Internet Group Brands Mozilla 'Internet Villain' For Supporting DNS Privacy Feature (techcrunch.com)
An industry group of internet service providers has branded Firefox browser maker Mozilla an "internet villain" for supporting a DNS security standard. From a report: Internet Services Providers' Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to "bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K." Mozilla said late last year it was planning to test DNS-over-HTTPS to a small number of users.
Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead. DNS-over-HTTPS also improves performance, making DNS queries -- and the overall browsing experience -- faster. But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.
Clearly Firefox is a villain!!! (Score:4, Insightful)
Worse than Google!
Worse than Microsoft!!!
Worse than Oracle!!!!!
Worse than Oracle's Salesmen!!!!!!!!!
Oh Noes!!!!
Re:Clearly Firefox is a villain!!! (Score:5, Interesting)
Worse than the Internet Services Providers' Association (ISPA), too.
Re:Clearly Firefox is a villain!!! (Score:4, Insightful)
Why do people resort to using hyperbole labeling for anyone they disagree with? If someone simply doesn't like something, that doesn't make it a "phobia".
Are vegetarians labeled as "carniphobes"? Is it some sort of phobia if you didn't care for a particular movie?
This guy simply voted with his wallet. He wasn't going around beating up people he thought were homosexuals or torching houses.
I disagree with his stance on this subject, but to use dishonest terminology simply dilutes the term and makes you look desperate.
Re: (Score:2, Insightful)
> Why do people resort to using hyperbole labeling for anyone they disagree with?
That's classic SJW (Stupid Juvenile Whiner) tactics Rule #4. When they have nothing of substance they resort to childish name calling.
The rules for reference are:
1. Turn brain off (Stupid)
2. Have a tantrum (Juvenile)
3. Complain about bullshit issues no one gives a fuck about (Whine)
4. Ad hominem fallacy -- scream insults at everyone who disagrees (Bully)
5. Never take responsibility -- blame others
6. Always lie
7. Double down
Re: (Score:2, Informative)
As if the right is any better? Don't try to make this into a chance to bash your political enemies.
Re: (Score:2)
Yeah, the right has shitty names for leftists, but as a conservative I refuse to use them. Maybe we could all do the same, which is what the GP suggested too.
Typical authoritarian government (Score:5, Insightful)
Anyone standing in the way of their control will be slandered and painted as a villain.
Re:Typical authoritarian government (Score:4, Interesting)
The ISPA isn't the government. And most of its members were very reluctant to have the burden of implementing the government's blocking scheme thrust on them in the first place. That's probably what's actually bothering them here too; if the blocking scheme gets broken, the government will expect the ISPs to fix it or find an alternative solution, at their own expense.
Re:Typical authoritarian government (Score:5, Insightful)
Only way to solve that "problem" for the government would be to block all traffic that's not clear text and suffer the consequences.
So we will then see "The Great Wall of Great Britain". It seems like the government there really uses 1984 and "Brave New World" and maybe also "Equilibrium" as manuals. But I suspect that their vision is the official world of "Demolition Man".
Re: (Score:3)
These blocking schemes have been implemented in the name of preventing child grooming or terrorist recruitment or revenge porn or whatever the root password to the Internet was at the time. There is nothing an ISP can do if a government passes an actual law that says all ISPs must do something. The problem here is making bad law, not ISPs who, like any other business, must then obey it.
Re: (Score:3)
If I might differ, ISPs are not mere bystanders in the FCC regulatory process nor in Congressional lawmaking. They are deeply involved in the lobbying and the expert reporting to both bodies. The repeal of net neutrality is exactly the sort of "bad law" some ISPs have sought hard to create, in this case by repealing an effective and citizen-serving law.
Re: (Score:3)
In their possible defence, given the way UK and EU laws tend to be written, it may well be the case that the ISPs will be liable in some way for failing to implement various monitoring or blocking schemes, even if it will become technically difficult or impossible for them to comply if DNS-over-HTTPS is used. Based on their track record, the legislatures behind these laws really are that clueless when it comes to both understanding the relevant technologies and pointing the finger at targets like ISPs or so
Re: Typical authoritarian government (Score:4, Informative)
Pretty sure the lawyers I've spoken to who are specialists on this subject in the UK have said that if the ISP follows the order and blocks DNS on their resolvers, then the fact their customer might be using a VPN or DoH or similar privacy technology is *not* the ISP's fault.
Re: (Score:2)
They can block at the protocol level, if the packets are routed over their network.
Re: (Score:2)
Well, people in the UK/EU won't be...
Good for Mozilla (Score:5, Insightful)
Censorship is not a "safety standard".
Encryption not automatically good (Score:3)
Not necessarily good for Mozilla. There are many times that "security" features are used against the owners also. With everything encrypted and devices that use certificates that not even the owner of the device has access to and the rise of internet of things and/or phone home routines built into literally EVERYTHING now. Owners cannot even verify or block what their devices are sending about them. Depending on how this is implemented, it could be the same way. If Mozilla is hard coding the DNS resolution
Re: (Score:2)
I don't disagree. In this case we are assuming that Google or Cloudflare's DNS is more trustworthy than your ISP, which may not always be the case.
Still, it is a useful step. Hopefully DoH will become ubiquitous and then you can choose your DNS provider accordingly.
Re: (Score:3)
This was the point of "Trusted Computing", formerly known as "Palladium". It was architected by Brian LaMacchia at Microsoft, who failed to acknowledge the risk of leaving the private keys, and the signature authority keys, in Microsoft's hands with no judicial process or oversight in handing them over to private or governmental parties. The private keys are held in escrow by Microsoft, with nearly no recourse for hosting the private keys outside of Microsoft access.
One of its key points is that Microsoft c
Re:Good for Mozilla (Score:5, Insightful)
Every time I see an article discussing government-mandated internet filtering options I see people shouting "censorship!"
I fail to see how the government telling ISPs that if they're going to provide access to the internet, they need to also provide the means for parents to better protect their kids from unwanted exposure to unsavory elements on the internet constitutes censorship.
Personally, I think it's at best extremely negligent and at worst morally wrong for ISPs to not provide an opt-in filtering option ("option" being the key word). I think it's sad that the government has to impose a mandate to get this to happen.
In my opinion, it should be dead-simple for parents to limit access to, in particular, pornography -- in particular, the kinds of extreme pornography that are readily available on the internet -- and all [aifs.gov.au] of the negative [acpeds.org] impacts [psychologytoday.com] that can have, particularly on a young mind.
If you want to look at it, by all means leave the filtering switch off.
1) Many ISPs do provide this option without any need of a government mandate. If there is a market, they will be happy to sell you a solution.
2) Whether this is done either locally by you, or by your ISP, smart kids will find a way around it. Technology is not a substitute for better parenting.
3) "We must do it for the children" is really lame.
Re: (Score:3)
3) "We must do it for the children" is really lame.
3) "We must do it for the children" is really dangerous.
Re: (Score:3)
2) Whether this is done either locally by you, or by your ISP, smart kids will find a way around it. Technology is not a substitute for better parenting.
I hate this meme. The reality is that technology is a *tool* to be used by better parenting. As are many things spread throughout society such as rules that prevent your child from leaving school mid class to go to a 7-eleven to get some beer.
Or do you propose hovering over your child 24/7? Of course not. In some cases you observe, in some cases you discuss, and in some cases you restrict.
Re: (Score:2)
2) Whether this is done either locally by you, or by your ISP, smart kids will find a way around it. Technology is not a substitute for better parenting.
I hate this meme. The reality is that technology is a *tool* to be used by better parenting. As are many things spread throughout society such as rules that prevent your child from leaving school mid class to go to a 7-eleven to get some beer.
Or do you propose hovering over your child 24/7? Of course not. In some cases you observe, in some cases you discuss, and in some cases you restrict.
Our 7-Elevens don't sell beer. Presumably to protect the children.
Anyway, in no way am I advocating helicopter parents. Simply pointing out my admittedly completely anecdotal evidence that most kids are far more technologically savvy than their parents. Outside of the Slashdot crowd, if you are relying on using technology against your kids, you are going to lose.
Re: (Score:2)
I fail to see how the government telling ISPs that if they're going to provide access to the internet, they need to also provide the means for parents to better protect their kids from unwanted exposure to unsavory elements on the internet constitutes censorship.
It doesn't. The Government are actually telling ISPs to censor content on the internet, and that's censorship.
Helping parents provide access controls is a very separate activity.
If you want to look at it, by all means leave the filtering switch off.
I can't. The Government wont let my ISP offer the ability to disable it. To access sites the Government have decided are unsafe for me I have to resort to further measures - e.g. DNS over HTTPS.
Re: (Score:2)
Unfortunately, I'm not sure that's a very strong argument any more. Even if my kids are responsibly supervised using the Internet at home and school, that doesn't mean their friends won't have smartphones available with less adult supervision. There is a reasonable argument for ISP-level blocking services that can be enabled for kids' connections to try to reduce this problem, but any such service has to be carefully considered so the costs and any unintended consequences don't outweigh the actual benefits.
Re: (Score:2)
There is a reasonable argument for ISP-level blocking services...
Strictly as an opt in extra service. We can't allow the ISP to determine what we can and can't see and hear. It's none of their business. We should be demanding the dumb pipe.
Re: (Score:2)
My sister raised her kids with their sole computer being in the living room.
That’s exactly what we did as well.
Re: (Score:2)
My sister raised her kids with their sole computer being in the living room.
Congratulations on your sister raising her kids in the early 90s. On a related note, anyone know where I can get a good time machine?
Re: (Score:2, Insightful)
sorry comrade, not willing to give up liberty for the pursuit of 'infinite' safety.
Re: (Score:3)
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
- Benjamin Franklin
Re:Good for Mozilla (Score:5, Funny)
"Right up until terrorists use this to avoid detection"
You do recognize the irony of posting this as an Anonymous Coward?
Re:Good for Mozilla (Score:5, Insightful)
It requires eternal vigilance.
It always did. The IRA was using political violence long before 9/11 happened, so some of us grew up in the UK at a time when bomb threats or, sometimes, actual bombs going off was a fact of life. And of course we've had more recent attacks as well. I live near London, and on 7/7, everyone around here knew someone who might have been caught up in the bombings and sadly some of us later found they had been.
But you don't protect freedom by surrendering it. Anyone tech savvy enough to avoid detection using this system understands DNS well enough to avoid detection in other ways as well. Fortunately, it turns out that most of the bad people aren't very good at using state-of-the-art technology to cover their tracks anyway. The problem often seems to be that the security services already had evidence to suggest that someone really was up to no good but either didn't realise it or didn't have the resources to act on it effectively and so that person slipped through the cracks and was able to commit a crime anyway. But instead of addressing those issues, we just see a seemingly endless stream of authoritarian measures that have all kinds of unwelcome and chilling effects on normal, everyday life for honest, innocent people, with dubious effectiveness at preventing what they claim to defend against.
Comment removed (Score:5, Insightful)
Re: (Score:3)
EDNS and SNI are better options than DNS over HTTPS, but the question at the end of the day will be how will these authoritarian governments respond. Besides the UK, you've also got AUS and NZ blocking websites based on their own morality policing, or because someone in a government position told or suggested it to them. Canada might be next on the list if Trudeau Jr wins again, since he wants to be able to block websites and restrict social media. The draft itself is as flawed and a charter violation, a
Re: (Score:2)
He has a hope, but it looks slimmer by the day. SNC-Lavalin did some serious damage, but his government has already been caught using Elections Canada to pay left-wing influencers [globalnews.ca] to influence the left-wing youth vote. For non-Canadians, it would be like your independent federal election body that exists only to ensure that elections are conducted fairly and legally, paying only one group of politically aligned people to show up and vote. And he just got nailed again engaging in patronage, giving high pow [globalnews.ca]
Re: (Score:3)
Justin's interference in SNC-Lavalin is serious, but not nearly as serious as Trump flat out lying on the campaign trail about whether he was still manipulating the pool table behind the scenes with sugar-plum visions of Trump Tower Moscow.
A sense of proportion is useful, here.
Lavalin employs a lot of people. Responsible politicians from any side of the aisle are going to sweat over those jobs.
Re: (Score:2)
Though it's already been commonly used to also block IP addresses, that is they block the resolution of the name and/or the IP addresses that resolve from the name.
However, you've always been able to get around it very easily using all manner of proxies. It's been inevitable that eventually the government would have to block encryption, proxies,
Re: (Score:3)
The cynic in me thinks this is what these law makers want. Some might be dumb enough to think it's possible to construct a filter that isn't easily thwarted by instructions you pass to your buddy on a pub napkin but many are not that dumb.
They know ultimately that blocking content is a hopeless mission; you can't enumerate all the bad out there.
What they *want* is to force providers to flip the script and only allow people to access a whitelist of curated content that does not start anyone thinking about anything t
Re: (Score:2)
Until you find out some SJW that works at your ISP is compiling lists of everybody that visits certain sites they deem unacceptable to their cause and puts you on their 'list'.
Or, that the ISP is outright selling, in bulk, to some 3rd party all this information. Their right to do so is buried somewhere in their 50 page privacy notice that changes 2-3 times per year.
What about the IETF (Score:5, Insightful)
Are the IETF also internet villains, for DNSSEC? I suppose that isn't encrypted so you can still 'block' it but you can't redirect to your nanny/nag server if it's enabled (well, unless the client does not know the zone should be signed).
Uk fails at censorship (Score:5, Insightful)
Re: (Score:2)
Pretty much everyone fails at censorship.
Re: (Score:3)
>"This is one of the times Mozilla has done something right."
No, it is actually one of the MANY times Mozilla has done something right. Of course, no organization is perfect, Mozilla included.
Are we surprised though (Score:5, Insightful)
I mean the status of discourse these days is basically name calling.
The FSF calls Chrome, "malware". I happen to think that is a fair characterization but I don't know its really 'helpful' to apply such a label. Isn't it enough just to have a page detail their philosophical issues with Chrome?
Same here; lots of reasons to dislike Mozilla's proposal, some even legitimate; but calling a browser maker a villain?
Re: (Score:2)
Huh? You want arguments? Details? Nuances? Ain't nobody got time for that. If you can't make it a buzzword then you've lost pretty much most of the world as an audience.
Re: (Score:2)
lots of reasons to dislike Mozilla's proposal some even legitimate
Such as?
I'm trying hard to think of a single legitimate reason to dislike it, and so far I've got nothing. Given the nature of the internet today, all communication needs to be encrypted. Anything that isn't encrypted is a huge security hole. And DNS is one of the most important. If DNS isn't secure, nothing on the web is secure. When you type "google.com" into your browser, you could easily get sent to a malicious page because someone has pulled a MITM attack and edited the response.
Re: (Score:2)
1) Instead of trusting your ISP, personal, or organizational DNS, you are now trusting Mozilla. That isn't really their decision to make; it's not clear this will be obvious that it's on or easily turned off, by typical users.
2) Rather than respecting your personal or organization DNS choices which might already implement behavior YOU want like certain types of filtering, you are giving control to Mozilla.
3) HTTPS for DNS requests will be a lot more network overhead.
4) Split horizon DNS and geographicall
Re: (Score:2)
I know (a lot of) what Chrome does or tries to do if you don't put preventative measures in place. As I said, I agree with the FSF's objections to Chrome. I also think calling the most popular browser in the market place malware, the same label we assign things like cryptolocker - it makes them sound to some people like cranks and that might cause them to ignore the rest of the fairly well considered arguments.
Re: (Score:3)
Malware would likely install without your permission before it acted maliciously or destructively. It would probably be better characterized as ad-ware since it's neither destructive nor malicious but it does a lot of data collection for the purpose of advertising. Basically a marketing and advertising company is giving you a free service so they can advertise to you.
Better performance? (Score:5, Interesting)
" DNS-over-HTTPS also improves performance"
So wrapping a DNS request up in an HTTP request then encrypting it and doing the reverse at the other end is actually faster than sending a few unencrypted UDP packets? Pull the other one.
If they're going to justify this fairly pointless re-invention of the wheel they should at least make the technical reasons plausible.
Re:Better performance? (Score:5, Interesting)
I suspect it improves performance in some instances. Consider how most places are configured. Odds are good there is some local NAT box. It probably also runs a local NS server. It's like some slow-ass ARM box from five years ago. So you send a few UDP packets to it, the local name server decides if it's got cached content it ought to serve and if not goes after its forwarders, waits for the response and then relays it.
It IS probably faster to push a little more IP through the highly optimized NAT pathway.
Now if the client has been configured to go after 8.8.8.8 or 1.1.1.1 or the like; I'll bet the response time of that vs DNS/HTTPS is a blowout and traditional DNS will be a full order of magnitude faster.
How the performance is in larger organizations with real DNS infrastructure probably varies widely.
Re: (Score:2)
" DNS-over-HTTPS also improves performance"
So wrapping a DNS request up in an HTTP request then encrypting it and doing the reverse at the other end is actually faster than sending a few unencrypted UDP packets? Pull the other one.
If they're going to justify this fairly pointless re-invention of the wheel they should at least make the technical reasons plausible.
I guess it basically comes down to that vs how much of a performance hit blocklists add.
Re: (Score:2)
Once the secure connection is established, it can send and receive more than one request per packet.
You need to check the whole transmission path (Score:2)
And the other would be DNS request => HTTP => HTTPS => filtering tool knows nothing so forwards it ad hoc => root server => decryption on root server.
Without knowing how quick the filtering tools are in UK ISPs you can't tell that this is "reinventing the wheel" or slower. For all we know the ISP uses 100 ms on a shittily programmed lookup to check if the URL is porn.
Re: (Score:2)
If they're going to justify this fairly pointless re-invention of the wheel they should at least make the technical reasons plausible.
It's worth thinking beyond "it's encrypted so must be slower". The reality is there are many reasons why it could be faster for example:
- Recursive lookups from your router to your ISP to the root server. vs simply going directly to Google who have a complete copy of the database.
- Handing the tasks to an OS to perform the lookup where it will likely try several other options including things like multicasting before going out to do a DNS lookup (ever wonder why digging a server directly is faster than lett
Re: (Score:2)
So wrapping a DNS request up in an HTTP request then encrypting it and doing the reverse at the other end is actually faster than sending a few unencrypted UDP packets? Pull the other one.
It depends on usage patterns. If you only need exactly one DNS request, and you do the full handshake, transfer of info, then disconnect, that would be slower due to the overhead. But Firefox is a web browser, and web pages have a different usage pattern.
HTTPS connections can persist and they allow for out-of-order pipelining so you can get the data as soon as available rather than waiting for prior requests. If you use the Internet in more typical web browsing patterns (make a burst of DNS requests every
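As an added example that is not from any commenter, from Mozilla, or from any resolver's code: the Python below builds the wire-format DNS query a DoH client carries inside its HTTPS request, encodes it the way RFC 8484's GET form requires (unpadded base64url in the `dns` parameter, transaction ID 0 so identical queries are cache-friendly), and parses a constructed response. It refuses any reply whose question section does not echo what was asked, which is the kind of client-side sanity check the earlier comment about a MITM-edited response points at; it complements the transport encryption rather than replacing it. The resolver URL `https://doh.example/dns-query`, the `192.0.2.1` answer and the response bytes are constructed placeholders.

```python
import base64
import struct

A_RECORD = 1   # RR type A
IN_CLASS = 1   # class IN


def encode_name(name):
    """Encode "example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=A_RECORD, qid=0):
    """RFC 1035 query; DoH clients use ID 0 (RFC 8484 section 4.1)."""
    # Header: ID, flags with RD=1, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: base64url without '=' padding in the dns parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"


def query_from_dns_param(param):
    """Server side: restore the padding the client stripped before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def build_response(query, ip, ttl):
    """Constructed sample response: echo the question, add one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return header + question + answer


def decode_name(msg, off):
    """Decode a name at offset off, following compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_response(msg, query):
    """Validate a response against the query it answers; return (name, ttl, ip) A records."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    # The question must echo what we asked; otherwise discard the reply.
    if msg[12:off] != query[12:]:
        raise ValueError("question section does not match our query")
    records = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))   # placeholder resolver
    print(parse_response(build_response(q, "192.0.2.1", 300), q))
```

In a real client the URL would be fetched over a persistent HTTPS (typically HTTP/2) connection with `Accept: application/dns-message`, which is where the reuse and multiplexing described above come from; the parsing and the question-echo check are the same whichever transport carried the bytes.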
Re: (Score:2)
Except whatever external server it ends up at has to do that anyway. So it might be faster out of your door, but overall? Don't think so.
ISP Privacy Invasion (Score:5, Insightful)
Re: (Score:2)
Plenty of us who run ISPs have quite the opposite desire. If we're able to gather the data, we're easily served a "technical capability notice" to send that data off somewhere else. If we don't gather the data already then the cost of that is passed back to the body asking us to build that capability.
Re: (Score:2)
Some privacy-minded ISPs have done exactly this — made open DoH resolvers: http://faelix.link/pdns [faelix.link]
(disclosure: I'm root at the linked ISP)
They woulda gotten away with it too if it weren't (Score:2)
Re: (Score:2)
That your dad wouldn't let you post stupid shit on the internet.
Who's the villain here? (Score:3, Insightful)
War is Peace; Freedom is Slavery; Ignorance is Strength.
They're both villains (Score:3, Interesting)
DNS-over-HTTPS does suck, but not because it annoys the UK nanny state.
First, DoH is a stupid layering violation: the sensible way to encrypt DNS traffic is to use [D]TLS directly. But when you're a web developer, HTTP is your hammer and everything looks like a nail.
Second, the current implementation of DoH protects your privacy by routing all your DNS queries through giant semi-monopolies like Cloudflare. I can only assume that Mozilla is being paid for selling out their users like that, or maybe Mozilla developers are so corrupted by the Silicon Valley culture that it seems completely normal to them. Either way, their definition of privacy is completely disconnected from reality.
Re: (Score:3)
Mozilla lets you choose which DoH resolver you use. For that reason I set one up at the ISP I run: http://faelix.link/pdns [faelix.link]
Mozilla is soliciting other trusted recursive resolver partners than Cloudflare, and I'm fully intending to speak to them about that.
Not compatible (Score:2)
But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.
Routing around damage...
Who is the villain here?!? (Score:3)
The internet group is seriously confused here. Who is the villain here?
1) Mozilla who is adding a feature to protect privacy, which just like any other encryption can be used for good and bad.
2) The UK government doing censorship?
And by that logic, isn't plain old HTTPS also evil? Plenty of porn can slip through HTTPS under the nose of the UK nanny state. Or is it ok because it is already established?
Censorship by a long boring name (Score:2)
"But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime".
"Website blocking regime"... does that simply mean "censorship"?
Re: (Score:3)
The UK has two current reasons for blocking websites nationally, and one proposed:
1. The secret list of child abuse. Produced by the IWF, and distributed to ISPs. A few people grumble about the severe lack of accountability involved - because of the nature of the material, the block list is obviously secret, to the point that some ISPs will produce fake 404 errors to make it difficult to spot that censorship is taking place at all - and there is no means of appeal. Few people of any importance dare to say t
They're fucked (Score:2)
"But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime."
Like a VPN?
Well, you people had one of the stupidest Internet blocking mechanisms on this planet and now it doesn't work anymore.
You're fucked.
I think I know what's going on here. (Score:2)
The situation, presented in form of a conversation:
Government: "ISPs! I think most of the country can agree we need to block child abuse imagery, and the most blatant copyright infringement, and a couple more things. We'll force you if we have to, but we're in a deregulatory mood right now, so how about you just do it 'voluntarily' and we won't have to break out the regulatory stick?"
ISPs: "An offer we can't refuse kind of deal? Yeah, we can do that. Simple DNS block. Can you give us a list of sites to bloc
Sounds like not my problem (Score:2)
How is this firefox's problem?
It's not their job to help the UK ban porn or whatever.
If they want to control their citizens they should go full china and put the entire country behind a giant firewall that blocks all non sanctioned traffic.
ISP industry association you say? (Score:2)
The villains of the villains are the good guys.
If you want to vilify, then don't praise! (Score:2)
That's because it isn't compatible. I'm not a fan of DNS-over-HTTPS, but even I have to admit that the UK's attack on its citizens' DNS is a great example of what DNS-over-HTTPS might be able to fix, for users who won't run their own DNS.
I'd think that if you want to criticize DNS-over-HTTPS, the UK's approach to censorship is something you should never bring up, and if someone else does, you should chang
Is it possible this is a Straw Man? (Score:2)
When I read this, first thing I thought was maybe ISPs in the UK do a lot of content caching to save bandwidth costs - in which case Firefox would be doing an end-around, to use an idiom from American football. But that’s not an argument which is going to resonate with anybody, except other ISPs... so they came up with the one we’re discussing.
Dumb question (Score:2)
How big are the DNS tables anyway? Is there some reason, esp. for just web browsing, that Mozilla couldn't just keep a local DNS lookup table it pulls updates from? I mean, are we talking about a hundred meg or 5 gigs or what?
Re: (Score:3)
You're basically describing a local DNS cache. But it can't be pre-distributed because DNS is decentralized. There's no one location for all DNS data from which you could pull these tables. A name resolution process may need to involve several DNS servers, all managed by different entities, in order to determine the final result. This is a good thing, and has allowed DNS to scale.
Re: (Score:2)
I assume when someone uses Verizon's or Google's or Cloudflare's DNS, that those are centralized repositories of DNS cached lookups that are kept up-to-date. Why couldn't those just have up-to-date mirrors kept locally? Is it size?
It seems like all the DNS information for everything in the world could be under maybe a few hundred MB, and therefore every computer could trivially have a local cache.
Re: (Score:2)
No, there literally is no centralized location that has, or can have, all of the DNS information. By design, anybody can add a DNS server to the internet at any time, and they own 100% of the data served by that server. That means that they can change the content at any time, on whatever schedule or frequency they choose. Content served by that server is completely unknown to any other DNS server or client resolver until it is explicitly requested. Once the resolver (e.g. Cloudflare or Google) knows about
Re: (Score:2)
Yeah, I get that someone who owns randomdomain.com can add more subdomain records. But once Cloudflare or Google finds out about it, they'll query them regularly. And Cloudflare/Google have a cache that is 99.999% accurate at any given time. My question is, how large is that cache? Because you're talking about "I want to make sure that I have 100% information" and I'm talking about "This seems like it would prevent people from sniffing on DNS 99.999% of the time, and speed things up, just with a local c
Re: (Score:3)
Keep in mind that DNS was invented specifically to solve the problems with the solution you're proposing. Prior to the invention of DNS, name->IP mapping info was distributed exactly as you describe. That stopped being feasible in the mid 1980s, and it's certainly no more feasible now than it was then.
Further, data isn't "immediately out of date." TTL on DNS changes is canonically 24 hours.
The TTL on "google.com" is 300 seconds. Slashdot.org is 900 seconds. Amazon.com is 60 seconds.
Beyond that, you're ignoring the fact the DNS can, and regularly does, return different results to users in dif
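An added illustration, not from any of the commenters, of the two points made in this sub-thread: that a lookup walks several independently operated servers (so no single party holds the whole dataset), and that cached data is only as fresh as the record's TTL. The Python below is a toy iterative resolver over three constructed authoritative "servers" (a root, a com TLD server and example.com's own nameserver; the server names and the RFC 5737 addresses are hypothetical) plus a resolver-side cache that honours TTLs. It shows a lookup consulting all three parties in turn, being served from cache within the TTL, and a change made at the authoritative server staying invisible to the cache until the old entry expires.

```python
import time

# Constructed toy zone data. Each "server" is authoritative for one zone only:
# it knows its own records and where to delegate child zones, nothing else.
ROOT_ZONE = {"com.": [("NS", "ns.com-tld.example.", 172800)]}
COM_ZONE = {"example.com.": [("NS", "ns1.example.com.", 86400)]}
EXAMPLE_COM_ZONE = {
    "example.com.": [("NS", "ns1.example.com.", 86400)],
    "www.example.com.": [("A", "192.0.2.10", 300)],
}
SERVERS = {
    "root.": ROOT_ZONE,
    "ns.com-tld.example.": COM_ZONE,
    "ns1.example.com.": EXAMPLE_COM_ZONE,
}


def iterate(name, server="root."):
    """Resolve name by walking delegations from the root.

    Returns (A records, servers consulted in order). Each hop is a separate
    party that learns of the query only when it is asked.
    """
    consulted = []
    while True:
        consulted.append(server)
        zone = SERVERS[server]
        answers = [r for r in zone.get(name, []) if r[0] == "A"]
        if answers:
            return answers, consulted
        # No answer here: find the closest enclosing zone this server delegates.
        labels = name.split(".")
        delegation = None
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            ns = [r for r in zone.get(suffix, []) if r[0] == "NS"]
            if ns:
                delegation = ns[0]
                break
        if delegation is None or delegation[1] == server:
            # This server is authoritative for the name and has no record.
            raise LookupError(f"{name}: no record at {server}")
        server = delegation[1]


class TtlCache:
    """A resolver-side cache that keeps an answer only for its TTL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so tests can advance time
        self.entries = {}       # name -> (records, expiry)

    def resolve(self, name):
        now = self.clock()
        cached = self.entries.get(name)
        if cached and cached[1] > now:
            return cached[0], []            # served from cache, nobody consulted
        records, consulted = iterate(name)
        ttl = min(r[2] for r in records)
        self.entries[name] = (records, now + ttl)
        return records, consulted


def set_a_record(zone, name, ip, ttl):
    """Owner-side change: only the authoritative server sees it immediately."""
    zone[name] = [("A", ip, ttl)]


if __name__ == "__main__":
    cache = TtlCache()
    print(cache.resolve("www.example.com."))   # three hops the first time
    print(cache.resolve("www.example.com."))   # cache hit, no hops
```

The low TTLs quoted for google.com or amazon.com are the owners' way of bounding exactly this staleness: a pre-distributed table would have to be re-fetched at the shortest TTL of anything in it to be correct, which is the recursive resolver's job already.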
Re: (Score:3)
It seems like all the DNS information for everything in the world could be under maybe a few hundred MB, and therefore every computer could trivially have a local cache.
(Splitting my reply across posts because slashdot's lameness filter is being rather lame)
As to how big the complete DNS dataset would be, I suspect you're underestimating by an order or two of magnitude, but again, because there is no centralized location for DNS information, it's literally impossible to know. But consider:
Per https://www.verisign.com/en_US... [verisign.com], there are 142,573,540 ".com" domains as of today (July 5 2019). We don't have statistics on the sizes of the individual names, but for the sake of a
"villain" (Score:2)
If I was Mozilla, I'd make a big poster celebrating the receipt of this award and display it proudly.
There’s a better solution (Score:2)
Re:Not compatible with UK blocking? (Score:5, Informative)
"and you know how the UK electorate will take to that once it gets out of the bag you've done it"
Ahhahahahahaaa, oh I do love a good laugh in the afternoon.
Most of the UK electorate couldn't even tell you what a browser is: "Cos like I just use dis app on ma phone to catch up on love island init yeah?".
Re: (Score:3)
Nah, that was a load of religious fundamentalists too extreme even for protestant England, not much different to the Taliban tbh. But that's never mentioned when you lot get all misty eyed about your "founding fathers".
Re:The UK shouldn't be on the Internet (Score:5, Insightful)
"Separate networks for UK, China, Russia, Saudi Arabia - and then another one for the free world"
So what will the USA use then? What's that, you think your country is still the land of the free? Oh you are funny :)
Re: The UK shouldn't be on the Internet (Score:2)
What's that, you think your country is still the land of the free?
Wish we were dealing with absolutes ("completely free" would certainly be nice) but as we're dealing with relative freedom, I'd like to ask: are either marijuana or firearms legal where you're at?? I've smelled [relative] freedom and it smells, among other things, remarkably like weed and gunpowder.
Comment removed (Score:4, Insightful)
Re: (Score:2)
Umm, no. Prison population in the US is in the vicinity of 2.3M, which is about 0.7% of the population.
I'm curious - what country do you consider the "most free"? And why?
Re: (Score:2)
IMHO, using encryption is OK but as long as it does NOT interfere w/ government law enforcement!!!
Historically speaking, governments are the entity people most need to be able to keep secrets from.
Re: (Score:2)
So everything you do is legal? That's swell. Will everything you do still be legal? Who knows what they'll outlaw next.
Can you prove that you stopped what you were fond of doing and is illegal now? Because one thing's sure, they'll certainly take a closer look at those that were constantly (insert new illegal thing here).
Re: (Score:2)
2) The way to solve this is to have more resolvers support DoH, not fewer. Then each user gets to choose.
3) Centralization is only a problem if it's hard coded to pick one for the end user. If the end user gets to