Google, UK ISPs and Gov Battle Over Encrypted DNS and Censorship

Monday, Apr 22nd, 2019 (9:49 am) - Score 11,107

The UK Government, broadband ISPs and the National Cyber Security Centre (NCSC) are set to meet on the 8th May 2019 in order to discuss Google’s forthcoming implementation of encrypted DNS (DoH – DNS over HTTPS), which politicians fear could break their internet censorship plans.

The existing Domain Name System (DNS), which maps human readable domain names to Internet Protocol (IP) addresses (e.g. examplefakeblah.co.uk to 123.56.32.1) and back again, is currently unencrypted and usually managed automatically by your ISP. This gives providers a lot of control over related traffic and enables various support features (Parental Controls, network performance testing etc.).

By comparison, DNS over HTTPS (DoH) sends DNS queries inside the encrypted HTTPS protocol, and some major web browsers, such as Chrome (Google) and Firefox (Mozilla), are planning to introduce their own DoH solutions. The result could be that ISPs lose a lot of their control over DNS, which would break some of their services, including DNS based website blocking (e.g. the new porn site blocks will use DNS based censorship).

At this point we should remind readers that ISPreview.co.uk covered this topic in a lot more detail earlier this month (here), which is worth a read if you want to understand why the big ISPs have concerns about DoH, despite it effectively being a security improvement for consumers.

According to The Sunday Times, the Government are particularly concerned about the impact that all of this could have on their wider plans for internet censorship (i.e. not just breaking their porn block but also disrupting future ambitions under the Online Harms White Paper).

One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage (note: they can already do this without DoH), which they say might be held by Google under Californian law.

At this point we rather suspect that a collective “meh…”, possibly followed by some distinct shoulder shrugging, will be emanating from anybody with moderate I.T. experience. This is because DNS based blocking has always been easy to circumvent and consumers have always had the ability to adopt a third-party DNS provider (OpenDNS, Google Public DNS etc.).

One key difference here, other than encryption, is that Chrome and Firefox could make their own DoH solutions the default (so far neither has done so – it’s still optional, for now). Similarly, if third parties want to adopt DoH then there’s precious little that ISPs can do about that, save for perhaps making more extensive use of expensive Deep Packet Inspection (DPI) technology, but even this has its limits and problems.

Meanwhile the question that consumers may end up having to ask themselves is whether or not they’d rather let ISPs have access to their DNS data or Google/Mozilla. It’s also worth considering that many other third-parties may launch their own default DoH solutions in the future, which may further complicate matters. Some of the DNS based support features offered by ISPs are also quite useful, thus breaking them with DoH isn’t always desirable (likely to give ISP support teams a complex headache).

Suffice to say, it would be interesting to be a fly on the wall at next month’s meeting.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon and Facebook.
Comments
31 Responses
  1. Joe says:

    “One unnamed government official is reported to have said that their ability to investigate paedophiles and terror cells would be hampered. Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage ”

    Nice juxtaposition. The gov want to monitor browsing habits but feign outrage at others theoretically doing the same. While Google data collection might be a risk, doubtless others will deliver anonymised E-DNS.

    1. CarlT says:

      There are quite a few things we permit government to do but would resist handing over to the private sector.

    2. Joe says:

      That might be true, but there is hypocrisy in the gov attacking the privacy issues with private DNS while wanting to breach the same privacy.

    3. CarlT says:

      Not really. That’s what government does. You pay your taxes to government, that’s normal; another private citizen tries to tax you, that’s extortion.

      It’s actually quite legitimate to be concerned about Google processing data under California state law. UK and EEA entities have to obey GDPR.

      It’s pretty rich coming from the state that’s second only to China in CCTV per capita but is not unreasonable.

    4. Joe says:

      In most cases the Gov is bound by the same data regs as private entities. It just doesn’t like it, which is why it so regularly loses court cases by breaching data protections.

      Not that I’m a fan of GDPR – it’s monumentally dim legislation.

    5. D says:

      I’d rather Google has my data than UKgov. UKgov has no interest in anything other than a token effort to secure our data. They are acting how a fascist state does, taking your privacy and your voice in the interests of security in a manner akin to using a nuke to crack a nut – it is that proportional.

      Google / Alphabet has a vested interest in protecting your data and their entire business model is intrinsically tied to it being secure.

      Let’s see who we should trust here: a government with a lousy track record for record keeping, corruption and inane decisions to cripple freedom and privacy, or do we trust a major business whose entire business model is entirely and exclusively about keeping your data secure from 3rd party access and a track record to prove it?

      I know where my data is safest, and the current law changes are no different to Tony Blair when he tried to kill off habeas corpus and the Bill of Rights in an attempt to weaken our freedoms and rights.

  2. Mike says:

    Anything that inhibits state overreach can only be a good thing.

  3. CarlT says:

    If filters are based around Cleanfeed and equivalents encrypted DNS isn’t really worth that much.

    That tech uses IP addresses to select traffic for further inspection and DPI on that subset can be used.

    If someone is accessing a site whose certificate indicates it is pornography it’s a fair bet the site in question is pornographic. This can be done in less than 10 packets per flow.

    Can hide the DNS, can’t hide the Common Name in the certificate.

    1. Joe says:

      Obviously it covers off DNS leaks with various proxies/vpns and the like

    2. Kevin says:

      “Can hide the DNS, can’t hide the Common Name in the certificate.”
      I believe TLS 1.3 deals with that too, as I thought the exact same thing initially. The only thing which can’t be hidden is the IP address of the server…

    3. Joe says:

      Correct, it encrypts the certificate.

      https://www.cloudflare.com/ssl/encrypted-sni/

    4. CarlT says:

      Server Name Indication?

      Saves waiting for the certificate from the server. Have the client send the address it’s looking for over the datapath to the server.

      Aware that a fully encrypted standard, ESNI, is in progress. It will be interesting to see what the next step in eavesdropping is once this is widely implemented.

      For the curious this gives a couple of ways that a client can get keying material to encrypt the TLS handshake. DNS is one of those so it’s a great fit for DNS over HTTPS.

    5. CarlT says:

      Yes, read it. Thank you, both.

  4. Karen Cookson says:

    I think this article covers a lot of the conundrums
    http://www.circleid.com/posts/20190407_dns_privacy_at_ietf_104/

    Perhaps if the browsers give the users an ability to choose a different DoH resolver, then a lot of peoples concerns of “all in the hands of Google” would be somewhat dissipated.

    1. Joe says:

      Karen: Individual apps do that anyway; indeed various browsers allow manual DNS setting or default options setting aside the OS itself. Many VPNs take over DNS requests.

    2. Joe says:

      For example: Just about:config in Firefox and then add any of these:

      https://github.com/curl/curl/wiki/DNS-over-HTTPS

    3. captain.cretin says:

      I haven’t used my various ISPs’ DNS servers since last century (dial-up). My router is set to use TWO different services, on the off-chance one goes down.

  5. Numpty Power says:

    Given the fact history in this country shows that when ISPs and our government lose private information of Joe Public, or worse when it comes to government security information and equipment, it then takes them ages to admit it, I know who I would sooner have my “browsing habits and device usage” information out of them and Google.

    Sure the likes of Google and the like also stuff up but they actually try to fix things when things go wrong.

    I would not trust Talk Talk and their previously hacked systems or BT and its history of Cleanfeed and similar with no notification (only admitting it when caught out).

    As for our own inept governments of the past 30 or so years, who, as some highlights, have lost hundreds of computers and left things like documents about Al-Qaida and Iraq on a train. The government even trying to convince me this is about security in any way, rather than them controlling the internet, is laughable.

    “…Meanwhile intelligence and law enforcement officials have noted that Google could use DoH to amass vast detail on people’s browsing habits and device usage”

    Perhaps whoever that clown was should be more concerned about departments like the MOD, who regularly lose ammunition, computers, phones, explosives and detonators. YES really folks.

    My only hope is Google do not go all Snowflake as they do too often and cave to whatever stupid demands our government make.

  6. Bob2002 says:

    If people are genuinely concerned about DNS records being collected they should probably set their router up to use a VPN anyway – decent VPN providers are pretty cheap so there isn’t really much of a barrier to doing this.

  7. Moses Jonson says:

    I’d rather none of them had my data like that. UKgov will abuse that data, and Google, well, Google is Google, but to be perfectly clear, what the UKgov is trying to pull off (in the end) will fail. We’ll have to wait and see how this whole process will play out (looks like a Pandora’s box mess) waiting to explode on the table of UKgov, just like Universal Credit.

  8. Andy M says:

    Don’t know about Chrome’s implementation yet, but Firefox uses Cloudflare for DoH resolution. Therefore this doesn’t give Mozilla any more visibility of users’ DNS requests than it did before, as is being implied here that they would be handling the DNS requests in DoH. Cloudflare’s DNS server is also known for making privacy a priority.

    1. Some says:

      Cloudflare loves Privacy? Ha-ha… Microsoft loves Linux, I remember.
      Try to use Tor to love Cloudflare and Privacy at the same time.

  9. Freman says:

    There are already ways to hide this traffic, but won’t somebody please think of the children?!?!!!

    Typical BS and rhetoric from the government.

    There exist tools that let you mix your ISP and 3rd party DNS solutions, so you can have secure DNS for 99 percent of everything and keep your ISP’s DNS magic for whatever they’re providing, if you want.

    If you have nothing to hide, you’ve got nothing to fear, right? Well how about the government let us check out their DNS queries?

    1. Jordan says:

      They are claiming terrorists and pedophiles won’t be as easy to track but they already aren’t as the clever ones will be using tools to hide their online activity including VPN. People have always stood by and accepted the government’s excuse that they need to monitor and record internet traffic, invading privacy to prevent crime, when most of the criminals are invisible already as they are the ones using VPN and other secure means of access.

  10. Mr Hardon says:

    A random thought: surely a browser defaulting to its own encrypted DNS would also break internal DNS services?

  11. CarlT says:

    I’ll be keeping an eye on Pi Hole’s progress in this regard. It’s served me beautifully at home so far.

  12. t0m5k1 says:

    Could not care less and TBH, I’m glad they’re in a tailspin over it as it shows how clueless they really are to all this.

  13. Mml says:

    Looks like Sky already acted and blocked ANY third-party DNS in its latest Hub firmware update. What do you say?

  14. Gregory Sabin says:

    BT have said on their messaging service that IPv6 is not supported for consumers. I am using my own Billion BiPAC 8800NL router on ADSL. Can anybody tell me if what BT have said is correct? I had entered the Google open fans settings in the advanced settings, but when I tested it, it said no IPv6 found.

  15. Gregory Sabin says:

    I meant Google open dns sorry
