
Why Apple, Cloudflare, and Fastly Proposed a New Privacy-Focused DNS Standard Called 'Oblivious DoH' (zdnet.com)

"Cloudflare, Apple, and Fastly have co-designed and proposed a new DNS standard to tackle ongoing privacy issues associated with DNS," reports ZDNet.

Cloudflare calls it "a practical approach for improving privacy" that "aims to improve the overall adoption of encrypted DNS protocols without compromising performance and user experience..." Third-parties, such as ISPs, find it more difficult to trace website visits when DNS over HTTPS (DoH) is enabled. DoH deployment is on the cards for many major browser providers, although rollout plans are ongoing. Now, Oblivious DNS over HTTPS (ODoH) has been proposed by Cloudflare — together with partners PCCW Global, Surf, and Equinix — to improve on these models by adding an additional layer of public key encryption and a network proxy...

The overall aim of ODoH is to decouple client proxies from resolvers. A network proxy is inserted between clients and DoH servers — such as Cloudflare's 1.1.1.1's public DNS resolver — and the combination of both this and public key encryption "guarantees that only the user has access to both the DNS messages and their own IP address at the same time," according to Cloudflare... "The client behaves as it does in DNS and DoH, but differs by encrypting queries for the target, and decrypting the target's responses..."

Test clients for the code have been provided to the open source community to encourage experimentation with the proposed standard. It can take years before support is enabled by vendors for new DNS standards, but Eric Rescorla, Firefox's CTO, has already indicated that Firefox will "experiment" with ODoH.
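The proxy-and-target split the summary describes, as an added example that is not Cloudflare's, Apple's or Fastly's code and not the ODoH draft's wire format: a small Go simulation in which the client seals its query under the target's X25519 public key using a fresh ephemeral key for every query, the proxy relays the opaque blob and can record only the client's address, and the target opens the query, answers from a constructed zone and seals its reply under a second key derived from the same exchange. Real ODoH uses HPKE and DNS wire-format messages; the hash-based kdf, the AES-GCM framing, the names Target, Proxy and Resolve, and the sample addresses and zone entry are assumptions made for this demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on errors that cannot happen with well-formed inputs (fixed key sizes, the OS random source).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// kdf: hash-based key derivation standing in for HPKE's schedule; binds the secret to the ephemeral key and a label.
func kdf(shared, ephPub []byte, label string) []byte {
	h := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), label...))
	return h[:]
}

// gcm builds AES-256-GCM; the all-zero nonce is safe only because every derived key encrypts exactly one message.
func gcm(key []byte) (cipher.AEAD, []byte) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return aead, make([]byte, aead.NonceSize())
}

// Target is the oblivious resolver: a long-term X25519 key whose public half (Pub) clients fetch.
type Target struct {
	priv *ecdh.PrivateKey
	Pub  []byte
	zone map[string]string
	Log  []string // what this party could record per exchange
}

func NewTarget() *Target {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	zone := map[string]string{"www.example.com": "198.51.100.10"} // constructed sample answer
	return &Target{priv: priv, Pub: priv.PublicKey().Bytes(), zone: zone}
}

// Handle opens a relayed query, resolves it and returns the sealed reply.
// The only address the target ever sees is the proxy's.
func (t *Target) Handle(proxyAddr string, msg []byte) ([]byte, error) {
	if len(msg) < 32 {
		return nil, fmt.Errorf("message too short to carry an ephemeral key")
	}
	ephPub, ct := msg[:32], msg[32:]
	shared, err := t.priv.ECDH(must(ecdh.X25519().NewPublicKey(ephPub)))
	if err != nil {
		return nil, err // untrusted point rejected by the curve
	}
	aead, nonce := gcm(kdf(shared, ephPub, "query"))
	name, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err // tampered, or not sealed for this target
	}
	answer, ok := t.zone[string(name)]
	if !ok {
		answer = "NXDOMAIN"
	}
	t.Log = append(t.Log, fmt.Sprintf("from=%s q=%s", proxyAddr, name))
	aead, nonce = gcm(kdf(shared, ephPub, "response"))
	return aead.Seal(nil, nonce, []byte(answer), nil), nil
}

// Proxy forwards opaque blobs: it sees the client's address but holds no key material, so it never reads the query.
type Proxy struct {
	Addr   string
	Target *Target
	Log    []string
}

func (p *Proxy) Relay(clientAddr string, msg []byte) ([]byte, error) {
	p.Log = append(p.Log, fmt.Sprintf("from=%s bytes=%d", clientAddr, len(msg)))
	return p.Target.Handle(p.Addr, msg)
}

// Resolve is the client: a fresh ephemeral X25519 key per query (so nothing on the wire is a
// persistent identifier), the name sealed for the target, relayed via the proxy, reply opened.
func Resolve(clientAddr string, p *Proxy, targetPub []byte, name string) (string, error) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(targetPub)))) // targetPub is trusted config
	ephPub := eph.PublicKey().Bytes()
	aead, nonce := gcm(kdf(shared, ephPub, "query"))
	msg := append(ephPub, aead.Seal(nil, nonce, []byte(name), nil)...)
	encReply, err := p.Relay(clientAddr, msg)
	if err != nil {
		return "", err
	}
	aead, nonce = gcm(kdf(shared, ephPub, "response"))
	answer, err := aead.Open(nil, nonce, encReply, nil)
	return string(answer), err
}
```

Calling Resolve with a client address, a Proxy wired to a Target and the target's Pub returns the answer; the check worth making afterwards is that the proxy's log line carries the client address but never the queried name, while the target's log line carries the name but only the proxy's address, which is the "only the user sees both" property the summary quotes. A forged or truncated blob is rejected by the target rather than answered. The single-use key is what justifies the all-zero GCM nonce; a key reused across messages would need a random nonce.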

  • Latency (Score:2, Flamebait)

    Current oDoH is DoA with 2-300ms of latency. The concern is real, though - keep working on it.

  • If you don't think that Cloudflare isn't going to make some sort of money off of traffic analysis of DNS over HTTP traffic, I don't know what to tell you.

    Be wary of anyone offering things for free.

    • That seems a little one-sided given that many of the best and most trustworthy apps and services are free (and often open-sourced). Yes, users should always be careful with ANY service, paid or otherwise, but to broadly and generically say that free services are essentially out to get you seems more like biased fear mongering and/or conspiracy theory than an actual warning based on evidence.
    • by cusco ( 717999 )

      And Apple will try to make everyone license some portion of it.

      • First of all, how will Apple license anything by proposing a standard to the IETF, whose sole purpose is open standards? The proposed standard can be crap and rejected, but it is being proposed as an open standard. Second, DoH involves infrastructure equipment that Apple cannot control. For example, good luck to Apple trying to license that in Linux, especially Linux servers, which run on a good portion of Internet servers.
    • I note that the browsers themselves will know both, and if you have auto-complete in the URL box turned on then they phone home. I'm suspecting that Google Chrome phones home no matter what, since I've seen it resolve URLs even when the DNS server I pointed my computer to was down. Either that or it pre-fetches things I'm likely to open from bookmarks.

    • Exactly. They got costs too. Who's gonna pay those bills?

      You are!
      Or your personally assigned vultures. Mmmhh, uuseeer! Delicious!

    • If you don't think that Cloudflare isn't going to make some sort of money off of traffic analysis of DNS over HTTP traffic, I don't know what to tell you.

      Be wary of anyone offering things for free.

      I'm wary of your free advice.

    • Cloudflare's business model is to provide a basic service for free and charge for faster or better features. They'll probably find ways to charge for faster DNS resolution for the most popular/lucrative websites.

    • by Kisai ( 213879 )

      Cloudflare is an embarrassing service that ultimately only does things to lower their own costs. They know significant amounts of traffic they protect are illegal, and this DoH service is just a way to ultimately hide everything illegal they know about.

    • If you don't think that Cloudflare isn't going to make some sort of money off of traffic analysis of DNS over HTTP traffic, I don't know what to tell you.

      They do, but not in the way you think. I remember reading they chose to own the 1.1.1.1 address because for years it was a major target of packets coming from misconfigured servers all around the Internet, including routers whose code believes it's a non-existent IP address, meaning it's been a DDoS target before the term was coined, and then added a DNS service on top of it so as to make it even more a target, so as to use it as a constant test bed and calibration source for their anti-DDoS service, which

  • by msauve ( 701917 ) on Sunday December 13, 2020 @10:45AM (#60825648)
    Today's news: /. "editors" don't read /. Dog bites man.

    Dupe [slashdot.org].
  • by Entrope ( 68843 ) on Sunday December 13, 2020 @10:46AM (#60825654) Homepage

    I guess EditorDavid must be filtering out msmash's postings [slashdot.org], because this already made the front page of Slashdot almost a week ago.

    • Slashdot is privacy focused and has implemented the oblivious editor protocol.
      • Is that the protocol where all editor duties are forced to go through a single centralized authority, forced to do so by that same centralized authority?

        Yes, that's totally about privacy.
  • by bradley13 ( 1118935 ) on Sunday December 13, 2020 @11:05AM (#60825710) Homepage

    The first justification for this is to hide your DNS queries from your ISP. The second is to hide your IP from the DNS server.

    For the first half: once you have resolved the DNS address, guess what? You send an HTTP(S) query through your ISP, and the IP you are requesting is - indeed must be - visible. ReverseDNS, and voila, your ISP knows what website you are looking at. Yes, it can be a bit more complicated than that, if multiple domains share an address, but generally speaking you have hidden exactly nothing.

    For the second half: you must send along your public key, in order for the reply to be encrypted. This means that the DNS service can group queries by public key, which is at least as unique as your IP address. Unless you go to the effort of generating a new key for every query, the protocol has already failed the other half of its purpose, namely, preventing the DNS service from identifying you.

    Seems like using a VPN is a better solution all around.

    • by AmiMoJo ( 196126 )

      You send an HTTP(S) query through your ISP, and the IP you are requesting is - indeed must be - visible. ReverseDNS, and voila, your ISP knows what website you are looking at. Yes, it can be a bit more complicated than that, if multiple domains share an address, but generally speaking you have hidden exactly nothing.

      Ignoring for a moment that most content is served from a CDN or shared IP these days, even if they know the site they don't know what pages you are looking at... Unless your DNS queries leak that information too thanks to third party content. And third party content is even more likely to be CDN based.

      One of the benefits of the cloud.

      • Ignoring for a moment that most content is served from a CDN or shared IP these days, even if they know the site they don't know what pages you are looking at... Unless your DNS queries leak that information too thanks to third party content. And third party content is even more likely to be CDN based.

        I think this is sort of a backwards view of the situation. I mean yes, with ESNI and encrypted DNS, it should make it at least very tricky to determine where you just went by looking at your traffic. That is a privacy win in a big way, for when the bad guy is tailing you to see where you go because they don't have any clue, looking for something to hang you for maybe. Plus it would be hard to outright block certain sites, but that's not a privacy concern.

        However, when someone actually IS watching your tr

        • by AmiMoJo ( 196126 )

          I think you underestimate the value of making things harder and more expensive. Mass surveillance is only done when it's cheap enough to justify the cost.

        • . I mean yes, with ESNI and encrypted DNS, it should make it at least very tricky to determine where you just went by looking at your traffic. That is a privacy win in a big way

          The prospects of widespread ECH adoption are nil given the CA costs involved and lack of benefit. This technology will only be employed by the large proxy infrastructure providers it was intentionally designed to advantage.

          Simply using anonymous DH could have actually been a big practical privacy win but can't have that.

        • Well, a number of governments have metadata retention laws that look like casual snooping and are (intentionally!) vague on retention length and even what security measures ISPs are supposed to implement, while also demanding warrantless online access to said data for "law enforcement". There are huge troves of data just sitting there ripe for a malicious actor to extract.

          Knowing which DNS addresses you resolve frequently can be used against you even without knowing what pages you access.

          Do you resolve genital

    • The first half of what you said is right. It doesn't really hide anything unless the site uses a CDN. That's why Cloudflare likes it. An eavesdropper can only tell that you are connecting to a Cloudflare IP; they can't tell which site.

      The second half is not correct and seems to indicate a misunderstanding of https or DoH.

      Not correct:
      "you must send along your public key, in order for the reply to be encrypted" - the client doesn't HAVE a public key.

      DNS over https is literally exactly what the name says.
      The

    • by thegarbz ( 1787294 ) on Sunday December 13, 2020 @01:29PM (#60826188)

      You send an HTTP(S) query through your ISP, and the IP you are requesting is - indeed must be - visible.

      And? Congratulations, your ISP knows that you connected to Cloudflare or Akamai.

      Yes, it can be a bit more complicated than that, if multiple domains share an address, but generally speaking you have hidden exactly nothing.

      It seems you have a 1990s view of the internet. Your "more complicated than that" scenario is in fact the modern internet default scenario.

      Seems like using a VPN is a better solution all around.

      Sounds good. Can you suggest a good DNS to go with it?

  • by ultramagnus1 ( 2961225 ) on Sunday December 13, 2020 @11:09AM (#60825722)
    This will also break DNS based adblockers such as pihole, which may be one of the real motivations for some of the backers.
    • by Entrope ( 68843 )

      This is not a proposal to force browsers -- or anything else -- to use ODoH. As long as they use the system resolver, or a stub resolver that talks to a network-local recursive resolver, the user's local system or network can use ODoH in conjunction with DNS blacklists or other mechanisms.

      If the browser still uses pihole to do the actual name resolution, pihole can block its rejected names and use ODoH for names that pass. It's designed to keep your DNS queries private from your ISP and from the end resol

      • Browsers are one thing, but IoT devices or the Android system on a "smart" TV is another thing. It will be much harder to block on these devices using DNS now.

    • Why do you think it would break pihole? Pihole is a local DNS resolver. Pihole could add support for ODoH between it and upstream resolvers like Cloudflare, thus providing you with the benefits of ODoH while still using standard DNS or DoH for its interactions with you, allowing it to continue blocking as it always has.

      The only way this breaks pihole is if it bypasses pihole altogether, but there’s nothing inherent in thieve protocols that does so. Of course, if the browser has baked-in resolvers it

      • *in these protocols

        Yay for auto-correct.

      • by x0ra ( 1249540 )
        Hardcode oDoH DNS IP in browser, hardcode trusted certificate in browser, sign browsers binaries, OS enforce only signed binaries. GAFAM wins, you lose.
      • So if this is such a big deal why isn't it being done at the OS level instead of the browser level?

        On the surface, it seems to me that someone wants to say "uh, yeah. we look at ALL the dns requests", for good or bad reasons.

        Also makes me want to say "why are you taking away control from me" - I run my own DNS on my LAN and if I want to redirect facespace.foo to a local address that has a simple page that says "daughter #1, you should be doing homework", how can I if the browsers are all using this and not

        • So if this is such a big deal why isn't it being done at the OS level instead of the browser level?

          That's the million dollar question, right there.

          I see no reason why they can't, but until they do, I'm staying away from any of these.

  • Yet another broken-in-some-way-we-have-not-found-yet protocol that only benefits the players that made it. There is no way I can let this crap through the firewall.

    We need to secure internet communications but dns-solution-of-the-week is not the answer. Fuck all of these spies.

    • Yet another worthless post from someone who doesn't understand the protocol, how it works, or what problem it tries to solve.

      We need to go back to this being news for nerds rather than the modern day news for anti-corporation conspiracy theory nutjobs Slashdot has become.

      • What problem does it solve? How many extra security layers do I need? VPN + ODoH? At what point is it turtles all the way down? At some point a DNS server will resolve the query; there are lots of ways to wrap the communications between the client and server. It's really not obvious why this is better; the answer lies somewhere in the same space as to why CloudFlare and others want to insert themselves as proxies in these communications.

        Middle men, please let me pay them all - in the name of security an

    • We don't have any way out when a couple corps conspire to "improve" the internet?
      DNS works. Leave it alone!

      If you want your ISP to respect you, PASS SOME LAWS and punish them when they violate your privacy! Simple.

      You have to rely on somebody to do DNS for you... so now we have another middle man protecting you from your local middle man. Your local middle man ISP gets paid by you; these new ones don't get paid by you and they are not just doing this out of generosity; at least not long term. If you thin

      • Gee without our savior CloudFlare there simply is no way to secure DNS. Please insert yet another provider between me and things I need to access, call it secure and fast - because inserting an extra layer in the network has always been shown to improve both latency and security.

        Sure the NSA is one type of spy, perhaps here I meant spying on my browsing and selling that information for a profit. But go ahead, get it all mixed up into nonsense - that says more about you than me.

  • Seems to already be a great success!

  • Is it cynical to question whether they would do anything that doesn't continue to justify their existence?

    • It may be cynical, but at the same time we shouldn't take things at face value.

      Apple has generally been pro privacy (they make their money elsewhere), so there is a good chance their motives are genuine, compared to if Facebook proposed them. Actually Apple may well have a business motive in reassuring traffic is kept secret, in that it becomes a selling point for their solutions.

    • They provide DNS services. How does this (and I assure you they will be one of the first to implement it and thus become an instant default) not justify their existence?

  • "The Homer Simpson Standard."

    • And a Homer Simpson quality idea. Trojan Horse security. Please lock us in as the only spies on your DNS, so sorry that your DNS blockers all stopped working. I want to let you know about the 3pm specials at the donut shop.

  • I don't quite understand how this protects privacy. Ultimately, unless using a VPN permanently, your browser has to make a connection to some target website and that IP address must be known to your ISP. Yes, lots of little servers use shared addresses, but the large ones have to be known.
  • by QuietLagoon ( 813062 ) on Sunday December 13, 2020 @02:08PM (#60826298)
    I wish Firefox would have a config setting to totally and completely bypass any DNS processing it does within the browser, and use the DNS service on my network instead. I have become quite tired of Firefox sending me to a search engine when I enter a perfectly good fully-specified host name into the address bar, a host name that the DNS on my network resolves quite well.
    • Perhaps this will help? https://support.mozilla.org/en... [mozilla.org] I have been setting keyword.enabled to false for quite a while, and the address bar no longer automatically searches.

    • Also, FireFox has its own DoH settings: https://support.mozilla.org/en... [mozilla.org]

      While FF's DoH currently lacks the additional layer of encryption (on top of HTTPS encryption), its provider partners certainly could insert a proxy in front of the DNS resolver to provide some screening. Or their resolvers could simply just not log requestor IPs.

      • I have FF's DoH set to off. At least, that is what I set it to, FF seems to have a mind of its own regarding the DNS mess it created for itself. Sometimes I think FF is just trying to do far more than it is capable of doing reliably. I do not want FireFox to mess with DNS, DoH, etc. Just pass the hostname to the network's DNS server. Period. That probably is not complicated enough to get the FF developers' attention to fix it to work properly....
  • This scheme is merely a shell game of unnecessary complexity intended to provide public cover for centralized collection of data that does not need to be centralized in the first place.

    There are three things to consider.

    1. A centralized DNS service that is not trustworthy in the first place cannot be rendered trustworthy simply by deployment of an address hiding proxy. Even if the proxy is trustworthy and does not collude, a DNS service can single-handedly effectively negate the protections of the proxy b

  • systems(trust us we'll encrypt it both ways ;) wink! wink! so we can save it and mine it out for big bucks.
  • I would like to point out that while this is not necessarily a bad thing, it will not prevent an ISP or any skilled adversary that sees your source traffic from finding out what websites you visit. Despite using ODoH or Tor or a VPN. An adversary at the source can still work out what websites you're visiting with 96% accuracy without ever needing to see your DNS queries (and apply blocking). As a reference I would reference this explanatory study https://distrinet.cs.kuleuven.... [kuleuven.be]
  • With DRM, we no longer control what is executed on our own machines. With HTTPS everywhere, it becomes almost impossible to monitor traffic to/from our devices, which we don't control, and increasingly don't own. Hiding DNS just adds to the difficulty.

    We are one enabling event away from the end of legal general purpose computing for the masses.
