Centrality of DNS article and DoH/DoT to root resolvers

I’m not sure if this really belongs here, but given the nature of privacy-oriented discussion that often occurs, I believe it would be of some interest to many folks here. This is a discussion of the nature of the centrality of publicly available DNS resolvers, many of which are offering DoH and DoT:

For a while, I was running my own resolver that only had the root hint addresses available to it. Initially lookups were slow, but once the results were cached, it seemed to be fairly speedy. I would be assured that I should be getting the correct results from the authoritative servers within some margin of error/expectation.

However, these DNS queries happen on an easily filterable port with the data in the clear. This pushed me to start using DoT, which I currently use, so that my queries would no longer be loggable by my ISP, but also to prevent my ISP from polluting my DNS results through packet filtering and manipulation.

Has anyone heard of any movement where authoritative servers provide their data over DoH/DoT so that one could build their own resolver outside of interference by ISPs and not have to rely on main central open resolvers like Cloudflare or Google?


Yes, that is a nice article, I read it yesterday.

First, it’s not just about the root servers. In particular, the root zone itself is small and changes infrequently (has high TTLs), so there are ways to have all of it locally – we implemented one such as well.

After asking root servers, the iterating resolver asks the TLD servers (for cz, org, com, etc.), and then it goes at least one level deeper. All of these layers would need to support encryption, and this isn’t standardized yet – in particular the ways of signalling (non-)support and establishing trust, though I daresay there’s a clear consensus on DNS-over-TLS. There was a pilot project between Cloudflare and Facebook, and the corresponding IETF workgroup re-chartered to also target encryption towards authoritative servers, but… not much is happening currently. I suspect too much attention is stolen by the recent heated topics around the application/stub end, usually related to DNS-over-HTTPS (example).

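As an added illustration of the three delegation layers described in the reply above (root, TLD, then the zone itself), here is an offline simulation of iterative resolution from root hints. It is not code from the thread or from any resolver project; every address and zone record in it is constructed (RFC 5737 documentation ranges, `.test` names). It records which query name each hop observes, and goes one step beyond the text by also showing the effect of QNAME minimisation (RFC 7816), which limits what the upper layers see but changes nothing about the fact that each hop is a separate query to a different server.

```python
"""Offline simulation of iterative resolution starting from root hints.

Added example, not code from the thread. All addresses and zone contents are
constructed (RFC 5737 documentation ranges, .test names). It models the three
delegation layers named in the reply (root -> TLD -> the zone itself) and
records which query name each server observes, with and without QNAME
minimisation (RFC 7816).
"""

ROOT_HINTS = ["192.0.2.1"]  # constructed stand-in for the root hints file

# server address -> records it serves: owner name -> list of (type, rdata).
# NS records here are parent-side delegations; A records beside them are glue.
ZONES = {
    "192.0.2.1": {  # root server: delegates org
        "org.": [("NS", "a0.org-servers.test.")],
        "a0.org-servers.test.": [("A", "192.0.2.2")],
    },
    "192.0.2.2": {  # org TLD server: delegates example.org
        "example.org.": [("NS", "ns1.example.org.")],
        "ns1.example.org.": [("A", "192.0.2.3")],
    },
    "192.0.2.3": {  # authoritative for example.org
        "www.example.org.": [("A", "198.51.100.7")],
        "ns1.example.org.": [("A", "192.0.2.3")],
    },
}


def suffixes(name):
    """All ancestors of a name, longest first, ending with the root '.'."""
    if name == ".":
        return ["."]
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts))] + ["."]


def authoritative_query(server, qname, qtype):
    """Simulated authoritative server: returns an answer, a referral, or None."""
    zone = ZONES[server]
    for suffix in suffixes(qname):
        rrs = zone.get(suffix, [])
        ns = [r for t, r in rrs if t == "NS"]
        if ns:  # a delegation covers qname: refer the resolver downwards
            glue = {n: r for n in ns for t, r in zone.get(n, []) if t == "A"}
            return {"referral": suffix, "ns": ns, "glue": glue}
        if suffix == qname:
            data = [r for t, r in rrs if t == qtype]
            if data:
                return {"answer": data}
    return None


def resolve(qname, qtype="A", minimise=False, max_hops=10):
    """Iterate from the root hints to an answer.

    Returns (rdata list, observations); observations is the ordered list of
    (server, query name) pairs, i.e. what each hop could log or tamper with.
    """
    servers = list(ROOT_HINTS)
    zone_cut = "."  # zone the current servers are authoritative for
    observed = []
    for _ in range(max_hops):
        if minimise:
            # Ask only for the next label below the known cut, type NS, until
            # the full name is reached (RFC 7816 style).
            chain = suffixes(qname)
            idx = chain.index(zone_cut)
            ask = chain[idx - 1] if idx > 0 else qname
            ask_type = qtype if ask == qname else "NS"
        else:
            ask, ask_type = qname, qtype
        server = servers[0]
        observed.append((server, ask))
        resp = authoritative_query(server, ask, ask_type)
        if resp is None:
            return [], observed
        if "answer" in resp:
            return resp["answer"], observed
        # Referral: follow glue. Glue-less NS names would need a nested
        # resolution, which this toy does not simulate.
        zone_cut = resp["referral"]
        servers = [resp["glue"][n] for n in resp["ns"] if n in resp["glue"]]
        if not servers:
            raise NotImplementedError("glue-less delegation not simulated")
    raise RuntimeError("too many hops")


if __name__ == "__main__":
    for flag in (False, True):
        rdata, seen = resolve("www.example.org.", minimise=flag)
        print("minimise=%s -> %s" % (flag, rdata))
        for server, name in seen:
            print("  %s saw %s" % (server, name))
```

Running it shows that without minimisation every hop (root, TLD, zone) sees the full `www.example.org.`; with minimisation the root sees only `org.` and the TLD only `example.org.`. Either way, each query is a distinct message to a distinct server, so encrypting the stub-to-resolver leg alone leaves all of these hops in the clear on the resolver's uplink, which is the gap the reply points out.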

Whilst encryption, at least as of TLS version 1.3, is currently deemed relatively safe from 3rd-party content snooping/manipulation, there is no way to prevent the ISP from profiling/filtering/blocking DoT or DoH traffic, or any other traffic (pattern) for that matter.

Lucky enough if one gets a liberal ISP/legislation that does not interfere with the user’s DNS business. Unlucky if one does not.

With the right DPI tools any traffic can be profiled/blocked, never mind whether encrypted/encapsulated.

I could see how they would filter or block the packets, but I’m not sure how they could profile you unless they can read what DNS you’re looking up. Part of the reason to capture your DNS is that it’s much less resource intensive than watching where you actually go.

I don’t think most ISPs care where you go, except to sell your data. If it costs them more to collect your data than it does to sell it, they won’t do it. ATM, I suspect saving that information by means more complicated than DNS logging (or some sort of cookie) might be too costly. But that’s just a guess on my part.

I believe this only applies to the default behavior of browsers and wouldn’t likely affect one’s own resolver infrastructure like I’m describing here.

If someone is really interested in where I go and what I do online, there’s not much that can be done to stop that. Also, if they’re really that interested, I likely have more problems than just trying to keep my activity from 3rd party advertisers.

Yes, it’s just about the default, at least in the case of Firefox (as announced). Explicit choice of DoH will avoid the canary. Overall the discussion is mainly about defaults, as the vast majority of users stay with defaults, and it’s also a harder problem (informed consent, etc.).