Fedora and fallback DNS servers [LWN.net]

Fedora and fallback DNS servers

Posted Feb 25, 2021 20:24 UTC (Thu) by logang (subscriber, #127618)
Parent article: Fedora and fallback DNS servers

> One could even go further: the privacy level using those public DNS servers might actually be higher than using the DHCP-provided ones in many cases, simply because we can use DoT [DNS over TLS] on the former (admittedly not yet the default in resolved though, but hopefully soon), but almost never can on the latter, and what's worse the latter are usually provided by crappy edge networks like Internet Cafés and such where the fact we send stuff unencrypted is just awful.

I disagree with this statement. It's easy for people to understand the risks and privacy implications of using free internet at a Cafe. Most of my non-technical friends understand this is a concern and will adjust their behaviour accordingly, even if they don't know the specific risks.

There's a much bigger privacy implication of sending all of your DNS queries (encrypted or otherwise) to a single company so they know every website you go to, whether at home or at the cafe. Add to the fact that they can correlate this with your account information when you visit that company's services and it becomes even more egregious. So they know exactly who you are and every website you have ever visited. And to make matters worse, the non-technical person may never know they are giving up all this information because some random person mis-configured something and their system silently fell back to using a third party's services without their knowledge.

The focus on DoT misses the point entirely. Yes, it would be nice if more servers provided this extra security but it's beside the privacy issue. I'd much rather have my ISP have this information (as they largely have it anyway seeing they sit between me and the internet) than give it to a big tech company; and I'm willing to risk having someone intercept the data between me and my ISP than give away all my information freely to a single party.

But, yes, a fall back is fine *if* you complain loudly so the user can know that something bad has happened and can perhaps seek help. The message needs to be visible (so not hidden in some log somewhere) and acknowledge which third-party is actually being given what information.

to post comments

Fedora and fallback DNS servers

Posted Feb 25, 2021 21:38 UTC (Thu) by pizza (subscriber, #46) [Link] (8 responses)

> There's a much bigger privacy implication of sending all of your DNS queries (encrypted or otherwise) to a single company so they know every website you go to, whether at home or at the cafe.

This argument falls flat once you consider that most folks already send "all of their DNS queries" to "a single company" -- namely their home ISP -- and the historical record is full of examples of ISPs (and especially hotspot operators) being much less trustworthy (and less reliable) than the likes of Google or Cloudfare.

This whole discussion seems to be question about "fail closed" or "fail open" -- or alternatively, two points on the "usability vs security" curve. Which one is appropriate is _entirely_ context-dependent. and to be honest, for those scenarios where "fail closed" is appropriate, this default is just one of many things that need changing for their particular deployment environment. For most everyone/everything else, having a sane fallback is a GoodThing(tm), because the alternative is not "working" at all.

> But, yes, a fall back is fine *if* you complain loudly so the user can know that something bad has happened and can perhaps seek help.

Sure, though it's not entirely clear what mechanism could be used to do this complaining.

Fedora and fallback DNS servers

Posted Feb 25, 2021 23:56 UTC (Thu) by gdt (subscriber, #6284) [Link] (7 responses)

The user has a contract with their home ISP, and that ISP is usually regulated under telecommunications provider laws. The user's relationship with Google is very different. Whether that's good or bad comes down to the jurisdiction. But it's plain that failing over between the two cases -- from ISP's servers to Google, or Google's services to the ISPs -- is crossing between very different types of legal entities, and best not done without the user's explicit approval.

It makes sense that a law about privacy -- such as the EU's GDPR -- becomes involved and makes that approval that a firm requirement rather than just a good practice.

From a practical point of view, DNS is a useful leverage point to detect and control botnets and some sources of malware. Again, flipping out of that security environment into another with no approval by the user is not a great idea. And again, that applies to both moving from the ISPs servers to Google's, or from Google's servers to the ISPs.

Fedora and fallback DNS servers

Posted Feb 26, 2021 0:34 UTC (Fri) by pizza (subscriber, #46) [Link] (4 responses)

> The user has a contract with their home ISP, and that ISP is usually regulated under telecommunications provider law

Sure, and those laws say "the provider can collect whatever they want and do whatever they want with it". As does the contract, incidentally.

> It makes sense that a law about privacy -- such as the EU's GDPR -- becomes involved and makes that approval that a firm requirement rather than just a good practice.

So why limit this to your "upstream" DNS resolver? What about authoritative DNS server operators, TLD operators, and DNS root operators? (Since my household utilizes a private resolving DNS server, my "private" IP address and what I'm trying to resolve gets leaked to all of them, and there is *nothing* I can do short of not using DNS at all. Though I shouldn't have to point out that these DNS lookups are triggered by my explicit action, so isn't that actually my giving informed consent that my DNS lookups will have to leak out, by design?)

Fedora and fallback DNS servers

Posted Feb 26, 2021 3:30 UTC (Fri) by wahern (subscriber, #37304) [Link] (3 responses)

> Sure, and those laws say "the provider can collect whatever they want and do whatever they want with it". As does the contract, incidentally.

Some jurisdictions do prohibit ISPs from selling user data. And some ISPs are genuinely good netizens. People in these situations (a not insubstantial number, even in the U.S.) accidentally failing over to Google or Cloudflare are objectively in a *worse* situation.

Furthermore, small choices that push the entire Internet ecosystem into reliance on Google, Cloudflare, etc, means it becomes increasingly difficult to significantly improve the situation for everyone. It's not politically difficult (at least not in many jurisdictions outside the U.S.) to justify restrictions on ISPs collecting and leveraging personal data. But try to do that for Google and Cloudflare once a majority of the internet is relying on them to provide "free" DNS service, and then you'll find that you've burned all your bridges (port 53 is blocked everywhere except to Google and Cloudflare) and no longer have any real leverage. They can just take their ball and go home and then your citizens or clients will complain, "what use is privacy if I can't perform the activities I was interested in at all."

Look, it's a difficult problem juggling these competing demands--convenience vs privacy, security, etc. No doubt about it. But there's a difference between taking a path which we're not quite sure where it leads, and taking a path that very clearly leads to an undesirable end, even if it's slightly better than the status quo. Anyhow, the latter path isn't ever going away. Google and Cloudflare want you to use their DNS services because it not only makes them more money, it promises even greater dividends down the road as more people become reliant on them. That's true today and it will remain true for the foreseeable future.

Anyhow, if convenience is your primary objective, the solution is easy: just run a local recursing resolver. NLnet Labs' unbound is one of the most popular local resolvers in FOSS systems (perhaps second only to systemd-resolved). It's reputation is unimpeachable, supports all the latest standards to a much greater degree than systemd-resolved (including DoT and DoH, client- *and* server-side), and it's a first-class recursing, caching resolver. Moreover, it's composed of a collection of well documented APIs, meaning it's relatively easy to stitch together your own local resolver that transparently performs whatever fancy fallback magic you could ever want. OpenBSD does this: they provide unbound in the default install, but also provide their own bespoke "road warrior" resolver built on the unbound libraries. systemd could have decided to use these libraries if they had wanted to; it still can, in fact.

Conflation of the convenience and privacy issues is happening largely because of deficiencies in systemd-resolved itself. Only if you can't reliably perform recursive queries do you need to resort to choosing Google or Cloudflare as the fallback. And even then the options aren't mutually exclusive--you could first try the DHCP-declared server; if that doesn't work try recursing yourself; if that doesn't work fall back to Google over DoT/DoH. And to reiterate, libunbound puts all that within reach with a fraction of the effort that has gone into writing the systemd-resolved stack.[1]

[1] Not that I think the systemd-resolved stack is bad. I had no qualms relying on it to proxy upstream (to the DHCP-declared servers) for our clustering architecture.

Fedora and fallback DNS servers

Posted Feb 26, 2021 4:36 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

> Some jurisdictions do prohibit ISPs from selling user data.

Sure, some do. Many more don't.

Meanwhile, Google (and for that matter, Cloudfare) has never "sold user data".

(Now Google sells _advertising_ that uses that data to improve targeting. But so have my last two ISPs)

And your ISP has some pretty detailed user activity data that many jurisdictions mandate be collected and retained, for "law enforcement" purposes. This sort of thing was a prime reason for the https-everywhere push. (Which led to even more intrusive middleboxes, which led browsers to pin certificates to catch data interception, and so forth...)

> Google and Cloudflare want you to use their DNS services because it not only makes them more money, it promises even greater dividends down the road as more people become reliant on them. That's true today and it will remain true for the foreseeable future.

...And also because plenty of middlemen routinely muck with end-users' DNS queries (and anything else that can be intercepted) leading to all manner of shenanigans, from relatively benign (data collection), somewhat skeevy (injecting advertising), to outright hostile (MITM attacks, credential harvesting)

(TBH I'd be quite surprised if Google and/or Cloudfare make any money off of their public DNS resolver, much less enough to offset the cost of providing/maintaining the service..)

> Anyhow, if convenience is your primary objective, the solution is easy: just run a local recursing resolver.

Um, how is installing and appropriately configuring an additional software packages "convenient" or "easy"?

If "convenience" is truly the primary objective, then systemd-resolved's upstream behaviour is ideal, as it will use whatever your ISP/etc hands you and only fall back to well-known public services if what you were handed doesn't work (or is nonexistent) for whatever reason.

(And I say that as someone who has private recursive resolvers set up for all of the networks I'm responsible for. And who has long made sure that "internal" DNS zones are publicly resolvable due to corporate VPN clients overriding local resolver settings..)

Fedora and fallback DNS servers

Posted Feb 26, 2021 10:40 UTC (Fri) by smurf (subscriber, #17840) [Link]

> (TBH I'd be quite surprised if Google and/or Cloudfare make any money off of their public DNS resolver, much less enough to offset the cost of providing/maintaining the service..)

The systems running the public DNS resolvers are there anyway, they provide search / content acceleration. Data gained from them helps identify malicious users (if suddenly 100k random queries for random123.s0me0bscured0ma1n.com show up, something fishy may be going on) which helps both secure and/or run their other services. So I strongly suspect that their effect is net positive.

Fedora and fallback DNS servers

Posted Feb 27, 2021 6:40 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

Both Google and Cloudflare have reasoned that their profitability is inherently tied to the Internet. If they make the Internet work better, they get more profits. Certainly we can trivially analyse the most superficial version of this thinking as correct - if the Internet somehow goes away Google and Cloudflare are ruined.

For now this aligns their interests and mine very well. In principle the Network might some day be transitioning to a successor technology and we could imagine Google and Cloudflare, if they still existed when that happens, fighting this change, like a 1990s telco (profiting from the previous iteration of the Network the global PSTN) trying to stop the Internet rather than going with the flow, but if that happens it would be in the distant future and I expect to be long dead.

Anyway, under this rationale offering public DNS unbreaks the Internet for some non-trivial fraction of users, which in turn drives up your profitability.

For Cloudflare in particular there's an extra bonus, the 1.1.1.1 server gets to choose which of several valid answers to give in response to queries and so it can choose answers for Cloudflare services that reduce RTT between origin and server since it knows where they both are.

Historically there was effort to help other servers do this in DNS, by telling them the first few octets of the asking client's IP address. EDNS Client Subnet. Unfortunately of course as we see in this thread, people consider their IP address private information and don't want it leaked. So Cloudflare does not use EDNS Client Subnet at all.

Fedora and fallback DNS servers

Posted Feb 26, 2021 6:39 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (1 responses)

> The user has a contract with their home ISP

Nope. The user is just a user. Perhaps somebody in their home has such a contract, and perhaps it's with a "home ISP", and perhaps that home ISP operates a DNS server upstream which somebody in those actually actually chose to use, but likely not. In either case I can't see why you'd imagine this somehow creates a relationship between a user and an ISP regulated by law when the two don't even have or want a relationship.

I don't for one moment buy the theory that somehow the GDPR means the user needs to explicitly configure a protocol they've never heard of because of some tortured logic about IP addresses as identifiers. If your concern is that operators of big public DNS servers like 8.8.8.8 and 1.1.1.1 might invade your privacy I have great news - unlike most ISPs they've actually got good reasons not to and policies saying they won't.

Fedora and fallback DNS servers

Posted Feb 27, 2021 8:22 UTC (Sat) by gdt (subscriber, #6284) [Link]

In either case I can't see why you'd imagine this somehow creates a relationship between a user and an ISP regulated by law

Well I can't speak to the USA, but in Australia that's precisely what the Telecommunications Act exists to do. The ISP is a "carriage service provider" or a "telecommunications provider" and thus has a black-letter list of the occasions when the content of the user's telecommunications can be disclosed, with other disclosures being criminal.

If your concern is that operators of big public DNS servers like 8.8.8.8 and 1.1.1.1 might invade your privacy I have great news - unlike most ISPs they've actually got good reasons not to and policies saying they won't.

Whereas ISPs are controlled by telecommunications legislation rather than by self-interest. My point is that invisible failover between these two very different privacy scenarios is not desirable.

Fedora and fallback DNS servers

Posted Feb 26, 2021 3:19 UTC (Fri) by ibukanov (subscriber, #3942) [Link]

Browsers and so many other programs already show rather specific error message about DNS problems. What is missing is a link to system settings where the user can adjust DNS fallbacks and behavior.

And I really do not understand the issue with cloud images. I suspect that a probability of a cloud provider misconfiguring DNS in production is much lower than for ISP and when it happens it is not only DNS that will be done. So the nuisance in practice is when a developer misconfigure/underconfigure a VM/container engine on their laptop.