DNS over HTTPS in Firefox
Posted Jun 2, 2018 3:06 UTC (Sat)
by gdt (subscriber, #6284)
Parent article: DNS over HTTPS in Firefox
The referenced "A cartoon intro to DNS over HTTPS" says:
The resolver will also often include the first 24 bits of your IP address in the request. This helps the DNS server know where you are and pick a CDN closer to you. But this information can be used by DNS servers to link different requests together. Instead of doing this, Cloudflare will make the request from one of their own IP addresses near the user.
Am I reading the implication correctly? ISPs which host CDNs will also need to host Cloudflare servers in order for that ISP's other hosted CDN servers to be effective?
Posted Jun 2, 2018 10:55 UTC (Sat)
by roc (subscriber, #30627)
[Link] (4 responses)
E.g. if your country has two ISPs, ISP X hosts a CDN, and ISP Y hosts a Cloudflare server, the DNS request will appear to come from an IP address under ISP Y, and hopefully the CDN resolver will resolve it to ISP X's CDN.
Posted Jun 3, 2018 17:31 UTC (Sun)
by gdt (subscriber, #6284)
[Link] (3 responses)
The more likely situation is that both ISP X and ISP Y have CDN hosts. If ISP Y hosts a Cloudflare server and ISP X does not, then ISP X pulls from ISP Y's CDN, for all DNS-directed CDN services. The long-run likelihood is that the X-Y path has a charge [1]. Thus Mozilla's choice means that ISP X faces a strong financial motivation to install a Cloudflare CDN server. My view is that free software should promote open network infrastructure rather than promote a proprietary partner.
The other consideration is that ISP X is likely to be a small ISP and ISP Y is likely to be a large ISP (ISP Y is wealthy enough to host a Cloudflare CDN host, which is pretty far down the list of desirable CDN hosts). That is, Mozilla's acceptance of removing the EDNS Client Subnet Option proposed by Cloudflare adds to the market power of larger ISPs. It would be better if Mozilla had retained the EDNS Client Subnet Option, perhaps asking Cloudflare to enhance privacy by rounding the source IP address up to (a large fraction of?) the BGP-visible network rather than to the proposed /24.
Posted Jun 3, 2018 20:45 UTC (Sun)
by tialaramex (subscriber, #21167)
[Link] (2 responses)
As it stands the only thing I can divine from a DNS request via Cloudflare's Mozilla DoH offering is that it... came from some particular Cloudflare node. Probably that node is near the originator, although maybe not. There's no way around revealing this unless you're happy sacrificing performance (e.g. TOR will incur a few hundred milliseconds latency, in exchange for which nobody knows where you are in the world)
But if the EDNS "Client Subnet" is back, I get to see part of an IP address which may be more or less incriminating. Among the addresses handled by my ISP are "dynamic" assignments, where even seeing the whole address without access to their logs doesn't tell you much, right through to genuinely portable address space owned by customers, where even seeing /20 potentially gives away the game about who the end user is. I'm in the middle, with a static (but not portable) /28 of my own. So when you snip off the last 8 bits, you narrow things down to maybe a dozen customers like me with "Client Subnet" as it stands today, and maybe you could make that hundreds, but you can't make it thousands without also destroying the utility of the technique, and you'd still identify those with portable space.
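The quoted cartoon (first 24 bits forwarded, or the resolver's own address used instead), gdt's suggestion of rounding to a larger prefix, and the /24-versus-/28 arithmetic above all come down to what the EDNS Client Subnet option (RFC 7871) actually carries on the wire. This is an added example, not code from the article or from any commenter: it encodes and decodes the option as RFC 7871 lays it out, counts how many customer blocks share one revealed scope, and shows the fallback the cartoon describes, where a nameserver that receives no ECS locates the client from the resolver's own source address. The address blocks and the region table are constructed for the example and are not real allocations.

```python
import ipaddress
import struct

# EDNS Client Subnet (RFC 7871) constants
ECS_OPTION_CODE = 8                # EDNS0 OPTION-CODE for CLIENT-SUBNET
FAMILY_IPV4, FAMILY_IPV6 = 1, 2    # ADDRESS FAMILY values from the IANA registry


def scope_prefix(addr, prefix_len):
    """Truncate a client address to prefix_len bits: every bit beyond the
    prefix is zeroed, so this network is all an authoritative server can
    learn about the client from the ECS option."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def encode_ecs_option(addr, source_prefix_len):
    """Wire form of the option a resolver adds to its upstream query
    (RFC 7871 section 6): OPTION-CODE, OPTION-LENGTH, FAMILY,
    SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries), and only
    ceil(SOURCE PREFIX-LENGTH / 8) address bytes, trailing bits zero."""
    net = scope_prefix(addr, source_prefix_len)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    nbytes = (source_prefix_len + 7) // 8
    body = struct.pack("!HBB", family, source_prefix_len, 0)
    body += net.network_address.packed[:nbytes]   # host bits already zeroed
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def decode_ecs_option(option):
    """Parse the option back into (network, scope_prefix_len): what the
    receiving nameserver actually sees."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = option[4:4 + length]
    family, source, scope = struct.unpack("!HBB", body[:4])
    addr_len = 4 if family == FAMILY_IPV4 else 16
    padded = body[4:] + b"\x00" * (addr_len - len(body[4:]))  # restore omitted zero bytes
    return scope_prefix(ipaddress.ip_address(padded), source), scope


def customers_in_scope(scope_prefix_len, customer_prefix_len):
    """Upper bound on how many customer blocks of customer_prefix_len bits
    share one revealed scope (a /28 customer behind a /24 scope is one of
    16). A customer whose own block is larger than the scope, such as a
    portable /20 behind a /24, is identified outright."""
    if customer_prefix_len < scope_prefix_len:
        return 1
    return 2 ** (customer_prefix_len - scope_prefix_len)


# Constructed topology for the example: which region a geo-aware
# authoritative server would map a prefix to. Not real allocations.
REGION_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "region-A",   # constructed: a customer ISP block
    ipaddress.ip_network("203.0.113.0/24"): "region-B",    # constructed: a DoH resolver PoP block
}


def pick_region(resolver_addr, ecs_option=None):
    """The cartoon's mechanism: locate the client from the ECS prefix when
    one is present, otherwise from the resolver's own source address. A
    resolver that strips ECS therefore has to sit near the user itself."""
    if ecs_option is not None:
        net, _ = decode_ecs_option(ecs_option)
        probe = net.network_address
    else:
        probe = ipaddress.ip_address(resolver_addr)
    for prefix, region in REGION_BY_PREFIX.items():
        if probe in prefix:
            return region
    return "default"


if __name__ == "__main__":
    opt = encode_ecs_option("198.51.100.77", 24)
    print(opt.hex(), decode_ecs_option(opt))
    print(customers_in_scope(24, 28), customers_in_scope(24, 20))
    print(pick_region("203.0.113.9"), pick_region("203.0.113.9", opt))
```

The two `pick_region` calls at the bottom are the whole trade-off in miniature: with the option present the CDN steers by the customer's /24, without it the answer is wherever the resolver happens to be.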
Posted Jun 4, 2018 2:19 UTC (Mon)
by gdt (subscriber, #6284)
[Link] (1 responses)
"on the other hand you smash some of the routing data"
That's only the case if the BGP feed to the ISP's CDN providers differs from the BGP offered to globally-visible neighbors. In which case the solution is to provide CloudFlare with the same BGP feed as provided to the ISP's other CDN providers.
Posted Jun 6, 2018 15:18 UTC (Wed)
by buchanmilne (guest, #42315)
[Link]
Which requires you to deploy CloudFlare everywhere you have any CDN.
Not going to happen.
In a real ISP I used to be involved with:
* The country has 3 major public peering locations.
** Cloudflare has presence at 2
** Major CDNs have presence at 3
** Smaller CDNs have presence at 1 or 2
* The ISP had 3 DCs, not co-located with the peering locations
** The ISP had 1 major CDN at 3 DCs; this CDN was actually only present at the largest peering location
** The ISP had 2 major CDNs in 2 DCs that were not at any local peering locations, and didn't want to be advertised to this ISP's peers
** The ISP had 1 major CDN in 2 DCs that were present at local peering locations, and were OK being advertised to this ISP's peers, but wanted to avoid sending any of this ISP's customers to the deployment at the peering location (as it was resource constrained).
It was not technically challenging to adjust the route filters appropriately to advertise the client subnets correctly to allow for this, and customers using the ISP's DNS would transparently get the best experience with the least exposure of their DNS requests. It would be technically challenging to get this setup to work with or without Cloudflare in the ISP's DCs.
There is no real privacy improvement available here, because Mozilla's picture doesn't quite hold true. Due to the peering configuration, most DNS requests to the large CDNs would not traverse the public internet, but would be routed across private peering connections (between the ISP and a root DNS operator, then between the ISP and its CDN partner).
With DNS over HTTPS, now these requests may traverse the open internet, and be exposed to a 3rd party (Cloudflare).
IMHO, for some use cases (e.g. public WiFi), this may be an improvement, but for either fixed-line or mobile-operator (e.g. 3G/LTE) internet access, this is a regression in terms of privacy (at least in my country).
In short, this move does make me wonder if Cloudflare recently made some large donation to Mozilla ... which makes me suspicious of both parties.
Posted Jun 2, 2018 11:24 UTC (Sat)
by excors (subscriber, #95769)
[Link] (7 responses)
With DoH, Mozilla/Cloudflare don't want to reveal even 24 bits of the user's IP, for privacy reasons; but they still want to allow CDN nameservers to do their location-based stuff. I presume they also want to work with CDNs that don't implement RFC 7871. To achieve that, they simply make the DNS request from a Cloudflare server that's close to the user. The CDN will return an IP that's close to the Cloudflare server (like it would for any normal request), which will therefore be close to the user.
The system's effectiveness depends on Cloudflare having servers relatively near every user, so their server's location is a good approximation of the user's location. Cloudflare is pretty big so they probably do already; and if they don't, the approximation will just get incrementally worse. There's no need for Cloudflare to have servers near other CDNs.
None of this should affect CDNs using anycast routing (like Cloudflare itself), where they have servers around the world sharing a single IP address and the routing protocol will direct every user to their nearest server, but it appears some major CDNs do still use DNS for this. I guess there is a bit of a conflict of interest for Cloudflare there, but if Cloudflare starts behaving anti-competitively and worsening the performance of other CDNs then Mozilla (whose priority is their user experience) can switch to a different provider or disable DoH, so it's probably not worth it for Cloudflare to mess around.
Posted Jun 2, 2018 11:53 UTC (Sat)
by Sesse (subscriber, #53779)
[Link] (6 responses)
Posted Jun 3, 2018 11:33 UTC (Sun)
by tialaramex (subscriber, #21167)
[Link] (5 responses)
I suppose other options might include:
1. Recruit one or more other DoH providers willing to offer privacy, pick a random one (at start-up, for each query, or whatever)
2. Switch off privacy, preferring to give better CDN and sacrifice the user's privacy (or maybe do so outside the porn-viewing mode)
3. Incorporate this functionality but leave it unused by default (so 99%+ of users never benefit)
When it comes to item (1) I think you've got the same situation as the Search box. Users _can_ pick GoodSearch, or whatever, but by default they get the search engine Mozilla picked. The DoH configuration absolutely can be changed by anybody who knows what DNS even is in the first place. Should the Mozilla corporation sell that default (assuming multiple bidders offer equivalent privacy) for $1M? It is, after all, just a default. How about for $10Bn? That's a LOT of evangelism and software development for the price of a default...
Posted Jun 6, 2018 14:37 UTC (Wed)
by buchanmilne (guest, #42315)
[Link] (4 responses)
Well, the question is, privacy from whom.
There is still no privacy from Cloudflare in this case.
How is this any better than using my ISP's DNS? The contents of my DNS requests are still (theoretically) visible by one entity (the same entity that may also be able to determine by other means the content I am viewing with varying levels of accuracy).
Oh, right, the US is broken and has insufficient competition in the ISP market, where in most other countries this is a solved problem (capitalistic free market!).
Thanks, but I will definitely not be enabling this feature, and will drop Firefox if they make this a default.
In my country, ISPs are well regulated, we have adequate privacy laws, and my ISP:
- Is legally obligated to not give this data to any 3rd party without a warrant
- Has a much better view of the network topology than any 3rd party
For example, many ISPs have many different CDN deployments with different geographic deployments. The ISP I worked for a while ago had CDN deployments for 4 different CDNs in 3 different data-centres. The biggest (by data volume) was deployed in 3, the next 2 were deployed in 2 DCs, the 4th in 1. And this ignores the off-network open-peering CDNs that are co-located with the CloudFlare POPs in our country.
To me it looks suspiciously like Firefox is being paid by Cloudflare to make them more attractive than other CDNs/DDoS prevention companies.
Posted Jun 6, 2018 15:54 UTC (Wed)
by excors (subscriber, #95769)
[Link] (3 responses)
I think the difference is that, by choosing to use Firefox, you have already chosen to trust Mozilla to respect your privacy rights, which implies trusting their agreements with any third parties they choose to share your data with. (You can evaluate that trust based on their privacy policy, and the privacy policy they got Cloudflare to agree to, and their past record in following such policies, and comments from developers about their intentions, etc, and decide whether that trust is justified or not.)
Meanwhile you might or might not trust your ISP - that's an independent decision. (Some ISPs have a history suggesting they shouldn't be trusted as anything more than a dumb pipe, sometimes from malice and sometimes incompetence). If you trust both Mozilla and your ISP, then DoH provides no privacy benefit (well, except from anyone passively monitoring your network traffic, which is a significant benefit) but also no privacy harm. If you trust Mozilla but not your ISP, then it does provide an obvious benefit. If you don't trust Mozilla, you shouldn't be using Firefox anyway because there's a million other ways they could harm you.
Posted Jun 6, 2018 17:10 UTC (Wed)
by jwilk (subscriber, #63328)
[Link] (2 responses)
Trust is not binary.
I trust Mozilla not to put a backdoor in Firefox. I don't trust them at all to care about my privacy. In fact, I'm pretty sure they don't. (Hilariously, when you run Firefox for the first time, it phones home in order to show you the privacy policy.)
Similarly, I trust my ISP not to inject malicious code into my Internet traffic. I don't trust them that they don't snoop on me. I would be surprised if they didn't.
Posted Jun 20, 2018 18:20 UTC (Wed)
by mstone_ (subscriber, #66309)
[Link]
Posted Jun 26, 2018 20:10 UTC (Tue)
by flussence (guest, #85566)
[Link]
Have they apologised yet for their use of a pre-existing backdoor to push Comcast ads in-browser to several million users last November? The closest I've seen to them even acknowledging that they got caught is a pageful of sneering corporate spin-doctoring congratulating themselves on the “shared user experience”.
[1] The argument for the X-Y path being likely charged in the long run: (1) If X-Y is a transit path then the path is already charged. (2) If X-Y is a peering path then the huge increase in traffic from Y to X will make a large enough change to the X:Y peering ratio such that it is no longer in Y's interest to peer.