

Windows 7: Google addresses misconceptions about plans for improving DNS security

2 Weeks Ago   #1
Brink

64-bit Windows 10 Pro
 
 

Quote:
Whenever you type a URL into your browser (for example “redcross.org”), this information is sent to a domain name system (DNS) provider that converts that request into the unique numerical “IP address” (e.g. 162.6.217.119) that identifies websites on the Internet. Your browser then uses that numerical IP address to take you to the site you were looking for. Unfortunately, today the requests from your browser to the DNS provider are not encrypted (which makes you vulnerable to passive monitoring by strangers) nor authenticated (which makes you vulnerable to online attackers). This is especially true when you’re connected to public WiFi, for example at a cafe or airport, since anyone else using the network can see and track the websites you visit and maybe redirect your browser to a malicious website.

In September, we announced an experiment in Chrome to improve online privacy and security by enabling secure DNS connections with DNS-over-HTTPS (DoH) for users already using DNS providers that support it. DoH is being developed by the Internet standards community as a step toward better security and privacy by encrypting the traffic between your browser and your DNS provider. It improves privacy by removing one of the ways used by malicious actors to observe the browsing habits of other users on the same network. DoH is also a significant security improvement, as it helps stop man-in-the-middle attacks on DNS lookups. Many privacy-minded organizations, journalists, other browser providers and internet service providers (ISPs) agree that these changes will improve your privacy and security.

Unfortunately, there has been some misinformation and confusion about the goals of our approach and whether DoH will impact existing content controls offered by ISPs. The confusion comes from two particular claims and we want to address both.

The first claim is that Google is going to redirect user DNS traffic to Google's own DNS or another DoH-compliant DNS provider. That is incorrect. Because we believe in user choice and user control, we have no plans to force users to change their DNS provider. Today, there are many independent DNS providers, although ISPs serve approximately 97% of user DNS needs. As long as these service providers keep catering to user needs and concerns, it will remain a diverse ecosystem. We’re simply enabling support in Chrome for secure DoH connections if a user’s DNS provider of choice offers it. Chrome will check if the user’s DNS provider is among a list of participating DoH-compatible providers and if so, it will enable DoH. If the DNS provider is not on the list, Chrome won’t enable DoH and will continue to operate as it does today. As DoH adoption increases, we expect to see the number of DoH-enabled DNS providers grow.

The second claim we’ve seen is that the secure DoH connection will limit the family-safe content controls offered by some ISPs. In fact, any existing content controls of your DNS provider, including any protections for children, should remain active. DoH secures the URL data only while it’s in transit between your browser and the DNS provider, so your provider’s malware protection and parental control features will continue to work as they have in the past. As a proof point, CleanBrowsing offers the same parental control features on its DoH service as it does on its unencrypted service.

As we said last month, we’re taking an incremental approach with this experiment, and our current plan is to enable DoH support for just 1% of our users, provided that they are already using a DoH compliant DNS provider. This will allow Google and DoH providers to test the performance and reliability of DoH. We’ll also monitor feedback from our users and from other stakeholders, including ISPs. Most managed Chrome deployments such as schools and enterprises are excluded from the experiment by default. We also offer policies for administrators to control the feature. Finally, Chrome users may opt-out of the DoH experiment entirely by going to chrome://flags/#dns-over-https, starting in Chrome 79.

We are optimistic about the opportunities DoH offers for improving user privacy and security, but we also understand the importance of DNS and that there could be implementation concerns we haven’t foreseen. That’s why we plan to move carefully and transparently. We’re open to feedback and welcome constructive collaboration and engagement. We are committed to ensure that the deployment of DoH does not create unintended consequences and we will continue to work with stakeholders including ISPs, DNS providers, and Internet and child safety advocates as we make progress.


Posted by Kenji Baheux, Chrome Product Manager


Source: https://blog.chromium.org/2019/10/ad...ons-about.html
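
The same-provider check and the DoH request described in the quoted article, as an added example that is not part of the original post and is not Chrome's code. The resolver list, endpoint URLs and function names are constructed for illustration; the request encoding follows the RFC 8484 GET form.

```python
import base64
import struct

# Constructed sample list (resolver IP -> DoH endpoint of the SAME provider).
# Documentation addresses and example hostnames, not Chrome's real list.
PARTICIPATING = {
    "192.0.2.53": "https://doh.example.net/dns-query",
    "198.51.100.53": "https://family.example.org/dns-query",
}

def pick_doh_endpoint(system_resolvers, managed=False, opted_out=False):
    """Return the DoH endpoint to use, or None to keep classic DNS.

    The provider is never changed: an endpoint is returned only when a
    resolver the user already has configured is on the list.
    """
    if managed or opted_out:
        return None
    for ip in system_resolvers:
        if ip in PARTICIPATING:
            return PARTICIPATING[ip]
    return None

def build_query(name, qtype=1):
    """DNS wire-format question (RFC 1035), ID 0 as RFC 8484 recommends."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, class IN

def doh_get_url(endpoint, name):
    """RFC 8484 GET form: base64url of the DNS message, padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"

def resolve_plan(name, system_resolvers, **kw):
    """Describe how the lookup would leave the machine."""
    endpoint = pick_doh_endpoint(system_resolvers, **kw)
    if endpoint is None:
        return ("udp53", system_resolvers[0])  # unchanged, unencrypted lookup
    return ("doh", doh_get_url(endpoint, name))  # same provider, inside HTTPS

if __name__ == "__main__":
    print(resolve_plan("redcross.org", ["192.0.2.53"]))   # provider on the list
    print(resolve_plan("redcross.org", ["203.0.113.1"]))  # provider not on the list
```

The DNS message carried in the `dns=` parameter is the same one a classic lookup sends; only the transport changes, which is why filtering done by the provider itself is unaffected.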


2 Weeks Ago   #2
TechnoMage2016

Windows 7 Professional, SP1, x86
 
 

All that, I guess, makes me a 'Bad Boy' because I refuse to use Chrome, and I have the DNS service permanently "Disabled", in Windows.



But I still seem to get to every place on the WWW that I want to, or Need to, Go. Go figure.


Happy Holidays!
TM
2 Weeks Ago   #3
RoWin7

Win 7 Ult 64-bit
 
 

Can you imagine Google worries about our privacy? Verizon is already recording all my traffic, no matter what browser I use.

2 Weeks Ago   #4
F22 Simpilot

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by TechnoMage2016
All that, I guess, makes me a 'Bad Boy' because I refuse to use Chrome, and I have the DNS service permanently "Disabled", in Windows.



But I still seem to get to every place on the WWW that I want to, or Need to, Go. Go figure.


Happy Holidays!
TM

This doesn't have anything to do with DoH. The DNS service in Windows is just a caching mechanism as far as I know and it just speeds up URL requests by first looking in your Windows DNS cache for that URL's IP address rather than going to your DNS provider like OpenDNS or your ISP's DNS provider, whatever you have configured in the NIC.

I was told long ago on another forum that disabling the DNS caching service in Windows breaks DNS. But like you, I had it off for many years as a form of security I had in mind. Nowadays I keep it on and whenever I use CCleaner and System Ninja to get rid of temp files, etc, CCleaner will purge the DNS cache as I have that option on. Sometimes I flush the DNS cache manually and this may be needed to see a change on a website if you're the Admin of a website using CloudFlare. I run a few websites myself that use CloudFlare and I've heard it being the case with the DNS cache having to be cleared while making changes to a website. Though, I've never encountered that myself (yet).
2 Weeks Ago   #5
F22 Simpilot

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by RoWin7
Can you imagine Google worries about our privacy? Verizon is already recording all my traffic, no matter what browser I use.

While I agree that Google is not about privacy for more reasons than there are chapters in Genesis. But the use of TLS over DNS isn't really a privacy thing at all. In fact it's the very opposite. The only possible privacy evasion I see with DoH is that I think in Chrome or Chromium's case, they may be issuing their own TLS Certs. and maybe by that logic they can see what websites you browse through internal browser mechanisms. But I'm just speculating. This really should be a third question for Google. The article mentions just two and those two are pretty much common sense. At least to me anyway.
2 Weeks Ago   #6
F22 Simpilot

Windows 7 Ultimate x64
 
 

And for the record. One can already secure their DNS with this project. Home page of the DNSCrypt project [DNS security]

I've had mixed results many years ago. But I may try it again and see what happens.