Mozilla: ISPs Are Lying About Encrypted DNS, Should Have Privacy Practices Investigated

from the ill-communication dept

In a bid to avoid losing access to the cash cow that is your daily browsing data, ISPs like Comcast have been lying about Google and Mozilla's quest to encrypt DNS data. The effort would effectively let Chrome and Firefox users opt in to DNS encryption -- making your DNS lookups harder to snoop on and monetize in transit -- assuming your DNS provider supports it. Needless to say, telecom giants that have made billions of dollars monetizing your every online behavior for decades now (and routinely lying about it) don't much like that.

As a result, Comcast, AT&T, and others have been trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah).

Mozilla this week came out with a letter not only taking aim at those claims, but urging Congress to investigate telecom's long history of privacy problems:

"Our recent experience in rolling out DNS over HTTPS (DoH)—an important privacy and security protection for consumers—has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage," the letter, signed by Marshall Erwin, senior director of trust and security at Mozilla, reads. "With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation."

While there's obviously plenty of perfectly legitimate criticism of Silicon Valley giants like Facebook and Google, we've been noting how telecom lobbyists have been quietly co-opting this backlash to help the telecom sector. So far you'd have to view these efforts as successful; while the government hyperventilates about Facebook and whether it should be broken up and heavily regulated, telecom has convinced lawmakers to effectively obliterate all oversight of telecom, despite the sector having historically been every bit as terrible as Facebook on the subjects of privacy, consumer rights, and competition.

As a result there are a few lawmakers (Marsha Blackburn comes quickly to mind) who claim to be utterly incensed at Facebook's behavior, but have chosen to give telecom a free pass. Mozilla's letter urges Congress to, you know, stop doing that if they want to be taken seriously:

"We believe that more information regarding ISP practices could be useful to the Committee as it continues its deliberations on this front, and we encourage the Committee to publicly probe current ISP data collection and use policies."

As we look to craft the privacy standards and guidelines of tomorrow, it's another reminder of how focusing too exclusively on the missteps of Silicon Valley giants obscures the fact that these problems aren't exclusive to "big tech." Mozilla's spot on when it notes that privacy solutions that don't consider telecom aren't much of a solution in the first place.


Filed Under: congress, dns over https, doh, encrypted dns, privacy, security
Companies: at&t, comcast, google, mozilla, verizon


Reader Comments



  1. Anonymous Coward, 8 Nov 2019 @ 7:00am

    "if they want to be taken seriously"

    Hahahaha - good one.


  2. Anonymous Coward, 8 Nov 2019 @ 7:37am

    The Reason Telecoms don't Want Encrypted DNS Lookups

    Be careful here though. I've seen people who claim that their ISP is hijacking their DNS lookups (regardless of whether they're using the ISP's DNS server or not) and when pressed on it they point to how some ISPs are taking failed DNS lookups to their own DNS servers and returning their own search page (on which they can obviously sell ads and placement). A lot of experts claim this breaks certain functionality that relies on invalid domain errors (NXDOMAIN).

    If the DNS lookup was encrypted, then obviously the ISP could not hijack a DNS lookup that was going to another DNS Server and route it to their own, but as far as I can tell, there's no evidence that they are doing that. They also wouldn't be able to use DNS lookups that are going to third party DNS servers to accumulate lists of visited websites, but they can do that anyways since 99.999% of the time right after a DNS lookup is done, the next step is to actually go to that IP address. So they have that information anyways.

    So why are they opposing it? I suspect because they know if encrypted DNS lookups become standard, it will mean a cost to them to implement. Sure, there's also the failed DNS lookup aspect to it, but since pretty much every browser these days uses a unified address bar, most people expect a search page to show up if they mistype a domain name. So I'd be surprised if any ISPs even bother to hijack NXDOMAIN errors anymore since more often than not the browser is going to handle it.


  3. NoahVail (profile), 8 Nov 2019 @ 8:05am

    Re: The Reason Telecoms don't Want Encrypted DNS Lookups

    I'd be surprised if any ISPs even bother to hijack NXDOMAIN errors

    C:\> nslookup

    server 4.2.2.2
    flubboxzing.org (returns 23.217.138.108)
    cheeorgeack.net (returns 23.217.138.108)

    Off the top of my head, Charter and Comcast are still doing it also.


  4. NoahVail (profile), 8 Nov 2019 @ 8:17am

    Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

    Just a note for any "Level3 isn't an ISP" folks:
    When FiOS got handed over to Frontier, those DNS servers were often proposed for folks w/ static IPs. Frontier's current DNS servers return the same IPs for NXDOMAIN (as Level3's DNS).

    Synopsis: ISP's Buddy hijacking DNS != ISPs don't hijack DNS.

    ref: other Frontier DNS servers
    https://www.dslreports.com/forum/r31831677-Faster-Internet-Frontier-DNS-settings


  5. Zof (profile), 8 Nov 2019 @ 9:06am

    Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

    Hijacking NXdomain and replacing them with landing pages was pioneered by Verizon, and they still do it.


  6. Anonymous Coward, 8 Nov 2019 @ 9:17am

    More privacy for consumers is a good thing. ISPs selling data to private companies could be a security risk: the fewer companies that have access to your browsing data, the less chance of it being hacked, or even leaked on the web and used to gain access to financial info like credit card info and purchasing info. Most people do not want it leaked that, for instance, they pay to buy adult DVDs or stream XX-rated movies. Private companies have a bad record of securing user data from being hacked. Google and Facebook are criticised for selling user data to advertisers; meanwhile ISPs get a free pass to sell it to any small private company. I would trust Google or Mozilla more than any ISP.


  7. Anonymous Coward, 8 Nov 2019 @ 10:03am

    Upvote Mozilla bug preventing DoH and ESNI from working together

    Please upvote Bug 1585395 under the "Details" dropdown menu, since both DoH and ESNI are needed to minimize ISP spying.

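The article above describes DoH as something Firefox users can opt in to, and comment 7 wants DoH and ESNI working together. For reference, this is what that opt-in looks like as Firefox about:config prefs written into a profile's user.js. It is an added example, not anything from the article, from Mozilla or from the commenter. The pref names are the ones Firefox used in late 2019 (network.trr.bootstrapAddress was later renamed network.trr.bootstrapAddr, and ESNI was later replaced by ECH); the DoH URL is Mozilla's default resolver of the time, and the bootstrap address is assumed to be one of that resolver's published IPs, which you should check against the provider before relying on it.

```js
// user.js: read once at Firefox startup from the profile directory.

// Weak setting (mode 2): DoH first, but if the DoH server is unreachable or a lookup
// fails, Firefox silently falls back to the OS resolver, which is usually the ISP's.
// Left commented out here because only one network.trr.mode line should be active.
// user_pref("network.trr.mode", 2);

// Stricter setting (mode 3): DoH only, no fallback. A resolver outage shows up as a
// failed lookup instead of being quietly routed to the ISP.
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");

// In mode 3 Firefox has no plaintext resolver left to find the DoH server's own
// address, so supply it directly. Assumed published address; verify with the provider.
user_pref("network.trr.bootstrapAddress", "104.16.248.249");

// Encrypted SNI keeps the hostname out of the TLS handshake that follows the encrypted
// lookup; without it the ISP still sees the server name even though the DNS query is hidden.
// It only works when the ESNI key record is fetched through the DoH resolver.
user_pref("network.security.esni.enabled", true);
```

The practical caveat is the fallback in mode 2: a resolver that is merely slow or briefly unreachable hands every subsequent lookup back to the ISP without telling the user, which is why a mode 3 profile with a bootstrap address is the configuration to test against when the goal is to keep the ISP out of the picture entirely.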

  8. Anonymous Coward, 8 Nov 2019 @ 10:11am

    Friday deep thoughts:

    The trick is: convincing people that online anonymity, online privacy, actually exist. Actual privacy is the fallacy.


  9. ECA (profile), 8 Nov 2019 @ 1:16pm

    BUT, BUT...

    That's not fair..
    https://www.techdirt.com/articles/20191104/19421143323/cbp-now-has-access-to-nsa-cia-collections.shtml

    Gov. don't like it
    ISPs don't like it..
    VPNs don't like it..
    Advert agencies don't like it..

    NOW, how much is Congress going to get?? Backdoors open..


  10. Gary (profile), 8 Nov 2019 @ 2:40pm

    Re: Re: Re: The Reason

    ... The lair is pretty much correct. Verizon and Comcast have used that to hijack searches and inject content into streams.


  11. jlivingood (profile), 8 Nov 2019 @ 3:10pm

    Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

    Comcast is definitely *not* doing that (I work there). Here is a demonstration using dig @ that server and a name that does not exist. 1st example results in NXDOMAIN. 2nd example gets a SERVFAIL, likely because the auth server does not respond to recursions from 4.2.2.2.

    dig @4.2.2.2 nonamehere.example.com

    ; <<>> DiG 9.10.6 <<>> @4.2.2.2 nonamehere.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19479
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;nonamehere.example.com. IN A

    ;; AUTHORITY SECTION:
    example.com. 1884 IN SOA ns.icann.org. noc.dns.icann.org. 2019101516 7200 3600 1209600 3600

    ;; Query time: 84 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Fri Nov 08 18:06:57 EST 2019
    ;; MSG SIZE rcvd: 107

    dig @4.2.2.2 flubboxzing.org

    ; <<>> DiG 9.10.6 <<>> @4.2.2.2 flubboxzing.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38884
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;flubboxzing.org. IN A

    ;; Query time: 24 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Fri Nov 08 18:09:20 EST 2019
    ;; MSG SIZE rcvd: 33


  12. jlivingood (profile), 8 Nov 2019 @ 3:12pm

    Re: Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups

    Wow - that is all mangled in plain text. Trying again in markdown:

    dig @4.2.2.2 flubboxzing.org

    ; <<>> DiG 9.10.6 <<>> @4.2.2.2 flubboxzing.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38884
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;flubboxzing.org. IN A

    ;; Query time: 24 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Fri Nov 08 18:09:20 EST 2019
    ;; MSG SIZE rcvd: 33

    dig @4.2.2.2 nonamehere.example.com

    ; <<>> DiG 9.10.6 <<>> @4.2.2.2 nonamehere.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19479
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;nonamehere.example.com. IN A

    ;; AUTHORITY SECTION:
    example.com. 1884 IN SOA ns.icann.org. noc.dns.icann.org. 2019101516 7200 3600 1209600 3600

    ;; Query time: 84 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Fri Nov 08 18:06:57 EST 2019
    ;; MSG SIZE rcvd: 107

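The nslookup session in comment 3 and the dig runs in comments 11 and 12 are the manual form of one simple check: ask a resolver for names that cannot exist and see whether it admits NXDOMAIN or hands back an address. The script below automates that check. It is an added example, not code from the page, from any commenter or from any ISP. The random-label scheme, the three-query sample size and the "every bogus name resolves to the same address" rule are my own choices, and 23.217.138.108 is borrowed from comment 3 purely as constructed sample data for the offline run; the DNS wire-format handling is written against RFC 1035 so nothing beyond the standard library is needed.

```python
import random
import socket
import string
import struct
import sys

# Minimal RFC 1035 wire-format helpers; standard library only, no network needed for the demo.

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid, qtype=1):
    """Build an A query (qtype 1) with the RD bit set."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_response(data):
    """Return (rcode, IPv4 strings from A records in the answer section)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode, offset, addrs = flags & 0x000F, 12, []
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                                  # QTYPE + QCLASS
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, addrs

def random_name(tld="org"):
    """Twelve random letters under a TLD: a name that should not exist."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(12)) + "." + tld

def query(resolver, name, timeout=3.0):
    """Send one UDP query to resolver:53 and parse the reply (live use only)."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("response ID does not match the query")
    return parse_response(data)

def classify(results):
    """results: (rcode, addrs) pairs for names that should not exist.
    clean: every reply is NXDOMAIN (rcode 3).  nxdomain-redirect: every name
    resolves, all to the same address set (the landing-page pattern).
    inconclusive: anything else, e.g. SERVFAIL or a mix of answers."""
    if results and all(rcode == 3 for rcode, _ in results):
        return "clean"
    resolved = [tuple(sorted(addrs)) for rcode, addrs in results if rcode == 0 and addrs]
    if resolved and len(resolved) == len(results) and len(set(resolved)) == 1:
        return "nxdomain-redirect"
    return "inconclusive"

def build_sample_response(name, qid, addr=None, rcode=0):
    """Constructed reply for the offline demo: QR/RD/RA set, one A record if addr given."""
    msg = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if addr:  # 0xC00C = pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg

if __name__ == "__main__":
    if len(sys.argv) > 1:        # live probe, e.g.: python nxprobe.py 4.2.2.2
        results = [query(sys.argv[1], random_name()) for _ in range(3)]
    else:                        # offline demo: three random names all "resolve" to one address
        results = [parse_response(build_sample_response(random_name(), 1, "23.217.138.108"))
                   for _ in range(3)]
    for rcode, addrs in results:
        print({0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}.get(rcode, rcode), addrs)
    print("verdict:", classify(results))     # offline demo prints "verdict: nxdomain-redirect"
```

Run it as python nxprobe.py <resolver> to probe a live resolver over plain UDP port 53; with no argument it parses constructed replies and reports nxdomain-redirect. A SERVFAIL, as in comment 11, is reported as inconclusive rather than clean: it says nothing about whether the resolver rewrites NXDOMAIN. The probe only tests the resolver you point it at; an ISP that transparently intercepts port 53 would affect queries sent to third-party resolvers as well, which is exactly the interception that moving DNS into HTTPS is meant to take off the table.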

  13. jlivingood (profile), 8 Nov 2019 @ 3:13pm

    Re: Re: Re: Re: The Reason

    Comcast's network does not do that (in FD I work there...) NXDOMAIN redirection was done for a short period that ended in January 2012 when DNSSEC Validation was turned on (1st large ISP in the US to do so).


  14. Anonymous Coward, 8 Nov 2019 @ 3:41pm

    Re: The Reason Telecoms don't Want Encrypted DNS Lookups

    IP address alone isn't super useful to ISPs when more and more websites are using shared IPs via cloud hosting.


  15. Garcia, 10 Nov 2019 @ 9:08pm

    Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regards to the domain name services (DNS) ISPs provide to US consumers https://www.upsers.one/


  16. Anonymous Coward, 11 Nov 2019 @ 2:47am

    Stop it with these links to news sites, rather than the doc

    Karl,

    Mozilla this week came out with a letter not only taking aim at those claims, but urging Congress to investigate telecom's long history of privacy problems:

    The link there is NOT to the letter but to a Vice article. Are they paying you or are you just being lazy?

    Don't give us:

    https://www.vice.com/en_us/article/zmj5p9/mozilla-firefox-asks-congress-to-investigate-internet-service-providers-data-selling-collection?utm_source=mbtwitterus

    Give us:

    https://assets.documentcloud.org/documents/6538356/Mozilla-Letter-to-Congress-on-DoH.pdf


  17. Anonymous Coward, 11 Nov 2019 @ 7:02pm

    I don't see here why it makes any sense that DNS traffic should be directed by a browser, breaking network automation and directing people to the worst violators of individuals' privacy. I trust tech about as much as I trust ISPs, but the ISPs I can avoid. The big tech giants I have no way to avoid. So why does this make any sense? Don't give me a terms of service agreement that has zero penalties if broken.


  18. Anonymous Coward, 11 Nov 2019 @ 7:09pm

    Re:

    How can you avoid the ISP? Do you own one?


  19. Anonymous Coward, 12 Nov 2019 @ 1:49am

    Re:

    but the ISPs I can avoid.

    Only if you give up using the Internet.


