DNS over HTTPS Testing With Firefox and What it Means for Web Filtering and Privacy

Captions
DNS over HTTP is coming whether ISPs and governments like it or not. This is a good read over at Naked Security by Sophos, and the reason we have a picture of Homer took me a second, then I'm like, "D'oh!" Literally, DNS over HTTP is referred to as DoH. Anyways, enough of the Simpsons references. This is actually a really good article about the rise of DoH and what it means for security, what it means for privacy. It's a big win for privacy; it's a big loss for those that want to have visibility into the websites we go to and block them, including the many ISPs and the UK's controversial porn block system, which many systems do rely on DNS for.

I've covered DNS over TLS before. This is separate. DNS over TLS means, and this is a general common way you set it up, and we're gonna refer to pfSense but other systems do support it, where you set up a secure encrypted DNS to go from your firewall to whichever network you choose for your DNS, you know, Cloudflare, Google, Quad9 all support it. And then your local connections that your computer makes, not just the browser one but your computer itself, it needs more than just the browser for DNS, it contacts your local firewall, and then all that traffic once it leaves your network is encrypted, making you invisible, which is great unless you're a government that wants to spy on people.

This goes a step further, and this is actually a big problem for filtering sites and filtering systems used by many companies, and a common question I get, so I wanted to break down a little bit how that works and what's going to break with this and how to enable it in Firefox, because it's available in Firefox right now. It's just not turned on by default, and there's not a lot of places that support it, but the good news is Cloudflare does, and by default Firefox comes with Cloudflare pre-configured as a system.

You know, so to do this test, first I wanted to make a rule. This rule is not enabled right now; this is the block for the demo, a port 53 block on a special VM I set up at 172.16.69.129. Here is watching all the port 53 traffic kind of bouncing around on that particular system. 53 is the default port for DNS, and obviously this is really simple. You could obviously move DNS to another port; I'm not getting into those technical details. I'm just looking at the default ports and the default way the VM works.

If we go over here, we're gonna go ping apple.com and ping google.com. You know, you can see we're resolving addresses. Apple apparently doesn't reply. Right away we see some port 53 traffic. Over to the Firefox browser, and let's, uh, I don't know, we'll pull up Reddit real quick. So we pulled a couple things, and we'll do something while that's doing that. YouTube comes up before that, interesting, about us page, not now. So, you know, generating some traffic, and we go over here, lots and lots of DNS queries. You can see it's completely filled with them. So everything is working as expected, and of course by default, most people are running things at that default port 53, being DNS, it is not encrypted.

Ideally, and the way it's set up in my network, is we're using DNS over TLS, which means it contacts our firewall and it goes encrypted out. But that local traffic can be watched, can be filtered, and because it passes through DNS on my firewall, the popular tools like pfBlocker allow for blocking of websites and ads or whatever you want to block with pfBlocker, which is pretty cool.

But watch what happens when we block port 53. I turn this rule on, apply. All right, so now all the DNS requests have timed out on this VM. No more DNS requests, the block is active, they've all died, so all the sessions have died, so we can't establish new DNS connections on this particular computer. Let's see what happens in the VM. Now we try to ping something that's not cached. I gotta come up with a new website. Meme, dead air. And do anything, a website in Firefox, open up any news, anything. It's thinking. Let's try to go to Google. Now it may have Google cached in there. So yeah, it has Google cached, but that means if we look up Lawrence Systems, again, a website we haven't been to... hold on, all right, look up something completely different. So if we go to a news site, resolving a new address, ...com, dead air. Go back over here, no established DNS connections.

So let's talk about how to turn on this DNS over HTTP. You go to network.trr.mode, and this is just the about:config. So you open up the about:config, you're gonna get a warning, you're going to go to network.trr.mode, modify it, you set this to 2. Now we've changed the DNS inside of this. Now if you want to know where it's going, the URI is right here. The default string is mozilla.cloudflare-dns.com/dns-query. This is sending all the connections over to this particular DNS, the Cloudflare DNS. I don't know which other companies, I don't have a list right now of who supports it, but this is the default that you don't even make any modifications for, the default that Mozilla is working with.

And you can see it timed out, server not found, and I can still not ping anything here. But now what happens? Refresh the page. Hey, you are surfing the web again. Oops. Now pull up that website that I can't ping but I know it works: WCRC.com is our Regional Chamber. Open it up. Although I can't do anything here, so here's different websites, browsing away, but I don't have any DNS access. How's that working? Perfectly fine here, still no DNS queries. It's completely bypassing and doing everything over port 443. If we look at port 443 on here, all the connections are being established over here and nothing's being established on DNS. So my system is now blinded to this DNS.

Now this can create, like I said, a real big problem for companies that want to monitor DNS, that want to monitor and filter things at the DNS or create redirected URLs. The good news is it adds a lot of privacy in this system. The bad news is you have to rely on... any type of sinkholing you want to do of something in DNS, i.e. ad blocking or blocking websites in general or even having visibility into websites, at the endpoint, and you'll have to do it as a browser extension to get this to work.

So I just wanted to show how to do this. It's real easy to do. It is, to my knowledge, not supported in Chrome yet, with the exception of Chrome on mobile. So Android phones have been using this for a while, which has caused problems, because people try to block the bring-your-own-device or block mobile devices, and Chrome doesn't care about what DNS when it's on mobile; it automatically uses its own encrypted DNS and bypasses anyways.

This is, like I said, it can be problematic in terms of, you know, if you're trying to do filtering. It's a big win for privacy, so they're gonna have to work on something else. And obviously the other solution is going to be, for a management or a business use case, would be to install certificates on the endpoints in order to get control over what websites are going, or visibility, and locking it down. So it comes back to one of the things I've said many times: monitoring at the firewall is a progressively losing battle. It gets harder and harder. You pretty much have to focus on doing it at the endpoint, because once again this blinds the firewalls, blinds the filtering systems, because the only thing that can be seen across the system now is 443 connections, which are all encrypted, and without a certificate installed on that endpoint that matches a certificate on the firewall, which also sometimes causes further breakage of things and more problems, especially with many banking websites and standards, it becomes invisible again to you. Especially TLS 1.3, with a second Diffie-Hellman exchange that happens inside the encryption, basically a second layer of encryption that even breaks installing the certificate option, so the firewall once again becomes blind to it.

So like I said, just want to bring this up. It's gonna be interesting to see how companies try to handle this, especially authoritarian governments, because they're going to really not like this, because they do so much DNS blocking. But this is the way of the future and this is a big win for privacy. So I wanted to show you how to do that. That's all you got to do to enable it, is that little about:config, and like I said, this is a beta feature in Firefox that is available to use at your own risk, but a pretty cool feature. I do like it.

All right, thanks, thanks for watching. If you like this video give it a thumbs up. If you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon, and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going. And if you want to help the channel out in other ways, we offer affiliate links below, which offer discounts for you and a small cut for us, that does help fund this channel. And once again, thanks again for watching this video and see you next time.
Info
Channel: Lawrence Systems
Views: 39,384
Keywords: DNS over HTTPS, dns over https vs dns over tls, dns over https cloudflare, dns over https chrome, dns over https firefox, dns, cloudflare, 1.1.1.1, dns over tls, pfsense, doh
Id: NfJf_-7O00w
Length: 10min 12sec (612 seconds)
Published: Mon Apr 29 2019