DNS over HTTPS

From LinuxReviews

DNS over HTTPS (DoH) is a protocol for doing domain name (DNS) lookups via the HTTPS protocol. The supposed goal of doing DNS queries this way is to increase end-users' privacy and security by removing a man-in-the-middle's ability to eavesdrop on and manipulate DNS data. DoH shifts the point of attack from anyone between clients and the DNS resolvers responsible for the domains that are queried to the two large multinational corporations who run DoH servers: Cloudflare and Google. DoH thus creates central points of attack where large amounts of DNS data from a vast number of people can be stored and monitored.

Stated Purpose and the Actual Attack Vectors[edit]

The Internet uses IP addresses to identify computers. Domain names turn those IPs into names that are easier to remember. You can type linuxreviews.org into a web browser's address bar and magic behind the scenes turns that into an IP address. The web browser goes to that address and fetches the page. The DNS lookup will typically go to the Internet Service Provider (ISP), who hands connected clients a few DNS servers along with an IP address when the client connects and makes a DHCP request. Most people use these default ISP servers. ISPs can, and many do, censor certain domain names. They do, in effect, have the power to say "linuxreviews.org? We don't like that one, you can't have that name resolved". They can also log all the DNS queries that are made.

Your ISP's domain servers are, of course, not responsible for linuxreviews.org. When you make a query (unless they have it cached) they will contact the .org nameservers and ask them. They then contact one of our nameservers and ask it to turn the domain name into an IP. The ISP will then turn around and feed that information to the computer that asked - or not.

The ISP is, in effect, a man-in-the-middle who can do man-in-the-middle attacks. ISPs can also very quietly log all the DNS queries that are made. It is possible to bypass the ISP's nameserver by setting up your own caching nameserver on your local network using Unbound. Most of our readers will do something like that. The vast majority of people out there won't. And it's only a measure which makes it harder to log all your DNS queries. Your ISP is in a position where they see all your traffic anyway, which means that they could log all traffic to and from your assigned IP. It's just harder than collecting all the customers' DNS queries from a pair of central DNS servers, and it is also much less likely that they would target an individual customer's uplink.

DNS over HTTPS "fixes" the problem of ISPs being in the middle by... placing Google or Cloudflare in the middle. Those are, as of December 2019, the alternatives. Others could set DoH servers up but it wouldn't make much of a difference in the grand scheme of things. Mozilla Firefox uses Cloudflare's servers by default. Google Chrome will most likely use Google's DoH servers as its default when Google adds DoH to their browser. That's a lot of user-data given to two companies who already have a whole lot of user-data.
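What actually travels to the DoH server is an ordinary DNS wire-format message carried in an HTTPS request (RFC 8484). The following is an added example, not code from the article or from any browser: it builds the query a client would send to Firefox's default endpoint from the article, and parses a constructed reply (the 203.0.113.10 address is a documentation address, not a real lookup result).

```python
import base64
import struct

# Firefox's default DoH endpoint, taken from the article (network.trr.uri)
DOH_URI = "https://mozilla.cloudflare-dns.com/dns-query"

def build_query(name, qtype=1, txid=0):
    """Minimal DNS wire-format query (RFC 1035): 12-byte header plus one question.
    RFC 8484 recommends a DNS ID of 0 for DoH so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN

def doh_get_url(name, uri=DOH_URI):
    """RFC 8484 GET form: the wire-format message goes in ?dns=, base64url without padding."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{uri}?dns={b64}"

def _read_name(msg, off):
    """Read a (possibly compressed) domain name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg):
    """Extract (name, ttl, ipv4) tuples from a DNS wire-format response, i.e. a DoH reply body."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section (name + type + class)
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers

# Constructed sample reply (not captured from any resolver): one A record, TTL 300, 203.0.113.10
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: QR=1, RD+RA, 1 question, 1 answer
    + build_query("linuxreviews.org")[12:]               # question section, echoed back
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a"
)
```

The query name sits in the URL (or POST body) in plain base64url, so anyone with access to the DoH server's logs sees exactly what an ISP resolver would have seen.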

Deployments[edit]

Several web browser vendors are pushing DNS over HTTPS as a default.

Mozilla Firefox[edit]

Mozilla Firefox has made DNS over HTTPS the default for all users. This change was silently made around September 2019. It is possible to check what it is doing by going to Preferences, where Network Settings is at the very bottom of the General section. Clicking Settings below the Network Settings headline opens a Connection Settings dialog box which was historically used to configure proxy settings. The very bottom of that dialog has a checkbox [ ] Enable DNS over HTTPS. Enabling it allows you to choose either Cloudflare, which is the default, or "Custom". Un-checking the box disables DNS over HTTPS.

It is also possible to change Firefox's DoH settings in its about:config settings-value editor (type it into the URL bar). The setting to look for is network.trr.mode, which can have the values 5=disabled, 3=DoH only (regular DNS is disabled), 2=use DoH with regular DNS as fallback, and 1=DoH can be used and Firefox decides whether it will be used on a per-site basis. That's quite a few more options than the Connection Settings offer. The service used for DoH is stored in network.trr.uri, which defaults to https://mozilla.cloudflare-dns.com/dns-query.

OpenBSD and most GNU/Linux distributions like Fedora ship their own default Firefox configuration. In Fedora's case it's defined in

/usr/lib64/firefox/browser/defaults/preferences/firefox-redhat-default-prefs.js

and that file contains

/* Disable DoH by default */
pref("network.trr.mode",                    5);

Users of Windows will have DoH enabled by default, and so will users of some other GNU/Linux distributions. OpenBSD's default is to disable DoH.

Google Chrome / Chromium[edit]

Google started enabling DNS over HTTPS for "a small percentage of users" in Chrome 79. It is unclear what that really means. It does indicate that Google will enable it for everyone at a later date. That makes total sense from a business perspective; it's quite a lot of very lucrative user-data.

Final Thoughts[edit]

The promise of end-user privacy by enabling DNS over HTTPS for everyone in major web browsers seems dubious. It simply shifts the position an eavesdropper needs to be in from many small and large ISPs around the globe to just two multinational corporations well known for their cooperation with state actors, and not necessarily benign ones.



Senseivita

one day 2 hours 31 minutes ago

First of all, is this a blog in a wiki? That's kinda cool.

Anyway... Although it's not something that can be just dismissed, who's collecting the data is the least of my concerns regarding DoH. The real, or the most pressing, issue is that this is something readily available in a web server's environment that can be exploited by companies to deliver content that used to be blocked by standard DNS filtering, and they've caught on.

On my Yahoo! Mail (testing) account, it sometimes goes over a year between logins so I'm always curious what it's doing. On one of these occasions, in the dev tools, I found among the domains *attempted* (uBlock Origin stopped it) to be contacted "yahoodns.net". Meaning, there was an in-browser JavaScript DNS client deployed without consent, so even if the browser itself has DoH disabled, they still manage to show ads or find tracking servers. Yahoo!'s ridiculously obvious domain name was just lazy, but others such as Apple aren't as naïve, because it seems that it uses the same set of servers for everything, and since the transport is HTTP at the end of the day, a reverse proxy puts the DNS traffic back on track at their end, making it harder to block without locking you out of services you might actually want. If that wasn't enough, QUIC then shows up in the picture: stateless, encrypted HTTP.

I'm actually writing a guide about this; it's a very special use case, Active Directory with complex DNS routing and filtering... but there's a part of it that may be useful for everybody, a list I'm collecting of DoH/DoT servers. If you have a firewall that can block based on DNS (e.g. pfBlockerNG in pfSense), using all the results from a query, not just the first one, block TCP:80, TCP:443, TCP:853, UDP:80 & UDP:443 to:


If you don't need any other service from these hosts, block all traffic to them. If they are deploying in-browser DNS clients, who's to stop them from deploying in-browser VPN clients, or "relays" (right, Apple?), or what have you.

As the author mentions, have your own nameserver, which should be the only thing on your network allowed to query external nameservers.
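Blocking by name only works once you can see which clients are trying to reach DoH/DoT endpoints. As an added example (not from the article or the commenter), the audit below runs over constructed dnsmasq-style resolver log lines and netfilter LOG lines, using a few of the resolver names mentioned on this page plus Mozilla's canary domain; the 192.168.1.x clients and 203.0.113.x addresses are made up for the sample.

```python
import re

# DoH/DoT endpoints to watch for, taken from names mentioned on this page.
# use-application-dns.net is the canary domain Firefox looks up before enabling DoH.
DOH_ZONES = ("cloudflare-dns.com", "dns.google", "dns.quad9.net",
             "doh.opendns.com", "use-application-dns.net")

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<ip>\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*DPT=(?P<dpt>\d+)")

def in_doh_zone(name):
    """True if name is one of the watched endpoints or a host beneath one."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in DOH_ZONES)

def audit(dns_lines, fw_lines):
    """Correlate resolver and firewall logs; return sorted (client, reason) findings."""
    findings = set()
    resolver_ips = {}  # answered IP -> DoH hostname it was returned for
    for line in dns_lines:
        q = QUERY_RE.search(line)
        if q and in_doh_zone(q["name"]):  # a client bootstrapping a DoH endpoint
            findings.add((q["client"], f"looked up DoH endpoint {q['name']}"))
        r = REPLY_RE.search(line)
        if r and in_doh_zone(r["name"]):
            resolver_ips[r["ip"]] = r["name"]
    for line in fw_lines:
        m = FW_RE.search(line)
        if not m:
            continue
        if m["dpt"] == "853":  # DNS over TLS has its own port, so it stands out by itself
            findings.add((m["src"], f"DNS over TLS connection to {m['dst']}"))
        elif m["dpt"] == "443" and m["dst"] in resolver_ips:  # DoH hides in ordinary HTTPS
            findings.add((m["src"], f"HTTPS to DoH endpoint {resolver_ips[m['dst']]} ({m['dst']})"))
    return sorted(findings)

SAMPLE_DNS = [  # constructed dnsmasq-style lines; 203.0.113.0/24 is a documentation range
    "Dec 10 09:01:02 dnsmasq[711]: query[A] linuxreviews.org from 192.168.1.50",
    "Dec 10 09:01:02 dnsmasq[711]: reply linuxreviews.org is 203.0.113.10",
    "Dec 10 09:01:05 dnsmasq[711]: query[A] mozilla.cloudflare-dns.com from 192.168.1.20",
    "Dec 10 09:01:05 dnsmasq[711]: reply mozilla.cloudflare-dns.com is 203.0.113.7",
]
SAMPLE_FW = [  # constructed netfilter LOG lines for outbound connections
    "kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443",
    "kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=51001 DPT=443",
    "kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.9 PROTO=TCP SPT=51002 DPT=853",
]
```

A client that ships the resolver's IP address hard-coded never performs the bootstrap lookup and shows up only as port 443 traffic, which is why the commenter blocks by address as well as by name.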