As a network guy, the fact that I can transparently redirect DNS on my network to wherever I need to is a nice feature.
As a user of the public internet, it feels like a bug.
As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.
In this case, the "malicious sites" that the government approved DNS providers block almost certainly includes life saving LGBT resources. It will not stop there however, expect anything anti government to be blocked. Democracy does not have a good track record in Malaysia.
Of course there are still ways around this. Use a good VPN like Proton.
This is still for sure going to be copied by authoritarian regimes worldwide.
Malaysia doesn't have a stellar democratic record but it's still a democracy. Also, a stellar democratic Malaysia will still vote for this. Don't confuse Democracy with Liberal values.
Whatever they vote for, if uncensored information is not available, they are not making an informed decision and are likely only hearing one sides arguments.
Most countries have some sort of censorship. RT is banned (broadcasts and streams not allowed, and website blocked) in the UK. Libraries will not stock books with certain points of view reflecting the views of those who fund or run them (AFAIK LGBT stuff in some American schools, gender critical views in some British public libraries). Mein Kampf used to be effectively banned in Germany and has been actually banned in a few places.
Most countries have some sort of censorship.
This is a notable area where the US is an exception, and is significantly more free than other western countries. No need to worry about art or materials being censored here, at least outside of specific contexts like some states banning books from schools.
No it’s not. The US is consistently banning free speech - including are you rightly say banning books in schools.
It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.
The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.
No it’s not. The US is consistently banning free speech - including are you rightly say banning books in schools.
Some states are doing that at a state level in limited contexts. Individuals are still free to post or publish whatever they want.
It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.
No, it's that in the US this kind of freedom is significantly more protected and culturally important.
The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.
I would say the sad thing is anti-US sentiment can be so high that people won't debate something like this in good faith and look at the various cases and histories.
Isn’t it too early to declare anti-US sentiment here?
Challenge one: Could it be that previous commenter touched certain dogma? (One possible definition from Wikipedia: “Dogma, in its broadest sense, is any belief held definitively and without the possibility of reform”)
Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise. (One possible definition from Wikipedia: “Censorship is the suppression of speech, public communication, or other information.”)
(No need to report results or reply / just try the exercise for elasticity of the mind)
BTW. A bit related, hopefully interesting, random fact you did not ask for:
“Freedom” is defined quite differently by people in different countries. While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.
Isn’t it too early to declare anti-US sentiment here?
Maybe, but in my experience it's usually the dominating factor. Anti-US sentiment can be high, and a lot of people from western countries are skeptical that the US can be any more free than their own in any capacity.
Challenge one: Could it be that previous commenter touched certain dogma?
I don't believe so. The comment I replied to was using state schools banning some books as an example, even though I mention that in my comment and explain why it doesn't apply.
You'd have to be clear on what you think the dogma here might be, but whatever it may be I'm confident my position is backed by facts and reason.
Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise.
I never claimed the US has no censorship, just that it has a lot more freedom due to cultural and legal reasons in contexts like we are discussing here.
No need to report results or reply / just try the exercise for elasticity of the mind)
Critical thinking is an important step in reasoning and a great way to keep a mind sharp, for sure.
“Freedom” is defined quite differently by people in different countries. While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.
That is interesting. I would say that latter definition applies in the US as well though. For example, we all expect to be free of crime due to police and such, even if that expectation is not always met.
Holocaust denial or vaccines have microchips or other nonsense is one thing. The two things that are censored so I can't post them (not that I want to) are CSAM and Disney Movies.
CSAM, I would argue is an active harm so that's a little different from speech, although protected IP is a good example. I'd still say it's a little different and not exactly censorship, as it's not exactly 'speech', but certainly IP laws need an overhaul.
My school library didn't have any of the hardy boys. Was it banned?
When was the last time someone in the US was arrested for hate speech?
The US "levels" are quite a bit lower than almost anybody else's "levels".
Only in the narrow sense, where freedom of speech is only about the lack of government censorship. But in the wider sense, where censorship may also be due to business interests or cultural and societal pressure, I haven't seen any real differences between freedom of speech in the US and the European countries I'm familiar with.
What would be some examples of voluntary censorship from large organizations due to business interests or cultural and societal pressure and not due to government censorship?
First thing comming to mind : https://en.m.wikipedia.org/wiki/Cancel_culture
That's a good example, although is that really more prevalent in the US than in other countries? And it's not exactly censorship, it's people being fired as a consequence or de-platformed, but they can still state their opinions somewhere, even if it's on an alt right platform with barely any subscribers.
Consider the content policies for popular social media platforms. Consider the platform unilaterally closing your account, which may be tied to many aspects of your life. Remember the cancel culture people used to talk about a few years ago. Think about the controversy around the Gaza war, with people on both sides being afraid to speak their minds due to potential consequences.
While the government may not arrest you, the consequences of expressing your opinions can still be excessive.
That's true, but I don't think the US is any worse than this than say EU or Anglosphere countries, and indeed I'd still say it would be better than most countries just because of that particular freedom being more culturally significant.
If I read your original comment right, you were agreeing that the US might be ahead as far as government censorship but not as far as the types you list here, is that correct?
That is simply incorrect. Did you see the indictment against several unregistered Russian foreign agents to put them in jail for posting Russian propaganda to YouTube?
He said "the US is [...] significantly more free than other western countries". Do you deny this is true?
Yes.
Change “significantly” to “technically” or at least to “”, and then I will agree with the statement.
I think you are wrong and I'm not from the US.
The US dismantling a company they allege was being used as a weapon by a hostile country is different from the government preventing access to content that whoever is in charge doesn't personally like.
RT is banned (broadcasts and streams not allowed, and website blocked) in the UK.
no VPN, rt.com works just fine in the UK, no issues.
i think they banned the live TV in the EU and UK. and i think they also banned the website in the EU, but apparently it’s not enforced? https://www.rferl.org/amp/russia-rt-sputnik-eu-access-bans-p...
haven’t found anything about rt.com being banned in the UK thou.
Blocked for me! Virgin Media is my ISP. Maybe your ISP is less restrictive/compliant (not sure if the block is actually mandated).
could be. running on hyperoptic with cloudflare doh.
Tgey used copyright to prevent that simeone makes new copies. Old copies were not affected.
I think countries have the right to ban disinformation and lies dedicated to social unrest. If England did ban it, that would probably be the reason, “news” presented as facts and reporting, shouldn’t be outright lies.
Most people want censorship.
Also dont confuse elections with democracy
What could possibly be “life saving”? On the scale of things, it’s a relatively moderate Islamic country so the best you’re going to get is if you’re gay and keep it quiet, no one is really going to bother you.
PreP is near 100% effective at preventing HIV. For sure I could see access to information about PreP or other HIV prevention methods being blocked by an overzealous government.
Ironic that my comment was censored on a thread complaining about censorship.
No one has censored you... are you talking about your comment being flagged? That's from user votes, not HN directly.
“The algorithm decided it. That’s not censorship.”
“The majority decided it. That’s not censorship.”
“The law decided it. That’s not censorship.”
“The users decided it. That’s not censorship.”
“You were just scared your neighbors would kill you, so you didn’t say anything. That’s not censorship.”
I’m having trouble drawing lines.
The comment was made and still stands.
Censorship by the majority is still censorship.
I’m not opposed to all censorship. I’m just opposed to refusing to acknowledge it for what it is.
If you have your comment flagged by a couple of people, and removed, that is censorship. Plain and simple.
So… censorship. Just because you don’t like what someone said does not make what they said wrong. Flagging comments is censorship. Plain and simple. You’re trying to remove opinions you don’t agree with.
I read your comment about maybe "censoring STI prevention information" might reduce the frequency of gay males having sex.
Seems unlikely, not suprising it got flagged to death, however it's there for anyone with ShowDead enabled to read.
I was saying censoring LGBT material, not STI prevention literature, might reduce STI transmission rates.
I was responding to one speculation, with another, to show that the parent speculation — that censorship of LGBT information would lead to more death by denying sexually active people in the LGBT community with information on STI prevention drugs — was over simplifying the factors involved, to present their speculation as a matter of fact.
If my comment — which I disclosed as mere speculation — is to be censored on those grounds, the parent comment should definitely have been.
But after re-reading my comment, I see now that it could be read as me suggesting that censorship of STI prevention information could lead to less male-to-male sexual contact and thereby reduce STI infection rates and with it deaths. That wasn't what I intended to convey. I was referring to censorship of LGBT material in general potentially having that effect.
PreP is not exclusive to LGBT communities (though they are at significantly higher risk than the general population). It’s free at (some) government clinics in Malaysia.
Awareness and acceptance on LGBT matters can have a big impact on suicide rates.
Is that why the average suicide rate is lower in majority Muslim countries? Awareness presumably increases suicide?
I know you were implying the opposite, but how many suicides are you going to prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?
These are generalized rates, of course, but in point of fact, your claim is not substantiated by any real data.
You're unaware of data to support the claim that social acceptance of LGBTQ people (particularly children) lowers their suicide rates? Really? This fact is well established and also makes perfect sense logically speaking.
https://onlinelibrary.wiley.com/doi/abs/10.1002/ajcp.12553
https://www.sciencedirect.com/science/article/pii/S027795362...
https://www.thetrevorproject.org/survey-2022/#support-youth
There's plenty more if you care to just Google it.
The rest of your comment is ridiculous because obviously there is more than one contributing factor to suicide. Including (perhaps) latitude.
I’ve done much more than randomly Google it.
I’ve read about it in depth.
Encouraging people to be LGBT has resulted in massive increases in number of people claiming to be trans, for example. Assuming they have the “best” case scenario of an affirming home, apparently 14% attempt suicide, according to your third link.
Now let me ask you, how many people have we killed by “affirming” these things to the point that it’s actually cool to be trans in most schools?
We’re driving up the denominator on the highest risk category for suicide while pretending that that very thing will reduce suicide.
What are the suicide rates of people who are trans but don't know they can even describe their experience as being trans due to lack of information?
What are the suicide rates of people who aren't trans but claim they are?
I would assume the former sits significantly higher than 14%, and the latter sits significantly lower - close to the baseline.
Why would simply claiming you're trans increase your chances of attempting suicide? When I see takes like this, I can't help but think that it comes from you thinking trans people don't actually exist and are just a modern fabrication, a sort of mass psychogenic illness.
If trans is real the only thing we have to go on is whether people claim they are or not. You deny their claim?
That’s what all of the data on the sites linked above is based on: people who claim they are trans.
Read the accounts of people working in the clinics about groups of girlfriends from the same class coming in and getting treatment, and it is clear there is a mass psychogenic illness that has been caused by the promotion of trans sexuality.
Is that why the average suicide rate is lower in majority Muslim countries? Awareness presumably increases suicide?
Either you think that the majority of the population in Malaysia or the US identify identify as LGBT+ or you're really struggling with basic statistics and reasoning.
prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?
Presumably the idea would be to reduce it to some number lower than 6. Or do you believe the majority of people in the US are killing themselves because of "Awareness and acceptance on LGBT matters"?
As I said, “These are generalized rates, of course”
If the idea is to reduce it below 6 by preventing a few suicides per year (which is not likely), how confident are you that destroying the culture of the nation in the process will not cause the number to rise to 14?
Trans people suicide rate increases if they are left without help.
Quite plausibly, mental health resources. I assume connecting with like minded individuals and communities can go a long way in helping you understand yourself and reconcile your differences with broader society.
democracy as a word means nothing at all. there are democracies in Europe where its fine to jail people for what they write online.
Same in the US too.
That's simply not true.
Well did they not tried to jail Trump for what he wrote online in January after loosing the election?
I believe there is a difference between "ranting about election outcome on reddit as nobody" vs "encourage my supporters to invade the Congress and/or overthrow the government, as the President", because, you know, the latter actually could be illegal, and there are a bunch of laws around it.
Did they? Can you share the text of the indictment instead of asking meaningless low effort questions?
I don't know exactly what you're referring to, I don't know the details of the events.
But is there a possibility there is a distinction between "I can freely share my political opinions about things" versus "I can ask/cheer on people to commit crimes without consequence"?
A government dismantling a corporation being used as a weapon by a hostile country is not the same as a government blocking individuals access to websites they don't approve due to conservative values.
So? Your point is what exactly?
They were charged for money loundering...
What point are you making with this link?
not true yet.
It sounds like you just don't know what it means.
there are democracies in Europe where its fine to jail people for what they write online.
And? You seem to believe that a democracy refers to a bundle of freedoms that you personally believe everyone should have. Democracy means governance by the will of the majority. If the majority want people to be jailed based on their writings or speech, than that's what happens in a democratic country.
Democracy means governance by the will of the majority.
if thats your definition then a lot of countries where the majority tribe is in a form of dictatorial power are also democracies
If the person you're calling a dictator was elected in free elections by the majority, then yes, that's a democracy. Their political party, tribe, whatever you want to call it is irrelevant.
This is still for sure going to be copied by authoritarian regimes worldwide.
I think that ship has sailed. Malaysia certainly isn't the first to pull this.
Surprised VPNs are legal in Malaysia. Usually censorship and blocking VPNs goes together.
It has been falsely claimed that the measure undertaken by MCMC is a draconian measure. We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.
That's how it _always_ starts out, the "its for your own good, trust me" excuse.
Has anyone built the AI web browser yet? The one that redraws any image you might find offensive, rewords advertisements, and rephrases comments to be positive?
That would be cool?
Yes: https://github.com/alganzory/HaramBlur
No. This is more similar to an ad blocker, but focused on helping Muslims respect their religious standards while they browse the web. I’m not a Muslim, but it makes perfect sense to me. Good for them—I see no problem with it.
Yes, let's encourage gender divides and backwards thinking.
Yes, let's encourage gender divides and backwards thinking.
I’m sorry that everyone in the world doesn’t think the way you’d like them to.
I know lots of Muslims, both male and female, and they’re perfectly normal to me. In fact, some of them are some of the most wholesome folks I know: Humble and hardworking humans who build and love their families, and of course, believe in something much greater than themselves. I see nothing “backwards” about that.
just dont seem to produce much art ,innovation and working institutions in any region they are culturally dominant. and when asked why that is digress fast into antisemitism and conspiracy babble.
Mixed feelings.
Somebody installs it for him/her-self. Sure, power to you!
Neibhour in non-muslim state installs it for their children: their right, but feels fishy regarding child right to truth.
[…] their right, but feels fishy regarding child right to truth.
I’m not sure what’s fishy about it. Parents have always controlled what their children should have access to and consume. The entire concept of “parental controls” exists for this reason—we’ve always understood a parent’s rights over their children and none of that was at all controversial until like 5 minutes ago.
This is a digression anyway, so I’ll just stop there…
Issue#92: boycott GitHub for Zionism
Given the repo name, I shouldn't have been surprised
Unfortunately there is a very pertinent context to the concerns raised by that user:
Microsoft has invested in a startup that uses facial recognition to surveil Palestinians throughout the West Bank, in spite of the tech giant’s public pledge to avoid using the technology if it encroaches on democratic freedoms.
AnyVision, which is headquartered in Israel but has offices in the United States, the United Kingdom and Singapore, sells an “advanced tactical surveillance” software system, Better Tomorrow. It lets customers identify individuals and objects in any live camera feed, such as a security camera or a smartphone, and then track targets as they move between different feeds.
They seriously called this app Better Tomorrow. Just wow.
That is 100% what Facebook and Google are doing now with targeted ads and search results.
Most people already only see the web the way Google wants them to see it.
True, but to be fair this isn’t Google being ideological. They’re just responding to customer signals that customers prefer content to be shaped. If there was more CLV in one-size-fits-all search results, Google would do that.
There’s an argument that Google should not cater to our preferences, but I don’t think I buy it.
There was an article here 2 or 3 months ago about the person responsible for making google search so much worse.
So arguably google does not respond to customers anymore. Shareholders? Maybe. But probably those who prefer short term gain, not long term value.
Google's customers are advertisers, not you.
The one that redraws any image you might find offensive, rewords advertisements, and rephrases comments to be positive?
You're kidding but I've already toyed with using AI models to analyze browsers' screenshots and determining if it's likely phishing or not and it works very well.
Very interesting, I'm working on exactly the same problem from a couple different angles, but I'm not having much luck. I have negligible background in AI/ML or computer vision however, so I'm most certainly Holding it Wrong (TM). My general approach has been trying to generate embeddings using smaller models like MobileNet and ResNet (not trained or finetuned or anything) and using similarity metrics like Cosine distance, but there's too many false positives. If you can disclose it, would you be willing to expand on what has worked for you?
[…] I've already toyed with using AI models to analyze browsers' screenshots and determining if it's likely phishing or not and it works very well.
Assuming the AI is comparing screenshots of real versus phishing, it can only figure it out for poorly done phishing websites.
As phishing scams get more sophisticated with scam websites that look exactly like the real ones, the only things that truly matter are protocols (i.e., HTTP versus HTTPS), domains, URL’s, certificates, etc.
This would kill Google if it caught on.
This IS Google.
Startup idea #72831: Build "Nostalgia" browser which uses AI to convert every page to Web 1.0, complete with "Under Construction" banners and CGI visitor counters.
+1, I’d pay for a license.
Hah. It is still early morning so I let my mind run wild for a while. I am not aware of any public facing projects that do that, but in my minds eye I saw polymorphic browser adjusting its code to meet the new AI web that is constantly in flux.
You want privacy? It stamps out any attempts at fingerprinting by attempting to be the most common browser (and config) out there, it spoofs any and all identifying data, it redraws pages without paywalls, without cookie notices and puts all pages in simple text output mode removing all other ads in the process, but keeps pictures for fora that use them.
You want 1984? It won't let you see anything that is not approved by the party.
Onwards, to our glorious future.
edit:
Valuemaxx edition. Store pages with discounts have bruteforced discounts found and added for maximum value.
It already is crazy. I can't even begin to imagine it being more crazy.
This should exist. You could get to such low bandwidth with such a system. Every image could be replaced by a description. Etc.
Well, that sounds horrifying.
I would call it Soma in reference to Brave New World.
In the past I've had fun with extensions that randomize genders and ethnicities.
There have been a bunch of more or less jokey browser extensions over the years replacing some specific words by others.
"Guys, I am just pleased as punch to inform you that there are two thermo-nuclear missiles headed this way... if you don't mind, I'm gonna go ahead and take evasive action." -- Eddie, the Shipboard Computer (Douglas Adams)
"think of the children" is never out of style.
but remember we have this (widespread from 90s to 2010) to this day in the USA, and they don't even bother with excuses. just shove advertising and hijack searches right on your face.
google didn't force httpsdns on your browser for nothing. it was digging in THEIR pockets.
Why does Google benefit from httpsdns?
httpsdns in the chrome browser will by default go to googles dns servers allowing them to collect all the tracking data.
They could've done that without httpsdns too.
yes, but then they would have upset local admins for bypassing the local resolver. that is still an issue with httpdns, but now they have a better argument against using the local resolver as default.
the ideal situation would actually be to implement httpdns on the OS/router level and allow the user/local admin choose the policy. i expect that this is going to happen soon in most linux distributions.
Surely they could just as easily report all DNS queries to Google under the guise of telemetry or search optimization or whatever. And of course let people disable that, which about 0.001% would do.
Httpdns is too complex of a solution to the business goal you’re suggesting. There are much simpler / less expensive ways of doing it.
Not exactly the same thing, as it isn't a law.
Which makes it worse in many ways. The entire tech, business, etc world has adopted the same censorship regime without government orders. So who is giving out the orders?
Shareholders.
This is also coming from a country that’s implemented apartheid
Malaysia has an apartheid policy?
Yes, for anyone not part of the majority Malaysian population, specifically against Indian and Chinese people.
Every power can be used for good or for evil.
No power used by humans exists in a vacuum. In the hands of human beings, most powers are heavily biased towards one extreme in the spectrum. Man doesn't shape the world with the tools of the time - technology shapes the world and the man.
Jacques Ellul and/or Ted Kaczynski might be a starting point on this matter.
Malaysia famously banned the movie Babe because a talking pig might offend religious sensibilities. It’s a safe to say that freedom of expression is not a high priority over there.
It’s for the children! Don’t you love children?
I'm wondering if they thought about DoT, DoH and DNSCrypt.
Or people setting the DNS IP on their routers and phones:
Google 8.8.8.8 8.8.4.4
Control D 76.76.2.0 76.76.10.0
Quad9 9.9.9.9 149.112.112.112
OpenDNS Home 208.67.222.222 208.67.220.220
Cloudflare 1.1.1.1 1.0.0.1
AdGuard DNS 94.140.14.14 94.140.15.15
CleanBrowsing 185.228.168.9 185.228.169.9
Alternate DNS 76.76.19.19 76.223.122.150
I'm in the UK; my ISP hijacks dns requests on port 53 so nope, none of that works. They're not alone doing this https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_... For the most part this is not noticeable; but addresses to a bunch of my _work_ stuff don't resolve on whatever hacky dns replacement they offer, if I'm not on the work vpn.
They also block port 853 (so no DoT), and https to well-known dns servers; so you can't use DoH to google, but others may work.
If you're on a vpn they never see the traffic, you can also bypass them using a pihole with unbound to proxy dns to a DoH server - as long as they haven't blocked it.
Ironically the corporate vpn I use also hijacks dns (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward
what do you mean they hijack the port 53? this is a local setting on your OS. they cant hijack the DNS call if you set it to something else.
They absolutely can and some do. The destination UDP port number of a UDP packet traversing the core network of an ISP can be inspected and acted upon as one pleases.
my point is you can point a call to 53 on a machine on your own network and you isp cant do shit about that
Very well. You have pointed your DNS resolver to a host on your local network for the DNS name resolution.
When a DNS lookup request hits it, where does a UDP packet on 53 goes out to and what happens to it?
Unless it is tunneled over an binary obfuscation layer, and wrapped in a purposely weakened cryptography to booby-trap their parser.
There is also the global satellite uplinks... so its ultimately a pointless game to keep people ignorant, that is unless they plan to follow people around like a hot-air balloon villain from Pokemon Go. lol =3
the isp blocks/redirects the traffic outside my network. so if you just try to send normal udp/tcp port 53 externally, it won't get there. This is why I mention a pihole; by setting my dns server to something on my local network and then having that use DoH I can get past the block. I can't configure every device to use eg DoT or DoH directly, but I usually can configure their port 53 nameserver, directly or via DHCP
the vpn provider, it's just a split tunnel thing; since that is a local process, yes they can hijack it. Originally when we switched to our current vpn provider it didn't even let us use localhost or loopback dns, but we needed that for the way we use docker in development, so now it's just anything except those being redirected.
port 53 requests are not limited to external requests. thats what I was implying in my comment.
I configure my router to divert all UDP/53 to my pi hole. The advertising industry hates this type of behaviour, but it means ever an IoT device using hard coded dns (rather than what I tell them from my dhcp or nd settings)
This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.
They can do anything unless constrained by cryptography. I assume it just means redirecting all port 53 traffic which 99% of time will be DNS regardless of IP.
Out of interest, which ISP do you use?
Virgin Media. At the time I switched I needed more bandwidth for work - dealing with multi-gigabyte blobs all day; I was with BT, but BT wouldn't let me upgrade to a gigabit fibre connection, and the City Fibre network which is now everywhere wasn't yet in my street.
You can go to VM dashboard to disable the adult content filtering. It will then not block DoT and DoH.
Many ISP will also auto-redirect un-allocated domain names to their own websites. Others will ban most inbound connections with a port under 1000 to prevent self-hosting/video-surveillance users.
Annoying if you are trying to bring up a remote domain server, and thinking WTF while checking things out in dig. lol =)
Why don’t you change ISP?
You choose an isp with those features that’s on you. It’s not like the UK is a backwards country with a monopoly of one or two ISPs for a given location.
I had just switched to this one when I discovered the problem, so was under contract for the next couple of years, and it's not like they advertise this as a feature where you'd have made that choice beforehand. Also, I didn't just need "an ISP" I needed a high speed connection and at the time my previous provider said they didn't offer that to existing customers, while the handful of others appeared to only offer 1/10 of the speed I wanted or only offered it bundled with tv/sport packages (I don't watch tv)
Since then City Fibre completed their rollout and I'm no longer an existing customer with BT so now I _do_ have a choice.
But bigger picture here: I mentioned my setup on a thread where a country is mandating all of their ISPs do this. Sometimes you don't have a choice.
If you need decent speed, than could also try this:
https://www.stunnel.org/downloads.html
with the optional:
https://github.com/bfix/Tor-DNS.git
or go with the more modern:
https://github.com/erebe/wstunnel
Best regards, =3
Comcast/Xfinity does that in the USA, at least if you use the newer modem/routers that they provide. If you use your own router you can still set your own DNS provider. DoH is a workaround for web browsing.
The UK government IPs show up on our ban lists often for illegal theft of service, and CVE scans. Have you tried a Bind9 relay with iodine/vpn tunnels for local transparent network traversal across the hostile sandbox?
i.e. obfuscate the traffic using the hijacking DNS servers themselves.
Just a thought =3
This will not work if ISPs redirect DNS queries. Only the methods CAP_NET_ADMIN mentioned will work.
DoH APIs at these endpoints:
https://dns.google/dns-query – RFC 8484 (GET and POST)
https://dns.google/resolve? – JSON API (GET)
And tunneling obfuscated traffic is easy... =3
These are being redirected by the Malaysian government as well.
You do know what happens when people try to MiM SSL traffic correct?
Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3
Yes, the connections fail, and most clients will fall back to regular ol' DNS on port 53, which then gets redirected to the government's DNS servers.
So far clients have chosen availability instead of fighting this fight.
Unless your local router tunnels the DNS traffic via other means. The clients may see slightly higher latency, but for <16 host hotspots it would be negligible.
It is quite easy for example, to bonce traffic through a reverse proxy on a Tor tunnel, and start ignoring spoofed drop-connection packets (hence these bypass local DNS, tunnel to a proxy IP to obfuscate Tor traffic detection, and exit someplace new every minute or so.) This is a common method to escape the cellular LTE/G5 network sandbox.
Ever played chase the Kl0wN? Some folks are difficult to find for various reasons.
Have a nice day, =3
An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service, so that governments can't block DoH without blocking all of Google or YouTube. Using a dedicated domain like that, they're just begging to be blocked.
I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?
An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service
That's not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.
Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.
most users are not going to be savvy enough to find those IPs and use them.
Very few people configure DoH on their own. It's up to the DoH-enabled client software (mostly browsers) to obtain lists of resolver IPs and keep them up to date.
If Cloudflare, for example, really wanted to make their DoH traffic indistinguishable from other HTTPS traffic, they could literally host DoH on any domain or IP under their control and rotate the list every now and then.
Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.
Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.
Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3
thats exactly what the redirection is trying to fight…
They are going to have to ban around 3000 proxies as well to make any impact on users. =3
Why do you keep signing your comments with '=3'?
Don't worry about it friend =3
"Any" impact on users?
It sounds like you're working with a model in which most users are conscious that they're very offended or inconvenienced by censorship, and want to research technical means of circumventing it. I wish that were true, but I doubt it's nearly as common as your intuition suggests.
Motives are complicated at times, but traditionally despotic movements are always hostile toward sources of truth that contradict official narratives.
However, one could be correct in that people may prefer to be ignorant. As YC karma is often negatively impacted by facts. QED =3
3000 proxies seems like no big deal for the government to ban.
"Any" impact is weird phrasing, though. Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.
Except the lists often change every minute, and some types of proxies are just a compromised script/page sitting on commercial, private, and government servers.
Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.
There are several one-button vpn/proxy+tor apps for unrooted phones already, and they are dodgy on a good day. =3
That's rookie number for China's firewall.
Chinese government couldn't have cared less about that "impact" -- even if only less than 1% of Wikipedia content mentions Chinese government at all, they are going to block the Wikipedia website.
I think most countries that do this also block/redirect the major DoH providers like CloudFlare or Google. Of course, you can always hide your DoH traffic by going to other servers or worse case using an HTTP proxy and avoid that.
There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.
There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.
Are there? When Kazakhstan announced they were going to do this, all the major browser vendors blocked their CA... so they backed down. What other countries do this and get away with it?
South Korea has some requirement like this for banking if I recall correctly https://palant.info/2023/02/06/weakening-tls-protection-sout...
I hope not!
Websites are only blocked when they are found to host malicious content, such as copyright infringements, online gambling, or pornography
So I guess pornography is illegal in Malaysia?
I guess this is a great time for Malaysian users to switch to DoH.
Edit: Yes. Wikipedia:
Pornography is illegal in Malaysia with fines of up to RM10,000 for owning or sharing pornographic materials
My country (Korea, South) is also prohibited to get pornography service. (And they also terminate TLS using TLS HELLO)
So, DoH should be work fine for now, but they'll (gov.) terminate HTTPS (or TLS) connection ASAP.
My country (Korea, South) is also prohibited to get pornography service.
Why? I've never heard of a non-Islamist nation banning content as benign as porn.
Is porn benign?
It's a thing of deprived bourgeoisie. So are drugs, alcohol and having a personal car.
No, and neither is refined sugar. Your point?
https://en.m.wikipedia.org/wiki/Pornography_laws_by_region
It's really not that rare even for non-Muslim countries, especially in Asia
So, they're not blocking only porn. They're blocking a wide range of sites with various reasons - for example: selling illegal drugs (including mental, abortion drugs), copyrighted sites (torrent, etc), praise about north korea, etc...
When they've started to terminate TLS, the reason was to terminate illegally shared webtoon (web cartoon) sites.
For more info: https://en.wikipedia.org/wiki/Internet_censorship_in_South_K...
Pornography was broadly illegal in the UK through the 1980s. It's still illegal in the Vatican, which is about as far from an "Islamist" country as you can get.
Ukraine still has soviet-era law criminalizing possession, distribution and production of porn. It's only enforced against local producers, but it's a thing.
The only hotel I remember from my visit to South Korea (20 years ago) had a whole bookcase full of porno DVDs in the lobby. Were they just breaking the law in plain view?
There are some movies out there (but it's not a porn.) as Ero(tic)-Movie.
It's legal, but it's not a porn.
There are conditions a producer must meet to make their wares legal.
Same as why a lot of Japanese people seem to have pixelated genitals. ;)
People break the law all the time, it's up to the government to enforce it and many times the government is unable to do that. See here in the case of Malaysia, it's not that Porn was legal, it's that they weren't competent enough to restrict it or know about DNS things.
You can spoof the TLS Hello since at least 2021
I'm Malaysian. They even messed up DoH for the popular DNS providers like Google and Cloudflare. I think they are routing 1.1.1.1 to their own DNS, so when you try to connect to DoH you get SSL_ERR_BAD_CERT_DOMAIN. The only option it seems is to VPN or play the cat and mouse game now to find a DNS that hasn't been rerouted yet
Where are you? My DNS seems to work perfectly fine right now in Penang (with VPN off).
It’s sad that democracies are copying the playbook of China. Will definitely be using v2ray/X-ray while here
Sarawak here (on unifi). My network uses self setup multi DNS path with enforcing encryption so no biggie but I tried some nonetheless. Quad 8, 1 are fine atm, while Quad 9 traceroute returned !X.
can you share a little on your setup?
router DNS redir to pihole(Not the shitey FiberHome) -> pihole to internal(bind9 plain local to Adguard Proxy DoQ) -> self hosted tunneled whitelist DNS quicdoq DoQ, Adguard DNS DoQ (upstream quad 101, others.)
I have a similar setup, it will not be immune if they start implementing in your area. They were rolling out by areas before they reversed course. Your upstream will stop working unless you proxy it through another network
It is proxied towards a machine outside of Malaysia (A machine I've setup elsewhere). So yeah.
It’s sad that democracies are copying...
"Democracy" is a bit of a red herring here. Democracy doesn't mean the government can't censor you or restrict what information or media you can consume. Democracy just means that the voters have consented to whatever legal framework is in place, and to whatever their leaders want to do within that framework.
And that's the thing: in many democracies around the world, if there was a referendum on the law to blocking copyright infringement, online gambling, or pornography at the ISP level, I think many would pass that law.
(Certainly there are "democracies" out there that only pay lip service to the concept, and have fixed elections and repression of dissent or opposition. I'm not talking about those.)
I'm in PJ. It seems that they have reversed the move after wide media coverage, claiming that it there has been a "confusion"
Are they rerouting traffic to port 443 and 853?
You might get some joy from using Portmaster (windows OS) and|or the Foundation for Applied Privacy
https://wiki.safing.io/en/Portmaster/App/DNSConfiguration
https://applied-privacy.net/services/dns/
There are non standard transports for DNS via non standard providers | DNS proxies - this tool and that foundation are a start.
Countries always fighting the most important battles :eyeroll:
Backward countries being backward. The main flaw of modern liberal societies is that parts of them have stopped believing that liberalism is indeed progress. All hail the moral police and long live cultural relativism or whatever its currently trendy post-structural reconstruction is.
It doesn't help that the term 'liberal' has had its meaning so co-opted that it now refers to people who reject freedom of speech and belief.
True, though I would say that is leftism. Leftists actually hate liberals and use it as a slur, believe it or not.
While they often go together, economic liberalism shouldn't be confused with social liberalism.
Porn is just the justification. It's easy to find something repugnant on whatever streaming video site and then start with the "protect the children" nonsense.
The real issue is always control.
Balkanization of the Internet is inevitable. As more and more people join it, there will be conflict between beliefs, values, and politics. Large markets like EU, India can keep companies aligned, but for smaller nations it will be easier to just selectively block global platforms and have local/compliant alternatives. China has shown it is possible and profitable.
I'm honestly surprised that the US doesn't have a legal framework to force ISPs to block IPs / DNS hostnames. I've been expecting that for 10+ years now, but it hasn't happened.
It's because the US is so powerful they can take down any controversial website. See how literally all services with more than 10 users say in their terms of service "we don't want anything that might violate US law".
Is that also sites operated outside the US?
Obviously no, other websites follow the laws of their business entity/where servers are hosted usually. Not sure what parent is talking about.
US will use all manner of tools to extradite foreign citizens who have never been to the US because they broke US law.
Nobody has to worry about breaking Thai laws around defaming the King because Thailand isn’t a superpower with the ability to enforce its will beyond its borders.
Everyone has to be worried about breaking US law.
Except what you wrote only applies to countries with extradition treaties with the US (meaning the government in those countries have agreed that US law can apply in their country too).
Not every country has this, so no, not "everyone has to be worried about breaking US law".
Regarding Thailand specifically, they have a principle of "double criminality", so people are only extraditable if what they're accused of is a crime both in Thailand and the country they're being extradited to. So maybe not the best example.
Besides, other countries have extradition treaties with other countries than the US too, even non-super power ones.
Double criminality applies in every extradition case.
Isn't that just code for "don't post CSAM"?
I think for the most part because it's not needed. Anything hosted on a .com, .net, .org (or any other TLD where the TLD's root DNS is managed by a US company) can be taken down with a court order. There's no need to involve ISPs.
In general they're not going to bother with IP blocking; once they've killed DNS, they're satisfied that most people will not be able to access it.
And for the most part, that's good enough. There's perhaps an argument that the US gov't should be blocking IPs/DNS of things like hacking rings and malware distributors that are hosted elsewhere, on TLDs out of their reach (where ISP blocking would probably be the only or at least best way), but they mainly only care about e.g. sites that threaten the copyright cartels, when it comes to legal takedowns, anyway. And for sites that host illegal content, they seem happy only prosecuting US residents who access them.
We were very fortunate to live through the aberrant time period in which there was a truly global data network. It feels almost like an inevitable fact of entropy that eventually the bureaucrats and petty fiefdoms would catch on to the existence of the system and demand their slice of the pie.
intronet
"the cat's out of the bag" on internet censorship so to speak.
Maybe the time to start a grassroots network for exchanging giant /etc/hosts files.
It wouldn't have to be giant. Ideally, it would just include those entries that are censored for political reasons sorted by location.
the dns-block block-list
loving it
It wouldn't have to be giant. Ideally, it would just include those entries that are censored for political reasons sorted by location.
I think you're underestimating the amount of stuff being blocked everywhere. Even in Spain where I live the list of blocked domains would be pretty big already, and it's just one country.
OONI gives a good overview: https://explorer.ooni.org/
Only meaningful if you are on a desktop machine with root privilege (which most people here do have on their personal machines)
You really need a solution that works on every platform for everyone, which isn't easy.
Even for VPN like apps, well, they aren't allowed on China's Apple app store. Fortunately you can switch to a different store, download the app and switch back, and Android users can just sideload an apk as usual. But that's enough to show how complex this is.
(Another reason I absolutely hate Apple's walled garden.)
online gambling (39 per cent)
well well well. People on HN will be surprised to know that the internet is a complete shit hole. "I thought the internet was made for the good of humanity".
online gambling (39 per cent)
It's 39% of the IPs banned by the DNSs of the ISPs of Malaysia. It's not 39% of the internet.
yes, that was well understood. A country decides to filter because the least poor citizen, those who have internet access, prefer to gamble online to make money.
Make money gambling?
I am not surprised by there being gambling on the internet, its not exactly hiding.
The tension between borderless internet vs national sovereignty is one of most important meta-conflicts occurring in the world today. What can be critiqued as draconian authoritarianism on one hand, can be defended as digital sovereignty on the other.
authies always fall back on appeals to sovereignty why would fucking with the internet be any different
And those that look down on national sovereignty are suspect of being shills for imperialism (whether they realize it or not), which is an even worse kind of authoritarianism.
people I dont like are just secretly this other kind of people I dont like, I have a very large brain.
I just have no idea how to parse that...
pornography/obscene content (31 per cent), copyright infringement (14 per cent)
We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.
Who could possibly be harmed by pornography or, even more ridiculous, copyright infringement? Feels like a lame excuse.
Internet censorship in my country (Russia) started the same way — "we're protecting children from suicide and drugs", but for some reason you couldn't opt out of the "protection" as an adult. To no one's surprise, over time, more and more things to non-consensually "protect" people from were added. In the end, unless you stick exclusively with local services, Russian-language content, and government-owned media, the internet is utterly broken without a VPN, packet fragmenter or other anti-censorship solution. Popular VPN protocols are also starting getting blocked, btw. All for your own safety, of course!
copyright infringement
I deeply implore you to think of the stakeholders!
Malaysia is a Muslim country. Pornography is illegal. Homosexuality is illegal.
imo millions of people, mainly young men, have been sexually, mentally and spiritually harmed by pornography
Starlink sells and works there, will they block it? Also, how are they going to punish people with vpns and proxies?
Starlink has to comply with local laws in places it is sold. It’s like any other business.
Starlink always complies with all ISP laws in every country. Its not some magic anti censorship button.
Shit mostly it exits a country via ground stations in that country or a compatible legal jurisdiction. Its not even magically flying out of the country via satellite. + Discussions about its ability to skirt censorship in this fashion with any significant capacity sort of paint it as a bad move, maybe that starlink 2.0 nonsense.
The purpose of banning VPNs is repressing political opponents. The police doesn't have to go around finding people who use VPNs. It's just that when the police arrest someone at a protest or for some trumped up charge, and the police also finds a VPN on the person's phone or computer, it is an easy charge to tack on - one that is certain to get punishment.
Reminder: Malaysia is an officially Islamic country. It is strange given its location, but Islamization also took over other South and East Asian places as well, like the Maldives and Indonesia.
Malaysia has had a history of religious discrimination from both the state and citizens, despite there being a freedom to practice whatever religion you want. Their notion of religious freedom is also strange, since in order to be considered a Malay you MUST be Muslim. And Malays get all sorts of additional rights and privileges (such as affirmative action). The country also has Sharia law courts - and this is a very real problem for personal freedom, because the Sharia court prevents Muslims from converting to other religions typically, and this forces people to have secret double lives, where privacy is critical.
Restrictions on Internet access or violations of privacy/anonymity are a serious problem for those who may run into trouble due to religious discrimination built into Malaysia’s culture and law. Do not accept official explanations like protecting people from harm or stopping misinformation - control over the internet will be abused.
is strange given its location,
Strange in the current context that it's not in the Middle East but not strange when you look at the map and see that it's a straight shot for a trading ship from the Middle East a thousand years ago.
Strange in the current context that it's not in the Middle East but not strange when you look at the map and see that it's a straight shot for a trading ship from the Middle East a thousand years ago.
Funny enough, it wasn't a trading ship from the Middle East, but the then-Chinese empire:
https://www.scmp.com/week-asia/article/2006222/chinese-admir... (no paywall link: https://archive.ph/f8622)
And the entirety of India (until the Brits arrived) was "controlled" by the Mogul Empire, which was mainly Muslim.
Even Spain/Iberia had a huge Muslim population, until the Reconquesta Kingdoms committed large scale genocide and deportions of Muslims and Jews.
And speaking of Unexpectedly Muslim, the Golden Hord (AKA Tattars) which existed on the Crimean region as one of the offshoots from Genghis Khan's conquests, was Muslim. In fact, they allied with the Mamluk kingdom of Egypt against Holugu, leader of another Mongol horde, Ilkhanate.
Do FireFox, Chrome and Safari still use unencrypted channels for DNS queries?
What is the state of DNS over HTTPS?
`sudo tcpdump port 53` says yes, they do use unencrypted DNS.
AFAIK Chrome has a hardcoded list of DNS servers which offer encrypted DNS. I.E. if your DHCP server tells your PC to use 8.8.8.8, 1.1.1.1, 9.9.9.9, (or the IPv6 equivalents) it will instead connect to the equivalent DNS-over-HTTPS endpoint for that DNS provider. This is a compromise to avoid breaking network-level DNS overrides such as filtering or split-horizon DNS. It's not limited to public DNS providers either, ISP DNS servers are in there. (I've seen it Chrome connect to Comcast's DNS-over-HTTPS service when Comcast's DNS was advertised via DHCP.)
Of course, this is pretty limited. Chrome obviously can't hardcode ever DNS server, and tons of networks use private IPs for DNS even though they don't do any sort of filtering / split-horizon at all. (My Eero router has a local DNS cache, so even if my ISP's DNS servers were in Google's hardcoded list, it wouldn't use DNS-over-HTTPS, because all Chrome can see is that my DNS server is 192.168.4.1)
I don't want my browser ignoring my DNS settings. I went through a lot of effort to set up Pihole in front of a local BIND server with split-horizon DNS for my VPS subdomains and my local subdomains, with caching and control over upstream resolvers, routed through Wireguard to avoid ISP snooping/hijacking.
It's bad enough that so many devices and applications already ignore DNS settings or hard-code IPs. I want everything going through my DNS.
Do FireFox, Chrome and Safari still use unencrypted channels for DNS queries?
Firefox for sure has a "corporate" setting which guarantees that DNS queries are unencrypted, using port 53 (virtually always UDP although technically I take it TCP over port 53 is possible but a firewall only ever allowing UDP over port 53 for a browser works flawlessly).
AFAIK Chrome/Chromium also has such a setting and making sure that setting is on bypasses DoH.
I force all my browsers / wife / kid's browser to my own DNS resolver over UDP port 53 (my own DNS resolver is on my LAN but it could be on a server if I wanted to).
That DNS resolver can then, if you want, only use DoH.
To me it's the best of both worlds: "corporate" DNS setting to force UDP port 53 and then DoH from your own DNS resolver.
The benefit compared to directly using DoH from your browser is that you get to resolve to 0.0.0.0 or NX_DOMAIN a shitload of ads/telemetry/malware/porn domains.
You can also, from all your machines (but not from your DNS resolver), blocklist all the known DoH servers IPs.
I have no problem with this. They are a sovereign country. Third party DNS, like Google, the aggregation of DNS query data could be used for nefarious or for-profit purposes. I encourage everyone to setup unbound.
How would unbound work if your recursive queries to authoritative servers are redirected to local ISP servers instead?
Oh I misunderstood. The government is redirecting requests to local servers, not local user machines.
Sad to see Malaysia relegate itself to yet another Islamist backwater. They had so much potential.
Somewhat hyperbolic.
Due to the public backlash, Malaysia has changed their stance and not proceeding with mandating of DNS redirection. https://www.nst.com.my/news/nation/2024/09/1102836/updated-m...
...and again the number of people who know what a VPN is increases.
yet another country decides to protect people from harmful information. What is harmful -- well, the government will decide
Does anyone host zone files for local dns?
Malaysia, the land of:
‘You have shown determination’: Malaysian PM praises Putin, pledges closer ties 2 days ago"
reminder https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17 43 Malaysians killed by Putin.
Wouldn't this be trivial to get around by using DNS-over-TLS /QUIC?
nonetheless, a slippery slope
This is just dns, so they don't get the entire url. I know, slippery slope and outrage and stuff, but at this point it is almost expected that any government in the world with access to sufficient IT skills would start political internet bans.
protection provided by the local ISP’s DNS servers and that malicious sites are inaccessible to Malaysians.
I'd really be curious if said "protection" is actually real...
Between dynamic domain name generation (ala malware), and (potentially) a lack of public review... this sounds more like smoke and mirrors.
Hopefully there is a way for users to set up a VPN and get access to a better DNS server without triggering the redirect.
Very scary...
Also in Malaysia (coincidentally around same time) MCMC hard blocking of SMS which contain URLs. Not clear if there's someway to whitelist certain URLs/domains--does anyone know? Broke our TableCheck reservation notifications.
https://www.thestar.com.my/tech/tech-news/2024/09/02/mcmc-ba...
„It’s for our own good“, lol. Don’t buy it. Don’t comply.
For all the Malaysians on HN, how are y’all planning to handle this?
Honestly I never got the backlash against DoH.
Sounded more like a kneejerk reaction and a meme for something that's an improvement. UDP at this day and age? Come on
My home router is running a (regular, port 53) DNS server that blocks requests to ads, scams, malware, etc. I have rules set up on the router so any port 53 traffic that tries to go to the public internet gets redirected to my router's DNS server.
A device on my network that decides to use DoH without my knowledge or consent gets to bypass all that. I can try to block a list of the DoH providers I know of, but I'm not going to get them all. And it's just regular HTTPS traffic on port 443, with nothing to distinguish it from someone accessing a website.
An antagonistic device on your network that wants to resolve names doesn't need to use DNS at all.
DoH isn't "magic". It's just a simple, standardised protocol. It's existence makes it no more or less easy for adversarial actors to do name resolution.
The choice of DoH is not set from dhcp or the OS, it’s set by the application developer. And that’s wrong.
DNS should be an OS level tool which is consistent to all applications, not an application by application setting.
As the device owner I expect dns to be ck distant whether I run Firefox, chromium, zoom, curl, steam, ping, or he dozens of other programs I run.
Why should it be system wide? That's a broad and imprecise policy vs app by app.
The bigger issue is that it should be an OS level setting. Different apps having a different option isn't the issue, it's any app being able to trivially override a user choice, sometimes without notification.
Again, the existence of DoH has zero bearing on whether or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution.
Again, the point is it should be an OS level setting and apps should respect it. Just because apps can be hostile to user intentions doesn't mean we should allow or worse advocate for that.
I don't see anyone advocating for hostility. Merely the observation that wishing it away is naive.
Well that's odd, since I don't see anyone 'wishing it away' so much as stating apps should respect OS settings and it's reasonable for that to be an expectation of well behaving programs.
A huge shitload of the Internet is the Web.
The reason I force DNS over UDP to my own DNS resolver is not so that chinese-internet-of-shitty-insecure-device (which I don't own) cannot phone home: I do it so that I'm in control of what the browsers can access over HTTPS (my browsers are all HTTPS-only).
Then meet firewalls. The users accounts running browsers on my setup can access HTTPS over port 443 and query UDP to my local DNS resolver. A webapp (i.e. a software written by someone else) is not bypassing that "networking stack" that easily.
Regarding name resolution: except some very rare cases where https shall work directly with IP addresses, a browser using https only will only work for domains that have valid certificates. Which is why blocking hundreds of thousands --or millions-- of domains at the DNS level is so effective.
And if there are known fixed https://IP_address addresses with valid certificate that are nefarious, they're trivial to block with a firewall anyway.
I'm in control of my LAN, my router, and my machines and webapps written by others either respect HTTPS or get the middle finger from my firewall(s). Not https over port 443? No network for you.
Reading all your nitpicking posts you make it sound like firewalls and local DNS intercepting and blocking DNS requests aren't effective. But in practice it is hugely effective.
I hope you can appreciate that DoH is meant to protect against a nefarious intermediary between the device/application and the server it's trying to reach.
The crux of the problem is that the device/application can't tell if the interference is friend or foe.
All the techniques you can legitimately use on your local network, and that network operators have used in the past, can all be used one hop beyond the network you control.
And, sadly, in 2024, most OS vendors are "in the game" of making sure they can 100% control the link and execution environment between themselves and their servers, without interference from the network operators along the way, OR the device owner.
This is silly and not well thought out.
The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.
It's a meaninless wish for something that you can't have, that we all agree would be nice, but is silly to expect.
An app can simply include it's own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source. It's just key=value like all the infinite other data that every app processes. normal dns and doh are nothing but standards and conveniences, they don't actually control or dictate anything.
You wish apps couldn't do that? So what? Do you also want a pony?
I'd say the same for this unnecessary ad hominem.
This is a basic truth that has no bearing on what I said above.
It's how it worked for personal computing almost since it became popular in the 90s.
Most apps would use the OS set DNS setting. Apps choosing to ignore that and do their own queries is a much more recent thing.
Yes. This also has no bearing on my point.
Wishing apps are not hostile to user intentions is not a fantastical or ignorant desire. Just because apps can be hostile to user intentions does not mean we should accept that as normal or advocate for it.
Because, as an example, as a person responsible for network at my house, I do not want to check whether my child installed another app and check each app one by one ( and that check has to be done and redone every time something changes or someone touches the app ). I want one global setting that says 'Non possumus'.
edit: Unless, naturally, I am no longer an admin and any control I have over my hardware is merely an illusion.
I hate to break it to you, but there is nothing special about hostnames and ips. They are just a tiny bit of key=value data that can be stored or transmitted infinitely different ways. dns and doh are nothing but convenient standards that no one and no app actually has to use.
It doesn't matter how much you might want otherwise. It doesn't matter how important and virtuous the reason you want it is. Even invoking the mighty untouchable power of "my daughter" does not change such a simple fact of life.
It seems like we are arguing for the same outcome. I want to be able to control things within my control. Based on what your wrote, it seems you would support that?
The question has no meaning. "control things within your control" is like a truism, grammatically and logically valid yet says nothing.
The point was that it's pointless to even think in terms of "apps and devices going around my choke point" because there never was a choke point in the first place.
If you want to prevent an app or device on your network from accessing an IP, you must 1: Ensure the app or device has no wifi or cell or any other possible physical connection of it's own that could allow it to reach the internet without going through your router. 2: Block the ip, by ip, in your router, and also any other ip that could serve as a proxy or relay.
It is impossible to know what all those IPs are, so what is possible instead is whitelisting instead of blacklisting.
You could do that, but was it useful or interesting to even say? Didn't you and everyone else already know all that?
<< It is impossible to know what all those IPs are, so what is possible instead is whitelisting instead of blacklisting.
<< The point was that it's pointless to even think in terms of "apps and devices going around my choke point" because there never was a choke point in the first place.
I am not sure why I detect snark. Either it is possible or it is not possible. You argue that we can only assume that things are not communicating with outside world is if there is no network to begin with, which is not completely unreasonable position to take knowing what we know -- cat and mouse gaming being what it is. But even that is slowly becoming less of an option.
<< You could do that, but was it useful or interesting to even say?
Are you suggesting that this conversation is pointless? I don't see it that way. edit: after all, I am participating in this exchange.
The backlash against DoH is that the implementations switch your DNS server without asking to a centralized one which is presumably data mining the queries, default ignoring the one you configured in your operating system or DHCP server.
There is also nothing wrong with using UDP for DNS. And the latency can be better, and in this context that matters. The real problem is that the UDP DNS protocol isn't encrypted. But there is no reason it couldn't be, except that then nobody gets a new source of DNS queries to data mine, which is where the money comes from to push DoH.
ISPs regularly data-mine their users' traffic. Meanwhile, some of the major DoH servers specifically don't. (See, for instance, the deals Mozilla has with their default DoH providers.)
I'm sorry, but this is an argument straight out of the totalitarian's playbook, and I'm going to call you out on it.
Some <bad people> abuse <x>, therefore it is totally justified for us to impose a wholesale replacement of <x> with a solution that we can control centrally. It's for your own safety!
Never mind all the people that don't have data-mining ISP's, and to hell with end-user consent. We don't need that, we're working for the good of everyone. My piety trumps all!
Nothing about the DoH protocol is any more centrally controlled than DNS; that's the point. DoH treats the network as an adversary, and instead ensures the end-user's system can determine what DNS server to talk to and that their traffic can't be spied upon by an intermediary. That part is a feature, just as HTTPS was. (And there were people who complained about the push for universal HTTPS, too.)
Separately from that, there's the issue of how to transition over to DoH, in a world in which many ISPs and networks are hostile. That is the point at which browsers are using the small handful of early-adopter DoH servers and assuming on behalf of some users that they want to use those instead of the servers from their ISP or other network. That part is debatable, and involves tradeoffs between protecting users who don't understand DNS or security and supporting users who do.
DoH gives users the ability to ensure they're talking to the server they think they are, and not get their queries spied on or hijacked. That is the part I'm advocating here: having a protocol that cuts out MITMs and prevents spying on the network traffic. That doesn't solve the problem of needing a trusted DNS server to talk to; it solves the problem of not being sure you're talking to the server you think you are, and not being sure if some part of the network between you and that server is spying on you.
If you have a DNS server you like and trust, whether that's from your ISP or something else entirely, that's great for you! DoH would still be a better protocol to use to talk to that DNS server, rather than the unencrypted DNS protocol.
My ISP doesn’t but the people who run the increasingly centralised internet have a long track record of mining my data for commercial reasons.
I’ll trust my ISP over Google or Cloudflare or Microsoft or DuckDuckGo any day.
I think reasonable people these days don't really trust a provider even if they have explicit contract stating something. Personally, I just trust my ISP a little more than google when it comes to data. But I absolutely do not dream for one moment that they do not want to play with analyzing/monetizing/god knows what else with that data.
You can't possible make that assertion, because all it takes is one NSL and they will log and share it all.
The policy that Mozilla ask providers to follow does not prohibit data-mining the traffic. Providers are requested to not store or share personal information, but any data-mining that removes personal identifiable information are allowed.
For example, accidentally leaked internal network queries from companies are up to grabs. As is market data like what people are querying, how much, when, from where (geographical for example) and to whom, and so on.
The quality of the anonymization of private information are also not guarantied.
Like the one they had that just circled back around to the ISPs that regularly data-mine their users' traffic?: https://arstechnica.com/tech-policy/2020/06/comcast-mozilla-...
Actually they do ask, by querying use-application-dns.net.
The default is not for this to respond in a way that disables changing your DNS server, therefore they're changing the default without asking.
Notice that you could do this the other way: Query a value in the existing (local) DNS or DHCP that not only allows you to enable DoH but also specify which server all the local devices should use. Then if the DNS server chosen by the local administrator/user supports DoH, it could respond by saying so and you could use the protocol without changing your DNS server. But that's not how they did it.
With, say, a proxy app on MacOS, I don't see how they could do this without consent?
It's not that there is no way to turn it off, it's that you have to take affirmative steps to turn it off, so now people are having their queries sent to a central server by default and you have to go out of your way to stop it. And then most people don't even know that it's happening, much less what to do about it.
I assume this is a joke, since DoH3 (DNS over HTTP/3) uses QUIC which is UDP based.
If DNS were running a full session-based encrypted protocol over UDP, like QUIC does, then no one would complain. But running anything that isn't streaming over plain UDP is basically a bad idea.
I feel like you've conflated "UDP" with "unencrypted." This is false; you can perfectly well encrypt data transmitted over UDP, and you can also perfectly well run connections "in the clear" over TCP, which is the thing you generally use instead of UDP. What you don't get with UDP is guaranteed packet delivery, which generally means the application layer is in charge of acknowledgements and retransmits. It's great for game servers where low latency is highly important.
Let me put it like this: for a modern day protocol that should be deployed widely over the internet, the protocol should be expected to have (1) encryption, and (2) session management. Ideally, dedicated protocols should be used for these, for proper separation of concerns, but doing it at the application layer directly can also be acceptable.
Deploying an application protocol that does neither, such as DNS, directly over UDP is a bad idea. If you were to run DNS over DTLS (TLS over UDP), that would be a different beast, and probably ok.
And to clarify, encryption is important to prevent tampering and preserve users's privacy. Session management is important to protect agains redirect attacks with spoofed source IP, or session hijacking.
Okay, but DoH is DNS over HTTPS, which itself runs over TCP/IP, which *does not implement encryption.* (The TLS part of HTTPS is doing that.) You're still mixing the layers here :)
I'm not against the core part of your argument, just against the blaming of a particular choice of transport layer, which is fundamentally irrelevant. Encryption is great. Meanwhile DNS doesn't really need the concept of a session, does it? At the end of the day it's just a single lookup which can very well be fire and forget. That we're encrypting the request (ideally) and also the response (ideally) is no reason to add in loads more complexity.
DoH means running DNS over HTTP over TLS over TCP. TCP does session management, TLS does encryption, HTTP is there just for "plausible deniability".
DoH3 means running DNS over HTTP over QUIC over UDP. Here QUIC does both session management and encryption.
In both cases, we are running a simple application protocol (DNS) over other protocols that handle the Internet-level problems I raised, so all is good.
The problem is with running your application protocol directly and strictly over UDP and nothing else.
And related to sessions, there are two things. For one, in reality today, you typically do a whole host of DNS requests even to load a single site (many common sites have upwards of 20 domains they use, and that's before loading any ads). So having a persistent session to send all of those requests on would not change much, even if it's not technically necessary. Secondly, even if you really want to avoid sessions, you then still need some other mechanism to prevent source IP spoofing.
Any protocol which allows a host to send a small request to a server and cause that server to send a large response to the src IP of that request is a major problem for the health of the internet. Requiring a handshake to solve this is one simple way to avoid the problem entirely. DNS implementations have had to find all sorts of other mitigations to address this (I believe they now typically don't allow responses more than a factor of 1.something larger than the request, or something like that? Which of course brings in all sorts of extra problems and unnecessary traffic)
Yes, and the person you're replying mentioned that it was perfectly possible to encrypt data over UDP. Presumably they meant DTLS. So what's your concern?
I was explaining that saying "don't run DNS over UDP" is a completely different thing than saying "don't run DNS over anything that ultimately runs over UDP". It's not that I don't know you can encrypt things over UDP, it's that I wasn't talking about that.
A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.
Of course, a client using encrypted DNS could just refuse to work when encryption is blocked, rather than falling back to traditional DNS. But that could mean the client is unusable in the country implementing the block.
This sort of reminds me of when Kazakhstan announced they were going to MITM all TLS sessions within the country, and all citizens would need to manually install a root cert. Google, Apple, and Mozilla chose to completely block their root cert, so it would be unusable even if users chose to go along with it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a... Seems like the browser devs won that political standoff, but would they fight the same battle if DoH/DoT was blocked?
A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.
not if DNS is hosted on the same servers as eg google search itself. then they would have to block google search in order to block DNS.
…or use higher-level packet analysis to filter DoH.
With HTTP/3 there isn't much higher level packet analysis to do between anything useful in the headers being encrypted and the session being reused. All you see is there is a 443 UDP session to a Google server and encrypted packets keep getting sent back and forth... which looks exactly like any other HTTP/3 session to a Google server.
I think the weak points are wholly untechnical e.g. Google would often give in to protect the $$$ they make in a region.
Packet size (i forget if http/3 does padding) and packet rates are still available, dns looks a lot different than most http content.
In terms of packet size, DNS (DoH) doesn’t really look any different to an XHR request.
Request maybe, DoH responses are probably way shorter than anything else though.
That kind of DPI is computationally expensive to the point China doesn't even do it much.
OMG, they very much do. It is not on 100% of the traffic but at any given time a more then smaller % is subject to DPI.
Not anymore and mainland Chinese manufacturers sell them on in large numbers to autocratic governments.
Such devices have a pretty simple architecture: the highly performant data plane where DPI is implemented in the hardware (using either ASIC's or FPGA's – don't have enough information), and the control plane. The control plane comes with a SDK of sorts that DPI appliance users can use to tailor the appliance to their environment and that is used to «refine» the data plane behaviour, i.e. sending down / updating DPI pattern matching / processing rules.
Then they will block Google Search and blame it on Google ?
This is the way. Few governments have the resources to play cat and mouse with OS or browser devs. Just look at the fuss over manifest v3, it shouldn’t be a big deal - just fork chromium and patch manifest v2 back in again - but it is because there’s no “just patching” chromium, it’s like a train.
If we make sure clients support proxies what are they going to do about all the proxies that may allow the DoH server list and may be the only way to do something else?
Unencrypted DNS also has to be bootstrapped by a well-known set of IPs. None of the current DNS propagation system would work if it wasn't for the hardcoded IPs for the root DNS servers at *.root-servers.net.
And, of course, end-user devices still need an IP to query for DNS, it's just that it's almost always supplied automatically via DHCP or similar.
DoH won't solve redirects. DoH only gets you to a secure query, it won't help you if the government decides to give you a falsified query. For that you'll need DNSSec, which maintains a cryptographic chain of authenticity to the root DNS servers. And DNSSec is even more rare than DoH.
DoH will prevent government from hijacking your query in the first place. These blockades are only possible because of DNS being clear text and suceptible to MITM
That's one level of security, but even for DoH, it's possible for entities to attack and control an HTTPS server, returning falsified DNS queries, and now the antigovernment.com website you logged in to talk about anti-government politics is actually run by government. The only way to prevent that is via DNSsec to make sure that antigovernment.com goes to a real antigovernment.com server.
Wait what do you mean? They can have an HTTPS server and MITM, but how can they get a certificate for the DoH server I use?
They only need a certificate signed by an authority trusted by your resolver. And, unlike for the website itself, your browser does not show certificate information for the DoH server.
DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.
So, like, you are assuming someone using a resolver that ignores the certificate chain of trust, as an evidence that DoH is not useful?
Do your program language _show_ you the certificate information when you use an http library to connect to an HTTPS service?
Sure the other end of the DNS query may not be encrypted, but I can easily decide which government to trust, and run my DoH server there.
It doesn't show it, but I expect it would put up an error message if the DoH server's cert is invalid.
This makes no sense whatsoever.
If the government can transparently MITM your HTTPS connections with the DoH server, they can just as well MITM your connection to the real antigovernment.com server regardless of what DNS you use. And in fact, if they can't MITM your connection to the real antigovernment.com, they also can't trick you to talk to their fake antigovernment.com regardless of intercepting your DNS: you will connect to the attacker IP, the attacker IP will give you a bogus certificate, your browser will refuse to connect.
DNSSec is entirely useless here. The government has two goals here: block you from accessing certain sites, and perhaps prosecute you for the attempt. DNSSec does exactly nothing to help against either of these , even if perfectly deployed.
DNSSec can help protect from fraudsters or others that might try to transparently direct you to a different site than the one you wanted to access. But the government here has no intention of serving you a fake porn site, they want to stop you accessing porn and log the fact that you were trying to access it.
https://dl.acm.org/doi/10.1145/358198.358210
I don't really trust many DNSes and neither do many yet we all have few choices
The lack of MitM isn't much comfort
Neither are guarantees of the chain of trust
DoH uses HTTPS; it solves redirects because you can use a trusted server, and not have the request intercepted and the response spoofed.
DoH helps us against governments, but doesn't help us against advertisers, i.e. what stops Google or an app maker talking to their own DNS endpoint via DoH and avoiding local measures to block malware and tracking.
DoH is a double edged thing, advertisers are a more present and pervasive threat to most than their own government
Community based FOSS OSes/distros stop all this and avoiding the corporate SW/services.
How do I install a Foss OS to my TV or my kid's tablet? And without breaking DRM attestation?
Pinetab2 as a tablet, or some x86_64 tablet of which there are many.
For TV, use it as a dumb display for some FOSS TV box, running something like libreelec.
As for DRM attestation, that's not the responsibility of anyone but the DRM vendor, so ask them.
If you use services requiring DRM, you are one of the bad actors, why should we care about what you think ?
If by most people you mean most people globally, governments are absolutely a bigger threat; only a minority of the world's population live in countries with benevolent governments who don't censor the internet to hide the government's misdeeds.
don’t forget the us federal government paid twitter and Facebook to remove speech it didn’t like (speech that turned out to be true).
> DoH helps us against governments
And bad ISPs⁰.
And a small subset of MitM attacks.
> advertisers are a more present and pervasive threat to most than their own government
That is true for me¹ but I'd not agree with "most" globally. And while stalky corporates and the people who will get hold of my data subsequently due to lax security are my main concern, there are other ways to mitigate them. Less convenient ways, sure, and I loose a security-in-depth step of ashtray using them anyway, but I consider that inconvenience for me² to be less of an issue than the more serious problems DoH might mitigate for others.
----
[0] some people don't have a simple "just go elsewhere" option
[1] relatively speaking: I don't consider my government that trustworthy, and will do so even less in future if the Tories get back in without major changes in their moral core, and I'm sure many Americans feel similarly if they consider the implications of Project2025.
[2] both as an end user wanting to avoid commercial stalking and as someone who sometimes handles infrastructure for a B2B company that uses DNS based measures as part of the security theater we must present to clients when bidding for their patronage
An ISP could effectively bypass DoH. Block outgoing requests to IP addresses that the ISP has not whitelisted, and automatically whitelist IP addresses that were obtained from non-DoH DNS requests.
You could argue against seatbelts the same way: seatbelts can cause abrasion of the skin during everyday driving, which is a more present and pervasive threat to most than car crashes.
In both instances it turns out that the difference in magnitude of those threats makes the direct comparison misleading.
I've never heard of seatbelt skin abrasion, but car crashes are an exceptionally commom danger.
As an infrasec person, DoH is great because we can config manage all the corp devices to use DoH servers run by the company whether not a device is on VPN. Good visibility into what devices are looking up, easy internal domains, and ensuring malware domains are blocked on and off network.
At least the companies I’ve been working for have a lot more laptops at coffee shops and weworks, and probably not on a VPN half the time either. DoH has been a way bigger win than a hassle for me.
how would you ever get online at a coffee shop? Almost all of this use a captive portal that redirects DNS to some internal webpage making you click a button that says "I agree to your completely absurd terms and conditions"
I can use a mobile hotspot on my phone basically everywhere I go. Public Wifi is most often garbage throughput compared to 5g.
A good implementation of DoH/DoT would use regular DNS in these situations.
I have found that fewer places seem to be doing captive portals and are just going back to open wifi or maybe a well-posted password. Maybe they are realizing there's not a lot of value to it as almost all browser traffic is encrypted these days.
If you have any Windows devices they are leaking DNS requests no matter the setup as long as they are getting DNS servers from DHCP that aren't yours.
Even if DNS is redirected, where DNS lookup request goes to next depends on the next hop, which is – for the prevailing majority of the internet users – the ISP.
Deep packet inspection hardware appliances have proliferated in their numbers in recent years, they are cheap, the hardware is highly performant, and they are capable of the highly sustained throughput. Redirecting DNS queries in UDP port 53 to any other destination of choice is what they can do without blinking an eye (if they had one). Or dropping / blackholing it.
Only a VPN tunnel can get through, however modern DPI appliances can also scan for VPN and VPN-like signatures in the traffic and drop those, too. The only viable and guaranteed to work solution to resist the tampering with the traffic is a VPN tunnel wrapped into a Shadow Socks tunnel that obfuscates traffic signatures and constantly changes ports it operates on to avoid detection.
DoH is sufficient to mitigate DPI.
Widely used DoH servers operate on fixed IP addresses (v4 and v6), connections to which can be dropped / blackholed, which is what people from at least the UK and Malaysia are reporting. DPI is not even required.
Co-incidentally Mullvad recently mentioned they're fighting back
https://mullvad.net/en/blog/introducing-defense-against-ai-g...
And now available for macOS and Linux https://mullvad.net/en/blog/defense-against-ai-guided-traffi...
Then transparently redirect the DNS request from all your machines at home to your own DNS resolver (so that you're in control of what gets resolved and what doesn't, like malware, phishing sites, porn so that kids don't get to see that, etc.) and have your own DNS resolver use DoH.
But asking for browsers to "make DoH ubiquitous" (they would force DoH and DoH only) is not a good thing. It also probably would clash with corporate policies, so it'd make the browser picking that path unusable in corporate settings (leaving the corporate market to competitor browsers).