well well well. People on HN will be surprised to know that the internet is a complete shit hole. "I thought the internet was made for the good of humanity".
It's 39% of the IPs banned by the DNSs of the ISPs of Malaysia. It's not 39% of the internet.
That's how it _always_ starts out, the "it's for your own good, trust me" excuse.
That would be cool?
You're kidding, but I've already toyed with using AI models to analyze browsers' screenshots and determine if a page is likely phishing or not, and it works very well.
You want privacy? It stamps out any attempts at fingerprinting by attempting to be the most common browser (and config) out there, it spoofs any and all identifying data, it redraws pages without paywalls, without cookie notices and puts all pages in simple text output mode removing all other ads in the process, but keeps pictures for fora that use them.
You want 1984? It won't let you see anything that is not approved by the party.
Onwards, to our glorious future.
edit:
Valuemaxx edition. Store pages with discounts have bruteforced discounts found and added for maximum value.
It already is crazy. I can't even begin to imagine it being more crazy.
Most people already only see the web the way Google wants them to see it.
The whole precedent of the language is also insane. Imagine if words COULD in reality cause harm. Monty Python satirized the concept here: https://www.youtube.com/watch?v=Qklvh5Cp_Bs The "online words cause harm" is as absurd as that skit. Really the damage is in people claiming to have been harmed, emotionally, by a word, them wielding that as victim-power aka crybullying - that can translate into school/career/legal problems that are more of a quantifiable harm. Further, if words were so damaging, as Monty Python showed us, they would immediately be weaponized; the sensitivity to this topic is extreme hyperbole.
Since the premise of words causing harm is nonsense, the definition of harm is equally superfluous. Talk to any student council president or HOA president who only did it for the power, about some initiative they alone are driving against the wishes of the group, and you will find hand waves and sugarcoats everywhere, their selfish intent somewhat easy to see behind the well-sounding good-intending reasons. Politics at the national scale is the same exact game, just that the power hungry people waving hands are much more skilled and experienced.
but remember we have this (widespread from 90s to 2010) to this day in the USA, and they don't even bother with excuses. just shove advertising and hijack searches right on your face.
google didn't force httpsdns on your browser for nothing. it was digging in THEIR pockets.
Jacques Ellul and/or Ted Kaczynski might be a starting point on this matter.
As a user of the public internet, it feels like a bug.
As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.
In general they're not going to bother with IP blocking; once they've killed DNS, they're satisfied that most people will not be able to access it.
And for the most part, that's good enough. There's perhaps an argument that the US gov't should be blocking IPs/DNS of things like hacking rings and malware distributors that are hosted elsewhere, on TLDs out of their reach (where ISP blocking would probably be the only or at least best way), but they mainly only care about e.g. sites that threaten the copyright cartels, when it comes to legal takedowns, anyway. And for sites that host illegal content, they seem happy only prosecuting US residents who access them.
> We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.
Who could possibly be harmed by pornography or, even more ridiculous, copyright infringement? Feels like a lame excuse.
Internet censorship in my country (Russia) started the same way — "we're protecting children from suicide and drugs", but for some reason you couldn't opt out of the "protection" as an adult. To no one's surprise, over time, more and more things to non-consensually "protect" people from were added. In the end, unless you stick exclusively with local services, Russian-language content, and government-owned media, the internet is utterly broken without a VPN, packet fragmenter or other anti-censorship solution. Popular VPN protocols are also starting to get blocked, btw. All for your own safety, of course!
I deeply implore you to think of the stakeholders!
So I guess pornography is illegal in Malaysia?
I guess this is a great time for Malaysian users to switch to DoH.
Edit: Yes. Wikipedia:
> Pornography is illegal in Malaysia with fines of up to RM10,000 for owning or sharing pornographic materials
Of course there are still ways around this. Use a good VPN like Proton.
This is still for sure going to be copied by authoritarian regimes worldwide.
I think you're underestimating the amount of stuff being blocked everywhere. Even in Spain where I live the list of blocked domains would be pretty big already, and it's just one country.
OONI gives a good overview: https://explorer.ooni.org/
loving it
You really need a solution that works on every platform for everyone, which isn't easy.
Even for VPN-like apps, well, they aren't allowed on China's Apple app store. Fortunately you can switch to a different store, download the app and switch back, and Android users can just sideload an apk as usual. But that's enough to show how complex this is.
(Another reason I absolutely hate Apple's walled garden.)
There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.
Are there? When Kazakhstan announced they were going to do this, all the major browser vendors blocked their CA... so they backed down. What other countries do this and get away with it?
Google 8.8.8.8 8.8.4.4
Control D 76.76.2.0 76.76.10.0
Quad9 9.9.9.9 149.112.112.112
OpenDNS Home 208.67.222.222 208.67.220.220
Cloudflare 1.1.1.1 1.0.0.1
AdGuard DNS 94.140.14.14 94.140.15.15
CleanBrowsing 185.228.168.9 185.228.169.9
Alternate DNS 76.76.19.19 76.223.122.150
They also block port 853 (so no DoT), and https to well-known dns servers; so you can't use DoH to google, but others may work.
If you're on a vpn they never see the traffic, you can also bypass them using a pihole with unbound to proxy dns to a DoH server - as long as they haven't blocked it.
Ironically the corporate VPN I use also hijacks DNS (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward.
https://blog.mozilla.org/en/products/firefox/encrypted-hello...
> ‘You have shown determination’: Malaysian PM praises Putin, pledges closer ties (2 days ago)
reminder https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17 43 Malaysians killed by Putin.
https://www.thestar.com.my/tech/tech-news/2024/09/02/mcmc-ba...
I'd really be curious if said "protection" is actually real...
Between dynamic domain name generation (ala malware), and (potentially) a lack of public review... this sounds more like smoke and mirrors.
Hopefully there is a way for users to set up a VPN and get access to a better DNS server without triggering the redirect.
Malaysia has had a history of religious discrimination from both the state and citizens, despite there being a freedom to practice whatever religion you want. Their notion of religious freedom is also strange, since in order to be considered a Malay you MUST be Muslim. And Malays get all sorts of additional rights and privileges (such as affirmative action). The country also has Sharia law courts - and this is a very real problem for personal freedom, because the Sharia court prevents Muslims from converting to other religions typically, and this forces people to have secret double lives, where privacy is critical.
Restrictions on Internet access or violations of privacy/anonymity are a serious problem for those who may run into trouble due to religious discrimination built into Malaysia’s culture and law. Do not accept official explanations like protecting people from harm or stopping misinformation - control over the internet will be abused.
Strange in the current context that it's not in the Middle East but not strange when you look at the map and see that it's a straight shot for a trading ship from the Middle East a thousand years ago.
Funny enough, it wasn't a trading ship from the Middle East, but the then-Chinese empire:
https://www.scmp.com/week-asia/article/2006222/chinese-admir... (no paywall link: https://archive.ph/f8622)
Even Spain/Iberia had a huge Muslim population, until the Reconquista kingdoms committed large scale genocide and deportations of Muslims and Jews.
And speaking of Unexpectedly Muslim, the Golden Horde (AKA Tatars), which existed in the Crimean region as one of the offshoots from Genghis Khan's conquests, was Muslim. In fact, they allied with the Mamluk kingdom of Egypt against Hulagu, leader of another Mongol horde, the Ilkhanate.
What is the state of DNS over HTTPS?
nonetheless, a slippery slope
Shit, mostly it exits a country via ground stations in that country or a compatible legal jurisdiction. It's not even magically flying out of the country via satellite. + Discussions about its ability to skirt censorship in this fashion with any significant capacity sort of paint it as a bad move, maybe that starlink 2.0 nonsense.
A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.
Of course, a client using encrypted DNS could just refuse to work when encryption is blocked, rather than falling back to traditional DNS. But that could mean the client is unusable in the country implementing the block.
This sort of reminds me of when Kazakhstan announced they were going to MITM all TLS sessions within the country, and all citizens would need to manually install a root cert. Google, Apple, and Mozilla chose to completely block their root cert, so it would be unusable even if users chose to go along with it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a... Seems like the browser devs won that political standoff, but would they fight the same battle if DoH/DoT was blocked?
not if DNS is hosted on the same servers as eg google search itself. then they would have to block google search in order to block DNS.
Unencrypted DNS also has to be bootstrapped by a well-known set of IPs. None of the current DNS propagation system would work if it wasn't for the hardcoded IPs for the root DNS servers at *.root-servers.net.
And, of course, end-user devices still need an IP to query for DNS, it's just that it's almost always supplied automatically via DHCP or similar.
At least the companies I’ve been working for have a lot more laptops at coffee shops and weworks, and probably not on a VPN half the time either. DoH has been a way bigger win than a hassle for me.
Deep packet inspection hardware appliances have proliferated in recent years: they are cheap, the hardware is highly performant, and they are capable of highly sustained throughput. Redirecting DNS queries on UDP port 53 to any other destination of choice is something they can do without blinking an eye (if they had one). Or dropping / blackholing them.
Only a VPN tunnel can get through; however, modern DPI appliances can also scan for VPN and VPN-like signatures in the traffic and drop those, too. The only viable and guaranteed-to-work solution to resist the tampering with the traffic is a VPN tunnel wrapped into a Shadowsocks tunnel that obfuscates traffic signatures and constantly changes the ports it operates on to avoid detection.
https://mullvad.net/en/blog/introducing-defense-against-ai-g...
DoH is a double-edged thing; advertisers are a more present and pervasive threat to most than their own government.
In both instances it turns out that the difference in magnitude of those threats makes the direct comparison misleading.
And bad ISPs⁰.
And a small subset of MitM attacks.
> advertisers are a more present and pervasive threat to most than their own government
That is true for me¹ but I'd not agree with "most" globally. And while stalky corporates and the people who will get hold of my data subsequently due to lax security are my main concern, there are other ways to mitigate them. Less convenient ways, sure, and I lose a security-in-depth step of ashtray using them anyway, but I consider that inconvenience for me² to be less of an issue than the more serious problems DoH might mitigate for others.
----
[0] some people don't have a simple "just go elsewhere" option
[1] relatively speaking: I don't consider my government that trustworthy, and will do so even less in future if the Tories get back in without major changes in their moral core, and I'm sure many Americans feel similarly if they consider the implications of Project2025.
[2] both as an end user wanting to avoid commercial stalking and as someone who sometimes handles infrastructure for a B2B company that uses DNS based measures as part of the security theater we must present to clients when bidding for their patronage
Then transparently redirect the DNS request from all your machines at home to your own DNS resolver (so that you're in control of what gets resolved and what doesn't, like malware, phishing sites, porn so that kids don't get to see that, etc.) and have your own DNS resolver use DoH.
But asking for browsers to "make DoH ubiquitous" (they would force DoH and DoH only) is not a good thing. It also probably would clash with corporate policies, so it'd make the browser picking that path unusable in corporate settings (leaving the corporate market to competitor browsers).
DNSSEC can help protect from fraudsters or others that might try to transparently direct you to a different site than the one you wanted to access. But the government here has no intention of serving you a fake porn site; they want to stop you accessing porn and log the fact that you were trying to access it.
I don't really trust many DNSes and neither do many yet we all have few choices
The lack of MitM isn't much comfort
Neither are guarantees of the chain of trust
Sounded more like a kneejerk reaction and a meme for something that's an improvement. UDP in this day and age? Come on.
There is also nothing wrong with using UDP for DNS. And the latency can be better, and in this context that matters. The real problem is that the UDP DNS protocol isn't encrypted. But there is no reason it couldn't be, except that then nobody gets a new source of DNS queries to data mine, which is where the money comes from to push DoH.
A device on my network that decides to use DoH without my knowledge or consent gets to bypass all that. I can try to block a list of the DoH providers I know of, but I'm not going to get them all. And it's just regular HTTPS traffic on port 443, with nothing to distinguish it from someone accessing a website.
I assume this is a joke, since DoH3 (DNS over HTTP/3) uses QUIC which is UDP based.
https://wiki.safing.io/en/Portmaster/App/DNSConfiguration
https://applied-privacy.net/services/dns/
There are non standard transports for DNS via non standard providers | DNS proxies - this tool and that foundation are a start.
It’s sad that democracies are copying the playbook of China. Will definitely be using v2ray/X-ray while here
So, DoH should work fine for now, but they'll (gov.) terminate HTTPS (or TLS) connections ASAP.
Why? I've never heard of a non-Islamist nation banning content as benign as porn.
The real issue is always control.
> there are democracies in Europe where its fine to jail people for what they write online.
And? You seem to believe that a democracy refers to a bundle of freedoms that you personally believe everyone should have. Democracy means governance by the will of the majority. If the majority want people to be jailed based on their writings or speech, then that's what happens in a democratic country.
I think that ship has sailed. Malaysia certainly isn't the first to pull this.
AFAIK Chrome has a hardcoded list of DNS servers which offer encrypted DNS. i.e. if your DHCP server tells your PC to use 8.8.8.8, 1.1.1.1, 9.9.9.9 (or the IPv6 equivalents), it will instead connect to the equivalent DNS-over-HTTPS endpoint for that DNS provider. This is a compromise to avoid breaking network-level DNS overrides such as filtering or split-horizon DNS. It's not limited to public DNS providers either; ISP DNS servers are in there. (I've seen Chrome connect to Comcast's DNS-over-HTTPS service when Comcast's DNS was advertised via DHCP.)
Of course, this is pretty limited. Chrome obviously can't hardcode every DNS server, and tons of networks use private IPs for DNS even though they don't do any sort of filtering / split-horizon at all. (My Eero router has a local DNS cache, so even if my ISP's DNS servers were in Google's hardcoded list, it wouldn't use DNS-over-HTTPS, because all Chrome can see is that my DNS server is 192.168.4.1.)
Firefox for sure has a "corporate" setting which guarantees that DNS queries are unencrypted, using port 53 (virtually always UDP although technically I take it TCP over port 53 is possible but a firewall only ever allowing UDP over port 53 for a browser works flawlessly).
AFAIK Chrome/Chromium also has such a setting and making sure that setting is on bypasses DoH.
I force all my browsers / wife / kid's browser to my own DNS resolver over UDP port 53 (my own DNS resolver is on my LAN but it could be on a server if I wanted to).
That DNS resolver can then, if you want, only use DoH.
To me it's the best of both worlds: "corporate" DNS setting to force UDP port 53 and then DoH from your own DNS resolver.
The benefit compared to directly using DoH from your browser is that you get to resolve to 0.0.0.0 or NXDOMAIN a shitload of ads/telemetry/malware/porn domains.
You can also, from all your machines (but not from your DNS resolver), blocklist all the known DoH servers IPs.
It's bad enough that so many devices and applications already ignore DNS settings or hard-code IPs. I want everything going through my DNS.
Assuming the AI is comparing screenshots of real versus phishing, it can only figure it out for poorly done phishing websites.
As phishing scams get more sophisticated with scam websites that look exactly like the real ones, the only things that truly matter are protocols (i.e., HTTP versus HTTPS), domains, URLs, certificates, etc.
There’s an argument that Google should not cater to our preferences, but I don’t think I buy it.
So arguably google does not respond to customers anymore. Shareholders? Maybe. But probably those who prefer short term gain, not long term value.
Apartheid was implemented by the non-natives (i.e. white colonialists) towards the natives, while this is a different concept.
Regardless, when I look up the definition of apartheid it doesn't seem to require the non-natives being the ones to implement it.
the ideal situation would actually be to implement httpdns on the OS/router level and allow the user/local admin to choose the policy. i expect that this is going to happen soon in most linux distributions.
It's the main reason google pushed httpdns and chrome. So you go to google.com. google's current money cow is literally AOL keywords.
Nobody has to worry about breaking Thai laws around defaming the King because Thailand isn’t a superpower with the ability to enforce its will beyond its borders.
Everyone has to be worried about breaking US law.
It makes it substantially more difficult. My firewall statistics are proof of that. On a production network you'd have everything blocked.
if that's your definition then a lot of countries where the majority tribe is in a form of dictatorial power are also democracies
Httpdns is too complex of a solution to the business goal you’re suggesting. There are much simpler / less expensive ways of doing it.
"Democracy" is a bit of a red herring here. Democracy doesn't mean the government can't censor you or restrict what information or media you can consume. Democracy just means that the voters have consented to whatever legal framework is in place, and to whatever their leaders want to do within that framework.
And that's the thing: in many democracies around the world, if there was a referendum on the law to blocking copyright infringement, online gambling, or pornography at the ISP level, I think many would pass that law.
(Certainly there are "democracies" out there that only pay lip service to the concept, and have fixed elections and repression of dissent or opposition. I'm not talking about those.)
DoH isn't "magic". It's just a simple, standardised protocol. Its existence makes it no more or less easy for adversarial actors to do name resolution.
DNS should be an OS level tool which is consistent to all applications, not an application by application setting.
As the device owner I expect DNS to be consistent whether I run Firefox, chromium, zoom, curl, steam, ping, or the dozens of other programs I run.
If the government can transparently MITM your HTTPS connections with the DoH server, they can just as well MITM your connection to the real antigovernment.com server regardless of what DNS you use. And in fact, if they can't MITM your connection to the real antigovernment.com, they also can't trick you to talk to their fake antigovernment.com regardless of intercepting your DNS: you will connect to the attacker IP, the attacker IP will give you a bogus certificate, your browser will refuse to connect.
DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.
For TV, use it as a dumb display for some FOSS TV box, running something like libreelec.
As for DRM attestation, that's not the responsibility of anyone but the DRM vendor, so ask them.
It's really not that rare even for non-Muslim countries, especially in Asia
When they started to terminate TLS, the reason was to terminate illegally shared webtoon (web cartoon) sites.
For more info: https://en.wikipedia.org/wiki/Internet_censorship_in_South_K...
Not every country has this, so no, not "everyone has to be worried about breaking US law".
Regarding Thailand specifically, they have a principle of "double criminality", so people are only extraditable if what they're accused of is a crime both in Thailand and the country they're being extradited to. So maybe not the best example.
Besides, other countries have extradition treaties with other countries than the US too, even non-super power ones.
Does your programming language _show_ you the certificate information when you use an http library to connect to an HTTPS service?
Sure the other end of the DNS query may not be encrypted, but I can easily decide which government to trust, and run my DoH server there.
It doesn't show it, but I expect it would put up an error message if the DoH server's cert is invalid.
For instance : https://boingboing.net/2012/02/23/microsoft-google-and-netfl...
(But «bad actor» was perhaps a bad choice of words, since someone buying devices or using media with DRM is of course not as evil as someone pushing them. But they are engaging in bad behaviour nonetheless.)
Such devices have a pretty simple architecture: the highly performant data plane where DPI is implemented in the hardware (using either ASICs or FPGAs – don't have enough information), and the control plane. The control plane comes with an SDK of sorts that DPI appliance users can use to tailor the appliance to their environment and that is used to «refine» the data plane behaviour, i.e. sending down / updating DPI pattern matching / processing rules.
I think the weak points are wholly non-technical, e.g. Google would often give in to protect the $$$ they make in a region.
https://dns.google/dns-query – RFC 8484 (GET and POST)
https://dns.google/resolve? – JSON API (GET)
And tunneling obfuscated traffic is easy... =3
I wonder if DoH requests can be easily proxied? So if I set up https://www.mydomain.com/dns-query on a U.S.-based cloud server and proxy_pass all requests to Google or Cloudflare, and point my browser at my server, will it work?
Perhaps someone will put a configured wifi router image together over Christmas holidays for demonstration purposes... because it is fun to ignore tcp drop DoS too.
Tunneling well-obfuscated traffic is easier than most imagine... and IDS technology will fail to detect such things without an OS OSI layer snitch. =3
That's not how that works. DoH resolvers need an IP address, not a domain name. Sure, Google could host DoH on www.google.com, www.youtube.com, etc. but most users are not going to be savvy enough to find those IPs and use them.
Then again, perhaps users savvy enough to try to use DoH to bypass these blocks would also be fine with this.
Even the UK/China firewall can be tunneled over, but the ramifications for those that do so can be dire. =3
no VPN, rt.com works just fine in the UK, no issues.
i think they banned the live TV in the EU and UK. and i think they also banned the website in the EU, but apparently it’s not enforced? https://www.rferl.org/amp/russia-rt-sputnik-eu-access-bans-p...
haven’t found anything about rt.com being banned in the UK though.
This is a notable area where the US is an exception, and is significantly more free than other western countries. No need to worry about art or materials being censored here, at least outside of specific contexts like some states banning books from schools.
It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.
The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.
Deploying an application protocol that does neither, such as DNS, directly over UDP is a bad idea. If you were to run DNS over DTLS (TLS over UDP), that would be a different beast, and probably ok.
And to clarify, encryption is important to prevent tampering and preserve users' privacy. Session management is important to protect against redirect attacks with spoofed source IP, or session hijacking.
It's legal, but it's not porn.
Same as why a lot of Japanese people seem to have pixelated genitals. ;)
Very few people configure DoH on their own. It's up to the DoH-enabled client software (mostly browsers) to obtain lists of resolver IPs and keep them up to date.
If Cloudflare, for example, really wanted to make their DoH traffic indistinguishable from other HTTPS traffic, they could literally host DoH on any domain or IP under their control and rotate the list every now and then.
I know you were implying the opposite, but how many suicides are you going to prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?
These are generalized rates, of course, but in point of fact, your claim is not substantiated by any real data.
Either you think that the majority of the population in Malaysia or the US identify as LGBT+ or you're really struggling with basic statistics and reasoning.
> prevent by making Malaysia’s rate (6/100k) similar to the US (14/100k)?
Presumably the idea would be to reduce it to some number lower than 6. Or do you believe the majority of people in the US are killing themselves because of "Awareness and acceptance on LGBT matters"?
If the idea is to reduce it below 6 by preventing a few suicides per year (which is not likely), how confident are you that destroying the culture of the nation in the process will not cause the number to rise to 14?
https://onlinelibrary.wiley.com/doi/abs/10.1002/ajcp.12553
https://www.sciencedirect.com/science/article/pii/S027795362...
https://www.thetrevorproject.org/survey-2022/#support-youth
There's plenty more if you care to just Google it.
The rest of your comment is ridiculous because obviously there is more than one contributing factor to suicide. Including (perhaps) latitude.
I’ve read about it in depth.
Encouraging people to be LGBT has resulted in massive increases in number of people claiming to be trans, for example. Assuming they have the “best” case scenario of an affirming home, apparently 14% attempt suicide, according to your third link.
Now let me ask you, how many people have we killed by “affirming” these things to the point that it’s actually cool to be trans in most schools?
We’re driving up the denominator on the highest risk category for suicide while pretending that that very thing will reduce suicide.
They were charged for money laundering...
But is there a possibility there is a distinction between "I can freely share my political opinions about things" versus "I can ask/cheer on people to commit crimes without consequence"?
For example, accidentally leaked internal network queries from companies are up for grabs. As is market data like what people are querying, how much, when, from where (geographical for example) and to whom, and so on.
The quality of the anonymization of private information is also not guaranteed.
You can't possibly make that assertion, because all it takes is one NSL and they will log and share it all.
Like the one they had that just circled back around to the ISPs that regularly data-mine their users' traffic?: https://arstechnica.com/tech-policy/2020/06/comcast-mozilla-...
I’ll trust my ISP over Google or Cloudflare or Microsoft or DuckDuckGo any day.
Some <bad people> abuse <x>, therefore it is totally justified for us to impose a wholesale replacement of <x> with a solution that we can control centrally. It's for your own safety!
Never mind all the people that don't have data-mining ISP's, and to hell with end-user consent. We don't need that, we're working for the good of everyone. My piety trumps all!
Separately from that, there's the issue of how to transition over to DoH, in a world in which many ISPs and networks are hostile. That is the point at which browsers are using the small handful of early-adopter DoH servers and assuming on behalf of some users that they want to use those instead of the servers from their ISP or other network. That part is debatable, and involves tradeoffs between protecting users who don't understand DNS or security and supporting users who do.
DoH gives users the ability to ensure they're talking to the server they think they are, and not get their queries spied on or hijacked. That is the part I'm advocating here: having a protocol that cuts out MITMs and prevents spying on the network traffic. That doesn't solve the problem of needing a trusted DNS server to talk to; it solves the problem of not being sure you're talking to the server you think you are, and not being sure if some part of the network between you and that server is spying on you.
If you have a DNS server you like and trust, whether that's from your ISP or something else entirely, that's great for you! DoH would still be a better protocol to use to talk to that DNS server, rather than the unencrypted DNS protocol.
With, say, a proxy app on MacOS, I don't see how they could do this without consent?
Actually they do ask, by querying use-application-dns.net.
Notice that you could do this the other way: Query a value in the existing (local) DNS or DHCP that not only allows you to enable DoH but also specify which server all the local devices should use. Then if the DNS server chosen by the local administrator/user supports DoH, it could respond by saying so and you could use the protocol without changing your DNS server. But that's not how they did it.
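As an added example (not code from any commenter): a small Python script that builds the RFC 8484 GET URL for the https://dns.google/dns-query endpoint mentioned earlier in the thread, parses a wire-format answer, and applies the use-application-dns.net canary check the way a DoH-capable client does (NXDOMAIN, or an answer with no address records, means "this network opts out of DoH"). The sample responses are constructed here, not captured from a real resolver; the one live helper is never called by the offline checks.

```python
import base64
import struct
from urllib.request import Request, urlopen  # used only by live_query()

# Endpoint and canary domain as named in the thread; everything else is constructed.
DOH_ENDPOINT = "https://dns.google/dns-query"
CANARY = "use-application-dns.net"
QTYPE_A = 1
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format.
    txid 0 is what RFC 8484 suggests for the GET form, so identical queries share a URL."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: ?dns=<base64url(wire query)> with the '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(build_query(name)).decode("ascii").rstrip("=")
    return f"{endpoint}?dns={encoded}"


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and any A records from a wire-format DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "addresses": addresses}


def canary_disables_doh(response: bytes) -> bool:
    """A local resolver answering the canary with NXDOMAIN (or with no address
    records) is telling DoH-capable clients to stay on the network's own DNS."""
    parsed = parse_response(response)
    return parsed["rcode"] == RCODE_NXDOMAIN or not parsed["addresses"]


def make_sample_response(query: bytes, rcode: int, addresses) -> bytes:
    """Constructed response for offline testing (not captured from a real resolver)."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b"".join(
        struct.pack(">HHHIH", 0xC00C, QTYPE_A, 1, 60, 4)   # name = pointer to offset 12
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addresses)
    return header + query[12:] + answers


def live_query(name: str) -> dict:
    """Send the GET form over the network; not used by the offline checks."""
    req = Request(doh_get_url(name), headers={"Accept": "application/dns-message"})
    with urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    # The www.example.com URL below matches the worked example in RFC 8484 section 4.1.1.
    print(doh_get_url("www.example.com"))
    nx = make_sample_response(build_query(CANARY), RCODE_NXDOMAIN, [])
    print("canary says disable DoH:", canary_disables_doh(nx))
```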
Seems unlikely, not surprising it got flagged to death; however, it's there for anyone with ShowDead enabled to read.
I was responding to one speculation, with another, to show that the parent speculation — that censorship of LGBT information would lead to more death by denying sexually active people in the LGBT community with information on STI prevention drugs — was over simplifying the factors involved, to present their speculation as a matter of fact.
If my comment — which I disclosed as mere speculation — is to be censored on those grounds, the parent comment should definitely have been.
“The majority decided it. That’s not censorship.”
“The law decided it. That’s not censorship.”
“The users decided it. That’s not censorship.”
“You were just scared your neighbors would kill you, so you didn’t say anything. That’s not censorship.”
I’m having trouble drawing lines.
Given the repo name, I shouldn't have been surprised
Microsoft has invested in a startup that uses facial recognition to surveil Palestinians throughout the West Bank, in spite of the tech giant’s public pledge to avoid using the technology if it encroaches on democratic freedoms.
AnyVision, which is headquartered in Israel but has offices in the United States, the United Kingdom and Singapore, sells an “advanced tactical surveillance” software system, Better Tomorrow. It lets customers identify individuals and objects in any live camera feed, such as a security camera or a smartphone, and then track targets as they move between different feeds.
https://www.nbcnews.com/news/all/why-did-microsoft-fund-isra...
No. This is more similar to an ad blocker, but focused on helping Muslims respect their religious standards while they browse the web. I’m not a Muslim, but it makes perfect sense to me. Good for them—I see no problem with it.
Somebody installs it for him/her-self. Sure, power to you!
Neighbour in a non-Muslim state installs it for their children: their right, but it feels fishy regarding a child's right to truth.
I’m not sure what’s fishy about it. Parents have always controlled what their children should have access to and consume. The entire concept of “parental controls” exists for this reason—we’ve always understood a parent’s rights over their children and none of that was at all controversial until like 5 minutes ago.
This is a digression anyway, so I’ll just stop there…
I’m sorry that everyone in the world doesn’t think the way you’d like them to.
I know lots of Muslims, both male and female, and they’re perfectly normal to me. In fact, some of them are some of the most wholesome folks I know: Humble and hardworking humans who build and love their families, and of course, believe in something much greater than themselves. I see nothing “backwards” about that.
>in point of fact, your claim is not substantiated by any real data.
I have provided data. You just avoided commenting on it entirely and responded with a theoretical, opinionated "question". The reason is obvious to any reader: You're wrong. Otherwise, where is your data!?
Anyways... science aside... it's not even like this is a controversial idea. You're actually challenging the idea that people feel better about their lives when they feel supported. Really? What a weird thing to suggest. There's a reason people like you get downvoted (or "censored" as you put it). It's because you don't engage honestly. You aren't driven by science but ideology and no amount of data will change your mind.
So far clients have chosen availability instead of fighting this fight.
It is quite easy, for example, to bounce traffic through a reverse proxy on a Tor tunnel and start ignoring spoofed drop-connection packets (hence these bypass local DNS, tunnel to a proxy IP to obfuscate Tor traffic detection, and exit someplace new every minute or so). This is a common method to escape the cellular LTE/5G network sandbox.
Ever played chase the Kl0wN? Some folks are difficult to find for various reasons.
Have a nice day, =3
It sounds like you're working with a model in which most users are conscious that they're very offended or inconvenienced by censorship, and want to research technical means of circumventing it. I wish that were true, but I doubt it's nearly as common as your intuition suggests.
However, one could be correct in that people may prefer to be ignorant. As YC karma is often negatively impacted by facts. QED =3
"Any" impact is weird phrasing, though. Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.
> Only a very small percentage of people will be savvy enough to attempt to circumvent these bans.
There are several one-button vpn/proxy+tor apps for unrooted phones already, and they are dodgy on a good day. =3
Chinese government couldn't have cared less about that "impact" -- even if only less than 1% of Wikipedia content mentions Chinese government at all, they are going to block the Wikipedia website.
I'm not against the core part of your argument, just against the blaming of a particular choice of transport layer, which is fundamentally irrelevant. Encryption is great. Meanwhile DNS doesn't really need the concept of a session, does it? At the end of the day it's just a single lookup which can very well be fire and forget. That we're encrypting the request (ideally) and also the response (ideally) is no reason to add in loads more complexity.
DoH3 means running DNS over HTTP over QUIC over UDP. Here QUIC does both session management and encryption.
In both cases, we are running a simple application protocol (DNS) over other protocols that handle the Internet-level problems I raised, so all is good.
The problem is with running your application protocol directly and strictly over UDP and nothing else.
And related to sessions, there are two things. For one, in reality today, you typically do a whole host of DNS requests even to load a single site (many common sites have upwards of 20 domains they use, and that's before loading any ads). So having a persistent session to send all of those requests on would not change much, even if it's not technically necessary. Secondly, even if you really want to avoid sessions, you then still need some other mechanism to prevent source IP spoofing.
Any protocol which allows a host to send a small request to a server and cause that server to send a large response to the src IP of that request is a major problem for the health of the internet. Requiring a handshake to solve this is one simple way to avoid the problem entirely. DNS implementations have had to find all sorts of other mitigations to address this (I believe they now typically don't allow responses more than a factor of 1.something larger than the request, or something like that? Which of course brings in all sorts of extra problems and unnecessary traffic)
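An added example (my own, not code from any commenter) that models the amplification concern above in Python: it builds a constructed DNS query and an oversized UDP answer, computes how many bytes a spoofed source would receive per byte sent, and shows the resolver-side truncation (TC bit) mitigation that forces the client onto a handshake-based transport before the large answer is delivered. The hostname and addresses are constructed sample data.

```python
# Added example: minimal DNS wire-format model of UDP amplification and the
# truncation mitigation. Packets are constructed inline; nothing hits the network.
import struct

HEADER_LEN = 12
FLAG_QR = 0x8000  # response bit
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_TC = 0x0200  # truncated: "retry over TCP (or another handshake transport)"


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels terminated by a zero-length label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """A plain UDP query: header (one question, RD set) + question section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, addrs: list[str]) -> bytes:
    """Answer the query with one A record per address (constructed sample data)."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:HEADER_LEN])
    question = query[HEADER_LEN:]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, qd, len(addrs), 0, 0)
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C is a compression pointer back to the name in the question section;
        # each record is name(2) + type(2) + class(2) + ttl(4) + rdlength(2) + rdata(4).
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the server emits per byte the (possibly spoofed) client sent."""
    return len(response) / len(query)


def limit_udp_response(response: bytes, max_payload: int = 512) -> bytes:
    """Resolver-side mitigation: if the UDP answer would exceed max_payload, drop
    the answer section and set TC so the client retries over a transport that
    requires a handshake. A spoofed source never receives the large payload."""
    if len(response) <= max_payload:
        return response
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", response[:HEADER_LEN])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0)
    # Keep only the question section: walk the labels, then skip qtype/qclass.
    pos = HEADER_LEN
    while response[pos] != 0:
        pos += response[pos] + 1
    pos += 1 + 4
    return header + response[HEADER_LEN:pos]


def is_truncated(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    q = build_query("example.test")
    big = build_response(q, [f"192.0.2.{i}" for i in range(1, 61)])
    print(len(q), len(big), round(amplification_factor(q, big), 1))  # 30 990 33.0
    trimmed = limit_udp_response(big)
    print(len(trimmed), is_truncated(trimmed))  # 30 True
```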
Yes, and the person you're replying to mentioned that it was perfectly possible to encrypt data over UDP. Presumably they meant DTLS. So what's your concern?
Change “significantly” to “technically” or at least to “”, and then I will agree with the statement.
I’m not opposed to all censorship. I’m just opposed to refusing to acknowledge it for what it is.
If you have your comment flagged by a couple of people, and removed, that is censorship. Plain and simple.
i.e. obfuscate the traffic using the hijacking DNS servers themselves.
Just a thought =3
the vpn provider, it's just a split tunnel thing; since that is a local process, yes they can hijack it. Originally when we switched to our current vpn provider it didn't even let us use localhost or loopback dns, but we needed that for the way we use docker in development, so now it's just anything except those being redirected.
This is a feature. That some people choose terrible ISPs is a trivial problem to avoid, far easier than avoiding terrible user agents which are beholden to their advertising masters.
There are also the global satellite uplinks... so it's ultimately a pointless game to keep people ignorant, that is unless they plan to follow people around like a hot-air balloon villain from Pokemon Go. lol =3
If you choose an ISP with those features, that’s on you. It’s not like the UK is a backwards country with a monopoly of one or two ISPs for a given location.
Since then City Fibre completed their rollout and I'm no longer an existing customer with BT so now I _do_ have a choice.
But bigger picture here: I mentioned my setup on a thread where a country is mandating all of their ISPs do this. Sometimes you don't have a choice.
https://www.stunnel.org/downloads.html
with the optional:
https://github.com/bfix/Tor-DNS.git
or go with the more modern:
https://github.com/erebe/wstunnel
Best regards, =3
Some states are doing that at a state level in limited contexts. Individuals are still free to post or publish whatever they want.
> It’s just that the restrictions the US has are determined by Americans to be the right levels and other restrictions (for example laws against glorifying nazism) are the wrong levels.
No, it's that in the US this kind of freedom is significantly more protected and culturally important.
> The sad thing is Americans believe the propaganda that they have freedom and nowhere else does and therefore their restrictions on speech aren’t real but others are.
I would say the sad thing is anti-US sentiment can be so high that people won't debate something like this in good faith and look at the various cases and histories.
Challenge one: Could it be that previous commenter touched certain dogma? (One possible definition from Wikipedia: “Dogma, in its broadest sense, is any belief held definitively and without the possibility of reform”)
Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise. (One possible definition from Wikipedia: “Censorship is the suppression of speech, public communication, or other information.”)
(No need to report results or reply / just try the exercise for elasticity of the mind)
BTW. A bit related, hopefully interesting, random fact you did not ask for:
“Freedom” is defined quite differently by people in different countries. While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.
Maybe, but in my experience it's usually the dominating factor. Anti-US sentiment can be high, and a lot of people from western countries are skeptical that the US can be any more free than their own in any capacity.
> Challenge one: Could it be that previous commenter touched certain dogma?
I don't believe so. The comment I replied to was using state schools banning some books as an example, even though I mention that in my comment and explain why it doesn't apply.
You'd have to be clear on what you think the dogma here might be, but whatever it may be I'm confident my position is backed by facts and reason.
> Challenge two: please try to stretch the definition of “censorship” a bit till you can say that USA has SOME censorship, maybe in disguise.
I never claimed the US has no censorship, just that it has a lot more freedom due to cultural and legal reasons in contexts like we are discussing here.
> No need to report results or reply / just try the exercise for elasticity of the mind)
Critical thinking is an important step in reasoning and a great way to keep a mind sharp, for sure.
> “Freedom” is defined quite differently by people in different countries. While the U.S. often focuses on freedom from government interference, in France, freedom also includes the idea that the government has a role in ensuring social justice and protecting individual rights, and in Baltic countries the freedom usually means freedom from a certain country.
That is interesting. I would say that latter definition applies in the US as well though. For example, we all expect to be free of crime due to police and such, even if that expectation is not always met.
While the government may not arrest you, the consequences of expressing your opinions can still be excessive.
If I read your original comment right, you were agreeing that the US might be ahead as far as government censorship but not as far as the types you list here, is that correct?
I'm still not sold on the notion that limiting public information reduces the incidence of gay sex in a society; the Victorians famously did that and ended up with Polari, rent boys, Green Carnations, and generally no end of coded communication.
It made the puritans feel better but did little good otherwise.
Regardless, censorship is not the path to a healthy society and should be rejected on principle.
If a society is looking to decrease STI infection rates I don't see why they'd limit focus to LGBT material and expect any kind of useful result.
When AIDS first appeared, Australia made public health announcements addressing all forms of sex, as AIDS wasn't limited to male-to-male sexual transmission either; that was merely the demographic pool the STI first appeared in.
The reason I force DNS over UDP to my own DNS resolver is not so that chinese-internet-of-shitty-insecure-device (which I don't own) cannot phone home: I do it so that I'm in control of what the browsers can access over HTTPS (my browsers are all HTTPS-only).
> or not software written by someone else chooses to use the OS networking stack or even respect your desires when it comes to name resolution
Then meet firewalls. The user accounts running browsers on my setup can access HTTPS over port 443 and query UDP to my local DNS resolver. A webapp (i.e. software written by someone else) is not bypassing that "networking stack" that easily.
Regarding name resolution: except some very rare cases where https shall work directly with IP addresses, a browser using https only will only work for domains that have valid certificates. Which is why blocking hundreds of thousands --or millions-- of domains at the DNS level is so effective.
And if there are known fixed https://IP_address addresses with valid certificate that are nefarious, they're trivial to block with a firewall anyway.
I'm in control of my LAN, my router, and my machines and webapps written by others either respect HTTPS or get the middle finger from my firewall(s). Not https over port 443? No network for you.
Reading all your nitpicking posts you make it sound like firewalls and local DNS intercepting and blocking DNS requests aren't effective. But in practice it is hugely effective.
The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.
It's a meaningless wish for something that you can't have, that we all agree would be nice, but is silly to expect.
An app can simply include its own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source. It's just key=value like all the infinite other data that every app processes. Normal dns and doh are nothing but standards and conveniences, they don't actually control or dictate anything.
You wish apps couldn't do that? So what? Do you also want a pony?
I'd say the same for this unnecessary ad hominem.
> The knowledge of what ip address correlates to some hostname is just data like any other data. There is nothing magically specially different about it, and no way to differentiate it from any other random data that every single process processes.
This is a basic truth that has no bearing on what I said above.
> It's a meaningless wish for something that you can't have, that we all agree would be nice, but is silly to expect.
It's how it worked for personal computing almost since it became popular in the 90s.
Most apps would use the OS set DNS setting. Apps choosing to ignore that and do their own queries is a much more recent thing.
> An app can simply include its own hard coded list of ips if it wants, or some totally home grown method for resolving a name to a number from any source.
Yes. This also has no bearing on my point.
> You wish apps couldn't do that? So what? Do you also want a pony?
Wishing apps are not hostile to user intentions is not a fantastical or ignorant desire. Just because apps can be hostile to user intentions does not mean we should accept that as normal or advocate for it.
edit: Unless, naturally, I am no longer an admin and any control I have over my hardware is merely an illusion.
It doesn't matter how much you might want otherwise. It doesn't matter how important and virtuous the reason you want it is. Even invoking the mighty untouchable power of "my daughter" does not change such a simple fact of life.
When a DNS lookup request hits it, where does a UDP packet on 53 go out to and what happens to it?
Annoying if you are trying to bring up a remote domain server, and thinking WTF while checking things out in dig. lol =)
The crux of the problem is that the device/application can't tell if the interference is friend or foe.
All the techniques you can legitimately use on your local network, and that network operators have used in the past, can all be used one hop beyond the network you control.
And, sadly, in 2024, most OS vendors are "in the game" of making sure they can 100% control the link and execution environment between themselves and their servers, without interference from the network operators along the way, OR the device owner.
Very broad definition could be: “suppression of speech, public communication, or other information.”
> And it's not exactly censorship, it's people being fired as a consequence
I guess it all depends how picky we are about the definition of the term.
To an extent, but if people are calling firing sexual abusers censorship I'd say that doesn't fit any definition.
The point was that it's pointless to even think in terms of "apps and devices going around my choke point" because there never was a choke point in the first place.
If you want to prevent an app or device on your network from accessing an IP, you must 1: Ensure the app or device has no wifi or cell or any other possible physical connection of its own that could allow it to reach the internet without going through your router. 2: Block the ip, by ip, in your router, and also any other ip that could serve as a proxy or relay.
It is impossible to know what all those IPs are, so what is possible instead is whitelisting instead of blacklisting.
You could do that, but was it useful or interesting to even say? Didn't you and everyone else already know all that?
<< The point was that it's pointless to even think in terms of "apps and devices going around my choke point" because there never was a choke point in the first place.
I am not sure why I detect snark. Either it is possible or it is not possible. You argue that the only way we can assume things are not communicating with the outside world is if there is no network to begin with, which is not a completely unreasonable position to take knowing what we know -- cat and mouse gaming being what it is. But even that is slowly becoming less of an option.
<< You could do that, but was it useful or interesting to even say?
Are you suggesting that this conversation is pointless? I don't see it that way. edit: after all, I am participating in this exchange.
But as you point out, STIs aren’t confined to any one group, so focusing exclusively on MSM activity would be a mistake.
With respect to HIV, its prevalence among MSM is 20 to 30 times higher than in the general population.
In 2022, Aboriginal and Torres Strait Islander peoples continued to experience significantly higher rates of STIs than non-Indigenous Australians.
“Aboriginal and Torres Strait Islander peoples are diagnosed with chlamydia two times more frequently than non-Indigenous people. For gonorrhoea and syphilis, the rate is more than five times as high.
Then gay men, higher than others but not so extremely high as ATSIC people. This all points to the need for better community outreach programs to better inform specific communities, etc.