
Malaysia started mandating ISPs to redirect DNS queries to local servers

happyopossum
88 replies
1d13h

As a network guy, the fact that I can transparently redirect DNS on my network to wherever I need to is a nice feature.

As a user of the public internet, it feels like a bug.

As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.

raverbashing
39 replies
1d12h

Honestly I never got the backlash against DoH.

Sounded more like a kneejerk reaction and a meme for something that's an improvement. UDP at this day and age? Come on

kelnos
17 replies
1d9h

My home router is running a (regular, port 53) DNS server that blocks requests to ads, scams, malware, etc. I have rules set up on the router so any port 53 traffic that tries to go to the public internet gets redirected to my router's DNS server.

A device on my network that decides to use DoH without my knowledge or consent gets to bypass all that. I can try to block a list of the DoH providers I know of, but I'm not going to get them all. And it's just regular HTTPS traffic on port 443, with nothing to distinguish it from someone accessing a website.

growse
16 replies
1d8h

An antagonistic device on your network that wants to resolve names doesn't need to use DNS at all.

DoH isn't "magic". It's just a simple, standardised protocol. Its existence makes it no more or less easy for adversarial actors to do name resolution.

chgs
15 replies
1d8h

The choice of DoH is not set from DHCP or the OS, it’s set by the application developer. And that’s wrong.

DNS should be an OS-level tool which is consistent across all applications, not an application-by-application setting.

As the device owner I expect DNS to be consistent whether I run Firefox, Chromium, Zoom, curl, Steam, ping, or the dozens of other programs I run.

HeatrayEnjoyer
14 replies
1d8h

Why should it be system wide? That's a broad and imprecise policy vs app by app.

ruthmarx
8 replies
1d6h

The bigger issue is that it should be an OS level setting. Different apps having a different option isn't the issue, it's any app being able to trivially override a user choice, sometimes without notification.

growse
5 replies
1d5h

Again, the existence of DoH has zero bearing on whether or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution.

ruthmarx
2 replies
1d

Again, the point is it should be an OS level setting and apps should respect it. Just because apps can be hostile to user intentions doesn't mean we should allow or worse advocate for that.

growse
1 replies
22h25m

I don't see anyone advocating for hostility. Merely the observation that wishing it away is naive.

ruthmarx
0 replies
3h33m

Well that's odd, since I don't see anyone 'wishing it away' so much as stating apps should respect OS settings and it's reasonable for that to be an expectation of well behaving programs.

TacticalCoder
1 replies
1d4h

A huge shitload of the Internet is the Web.

The reason I force DNS over UDP to my own DNS resolver is not so that chinese-internet-of-shitty-insecure-device (which I don't own) cannot phone home: I do it so that I'm in control of what the browsers can access over HTTPS (my browsers are all HTTPS-only).

> or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution

Then meet firewalls. The user accounts running browsers on my setup can access HTTPS over port 443 and query UDP to my local DNS resolver. A webapp (i.e. software written by someone else) is not bypassing that "networking stack" that easily.

Regarding name resolution: except for some very rare cases where HTTPS works directly with IP addresses, a browser using HTTPS only will only work for domains that have valid certificates. Which is why blocking hundreds of thousands --or millions-- of domains at the DNS level is so effective.

And if there are known fixed https://IP_address addresses with valid certificate that are nefarious, they're trivial to block with a firewall anyway.

I'm in control of my LAN, my router, and my machines and webapps written by others either respect HTTPS or get the middle finger from my firewall(s). Not https over port 443? No network for you.

Reading all your nitpicking posts you make it sound like firewalls and local DNS intercepting and blocking DNS requests aren't effective. But in practice it is hugely effective.

jasonjayr
0 replies
1d3h

I hope you can appreciate that DoH is meant to protect against a nefarious intermediary between the device/application and the server it's trying to reach.

The crux of the problem is that the device/application can't tell if the interference is friend or foe.

All the techniques you can legitimately use on your local network, and that network operators have used in the past, can be used one hop beyond the network you control.

And, sadly, in 2024, most OS vendors are "in the game" of making sure they can 100% control the link and execution environment between themselves and their servers, without interference from the network operators along the way, OR the device owner.

Brian_K_White
1 replies
1d4h

This is silly and not well thought out.

The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.

It's a meaningless wish for something that you can't have, that we all agree would be nice, but is silly to expect.

An app can simply include its own hard coded list of IPs if it wants, or some totally home grown method for resolving a name to a number from any source. It's just key=value like all the infinite other data that every app processes. Normal DNS and DoH are nothing but standards and conveniences, they don't actually control or dictate anything.

You wish apps couldn't do that? So what? Do you also want a pony?

ruthmarx
0 replies
1d

> This is silly and not well thought out.

I'd say the same for this unnecessary ad hominem.

> The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.

This is a basic truth that has no bearing on what I said above.

> It's a meaningless wish for something that you can't have, that we all agree would be nice, but is silly to expect.

It's how it worked for personal computing almost since it became popular in the 90s.

Most apps would use the OS set DNS setting. Apps choosing to ignore that and do their own queries is a much more recent thing.

> An app can simply include its own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source.

Yes. This also has no bearing on my point.

> You wish apps couldn't do that? So what? Do you also want a pony?

Wishing apps are not hostile to user intentions is not a fantastical or ignorant desire. Just because apps can be hostile to user intentions does not mean we should accept that as normal or advocate for it.

A4ET8a8uTh0
4 replies
1d4h

Because, as an example, as a person responsible for network at my house, I do not want to check whether my child installed another app and check each app one by one ( and that check has to be done and redone every time something changes or someone touches the app ). I want one global setting that says 'Non possumus'.

edit: Unless, naturally, I am no longer an admin and any control I have over my hardware is merely an illusion.

Brian_K_White
3 replies
1d4h

I hate to break it to you, but there is nothing special about hostnames and IPs. They are just a tiny bit of key=value data that can be stored or transmitted in infinitely different ways. DNS and DoH are nothing but convenient standards that no one and no app actually has to use.

It doesn't matter how much you might want otherwise. It doesn't matter how important and virtuous the reason you want it is. Even invoking the mighty untouchable power of "my daughter" does not change such a simple fact of life.

A4ET8a8uTh0
2 replies
1d

It seems like we are arguing for the same outcome. I want to be able to control things within my control. Based on what you wrote, it seems you would support that?

Brian_K_White
1 replies
23h28m

The question has no meaning. "control things within your control" is like a truism, grammatically and logically valid yet says nothing.

The point was that it's pointless to even think in terms of "apps and devices going around my choke point" because there never was a choke point in the first place.

If you want to prevent an app or device on your network from accessing an IP, you must 1: Ensure the app or device has no wifi or cell or any other possible physical connection of its own that could allow it to reach the internet without going through your router. 2: Block the IP, by IP, in your router, and also any other IP that could serve as a proxy or relay.

It is impossible to know what all those IPs are, so what is possible instead is whitelisting instead of blacklisting.

You could do that, but was it useful or interesting to even say? Didn't you and everyone else already know all that?

A4ET8a8uTh0
0 replies
21h34m

<< It is impossible to know what all those IPs are, so what is possible instead is whitelisting instead of blacklisting.

<< The point was that it's pointless to even think in terms of "apps and devices going around my choke point" because there never was a choke point in the first place.

I am not sure why I detect snark. Either it is possible or it is not possible. You argue that the only way we can assume things are not communicating with the outside world is if there is no network to begin with, which is not a completely unreasonable position to take knowing what we know -- cat and mouse gaming being what it is. But even that is slowly becoming less of an option.

<< You could do that, but was it useful or interesting to even say?

Are you suggesting that this conversation is pointless? I don't see it that way. edit: after all, I am participating in this exchange.

AnthonyMouse
12 replies
1d12h

The backlash against DoH is that the implementations switch your DNS server, without asking, to a centralized one which is presumably data mining the queries, ignoring by default the one you configured in your operating system or DHCP server.

There is also nothing wrong with using UDP for DNS. And the latency can be better, and in this context that matters. The real problem is that the UDP DNS protocol isn't encrypted. But there is no reason it couldn't be, except that then nobody gets a new source of DNS queries to data mine, which is where the money comes from to push DoH.

JoshTriplett
7 replies
1d12h

ISPs regularly data-mine their users' traffic. Meanwhile, some of the major DoH servers specifically don't. (See, for instance, the deals Mozilla has with their default DoH providers.)

tremon
1 replies
23h23m

I'm sorry, but this is an argument straight out of the totalitarian's playbook, and I'm going to call you out on it.

Some <bad people> abuse <x>, therefore it is totally justified for us to impose a wholesale replacement of <x> with a solution that we can control centrally. It's for your own safety!

Never mind all the people that don't have data-mining ISPs, and to hell with end-user consent. We don't need that, we're working for the good of everyone. My piety trumps all!

JoshTriplett
0 replies
1h14m

Nothing about the DoH protocol is any more centrally controlled than DNS; that's the point. DoH treats the network as an adversary, and instead ensures the end-user's system can determine what DNS server to talk to and that their traffic can't be spied upon by an intermediary. That part is a feature, just as HTTPS was. (And there were people who complained about the push for universal HTTPS, too.)

Separately from that, there's the issue of how to transition over to DoH, in a world in which many ISPs and networks are hostile. That is the point at which browsers are using the small handful of early-adopter DoH servers and assuming on behalf of some users that they want to use those instead of the servers from their ISP or other network. That part is debatable, and involves tradeoffs between protecting users who don't understand DNS or security and supporting users who do.

DoH gives users the ability to ensure they're talking to the server they think they are, and not get their queries spied on or hijacked. That is the part I'm advocating here: having a protocol that cuts out MITMs and prevents spying on the network traffic. That doesn't solve the problem of needing a trusted DNS server to talk to; it solves the problem of not being sure you're talking to the server you think you are, and not being sure if some part of the network between you and that server is spying on you.

If you have a DNS server you like and trust, whether that's from your ISP or something else entirely, that's great for you! DoH would still be a better protocol to use to talk to that DNS server, rather than the unencrypted DNS protocol.

chgs
1 replies
1d5h

My ISP doesn’t but the people who run the increasingly centralised internet have a long track record of mining my data for commercial reasons.

I’ll trust my ISP over Google or Cloudflare or Microsoft or DuckDuckGo any day.

A4ET8a8uTh0
0 replies
1d5h

I think reasonable people these days don't really trust a provider even if they have an explicit contract stating something. Personally, I just trust my ISP a little more than Google when it comes to data. But I absolutely do not dream for one moment that they do not want to play with analyzing/monetizing/god knows what else with that data.

jjav
0 replies
1d9h

> Meanwhile, some of the major DoH servers specifically don't.

You can't possibly make that assertion, because all it takes is one NSL and they will log and share it all.

belorn
0 replies
1d8h

The policy that Mozilla asks providers to follow does not prohibit data-mining the traffic. Providers are requested not to store or share personal information, but any data-mining that removes personally identifiable information is allowed.

For example, accidentally leaked internal network queries from companies are up for grabs. As is market data like what people are querying, how much, when, from where (geographically, for example) and to whom, and so on.

The quality of the anonymization of private information is also not guaranteed.

diogocp
1 replies
1d

> The backlash against DoH is that the implementations switch your DNS server without asking

Actually they do ask, by querying use-application-dns.net.

AnthonyMouse
0 replies
22h55m

The default is not for this to respond in a way that disables changing your DNS server, therefore they're changing the default without asking.

Notice that you could do this the other way: Query a value in the existing (local) DNS or DHCP that not only allows you to enable DoH but also specify which server all the local devices should use. Then if the DNS server chosen by the local administrator/user supports DoH, it could respond by saying so and you could use the protocol without changing your DNS server. But that's not how they did it.
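The local-resolver setup kelnos describes earlier in the thread (port-53 traffic forced to a blocking resolver on the router) and the canary-domain check discussed in this subthread can be sketched together. What follows is an added example written for this page, not code from any commenter, from Mozilla, or from any DNS server: a minimal parser for the DNS wire format that decides, per query, whether to answer locally with NXDOMAIN (for a blocklisted name or any subdomain of one, and for the use-application-dns.net canary so that a browser in its default DoH mode keeps using the network's resolver) or to hand the packet to an upstream forwarder. The blocklist entries are constructed placeholders, and the UDP socket and forwarding side is left out.

```python
import struct

# Constructed sample policy for this demo. The canary name is the one the
# subthread mentions; the blocklist entries are made-up placeholders.
CANARY = "use-application-dns.net"
BLOCKLIST = {"ads.example", "malware.example"}


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query packet (QTYPE A by default, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Parse the header and single question.

    Returns (txid, qname, qtype, raw_question). Rejects responses, packets
    with more than one question, truncated names and compression pointers,
    none of which a well-formed client query should contain.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def is_blocked(qname):
    """True for a blocklisted name or any subdomain of one."""
    return any(qname == b or qname.endswith("." + b) for b in BLOCKLIST)


def nxdomain(txid, question):
    """NXDOMAIN response echoing the question: QR=1, RD=1, RA=1, RCODE=3."""
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question


def rcode(packet):
    """Low four bits of the flags word: the response code."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def decide(packet):
    """Return ("answer", response) to send back, or ("forward", packet) for upstream."""
    txid, qname, _qtype, question = parse_query(packet)
    if qname == CANARY or is_blocked(qname):
        return "answer", nxdomain(txid, question)
    return "forward", packet


if __name__ == "__main__":
    for name in ("news.example", "tracker.ads.example", CANARY):
        action, pkt = decide(build_query(name))
        print(f"{name:28} -> {action} ({len(pkt)} bytes)")
```

The suffix match in `is_blocked` is what makes a blocklist entry cover its subdomains without also catching look-alike names such as `notads.example`; a resolver that matched on plain substrings would block more than the operator intended.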

55555
1 replies
1d

> The backlash against DoH is that the implementations switch your DNS server without asking to a centralized one which is presumably data mining the queries, default ignoring the one you configured in your operating system or DHCP server.

With, say, a proxy app on MacOS, I don't see how they could do this without consent?

AnthonyMouse
0 replies
22h55m

It's not that there is no way to turn it off, it's that you have to take affirmative steps to turn it off, so now people are having their queries sent to a central server by default and you have to go out of your way to stop it. And then most people don't even know that it's happening, much less what to do about it.

watermelon0
7 replies
1d12h

> UDP at this day and age? Come on

I assume this is a joke, since DoH3 (DNS over HTTP/3) uses QUIC which is UDP based.

tsimionescu
6 replies
1d11h

If DNS were running a full session-based encrypted protocol over UDP, like QUIC does, then no one would complain. But running anything that isn't streaming over plain UDP is basically a bad idea.

zeta0134
5 replies
1d11h

I feel like you've conflated "UDP" with "unencrypted." This is false; you can perfectly well encrypt data transmitted over UDP, and you can also perfectly well run connections "in the clear" over TCP, which is the thing you generally use instead of UDP. What you don't get with UDP is guaranteed packet delivery, which generally means the application layer is in charge of acknowledgements and retransmits. It's great for game servers where low latency is highly important.

tsimionescu
4 replies
1d11h

Let me put it like this: for a modern day protocol that should be deployed widely over the internet, the protocol should be expected to have (1) encryption, and (2) session management. Ideally, dedicated protocols should be used for these, for proper separation of concerns, but doing it at the application layer directly can also be acceptable.

Deploying an application protocol that does neither, such as DNS, directly over UDP is a bad idea. If you were to run DNS over DTLS (TLS over UDP), that would be a different beast, and probably ok.

And to clarify, encryption is important to prevent tampering and preserve users' privacy. Session management is important to protect against redirect attacks with spoofed source IPs, or session hijacking.

zeta0134
1 replies
1d9h

Okay, but DoH is DNS over HTTPS, which itself runs over TCP/IP, which *does not implement encryption.* (The TLS part of HTTPS is doing that.) You're still mixing the layers here :)

I'm not against the core part of your argument, just against the blaming of a particular choice of transport layer, which is fundamentally irrelevant. Encryption is great. Meanwhile DNS doesn't really need the concept of a session, does it? At the end of the day it's just a single lookup which can very well be fire and forget. That we're encrypting the request (ideally) and also the response (ideally) is no reason to add in loads more complexity.

tsimionescu
0 replies
1d8h

DoH means running DNS over HTTP over TLS over TCP. TCP does session management, TLS does encryption, HTTP is there just for "plausible deniability".

DoH3 means running DNS over HTTP over QUIC over UDP. Here QUIC does both session management and encryption.

In both cases, we are running a simple application protocol (DNS) over other protocols that handle the Internet-level problems I raised, so all is good.

The problem is with running your application protocol directly and strictly over UDP and nothing else.

And related to sessions, there are two things. For one, in reality today, you typically do a whole host of DNS requests even to load a single site (many common sites have upwards of 20 domains they use, and that's before loading any ads). So having a persistent session to send all of those requests on would not change much, even if it's not technically necessary. Secondly, even if you really want to avoid sessions, you then still need some other mechanism to prevent source IP spoofing.

Any protocol which allows a host to send a small request to a server and cause that server to send a large response to the src IP of that request is a major problem for the health of the internet. Requiring a handshake to solve this is one simple way to avoid the problem entirely. DNS implementations have had to find all sorts of other mitigations to address this (I believe they now typically don't allow responses more than a factor of 1.something larger than the request, or something like that? Which of course brings in all sorts of extra problems and unnecessary traffic)
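Two of the mitigations this comment points at, truncating an oversized UDP answer so the client retries over TCP (which brings in the handshake the comment describes), and per-source response rate limiting with occasional "slip" replies, can be shown in a few dozen lines. This is an added example written for this page, not code from any commenter or from any DNS server implementation. The 1232-byte UDP payload limit, the rate-limit parameters and the sample query sizes are assumptions chosen for the demo.

```python
# Added example: defensive handling of the amplification problem described
# above. The thresholds are assumptions for the demo, not the values any
# particular DNS server ships with.

EDNS_UDP_MAX = 1232   # assumed UDP payload limit (bytes) the resolver advertises


def amplification_factor(query_len, response_len):
    """Bytes a server emits per byte the sender spent on the request."""
    return response_len / query_len


def plan_udp_response(query_len, response_len, udp_max=EDNS_UDP_MAX):
    """Decide how to answer a UDP query.

    An answer that fits in udp_max goes out over UDP. A larger one is sent
    as an empty reply with the TC (truncated) bit set, so the client retries
    over TCP: the three-way handshake proves the source address is real, and
    the large payload only ever reaches a host that completed it.
    """
    if response_len <= udp_max:
        return "udp"
    return "truncate"


class ResponseRateLimiter:
    """Per-source response rate limiting (RRL) over a fixed window.

    Up to `limit` responses per `window` seconds are sent to a source. Beyond
    that, responses are dropped, except that every `slip`-th excess response
    is sent truncated ("slip") so a genuine client whose address is being
    spoofed by someone else can still fall back to TCP.
    """

    def __init__(self, limit=5, window=1.0, slip=2):
        self.limit, self.window, self.slip = limit, window, slip
        self._state = {}   # src -> (window_start, seen_in_window, excess)

    def decide(self, src, now):
        start, count, excess = self._state.get(src, (now, 0, 0))
        if now - start >= self.window:          # window expired: fresh bucket
            start, count, excess = now, 0, 0
        count += 1
        if count <= self.limit:
            action = "send"
        else:
            excess += 1
            action = "slip" if self.slip and excess % self.slip == 0 else "drop"
        self._state[src] = (start, count, excess)
        return action


def simulate(limiter, events):
    """Run (src, timestamp) events through a limiter; return the action per event."""
    return [limiter.decide(src, t) for src, t in events]


# Constructed sample: one source bursts nine queries in under a second, then
# one more after the window rolls over; a second source sends a single query.
SAMPLE_BURST = [("198.51.100.7", round(0.1 * i, 1)) for i in range(9)]
SAMPLE_BURST += [("198.51.100.7", 1.2), ("203.0.113.5", 0.3)]


def run_sample():
    return simulate(ResponseRateLimiter(limit=5, window=1.0, slip=2), SAMPLE_BURST)


if __name__ == "__main__":
    # a 44-byte query whose full answer would be 3000 bytes
    print(amplification_factor(44, 3000))
    print(plan_udp_response(44, 3000))   # truncate
    print(plan_udp_response(44, 120))    # udp
    for (src, t), action in zip(SAMPLE_BURST, run_sample()):
        print(f"{t:4.1f}s {src:14} {action}")
```

Production RRL implementations key the bucket on a source prefix (a /24 or /56) rather than a single address and count responses per response type; the fixed window here is the simplest form that still shows why "slip" exists: dropping everything over the limit would let a spoofer deny service to the real owner of the spoofed address.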

kelnos
1 replies
1d9h

> If you were to run DNS over DTLS (TLS over UDP), that would be a different beast, and probably ok.

Yes, and the person you're replying to mentioned that it was perfectly possible to encrypt data over UDP. Presumably they meant DTLS. So what's your concern?

tsimionescu
0 replies
1d8h

I was explaining that saying "don't run DNS over UDP" is a completely different thing than saying "don't run DNS over anything that ultimately runs over UDP". It's not that I don't know you can encrypt things over UDP, it's that I wasn't talking about that.

profmonocle
13 replies
1d11h

> As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.

A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.

Of course, a client using encrypted DNS could just refuse to work when encryption is blocked, rather than falling back to traditional DNS. But that could mean the client is unusable in the country implementing the block.

This sort of reminds me of when Kazakhstan announced they were going to MITM all TLS sessions within the country, and all citizens would need to manually install a root cert. Google, Apple, and Mozilla chose to completely block their root cert, so it would be unusable even if users chose to go along with it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a... Seems like the browser devs won that political standoff, but would they fight the same battle if DoH/DoT was blocked?

em-bee
9 replies
1d5h

> A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.

Not if DNS is hosted on the same servers as e.g. Google Search itself. Then they would have to block Google Search in order to block DNS.

brookst
7 replies
1d3h

…or use higher-level packet analysis to filter DoH.

zamadatix
3 replies
23h31m

With HTTP/3 there isn't much higher level packet analysis to do between anything useful in the headers being encrypted and the session being reused. All you see is there is a 443 UDP session to a Google server and encrypted packets keep getting sent back and forth... which looks exactly like any other HTTP/3 session to a Google server.

I think the weak points are wholly non-technical, e.g. Google would often give in to protect the $$$ they make in a region.

toast0
2 replies
23h21m

Packet size (I forget if HTTP/3 does padding) and packet rates are still available; DNS looks a lot different than most HTTP content.

zarzavat
1 replies
13h19m

In terms of packet size, DNS (DoH) doesn’t really look any different to an XHR request.

toast0
0 replies
12h21m

Request maybe, DoH responses are probably way shorter than anything else though.

ronsor
2 replies
1d2h

That kind of DPI is computationally expensive to the point China doesn't even do it much.

myrandomcomment
0 replies
23h59m

OMG, they very much do. It is not on 100% of the traffic, but at any given time more than a small % is subject to DPI.

inkyoto
0 replies
17h31m

Not anymore, and mainland Chinese manufacturers sell them on in large numbers to autocratic governments.

Such devices have a pretty simple architecture: the highly performant data plane where DPI is implemented in the hardware (using either ASICs or FPGAs – I don't have enough information), and the control plane. The control plane comes with an SDK of sorts that DPI appliance users can use to tailor the appliance to their environment, and that is used to «refine» the data plane behaviour, i.e. sending down / updating DPI pattern-matching / processing rules.

BlueTemplar
0 replies
21h48m

Then they will block Google Search and blame it on Google?

zarzavat
0 replies
1d8h

This is the way. Few governments have the resources to play cat and mouse with OS or browser devs. Just look at the fuss over manifest v3, it shouldn’t be a big deal - just fork chromium and patch manifest v2 back in again - but it is because there’s no “just patching” chromium, it’s like a train.

klingoff
0 replies
1d9h

If we make sure clients support proxies, what are they going to do about all the proxies that may allow the DoH server list and may be the only way to do something else?

Sophira
0 replies
15h36m

> A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs.

Unencrypted DNS also has to be bootstrapped by a well-known set of IPs. None of the current DNS propagation system would work if it wasn't for the hardcoded IPs for the root DNS servers at *.root-servers.net.

And, of course, end-user devices still need an IP to query for DNS, it's just that it's almost always supplied automatically via DHCP or similar.

vFunct
10 replies
1d12h

DoH won't solve redirects. DoH only gets you to a secure query, it won't help you if the government decides to give you a falsified query. For that you'll need DNSSec, which maintains a cryptographic chain of authenticity to the root DNS servers. And DNSSec is even more rare than DoH.

xnyanta
6 replies
1d12h

DoH will prevent the government from hijacking your query in the first place. These blockades are only possible because of DNS being clear text and susceptible to MITM.

vFunct
5 replies
1d12h

That's one level of security, but even for DoH, it's possible for entities to attack and control an HTTPS server, returning falsified DNS queries, and now the antigovernment.com website you logged in to talk about anti-government politics is actually run by government. The only way to prevent that is via DNSsec to make sure that antigovernment.com goes to a real antigovernment.com server.

yegle
3 replies
1d12h

Wait what do you mean? They can have an HTTPS server and MITM, but how can they get a certificate for the DoH server I use?

labcomputer
2 replies
1d11h

They only need a certificate signed by an authority trusted by your resolver. And, unlike for the website itself, your browser does not show certificate information for the DoH server.

DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.

yegle
0 replies
1d11h

So, like, you are assuming someone using a resolver that ignores the certificate chain of trust, as evidence that DoH is not useful?

Does your programming language _show_ you the certificate information when you use an HTTP library to connect to an HTTPS service?

Sure the other end of the DNS query may not be encrypted, but I can easily decide which government to trust, and run my DoH server there.

kelnos
0 replies
1d9h

> your browser does not show certificate information for the DoH server.

It doesn't show it, but I expect it would put up an error message if the DoH server's cert is invalid.

tsimionescu
0 replies
1d11h

This makes no sense whatsoever.

If the government can transparently MITM your HTTPS connections with the DoH server, they can just as well MITM your connection to the real antigovernment.com server regardless of what DNS you use. And in fact, if they can't MITM your connection to the real antigovernment.com, they also can't trick you to talk to their fake antigovernment.com regardless of intercepting your DNS: you will connect to the attacker IP, the attacker IP will give you a bogus certificate, your browser will refuse to connect.

tsimionescu
0 replies
1d11h

DNSSec is entirely useless here. The government has two goals here: block you from accessing certain sites, and perhaps prosecute you for the attempt. DNSSec does exactly nothing to help against either of these, even if perfectly deployed.

DNSSec can help protect from fraudsters or others that might try to transparently direct you to a different site than the one you wanted to access. But the government here has no intention of serving you a fake porn site, they want to stop you accessing porn and log the fact that you were trying to access it.

sublinear
0 replies
1d12h

https://dl.acm.org/doi/10.1145/358198.358210

I don't really trust many DNSes and neither do many others, yet we all have few choices.

The lack of MitM isn't much comfort

Neither are guarantees of the chain of trust

mfenniak
0 replies
1d12h

DoH uses HTTPS; it solves redirects because you can use a trusted server, and not have the request intercepted and the response spoofed.

buro9
10 replies
1d11h

DoH helps us against governments, but doesn't help us against advertisers, i.e. what stops Google or an app maker talking to their own DNS endpoint via DoH and avoiding local measures to block malware and tracking?

DoH is a double-edged thing; advertisers are a more present and pervasive threat to most than their own government.

megous
3 replies
1d9h

Community-based FOSS OSes/distros stop all this and avoid the corporate SW/services.

HeatrayEnjoyer
2 replies
1d8h

How do I install a FOSS OS on my TV or my kid's tablet? And without breaking DRM attestation?

megous
0 replies
1d4h

Pinetab2 as a tablet, or some x86_64 tablet of which there are many.

For TV, use it as a dumb display for some FOSS TV box, running something like libreelec.

As for DRM attestation, that's not the responsibility of anyone but the DRM vendor, so ask them.

BlueTemplar
0 replies
1d7h

If you use services requiring DRM, you are one of the bad actors, why should we care about what you think?

logicchains
1 replies
1d11h

If by most people you mean most people globally, governments are absolutely a bigger threat; only a minority of the world's population live in countries with benevolent governments who don't censor the internet to hide the government's misdeeds.

whatwhaaaaat
0 replies
1d1h

Don’t forget the US federal government paid Twitter and Facebook to remove speech it didn’t like (speech that turned out to be true).

dspillett
1 replies
1d8h

> DoH helps us against governments

And bad ISPs⁰.

And a small subset of MitM attacks.

> advertisers are a more present and pervasive threat to most than their own government

That is true for me¹ but I'd not agree with "most" globally. And while stalky corporates and the people who will get hold of my data subsequently due to lax security are my main concern, there are other ways to mitigate them. Less convenient ways, sure, and I lose a security-in-depth step of ashtray using them anyway, but I consider that inconvenience for me² to be less of an issue than the more serious problems DoH might mitigate for others.

----

[0] some people don't have a simple "just go elsewhere" option

[1] relatively speaking: I don't consider my government that trustworthy, and will do so even less in future if the Tories get back in without major changes in their moral core, and I'm sure many Americans feel similarly if they consider the implications of Project 2025.

[2] both as an end user wanting to avoid commercial stalking and as someone who sometimes handles infrastructure for a B2B company that uses DNS based measures as part of the security theater we must present to clients when bidding for their patronage

tzs
0 replies
1d3h

An ISP could effectively bypass DoH. Block outgoing requests to IP addresses that the ISP has not whitelisted, and automatically whitelist IP addresses that were obtained from non-DoH DNS requests.

chmod775
1 replies
1d11h

You could argue against seatbelts the same way: seatbelts can cause abrasion of the skin during everyday driving, which is a more present and pervasive threat to most than car crashes.

In both instances it turns out that the difference in magnitude of those threats makes the direct comparison misleading.

FireInsight
0 replies
1d5h

I've never heard of seatbelt skin abrasion, but car crashes are an exceptionally common danger.

mcpherrinm
5 replies
1d11h

As an infrasec person, DoH is great because we can config manage all the corp devices to use DoH servers run by the company whether or not a device is on VPN. Good visibility into what devices are looking up, easy internal domains, and ensuring malware domains are blocked on and off network.

At least the companies I’ve been working for have a lot more laptops at coffee shops and weworks, and probably not on a VPN half the time either. DoH has been a way bigger win than a hassle for me.

sidewndr46
3 replies
1d6h

How would you ever get online at a coffee shop? Almost all of these use a captive portal that redirects DNS to some internal webpage making you click a button that says "I agree to your completely absurd terms and conditions"

jeremyjh
0 replies
1d3h

I can use a mobile hotspot on my phone basically everywhere I go. Public Wifi is most often garbage throughput compared to 5g.

grishka
0 replies
23h28m

A good implementation of DoH/DoT would use regular DNS in these situations.

SoftTalker
0 replies
1d1h

I have found that fewer places seem to be doing captive portals and are just going back to open wifi or maybe a well-posted password. Maybe they are realizing there's not a lot of value to it as almost all browser traffic is encrypted these days.

chupasaurus
0 replies
1d5h

If you have any Windows devices they are leaking DNS requests no matter the setup as long as they are getting DNS servers from DHCP that aren't yours.

inkyoto
4 replies
1d11h

Even if DNS is redirected, where the DNS lookup request goes to next depends on the next hop, which is – for the prevailing majority of internet users – the ISP.

Deep packet inspection hardware appliances have proliferated in their numbers in recent years; they are cheap, the hardware is highly performant, and they are capable of highly sustained throughput. Redirecting DNS queries on UDP port 53 to any other destination of choice is what they can do without blinking an eye (if they had one). Or dropping / blackholing them.

Only a VPN tunnel can get through; however, modern DPI appliances can also scan for VPN and VPN-like signatures in the traffic and drop those, too. The only viable and guaranteed-to-work solution to resist the tampering with the traffic is a VPN tunnel wrapped into a Shadowsocks tunnel that obfuscates traffic signatures and constantly changes the ports it operates on to avoid detection.

ruthmarx
1 replies
1d6h

DoH is sufficient to mitigate DPI.

inkyoto
0 replies
17h47m

Widely used DoH servers operate on fixed IP addresses (v4 and v6), connections to which can be dropped / blackholed, which is what people from at least the UK and Malaysia are reporting. DPI is not even required.

TacticalCoder
0 replies
1d4h

> As a network guy ...

Then transparently redirect the DNS request from all your machines at home to your own DNS resolver (so that you're in control of what gets resolved and what doesn't, like malware, phishing sites, porn so that kids don't get to see that, etc.) and have your own DNS resolver use DoH.

But asking for browsers to "make DoH ubiquitous" (they would force DoH and DoH only) is not a good thing. It also probably would clash with corporate policies, so it'd make the browser picking that path unusable in corporate settings (leaving the corporate market to competitor browsers).
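One way to implement the first half of this comment (steer every plain-DNS query on the LAN to the router's own resolver, and let that resolver talk DoH upstream), as an added example that is not from any commenter: an nftables ruleset for a home router. The LAN interface name "lan0", and a local resolver already listening on port 53 of the router and forwarding over DoH, are assumptions.

```nft
# Added example, not from the thread. Assumes: LAN interface "lan0"; a resolver
# (any DoH-forwarding one) bound to port 53 on the router's LAN address.
# Load with: nft -f dns-redirect.nft
table inet dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Any plain DNS leaving a LAN client, whatever resolver the client has
        # configured, is rewritten to this router's own address on port 53.
        # "redirect" uses the address of the interface the packet arrived on,
        # so no IP needs to be hard-coded here.
        iifname "lan0" udp dport 53 redirect to :53
        iifname "lan0" tcp dport 53 redirect to :53
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Optional: refuse DNS-over-TLS (853) from the LAN so clients that use
        # opportunistic DoT fall back to plain DNS and land on the rule above.
        # DoH rides on 443 and is indistinguishable from ordinary HTTPS at
        # this layer; that is the limitation the thread is discussing.
        iifname "lan0" tcp dport 853 reject with tcp reset
    }
}
```

The router's own upstream traffic is not affected by the prerouting hook (it is locally generated and never ingresses on lan0), so the resolver's DoH sessions to its upstream on 443 pass untouched.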

aussieguy1234
71 replies
1d13h

In this case, the "malicious sites" that the government-approved DNS providers block almost certainly include life-saving LGBT resources. It will not stop there, however; expect anything anti-government to be blocked. Democracy does not have a good track record in Malaysia.

Of course there are still ways around this. Use a good VPN like Proton.

This is still for sure going to be copied by authoritarian regimes worldwide.

csomar
30 replies
1d12h

Malaysia doesn't have a stellar democratic record but it's still a democracy. Also, a stellar democratic Malaysia will still vote for this. Don't confuse Democracy with Liberal values.

aussieguy1234
28 replies
1d12h

Whatever they vote for, if uncensored information is not available, they are not making an informed decision and are likely only hearing one side's arguments.

graemep
26 replies
1d11h

Most countries have some sort of censorship. RT is banned (broadcasts and streams not allowed, and website blocked) in the UK. Libraries will not stock books with certain points of view reflecting the views of those who fund or run them (AFAIK LGBT stuff in some American schools, gender critical views in some British public libraries). Mein Kampf used to be effectively banned in Germany and has been actually banned in a few places.

ruthmarx
20 replies
1d6h

> Most countries have some sort of censorship.

This is a notable area where the US is an exception, and is significantly more free than other western countries. No need to worry about art or materials being censored here, at least outside of specific contexts like some states banning books from schools.

chgs
8 replies
1d5h

No it’s not. The US is consistently banning free speech - including, as you rightly say, banning books in schools.

It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.

The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.

ruthmarx
4 replies
1d

> No it’s not. The US is consistently banning free speech - including, as you rightly say, banning books in schools.

Some states are doing that at a state level in limited contexts. Individuals are still free to post or publish whatever they want.

> It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.

No, it's that in the US this kind of freedom is significantly more protected and culturally important.

> The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.

I would say the sad thing is anti-US sentiment can be so high that people won't debate something like this in good faith and look at the various cases and histories.

stoperaticless
1 replies
22h5m

Isn’t it too early to declare anti-US sentiment here?

Challenge one: Could it be that previous commenter touched certain dogma? (One possible definition from Wikipedia: “Dogma, in its broadest sense, is any belief held definitively and without the possibility of reform”)

Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise. (One possible definition from Wikipedia: “Censorship is the suppression of speech, public communication, or other information.”)

(No need to report results or reply / just try the exercise for elasticity of the mind)

BTW. A bit related, hopefully interesting, random fact you did not ask for:

“Freedom” is defined quite differently by people in different countries. While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.

ruthmarx
0 replies
2h36m

> Isn’t it too early to declare anti-US sentiment here?

Maybe, but in my experience it's usually the dominating factor. Anti-US sentiment can be high, and a lot of people from western countries are skeptical that the US can be any more free than their own in any capacity.

> Challenge one: Could it be that previous commenter touched certain dogma?

I don't believe so. The comment I replied to was using state schools banning some books as an example, even though I mention that in my comment and explain why it doesn't apply.

You'd have to be clear on what you think the dogma here might be, but whatever it may be I'm confident my position is backed by facts and reason.

> Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise.

I never claimed the US has no censorship, just that it has a lot more freedom due to cultural and legal reasons in contexts like we are discussing here.

> (No need to report results or reply / just try the exercise for elasticity of the mind)

Critical thinking is an important step in reasoning and a great way to keep a mind sharp, for sure.

> “Freedom” is defined quite differently by people in different countries. While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.

That is interesting. I would say that latter definition applies in the US as well though. For example, we all expect to be free of crime due to police and such, even if that expectation is not always met.

fragmede
1 replies
21h54m

Holocaust denial or vaccines have microchips or other nonsense is one thing. The two things that are censored so I can't post them (not that I want to) are CSAM and Disney Movies.

ruthmarx
0 replies
2h36m

CSAM, I would argue, is an active harm, so that's a little different from speech, although protected IP is a good example. I'd still say it's a little different and not exactly censorship, as it's not exactly 'speech', but certainly IP laws need an overhaul.

throwaway48476
0 replies
1d2h

My school library didn't have any of the Hardy Boys. Was it banned?

j-bos
0 replies
1d4h

When was the last time someone in the US was arrested for hate speech?

Hizonner
0 replies
1d2h

The US "levels" are quite a bit lower than almost anybody else's "levels".

jltsiren
5 replies
1d

Only in the narrow sense, where freedom of speech is only about the lack of government censorship. But in the wider sense, where censorship may also be due to business interests or cultural and societal pressure, I haven't seen any real differences between freedom of speech in the US and the European countries I'm familiar with.

ruthmarx
4 replies
1d

What would be some examples of voluntary censorship from large organizations due to business interests or cultural and societal pressure and not due to government censorship?

ruthmarx
0 replies
2h35m

That's a good example, although is that really more prevalent in the US than in other countries? And it's not exactly censorship, it's people being fired as a consequence or de-platformed, but they can still state their opinions somewhere, even if it's on an alt right platform with barely any subscribers.

jltsiren
1 replies
23h17m

Consider the content policies for popular social media platforms. Consider the platform unilaterally closing your account, which may be tied to many aspects of your life. Remember the cancel culture people used to talk about a few years ago. Think about the controversy around the Gaza war, with people on both sides being afraid to speak their minds due to potential consequences.

While the government may not arrest you, the consequences of expressing your opinions can still be excessive.

ruthmarx
0 replies
2h35m

That's true, but I don't think the US is any worse at this than, say, EU or Anglosphere countries, and indeed I'd still say it would be better than most countries just because of that particular freedom being more culturally significant.

If I read your original comment right, you were agreeing that the US might be ahead as far as government censorship but not as far as the types you list here, is that correct?

immibis
4 replies
1d3h

That is simply incorrect. Did you see the indictment against several unregistered Russian foreign agents to put them in jail for posting Russian propaganda to YouTube?

cubefox
2 replies
1d1h

He said "the US is [...] significantly more free than other western countries". Do you deny this is true?

stoperaticless
1 replies
22h54m

Yes.

Change “significantly” to “technically” or at least to “”, and then I will agree with the statement.

cubefox
0 replies
18h27m

I think you are wrong and I'm not from the US.

ruthmarx
0 replies
1d

The US dismantling a company they allege was being used as a weapon by a hostile country is different from the government preventing access to content that whoever is in charge doesn't personally like.

kmlx
2 replies
1d8h

> RT is banned (broadcasts and streams not allowed, and website blocked) in the UK.

no VPN, rt.com works just fine in the UK, no issues.

i think they banned the live TV in the EU and UK. and i think they also banned the website in the EU, but apparently it’s not enforced? https://www.rferl.org/amp/russia-rt-sputnik-eu-access-bans-p...

haven’t found anything about rt.com being banned in the UK though.

qingdao99
1 replies
1d2h

Blocked for me! Virgin Media is my ISP. Maybe your ISP is less restrictive/compliant (not sure if the block is actually mandated).

kmlx
0 replies
5h45m

could be. running on hyperoptic with cloudflare doh.

stop50
0 replies
1d10h

They used copyright to prevent someone from making new copies. Old copies were not affected.

EasyMark
0 replies
20h22m

I think countries have the right to ban disinformation and lies dedicated to social unrest. If England did ban it, that would probably be the reason: “news” presented as facts and reporting shouldn’t be outright lies.

timomaxgalvin
0 replies
1d6h

Most people want censorship.

seydor
0 replies
1d9h

Also don't confuse elections with democracy

dyauspitr
21 replies
1d12h

What could possibly be “life saving”? On the scale of things, it’s a relatively moderate Islamic country so the best you’re going to get is if you’re gay and keep it quiet, no one is really going to bother you.

aussieguy1234
10 replies
1d12h

PrEP is near 100% effective at preventing HIV. For sure I could see access to information about PrEP or other HIV prevention methods being blocked by an overzealous government.

ETH_start
8 replies
1d10h

Ironic that my comment was censored on a thread complaining about censorship.

HeatrayEnjoyer
4 replies
1d7h

No one has censored you... are you talking about your comment being flagged? That's from user votes, not HN directly.

jtbayly
2 replies
1d4h

“The algorithm decided it. That’s not censorship.”

“The majority decided it. That’s not censorship.”

“The law decided it. That’s not censorship.”

“The users decided it. That’s not censorship.”

“You were just scared your neighbors would kill you, so you didn’t say anything. That’s not censorship.”

I’m having trouble drawing lines.

Twistyfiasco
1 replies
1d3h

The comment was made and still stands.

jtbayly
0 replies
23h46m

Censorship by the majority is still censorship.

I’m not opposed to all censorship. I’m just opposed to refusing to acknowledge it for what it is.

If you have your comment flagged by a couple of people, and removed, that is censorship. Plain and simple.

wordofx
0 replies
22h24m

So… censorship. Just because you don’t like what someone said does not make what they said wrong. Flagging comments is censorship. Plain and simple. You’re trying to remove opinions you don’t agree with.

defrost
2 replies
1d7h

I read your comment about maybe "censoring STI prevention information" might reduce the frequency of gay males having sex.

Seems unlikely, not surprising it got flagged to death, however it's there for anyone with ShowDead enabled to read.

ETH_start
0 replies
11h52m

I was saying censoring LGBT material, not STI prevention literature, might reduce STI transmission rates.

I was responding to one speculation, with another, to show that the parent speculation — that censorship of LGBT information would lead to more death by denying sexually active people in the LGBT community with information on STI prevention drugs — was over simplifying the factors involved, to present their speculation as a matter of fact.

If my comment — which I disclosed as mere speculation — is to be censored on those grounds, the parent comment should definitely have been.

ETH_start
0 replies
1h44m

But after re-reading my comment, I see now that it could be read as me suggesting that censorship of STI prevention information could lead to less male-to-male sexual contact and thereby reduce STI infection rates and with it deaths. That wasn't what I intended to convey. I was referring to censorship of LGBT material in general potentially having that effect.

dyauspitr
0 replies
1d12h

PrEP is not exclusive to LGBT communities (though they are at significantly higher risk than the general population). It’s free at (some) government clinics in Malaysia.

becquerel
7 replies
1d11h

Awareness and acceptance on LGBT matters can have a big impact on suicide rates.

jtbayly
6 replies
1d3h

Is that why the average suicide rate is lower in majority Muslim countries? Awareness presumably increases suicide?

I know you were implying the opposite, but how many suicides are you going to prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?

These are generalized rates, of course, but in point of fact, your claim is not substantiated by any real data.

mthoms
3 replies
1d1h

You're unaware of data to support the claim that social acceptance of LGBTQ people (particularly children) lowers their suicide rates? Really? This fact is well established and also makes perfect sense logically speaking.

https://onlinelibrary.wiley.com/doi/abs/10.1002/ajcp.12553

https://www.sciencedirect.com/science/article/pii/S027795362...

https://www.thetrevorproject.org/survey-2022/#support-youth

There's plenty more if you care to just Google it.

The rest of your comment is ridiculous because obviously there is more than one contributing factor to suicide. Including (perhaps) latitude.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9822839/

jtbayly
2 replies
17h22m

I’ve done much more than randomly Google it.

I’ve read about it in depth.

Encouraging people to be LGBT has resulted in massive increases in the number of people claiming to be trans, for example. Assuming they have the “best” case scenario of an affirming home, apparently 14% attempt suicide, according to your third link.

Now let me ask you, how many people have we killed by “affirming” these things to the point that it’s actually cool to be trans in most schools?

We’re driving up the denominator on the highest risk category for suicide while pretending that that very thing will reduce suicide.

piperswe
1 replies
12h12m

What are the suicide rates of people who are trans but don't know they can even describe their experience as being trans due to lack of information?

What are the suicide rates of people who aren't trans but claim they are?

I would assume the former sits significantly higher than 14%, and the latter sits significantly lower - close to the baseline.

Why would simply claiming you're trans increase your chances of attempting suicide? When I see takes like this, I can't help but think that it comes from you thinking trans people don't actually exist and are just a modern fabrication, a sort of mass psychogenic illness.

jtbayly
0 replies
6h46m

If trans is real the only thing we have to go on is whether people claim they are or not. You deny their claim?

That’s what all of the data on the sites linked above is based on: people who claim they are trans.

Read the accounts of people working in the clinics about groups of girlfriends from the same class coming in and getting treatment, and it is clear there is a mass psychogenic illness that has been caused by the promotion of trans sexuality.

qwytw
1 replies
21h29m

> Is that why the average suicide rate is lower in majority Muslim countries? Awareness presumably increases suicide?

Either you think that the majority of the population in Malaysia or the US identify as LGBT+ or you're really struggling with basic statistics and reasoning.

> prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?

Presumably the idea would be to reduce it to some number lower than 6. Or do you believe the majority of people in the US are killing themselves because of "Awareness and acceptance on LGBT matters"?

jtbayly
0 replies
17h31m

As I said, “These are generalized rates, of course”

If the idea is to reduce it below 6 by preventing a few suicides per year (which is not likely), how confident are you that destroying the culture of the nation in the process will not cause the number to rise to 14?

praptak
0 replies
1d11h

Trans people suicide rate increases if they are left without help.

potamic
0 replies
1d11h

Quite plausibly, mental health resources. I assume connecting with like minded individuals and communities can go a long way in helping you understand yourself and reconcile your differences with broader society.

ekianjo
15 replies
1d11h

democracy as a word means nothing at all. there are democracies in Europe where it's fine to jail people for what they write online.

chgs
11 replies
1d8h

Same in the US too.

ruthmarx
10 replies
1d6h

That's simply not true.

gray_-_wolf
3 replies
1d5h

Well, did they not try to jail Trump for what he wrote online in January after losing the election?

rty32
0 replies
7h54m

I believe there is a difference between "ranting about election outcome on reddit as nobody" vs "encourage my supporters to invade the Congress and/or overthrow the government, as the President", because, you know, the latter actually could be illegal, and there are a bunch of laws around it.

qwytw
0 replies
21h36m

Did they? Can you share the text of the indictment instead of asking meaningless low effort questions?

diggan
0 replies
1d4h

I don't know exactly what you're referring to, I don't know the details of the events.

But is there a possibility there is a distinction between "I can freely share my political opinions about things" versus "I can ask/cheer on people to commit crimes without consequence"?

ruthmarx
0 replies
1d

A government dismantling a corporation being used as a weapon by a hostile country is not the same as a government blocking individuals access to websites they don't approve due to conservative values.

Wytwwww
0 replies
21h37m

So? Your point is what exactly?

They were charged for money laundering...

ruthmarx
0 replies
1d

What point are you making with this link?

ekianjo
0 replies
1d6h

not true yet.

markdown
2 replies
17h29m

It sounds like you just don't know what it means.

> there are democracies in Europe where its fine to jail people for what they write online.

And? You seem to believe that a democracy refers to a bundle of freedoms that you personally believe everyone should have. Democracy means governance by the will of the majority. If the majority want people to be jailed based on their writings or speech, then that's what happens in a democratic country.

ekianjo
1 replies
17h26m

> Democracy means governance by the will of the majority.

if that's your definition then a lot of countries where the majority tribe is in a form of dictatorial power are also democracies

markdown
0 replies
10h4m

If the person you're calling a dictator was elected in free elections by the majority, then yes, that's a democracy. Their political party, tribe, whatever you want to call it is irrelevant.

kelnos
0 replies
1d9h

> This is still for sure going to be copied by authoritarian regimes worldwide.

I think that ship has sailed. Malaysia certainly isn't the first to pull this.

andai
0 replies
1d7h

Surprised VPNs are legal in Malaysia. Usually censorship and blocking VPNs goes together.

lemme_tell_ya
46 replies
1d7h

> It has been falsely claimed that the measure undertaken by MCMC is a draconian measure. We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.

That's how it _always_ starts out, the "its for your own good, trust me" excuse.

mensetmanusman
28 replies
1d5h

Has anyone built the AI web browser yet? The one that redraws any image you might find offensive, rewords advertisements, and rephrases comments to be positive?

That would be cool?

jay-barronville
5 replies
1d2h

> Yes: https://github.com/alganzory/HaramBlur

No. This is more similar to an ad blocker, but focused on helping Muslims respect their religious standards while they browse the web. I’m not a Muslim, but it makes perfect sense to me. Good for them—I see no problem with it.

umbra07
2 replies
18h53m

Yes, let's encourage gender divides and backwards thinking.

jay-barronville
1 replies
18h2m

> Yes, let's encourage gender divides and backwards thinking.

I’m sorry that everyone in the world doesn’t think the way you’d like them to.

I know lots of Muslims, both male and female, and they’re perfectly normal to me. In fact, some of them are some of the most wholesome folks I know: Humble and hardworking humans who build and love their families, and of course, believe in something much greater than themselves. I see nothing “backwards” about that.

Log_out_
0 replies
1h14m

just don't seem to produce much art, innovation and working institutions in any region they are culturally dominant. and when asked why that is, digress fast into antisemitism and conspiracy babble.

stoperaticless
1 replies
21h38m

Mixed feelings.

Somebody installs it for him/her-self. Sure, power to you!

Neighbour in a non-Muslim state installs it for their children: their right, but feels fishy regarding a child's right to truth.

jay-barronville
0 replies
18h13m

> […] their right, but feels fishy regarding child right to truth.

I’m not sure what’s fishy about it. Parents have always controlled what their children should have access to and consume. The entire concept of “parental controls” exists for this reason—we’ve always understood a parent’s rights over their children and none of that was at all controversial until like 5 minutes ago.

This is a digression anyway, so I’ll just stop there…

UristMcPencil
2 replies
1d2h

Issue#92: boycott GitHub for Zionism

Given the repo name, I shouldn't have been surprised

aguaviva
1 replies
22h21m

Unfortunately there is a very pertinent context to the concerns raised by that user:

  Microsoft has invested in a startup that uses facial recognition to surveil Palestinians throughout the West Bank, in spite of the tech giant’s public pledge to avoid using the technology if it encroaches on democratic freedoms.

  AnyVision, which is headquartered in Israel but has offices in the United States, the United Kingdom and Singapore, sells an “advanced tactical surveillance” software system, Better Tomorrow. It lets customers identify individuals and objects in any live camera feed, such as a security camera or a smartphone, and then track targets as they move between different feeds.
https://www.nbcnews.com/news/all/why-did-microsoft-fund-isra...

thelittleone
0 replies
20h26m

They seriously called this app Better Tomorrow. Just wow.

kylebenzle
3 replies
1d4h

That is 100% what Facebook and Google are doing now with targeted ads and search results.

Most people already only see the web the way Google wants them to see it.

brookst
2 replies
1d3h

True, but to be fair this isn’t Google being ideological. They’re just responding to customer signals that customers prefer content to be shaped. If there was more CLV in one-size-fits-all search results, Google would do that.

There’s an argument that Google should not cater to our preferences, but I don’t think I buy it.

rvba
0 replies
1d2h

There was an article here 2 or 3 months ago about the person responsible for making google search so much worse.

So arguably google does not respond to customers anymore. Shareholders? Maybe. But probably those who prefer short term gain, not long term value.

https://news.ycombinator.com/item?id=40133976

Hizonner
0 replies
1d3h

Google's customers are advertisers, not you.

TacticalCoder
2 replies
1d5h

> The one that redraws any image you might find offensive, rewords advertisements, and rephrases comments to be positive?

You're kidding but I've already toyed with using AI models to analyze browsers' screenshots and determining if it's likely phishing or not and it works very well.

keeda
0 replies
23h50m

Very interesting, I'm working on exactly the same problem from a couple different angles, but I'm not having much luck. I have negligible background in AI/ML or computer vision however, so I'm most certainly Holding it Wrong (TM). My general approach has been trying to generate embeddings using smaller models like MobileNet and ResNet (not trained or finetuned or anything) and using similarity metrics like Cosine distance, but there's too many false positives. If you can disclose it, would you be willing to expand on what has worked for you?

jay-barronville
0 replies
1d1h

> […] I've already toyed with using AI models to analyze browsers' screenshots and determining if it's likely phishing or not and it works very well.

Assuming the AI is comparing screenshots of real versus phishing, it can only figure it out for poorly done phishing websites.

As phishing scams get more sophisticated with scam websites that look exactly like the real ones, the only things that truly matter are protocols (i.e., HTTP versus HTTPS), domains, URLs, certificates, etc.

echelon
1 replies
1d4h

This would kill Google if it caught on.

kylebenzle
0 replies
1d4h

This IS Google.

dudeinjapan
1 replies
1d1h

Startup idea #72831: Build "Nostalgia" browser which uses AI to convert every page to Web 1.0, complete with "Under Construction" banners and CGI visitor counters.

linotype
0 replies
19h38m

+1, I’d pay for a license.

A4ET8a8uTh0
1 replies
1d5h

Hah. It is still early morning so I let my mind run wild for a while. I am not aware of any public facing projects that do that, but in my mind's eye I saw a polymorphic browser adjusting its code to meet the new AI web that is constantly in flux.

You want privacy? It stamps out any attempts at fingerprinting by attempting to be the most common browser (and config) out there, it spoofs any and all identifying data, it redraws pages without paywalls, without cookie notices and puts all pages in simple text output mode removing all other ads in the process, but keeps pictures for fora that use them.

You want 1984? It won't let you see anything that is not approved by the party.

Onwards, to our glorious future.

edit:

Valuemaxx edition. Store pages with discounts have bruteforced discounts found and added for maximum value.

It already is crazy. I can't even begin to imagine it being more crazy.

mensetmanusman
0 replies
1d5h

This should exist. You could get to such low bandwidth with such a system. Every image could be replaced by a description. Etc.

lincon127
0 replies
1d3h

Well, that sounds horrifying.

krona
0 replies
1d5h

I would call it Soma in reference to Brave New World.

causality0
0 replies
1d2h

In the past I've had fun with extensions that randomize genders and ethnicities.

BlueTemplar
0 replies
21h52m

There have been a bunch of more or less jokey browser extensions over the years replacing some specific words by others.

AStonesThrow
0 replies
1d

"Guys, I am just pleased as punch to inform you that there are two thermo-nuclear missiles headed this way... if you don't mind, I'm gonna go ahead and take evasive action." -- Eddie, the Shipboard Computer (Douglas Adams)

1oooqooq
8 replies
1d6h

"think of the children" is never out of style.

but remember we have this (widespread from 90s to 2010) to this day in the USA, and they don't even bother with excuses. just shove advertising and hijack searches right on your face.

google didn't force httpsdns on your browser for nothing. it was digging in THEIR pockets.

spacemanspiff01
4 replies
1d5h

Why does Google benefit from httpsdns?

em-bee
3 replies
1d5h

httpsdns in the chrome browser will by default go to googles dns servers allowing them to collect all the tracking data.

selcuka
2 replies
1d5h

They could've done that without httpsdns too.

em-bee
1 replies
1d4h

yes, but then they would have upset local admins for bypassing the local resolver. that is still an issue with httpdns, but now they have a better argument against using the local resolver as default.

the ideal situation would actually be to implement httpdns on the OS/router level and allow the user/local admin choose the policy. i expect that this is going to happen soon in most linux distributions.

brookst
0 replies
1d3h

Surely they could just as easily report all DNS queries to Google under the guise of telemetry or search optimization or whatever. And of course let people disable that, which about 0.001% would do.

Httpdns is too complex of a solution to the business goal you’re suggesting. There are much simpler / less expensive ways of doing it.

pipes
2 replies
1d6h

Not exactly the same thing, as it isn't a law.

speedchess
1 replies
1d3h

Which makes it worse in many ways. The entire tech, business, etc world has adopted the same censorship regime without government orders. So who is giving out the orders?

linotype
0 replies
19h32m

Shareholders.

chaostheory
3 replies
1d3h

This is also coming from a country that’s implemented apartheid

vondur
2 replies
19h27m

Malaysia has an apartheid policy?

chaostheory
0 replies
9h22m

Yes, for anyone not part of the majority Malaysian population, specifically against Indian and Chinese people.

protomolecule
1 replies
1d4h

Every power can be used for good or for evil.

Aerbil313
0 replies
1d1h

No power used by humans exists in a vacuum. In the hands of human beings, most powers are heavily biased towards one extreme in the spectrum. Man doesn't shape the world with the tools of the time - technology shapes the world and the man.

Jacques Ellul and/or Ted Kaczynski might be a starting point on this matter.

zarzavat
0 replies
13h26m

Malaysia famously banned the movie Babe because a talking pig might offend religious sensibilities. It’s safe to say that freedom of expression is not a high priority over there.

cebert
0 replies
1d3h

It’s for the children! Don’t you love children?

CAP_NET_ADMIN
43 replies
1d13h

I'm wondering if they thought about DoT, DoH and DNSCrypt.

Joel_Mckay
38 replies
1d13h

Or people setting the DNS IP on their routers and phones:

Google 8.8.8.8 8.8.4.4

Control D 76.76.2.0 76.76.10.0

Quad9 9.9.9.9 149.112.112.112

OpenDNS Home 208.67.222.222 208.67.220.220

Cloudflare 1.1.1.1 1.0.0.1

AdGuard DNS 94.140.14.14 94.140.15.15

CleanBrowsing 185.228.168.9 185.228.169.9

Alternate DNS 76.76.19.19 76.223.122.150

https://github.com/yarrick/iodine =3

bazzargh
18 replies
1d12h

I'm in the UK; my ISP hijacks dns requests on port 53 so nope, none of that works. They're not alone doing this https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_... For the most part this is not noticeable; but addresses to a bunch of my _work_ stuff don't resolve on whatever hacky dns replacement they offer, if I'm not on the work vpn.

They also block port 853 (so no DoT), and https to well-known dns servers; so you can't use DoH to google, but others may work.

If you're on a vpn they never see the traffic, you can also bypass them using a pihole with unbound to proxy dns to a DoH server - as long as they haven't blocked it.

Ironically the corporate vpn I use also hijacks dns (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward

ekianjo
8 replies
1d11h

what do you mean they hijack port 53? this is a local setting on your OS. they can't hijack the DNS call if you set it to something else.

inkyoto
3 replies
1d10h

They absolutely can and some do. The destination UDP port number of a UDP packet traversing the core network of an ISP can be inspected and acted upon as one pleases.

ekianjo
1 replies
1d6h

my point is you can point a call to 53 on a machine on your own network and your ISP can't do shit about that

inkyoto
0 replies
17h43m

Very well. You have pointed your DNS resolver to a host on your local network for the DNS name resolution.

When a DNS lookup request hits it, where does a UDP packet on 53 go out to and what happens to it?

Joel_Mckay
0 replies
1d8h

Unless it is tunneled over a binary obfuscation layer, and wrapped in purposely weakened cryptography to booby-trap their parser.

There are also the global satellite uplinks... so it's ultimately a pointless game to keep people ignorant, that is unless they plan to follow people around like a hot-air balloon villain from Pokemon Go. lol =3

bazzargh
1 replies
1d7h

the isp blocks/redirects the traffic outside my network. so if you just try to send normal udp/tcp port 53 externally, it won't get there. This is why I mention a pihole; by setting my dns server to something on my local network and then having that use DoH I can get past the block. I can't configure every device to use eg DoT or DoH directly, but I usually can configure their port 53 nameserver, directly or via DHCP

the vpn provider, it's just a split tunnel thing; since that is a local process, yes they can hijack it. Originally when we switched to our current vpn provider it didn't even let us use localhost or loopback dns, but we needed that for the way we use docker in development, so now it's just anything except those being redirected.

ekianjo
0 replies
1d6h

port 53 requests are not limited to external requests. that's what I was implying in my comment.

chgs
0 replies
1d8h

I configure my router to divert all UDP/53 to my pi hole. The advertising industry hates this type of behaviour, but it means even an IoT device using hard-coded DNS (rather than what I tell them from my DHCP or ND settings)

This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.

PhilipRoman
0 replies
1d10h

They can do anything unless constrained by cryptography. I assume it just means redirecting all port 53 traffic which 99% of time will be DNS regardless of IP.

glitchcrab
3 replies
1d8h

Out of interest, which ISP do you use?

bazzargh
2 replies
1d7h

Virgin Media. At the time I switched I needed more bandwidth for work - dealing with multi-gigabyte blobs all day; I was with BT, but BT wouldn't let me upgrade to a gigabit fibre connection, and the City Fibre network which is now everywhere wasn't yet in my street.

pixelpanic360
1 replies
1d

You can go to VM dashboard to disable the adult content filtering. It will then not block DoT and DoH.

Joel_Mckay
0 replies
14h9m

Many ISPs will also auto-redirect un-allocated domain names to their own websites. Others will ban most inbound connections with a port under 1000 to prevent self-hosting/video-surveillance users.

Annoying if you are trying to bring up a remote domain server, and thinking WTF while checking things out in dig. lol =)

chgs
2 replies
1d8h

Why don’t you change ISP?

You choose an isp with those features that’s on you. It’s not like the UK is a backwards country with a monopoly of one or two ISPs for a given location.

bazzargh
1 replies
1d7h

I had just switched to this one when I discovered the problem, so was under contract for the next couple of years, and it's not like they advertise this as a feature where you'd have made that choice beforehand. Also, I didn't just need "an ISP" I needed a high speed connection and at the time my previous provider said they didn't offer that to existing customers, while the handful of others appeared to only offer 1/10 of the speed I wanted or only offered it bundled with tv/sport packages (I don't watch tv)

Since then City Fibre completed their rollout and I'm no longer an existing customer with BT so now I _do_ have a choice.

But bigger picture here: I mentioned my setup on a thread where a country is mandating all of their ISPs do this. Sometimes you don't have a choice.

SoftTalker
0 replies
1d1h

Comcast/Xfinity does that in the USA, at least if you use the newer modem/routers that they provide. If you use your own router you can still set your own DNS provider. DoH is a workaround for web browsing.

Joel_Mckay
0 replies
1d12h

The UK government IPs show up on our ban lists often for illegal theft of service, and CVE scans. Have you tried a Bind9 relay with iodine/vpn tunnels for local transparent network traversal across the hostile sandbox?

i.e. obfuscate the traffic using the hijacking DNS servers themselves.

Just a thought =3

hales
9 replies
1d13h

This will not work if ISPs redirect DNS queries. Only the methods CAP_NET_ADMIN mentioned will work.

stingraycharles
3 replies
1d12h

These are being redirected by the Malaysian government as well.

Joel_Mckay
2 replies
1d12h

You do know what happens when people try to MitM SSL traffic, correct?

Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3

kelnos
1 replies
1d8h

Yes, the connections fail, and most clients will fall back to regular ol' DNS on port 53, which then gets redirected to the government's DNS servers.

So far clients have chosen availability instead of fighting this fight.

Joel_Mckay
0 replies
1d8h

Unless your local router tunnels the DNS traffic via other means. The clients may see slightly higher latency, but for <16 host hotspots it would be negligible.

It is quite easy for example, to bounce traffic through a reverse proxy on a Tor tunnel, and start ignoring spoofed drop-connection packets (hence these bypass local DNS, tunnel to a proxy IP to obfuscate Tor traffic detection, and exit someplace new every minute or so.) This is a common method to escape the cellular LTE/5G network sandbox.

Ever played chase the Kl0wN? Some folks are difficult to find for various reasons.

Have a nice day, =3

kijin
3 replies
1d12h

An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service, so that governments can't block DoH without blocking all of Google or YouTube. Using a dedicated domain like that, they're just begging to be blocked.

I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?
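
The two comments above, bazzargh's description of port-53 hijacking and kijin's question about proxying DoH, are served by one added example (not code from the thread, nor from any resolver or ISP named in it): a standard-library Python toolkit that builds and parses DNS wire messages, probes for transparent port-53 interception by querying an address that cannot be a resolver, and constructs RFC 8484 DoH requests. The blackhole target 192.0.2.1 (TEST-NET-1), the name www.example.com and the endpoint dnsserver.example.net are assumptions for illustration.

```python
# Added example (not from the thread): stdlib-only DNS wire-format toolkit to
# (1) probe whether port 53 is transparently intercepted and (2) build the
# RFC 8484 DoH requests a reverse proxy would forward. 192.0.2.1 (TEST-NET-1),
# www.example.com and dnsserver.example.net are assumptions for illustration.
import base64
import random
import socket
import struct
import urllib.request


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=1, txid=0, rd=True):
    """One-question query. txid=0 keeps DoH GET URLs cache-friendly (RFC 8484 s4.1)."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _skip_name(buf, off):
    """Advance past a possibly compressed name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse_response(buf):
    """Return (txid, rcode, [A-record IPs]); other RR types are skipped."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4        # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, addrs


def udp_query(server_ip, wire, timeout=2.0):
    """Send one query; return (reply, source) or (None, None) on timeout/ICMP error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server_ip, 53))
        try:
            return s.recvfrom(4096)
        except OSError:
            return None, None


def reply_indicates_interception(reply, txid):
    """A well-formed answer to a query sent to a host that is not a resolver can
    only come from something on the path. A DNAT middlebox rewrites the source
    back to the original destination, so the reply looks like it came from the
    blackhole address; the fact that any reply exists is the tell."""
    if reply is None or len(reply) < 12:
        return False
    rid, rcode, _addrs = parse_response(reply)
    return rid == txid and rcode in (0, 3)  # NOERROR or NXDOMAIN both count


def probe_port53(blackhole_ip="192.0.2.1", name="www.example.com"):
    """True when the ISP (or anything in between) answers for a non-resolver."""
    txid = random.randrange(1, 0xFFFF)
    reply, _src = udp_query(blackhole_ip, build_query(name, txid=txid))
    return reply_indicates_interception(reply, txid)


def doh_get_url(template, wire):
    """RFC 8484 GET: base64url of the wire message, padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return template + "?dns=" + b64


def doh_post(url, wire, timeout=5.0):
    """RFC 8484 POST: the body is the raw wire message. Any HTTPS reverse proxy
    that forwards path, body and Content-Type untouched can front this."""
    req = urllib.request.Request(url, data=wire, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("port 53 intercepted:", probe_port53())
    print(doh_get_url("https://dnsserver.example.net/dns-query",
                      build_query("www.example.com")))
```

On a connection like the one described, probe_port53() returns True because the middlebox answers a query addressed to something that is not a resolver. For the proxy question: a DoH request is ordinary HTTPS carrying application/dns-message, so a reverse proxy that forwards the path, body and headers unchanged should work without understanding DNS at all; the proxy then sees every query in the clear, so it has to be a host you trust. The GET form with txid 0 for www.example.com reproduces the URL in RFC 8484's own example.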

kelnos
1 replies
1d8h

An easy solution would be for Google to host their DoH endpoints on the same domain(s) as their regular service

That's not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.

Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.

kijin
0 replies
1d8h

most users are not going to be savvy enough to find those IPs and use them.

Very few people configure DoH on their own. It's up to the DoH-enabled client software (mostly browsers) to obtain lists of resolver IPs and keep them up to date.

If Cloudflare, for example, really wanted to make their DoH traffic indistinguishable from other HTTPS traffic, they could literally host DoH on any domain or IP under their control and rotate the list every now and then.

Joel_Mckay
0 replies
1d12h

Iodine will obfuscate the traffic using the redirected DNS hijack servers themselves.

Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.

Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3

noncoml
8 replies
1d13h

thats exactly what the redirection is trying to fight…

Joel_Mckay
7 replies
1d12h

They are going to have to ban around 3000 proxies as well to make any impact on users. =3

stackghost
1 replies
1d10h

Why do you keep signing your comments with '=3'?

Joel_Mckay
0 replies
1d8h

Don't worry about it friend =3

schoen
1 replies
1d12h

"Any" impact on users?

It sounds like you're working with a model in which most users are conscious that they're very offended or inconvenienced by censorship, and want to research technical means of circumventing it. I wish that were true, but I doubt it's nearly as common as your intuition suggests.

Joel_Mckay
0 replies
1d12h

Motives are complicated at times, but traditionally despotic movements are always hostile toward sources of truth that contradict official narratives.

However, one could be correct in that people may prefer to be ignorant. As YC karma is often negatively impacted by facts. QED =3

kelnos
1 replies
1d8h

3000 proxies seems like no big deal for the government to ban.

"Any" impact is weird phrasing, though. Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.

Joel_Mckay
0 replies
1d8h

Except the lists often change every minute, and some types of proxies are just a compromised script/page sitting on commercial, private, and government servers.

Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.

There are several one-button vpn/proxy+tor apps for unrooted phones already, and they are dodgy on a good day. =3

rty32
0 replies
8h1m

That's rookie number for China's firewall.

Chinese government couldn't have cared less about that "impact" -- even if only less than 1% of Wikipedia content mentions Chinese government at all, they are going to block the Wikipedia website.

tsimionescu
2 replies
1d11h

I think most countries that do this also block/redirect the major DoH providers like CloudFlare or Google. Of course, you can always hide your DoH traffic by going to other servers or worst case using an HTTP proxy and avoid that.

There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.

kelnos
1 replies
1d8h

There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.

Are there? When Kazakhstan announced they were going to do this, all the major browser vendors blocked their CA... so they backed down. What other countries do this and get away with it?

schoen
0 replies
1d13h

I hope not!

Shank
31 replies
1d13h

Websites are only blocked when they are found to host malicious content, such as copyright infringements, online gambling, or pornography

So I guess pornography is illegal in Malaysia?

I guess this is a great time for Malaysian users to switch to DoH.

Edit: Yes. Wikipedia:

Pornography is illegal in Malaysia with fines of up to RM10,000 for owning or sharing pornographic materials
seungwoolee518
13 replies
1d13h

My country (South Korea) also prohibits pornography services. (And they also terminate TLS connections using the TLS HELLO.)

So, DoH should work fine for now, but they (the government) will terminate HTTPS (or TLS) connections ASAP.

HeatrayEnjoyer
7 replies
1d7h

My country (South Korea) also prohibits pornography services.

Why? I've never heard of a non-Islamist nation banning content as benign as porn.

timomaxgalvin
2 replies
1d6h

Is porn benign?

Muromec
0 replies
1d5h

It's a thing of deprived bourgeoisie. So are drugs, alcohol and having a personal car.

Biganon
0 replies
1d2h

No, and neither is refined sugar. Your point?

seungwoolee518
0 replies
1d4h

So, they're not blocking only porn. They're blocking a wide range of sites with various reasons - for example: selling illegal drugs (including mental, abortion drugs), copyrighted sites (torrent, etc), praise about north korea, etc...

When they've started to terminate TLS, the reason was to terminate illegally shared webtoon (web cartoon) sites.

For more info: https://en.wikipedia.org/wiki/Internet_censorship_in_South_K...

inferiorhuman
0 replies
1d5h

Pornography was broadly illegal in the UK through the 1980s. It's still illegal in the Vatican, which is about as far from an "Islamist" country as you can get.

Muromec
0 replies
1d5h

Ukraine still has soviet-era law criminalizing possession, distribution and production of porn. It's only enforced against local producers, but it's a thing.

christophilus
3 replies
1d13h

The only hotel I remember from my visit to South Korea (20 years ago) had a whole bookcase full of porno DVDs in the lobby. Were they just breaking the law in plain view?

seungwoolee518
1 replies
1d13h

There are some movies out there (but they're not porn), known as Ero(tic)-Movies.

It's legal, but it's not porn.

kijin
0 replies
1d12h

There are conditions a producer must meet to make their wares legal.

Same as why a lot of Japanese people seem to have pixelated genitals. ;)

csomar
0 replies
1d12h

People break the law all the time, it's up to the government to enforce it and many times the government is unable to do that. See here in the case of Malaysia, it's not that Porn was legal, it's that they weren't competent enough to restrict it or know about DNS things.

38
0 replies
1d12h

You can spoof the TLS Hello since at least 2021

harrygeez
10 replies
1d13h

I'm Malaysian. They even messed up DoH for the popular DNS providers like Google and Cloudflare. I think they are routing 1.1.1.1 to their own DNS, so when you try to connect to DoH you get SSL_ERR_BAD_CERT_DOMAIN. The only option it seems is to VPN or play the cat and mouse game now to find a DNS that hasn't been rerouted yet
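
As an added example (not from the thread), a check for the rerouting harrygeez describes: connect to the resolver's IP with TLS, send the expected hostname as SNI, and see whether the certificate actually presented is valid for that name. The 1.1.1.1 / cloudflare-dns.com pair is the one named in the comment; the certificate dictionaries and the hostname dns.isp.example are constructed for illustration.

```python
# Added example (not from the thread): detect whether the path to a DoH
# resolver's IP has been rerouted by checking the TLS certificate it presents
# against the hostname you expect. The certificate dicts and dns.isp.example
# below are constructed for illustration.
import socket
import ssl


def san_matches(cert, hostname, ip=None):
    """True if a getpeercert()-style dict carries a dNSName SAN matching
    hostname (a wildcard covers exactly one leftmost label) or an iPAddress
    SAN equal to ip. This mirrors what check_hostname=True does inside
    wrap_socket; it is kept separate so it can be tested on saved certs."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            v = value.lower()
            if v == host:
                return True
            if v.startswith("*.") and "." in host and host.split(".", 1)[1] == v[2:]:
                return True
        elif kind == "IP Address" and ip is not None and value == ip:
            return True
    return False


def probe_resolver_tls(ip, hostname, port=443, timeout=5.0):
    """Connect to ip with SNI=hostname; return (ok, detail).
    ok=False with 'certificate rejected' is the SSL_ERR_BAD_CERT_DOMAIN case:
    the address answered, but with a certificate issued for something else."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = cert.get("subjectAltName", ())
                return san_matches(cert, hostname, ip), sans
    except ssl.SSLCertVerificationError as e:
        return False, "certificate rejected: " + e.verify_message
    except (ssl.SSLError, OSError) as e:
        return False, "connection failed: " + str(e)


# Constructed certificate dicts in the shape getpeercert() returns.
GENUINE_CERT = {"subjectAltName": (("DNS", "cloudflare-dns.com"),
                                   ("DNS", "*.cloudflare-dns.com"),
                                   ("IP Address", "1.1.1.1"))}
INTERCEPTOR_CERT = {"subjectAltName": (("DNS", "dns.isp.example"),)}

if __name__ == "__main__":
    print(probe_resolver_tls("1.1.1.1", "cloudflare-dns.com"))
```

A rejected certificate on a direct connection to 1.1.1.1 means the packets are not reaching Cloudflare; a DoH client that then silently falls back to plaintext port 53 has been downgraded to the government resolver, so the fallback behaviour of your client matters as much as the resolver choice.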

acheong08
7 replies
1d9h

Where are you? My DNS seems to work perfectly fine right now in Penang (with VPN off).

It’s sad that democracies are copying the playbook of China. Will definitely be using v2ray/X-ray while here

ProtoAES256
4 replies
1d6h

Sarawak here (on unifi). My network uses self setup multi DNS path with enforcing encryption so no biggie but I tried some nonetheless. Quad 8, 1 are fine atm, while Quad 9 traceroute returned !X.

harrygeez
3 replies
1d5h

can you share a little on your setup?

ProtoAES256
2 replies
1d4h

router DNS redir to pihole(Not the shitey FiberHome) -> pihole to internal(bind9 plain local to Adguard Proxy DoQ) -> self hosted tunneled whitelist DNS quicdoq DoQ, Adguard DNS DoQ (upstream quad 101, others.)

harrygeez
1 replies
23h5m

I have a similar setup, it will not be immune if they start implementing in your area. They were rolling out by areas before they reversed course. Your upstream will stop working unless you proxy it through another network

ProtoAES256
0 replies
14h29m

It is proxied towards a machine outside of Malaysia (A machine I've setup elsewhere). So yeah.

kelnos
0 replies
1d9h

It’s sad that democracies are copying...

"Democracy" is a bit of a red herring here. Democracy doesn't mean the government can't censor you or restrict what information or media you can consume. Democracy just means that the voters have consented to whatever legal framework is in place, and to whatever their leaders want to do within that framework.

And that's the thing: in many democracies around the world, if there were a referendum on a law to block copyright infringement, online gambling, or pornography at the ISP level, I think many would pass that law.

(Certainly there are "democracies" out there that only pay lip service to the concept, and have fixed elections and repression of dissent or opposition. I'm not talking about those.)

harrygeez
0 replies
1d9h

I'm in PJ. It seems that they have reversed the move after wide media coverage, claiming that there has been a "confusion"

eptcyka
0 replies
1d3h

Are they rerouting traffic to port 443 and 853?

CAP_NET_ADMIN
5 replies
1d13h

Countries always fighting the most important battles :eyeroll:

RandomThoughts3
3 replies
1d13h

Backward countries being backward. The main flaw of modern liberal societies is that parts of them have stopped believing that liberalism is indeed progress. All hail the moral police and long live cultural relativism or whatever its currently trendy post-structural reconstruction is.

yarg
2 replies
1d12h

It doesn't help that the term 'liberal' has had its meaning so co-opted that it now refers to people who reject freedom of speech and belief.

CaptainFever
1 replies
1d9h

True, though I would say that is leftism. Leftists actually hate liberals and use it as a slur, believe it or not.

BlueTemplar
0 replies
21h20m

While they often go together, economic liberalism shouldn't be confused with social liberalism.

stackghost
0 replies
1d13h

Porn is just the justification. It's easy to find something repugnant on whatever streaming video site and then start with the "protect the children" nonsense.

The real issue is always control.

blackoil
12 replies
1d12h

Balkanization of the Internet is inevitable. As more and more people join it, there will be conflict between beliefs, values, and politics. Large markets like EU, India can keep companies aligned, but for smaller nations it will be easier to just selectively block global platforms and have local/compliant alternatives. China has shown it is possible and profitable.

profmonocle
8 replies
1d10h

I'm honestly surprised that the US doesn't have a legal framework to force ISPs to block IPs / DNS hostnames. I've been expecting that for 10+ years now, but it hasn't happened.

anal_reactor
6 replies
1d10h

It's because the US is so powerful they can take down any controversial website. See how literally all services with more than 10 users say in their terms of service "we don't want anything that might violate US law".

andai
4 replies
1d7h

Is that also sites operated outside the US?

diggan
3 replies
1d7h

Obviously no, other websites follow the laws of their business entity/where servers are hosted usually. Not sure what parent is talking about.

chgs
2 replies
1d5h

US will use all manner of tools to extradite foreign citizens who have never been to the US because they broke US law.

Nobody has to worry about breaking Thai laws around defaming the King because Thailand isn’t a superpower with the ability to enforce its will beyond its borders.

Everyone has to be worried about breaking US law.

diggan
1 replies
1d5h

Except what you wrote only applies to countries with extradition treaties with the US (meaning the government in those countries have agreed that US law can apply in their country too).

Not every country has this, so no, not "everyone has to be worried about breaking US law".

Regarding Thailand specifically, they have a principle of "double criminality", so people are only extraditable if what they're accused of is a crime both in Thailand and the country they're being extradited to. So maybe not the best example.

Besides, other countries have extradition treaties with other countries than the US too, even non-super power ones.

throwaway48476
0 replies
1d2h

Double criminality applies in every extradition case.

HeatrayEnjoyer
0 replies
1d8h

Isn't that just code for "don't post CSAM"?

kelnos
0 replies
1d9h

I think for the most part because it's not needed. Anything hosted on a .com, .net, .org (or any other TLD where the TLD's root DNS is managed by a US company) can be taken down with a court order. There's no need to involve ISPs.

In general they're not going to bother with IP blocking; once they've killed DNS, they're satisfied that most people will not be able to access it.

And for the most part, that's good enough. There's perhaps an argument that the US gov't should be blocking IPs/DNS of things like hacking rings and malware distributors that are hosted elsewhere, on TLDs out of their reach (where ISP blocking would probably be the only or at least best way), but they mainly only care about e.g. sites that threaten the copyright cartels, when it comes to legal takedowns, anyway. And for sites that host illegal content, they seem happy only prosecuting US residents who access them.

wyager
0 replies
1d5h

We were very fortunate to live through the aberrant time period in which there was a truly global data network. It feels almost like an inevitable fact of entropy that eventually the bureaucrats and petty fiefdoms would catch on to the existence of the system and demand their slice of the pie.

prpl
0 replies
1d11h

intronet

bamboozled
0 replies
1d8h

"the cat's out of the bag" on internet censorship so to speak.

kazinator
5 replies
1d13h

Maybe the time to start a grassroots network for exchanging giant /etc/hosts files.
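
An added example (not from the thread) of what a shared hosts list would need at minimum: parsing, normalisation and, above all, conflict detection, because a crowd-sourced hosts file is itself a convenient place to plant a hijacked mapping. The two sample lists and their addresses are constructed.

```python
# Added example (not from the thread): merge several shared hosts lists and
# flag entries the sources disagree on instead of silently taking one.
# SAMPLE_A and SAMPLE_B are constructed inputs using documentation addresses.
import ipaddress


def parse_hosts(text):
    """Yield (hostname, ip) pairs from hosts-file text. Comments are stripped,
    hostnames lower-cased, and lines whose first field is not a valid IP are
    dropped rather than trusted."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            yield host.lower().rstrip("."), ip


def merge_hosts(sources):
    """sources: {source_name: hosts_text}. Returns (merged, conflicts):
    merged   - hostname -> ip for names every contributing source agrees on
    conflicts- hostname -> {source: ip} where sources disagree; left to a human"""
    seen = {}
    for src, text in sources.items():
        for host, ip in parse_hosts(text):
            seen.setdefault(host, {})[src] = ip
    merged, conflicts = {}, {}
    for host, by_src in seen.items():
        if len(set(by_src.values())) == 1:
            merged[host] = next(iter(by_src.values()))
        else:
            conflicts[host] = by_src
    return merged, conflicts


def render_hosts(merged):
    """Emit hosts-file lines, sorted so diffs between releases stay readable."""
    return "".join(f"{ip}\t{host}\n" for host, ip in sorted(merged.items()))


SAMPLE_A = """# constructed sample list A
203.0.113.10  blocked-news.example
203.0.113.11  forum.example www.forum.example
"""
SAMPLE_B = """# constructed sample list B
203.0.113.10  blocked-news.example
198.51.100.7  forum.example   # disagrees with A: hijacked or just stale?
not-an-ip     junk.example
"""

if __name__ == "__main__":
    merged, conflicts = merge_hosts({"A": SAMPLE_A, "B": SAMPLE_B})
    print(render_hosts(merged))
    print("needs review:", conflicts)
```

Entries every source agrees on are emitted; disagreements come back separately rather than being resolved by last-writer-wins. A caveat the thread does not mention: a hosts entry only replaces the lookup step, so it does nothing against IP- or SNI-based blocking, and it pins an address the site may rotate at any time.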

boredhedgehog
2 replies
1d11h

It wouldn't have to be giant. Ideally, it would just include those entries that are censored for political reasons sorted by location.

sulandor
0 replies
1d10h

the dns-block block-list

loving it

diggan
0 replies
1d8h

It wouldn't have to be giant. Ideally, it would just include those entries that are censored for political reasons sorted by location.

I think you're underestimating the amount of stuff being blocked everywhere. Even in Spain where I live the list of blocked domains would be pretty big already, and it's just one country.

OONI gives a good overview: https://explorer.ooni.org/

rty32
0 replies
7h47m

Only meaningful if you are on a desktop machine with root privilege (which most people here do have on their personal machines)

You really need a solution that works on every platform for everyone, which isn't easy.

Even for VPN like apps, well, they aren't allowed on China's Apple app store. Fortunately you can switch to a different store, download the app and switch back, and Android users can just sideload an apk as usual. But that's enough to show how complex this is.

(Another reason I absolutely hate Apple's walled garden.)

sixthDot
4 replies
1d12h

online gambling (39 per cent)

well well well. People on HN will be surprised to know that the internet is a complete shit hole. "I thought the internet was made for the good of humanity".

giorgioz
2 replies
1d11h

online gambling (39 per cent)

It's 39% of the IPs banned by the DNSs of the ISPs of Malaysia. It's not 39% of the internet.

sixthDot
1 replies
1d9h

yes, that was well understood. A country decides to filter because the least poor citizens, those who have internet access, prefer to gamble online to make money.

ghnws
0 replies
1d7h

Make money gambling?

protocolture
0 replies
1d8h

I am not surprised by there being gambling on the internet, its not exactly hiding.

hunglee2
4 replies
1d10h

The tension between borderless internet vs national sovereignty is one of most important meta-conflicts occurring in the world today. What can be critiqued as draconian authoritarianism on one hand, can be defended as digital sovereignty on the other.

protocolture
3 replies
1d8h

authies always fall back on appeals to sovereignty why would fucking with the internet be any different

BlueTemplar
2 replies
21h13m

And those that look down on national sovereignty are suspected of being shills for imperialism (whether they realize it or not), which is an even worse kind of authoritarianism.

protocolture
1 replies
8h53m

people I dont like are just secretly this other kind of people I dont like, I have a very large brain.

BlueTemplar
0 replies
5h35m

I just have no idea how to parse that...

grishka
4 replies
23h19m

pornography/obscene content (31 per cent), copyright infringement (14 per cent)

We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.

Who could possibly be harmed by pornography or, even more ridiculous, copyright infringement? Feels like a lame excuse.

Internet censorship in my country (Russia) started the same way — "we're protecting children from suicide and drugs", but for some reason you couldn't opt out of the "protection" as an adult. To no one's surprise, over time, more and more things to non-consensually "protect" people from were added. In the end, unless you stick exclusively with local services, Russian-language content, and government-owned media, the internet is utterly broken without a VPN, packet fragmenter or other anti-censorship solution. Popular VPN protocols are also starting to get blocked, btw. All for your own safety, of course!

ronsor
0 replies
21h32m

copyright infringement

I deeply implore you to think of the stakeholders!

jope12
0 replies
17h3m

Malaysia is a Muslim country. Pornography is illegal. Homosexuality is illegal.

abdulhaq
0 replies
5h12m

imo millions of people, mainly young men, have been sexually, mentally and spiritually harmed by pornography

system2
3 replies
1d12h

Starlink sells and works there, will they block it? Also, how are they going to punish people with vpns and proxies?

sneak
0 replies
1d12h

Starlink has to comply with local laws in places it is sold. It’s like any other business.

protocolture
0 replies
1d8h

Starlink always complies with all ISP laws in every country. Its not some magic anti censorship button.

Shit mostly it exits a country via ground stations in that country or a compatible legal jurisdiction. Its not even magically flying out of the country via satellite. + Discussions about its ability to skirt censorship in this fashion with any significant capacity sort of paint it as a bad move, maybe that starlink 2.0 nonsense.

abdullahkhalids
0 replies
1d12h

The purpose of banning VPNs is repressing political opponents. The police doesn't have to go around finding people who use VPNs. It's just that when the police arrest someone at a protest or for some trumped up charge, and the police also finds a VPN on the person's phone or computer, it is an easy charge to tack on - one that is certain to get punishment.

blackeyeblitzar
3 replies
1d12h

Reminder: Malaysia is an officially Islamic country. It is strange given its location, but Islamization also took over other South and East Asian places as well, like the Maldives and Indonesia.

Malaysia has had a history of religious discrimination from both the state and citizens, despite there being a freedom to practice whatever religion you want. Their notion of religious freedom is also strange, since in order to be considered a Malay you MUST be Muslim. And Malays get all sorts of additional rights and privileges (such as affirmative action). The country also has Sharia law courts - and this is a very real problem for personal freedom, because the Sharia court prevents Muslims from converting to other religions typically, and this forces people to have secret double lives, where privacy is critical.

Restrictions on Internet access or violations of privacy/anonymity are a serious problem for those who may run into trouble due to religious discrimination built into Malaysia’s culture and law. Do not accept official explanations like protecting people from harm or stopping misinformation - control over the internet will be abused.

rognjen
2 replies
1d11h

is strange given its location,

Strange in the current context that it's not in the Middle East but not strange when you look at the map and see that it's a straight shot for a trading ship from the Middle East a thousand years ago.

ValentineC
0 replies
1d7h

Strange in the current context that it's not in the Middle East but not strange when you look at the map and see that it's a straight shot for a trading ship from the Middle East a thousand years ago.

Funny enough, it wasn't a trading ship from the Middle East, but the then-Chinese empire:

https://www.scmp.com/week-asia/article/2006222/chinese-admir... (no paywall link: https://archive.ph/f8622)

GreenWatermelon
0 replies
1d7h

And the entirety of India (until the Brits arrived) was "controlled" by the Mughal Empire, which was mainly Muslim.

Even Spain/Iberia had a huge Muslim population, until the Reconquista Kingdoms committed large scale genocide and deportations of Muslims and Jews.

And speaking of Unexpectedly Muslim, the Golden Horde (AKA Tatars) which existed in the Crimean region as one of the offshoots from Genghis Khan's conquests, was Muslim. In fact, they allied with the Mamluk kingdom of Egypt against Hulagu, leader of another Mongol horde, the Ilkhanate.

MrThoughtful
3 replies
1d12h

Do FireFox, Chrome and Safari still use unencrypted channels for DNS queries?

What is the state of DNS over HTTPS?

profmonocle
0 replies
1d11h

`sudo tcpdump port 53` says yes, they do use unencrypted DNS.

AFAIK Chrome has a hardcoded list of DNS servers which offer encrypted DNS, i.e. if your DHCP server tells your PC to use 8.8.8.8, 1.1.1.1, 9.9.9.9 (or the IPv6 equivalents), it will instead connect to the equivalent DNS-over-HTTPS endpoint for that DNS provider. This is a compromise to avoid breaking network-level DNS overrides such as filtering or split-horizon DNS. It's not limited to public DNS providers either; ISP DNS servers are in there. (I've seen Chrome connect to Comcast's DNS-over-HTTPS service when Comcast's DNS was advertised via DHCP.)

Of course, this is pretty limited. Chrome obviously can't hardcode every DNS server, and tons of networks use private IPs for DNS even though they don't do any sort of filtering / split-horizon at all. (My Eero router has a local DNS cache, so even if my ISP's DNS servers were in Google's hardcoded list, it wouldn't use DNS-over-HTTPS, because all Chrome can see is that my DNS server is 192.168.4.1.)

caymanjim
0 replies
1d

I don't want my browser ignoring my DNS settings. I went through a lot of effort to set up Pi-hole in front of a local BIND server with split-horizon DNS for my VPS subdomains and my local subdomains, with caching and control over upstream resolvers, routed through WireGuard to avoid ISP snooping/hijacking.

It's bad enough that so many devices and applications already ignore DNS settings or hard-code IPs. I want everything going through my DNS.

TacticalCoder
0 replies
1d4h

Do FireFox, Chrome and Safari still use unencrypted channels for DNS queries?

Firefox for sure has a "corporate" setting which guarantees that DNS queries are unencrypted, using port 53 (virtually always UDP although technically I take it TCP over port 53 is possible but a firewall only ever allowing UDP over port 53 for a browser works flawlessly).

AFAIK Chrome/Chromium also has such a setting and making sure that setting is on bypasses DoH.

I force all my browsers / wife / kid's browser to my own DNS resolver over UDP port 53 (my own DNS resolver is on my LAN but it could be on a server if I wanted to).

That DNS resolver can then, if you want, only use DoH.

To me it's the best of both worlds: "corporate" DNS setting to force UDP port 53 and then DoH from your own DNS resolver.

The benefit compared to directly using DoH from your browser is that you get to resolve to 0.0.0.0 or NX_DOMAIN a shitload of ads/telemetry/malware/porn domains.

You can also, from all your machines (but not from your DNS resolver), blocklist all the known DoH servers' IPs.
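The setup described in this post (clients forced onto plain port 53, a LAN resolver that sinkholes a blocklist and talks to its upstream encrypted), as an added example that is not the poster's own configuration. It assumes unbound and nftables on a Debian-style Linux gateway at 192.168.1.1 with LAN interface lan0, uses DNS-over-TLS for the upstream leg because that is what unbound's forward-tls-upstream speaks (DoT in place of the post's DoH), and the blocked names are constructed placeholders.

```shell
#!/bin/sh
# Added example: forced plain-DNS resolver with sinkhole and encrypted upstream.
# Assumptions: unbound + nftables, gateway/resolver 192.168.1.1, LAN iface lan0.
set -eu

# Write the unbound configuration to the path given as $1.
write_unbound_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # Sinkhole: A/AAAA for a blocked name resolve to 0.0.0.0 / ::
    # (constructed placeholder names, not a real blocklist)
    local-zone: "telemetry.example." redirect
    local-data: "telemetry.example. A 0.0.0.0"
    local-data: "telemetry.example. AAAA ::"
    # Alternatively refuse the whole subtree with NXDOMAIN
    local-zone: "ads.example." always_nxdomain
forward-zone:
    name: "."
    # Upstream leg is DNS-over-TLS; the name after '#' is the
    # authentication name unbound checks against the upstream certificate.
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
EOF
}

# Print the nftables rules that transparently redirect any port-53 traffic
# leaving the LAN (TCP and UDP) to the local resolver, so devices that
# hard-code 8.8.8.8 or similar still get the sinkhole.
print_redirect_rules() {
    cat <<'EOF'
nft add table ip nat
nft 'add chain ip nat prerouting { type nat hook prerouting priority -100; }'
nft add rule ip nat prerouting iifname "lan0" meta l4proto { tcp, udp } th dport 53 ip daddr != 192.168.1.1 redirect to :53
EOF
}

# Check from a LAN client: a query aimed at a public resolver must still be
# answered by the sinkhole (0.0.0.0) if the redirect is in effect.
check_redirect() {
    dig +short @1.1.1.1 telemetry.example. A
}
```

Run write_unbound_conf against a file under /etc/unbound/unbound.conf.d/, apply the printed nft rules on the gateway, then check_redirect from a client should print 0.0.0.0 rather than a real address.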

Eumenes
2 replies
1d5h

I have no problem with this. They are a sovereign country. With third-party DNS, like Google, the aggregation of DNS query data could be used for nefarious or for-profit purposes. I encourage everyone to set up unbound.

Aissen
1 replies
1d5h

How would unbound work if your recursive queries to authoritative servers are redirected to local ISP servers instead?

Eumenes
0 replies
1d5h

Oh I misunderstood. The government is redirecting requests to local servers, not local user machines.

djohnston
1 replies
1d6h

Sad to see Malaysia relegate itself to yet another Islamist backwater. They had so much potential.

timomaxgalvin
0 replies
1d6h

Somewhat hyperbolic.

userbinator
0 replies
1d12h

...and again the number of people who know what a VPN is increases.

tryauuum
0 replies
1d4h

yet another country decides to protect people from harmful information. What is harmful -- well, the government will decide

throwaway48476
0 replies
1d3h

Does anyone host zone files for local dns?

ra
0 replies
1d6h

Wouldn't this be trivial to get around by using DNS-over-TLS /QUIC?

Nonetheless, a slippery slope.

nurettin
0 replies
1d

This is just dns, so they don't get the entire url. I know, slippery slope and outrage and stuff, but at this point it is almost expected that any government in the world with access to sufficient IT skills would start political internet bans.

nubinetwork
0 replies
1d7h

protection provided by the local ISP’s DNS servers and that malicious sites are inaccessible to Malaysians.

I'd really be curious if said "protection" is actually real...

Between dynamic domain name generation (ala malware), and (potentially) a lack of public review... this sounds more like smoke and mirrors.

Hopefully there is a way for users to set up a VPN and get access to a better DNS server without triggering the redirect.

foobaw
0 replies
12h13m

Very scary...

dudeinjapan
0 replies
1d1h

Also in Malaysia (coincidentally around the same time) MCMC is hard blocking SMS which contain URLs. Not clear if there's some way to whitelist certain URLs/domains--does anyone know? Broke our TableCheck reservation notifications.

https://www.thestar.com.my/tech/tech-news/2024/09/02/mcmc-ba...

consumerx
0 replies
1d7h

"It's for our own good", lol. Don't buy it. Don't comply.

99catmaster
0 replies
15h23m

For all the Malaysians on HN, how are y’all planning to handle this?