This setup does the opposite of what they're hoping to do, and is the exact reason that Tor implemented "Entry Guards".
If there is any pattern in the DNS queries you perform (e.g. you visit certain sites regularly), then all of a sudden there are now going to be four additional organisations that know your browsing habits, on top of your existing one (your ISP).
Imagine you go to pornhub.com every day. Your ISP knows that you're doing that today because of your DNS lookups, and they will still know that after the deployment of DOH and ESNI, because like millions of other websites, pornhub doesn't share their IP addresses. But now all of a sudden, you'll be telling cloudflare one day that you go to pornhub, google the next day, opendns the next day, and 42l the next day.
Why do people insist on increasing the number of organisations with access to their browsing history, in the name of privacy?
I agree that there is little gain in hiding DNS traffic from your ISP. And like you I'm wondering what the benefit of spreading around one's DNS profile should be. I think it's better to just pick the DNS provider one distrusts the least.
But once you use DoH, using a private DNS proxy does in fact provide (some) protection because it detaches one's client address from the requests. Breaking this requires timing correlation or individual domain names for tracking.
Why set up a private DNS proxy when you can (arguably more easily) set up a private VPN, which protects all of your traffic instead? A quick "apt install unbound" on the VPN server will give you a private recursive DNS resolver which supports DNSSEC, and you'll be communicating with that over the VPN, so DoH gives you nothing...
So, what is the benefit of a private tunnel that maps uniquely to you?
Addendum: If it's about distrusting your ISP you gotta consider that you're just moving trust to another ISP or service provider (or worst case both, if they're separate entities).
You're just choosing another ISP to give your data to. In the end the VPN server will be somewhere connected to an ISP. I'm doing just that but I'm fully aware that I have to have at least some measure of trust in my own ISP, as opposed to Google, Cloudflare, or any other such entity.
If you set up your own private VPN and send all traffic over it, then you're choosing another ISP to give your data to yes.
If you set up a DoH proxy, and don't route the rest of your traffic through an encrypted tunnel to the same point, then you're choosing two ISPs to give your data to, instead of just the one.
> I agree that there is little gain in hiding DNS traffic from your ISP. And like you I'm wondering what the benefit of spreading around one's DNS profile should be. I think it's better to just pick the DNS provider one distrusts the least.
This assumes you trust your ISP. I know mine does metadata retention, therefore I do not trust them with my privacy. I also know mine blocks things based on a government "block list" which was implemented all in the name of stopping "serious criminals" such as pedophiles and terrorists.
However, in practice it's used for much more than that, which does not constitute any criminality (news websites such as torrentfreak.com); that's because of corruption. The Minister for Communications https://en.wikipedia.org/wiki/George_Brandis that oversaw the implementation of this system was also the Minister for Arts and had heavy ties to the movie industry. He had a lot of collusion with Village Roadshow and Sony (evident by the leaked Sony emails) on this matter.
In other parts of the world I have heard that certain ISPs collect that data for marketing purposes.
> When you set up a private VPN to tunnel your traffic through, doesn't your VPN server just become your client? Or am I missing something here?
This is why I pipe everything through a VPN, that I trust more to protect my privacy than my ISP.
My DNS requests then go through to the DNS server on my VPN's network (it's in private address space), that recurses to Cloudflare. As far as those DNS providers are concerned "someone from that provider did a lookup for something", assuming that it isn't already cached.
The reason I use a VPN provider and don't run a VPN on my own server is because that would just link back to a server that is controlled by me, this way my network traffic is mixed with unrelated customers. For times when I need strong anonymity of course I use Tor. (Just before anyone points that out).
I have found issues in the past, particularly with EDNS subnet information not being available when accessing archive.is https://news.ycombinator.com/item?id=19828317 so that's why I have mine set up like so:
I believe this is the 'correct' way to ensure privacy. Essentially my network works like this:
VLAN2 -> direct to ISP via ppp0
VLAN3 -> through VPN via tun0
Local unbound server forwards everything into dnscrypt that first tries my VPN's DNS server, then tries to use DNSCrypt over the VPN
Regardless of which VLAN I am on, my DNS traffic is always sent through my VPN, https://www.dnsleaktest.com/ is a great site for testing that.
I tend to use VLAN2 for things like financial, or stuff where I do not want to be anonymous or cases that require extremely low latency such as gaming. In either case DNS lookups still go through the VPN.
I think if you go for privacy it is best to resolve queries recursively. You can do QNAME minimization with unbound for example, and whatever network you are trying to reach will likely see your address anyway some way or another. I mean, I for one am more worried about a centralized service like the one offered by Cloudflare than I am worried that individual nameservers are tracking me. And if you are worried about people being able to sniff your traffic, protecting only DNS from that won't help you much.
Today's Guardian has a piece [1] on Firefox's DNS over HTTP and how Mozilla has no plans yet to make it the default in the UK. Most of the article is about how it breaks centralised web filtering, and has concerned-sounding quotes from child protection organisations. Probably a predictable slant for a general readership publication to take, but it is concerning that use of DoH might be being framed solely as enabling criminality. As someone who lives in the UK and who enabled it several months ago for privacy (anti-tracking) reasons, I'm going to have to keep an eye on this.
> The trade body for British ISPs even nominated Mozilla as one of its “internet villains of the year” in July over the issue.
Wow. I mean, you can have an argument over the desirability of DoH, but referring to Mozilla as internet villains is really missing the forest for the trees.
Luckily:
> A month later, the body withdrew the nomination and cancelled the “award” entirely, saying it “clearly sent the wrong message”.
As someone who lives in the UK and who disabled DoH in Firefox several months ago, and more recently LAN-wide using Mozilla's announced canary domain (use-application-dns.net) for privacy reasons, I'm going to have to keep an eye on this.
I'm happy to hear that they currently have no plans to launch DoH in the UK, but I worry that this is only a temporary situation.
Note: If you want to protect the less tech-savvy Firefox users on your LAN from Mozilla's DoH implementation, update your DNS server to NXDOMAIN use-application-dns.net. You can do this easily in Unbound with the following piece of config:
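The Unbound directive the comment refers to, added here as an example and not the commenter's own config. It assumes an Unbound version that supports the `always_nxdomain` local-zone type.

```conf
server:
    # Answer NXDOMAIN for Mozilla's canary domain. Firefox treats NXDOMAIN (or
    # SERVFAIL, or an empty answer) for this name as "this network opts out of
    # DoH" and keeps using the resolver the network handed out.
    local-zone: "use-application-dns.net." always_nxdomain
```

This only affects clients on which DoH is enabled by Mozilla's default rollout; a user who explicitly turned DoH on in Firefox settings is not overridden by the canary.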
Mozilla's TRR agreements require that the end user willingly consented to any shenanigans done to their DNS results from your server.
So you can make a kiddy filter DNS provider that won't let you resolve pornhub, but your users need to have gone "Yeah, kiddy filter, that's what I want" not get opted into it by a government policy.
If you don't want a TRR agreement then sure, but now you'll need to teach users to go in and manually configure your servers. I have a feeling that "Here are the mandatory government instructions for ensuring censorship citizen" is not an effective strategy.
I'd be ok with that. The problem would be the emergence of unscrupulous DoH providers.
Presumably the fear is that having DoH built into the browser lowers the bar to entry for people who want to use it as part of engaging in criminality.
Round-robin and privacy do not dwell well together. Like mike-cardwell pointed out in another comment, it just distributes the same information to more parties.
As there has to be at least one party which will know the request, some information will be leaked. But what can be prevented is giving "unrelated" requests into the hands of the same resolver. Few of the requests per se are interesting; the combinations of them allow one to build user profiles.
The policy should not be round robin, but somehow based on the domain itself, so that all requests about the same domain go to the same resolver, but to nobody else.
An even better mechanism would take into account who is the owner and the controller of the domain, so that requests about, let's say, facebook.com and fbsbx.com land at the same resolver, but github.com and microsoft.com at another.
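As an added illustration of the domain-sticky policy proposed in this comment (example code, not the commenter's): the upstream is chosen by hashing the registrable domain, optionally collapsed to a common owner, and `exposure()` shows what each upstream learns under round-robin versus sticky assignment for the repeated neopets.com lookups mentioned elsewhere in the thread. The resolver names, owner map, public-suffix subset and salt are constructed placeholders.

```python
import hashlib

# Constructed upstream pool and owner map: placeholder names, not real endpoints.
RESOLVERS = ["resolver-a.example", "resolver-b.example",
             "resolver-c.example", "resolver-d.example"]
OWNER_GROUPS = {"fbsbx.com": "facebook.com", "fbcdn.net": "facebook.com"}
# Tiny public-suffix subset for the example; a deployment would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}
# Per-installation secret (constructed) so an upstream cannot predict which
# other domains it will never be asked about.
SALT = b"example-installation-secret"


def registrable_domain(qname):
    """Return eTLD+1 for qname using the longest matching public suffix."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def resolver_for(qname, resolvers=RESOLVERS, salt=SALT):
    """Pick one upstream per owner: all of an owner's domains go to the same place."""
    base = registrable_domain(qname)
    key = OWNER_GROUPS.get(base, base)
    digest = hashlib.sha256(salt + key.encode()).digest()
    return resolvers[int.from_bytes(digest[:8], "big") % len(resolvers)]


def round_robin(qname, i):
    return RESOLVERS[i % len(RESOLVERS)]


def sticky(qname, i):
    return resolver_for(qname)


def exposure(queries, choose):
    """Map each upstream to the registrable domains it learns from this query stream."""
    seen = {r: set() for r in RESOLVERS}
    for i, q in enumerate(queries):
        seen[choose(q, i)].add(registrable_domain(q))
    return seen


if __name__ == "__main__":
    stream = ["neopets.com", "www.neopets.com", "images.neopets.com", "neopets.com"]
    for name, policy in (("round-robin", round_robin), ("sticky", sticky)):
        learned = sum(1 for s in exposure(stream, policy).values() if "neopets.com" in s)
        print(f"{name}: {learned} of {len(RESOLVERS)} upstreams learn neopets.com")
```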
This is more or less what happens if you have a recursive resolver. In most cases your queries will be seen by the same network that will see your traffic afterwards anyway. Only the TLD nameservers will somewhat occasionally, depending on the TTL, know which network you are about to enter, and they are arguably more trustworthy. I think about it this way: I already trust whichever infrastructure provider my endpoint uses, and the choice of nameservers is an extension of that.
I thought that regardless of DNS provider, you can't stop the IP destination. No doubt there's real-time recording of what domain points to what IP. It's harder for your local sysadmin probably, but not much further.
Indeed, that and SNI[1] make this whole DoH thing pretty pointless for privacy IMHO --- if you are seriously concerned about your ISP monitoring your traffic, tunnel everything through a VPN that exits into the Internet somewhere else. It seems more like an effort to frustrate host-based adblocking more than anything.
[1] Looking at SNI is even more accurate, since DNS lookups don't necessarily (but often) mean a connection to that host will be made; a TLS handshake, on the other hand, means a connection is being made.
I doubt DoH is a ploy to break adblocking; if you don’t control the device making the requests they could already do plenty of things to break crude adblocking techniques like that. (Nevermind the fact that one of its biggest supporters is Mozilla.)
Stating that this is pointless for privacy seems like an exaggeration. Sure it's not a panacea, but for probably 80% of sites, the destination IP tells you you are headed to Amazon or Cloudflare. Besides that, why reveal more information rather than less, and why not remove unencrypted, easily manipulated network traffic? Personally, I aim to eliminate unencrypted traffic on my networks.
Yep. Encrypted SNI is still a work-in-progress in terms of browser support – like DoH itself – but they’re both being pushed by Cloudflare, and intended to complement each other. No conspiracy theory needed to explain the motivation.
Edit: And Cloudflare's own service mitigates the use of IP addresses to identify sites, since (AFAIK) all Cloudflare-wrapped sites are accessed via the same IP. Of course, this is only an improvement if you trust Cloudflare.
Exactly; this isn't suitable for people evading nation-states but I use it for my home network as another layer in privacy where total traffic proxying or all-over-Tor isn't realistic.
I thought this was someone else providing an anonymized dns proxy at first, but it's just how to set up your own proxy. Not sure this saves anything over just using DoH to one of the listed providers directly (the requests still come from something you own and can technically be traced back to you, albeit with more effort?)
edit: I'm wondering what the ideal setup actually is. Would the root servers need to provide DoH endpoints?
The "more effort" part was what I was going for -- no nation state or warrant-holding organization is going to be stymied by this, but as a personal/home user, I'd rather DoH resolvers not be able to tie my lookups to my personal IP which is doubtless held in many other cross-referencable locations (in my case, home-network wide proxying or Tor isn't feasible).
I wonder if it'd be feasible to proxy only the DNS requests over Tor. Maybe set up your network-level DNS proxy to route upstream queries through a Tor tunnel to a different DNS-over-HTTPS resolver. Perhaps even have the DNS proxy cache DNS records and proactively revalidate commonly used ones to avoid most of the latency overhead of Tor.
It's definitely feasible. Old hardware + 2 network cards + pfsense makes a router that can do network-wide VPN. Even a lot of prosumer routers can do VPNs now, but I'm not sure how well it works.
In my opinion it would be ideal if all nameservers (including the root servers) would respond to DNS over TLS (DoT?) traffic, which seems like it could be easily adopted but would probably increase the load considerably in some cases (I guess root servers see some massive amount of traffic)... I don't think this will happen anytime soon with DoH or DNS over TLS.
I agree, I think I like the idea of DNS over TLS more than the other options, but DoH seems to be the one that's taking off. I don't feel it's quite a betamax situation, though
A quick bug report: you do not need to set up renewals in cron. In the certbot ppa (and Debian, and thus Ubuntu), they're automatically set up for you at the time of install using both cron and systemd timers.
The privacy noted here appears to essentially boil down to “from Cloudflare” right now, and comes at the risk of leaking DNS queries to other third-parties who are often more inclined to act maliciously towards your privacy and are not committed against doing so.
Be sure that you trust your "over the wire" connection to not sniff and uniquely tag all of your DNS requests with your specific identifying information, as Verizon and many other service providers often do.
But it's round robin. So give it a bit more time and they get a pretty complete picture. E.g. if you resolve neopets.com every morning, they just need to wait (approx.) 4 days to capture the request.
https://simplednscrypt.org for Windows has a one-click setting to enable round-robin over 20+ DoH, DoT, DnsCrypt servers. I don't see why anyone must use a proxy for DNS only to incur additional latency.
DoH and DoT are not really providing privacy unless ESNI is fully developed and deployed by most websites. DoT and DoH do provide security since with plain old DNS, literally anyone in your network path can spoof responses.
Round-robin providers is a really bad idea. It's like leaving your footprint in literally all places.
Best is to use Tor Browser if you really need privacy.
Don't set up or use this system.