Why Apple, Cloudflare, and Fastly Proposed a New Privacy-Focused DNS Standard Called 'Oblivious DoH' (zdnet.com) 64
"Cloudflare, Apple, and Fastly have co-designed and proposed a new DNS standard to tackle ongoing privacy issues associated with DNS," reports ZDNet.
Cloudflare calls it "a practical approach for improving privacy" that "aims to improve the overall adoption of encrypted DNS protocols without compromising performance and user experience..." Third-parties, such as ISPs, find it more difficult to trace website visits when DNS over HTTPS (DoH) is enabled. DoH deployment is on the cards for many major browser providers, although rollout plans are ongoing. Now, Oblivious DNS over HTTPS (ODoH) has been proposed by Cloudflare — together with partners PCCW Global, Surf, and Equinix — to improve on these models by adding an additional layer of public key encryption and a network proxy...
The overall aim of ODoH is to decouple client proxies from resolvers. A network proxy is inserted between clients and DoH servers — such as Cloudflare's 1.1.1.1's public DNS resolver — and the combination of both this and public key encryption "guarantees that only the user has access to both the DNS messages and their own IP address at the same time," according to Cloudflare... "The client behaves as it does in DNS and DoH, but differs by encrypting queries for the target, and decrypting the target's responses..."
Test clients for the code have been provided to the open source community to encourage experimentation with the proposed standard. It can take years before support is enabled by vendors for new DNS standards, but Eric Rescorla, Firefox's CTO, has already indicated that Firefox will "experiment" with ODoH.
Cloudflare calls it "a practical approach for improving privacy" that "aims to improve the overall adoption of encrypted DNS protocols without compromising performance and user experience..." Third-parties, such as ISPs, find it more difficult to trace website visits when DNS over HTTPS (DoH) is enabled. DoH deployment is on the cards for many major browser providers, although rollout plans are ongoing. Now, Oblivious DNS over HTTPS (ODoH) has been proposed by Cloudflare — together with partners PCCW Global, Surf, and Equinix — to improve on these models by adding an additional layer of public key encryption and a network proxy...
The overall aim of ODoH is to decouple client proxies from resolvers. A network proxy is inserted between clients and DoH servers — such as Cloudflare's 1.1.1.1's public DNS resolver — and the combination of both this and public key encryption "guarantees that only the user has access to both the DNS messages and their own IP address at the same time," according to Cloudflare... "The client behaves as it does in DNS and DoH, but differs by encrypting queries for the target, and decrypting the target's responses..."
Test clients for the code have been provided to the open source community to encourage experimentation with the proposed standard. It can take years before support is enabled by vendors for new DNS standards, but Eric Rescorla, Firefox's CTO, has already indicated that Firefox will "experiment" with ODoH.
Latency (Score:2, Flamebait)
Current oDoH is DoA with 2-300ms of latency. The concern is real, though - keep working on it.
Cloudflare wants the DNS traffic for themselves (Score:1)
If you don't think that Cloudflare isn't going to make some sort of money off of traffic analysis of DNS over HTTP traffic, I don't know what to tell you.
Be wary of anyone offering things for free.
Re: Cloudflare wants the DNS traffic for themselve (Score:3, Interesting)
Re: Cloudflare wants the DNS traffic for themselv (Score:1)
Re: (Score:2)
And Apple will try to make everyone license some portion of it.
Re: (Score:2)
Google, safari, edge... (Score:3)
I note that the browsers themselves will know both. and if you have auto-complete in the URL box turned on then they phone home. I'm suspecting that google chrome phones home no matter what since I've seen it resolve URLs even when the DNS server I pointed my computer too was down. Either that or it pre-fetches things I'm likely to open from bookmarks.
Re: Cloudflare wants the DNS traffic for themselve (Score:2)
Excactly. They got costs too. Who's gonna pay those bills?
You are!
Or your personally assigned vultures. Mmmhh, uuseeer! Delicious!
Re: (Score:2)
If you don't think that Cloudflare isn't going to make some sort of money off of traffic analysis of DNS over HTTP traffic, I don't know what to tell you.
Be wary of anyone offering things for free.
I'm wary of your free advice.
Re: (Score:2)
Cloudflare's business model is to provide a basic service for free and charge for faster or better features. They'll probably find ways to charge for faster DNS resolution for the most popular/lucrative websites.
Re: (Score:2)
Cloudflare is an embarrassing service that ultimately only does things to lower their own costs. They know significant amounts of traffic they protect are illegal, and this DoH service is just a way to ultimately hide everything illegal they know about.
Re: (Score:2)
If you don't think that Cloudflare isn't going to make some sort of money off of traffic analysis of DNS over HTTP traffic, I don't know what to tell you.
They do, but not in the way you think. I remember reading they chose to own the 1.1.1.1 address because for years it was a major target of packets coming from misconfigured servers all around the Internet, including routers whose code believes it's a non-existent IP address, meaning it's been a DDoS target before the term was coined, and then added a DNS service on top of it so as to make it even more a target, so as to use it as a constant test bed and calibration source for their anti-DDoS service, which
Dupe. Dupe. (Score:3)
Dupe [slashdot.org].
Again? (Score:3)
I guess EditorDavid must be filtering out msmash's postings [slashdot.org], because this already made the front page of Slashdot almost a week ago.
Re: Again? (Score:2)
Re: (Score:2)
Yes thats totally about privacy.
What is the real purpose? (Score:3)
The first justification for this is to hide your DNS queries from your ISP. The second is to hide your IP from the DNS server.
For the first half: once you have resolved the DNS address, guess what? You send an HTTP(S) query through your ISP, and the IP you are requesting is - indeed must be - visible. ReverseDNS, and voila, your ISP knows what website you are looking at. Yes, it can be a bit more complicated than that, if multiple domains share an address, but generally speaking you have hidden exactly nothing.
For the second half: you must sent along your public key, in order for the reply to be encrypted. This means that the DNS service can group queries by public key, which is at least as unique as your IP address. Unless you go to the effort of generating a new key for every query, the protocol has already failed the other half of its purpose, namely, preventing the DNS service from identifying you.
Seems like using a VPN is a better solution all around.
Re: (Score:3)
You send an HTTP(S) query through your ISP, and the IP you are requesting is - indeed must be - visible. ReverseDNS, and voila, your ISP knows what website you are looking at. Yes, it can be a bit more complicated than that, if multiple domains share an address, but generally speaking you have hidden exactly nothing.
Ignoring for a moment that most content is served from a CDN or shared IP these days, even if they know the site they don't know what pages you are looking at... Unless you DNS queries leak that information too thanks to third party content. And third party content is even more likely to be CDN based.
One of the benefits of the cloud.
Re: What is the real purpose? (Score:3)
Ignoring for a moment that most content is served from a CDN or shared IP these days, even if they know the site they don't know what pages you are looking at... Unless you DNS queries leak that information too thanks to third party content. And third party content is even more likely to be CDN based.
I think this is sort of a backwards view of the situation. I mean yes, with ESNI and encrypted DNS, it should make it at least very tricky to determine where you just went by looking at your traffic. That is a privacy win in a big way, for when the bad guy is tailing you to see where you go because they don't have any clue, looking for something to hang you for maybe. Plus it would be hard to outright block certain sites, but that's not a privacy concern.
However, when someone actually IS watching your tr
Re: (Score:2)
I think you underestimate the value of making things harder and more expensive. Mass surveillance is only done when it's cheap enough to justify the cost.
Re: (Score:2)
. I mean yes, with ESNI and encrypted DNS, it should make it at least very tricky to determine where you just went by looking at your traffic. That is a privacy win in a big way
The prospects of widespread ECH adoption are nill given CA costs involved and lack of benefit. This technology will only be employed by the large proxy infrastructure providers it was intentionally designed to advantage.
Simply using anonymous DH could have actually been a big practical privacy win but can't have that.
Re: What is the real purpose? (Score:2)
Well a number of governments have metadata retention laws that look like casual snooping and are (intentionally!) Vague on retention length and even what security measures ISPs are supposed to implement, while also demanding warrantless online access to said data for "law enforcement". There's huge troves of data just sitting there ripe for a malicious actor to extract.
Knowing which DNS addresses you resolve frequently can be used against you even without knowing what pages you access.
Do you resolve genital
The client doesn't HAVE a public key (Score:3)
The first half of what you said is right. It doesn't really hide anything unless the site uses a CDN. That's why Cloudflare likes it. An eavesdropper can only tell that you are connecting to a Cloudflare IP; they can't tell which site.
The second half is not correct and seems to indicate a misunderstanding of https or DoH.
Not correct:
"you must sent along your public key, in order for the reply to be encrypted" - the client doesn't HAVE a public key.
DNS over https is literally exactly what the name says.
The
Re:What is the real purpose? (Score:5, Informative)
You send an HTTP(S) query through your ISP, and the IP you are requesting is - indeed must be - visible.
And? Congratulations, your ISP knows that you connected to Cloudflare or Akamai.
Yes, it can be a bit more complicated than that, if multiple domains share an address, but generally speaking you have hidden exactly nothing.
It seems you have a 1990s view of the internet. Your "more complicated than that" scenario is in fact the modern internet default scenario.
Seems like using a VPN is a better solution all around.
Sounds good. Can you suggest a good DNS to go with it?
Re: What is the real purpose? (Score:2)
Re: (Score:2)
The last question was facetous, but thanks for the share anyway. Are they affiliated with Protonmail?
I believe most VPNs will offer their DNS servers as well. I use Private Internet Access for the odd time I need to.
Re: What is the real purpose? (Score:2)
will also break some adblockers (Score:3, Interesting)
Re: (Score:3)
This is not a proposal to force browsers -- or anything else -- to use ODoH. As long as they use the system resolver, or a stub resolver that talks to a network-local recursive resolver, the user's local system or network can use ODoH in conjunction with DNS blacklists or other mechanisms.
If the browser still uses pihole to do the actual name resolution, pihole can block its rejected names and use ODoH for names that pass. It's designed to keep your DNS queries private from your ISP and from the end resol
Re: (Score:2)
Browsers are one thing, but IOT devices or the android system on a "smart" TV is another thing. It will be much harder to block on these devices using DNS now.
Re: (Score:2)
Why do you think it would break pihole? Pihole is a local DNS resolver. Pihole could add support for ODoH between it and upstream resolvers like Cloudflare, thus providing you with the benefits of ODoH while still using standard DNS or DoH for its interactions with you, allowing it to continue blocking as it always has.
The only way this breaks pihole is if it bypasses pihole altogether, but there’s nothing inherent in thieve protocols that does so. Of course, if the browser has baked-in resolvers it
Re: (Score:2)
*in these protocols
Yay for auto-correct.
Re: (Score:1)
Re: (Score:2)
Sure. So don’t use browsers that do that. This isn’t a hard problem or an inevitability.
Re: (Score:2)
If your browser is doing that without an option to disable the "feature", it's malware and it's hijacking your traffic, plain and simple. Stop using it. I don't understand why people keep bringing this up as if it's an inevitability or something difficult to avoid. There are plenty of competing browsers that will not ever make this a mandatory feature.
As for DoH and ODoH, I think it's actually undeniable that there are privacy benefits to be had with them. They make it a lot harder to tie your DNS requests
Re: (Score:2)
So if this is such a big deal why isn't it being done at the OS level instead of the browser level?
On the surface, it seems to me that someone wants to say "uh, yeah. we look at ALL the dns requests", for good or bad reasons.
Also makes me want to say "why are you taking away control from me" - I run my own DNS on my LAN and if I want to redirect facespace.foo to a local address that has a simple page that says "daughter #1, you should be doing homework", how can I if the browsers are all using this and not
Re: (Score:2)
So if this is such a big deal why isn't it being done at the OS level instead of the browser level?
That's the million dollar question, right there.
I see no reason why they can't, but until they do, I'm staying away from any of these.
Another broken protocol (Score:2)
Yet another broken-in-some-way-we-have-not-found-yet protocol that only benefits the players that made it. There is no way I can let this crap through the firewall.
We need to secure internet communications but dns-solution-of-the-week is not the answer. Fuck all of these spys.
Re: (Score:2)
Yet another worthless post from someone who doesn't understand the protocol, how it works, or what problem it tries to solve.
We need to go back to this being news for nerds rather than the modern day news for anti-corporation conspiracy theory nutjobs Slashdot has become.
Re: (Score:2)
What problem does it solve? How many extra security layers do I need? VPN + ODoH? At what point is it turtles all the way down? At some point a DNS server will resolve the query, there are lots of ways to wrap the communications between the client and server. Its really not obvious why this is better, the answer lies somewhere in the same space as to why CloudFlare and others want to insert themselves as proxies in these communications.
Middle men, please let me pay them all - in the name of security an
Big corps screw things up again (Score:3)
We don't have any way out when a couple corps conspire to "improve" the internet?
DNS works. Leave it alone!
If you want your ISP to respect you, PASS SOME LAWS and punish them when they violate your privacy! Simple.
You have to rely on somebody to do DNS for you... so now we have another middle man protecting you from your local middle man. Your local middle man ISP gets paid by you; these new ones don't get paid by you and they are not just doing this out of generosity; at least not long term. If you thin
Re: (Score:2)
Gee without our savior CloudFlare there simply is no way to secure DNS. Please insert yet another provider between me and things I need to access, call it secure and fast - because inserting an extra layer in the network has always been shown to improve both latency and security.
Sure the NSA is one type of spy, perhaps here I meant spying on my browsing and selling that information for a profit. But go ahead, get it all mixed up into nonsense - that says more about you than me.
Do you propose news standard called 'oblivious rep (Score:2)
Seems to already be a great success!
Re: (Score:2)
Name needs to be changed from "oblivious DoH" to Simpson DNS.
Cloudflare (Score:2)
Is it cynical to question whether they would do anything that doesn't continue to justify their existence?
Re: Cloudflare (Score:3)
It may be cynical, but at the same time we shouldnâ(TM)t take things at face value.
Apple has generally been pro privacy (they make their money elsewhere), so there is a good chance their motives are genuine, compared to if Facebook proposed them. Actually Apple may well have a business motive in reassuring traffic is kept secret, in that it becomes a selling point for their solutions.
Berryflare. (Score:2)
Worked well for Blackberry. How are they doing?
Re: (Score:2)
They provide DNS services. How does this (and I assure you they will be one of the first to implement it and thus become an instant default) not justify their existence?
Also known as... (Score:2)
"The Homer Simpson Standard."
Re: (Score:2)
And a Homer Simpson quality idea. Trojan Horse security. Please lock us in as the only spies on your DNS, so sorry that your DNS blockers all stopped working. I want to let you know about the 3pm specials at the donut shop.
How is target IP address hidden (Score:1)
"...Firefox will "experiment" with ODoH..." (Score:3)
Re: (Score:2)
Perhaps this will help? https://support.mozilla.org/en... [mozilla.org] I have been setting keyword.enabled to false for quite awhile, and the address bar no longer automatically searches.
Re: (Score:2)
Also, FireFox has its own DoH settings: https://support.mozilla.org/en... [mozilla.org]
While FF's DoH currently lacks the additional layer of encryption (on top of HTTPS encryption), it's provider partners certainly could insert a proxy in front of the DNS resolver to provide some screening. Or their resolvers could simply just not log requestor IPs.
Re: (Score:2)
This scheme is INHERENTLY flawed (Score:2)
This scheme is merely a shell game of unnecessary complexity intended to provide public cover for centralized collection of data that does not need to be centralized in the first place.
There are three things to consider.
1. A centralized DN.S service that is not trustworthy in the first place cannot be rendered trustworthy simply by deployment of an address hiding proxy. Even if the proxy is trustworthy and does not collude a D.NS service can single-handedly effectively negate the protections of the proxy b
Run all your DNS requests through our (Score:2)
It's not enough (Score:1)
Let's be clear what this really means (Score:2)
With DRM, we no longer control what is executed on our own machines. With HTTPS everywhere, it becomes almost impossible to monitor traffic to/from our devices, which we don't control, and increasingly don't own. Hiding DNS just adds to the difficulty.
We are one enabling event away from the end of legal general purpose computing for the masses.