Bitcoin Forum
Author Topic: DNS over HTTPS  (Read 394 times)
Vod (OP)
Legendary
Activity: 3682
Merit: 3052
Licking my boob since 1970
November 08, 2019, 08:25:39 PM
 #1

DoH! Will this be the end of Cloudflare? How will this forum and other websites handle DDOS attacks?

BitcoinGirl.Club
Legendary
Activity: 2758
Merit: 2711
Farewell LEO: o_e_l_e_o
November 08, 2019, 08:28:04 PM
 #2

Quote
DoH! Will this be the end of Cloudflare? How will this forum and other websites handle DDOS attacks?
What is happening? I really do not like this cloudflare thing.
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.

Lauda
Legendary
Activity: 2674
Merit: 2965
Terminated.
November 08, 2019, 08:33:11 PM
 #3

Quote
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.
I really hope that this is a joke gone wrong.

DoH is long overdue, but unfortunately has many downsides that weren't remedied properly. It's all good though, 99.9% of you guys are sheep.
Note: Good read, if you're interested in malware that uses DoH.

ibminer
Legendary
Activity: 1814
Merit: 2727
Goonies never say die.
November 08, 2019, 08:41:53 PM
 #4

Maybe I haven't researched this enough but why wouldn't CloudFlare be capable of handling DoH?
https://developers.cloudflare.com/argo-tunnel/reference/doh/

suchmoon
Legendary
Activity: 3654
Merit: 8909
https://bpip.org
November 08, 2019, 08:50:05 PM
 #5

IIRC Cloudflare provides the DNS service for Mozilla's half-assed centralized DoH implementation so I'm sure NSA will still be able to track everything you do on teh intertubes just fine.
Lauda
Legendary
Activity: 2674
Merit: 2965
Terminated.
November 08, 2019, 09:05:46 PM
Merited by Vod (1)
 #6

Quote
IIRC Cloudflare provides the DNS service for Mozilla's half-assed centralized DoH implementation so I'm sure NSA will still be able to track everything you do on teh intertubes just fine.
Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

suchmoon
Legendary
Activity: 3654
Merit: 8909
https://bpip.org
November 08, 2019, 09:08:47 PM
Merited by ibminer (1)
 #7

Quote
Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

I got nothing to hide. I don't have any life outside of this forum anyway:

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.
ibminer
Legendary
Activity: 1814
Merit: 2727
Goonies never say die.
November 08, 2019, 10:27:35 PM
 #8

Quote
Modify your VPN software to enforce a strict DNS policy and use their DNS only (if available).

I got nothing to hide. I don't have any life outside of this forum anyway:

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.


Ok, a bit off topic but damn, that blows my total time logged in out of the water lol. Out of the 2,107 days you've had an account, you've spent almost half of it logged into the forum.  Shocked  
I spend a good chunk of time reading while not logged in though so I guess mine is not really an accurate representation of actual time I've spent visiting the forum, at least.. but you make me feel like a newbie.



.. I can't touch that.  Grin


(To keep this somewhat on topic.. MC hammer is Lauda trying to run from CloudFlare/NSA. Cheesy)

suchmoon
Legendary
Activity: 3654
Merit: 8909
https://bpip.org
November 08, 2019, 11:03:01 PM
 #9

Quote
Out of the 2,107 days you've had an account, you've spent almost half of it logged into the forum.  Shocked

To be fair, I'm pretty sure the number is bogus. It increased by 4 days since Wednesday. Even accounting for the fact that I run some scrapers under my login, this doesn't make any sense. It's likely that my logged-in time will EXCEED my total account age at some point.
TryNinja
Legendary
Activity: 2814
Merit: 6971
November 08, 2019, 11:13:00 PM
 #10

Quote
To be fair, I'm pretty sure the number is bogus. It increased by 4 days since Wednesday. Even accounting for the fact that I run some scrapers under my login, this doesn't make any sense. It's likely that my logged-in time will EXCEED my total account age at some point.
Do you usually open more than one tab of the forum? The time increases by the number of tabs you have open, so if you have 60 open, it goes up 1 minute per second. It's not that accurate.

Vod (OP)
Legendary
Activity: 3682
Merit: 3052
Licking my boob since 1970
November 08, 2019, 11:35:17 PM
Last edit: November 09, 2019, 02:13:41 AM by Vod
 #11

Quote
Total time logged in: 1004 days, 4 hours and 23 minutes.

My profile scraper:
Total time logged in: 1070 days, 4 hours and 21 minutes

Bitsky
Hero Member
Activity: 576
Merit: 514
November 09, 2019, 08:55:26 AM
Merited by DooMAD (2), ABCbits (1), PrimeNumber7 (1), psycodad (1)
 #12

Quote
What is happening? I really do not like this cloudflare thing.
Somewhere I read theymos is too lazy to code a script that will save us from DDOS without cloudflare, my memory is not serving me well though.
You cannot just write a script to stop a DDoS. If it was that easy, every CMS system and OS would have it already implemented. DDoS works mostly by saturating your uplink; while a script on a server can still filter requests, it cannot reduce traffic before it reaches that server.

Quote
DoH is long overdue, but unfortunately has many downsides that weren't remedied properly. It's all good though, 99.9% of you guys are sheep.
It only has downsides.
1. Supporters say that it stops your ISP from snooping, but DoH would concentrate 99.9% of all requests at Cloudflare. If you do not trust your ISP, why trust Cloudflare? Because they promise not to spy? Yeah, sure.
2. Since DoH is just an HTTP request, every piece of software/malware can contact its own hardcoded resolver and ignore system DNS settings. That's a bullet into the head for most DNS based adware/malware filters. Yes, you can define your own resolver in Firefox, but how many average people will do that? Right now you block udp/tcp port 53 to stop access to resolvers except those you allowed.
3. If it were really about securing DNS with encryption, Mozilla/Google/et al would support DoT, which is already defined in RFC7858 and would smoothly integrate into current networks instead of risking breaking a core functionality of the Internet.
4. DoT provides the same security as DoH, and still leaves users all the filter/blocking options DNS currently has. You would only enforce DoH if you want all user data concentrated at a single point, ripe for analysis, profiling, censorship, tracking and spying. There is no reason to trust Cloudflare more than your ISP, so the trust argument is entirely void.

theymos
Administrator
Legendary
Activity: 5180
Merit: 12884
November 09, 2019, 01:05:43 PM
Merited by Foxpup (6), ABCbits (2)
 #13

This isn't a Meta issue... DoH is unrelated to Cloudflare's DDoS protection service.

I can understand why Firefox etc. are doing it. ISPs have a history of screwing up / tampering with DNS; networks & operating systems often have DNS misconfigured; and Microsoft isn't going to fix anything at the OS level. So for the average user it's going to improve the experience.

But it's giving Cloudflare (ie. a probable NSA honeypot) an unprecedented level of data on users and websites, and also an unprecedented level of control. Cloudflare will be able to take down or redirect sites unilaterally now, only having to fear getting removed by Firefox as a result. Everyone uses ICANN's root servers because everyone else uses ICANN's root servers. If everyone starts to use Cloudflare, then Cloudflare becomes the new ICANN in practice.

Hopefully Tor isn't stupid enough to enable this in Tor Browser, since that'd allow for pretty trivial traffic analysis by Cloudflare, and you wouldn't be able to disable it without highlighting yourself as one of a few people behaving oddly.

It's really a demonstration of the failure of the Internet on a technical level. The Internet is decades of dirty hack on top of dirty hack, and now we're ending up with a world where the only easy way to get things working decently is "just put literally everything on Cloudflare". Very dangerous. The whole structure of the Internet needs to be rethought.

I agree with the idea of moving away from ISP resolvers and traditional port-53 DNS. It sucks. Though ideally it'd be done at the OS level, and in any case you can do a lot better than DoH, yet another dirty hack. For example, it probably wouldn't slow things down much for Firefox to just act as a recursive DNS resolver. That'd be maximally decentralized. Or you could at least use a private information retrieval protocol in order to rely on a single resolver like Cloudflare without actually giving them any information, and have the resolver also provide the full chain of DNSSEC authentication for every query answer.

ibminer
Legendary
Activity: 1814
Merit: 2727
Goonies never say die.
November 09, 2019, 03:12:25 PM
 #14

Quote
This isn't a Meta issue... DoH is unrelated to Cloudflare's DDoS protection service.

I'd think anything DNS-related is unrelated to a DDoS attack, in general.. not just CloudFlare. Unless the DDoS is targeting a DNS server with resolutions in an attempt to overwhelm it, they are typically attacking one or more IPs with some form of traffic and don't really need a DNS server at all. Might be why the thread started derailing. Tongue

If we're going to discuss DoH in general, it doesn't seem to me it is really protecting anyone from being tracked by ISPs or middle-men, if that's what the point of this is supposed to be. Outside of something like Tor, once this encrypted resolution is complete, you would still be connecting to a public IP address that could be tracked and identified potentially using RDNS or just a DB that is kept which conducts regular resolutions on domains they may want to monitor, and stores the IPs to cross-reference.

I don't think it is ever a good idea adding an additional point of failure for a DNS resolution inside of a browser, as I'd think this could negatively affect a user's experience within the browser if CF is having issues. I don't quite understand why DoT isn't more of an accepted solution in the situation.

100bitcoin
Sr. Member
Activity: 860
Merit: 423
November 09, 2019, 04:46:53 PM
 #15

This DoH thing appears to be new to me. Can anyone please provide an ELI5?

retweeting
Jr. Member
Activity: 58
Merit: 2
November 09, 2019, 04:48:04 PM
Merited by 100bitcoin (2)
 #16

Quote
This DoH thing appears to be new to me. Can anyone please provide an ELI5?

https://developers.cloudflare.com/1.1.1.1/dns-over-https/
Chris Barth
Member
Activity: 569
Merit: 88
Credibility: 999
November 09, 2019, 05:39:58 PM
 #17

This, as I believe, isn't the end of Cloudflare.
Though I understand that increasing bandwidth won't prevent these attacks, I've come to see that it helps give some extra minutes before resources are completely claimed by the attacks.

Bitsky
Hero Member
Activity: 576
Merit: 514
November 10, 2019, 09:04:16 AM
Merited by suchmoon (4)
 #18

Conveniently, they do not mention that DoH does nothing for your privacy when someone can monitor your traffic.

Let's assume you used DoH to resolve a domain to its IP. Now you can be happy because your ISP (or any middlemen) cannot see where you go, right?

Wrong.

1a. If the target website has a dedicated IP, the bad guys can try a PTR lookup for the domain name,
Code:
dig +short -x 1.1.1.1

1b. or just check the certificate for the domain names it is valid for:
Code:
echo | openssl s_client -connect 1.1.1.1:443 2>&1 | openssl x509 -noout -text | grep 'DNS:'

2. If the target website is a virtual host (shares the same IP with other websites) then the bad guys just have to watch the traffic, because in order to offer the correct certificate, the server first needs to know where you want to go. And because you cannot have a TLS session without the certificate, your client sends out the server_name in plain over HTTP first to tell the server which certificate to send back.

3. Thanks to OCSP (not stapled), the browser will send a request to the CRL-URL of the CA via HTTP (not HTTPS) so it can be seen in plain text in your traffic.

4. If you use Firefox, the bad guys just need to reply to a DNS query for use-application-dns.net with NXDOMAIN to disable DoH (for now).

So, to sum it up, you get no additional privacy, but less. Having 99.9% of all DNS requests centralized will sooner or later get the attention and interest of not only data-analysts and advertising networks, but also governments.

DoH theoretically protects you from forged replies, but only if you really trust Cloudflare. However, DNSSEC was specifically designed to let the zone-master sign the reply and is already fully functional and available.

Artemis3
Legendary
Activity: 2016
Merit: 1563
CLEAN non GPL infringing code made in Rust lang
November 12, 2019, 11:28:55 PM
 #19

Quote
DoH! Will this be the end of Cloudflare? How will this forum and other websites handle DDOS attacks?

DNS resolution has nothing to do with DOS attacks. It's simply hiding your DNS requests from your ISP and other middlemen; the site you connect to still gets your IP. Are you not confused with Tor? This is not the same thing.

And yes, browsers seem to be integrating this, and you can already manually change your DNS to use the safer ones.

The controversy is that DNS resolution was managed by ISPs or local network admins and this new trend is removing that entirely.

Oh, and Cloudflare is one of those offering "public" (secure) DNS resolution services. Rest assured, only they will collect your resolution history, not your ISP or your government.

If you are on Linux (many OSes are supported), you can do this at the OS level using dnscrypt-proxy and cherry-pick the type of servers you trust. It can serve your LAN and it caches too, very nice.
