Google could easily take the initiative on the DNS query front and implement DNSCrypt by default in Chrome. It would boost client privacy and also block ISPs from selling usage data. So it would be a win-win for Google.
True, but as I said in another comment here: it will not hide the websites you are visiting. This is also a problem in the article... a secure DNS will not make you invisible; it is only slightly harder to track the websites you are visiting. All the IPs you visit can still be run through a reverse DNS lookup, and you will get all the website addresses.
And Chrome cannot use DNSCrypt by default. It uses UDP ports which are sometimes closed on other networks. So there are technical limitations. Even using a DNS server other than the network's own is often not allowed (you will experience that if you travel often).
Also some people will not like using a Google DNS by default ;)
IMHO this would still be a huge step because the URL path after the hostname reveals very specific information relative to the host (say, pornhub or webmd)
Security: they can hijack requests (BT does this in the UK to censor requests to certain domains). I believe some ISPs intercept all queries on port 53.
Privacy: your ISP has a log of the DNS queries you've made. (of course, they have a log of the IP addresses you've made HTTP/HTTPS requests to, so that may be less relevant).
> I believe some ISPs intercept all queries on port 53.
I'd say most ISPs do it nowadays, including some datacentre providers. I only noticed it when my ISP screwed up their DNS proxy, making all Cloudflare domains inaccessible no matter which DNS server I point queries to; the packets simply disappear down a black hole.
Jesus, that sucks. Do they also block VPNs, say on ports 80 and 443? Some VPNs use SSH and/or SSL (stunnel) for obfuscation. iVPN uses obfsproxy. A few use OpenVPN hacks, or proprietary obfuscation.
As far as I can tell, no. But their home broadband division is a spectacular mess of four quasi-autonomous networks acquired through mergers and buyouts, so your mileage may vary depending on which block you land upon.
After all, it is really a lazy way to save transit costs by making sure that domain names resolve to a CDN they have peered with, or in the worst case, to a transparent HTTP caching proxy they have set up.
That's mostly an issue for those using VPN services. I should have made that clear.
Otherwise, it's mostly about how mistyped URLs get handled. Some DNS servers point mistyped URLs to neutral "did you mean?" pages. But others redirect to sites that pay for the service. Even worse, there's the possibility of outright MitM attacks.
And then there's censorship. Hit https://thepiratebay.se/ and see what you get. And that's just a torrent search site. To reach some sites, it takes some work to find a DNS server that will give you the IP address.
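As an added illustration (not from any commenter in this thread), a defender-side check for the "did you mean?" redirection described above: a resolver that answers NOERROR with an A record for a name that cannot exist is rewriting NXDOMAIN. The wire-format helpers and both sample responses are constructed here; the 203.0.113.10 address is documentation space, and the probe name is a made-up label under .example.

```python
import struct

def build_query(name, txid):
    """Wire-format DNS A query (RD=1) for `name`."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), end if end is not None else off

def parse_response(data):
    """Return (rcode, [(name, rtype, rdata), ...]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        answers.append((name, rtype, data[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, answers

def nxdomain_hijacked(response):
    """True if a name that cannot exist still gets NOERROR plus an A record."""
    rcode, answers = parse_response(response)
    return rcode == 0 and any(rtype == 1 for _, rtype, _ in answers)

# Constructed samples for a probe name that should not exist (no network needed).
PROBE = "nx-0123456789ab.example"
QUESTION = build_query(PROBE, 0x1234)[12:]
HONEST = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION        # rcode 3 = NXDOMAIN
HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION     # NOERROR + A record
            + struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([203, 0, 113, 10]))
```

Against a live resolver, the same check is sending `build_query()` over UDP/53 for a freshly generated random label and feeding the reply to `nxdomain_hijacked()`; a consistent True across several random probes indicates NXDOMAIN rewriting rather than a stray wildcard record.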
TPB still works for me. Can you provide an example DNS for a site that's difficult to find a DNS server that will give you the IP address? Barring that, could you explain the type of content that is censored this way? I currently use Google's DNS service. If they censor known malware URLs, I'd be happy with that. I'm not sure if there are other types of sites I'd like them to filter.
Some DNS servers will show you a page about copyright infringement instead of TPB. Years ago, some German DNS servers were null-routing Nazi stuff. The FBI sometimes takes down sites through DNS spoofing aka cache poisoning. But normally, they go after root nameservers. In 2014, the Turkish government banned Twitter and YouTube through DNS cache poisoning: http://googleonlinesecurity.blogspot.com/2014/03/googles-pub...
This can be promoted by offering the user the choice of several DNSSEC-enabled public DNS servers in Chrome. Or someone makes an extension that does this by default; maybe that is easier to promote.
Google's already demonstrated that "don't be evil" is now just a sad memory. I'm not ready to believe them to "do the right thing". Their entire existence is predicated on increasing and refining their data collection and analysis, and acting on such.
Google's seedy behavior already directly impacts me every day. I, for one, don't welcome this new corporate overlord.