Comcast And Mozilla Partner Up To Help Encrypt DNS

from the strange-bedfellows dept

Over at our Tech Policy Greenhouse, Article19's Joey Salazar and Consumer Reports' Benjamin Moskowitz just discussed how it's long past time to encrypt the Domain Name Server (DNS) system at the heart of the internet. Thanks to the GOP demolishing of FCC broadband privacy rules in 2017, ISPs have carte blanche to monetize this data as they see fit, storing and selling access to your DNS browsing data to data brokers who continue to build detailed user profiles with little to no meaningful oversight.

At the forefront of encrypting DNS have been Google and Mozilla, both of which have been pushing for a standard known as "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. The proposal doesn't come without downsides, and has seen opposition from ISPs that are either eager to continue to profit off of this data, or are worried that somebody else will (usually Google) if they can't.

Comcast, AT&T, and others had previously been trying to demonize the Google and Mozilla efforts any way they could, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah).

After Mozilla claimed to Congress that ISPs were being disingenuous with their opposition to the plan, at least one major ISP appears to have come around to the proposal. This week Mozilla announced that Comcast had joined the Firefox Trusted Recursive Resolver (TRR) program, which requires encrypted-DNS providers to not only meet privacy and transparency standards, but to promise not to block or filter domains by default "unless specifically required by law in the jurisdiction in which the resolver operates." From the blog post:

"This program aims to standardize requirements in three areas: limiting data collection and retention from the resolver, ensuring transparency for any data retention that does occur, and limiting any potential use of the resolver to block access or modify content. By combining the technology, DoH, with strict operational requirements for those implementing it, participants take an important step toward improving user privacy."

While Comcast has a well-deserved and terrible reputation for anti-competitive behavior, lobbying shenanigans and comically awful customer service, the company's engineering folks remain top notch, and obviously appreciate the benefits of encrypting the DNS in the wholesale snoopvertising age. In conversations, the company continues to insist to be they've never monetized this data (not that anybody in government would ever have the ability or courage to confirm this), and had been running a beta version of its own encrypted DNS offering since last year.

Mozilla helping to standardize this and forming a coalition with Comcast is foundational, and under the partnership, Comcast is promising to not "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser." Now it's just a matter of Comcast transparently proving that they're actually adhering to those standards.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dns, dns over https, encryption
Companies: comcast, mozilla


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Samuel Abram (profile), 26 Jun 2020 @ 6:31am

    Questionable

    I don't trust Comcast. Like, at all. Then again, Microsoft embraced Linux and FLOSS is still a thing, so this could work out. However, I fear the worst.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Jun 2020 @ 8:06am

      I know one thing

      Wait and see.
      Yes, it's a bit of a cliche, but we'll have to do that.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Jun 2020 @ 6:59am

    from the DNS queries sent from the Firefox browser

    Hard luck if you use any other browser.

    link to this | view in chronology ]

    • icon
      PaulT (profile), 27 Jun 2020 @ 12:02am

      Re:

      Why? Firefox supporting the encryption won't make unencrypted DNS go away, unless it's effective enough that other browsers follow suit.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Jun 2020 @ 3:54am

        Re: Re:

        Full quote:

        Comcast is promising to not "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser."

        Rather then:
        Not to retain.......made to our DNS servers from any program..

        link to this | view in chronology ]

        • icon
          PaulT (profile), 27 Jun 2020 @ 4:43am

          Re: Re: Re:

          The statement is directly about this browser so it makes sense to specify it in the statement. That doesn't necessarily mean they're doing all those things elsewhere, just that they're stating they won't be doing it here.

          If course, if you're concerned about this, your main complaint should be that the market is so bad over there that you can't just move to another ISP if you don't trust Comcast.

          link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Jun 2020 @ 7:09am

    "the company continues to insist to be they've never monetized this data "

    Lot of pants on fire at that company....

    The fact that they are now in sudden agreement to encrypt DNS, just tells me their "top notch" engineers have found a way around the obstacle of deciphering the data so they can still "not monetize" it.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Jun 2020 @ 7:14am

      Re:

      As a DNS server, they decrypt the data so that they can handle the query, no clever tricks required as they are the other end of the encrypted link.

      link to this | view in chronology ]

      • icon
        Anonymous Anonymous Coward (profile), 26 Jun 2020 @ 7:45am

        Re: Re:

        Doesn't that depend upon whether one selects their own set of DNS servers or not? If a Comcast customer allows Comcast to select the DNS servers, then your right, but if there was say a tool that reset DNS servers to ones that weren't Comcast but were enabled to handle the encrypted requests then something different would be needed for Comcast to monetize those requests.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 26 Jun 2020 @ 8:59am

          Re: Re: Re:

          For other than Comcast DNS that is the same as Comcast breaking HTTPS by some means, like forcing people to use their proxy server and certificate.

          link to this | view in chronology ]

        • identicon
          Anonymous Coward, 26 Jun 2020 @ 9:15am

          Re: Re: Re:

          Doesn't that depend upon whether one selects their own set of DNS servers or not? If a Comcast customer allows Comcast to select the DNS servers

          That's what I'd interpret from "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." Comcast can ensure their servers are always the fastest for their customers, in which case Firefox would choose them.

          I'm sure Firefox won't force users to stick with those servers. But only a tiny fraction of people choose their own servers. Probably the same troublemakers that contact their ISPs to opt out of stuff like data-sharing and forced arbitration. Those numbers are too small to matter.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 26 Jun 2020 @ 9:26am

            Re: Re: Re: Re:

            Yeah, I can see.

            link to this | view in chronology ]

          • identicon
            Anonymous Coward, 28 Jun 2020 @ 9:07pm

            Re: Re: Re: Re:

            That's what I'd interpret from "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." Comcast can ensure their servers are always the fastest for their customers, in which case Firefox would choose them.

            Which then breaks the entire point of Encrypted DNS: To ensure those you don't want peeking at the lookup requests can't see them. After all if you can just run a "web browser corporate-backer approved" encrypted DNS server that the web browser trusts, what prevents the browser from using it if the user doesn't want to?

            I say this because the whole point of normal DNS is decentralization of the lookup queries, and network traffic shaping. If the web browsers only trust certain servers, it's trivial for an ISP or any other service provider to block all requests not destined for their
            "trusted" servers and claim that using other servers violates their ToS, breaks security, "you must be up to no good", etc. I.e. It's a very obvious trap that any enterprise network engineer has deployed to secure their networks against rogue users exfiltrating data. Further, given the current pushes for censorship and "neutrality" what's to prevent these "trusted" servers from denying lookups to sites the operators disapprove of? Or worse logging and reporting it without the user having alternatives? That's the whole problem with centralized services like DNS, but even more so when you start mandating who can be trusted and who cannot.

            link to this | view in chronology ]

            • identicon
              Anonymous Coward, 29 Jun 2020 @ 11:13am

              Re: Re: Re: Re: Re:

              After all if you can just run a "web browser corporate-backer approved" encrypted DNS server that the web browser trusts, what prevents the browser from using it if the user doesn't want to?

              The lack of any code to do that prevents the browser from doing it. Firefox's idea, that Comcast's server is the one that Comcast users will want to use, is certainly questionable. But at least there's been no suggestion that browsers will make that the only option.

              Sure, Comcast could block other servers. They could also block Tor, HTTPS, whatever. Even they haven't yet shown signs of stooping to this level.

              link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Jun 2020 @ 7:17am

    "At the forefront of encrypting DNS have been Google and Mozilla AND CLOUDFLARE"

    link to this | view in chronology ]

  • icon
    McKay (profile), 26 Jun 2020 @ 8:39am

    This scares me

    IMO, the purpose of encrypted DNS is that the ISPs like Comcast can't get your DNS data. Well, if Comcast is in on it, then they'll be building their own server, and we're back where we started. Sadly, Comcast getting in on it will make all the other dumb ISPs realize they can do the same thing. We can still choose another DNS server, but there'll be a lot of people who just leave it at default through DHCP.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Jun 2020 @ 9:10am

      Re: This scares me

      Centralizing it all at Cloudflare has its own problems. An independent service in each country could be an improvement, if clients used more than one. Domain-blocking orders would then need to target over 100 countries to be effective, at which point it's easier to target the registry or registrar. Running the DNS servers as onion services would additionally prevent court orders of the form "country X says to block all clients from country X", as geo-location would be impossible.

      A lot of uses of DNS, however, are kind of pointless when we have DNSSEC. Once you can authenticate data, it doesn't matter where you get it from. EG: when one website links to another, the target's DNS records could be provided by the source site.

      link to this | view in chronology ]

    • icon
      PaulT (profile), 27 Jun 2020 @ 12:05am

      Re: This scares me

      "IMO, the purpose of encrypted DNS is that the ISPs like Comcast can't get your DNS data"

      No, it's to ensure that things like DNS injection attacks and cache poisoning are much more difficult.

      "there'll be a lot of people who just leave it at default through DHCP."

      You're thinking of the wrong use of DNS.

      link to this | view in chronology ]

  • icon
    Alphonse Tomato (profile), 26 Jun 2020 @ 10:47am

    I'll be sticking to the DNS provided by my VPN, thank you. I trust them way more than I trust Comcast. Sure, the VPN is a potential single point of failure, but that's better than having multiple potential points of failure. And if the VPN is compromised, snooping on DNS is irrelevant.

    link to this | view in chronology ]

    • icon
      PaulT (profile), 27 Jun 2020 @ 12:06am

      Re:

      "I'll be sticking to the DNS provided by my VPN, thank you."

      Good for you. Why does that mean that those who don't have one should not be protected?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 27 Jun 2020 @ 7:58am

        Re: Re:

        Why does that mean that those who don't have one should not be protected?

        Did you post this in the wrong thread? The comment you replied to didn't make any such claim.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 27 Jun 2020 @ 11:57am

          Re: Re: Re:

          Also, if Comcast didn't participate in this, people without VPNs would be more protected from Comcast—because Firefox would've defaulted them to a non-Comcast DNS server. If one views Comcast as untrustworthy, that would be a better result.

          link to this | view in chronology ]

  • identicon
    Smartassicus the Roman, 28 Jun 2020 @ 10:15pm

    Waitaminnit

    Only a damned fool trusts comcast to get this right, which sheds light on how I feel about the direction Mozilla is going.

    link to this | view in chronology ]

    • identicon
      Annonymouse, 6 Jul 2020 @ 9:24am

      Re: Waitaminnit

      It all depends on what Mozilla does or doesn't do with the "help" from Comcast.

      My hope is that they treat it as what it is and look for, circumvent but not tell them about any features added by comcast untill after the fact. In other words let Comcast do Comcast and be proactive when it comes to the shenanigans.

      link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.