America's rotten ISPs object to encrypted DNS, argue that losing the ability to spy on your traffic puts them at a competitive disadvantage

Without encrypting DNS your ISP can spy on what you’re visiting no matter what DNS server you use. Setting up their own encrypted DNS server doesn’t stop you from using somebody else’s encrypted DNS and denying them that marketing data. Thus it isn’t simply a matter of them being lazy, they are going to be hurt. Too bad, they shouldn’t have had the data in the first place.
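The claim above, that an on-path observer reads your query names regardless of which resolver IP you send them to, follows directly from the DNS wire format: the question section of a plain UDP/53 query carries the name as length-prefixed labels in the clear. The example below is added here and is not code from the post or from anyone in the thread. It builds a query, extracts the name the way a passive sniffer would, and then shows the same bytes wrapped as an RFC 8484 DoH GET request, where the whole thing travels inside TLS on port 443. The resolver URL and IP addresses are assumptions (documentation ranges), and the "packets" are constructed inline rather than captured.

```python
import base64
import struct

# Added example, not from the original thread.  Resolver URL and IPs are
# placeholders for illustration.

def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Wire-format DNS query: 12-byte header plus one question (QCLASS IN=1)."""
    # ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes, offset: int = 12) -> str:
    """What an on-path observer reads from a plaintext query: walk the label
    sequence that starts right after the header and return the name."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never appear in a question section; treat as malformed.
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def sniff_udp53(packets):
    """Observer's view of a list of (dst_ip, dst_port, udp_payload) tuples.
    The destination IP is irrelevant: every query to port 53 yields its name,
    whichever resolver the user picked."""
    seen = []
    for dst_ip, dst_port, payload in packets:
        if dst_port == 53:
            seen.append((dst_ip, parse_qname(payload)))
    return seen


def doh_get_url(query: bytes, resolver: str = "https://doh.example.net/dns-query") -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded without
    padding, in the 'dns' query parameter.  The URL is inside the TLS session,
    so the network sees only an HTTPS connection to port 443."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


if __name__ == "__main__":
    # Constructed traffic: two queries to two different (assumed) resolver IPs.
    packets = [
        ("203.0.113.53", 53, build_query("boingboing.net")),
        ("198.51.100.53", 53, build_query("example.org")),
    ]
    for ip, name in sniff_udp53(packets):
        print(f"observer sees query for {name} sent to {ip}")
    # RFC 8484 recommends ID 0 for cache friendliness in the GET form.
    print(doh_get_url(build_query("example.org", txid=0)))
```

Running it prints both query names from the "captured" packets even though they went to different resolvers, and then the DoH URL whose `dns=` parameter is the only place the name now appears. Switching resolver IP gains nothing against the ISP; changing the transport does.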


Fun story: Comcast’s new UHD set-top boxes require you to use their XFinityWiFi wireless routers. They don’t have coaxial cable inputs at all.

I discovered this yesterday when I replaced my current set-top boxes because they only support up to 1080p. Because I use my own modem instead of renting one from Comcast, the new set-top boxes didn’t work. I had to go back to the XFinity store and get older boxes instead. I fear that soon, you won’t be able to have cable television unless you agree to let Comcast spy on your local network traffic.


On the upside, soon there won’t be any reason for anybody to have cable television at all. What you’re seeing is a desperate play to maximize the long tail of old-school TV service, because everybody in the industry knows its days are numbered and they’re all sweating bullets trying to find a way to soft-land that beast.


Oof, is Firefox that unpopular already? That’s a shame…

The other way of denying your ISP insight into your browsing behavior is with a VPN, a Tor connection or a similar method of re-routing your traffic. Most of these tunnel the DNS requests too and encrypt the rest of the traffic as well. But all that does is relocate the point where spying is possible, so you still need to trust the VPN supplier.

3 Likes

or

and HTTPS Everywhere

1 Like

ISPs: But! If people use encrypted DNS we’ll be able to overcharge for only the shit we’re supposed to charge you for! No fair!!!

1 Like

It’s great that we’ll be able to encrypt domain names from most people on the wire, but won’t we need to trust someone to be our DNS? I mean, if Google has a plan to route DNS traffic away from our ISPs, and they happen to run a DoH service won’t that just be sending more data to Google?

1 Like


NEWS FLASH: the post office knows who you’re sending mail to

1 Like

Even with encrypted DNS they could still find out what servers you’re hitting. It would be considerably more complicated than when you use their DNS servers, but doable: they’d just track the IP addresses you communicate with, which are always unencrypted (the ISP needs to know where to route your packets after all).

The only way around that is Tor, which has its own set of problems.

Great: now Google knows every site you visit, too!


This story confuses me a bit; I thought DNS over TLS is already a thing, albeit a little tedious to implement. Unbound can encrypt with TLS and cycle your DNS requests between servers then cache the results. I suppose another approach could be to throw chaff with stochastic, but plausible DNS requests. I suppose you would need to take at least some care about the false requests.

It is a less than subtle situation, to me, that surveillance is so easy and well-financed, but protection against it so inconvenient. Ultimately, until we make surveillance itself illegal, by finding a new balance between the (now technically inexpensive) right to observe and record and the right not to be, our technical solutions will be just another arms race. Personally, I think the only regulatory approach that works is one which makes personal data collection toxic and accrue high liability.

1 Like

The IP addresses are in the clear, but that’s not nearly the same thing as having the DNS data.

Consider this site: resolves to an opaque IP address. Yep, Comcast will know that I’m reading comments (or commenting) on a website. But they won’t know if it’s boingboing, a model railroad site, or a 9-11 truther site. The value to the ISP is in figuring out which group of commenters I belong to, not that I made a comment somewhere.


True, it does reduce the value quite a bit. Especially now that so many sites are hosted on shared cloud infrastructure.

I’m all for encrypted DNS. But whoever’s running the DNS server still gets your info. Savvy users can choose a DNS host they trust, in theory. But most accept the auto-configured DNS servers from their ISP, or, if they bother to manually configure one, switch to Google instead.

1 Like

Something I’ve been thinking about lately comes to mind here. How do we poison the data well? If these people want our data, let 'em have it, but let’s obfuscate it, fill it full of erroneous info so that they don’t know exactly who, where or how we are. A data scramble suit, if you will. Is it just a matter of never using true or correct info about yourself except when it can’t be avoided?

I’ve spent some time researching this, but much to my surprise, no one seems to have thought of it.

I love the idea, but it doesn’t work on Medicare or Social Security, where I need it most. They do not use encryption AFAIK.

If you manage to create and sell a program, be it for computer or phone, I’d love to hear about it.

Right, it won’t work in those instances where you have to be honest and use correct, truthful information. Social Security we’re cornered into at birth, and Medicare and the like, they will verify. There’s no way out of those situations. But thanks to regulations such as HIPAA, that information is limited anyway. Allegedly. Also, this sidesteps the matter of encryption. It can all be in clear text, and it doesn’t matter, as long as the data is not true or correct. If someone collects data on you that represents you as the wrong gender, wrong age, state, city and town, and has all sorts of weird internet behaviour that isn’t really representative of you, then it doesn’t matter.

So knowing that a baseline of correct information is out there, surely there has to be a way to obscure the data that some portion of the data collecting world gets. It likely won’t or can’t be done through some sort of program/software. It will also require actual actions and behaviours, and those will extend beyond the use of computers, tablets, cellphones and the internet. One example: Not using loyalty cards at stores. I’ve stopped that recently. I just tell them no, I’ll pass. Although with Kroger I’ve accumulated cards for fifteen years, and they span a number of cities across two states, under multiple names. So it’s rather fun to use a different card each time I go to Kroger. It really upset one store manager when she asked why I had so many Kroger cards.

Anyway, I digress. It seems that it can be done to some degree or another, it just requires some clever minds to work at it. How effective it could be remains to be seen. It certainly seems worth trying, rather than just going into that good night and letting these cretins just have our data, without any sort of effort to stymie them, at least. Some other ideas: use VPNs, start multiple email and other online accounts under false names, with false birthdays, addresses, age, gender, etc. I’d love to find a way to start a fake Facebook account, with a fake photo, and build an entire personality and life that is a complete fabrication (it’s apparently impossible to do, but I haven’t accepted that as fact yet). Sign up for accounts of various types at places while out of town, or at homes of friends and family. Have friends out of state sign you up for various accounts and services.

Maybe not all of those are effective, maybe none of them are, but I’m just brainstorming, which is where it starts. Maybe.

I remember as a kid reading about a weird dystopian sort of world. Reading the works of Philip K. Dick and others, I never imagined I’d actually live in that world.

Somebody’s always going to know if you have an upstream DNS provider. You could set up a DNS proxy and distribute among many distributed providers, but… yeah. You’re going down a rabbit hole of paranoia at that point, though.

I do wish that distributed browsing was easier; basically, in a group you are friends with and trust, do browsing where it goes into the onion and comes back out. However, then you just make it statistically figuring out who is supporting whom based on who you are communicating with on the IP level and also what traffic comes out from the cloud of aggregated users at the same time.

At least Tor spreads it out, but I wouldn’t want to be a Tor exit node for anybody to come by and use (because I don’t want the cops to show up and take all my hardware because of bad actors). Indeed, some sites block access to IPs acting as exit nodes (which I guess I can get) and relay nodes (which is beyond me unless you just hate freedom to some degree).

Sure. You have to trust someone with your dns requests. I would prefer that my DNS provider not have a business model that involves tracking my browsing to sell to advertisers.

This is much ado about nothing, though, because the fundamental premise of their position, that Google will force Chrome users to use their DNS, is a complete fabrication.

They wouldn’t do this anyway. Countless enterprises and even medium-sized orgs use internal DNS for routing of things like internal web apps and services; forcing them to use outside DNS would break all of that.

I’m not sure what the ISPs hope to accomplish really. Even if the FCC “banned” DNS-over-HTTPS, how would they even enforce that? Especially if the rest of the world moves that way?

Cory, I don’t think anybody’s going to argue that ISPs deserve the benefit of any doubt as to their intentions. After the SOPA wars, I certainly won’t be coming to their defense. However, your strong rhetoric here may be a provoked bias. DNS has never been ignored and it’s in no way creaking. There is a secure protocol called DNS-over-TLS which has identical encryption properties to DNS-over-HTTPS, the only difference being that DoT can be blocked in a firewall whereas DoH is designed not to be detected or blocked. In your article you’re responding to an anti-trust argument advanced by Comcast against Google, but your response shows no awareness of two vital facts:

  1. If ISPs want to become surveillance capitalists so that they can compete against Big Tech’s surveillance capitalists, that doesn’t make ISPs evil, that simply reminds us that surveillance capitalism is evil. This is gangster-on-gangster violence, and neither Big Tech nor Big ISPs are going to use their winnings to help improve lived privacy for any of us. We have to stop all of the surveillance, not merely change who can and cannot surveil.

  2. As an operator of managed private networks at home and at work, I strongly resent being told by the DNS-over-HTTPS cloud that my firewall is now obsolete, and anyone including underaged children, poisoned supply chains, malware, or intruders will from now on be able to ask whatever DNS questions they want, with no monitoring or filtering possible by the owner of the network. That should be my decision, not theirs. Not all perimeter security is authoritarian. DNS-over-TLS cannot be intercepted without notice to the end-user, and so DoT solves the vast majority of end user privacy woes, but without changing who can prevent it from working.

DNS-over-HTTPS is ill-considered and may usher in far stronger controls, costing everybody no matter what their agenda was, and benefiting almost nobody. DNS-over-TLS is what we need to keep Big ISPs in check without giving more power to Big Tech. Happy to discuss 1x1 if you’d like to hear more on this topic.

Paul Vixie
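The perimeter argument in the post above turns on one observable difference: DoT runs on its own port (853), so a network owner can recognise it and decide who may use it, while DoH runs on 443 and is only recognisable when the destination happens to be on a list. The small policy classifier below is an added example, not code from the post or its author, and not any real firewall's syntax. It models the owner's view of outbound flows from a managed LAN. The resolver addresses are assumptions from the documentation ranges, and the flows are constructed, not captured.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original thread.  All addresses are assumed.
LOCAL_RESOLVER = ipaddress.ip_address("192.0.2.53")            # the owner's own forwarder
KNOWN_DOH_RESOLVERS = {ipaddress.ip_address("203.0.113.10")}   # hand-maintained list, never complete


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def classify(flow):
    """Return (traffic class, verdict, reason) for one flow leaving the LAN."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    if flow.dport == 53:
        # Plaintext DNS: pin clients to the local resolver, which is where the
        # owner's filtering and logging happen.
        if dst == LOCAL_RESOLVER:
            return ("dns53", "allow", "query to the owner's resolver")
        return ("dns53", "block", "client bypassing the local resolver")

    if flow.dport == 853 and flow.proto == "tcp":
        # DoT: names are encrypted, but the port identifies the protocol, so the
        # owner can confine it to the resolver's own upstream connection.
        if src == LOCAL_RESOLVER:
            return ("dot", "allow", "local resolver forwarding upstream over TLS")
        return ("dot", "block", "client-side DoT bypasses local policy; the port makes it easy to stop")

    if flow.dport == 443 and flow.proto == "tcp":
        # DoH: indistinguishable from ordinary HTTPS unless the destination is
        # on a list; anything not on the list sails through.
        if dst in KNOWN_DOH_RESOLVERS:
            return ("doh", "block", "destination is a listed DoH resolver")
        return ("https", "allow", "looks like any other web traffic (may still be DoH)")

    return ("other", "allow", "not a DNS transport this policy recognises")


def apply_policy(flows):
    """Classify a batch; returns a list of (flow, class, verdict)."""
    return [(f,) + classify(f)[:2] for f in flows]


def count_by_verdict(flows):
    """Summarise how many flows each verdict applies to."""
    counts = {}
    for _, _, verdict in apply_policy(flows):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed flows from one client (192.0.2.20) and the local resolver.
    sample = [
        Flow("192.0.2.20", "192.0.2.53", 53, "udp"),     # normal client lookup
        Flow("192.0.2.20", "198.51.100.5", 53, "udp"),   # client ignoring DHCP-assigned resolver
        Flow("192.0.2.20", "198.51.100.5", 853, "tcp"),  # client doing DoT on its own
        Flow("192.0.2.53", "198.51.100.5", 853, "tcp"),  # resolver's upstream DoT
        Flow("192.0.2.20", "203.0.113.10", 443, "tcp"),  # DoH to a listed resolver
        Flow("192.0.2.20", "203.0.113.99", 443, "tcp"),  # DoH to an unlisted resolver, or just a website
    ]
    for f, cls, verdict in apply_policy(sample):
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {cls:6} {verdict}")
    print(count_by_verdict(sample))
```

The last sample flow is the one that matters: a DoH query to a resolver the operator has not listed gets the same verdict as a visit to any web site, whereas every DoT flow, listed or not, is caught by port alone. That is the asymmetry the post describes; the example does not decide whether filtering is the right policy, only who is in a position to apply one.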