Everyone's DNS requests logged in one easy place
From: AnonUser
Newsgroups:
Tue, 14 Aug 2018 11:19 UTC
Mozilla to send all your browser DNS requests to Cloudflare
At Mozilla, we feel strongly that we have a responsibility to protect our users and their data. We’ve been working on fixing these vulnerabilities.
We are introducing two new features to fix this — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three threats here:
You could end up using an untrustworthy resolver that tracks your requests, or tampers with responses from DNS servers.
On-path routers can track or tamper in the same way.
DNS servers can track your DNS requests.
[Image: the three threats—resolvers, on-path routers, and DNS servers]
So how do we fix these?
Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
Protect against on-path eavesdropping and tampering using DNS over HTTPS.
Transmit as little data as possible to protect users from deanonymization.
Avoid untrustworthy resolvers by using Trusted Recursive Resolver
Networks can get away with providing untrustworthy resolvers that steal your data or spoof DNS because very few users know the risks or how to protect themselves.
Even for users who do know the risks, it’s hard for an individual user to negotiate with their ISP or other entity to ensure that their DNS data is handled responsibly.
However, we’ve spent time studying these risks… and we have negotiating power. We worked hard to find a company to work with us to protect users’ DNS data. And we found one: Cloudflare.
With this, we have a resolver that we can trust to protect users’ privacy. This means Firefox can ignore the resolver that the network provides and just go straight to Cloudflare. With this trusted resolver in place, we don’t have to worry about rogue resolvers selling our users’ data or tricking our users with spoofed DNS.
Why are we picking one resolver? Cloudflare is as excited as we are about building a privacy-first DNS service. They worked with us to build a DoH resolution service that would serve our users well in a transparent way. They’ve been very open to adding user protections to the service, so we’re happy to be able to collaborate with them.
But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them.
Protect against on-path eavesdropping and tampering using DNS over HTTPS
The resolver isn’t the only threat, though. On-path routers can track and spoof DNS because they can see the contents of the DNS requests and responses. But the Internet already has technology for ensuring that on-path routers can’t eavesdrop like this. It’s the encryption that I talked about before.
By using HTTPS to exchange the DNS packets, we ensure that no one can spy on the DNS requests that our users are making.
Transmit as little data as possible to protect users from deanonymization
In addition to providing a trusted resolver which communicates using the DoH protocol, Cloudflare is working with us to make this even more secure.
Normally, a resolver would send the whole domain name to each server—to the Root DNS, the TLD name server, the second-level name server, etc. But Cloudflare will be doing something different. It will only send the part that is relevant to the DNS server it’s talking to at the moment. This is called QNAME minimization.
[Image: resolver only asking the relevant question]
The resolver will also often include the first 24 bits of your IP address in the request. This helps the DNS server know where you are and pick a CDN closer to you. But this information can be used by DNS servers to link different requests together.
Instead of doing this, Cloudflare will make the request from one of their own IP addresses near the user. This provides geolocation without tying it to a particular user. In addition to this, we’re looking into how we can enable even better, very fine-grained load balancing in a privacy-sensitive way.
Doing this — removing the irrelevant parts of the domain name and not including your IP address — means that DNS servers have much less data that they can collect about you.
"But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want"
Does this mean that you can only use DoH-supporting resolvers? Can you configure it to use your own resolver?
Chrome has been redirecting DNS requests to their own servers for quite a while (they perform a test on your resolver and if it fails, they use their own).
Why should we think Cloudflare is safe? It does bring a nice database of DNS requests all in one place to be searched through. Not sure that's an increase in security.
--- Synchronet 3.17a-Linux NewsLink 1.108
Posted on RetroBBS
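An added worked example, not part of the quoted Mozilla article, the poster's text or any Cloudflare code: it models what a recursive resolver discloses to each authoritative server when resolving one name, once in the classic way (whole name to every server, plus the first 24 bits of the client's address in an EDNS Client Subnet option, RFC 7871) and once with the two measures the article describes, QNAME minimization (RFC 7816) and sending only the resolver's own egress address. The domain, client address and resolver address are constructed sample values.

```python
"""QNAME minimization and client-subnet handling, modelled offline.

Added example (not code from the quoted article or from any resolver): what a
recursive resolver discloses to each authoritative server, with and without the
data-minimization measures described in the post. All names and addresses are
constructed sample values.
"""
from __future__ import annotations

import ipaddress


def labels(name: str) -> list[str]:
    """Split a domain name into labels, ignoring a trailing dot."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def server_for(depth: int) -> str:
    """Authority consulted at each step of the delegation chain.
    depth 1 is the root, depth 2 the TLD, depth 3 the second-level zone."""
    return {1: "root servers", 2: "TLD servers", 3: "second-level servers"}.get(
        depth, f"level-{depth - 1} servers")


def full_queries(name: str, qtype: str = "A") -> list[tuple[str, str, str]]:
    """Classic behaviour: every server in the chain sees the whole QNAME and
    the real query type. Returns (server, qname, qtype) per step."""
    parts = labels(name)
    fqdn = ".".join(parts) + "."
    return [(server_for(d), fqdn, qtype) for d in range(1, len(parts) + 1)]


def minimized_queries(name: str, qtype: str = "A") -> list[tuple[str, str, str]]:
    """RFC 7816 QNAME minimization: each server is asked only for the suffix it
    serves plus one more label (as an NS query); only the final server sees the
    whole name and the real query type."""
    parts = labels(name)
    out = []
    for depth in range(1, len(parts) + 1):
        suffix = ".".join(parts[-depth:]) + "."
        last = depth == len(parts)
        out.append((server_for(depth), suffix, qtype if last else "NS"))
    return out


def ecs_scope(client_ip: str) -> str:
    """Prefix a resolver would place in an EDNS Client Subnet option:
    the first 24 bits for IPv4 (as in the article), 56 for IPv6 (RFC 7871)."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 56
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def disclosed_source(client_ip: str, minimize: bool, resolver_egress: str) -> str:
    """Address information the authoritative server learns about the origin of
    the lookup: the truncated client prefix, or only the resolver's own address."""
    return resolver_egress if minimize else ecs_scope(client_ip)


def disclosure_report(name: str, client_ip: str, resolver_egress: str,
                      minimize: bool) -> dict:
    """Everything an authoritative server along the chain could log."""
    queries = minimized_queries(name) if minimize else full_queries(name)
    return {
        "queries": queries,
        "source": disclosed_source(client_ip, minimize, resolver_egress),
        "labels_seen_by_root": len(labels(queries[0][1])),
    }


if __name__ == "__main__":
    # Constructed sample values: documentation ranges, not real hosts.
    for mode in (False, True):
        rep = disclosure_report("www.example.com", "203.0.113.77",
                                "198.51.100.9", minimize=mode)
        print("minimized" if mode else "classic")
        for srv, qname, qtype in rep["queries"]:
            print(f"  {srv:22} {qtype:3} {qname}")
        print(f"  client info disclosed: {rep['source']}")
```

Running it shows the root servers learning only `com.` and a resolver address in the minimized case, against the full `www.example.com.` and a /24 of the client in the classic case. Note that the second measure only moves the data: the recursive resolver itself still sees the full name and the client's real address, which is the point the post's author is raising.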
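A second added example, again not code from the quoted article or from Mozilla or Cloudflare, makes concrete what "using HTTPS to exchange the DNS packets" means on the wire (RFC 8484): an ordinary DNS query is serialised and either base64url-encoded into a GET parameter or sent raw as a POST body, so an on-path observer sees only a TLS connection to the resolver's host. The resolver URL is a placeholder; the GET encoding of the sample query matches the example given in RFC 8484 itself.

```python
"""DNS over HTTPS message encoding (RFC 8484), built offline.

Added example (not from the quoted article or any DoH implementation). The
resolver URL is a placeholder, not a real service; the queried name is a
constructed sample.
"""
import base64
import struct

RESOLVER_URL = "https://doh.example.invalid/dns-query"  # placeholder
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, msg_id=0):
    """Serialise a single-question DNS query in RFC 1035 wire format.
    RFC 8484 suggests ID 0 so identical queries yield identical messages,
    which lets HTTP caches serve them."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query, resolver_url=RESOLVER_URL):
    """GET form: the wire message, base64url without padding, in dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(query, resolver_url=RESOLVER_URL):
    """POST form: the raw wire message as body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {"Accept": "application/dns-message",
                    "Content-Type": "application/dns-message"},
        "body": query,
    }


def parse_question(msg):
    """Decode the question section of a wire message into
    (qname, qtype, qclass). Used here to round-trip build_query and to
    show that the HTTPS layer carries an ordinary DNS message unchanged."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, parts = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        parts.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(parts) + ".", qtype, qclass


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)["headers"])
    print(parse_question(q))
```

The only thing visible to an on-path router is a TLS session to the resolver's hostname; the name being looked up travels inside the encrypted HTTP request. The resolver at the other end, of course, decrypts and sees every query, which is why the choice of resolver matters as much as the transport.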
Re: Everyone's DNS requests logged in one easy place
From: anon
Newsgroups:
Tue, 14 Aug 2018 19:07 UTC