Google addresses misconceptions about plans for improving DNS security



    Posted: 29 Oct 2019
    Whenever you type a URL into your browser (for example “redcross.org”), this information is sent to a domain name system (DNS) provider that converts that request into the unique numerical “IP address” (e.g. 162.6.217.119) that identifies websites on the Internet. Your browser then uses that numerical IP address to take you to the site you were looking for. Unfortunately, today the requests from your browser to the DNS provider are not encrypted (which makes you vulnerable to passive monitoring by strangers) nor authenticated (which makes you vulnerable to online attackers). This is especially true when you’re connected to public WiFi, for example at a cafe or airport, since anyone else using the network can see and track the websites you visit and maybe redirect your browser to a malicious website.

    In September, we announced an experiment in Chrome to improve online privacy and security by enabling secure DNS connections with DNS-over-HTTPS (DoH) for users already using DNS providers that support it. DoH is being developed by the Internet standards community as a step toward better security and privacy by encrypting the traffic between your browser and your DNS provider. It improves privacy by removing one of the ways used by malicious actors to observe the browsing habits of other users on the same network. DoH is also a significant security improvement, as it helps stop man-in-the-middle attacks on DNS lookups. Many privacy-minded organizations, journalists, other browser providers and internet service providers (ISPs) agree that these changes will improve your privacy and security.

    Unfortunately, there has been some misinformation and confusion about the goals of our approach and whether DoH will impact existing content controls offered by ISPs. The confusion comes from two particular claims and we want to address both.

    The first claim is that Google is going to redirect user DNS traffic to Google's own DNS or another DoH-compliant DNS provider. That is incorrect. Because we believe in user choice and user control, we have no plans to force users to change their DNS provider. Today, there are many independent DNS providers, although ISPs serve approximately 97% of user DNS needs. As long as these service providers keep catering to user needs and concerns, it will remain a diverse ecosystem. We’re simply enabling support in Chrome for secure DoH connections if a user’s DNS provider of choice offers it. Chrome will check if the user’s DNS provider is among a list of participating DoH-compatible providers and if so, it will enable DoH. If the DNS provider is not on the list, Chrome won’t enable DoH and will continue to operate as it does today. As DoH adoption increases, we expect to see the number of DoH-enabled DNS providers grow.

    The second claim we’ve seen is that the secure DoH connection will limit the family-safe content controls offered by some ISPs. In fact, any existing content controls of your DNS provider, including any protections for children, should remain active. DoH secures the URL data only while it’s in transit between your browser and the DNS provider, so your provider’s malware protection and parental control features will continue to work as they have in the past. As a proof point, CleanBrowsing offers the same parental control features on its DoH service as it does on its unencrypted service.

    As we said last month, we’re taking an incremental approach with this experiment, and our current plan is to enable DoH support for just 1% of our users, provided that they are already using a DoH-compliant DNS provider. This will allow Google and DoH providers to test the performance and reliability of DoH. We’ll also monitor feedback from our users and from other stakeholders, including ISPs. Most managed Chrome deployments such as schools and enterprises are excluded from the experiment by default. We also offer policies for administrators to control the feature. Finally, Chrome users may opt out of the DoH experiment entirely by going to chrome://flags/#dns-over-https, starting in Chrome 79.

    We are optimistic about the opportunities DoH offers for improving user privacy and security, but we also understand the importance of DNS and that there could be implementation concerns we haven’t foreseen. That’s why we plan to move carefully and transparently. We’re open to feedback and welcome constructive collaboration and engagement. We are committed to ensuring that the deployment of DoH does not create unintended consequences, and we will continue to work with stakeholders including ISPs, DNS providers, and Internet and child safety advocates as we make progress.


    Posted by Kenji Baheux, Chrome Product Manager


    Source: https://blog.chromium.org/2019/10/ad...ons-about.html
    Posted By: Brink
    29 Oct 2019



  1. Posts : 714
    Win 7 Pro, SP1, x86, Win-11/Pro/64
       #1

    All that, I guess, makes me a 'Bad Boy' because I refuse to use Chrome, and I have the DNS service permanently "Disabled", in Windows.



    But I still seem to get to every place on the WWW that I want to, or Need to, Go. Go figure.


    Happy Holidays!
    TM


  2. Posts : 1,384
    Win 7 Ult 64-bit
       #2

    Can you imagine Google worries about our privacy? Verizon is already recording all my traffic, no matter what browser I use.


  3. Posts : 0
    Windows 7 Ultimate x64
       #3

    TechnoMage2016 said:
    All that, I guess, makes me a 'Bad Boy' because I refuse to use Chrome, and I have the DNS service permanently "Disabled", in Windows.



    But I still seem to get to every place on the WWW that I want to, or Need to, Go. Go figure.


    Happy Holidays!
    TM

    This doesn't have anything to do with DoH. The DNS service in Windows is just a caching mechanism as far as I know and it just speeds up URL requests by first looking in your Windows DNS cache for that URL's IP address rather than going to your DNS provider like OpenDNS or your ISP's DNS provider, whatever you have configured in the NIC.

    I was told long ago on another forum that disabling the DNS caching service in Windows breaks DNS. But like you, I had it off for many years as a form of security I had in mind. Nowadays I keep it on and whenever I use CCleaner and System Ninja to get rid of temp files, etc., CCleaner will purge the DNS cache as I have that option on. Sometimes I flush the DNS cache manually and this may be needed to see a change on a website if you're the Admin of a website using CloudFlare. I run a few websites myself that use CloudFlare and I've heard it being the case with the DNS cache having to be cleared while making changes to a website. Though, I've never encountered that myself (yet).


  4. Posts : 0
    Windows 7 Ultimate x64
       #4

    RoWin7 said:
    Can you imagine Google worries about our privacy? Verizon is already recording all my traffic, no matter what browser I use.

    While I agree that Google is not about privacy for more reasons than there are chapters in Genesis. But the use of TLS over DNS isn't really a privacy thing at all. In fact it's the very opposite. The only possible privacy evasion I see with DoH is that I think in Chrome or Chromium's case, they may be issuing their own TLS certs, and maybe by that logic they can see what websites you browse through internal browser mechanisms. But I'm just speculating. This really should be a third question for Google. The article mentions just two and those two are pretty much common sense. At least to me anyway.


  5. Posts : 0
    Windows 7 Ultimate x64
       #5

    And for the record. One can already secure their DNS with this project. Home page of the DNSCrypt project [DNS security]

    I've had mixed results many years ago. But I may try it again and see what happens.

