but you can encrypt DNS requests:-

Of all browsers, Firefox's DoH support is the strongest and easiest to configure, primarily because they've been working on it for longer than anyone else.

The organization is currently enabling DoH by default for all users in the US.

DoH won't be enabled by default for UK users, following the UK government's pushback against the feature.

But it's easy to configure - especially in Firefox.

The following link has info on how to do it... https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-...

"In The Beginning Was The Word, And The Word Was Aardvark."

VileReynard
Champion
Posts: 11,988
Thanks: 501
Fixes: 17
Registered: 01-09-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

A follow up:-

When you enter a website into your browser, the internet uses DNS (Domain Name System) to send the domain name to a server - normally one at Plusnet Towers to obtain an appropriate IP address for the web site.

All this takes place in clear text.

However, if you would prefer to reduce the possibility of your web browsing to be tracked, it is relatively simple to arrange for most of your DNS requests to be carried out in a secure way - DNS over HTTPS (shortened to "DoH"). 🤣

See https://en.wikipedia.org/wiki/DNS_over_HTTPS

for more info...

"In The Beginning Was The Word, And The Word Was Aardvark."

Baldrick1
Hero
Posts: 3,601
Thanks: 1,552
Fixes: 99
Registered: 30-06-2016

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

@VileReynard 

Very interesting. I don't know how familiar you are with it but I have just enabled it on my Firefox browser. From my reading of this article my understanding is that this directs an encrypted request to Cloudflare for interpretation. Consequently I expected my primary DNS server to be 1.1.1.1. However when I use ipconfig to check the DNS server my Win 10 computer is using it still comes back with those of OpenDNS. Does this mean that DNS lookups now do a double hop, that is to OpenDNS then on to Cloudflare? Either way I'm not conscious of any slow down in performance, I'm just interested.

Superuser
Superuser
Posts: 7,737
Thanks: 1,500
Fixes: 95
Registered: 30-07-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

I believe it just causes the browser to send all DNS requests to Cloudflare via HTTPS rather than the normal configured DNS server.

Ipconfig will still show the normal DNS since DNS requests other than by the browser will still go via that route.

VileReynard
Champion
Posts: 11,988
Thanks: 501
Fixes: 17
Registered: 01-09-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

I've been using this setup for several weeks now without any obvious problems.

"In The Beginning Was The Word, And The Word Was Aardvark."

Baldrick1
Hero
Posts: 3,601
Thanks: 1,552
Fixes: 99
Registered: 30-06-2016

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition


@MisterW wrote:

I believe it just causes the browser to send all DNS requests to Cloudflare via HTTPS rather than the normal configured DNS server.

Ipconfig will still show the normal DNS since DNS requests other than by the browser will still go via that route.


Ah, I think that I've got it. Because the browser already knows the IP address of Cloudflare it can directly address it with the encrypted request without going near any other DNS server.

Superuser
Superuser
Posts: 7,737
Thanks: 1,500
Fixes: 95
Registered: 30-07-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

That's about it.

My guess (and it's just a guess!) is that the browser does a conventional DNS lookup on Cloudflare (or whatever custom DoH server you've configured) when it starts, caches it, and then periodically requeries depending on the TTL it gets from that request.

Community Veteran
Posts: 14,737
Thanks: 882
Fixes: 12
Registered: 01-08-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition


@VileReynard wrote:

For years, all DNS requests have been sent in clear text (using UDP) - but you can encrypt DNS requests:-

DoH won't be enabled by default for UK users, following the UK government's pushback against the feature.


Firstly it's not sent as plain text in the same way that plain text is sent. It's actually converted to a byte stream going between devices where data is sent as ordinals not text, although yes that's easy to convert back into text.

Secondly you can use DNS over TCP. It doesn't work by default for some obscure reason, however I've not yet found how to use encryption with this.

As for using DNS over HTTP, that's going to introduce some serious lag as HTTP is a complex protocol compared to DNS. As for it being logged and inspected by the government, ANY server you connect / broadcast to anywhere in the world can log your requests and make them available to whoever wants them for the right price. You can not assume anonymity from ANY server online. Your TOR network for instance may well be operated by the CIA for all you know - just because the nodes are apparently spaced around the world (which, let's face it, is only a record update of the IP address) they could still be property of the CIA or NSA with a direct link back to their HQ.

Your only true anonymous internet access is to use an unregistered internet connection such as a USB modem and pre-paid credit.

I need a new signature... I'm bored of the old one!
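An added worked example in Python (not code from this thread, from Firefox, or from Cloudflare) tying together two points made above: MisterW's description of the browser shipping its DNS queries to the DoH server over HTTPS and bootstrapping that server's own address with one conventional lookup cached by TTL, and this post's point that a DNS message is a byte stream. The same RFC 1035 message is shown as the raw UDP payload, as DNS over TCP (two-byte length prefix), and base64url-encoded inside an RFC 8484 GET URL; a small parser reads the answer and TTL back out of a constructed response. Only Cloudflare's public DoH template URL is real; the 192.0.2.1 answer address and the 300-second TTL are constructed placeholders.

```python
import base64
import struct
import time

# Added illustration, not code from the thread or from any browser or resolver:
# one DNS wire message carried three ways, plus a TTL cache for the DoH server's
# own address. The 192.0.2.1 address and TTLs used below are constructed placeholders.

def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: a length byte per label, then a 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header (RD set) plus one question, class IN.
    RFC 8484 suggests ID 0 for DoH so identical queries cache well on the HTTP path."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def tcp_payload(query: bytes) -> bytes:
    """DNS over TCP (RFC 1035 s4.2.2): a 2-byte length prefix, otherwise the same bytes."""
    return struct.pack("!H", len(query)) + query

def doh_get_url(query: bytes, template: str = "https://cloudflare-dns.com/dns-query") -> str:
    """DoH GET form (RFC 8484 s4.1): the same bytes, base64url without padding, inside TLS."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={dns}"

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(msg: bytes):
    """Return [(name, rtype, ttl, rdata)] from the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers

def build_response(query: bytes, addr: str, ttl: int) -> bytes:
    """Constructed A answer to `query`; the owner name is a pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(b) for b in addr.split("."))
    return header + query[12:] + rr

class TTLCache:
    """Keeps an address until the TTL from its answer expires; the clock is injectable."""
    def __init__(self, now=time.monotonic):
        self._now, self._entries = now, {}
    def put(self, name, addr, ttl):
        self._entries[name] = (addr, self._now() + ttl)
    def get(self, name):
        addr, expires = self._entries.get(name, (None, 0))
        if addr is not None and self._now() < expires:
            return addr
        self._entries.pop(name, None)
        return None

def doh_server_address(cache: TTLCache, name: str, conventional_lookup):
    """Bootstrap: the DoH server's own IP comes from one conventional (plaintext) lookup,
    cached by TTL and re-queried only after it expires, as guessed earlier in the thread."""
    addr = cache.get(name)
    if addr is None:
        response = conventional_lookup(build_query(name))
        _, _, ttl, addr = parse_answers(response)[0]
        cache.put(name, addr, ttl)
    return addr
```

Calling `build_query("example.com")` gives the 29 bytes that would travel in a plain UDP datagram; `tcp_payload()` prepends `00 1d`, and `doh_get_url()` yields `https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE`. Nothing in the name or type changes between the three carriers; what differs is whether anyone on the path can read them, and (for the bootstrap lookup) which server still sees the DoH server's name in the clear once per TTL. `doh_server_address()` takes the conventional lookup as a callback so the whole thing runs offline against `build_response()`.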
VileReynard
Champion
Posts: 11,988
Thanks: 501
Fixes: 17
Registered: 01-09-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

TOR is a way of sending data securely by sending encrypted data via several nodes, randomly chosen.

DNS is not the same thing at all...

I get no detectable delay in using DNS over HTTPS versus DNS over UDP - although obviously adding encryption to a simple protocol must incur some extra delay.

"In The Beginning Was The Word, And The Word Was Aardvark."

Community Veteran
Posts: 14,737
Thanks: 882
Fixes: 12
Registered: 01-08-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

I used TOR as an example. The nodes may well be random but what's to say those nodes are not recording your requests and linking them back to your original IP?

What better way to spy on civilians than to setup a sneaky "anonymous" network that everyone trusts?

Same thing with DNS. Whichever DNS server you use, it may well be recording those requests and be monitored by the state.

I need a new signature... I'm bored of the old one!
VileReynard
Champion
Posts: 11,988
Thanks: 501
Fixes: 17
Registered: 01-09-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

Recording IP addresses by servers is common - indeed the larger UK ISPs are required by law to do this (plus other identifying information). But at least a third party DNS would have the advantage of not easily being associated with my personal details.

"In The Beginning Was The Word, And The Word Was Aardvark."

Community Veteran
Posts: 14,737
Thanks: 882
Fixes: 12
Registered: 01-08-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

But it IS easily associated. Your IP address gives the game away and as I said, any 3rd party DNS is probably funded by some government agency anyway. When was the last time you saw an advert or "this DNS response was sponsored by..." in a reply header? - You didn't. So why are those 3rd party companies providing free DNS at a loss? - they're probably state funded.

The state and its intelligence services always like to be several steps ahead and with budgets that allow them to cater for the latest tech years before it's even available to the majority, they've had plenty of time to be prepared.

GCHQ monitors everything going in and out of the country too. They're sniffing your data continuously for anything that interests them. Doesn't mean they actively monitor YOU or me constantly but at some point your data will come to their attention via some automated process even if it is discarded again later.

While the police might not have access to the same sort of information legally, the security services certainly will have. I don't worry about all these 3rd party DNS and VPN servers. It's just a way to guarantee all your traffic goes through them and can be easily accessed - every last HTTP request, email etc. At least with your ISP you know it's going to be monitored by the state if it needs to be, and not by several others who just agreed to share whatever they can get their mucky hands on.

I need a new signature... I'm bored of the old one!
VileReynard
Champion
Posts: 11,988
Thanks: 501
Fixes: 17
Registered: 01-09-2007

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

I'm happy to use 1.1.1.1 (Cloudflare) since so much data goes via their servers anyway. There are quite a number of free DNS service providers...

According to https://1.1.1.1/dns/ no logging takes place - so maybe it doesn't. I certainly wouldn't trust Google and have doubts about Plusnet's "deep packet inspection", so I have no reason to make life easier for them or anybody else feeding off my internet stream.

"In The Beginning Was The Word, And The Word Was Aardvark."

Baldrick1
Hero
Posts: 3,601
Thanks: 1,552
Fixes: 99
Registered: 30-06-2016

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition

I have no problem with the security services knowing where I bank and do my shopping if they find the need to check. I do object though to the likes of Google tracking it. I'm not so sure of Plusnet either after the ACS Law / Norwich Pharmacal Order fiasco, be it a few years ago now.

I find that DoH works fine on my PC but I can't find the option on the iPad version of Firefox.

TheRoadCrew
Rising Star
Posts: 81
Thanks: 13
Fixes: 5
Registered: 14-05-2017

Re: DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition


@Baldrick1 wrote:

I find that DoH works fine on my PC but I can't find the option on the iPad version of Firefox.


I don't know if Firefox for iOS supports DoH, perhaps the Cloudflare app would be a suitable alternative.