DNS over HTTPS Testing With Firefox and What it Means for Web Filtering and Privacy 

Lawrence Systems
42K views

Published: 6 Sep 2024

Comments: 130
@jsross33 5 years ago
I could see smaller businesses and schools having problems with this, but I don't see this as being a very big deal for larger businesses with dedicated IT staff. It's really a matter of traffic analysis. If you're seeing a lot of HTTPS traffic without any corresponding DNS traffic, it is going to stick out like a sore thumb and should warrant an incident response from the security team. Don't try this at work, folks; depending on your employer's Acceptable Use Policy it might just get you fired.
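One way to turn the traffic-analysis point above into a detection rule, as an added example (not code from the video or the commenter): it correlates a constructed DNS answer log with a constructed connection log and reports clients that open TLS sessions to a known DoH resolver, or to several addresses the local resolver never handed out. The log layout, the addresses other than 1.1.1.1/1.0.0.1, and the threshold are assumptions.

```python
"""Spot likely DNS-over-HTTPS use in flow logs: added example, not code from
the video or the commenter. A client opening TLS sessions to addresses it never
resolved through the network resolver is either using DoH or hard-coded
addresses. Both logs below are constructed, Zeek-like in layout; addresses are
documentation ranges apart from 1.1.1.1 / 1.0.0.1, which this page names."""
from collections import defaultdict

# Constructed DNS answer log: timestamp, client, queried name, answered address.
# At 1001 the client resolves its DoH endpoint's hostname via plain DNS (the
# bootstrap lookup), which is itself a useful signal.
DNS_LOG = """\
1000 10.0.0.5 www.example.com 192.0.2.80
1001 10.0.0.5 mozilla.cloudflare-dns.com 203.0.113.53
1002 10.0.0.7 intranet.corp.example 10.0.1.20
1003 10.0.0.9 www.example.com 192.0.2.80
"""
# Constructed connection log: timestamp, client, server, destination port.
CONN_LOG = """\
1004 10.0.0.5 192.0.2.80 443
1005 10.0.0.5 203.0.113.53 443
1006 10.0.0.5 198.51.100.9 443
1007 10.0.0.5 198.51.100.10 443
1008 10.0.0.7 10.0.1.20 443
1009 10.0.0.7 1.1.1.1 443
1010 10.0.0.9 192.0.2.80 443
1011 10.0.0.9 198.51.100.9 443
1012 10.0.0.9 192.0.2.80 80
"""
# DoH resolvers not permitted on this network: the public ones named on the
# page plus the constructed address returned for the Mozilla endpoint above.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "203.0.113.53"}

def parse_log(text):
    """Split a whitespace-separated log into rows of fields."""
    return [line.split() for line in text.splitlines() if line.strip()]

def resolved_addresses(dns_log):
    """Map each client to the set of addresses it learned via plain DNS."""
    seen = defaultdict(set)
    for _ts, client, _name, answer in parse_log(dns_log):
        seen[client].add(answer)
    return seen

def find_suspicious(dns_log, conn_log, min_unresolved=2):
    """Return {client: {"doh_resolver": [...], "unresolved": [...]}} for
    clients that talk TLS to a known DoH resolver, or to at least
    min_unresolved TLS destinations the local resolver never handed out."""
    resolved = resolved_addresses(dns_log)
    findings = defaultdict(lambda: {"doh_resolver": [], "unresolved": []})
    for _ts, client, server, port in parse_log(conn_log):
        if port != "443":
            continue
        if server in KNOWN_DOH_RESOLVERS:
            findings[client]["doh_resolver"].append(server)
        elif server not in resolved[client]:
            findings[client]["unresolved"].append(server)
    # A single unresolved destination is normal (answer cached before the log
    # window, CDN address learned elsewhere), so apply the threshold unless
    # the client contacted a DoH resolver directly.
    return {c: f for c, f in findings.items()
            if f["doh_resolver"] or len(f["unresolved"]) >= min_unresolved}
```

Plain DNS answers cached before the log window will show up as "unresolved", so in practice the DNS log should cover a longer period than the connection log.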
@Chris-bt4xj 5 years ago
Can't you just enable this feature by going into General settings --> Network settings, scrolling to the end and ticking that option in Firefox? Instead of having to go to about:config and network.trr.mode?
@StarFyodperor 4 years ago
I did it like that... But I am not sure if it really works...
@mydetlef 5 years ago
A big win for privacy? And a problem for companies? I do not think so. A company will simply lock the DNS port for everyone and provide its own DoH server. With that you can continue logging without problem which computer makes which requests and of course block connections. Then there are some drivers or redirects so that the old applications also use these DoH servers and all snoopers are satisfied. No matter if company or government.
@ItsQuintFX 5 years ago
Also in Firefox, you can enable DNS over HTTPS via the settings GUI: go to General, then all the way at the bottom under "Network Settings" click "Settings", and at the bottom of the new window you can enable it with just a click.
@oOTheCassiel 5 years ago
I read your comment, of course, after already doing it in about:config, but thanks :D
@ashishpatel350 5 years ago
Chinese government Spyware has left the chat
@ashleigh. 5 years ago
I can't wait for DNS over HTTPS and Encrypted SNI to be shoved in my government's (UK) face!
@RuEvEloll 5 years ago
Who cares about the Chinese? He can do nothing; he can't catch you and put you in jail.
@ashleigh. 4 years ago
@Eden Vladia Yeah it will. No company is gonna expose its encryption keys, they'd just move their servers out of the UK. So you use a DNS provider that doesn't have servers in the UK, then connect to whatever the UK deems as "bad" sites over TLS 3 (which ofc won't be operating in the UK due to their legality, thus no encryption keys).
@ashleigh. 4 years ago
@Eden Vladia That isn't what I said, I said you will be able to find one that doesn't. All it takes is 1, or hell, just host your own out of the country on a VPS. The point is it's a cat and mouse game the UK can't win.
@ashleigh. 4 years ago
@joselaw6669 Yup, I have my router set up so all clients send DNS queries over TLS, but Chrome still sends the SNI in plaintext right now, which is what the government uses to drop the connection.
@abdraoufx 5 years ago
Ohhhh, so this is different from DNS over TLS!? The DNSSEC protocol, port 55!! This is terrible news for DNS filtering.
@LiEnby 5 years ago
> This terrible news for dns filtering.
That's called good news.
@LiEnby 4 years ago
@Eden Vladia I kinda don't like DNS over HTTPS, since Firefox lets you just bypass it by blocking the DoH provider; the idea is to allow filtering to still work. *Why though, lol? Filtering is literally a MITM attack; if your goal is to "secure DNS" but still allow people to view DNS requests, your implementation is flawed...* An attacker could easily do it too, just block the same shit and the protection is useless. Plus it relies on normal DNS anyway, so you can still potentially attack it.
@LiEnby 4 years ago
@Eden Vladia I don't see how you can allow for filtering but not also allow an attacker to use that 'feature' for malicious use.
@steverhysjenks 5 years ago
You mention issues of ad blocking. You can run Pi-hole with DoH upstream to cloudflared and it works great.
@PC-hp6gz 4 years ago
Just done this myself recently and it is fine at network level. Anything that connects through my network uses DoH, no need for browser extensions.
@rfi-cryptolab4251 4 years ago
This can also be done at the router level so you can still inspect traffic and maintain content controls.
@nikolaysedletskiy5076 5 years ago
Thanks Tom for covering such an interesting topic!
@elv_on 5 years ago
With Firefox ESR, admins can block about:config in group policy.
@fss1704 5 years ago
elv, a USB drive plus a chroot and you're set.
@MajesticBlueFalcon 4 years ago
@fss1704 Admins can block use of USB drives via GPO.
@fss1704 4 years ago
@MajesticBlueFalcon They could try, but that only works if you're a loser; even the NSA gets hacked and they have stricter policies than this.
@fss1704 4 years ago
@MajesticBlueFalcon The GPO doesn't work when the computer is booting.
@fss1704 4 years ago
@MajesticBlueFalcon The GPO doesn't work when you have access to the SYSTEM account.
@ironconquest87 5 years ago
BYOD might be an issue for schools and content filtering when this becomes used more frequently. Tough to make students install certs on their own devices to get on a guest network.
@andljoy 5 years ago
Yeah, people will have to educate and supervise children properly on the internet! That is why I am against all the blocks on the internet in the UK from the "would someone think of the children" crowd. Err, you don't need the government or ISPs to look after your kids; you should do it yourself :)
@ironconquest87 5 years ago
True - parents should be keeping a close eye on what their kids do at home. And while I do agree that students should be given some latitude to learn digital citizenship skills, here in the US public schools have to comply with federal regulations like CIPA, otherwise we miss out on much-needed funds. It's also tough to pass it solely over to teachers as a classroom management practice; faculty and tech staff have to work together to make sure kids stay on task at school.
@fss1704 5 years ago
Hmm... very fucking interesting idea to let your ISP install certificates that let them do MITM, as if that shit couldn't be hacked.... Fucking lord, they might as well ask for your bank password, Facebook and Google passwords, and whatever the shit they like.
@LiEnby 5 years ago
lol, if it makes shit harder for retards who want to censor the internet because "think of the children", then it's a great addition, haha. My school already asked every student to install an SSL certificate; of course I didn't do this. Honestly it's even worse because most students have no idea what it even means. Ugh, why not just ask them to install spyware, lmfao.
@Tntdruid 5 years ago
I stay with my own locally hosted Unbound DNS 😁
@RobinCawthorne 5 years ago
This is great for privacy. But it seems like there's potential for things to go pear shaped as well. Hopefully cloudflare will honour their code of conduct for all eternity. I mean, they could end up like Google and just resell the statistics from all our queries to the highest bidder. That's the pessimist in me. 🤔
@Scarjit 5 years ago
That's exactly why DoH is NOT privacy friendly at all.
@shutterassault1 5 years ago
Yeah, seems like we are putting too much power on Cloudflare, or Google, etc. Of course if Google has stats from this they will sell it.
@joshhardin666 5 years ago
Many of my network configurations rely on having the router (in my case pfSense) add DNS entries for local devices that are inaccessible from the internet, which I would not want to add to a world-authoritative DNS server (such as internal IPs for printers, NAS, and other business devices that don't need direct external access). If browsers are configured to use an external DNS server over HTTPS, they won't be able to do lookups for internal resources. Given these constraints, is it feasible for clients to be configured to use DoH to connect to the local pfSense router and also have the local router connect upstream via DoH? Further, is there any performance difference between typical DNS and DoH? Given how much DNS activity there is, I'm thinking that there could be an additional DDoS issue if it's significantly heavier per request. Could someone please link me to some good documentation for this so I can try it out? Thanks!
@dom1310df 5 years ago
Could you configure your DHCP server to set a local DNS server for the clients, and then have DoH between that DNS server and Google?
@jamalkhan815 5 years ago
Awesome thank you Sir!!!
@1nfinitReality 5 years ago
In even a small AD environment you can use a combination of GPOs and blocking Google's QUIC at the firewall and I've effectively negated any effect from this on my networks.
@autohmae 5 years ago
Why would you block QUIC?
@1nfinitReality 5 years ago
@autohmae Google Chromebooks and phones will send DNS requests via QUIC.
@Anon-tj7qb 5 years ago
I've been doing this with dnscrypt for a couple of years already and I have it working system-wide. You don't really need an extension or to set it up in the browser.
@inforobob 5 years ago
NoSync appears to continue to work with DoH turned on so this is good.
@fbifido2 5 years ago
With pfSense, can you block IP addresses on port 443? @6:39 you show the DoH connection; can we block the connection to the DoH provider? It's still TCP/IP; even if you can't see inside, you can still tell whom you connected to, yes? Can pfSense do a reverse IP lookup on that list? Most sites have a static IP or a range of static IPs.
@fss1704 5 years ago
fbifido fbifido until you run your own server and the whole thing goes to shit.
@wburham 5 years ago
DoH on Firefox can easily be defeated if the network has DNS hijacking or the network has OpenDNS filtering turned on.
@LiEnby 5 years ago
Set the trr mode to 3. It will *always* use DNS over HTTPS.
@wburham 5 years ago
@LiEnby Thank you, I've tested this on my network and it works perfectly.
@mmobini1803 4 years ago
Thank you Tom
@craven3190 5 years ago
First of all, great channel. If DNS is not blocked, will Firefox still use the setting?
@LAWRENCESYSTEMS 5 years ago
My guess would be it's hard coded.
@NicholasMaietta 5 years ago
Run your own resolver with your own rules.
@miaudottk9080 5 years ago
How could the Chinese track traffic through their firewall: use one of the Chinese trusted root CAs to establish a man in the middle for all DNS requests originating from their country. I'd be surprised if they're not using something similar right now to intercept regular HTTPS traffic. From a technical point of view it'd be achievable: build some ASICs to handle the encryption and use regular CPUs to control and log traffic.
@mika2666 5 years ago
So what's the difference between DNSSEC and DNS over HTTPS?
@berndp3426 4 years ago
China dislikes: ESNI and DNSSEC in place, along with TLS 1.3 - and they now block it already. Because all this will sooner or later prevent them (except for a compromised browser) from checking what their people are browsing by the use of a simple firewall. The next step as an answer to these techniques might be: users are presented with an online browser (meaning no machine-based browser might even work anymore; users would have to use an online portal - session-individual, so they can use it for online shopping - for browsing the web). This is then what I call entirely government-controlled web traffic.
@maynnemillares 4 years ago
Good for the end user, but a gigantic headache for system administrators.
@unguidedone 5 years ago
Wow, you did a good job on this video.
@asbestinuS 5 years ago
Chinese government: No problem. Just turn off internet access then.
@ejonesss 5 years ago
What if we could do FTP, HTTP and torrent downloads over ICMP (Internet Control Message Protocol)? Then ISPs could not throttle our downloads, because they would never dare try to throttle ICMP packets, otherwise ping and traceroute would fail. Can DoH be implemented at a proxy or VPN level, giving protection to everything connected? We (or I) don't care if the protection ends at the localhost 127.0.0.1 level, unless you have a state-mandated firewall like "Green Dam". I think Green Dam is the Chinese state-mandated firewall that was supposed to live on the device.
@pcuser80 5 years ago
Installed the Linux DoH Cloudflare proxy.
@shady4tv 5 years ago
Oh boy! A double Diffie!
@sethwilliamson 5 years ago
How would you rate this compared with running your own resolving DNS + DNSSEC? I get that DoH is designed for client resolution, not DNS to DNS traffic, so in many ways I'm asking you to compare apples to oranges. From the perspective of the traffic seen outside your local network though, when weighing concerns for privacy, speed, man-in-the-middle resistance, block resistance, etc. The privacy of DoH seems like it has a lot of gains with one remaining (massive) hole. At the end of the day, you are still trusting the DNS service provider to respect your privacy and not data mine it and not freely hand over traffic data to 3rd parties including governments, advertisers, etc. That's not to say the pros don't outweigh the cons. I'm a huge advocate of encrypting net traffic and this is a huge step forward for privacy. I'm just saying it seems prudent to be aware of what you're getting and more importantly, who still has eyes on you. Just like a commercial VPN service, there's still at least one entity that can see your traffic. Sadly, DNSSEC isn't designed with privacy in mind. It is signing, not encrypting. I find myself legitimately torn between which I want to run.
@CoreyThompson73 5 years ago
DNS over TLS is a much better solution than over HTTPS; keep it a system thing, not a browser thing, and keep local network DNS (oTLS) recursors to preserve the robustness of the hierarchical DNS system. Also remember the "personal" information being sent over DNS is literally just the domain names, NOT the URLs, protocols used, etc., so the amount of privacy it gains you compared to securing other payloads is pretty minimal.
@autohmae 5 years ago
Lots of people are using Google DNS, this would be as safe as using Google DNS, but with added privacy.
@raymondfb 5 years ago
Great video.
@jordantekelenburg 5 years ago
What if you block the HTTPS DNS server?
@chrismallia29 5 years ago
They would have to start using web filters like Untangle, as it uses the SNI, till they encrypt that also lol
@autohmae 5 years ago
Firefox already has the code to encrypt SNI with Cloudflare. I think. They have a proposal on the Cloudflare blog.
@chrismallia29 5 years ago
@autohmae Thanks for the info. NGFW firewalls are becoming more and more worthless due to encryption and cert pinning.
@billfisk3323 5 years ago
OK, I may come off as an idiot here, but couldn't you lock down your firewalls to force all HTTP and HTTPS traffic to traverse your filtering program of choice? I guess you might still need to deploy certificates for HTTPS.
@0M9H4X_Neckbeard 5 years ago
We already inspect HTTPS, so I'm not expecting this to have any impact.
@svettnabb 5 years ago
Inspecting HTTPS using what cryptographic protocol? TLS 1.3? Inspecting and stripping are two different things as well; there will always be metadata. But inspecting metadata doesn't yield as much useful information for a UTM or a MITM attacker.
@Anon-tj7qb 5 years ago
@svettnabb If they work for a security company, you can do user-mode and kernel-mode hooking on the functions before the data is encrypted and after it has been decrypted on the way back to the machine. Also you can install certificates on all said machines and decrypt over the wire, which takes more hardware but is possible. So yeah, SSL inspection is possible and is already being done.
@svettnabb 5 years ago
Anon 123 - inspecting traffic on the endpoint doesn't need decryption, since the endpoint already has access to the data in decrypted form. Behavior analysis is the way to go on the endpoint, as well as traffic inspection, but decryption is moot. Out-of-band decryption won't work effectively in TLS 1.3; that is just by design.
@LiEnby 5 years ago
Inspecting HTTPS requires control over the device making the connections; that's the difference. This gives the power back to the USERS :D
@bgood7551 5 years ago
This will be an issue for places like schools and churches. Same goes for parents that want to block adult content for their kids and guests.
@fss1704 5 years ago
B L Good problems for censoring fascists... yeah, go on DoH!
@fss1704 5 years ago
B L Good no church can compete with an invisible power that actually works
@LiEnby 5 years ago
Aww, boo hoo, the people who want to censor the internet won't be able to. So sad.
@thefirehawk1495 4 years ago
DNS over HTTPS is ridiculous, as it wastes resources and affords 0 extra privacy. The logs for whoever wants to track you are going to look like the logs you've shown us, a lot of 443 traffic; just put a simple algorithm in place looking up those IPs and you have the domain name. Done, you now know as much as you did before, as if the person wasn't using DoH. The only thing this protects are DNS queries you make without intending to visit the site, which is useless. If you want better privacy, use a VPN or Tor; there's currently no other way.
@kolt9307 5 years ago
Just to clarify, setting my DNS on pfSense to 1.1.1.1 and 1.0.0.1 has the same effect, right?
@CoreyThompson73 5 years ago
Not really, DoH is encapsulating the DNS request in an HTTP layer and then getting the response in an HTTP response. I don't believe pfSense does DoH right now.
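To make "encapsulating the DNS request in an HTTP layer" concrete, an added example (not the video's or the commenter's code) that builds the RFC 8484 GET form of a DoH query and parses a constructed application/dns-message response; the endpoint URL and the sample answer are assumptions.

```python
"""DNS-over-HTTPS wire format (RFC 8484) in miniature: added example, not code
from the video. Builds the GET form of a DoH query and parses a constructed
application/dns-message response. Endpoint URL and answer are placeholders."""
import base64
import struct

DOH_ENDPOINT = "https://doh.example.test/dns-query"  # placeholder resolver URL

def build_dns_query(name, qtype=1, txn_id=0):
    """DNS wire query: 12-byte header + one question. RFC 8484 suggests ID 0
    so identical queries stay identical for HTTP caches."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(name):
    """GET form: base64url of the raw message, padding stripped, in ?dns=."""
    raw = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return f"{DOH_ENDPOINT}?dns={raw.decode('ascii')}"

def decode_dns_param(url):
    """Resolver side of the GET form: recover the DNS message from the URL."""
    param = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_a_records(msg):
    """IPv4 addresses in the answer section of a DNS response; [] on error."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
        return []
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = parse_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = parse_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs

# Constructed resolver response (an HTTP 200 body): echoed question, then one
# A record whose owner name is a compression pointer back to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_dns_query("www.example.com")[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 80]))
```

The POST form sends the same raw message as the request body instead of in the URL; either way, on the wire a filter sees only a TLS session to the resolver.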
@kolt9307 5 years ago
Corey Thompson thanks for the reply
@sherifsafwats 5 years ago
It can be blocked by using the Squid proxy on pfSense, even without installing a certificate on the client machine; I did it and it worked.
@fss1704 5 years ago
Sherif Safwat until more servers appear... yeah...
@fss1704 5 years ago
Sherif Safwat good luck blocking Google though.
@sherifsafwats 5 years ago
@fss1704 It works fine with any HTTPS traffic, in transparent mode, with HTTPS/SSL Interception on and SSL/MITM Mode set to "splice all".
@brianz5583 5 years ago
The reason Google and Firefox are doing this has nothing to do with security; they are doing it to make it harder to filter ads.
@shutterassault1 5 years ago
Exactly
@fss1704 5 years ago
Brian Z they damn well should.
@LiEnby 5 years ago
Google and Firefox both have ad-blocking extensions in their extension "store".
@theohallenius8882 5 years ago
I have an idea: how about DNS over NSA? xDD
@ramosel 5 years ago
You're in Wayne County.... how Punk of you!!
@sheevpalpatine7223 4 years ago
Wait so you're telling me that it gives me more privacy and my ISP hates it? Where the actual fuck do I sign up?
@ajc0372 5 years ago
Do you still need to use a VPN?
@littlejason99 5 years ago
While I'm all for privacy, this will really balloon bandwidth usage along with lots of other side effects.
@thorstenebers2862 5 years ago
It also makes the web more insecure, because you might now get to dangerous websites, or exploits getting loaded, etc. I think in future we need to get to use more Tor networks.
@ItsQuintFX 5 years ago
RIP Pi-Hole?
@Ressy66 5 years ago
Well, Firefox would first need to look up the mozilla.cloudflare... name in DNS, so how about:

zone "cloudflare-dns.com" {
    type master;
    notify no;
    file "empty";
};

empty:
$TTL 3600
@   IN  SOA ns.xxxxxxxx. abuse.xxxxxxxx. ( 999 10800 10800 259200 3600 )
    NS  ns.xxxxxxxxxx.
    TXT "This domain is forged in local DNS to protect from known malware/viruses."

I don't run the latest Firefox, so those values are not in my version of the browser; looks like I won't be updating it either ;)
EDITED: PS Yes, I know this might eventually turn into a game of whack-a-mole.
@georgedomse 5 years ago
Unless the IP of cloudflare is static or is within a range that has been defined and 'hardcoded' in Firefox. No need to look it up then, just connect to that range. Should the range change, just push out a Firefox update.
@Ressy66 5 years ago
Yeah, a whack-a-mole game then, with ACLs on border routers. I wonder if there is a fallback to system DNS if it can't connect to Cloudflare etc.
@LLCoolPass 5 years ago
TLS is better. Duh