You're right to be suspicious. The DNS-over-HTTPS model favors those who run the servers (because they get exclusive access to monetizable end user name resolution data) and those who control the resolvers.
You might control the resolver on your personal computer (for now). You probably don't control it on your phone. You most likely won't control it on your embedded devices.
The root evil here is that you can't change the root certificates in such devices. Even if you controlled its DNS, the device could still just be programmed to fail if it doesn't reach its analytics/ad/whatever server.
The IKEA Tradfri "smart" lighting gateway will stop responding to commands if it can't phone home to some IKEA server. I noticed this when I changed my router to use NextDNS, which blocked the IKEA lookups. I was ready to return the device as broken until I realized this. I've also had issues with Bang & Olufsen speakers in the past, and inclined to believe it's for the same reasons.
I think it's insane that devices can effectively be bricked if they can't phone home. It's nothing short of waste, and I think environmental legislation should require device manufacturers to supply ways of disabling or overriding these mechanisms such that devices can continue to operate regardless of whether home servers are blocked or otherwise out of reach, e.g. company goes belly up, censorship etc.
I tend to cut DJI a break, because customer (non-)compliance with no-fly zones is a class-1 existential threat to their business selling consumer drones. Pinging DJI servers to check for altitude restrictions at every power-up cycle is intrusive, but I honestly don't see that they have much choice.
When I installed PiHole a few years back I blocked my tradfri gateway from connecting to Ikea's servers and everything kept working! I wonder if something has changed since then? Ikea devices are kind of nice because they don't actually rely on the internet at all and work completely locally (at least, they did a few years back).
All I can say is when I had NextDNS configured on my router it blocked requests to some IKEA domain, possibly smetrics.ikea.com from a cursory search through he logs, and my Tradfri gateway would just straight stop responding to anything at that point. I googled around for a while and found other people having issues with DHCP and QoS with Tradfri gateways, so I made sure it had a static IP set as well as all QoS “features” being disabled, but this didn’t help. It would work at first, for some period of time (30 min maybe?) and then stop responding. Once I saw the blocked DNS lookups I disabled NextDNS on the router and flushed any caches on the router, rebooted everything and it’s worked fine now for a good month or so.
I will admit I haven’t done any further investigation, but simply concluded that the gateway at some point started phoning home and if it didn’t receive a response went into some catatonic state. Maybe I’ll dig deeper at some point, time permitting.
You can go back from network settings back to settings or something like this. just poke around.
Discovered it when comcast went down for 4 days and wanted to run kodi on firetv
Amazon also tends to hide options until you "try" connecting to your network. My device refused to work without internet until I "tried" connecting to my network using an incorrect password. When I did that and the device failed, an option to skip network setup appeared. In small font at the bottom of the screen, of course.
I still prefer DoH giving "exclusive" access to resolvers, because the alternative is sending that data in plaintext for everyone along the path to read?
If your ISP is large enough it is only sent to ISP's name server which probably has everything you need cached, and if it isn't it might blend in with other queries. And your ISP can sniff SNI or guess target domains from target IPs already.
> The DNS-over-HTTPS model favors those who run the servers (because they get exclusive access to monetizable end user name resolution data)
Hold up. You are claiming that the fact that DoH prevents DNS requests from being visible in cleartext network traffic is a bad thing?
...what? In a world where the choice is between one party (the DNS provider) having access to my DNS requests and everyone on the network including my DNS provider having access to my DNS requests, I'll choose "DNS provider having exclusive access" every single time.
Hold up. You are claiming that the fact that DoH prevents DNS requests from being visible in cleartext network traffic is a bad thing?
It is when its my network. If they cared about people sniffing they would use DNSSEC, but still use the network DNS server. DNS over HTTPS is just a way for shady companies to hide what they're doing.
I believe that Google pushed DoH to track your cross-site browsing. TLS hides your URL, and blockers can break adsense tracking and/or any other call-home backlinks.
Using DoH, especially one served by an advert company is just signing up to be their open book.
Chrome didn't change the resolver, though. It just enables DoH if it's on a whitelist of known DoH-capable resolvers. It doesn't send your data to Google unless you already used Google's DNS.
My company makes IoT systems to support low power devices that use mobile (NB-IoT and LTE-M) connectivity and we have some similar problems having to do with mobile networks and APNs.
The way we solve this is that we assume any knowledge the device has about the outside world can become obsolete, so we do we have a two layer approach.
The bottom layer is that we have a set of semi hard-coded fallback values that are likely to work in the forseeable future. Updating these fallbacks requires an over the air firmware upgrade which isn't a terribly big deal since we regularly upgrade firmware over the air. The goal of these values is to make sure we can get the device online and direct it to somewhere where we can trigger firmware updates.
The second layer is that one or more times per day we ping a config server that sends a packet with configuration data to the unit. This is typically API endpoints etc. The configuration data is essentially a prioritized list of resources, so if one won't respond it will go to the next on the list (while still trying to determine if a higher priority resource becomes available).
Last week we got a chance to see how this failed over beautifully as multiple resources were removed and a fleet of devices just adapted as they should. (The shutdown of these resources were planned, but presented a good opportunity to do a fire drill).
Currently we’re using both Google and Cloudflare’s DNS, providing resiliency against one or the other being unavailable, but I’m looking at potentially using our own resolvers just to reduce the amount of data being exposed to third parties.
So the company you work for will be fighting for my privacy? I'd rather have a PiHole doing that.
These devices do usually have an UI. Why not provide some options to the user? Let him choose among different types and providers. I'd set mine to use the one provided by DHCP or enter the address of my resolver manually.
Have you ever had to do technical support for someone who changed settings they didn't understand? Or maybe someone who decided to "clean up" a bunch of system files that they thought were wasting space?
In my experience, product design is generally done with a well-meaning attempt to protect the average user from themselves. People who can and do manage their own networks in sophisticated ways are, unfortunately, far less common than people who have no idea that their ISP fscks with DNS lookups.
Personally, I'd bury this setting pretty deep in an advanced-usage-only tab and behind a notice SCREAMING about how using these settings is unsupported. And then tell support staff that they are not obligated to support whatever crazy configurations people cook up for their home networks.
I understand not doing it at all. A few people will complain, but the number of people who will refuse to buy a TV because it doesn't play nice with their pihole is almost certainly too small to register on any material financial statement, and attempting to please them will generally run into some other point they are unwilling to budge on. The number of people who screw up an advanced setting they don't understand will show up in support costs.
At this point it is really tough to find devices that don't leak data like a sieve.
I recently bought a car, and could not find one without a cellular modem and microphones. Removing the modem voids the warranty. The period where you can opt out is mostly over.
The Magnuson–Moss Warranty Act of 1975 ensures that’s not the case in the US. I suspect something similar is true in EU.
For the manufacturer to avoid a warranty claim due to a modification or aftermarket part, they must show that the defect was linked to the part or modification.
They might have to show that it was caused by, but in any case, if your paint fails prematurely, they can’t say your warranty is void because you disabled the cell connection.
To get 5 stars by EuroNCAP (and AFAIK EU law demands it too) the car have to call 911/112 automatically if it detect a crash. I doubt you can remove telemetry without also disabling this. If you do the car is illegal.
Interesting point. I wonder if an insurance company can argue the modification made the car lose the safety certification, and in effect the user made the car more dangerous by removing the SIM card, and that it would not pay out for injuries sustained in a crash.
Because it is probably part of the vehicle type approval, it would be a modification that needs to be authorized by whatever institution does that in your country.
Otherwise it is probably mostly equal to driving without registration. It may not be a felony, but it will be fined.
Given what I see driving around on US roads, there is epsilon-squared chance this would be found let alone fined here. (I’m also not nearly convinced that it’s even illegal in my state and likely not so in any of them, especially given that my car had a dealer service to remove the SIM card as a recall item.)
It definitely wouldn't be illegal to remove a vehicle's cell modem from your own car in the US. The US is very friendly to vehicle modifications compared to much of the world. At a federal level, pretty much the only thing you cannot do to your own vehicle is remove emission equipment. The US does not even have universal requirements for insurance or safety inspections. And even in the states that do have safety inspections, there are typically very few pieces of safety equipment that are required.
Theoretically illegal perhaps but I'd be very very surprised if this ever actually gets picked up by anyone even on an annual roadworthiness inspection. Maybe during some OEM servicing but then again maybe not.
It's not just shitty devices. By putting it on the HTTP layer which usually is even available to sandboxed applications they made it possible for every single application to bypass your own resolver. Pretty much a trojan horse.
I've hated DoH from the beginning, and not just because shoehorning everything into http is a silly idea, but as I suspected, we now live in a reality where you have to keep an adblock-esque list of DoH servers. Now you have yet another internet arms race.
DNS based blocking was already trivially bypassable before DoH was ever conceived so I don't see how DoH or its use by browsers is at fault for that problem.
As mentioned in TFA, configuring a firewall to redirect DNS traffic from broken or malicious software is also trivial. Or are you talking about hardcoding IP addresses?
There are plenty of other alternatives. The simplest (but least flexible) would be hardcoding an IP of the final server.
Somewhat more sophisticated would be hardcoding an IP to a server with a REST endpoint that returns the real final IP. (Basically just like what DoH does, but without calling it DoH).
Even more sophisticated would be hiding the final IP on some kind of public web service like Twitter or Github.
Note that malware of various sorts has done all of this for years. It used to be reasonably common to get command/control server info via IRC, basically DNS over IRC. DNS blocking has never been an effective network management strategy, and it never will be.
Should be done by your host/gateway/router, not each client app.. Same goes for SSL SNI filtering if that ever gets accepted... router should know where requests are going...
I am very suspicious of the push for https and the like. I feel it is mainly about hiding the payload from me not any third party.