By Cal Jeffrey on September 30, 2019, 11:22 AM
In brief: Both Google and Mozilla want to update their browsers to encrypt your web traffic at the DNS level. They say it would give users more privacy and control over who sees their web habits. But internet service providers don't want to be locked out of this information and want US lawmakers to prevent it.
Moves by Google and Mozilla to encrypt domain name requests are raising concerns among internet service providers and, in turn, Congress. According to The Wall Street Journal, the US House Judiciary Committee has launched a probe into Google's upcoming implementation of DNS over HTTPS in its Chrome browser.
The search giant maintains that it is adopting the technology to thwart the spoofing of domain names and spying by malicious parties. Internet service providers are concerned that this will give Google an “unfair” advantage by shutting them out of users’ browsing data, which they use for targeted advertising. So ISPs have petitioned Congress to investigate the matter on antitrust grounds.
On September 13, the Judiciary Committee sent a letter to Google, asking if it would use the encrypted data for commercial purposes. While the company has yet to respond, it has maintained all along that the move would give consumers more control over who uses and shares their browsing data. It also contends that it will not force people to use encrypted DNS.
On September 19, a coalition of ISPs sent a letter to Congress voicing concerns that the protocol would centralize Google as the primary DNS lookup provider, virtually shutting out competition.
“Because the majority of world-wide internet traffic…runs through the Chrome browser or the Android operating system, Google could become the overwhelmingly predominant DNS lookup provider, Google would acquire greater control over user data across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries.”
The ISP group wants lawmakers to block Google’s implementation of the technology.
The EFF backs the use of DNS over TLS and DNS over HTTPS, saying that unencrypted DNS is the last big security gap on the internet. However, it too has concerns regarding centralization, suggesting broad deployment that includes ISPs as the solution.
“To avoid having this technology deployment produce such a powerful centralizing effect, EFF is calling for widespread deployment of DNS over HTTPS support by Internet service providers themselves,” said the foundation. “This will allow the security and privacy benefits of the technology to be realized while giving users the option to continue to use the huge variety of ISP-provided resolvers that they typically use now.”
Google is planning a slow rollout with about one percent of its Chrome browser users receiving the protocol in October. Likewise, Mozilla is implementing it similarly in Firefox in a few weeks, with plans of having it thoroughly in place by the end of the year.
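What "encrypting DNS" changes in practice, as an added example that is not part of the article: a plain DNS query carries the hostname in cleartext in its wire format, so anyone on the path (the ISP included) can read it, while DNS over HTTPS (RFC 8484) wraps that same wire-format message inside an HTTPS request. The code below builds a query in DNS wire format, shows the RFC 8484 GET form (base64url in the `dns` parameter), and parses a response. The resolver URL is a placeholder and the response bytes are constructed by hand; nothing is sent on the network.

```python
"""Added example, not from the article: DNS wire format and the RFC 8484
DNS-over-HTTPS GET encoding, fully offline."""
import base64
import struct

RESOLVER_URL = "https://doh.example/dns-query"  # assumed placeholder, not a real resolver


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in wire format (RFC 1035 section 4.1).
    qtype 1 = A record. txid 0 is what RFC 8484 recommends for DoH so that
    identical queries produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def name_visible_in_cleartext(query: bytes, name: str) -> bool:
    """The point of the ISP debate: every label of the name sits unencrypted
    in a classic UDP/53 query, so an on-path observer can read it."""
    return all(label.encode("ascii") in query for label in name.rstrip(".").split("."))


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url encoded with
    padding removed, in the 'dns' query parameter. The HTTPS layer is what
    hides the name from the network."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            suffix, _ = _read_name(msg, ptr)
            labels.append(suffix)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 answers from a wire-format response, which is exactly what a
    DoH server returns as the application/dns-message body."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0xF:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return answers


# Constructed response (not captured from any server): answers the query for
# www.example.com with A 192.0.2.1 (TEST-NET-1), TTL 300, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("cleartext name visible on UDP/53:", name_visible_in_cleartext(q, "www.example.com"))
    print("DoH GET:", doh_get_url(RESOLVER_URL, q))
    print("answers:", parse_a_records(SAMPLE_RESPONSE))
```

The encoded query for `www.example.com` matches the worked example in RFC 8484 section 4.1.1, which is a useful check that the wire format is right. Note that DoH hides the name from the network path only; the resolver at the other end still sees every query, which is the centralization point the ISPs and the EFF are arguing about.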
Google to implement encrypted DNS, but ISPs want Congress to block it
Posted 01 October 2019 - 09:00 AM
Posted 01 October 2019 - 11:27 AM
Wow! and double Wow! Talk about the pot calling the kettle black!
I have already taken many steps to de-googlify my Internet usage! I use duckduckgo.com as a search engine, which claims they don't track your usage. NO, they sell the data to others and they track you. The subject-specific advertising doesn't change despite the ads being decided by Google advertising on every web page.
I changed my router DNS servers off Google, which my ISP assigns automatically, from 220.127.116.11 and 18.104.22.168 (Google) to 22.214.171.124 and 126.96.36.199, another immoral DNS service.
I avoid the usage of Chrome. It has many problems that need to be debugged yet and encourages the Google ownership.
I don't believe single ended encryption actually works. It isn't possible. If one server can decrypt it, so can anybody else. It keeps out the honest people and amateurs.
This is a power move by Google and people should be very afraid. The masses put Google into power through Microsoft hatred. It was the "go to" and now has become a worse problem.
Google is Skynet.
Edited by LarrylLix, 03 October 2019 - 07:11 AM.
Posted 01 October 2019 - 02:31 PM
Google is Skynet.
Absolutely. I avoid at all costs. I don't use their browser either.
Any ISP "service" (email, DNS, etc) is likewise evil. Don't trust them. For that matter, anything that isn't encrypted is at risk. I suspect many people still use unencrypted email transports (POP/IMAP/SMTP).
I haven't done it yet, but I'm seriously considering moving everything to a private VPN that goes to my own virtual server in the cloud. I was thinking that I would set up multiple DHCP addresses to fan out outgoing stuff. Unfortunately DHCP assignments tend to be sticky, so it probably won't help much. I'm highly suspicious of VPN service providers, as they likely just move the data collection point. Not sure what to do...
Posted 01 October 2019 - 11:50 PM
Maybe we need to get apps that randomly browse crap products while we are not using our PCs, so that the data collection becomes so confused they don't find any value in it.
This would up our bandwidth, but most ISPs are going unlimited anyway these days.
The one I love is booking a vacation trip and getting an email to confirm the booking. My wife then finds the flights with numbers inserted into her calendar. Google scraped the email right down to the words with times, and likely keeps stats on the money spent too.
Posted 02 October 2019 - 11:41 AM
On the subject of DNS over HTTPS, or really any tunnels (VPNs etc.): 1.) It will hurt performance; a lot of websites load balance you to the closest data center and they can't do that properly if you tunnel your DNS. 2.) You have to trust the other end. All it does is move the trust boundary. I think the best solution for DNS these days is to stand up your own recursive resolver, like on pfSense etc. Now you are talking directly to the destination AND they see your actual IP, so they can load balance you optimally. Or, less so, use something like 188.8.131.52. The ISP can still sniff it if they want, but I am not that concerned. DNS really needs to be encrypted and authenticated without being tunneled; unfortunately those proposed standards are big changes to the way things work today, so adoption is going to be slow.
If you still want to do the DNS tunneling, I would at least select a provider that is as distributed all over the US/world as possible, like Cloudflare. But they are still doing it to sell your data and control your traffic and promote their internet load balancing services. No one is doing this in the consumer's best interest.
Edited by wuench, 02 October 2019 - 11:43 AM.
Posted 03 October 2019 - 07:13 AM
Today I recommend that you utilize the Internet but DIY your connections to it via purchase of your own equipment while you can still have the choice.
Soon you will not have the choice.
One of the issues with the internet that I wrote about here a few years ago has been DNS hijacking.
This is where I had recommended to use your own software or firewall to the internet instead of an ISP supplied combo or SOHO router combo.
Whether the ISPs agree or not with this, it'll happen anyways, as you can see now in the changes in the most commonly used browsers.
Once you are on the Internet it really doesn't matter any more, as you are utilizing Google, Amazon, Microsoft et al. You cannot get away from it these days. There is no one ISP that is larger than any of the Internet players today.
Posted 04 October 2019 - 11:15 AM
A VPN could be the right solution if VPN hosting was regional (I'm in Minnesota, so if my VPN server was in a Twin Cities data center, that takes care of regional optimization).
A VPN provider could do the right thing to ensure legitimacy. They could open their infrastructure for 3rd party review & certification.
Posted 04 October 2019 - 11:28 AM
Here I utilize a VPN provider sometimes, VPN to my home all the time, and the Tor browser sometimes when I care about it.
I am vigilant.
It doesn't keep me up at night and I do not wear a tin hat here.
That said I am not a social web site user, nor tweet, nor text much on my phone (fact is that the phone is mostly off).
IE: I am not and never have been tethered to my phone.
Posted 04 October 2019 - 11:29 AM
Posted 04 October 2019 - 11:43 PM
Yeah, I wrote about the need for encrypted DNS in 2017. http://cocoontech.co...sucks/?p=258724
Today I use a Pi running Pi-hole to encrypt my DNS for my network, and it's nearly invisible. Yes, sure, a VPN is better, but in many ways it isn't. Many service providers have mapped all the IP addresses for the VPN providers, and many block them, so often things don't work through a VPN because these service providers don't want them to. And some are just the opposite.
I just got back from a trip to Europe, and noticed when I went to USA Today, it just wouldn't work. Then I launched the VPN with a NYC end-point, and then it started working.
Posted 05 October 2019 - 12:14 AM
I started to write about this here with the implementation (build) of my 3rd generation pfSense firewall in 2013. For years I had been using Smoothwall, and after reading about pfSense I started to write about it. I really did bug the guys there on the pfSense forum.
That said I have reposted the DNS Spoofing wiki here about 3 times now in the last 10 years.
Personally, the combo modem, router, switch, WAP SOHO boxes, rented or purchased, are XXX. That is my opinion.
Recently built a new PFSense firewall for a family member on a tiny box.
Current one used here today has 2 WAN (ISP failover) and 4 LAN connections, GPS / PPS NTP time sync. Just updated to a Gb modem (I do not have Gb internet here at this time).
Software: NG MaxMind pfBlocker, Squid, ClamAV, DNS resolver, Snort, IPsec VPN.