That's how it _always_ starts out, the "it's for your own good, trust me" excuse.
That would be cool?
You're kidding, but I've already toyed with using AI models to analyze browsers' screenshots and determine if it's likely phishing or not, and it works very well.
You want privacy? It stamps out any attempts at fingerprinting by attempting to be the most common browser (and config) out there, it spoofs any and all identifying data, it redraws pages without paywalls, without cookie notices and puts all pages in simple text output mode removing all other ads in the process, but keeps pictures for fora that use them.
You want 1984? It won't let you see anything that is not approved by the party.
Onwards, to our glorious future.
edit:
Valuemaxx edition. Store pages with discounts have bruteforced discounts found and added for maximum value.
It already is crazy. I can't even begin to imagine it being more crazy.
Most people already only see the web the way Google wants them to see it.
The whole precedent of the language is also insane. Imagine if words COULD in reality cause harm. Monty Python satirized the concept here: https://www.youtube.com/watch?v=Qklvh5Cp_Bs The "online words cause harm" idea is as absurd as that skit. Really the damage is in people claiming to have been harmed, emotionally, by a word, then wielding that as victim-power aka crybullying - that can translate into school/career/legal problems that are more of a quantifiable harm. Further, if words were so damaging, as Monty Python showed us, they would immediately be weaponized; the sensitivity to this topic is extreme hyperbole.
Since the premise of words causing harm is nonsense, the definition of harm is equally superfluous. Talk to any student council president or HOA president who only did it for the power, about some initiative they alone are driving against the wishes of the group, and you will find hand waves and sugarcoats everywhere, their selfish intent somewhat easy to see behind the well-sounding good-intending reasons. Politics at the national scale is the same exact game, just that the power hungry people waving hands are much more skilled and experienced.
but remember we have this (widespread from the 90s to 2010) to this day in the USA, and they don't even bother with excuses. just shove advertising and hijack searches right in your face.
google didn't force httpsdns on your browser for nothing. it was digging in THEIR pockets.
Jacques Ellul and/or Ted Kaczynski might be a starting point on this matter.
As a user of the public internet, it feels like a bug.
As much hassle as things like DoH can be for securing and enforcing policy on a network, it’s about time it became ubiquitous enough that governments can’t leverage DNS for their own purposes anymore.
A caveat of encrypted DNS is that it has to be bootstrapped via traditional, unencrypted DNS or via a well-known set of IPs. Currently, most clients using DoH/DoT use one of a small handful of providers. Cloudflare, Google, Quad9, etc. A motivated government could block those endpoints pretty easily.
Of course, a client using encrypted DNS could just refuse to work when encryption is blocked, rather than falling back to traditional DNS. But that could mean the client is unusable in the country implementing the block.
This sort of reminds me of when Kazakhstan announced they were going to MITM all TLS sessions within the country, and all citizens would need to manually install a root cert. Google, Apple, and Mozilla chose to completely block their root cert, so it would be unusable even if users chose to go along with it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a... Seems like the browser devs won that political standoff, but would they fight the same battle if DoH/DoT was blocked?
not if DNS is hosted on the same servers as eg google search itself. then they would have to block google search in order to block DNS.
Unencrypted DNS also has to be bootstrapped by a well-known set of IPs. None of the current DNS propagation system would work if it wasn't for the hardcoded IPs for the root DNS servers at *.root-servers.net.
And, of course, end-user devices still need an IP to query for DNS, it's just that it's almost always supplied automatically via DHCP or similar.
At least the companies I’ve been working for have a lot more laptops at coffee shops and weworks, and probably not on a VPN half the time either. DoH has been a way bigger win than a hassle for me.
Deep packet inspection hardware appliances have proliferated in number in recent years; they are cheap, the hardware is highly performant, and they are capable of highly sustained throughput. Redirecting DNS queries on UDP port 53 to any other destination of choice is something they can do without blinking an eye (if they had one). Or dropping / blackholing it.
Only a VPN tunnel can get through; however, modern DPI appliances can also scan for VPN and VPN-like signatures in the traffic and drop those, too. The only viable and guaranteed-to-work solution to resist the tampering with the traffic is a VPN tunnel wrapped in a Shadowsocks tunnel that obfuscates traffic signatures and constantly changes the ports it operates on to avoid detection.
https://mullvad.net/en/blog/introducing-defense-against-ai-g...
DoH is a double-edged thing; advertisers are a more present and pervasive threat to most than their own government.
In both instances it turns out that the difference in magnitude of those threats makes the direct comparison misleading.
And bad ISPs⁰.
And a small subset of MitM attacks.
> advertisers are a more present and pervasive threat to most than their own government
That is true for me¹ but I'd not agree with "most" globally. And while stalky corporates and the people who will get hold of my data subsequently due to lax security are my main concern, there are other ways to mitigate them. Less convenient ways, sure, and I lose a security-in-depth step of ashtray using them anyway, but I consider that inconvenience for me² to be less of an issue than the more serious problems DoH might mitigate for others.
----
[0] some people don't have a simple "just go elsewhere" option
[1] relatively speaking: I don't consider my government that trustworthy, and will do so even less in future if the Tories get back in without major changes in their moral core, and I'm sure many Americans feel similarly if they consider the implications of Project2025.
[2] both as an end user wanting to avoid commercial stalking and as someone who sometimes handles infrastructure for a B2B company that uses DNS based measures as part of the security theater we must present to clients when bidding for their patronage
Then transparently redirect the DNS request from all your machines at home to your own DNS resolver (so that you're in control of what gets resolved and what doesn't, like malware, phishing sites, porn so that kids don't get to see that, etc.) and have your own DNS resolver use DoH.
But asking for browsers to "make DoH ubiquitous" (they would force DoH and DoH only) is not a good thing. It also probably would clash with corporate policies, so it'd make the browser picking that path unusable in corporate settings (leaving the corporate market to competitor browsers).
DNSSEC can help protect from fraudsters or others that might try to transparently direct you to a different site than the one you wanted to access. But the government here has no intention of serving you a fake porn site; they want to stop you accessing porn and log the fact that you were trying to access it.
I don't really trust many DNSes, and neither do many others, yet we all have few choices.
The lack of MitM isn't much comfort
Neither are guarantees of the chain of trust
Sounded more like a kneejerk reaction and a meme for something that's an improvement. UDP in this day and age? Come on.
There is also nothing wrong with using UDP for DNS. And the latency can be better, and in this context that matters. The real problem is that the UDP DNS protocol isn't encrypted. But there is no reason it couldn't be, except that then nobody gets a new source of DNS queries to data mine, which is where the money comes from to push DoH.
A device on my network that decides to use DoH without my knowledge or consent gets to bypass all that. I can try to block a list of the DoH providers I know of, but I'm not going to get them all. And it's just regular HTTPS traffic on port 443, with nothing to distinguish it from someone accessing a website.
I assume this is a joke, since DoH3 (DNS over HTTP/3) uses QUIC which is UDP based.
In general they're not going to bother with IP blocking; once they've killed DNS, they're satisfied that most people will not be able to access it.
And for the most part, that's good enough. There's perhaps an argument that the US gov't should be blocking IPs/DNS of things like hacking rings and malware distributors that are hosted elsewhere, on TLDs out of their reach (where ISP blocking would probably be the only or at least best way), but they mainly only care about e.g. sites that threaten the copyright cartels, when it comes to legal takedowns, anyway. And for sites that host illegal content, they seem happy only prosecuting US residents who access them.
> We reiterate that Malaysia’s implementation is for the protection of vulnerable groups from harmful online content.
Who could possibly be harmed by pornography or, even more ridiculous, copyright infringement? Feels like a lame excuse.
Internet censorship in my country (Russia) started the same way — "we're protecting children from suicide and drugs", but for some reason you couldn't opt out of the "protection" as an adult. To no one's surprise, over time, more and more things to non-consensually "protect" people from were added. In the end, unless you stick exclusively with local services, Russian-language content, and government-owned media, the internet is utterly broken without a VPN, packet fragmenter or other anti-censorship solution. Popular VPN protocols are also starting to get blocked, btw. All for your own safety, of course!
I deeply implore you to think of the stakeholders!
So I guess pornography is illegal in Malaysia?
I guess this is a great time for Malaysian users to switch to DoH.
Edit: Yes. Wikipedia:
> Pornography is illegal in Malaysia with fines of up to RM10,000 for owning or sharing pornographic materials
https://wiki.safing.io/en/Portmaster/App/DNSConfiguration
https://applied-privacy.net/services/dns/
There are non-standard transports for DNS via non-standard providers | DNS proxies - this tool and that foundation are a start.
It’s sad that democracies are copying the playbook of China. Will definitely be using v2ray/X-ray while here
So, DoH should work fine for now, but they (the gov.) will terminate HTTPS (or TLS) connections ASAP.
Why? I've never heard of a non-Islamist nation banning content as benign as porn.
The real issue is always control.
Of course there are still ways around this. Use a good VPN like Proton.
This is still for sure going to be copied by authoritarian regimes worldwide.
> there are democracies in Europe where its fine to jail people for what they write online.
And? You seem to believe that a democracy refers to a bundle of freedoms that you personally believe everyone should have. Democracy means governance by the will of the majority. If the majority want people to be jailed based on their writings or speech, then that's what happens in a democratic country.
I think that ship has sailed. Malaysia certainly isn't the first to pull this.
I think you're underestimating the amount of stuff being blocked everywhere. Even in Spain where I live the list of blocked domains would be pretty big already, and it's just one country.
OONI gives a good overview: https://explorer.ooni.org/
loving it
You really need a solution that works on every platform for everyone, which isn't easy.
Even for VPN like apps, well, they aren't allowed on China's Apple app store. Fortunately you can switch to a different store, download the app and switch back, and Android users can just sideload an apk as usual. But that's enough to show how complex this is.
(Another reason I absolutely hate Apple's walled garden.)
There are even countries that MITM all HTTPS traffic, and your choices are to install the government MITM root certificates into your trust store, or not use HTTPS.
Are there? When Kazakhstan announced they were going to do this, all the major browser vendors blocked their CA... so they backed down. What other countries do this and get away with it?
Google 8.8.8.8 8.8.4.4
Control D 76.76.2.0 76.76.10.0
Quad9 9.9.9.9 149.112.112.112
OpenDNS Home 208.67.222.222 208.67.220.220
Cloudflare 1.1.1.1 1.0.0.1
AdGuard DNS 94.140.14.14 94.140.15.15
CleanBrowsing 185.228.168.9 185.228.169.9
Alternate DNS 76.76.19.19 76.223.122.150
They also block port 853 (so no DoT), and https to well-known dns servers; so you can't use DoH to google, but others may work.
If you're on a VPN they never see the traffic; you can also bypass them using a pihole with unbound to proxy DNS to a DoH server - as long as they haven't blocked it.
Ironically the corporate VPN I use also hijacks DNS (but locally only), which bypasses all the ISP issues but makes debugging work DNS problems awkward.
https://blog.mozilla.org/en/products/firefox/encrypted-hello...
> ‘You have shown determination’: Malaysian PM praises Putin, pledges closer ties (2 days ago)
reminder: https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17, 43 Malaysians killed by Putin.
https://www.thestar.com.my/tech/tech-news/2024/09/02/mcmc-ba...
I'd really be curious if said "protection" is actually real...
Between dynamic domain name generation (ala malware), and (potentially) a lack of public review... this sounds more like smoke and mirrors.
Hopefully there is a way for users to set up a VPN and get access to a better DNS server without triggering the redirect.
Malaysia has had a history of religious discrimination from both the state and citizens, despite there being a freedom to practice whatever religion you want. Their notion of religious freedom is also strange, since in order to be considered a Malay you MUST be Muslim. And Malays get all sorts of additional rights and privileges (such as affirmative action). The country also has Sharia law courts - and this is a very real problem for personal freedom, because the Sharia court prevents Muslims from converting to other religions typically, and this forces people to have secret double lives, where privacy is critical.
Restrictions on Internet access or violations of privacy/anonymity are a serious problem for those who may run into trouble due to religious discrimination built into Malaysia’s culture and law. Do not accept official explanations like protecting people from harm or stopping misinformation - control over the internet will be abused.
Strange in the current context that it's not in the Middle East but not strange when you look at the map and see that it's a straight shot for a trading ship from the Middle East a thousand years ago.
Funny enough, it wasn't a trading ship from the Middle East, but the then-Chinese empire:
https://www.scmp.com/week-asia/article/2006222/chinese-admir... (no paywall link: https://archive.ph/f8622)
Even Spain/Iberia had a huge Muslim population, until the Reconquista kingdoms committed large-scale genocide and deportations of Muslims and Jews.
And speaking of Unexpectedly Muslim, the Golden Horde (AKA Tatars), which existed in the Crimean region as one of the offshoots from Genghis Khan's conquests, was Muslim. In fact, they allied with the Mamluk kingdom of Egypt against Hulagu, leader of another Mongol horde, the Ilkhanate.
What is the state of DNS over HTTPS?
AFAIK Chrome has a hardcoded list of DNS servers which offer encrypted DNS, i.e. if your DHCP server tells your PC to use 8.8.8.8, 1.1.1.1, 9.9.9.9 (or the IPv6 equivalents), it will instead connect to the equivalent DNS-over-HTTPS endpoint for that DNS provider. This is a compromise to avoid breaking network-level DNS overrides such as filtering or split-horizon DNS. It's not limited to public DNS providers either; ISP DNS servers are in there. (I've seen Chrome connect to Comcast's DNS-over-HTTPS service when Comcast's DNS was advertised via DHCP.)
Of course, this is pretty limited. Chrome obviously can't hardcode every DNS server, and tons of networks use private IPs for DNS even though they don't do any sort of filtering / split-horizon at all. (My Eero router has a local DNS cache, so even if my ISP's DNS servers were in Google's hardcoded list, it wouldn't use DNS-over-HTTPS, because all Chrome can see is that my DNS server is 192.168.4.1.)
Firefox for sure has a "corporate" setting which guarantees that DNS queries are unencrypted, using port 53 (virtually always UDP although technically I take it TCP over port 53 is possible but a firewall only ever allowing UDP over port 53 for a browser works flawlessly).
AFAIK Chrome/Chromium also has such a setting and making sure that setting is on bypasses DoH.
I force all my browsers / wife / kid's browser to my own DNS resolver over UDP port 53 (my own DNS resolver is on my LAN but it could be on a server if I wanted to).
That DNS resolver can then, if you want, only use DoH.
To me it's the best of both worlds: "corporate" DNS setting to force UDP port 53 and then DoH from your own DNS resolver.
The benefit compared to directly using DoH from your browser is that you get to resolve to 0.0.0.0 or NX_DOMAIN a shitload of ads/telemetry/malware/porn domains.
You can also, from all your machines (but not from your DNS resolver), blocklist all the known DoH servers IPs.
It's bad enough that so many devices and applications already ignore DNS settings or hard-code IPs. I want everything going through my DNS.
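The filtering half of the setup described in this comment and in the earlier one about redirecting port 53 to your own resolver, as an added example that is not code from any commenter: it parses a raw UDP DNS query, checks the name against a blocklist (suffix-matched, so subdomains are caught), and answers blocked names locally with either a 0.0.0.0 sinkhole A record or NXDOMAIN. The blocklist names are constructed; forwarding unblocked queries upstream (over DoH, in the setup above) is out of scope and signalled by returning None.

```python
import struct

# Constructed sample blocklist (hypothetical names, not a real feed).
BLOCKLIST = {"ads.example", "telemetry.example", "malware.example"}

def encode_name(name):
    """Encode "a.b.c" as length-prefixed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(data, off):
    """Decode labels starting at off; queries carry no compression pointers."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(data[off:off + n].decode())
        off += n

def build_query(name, txid=0x1234, qtype=1):
    """Build a standard recursive A query, as a stub resolver sends to port 53."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1)

def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is listed (cdn.ads.example -> ads.example)."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def filter_query(packet, sinkhole=True):
    """Return a local reply for blocked names, or None meaning 'forward upstream'."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        return None
    qname, end = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    question = packet[12:end + 4]
    if not is_blocked(qname):
        return None
    if sinkhole and qtype == 1:
        # QR=1, RD=1, RA=1, RCODE=0; one A record (name pointer to offset 12) = 0.0.0.0
        hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(4)
        return hdr + question + rr
    # Otherwise NXDOMAIN: QR=1, RD=1, RA=1, RCODE=3, no answer section
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question

def rcode(packet):
    """Response code from the flags word (0 = NOERROR, 3 = NXDOMAIN)."""
    return struct.unpack("!H", packet[2:4])[0] & 0xF

def answer_ip(packet):
    """Dotted-quad of the A record in a single-answer reply built by filter_query."""
    return ".".join(str(b) for b in packet[-4:])
```

In the setup above this logic sits behind the port-53 redirect, so every device on the LAN gets the same answers regardless of its own resolver settings.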
nonetheless, a slippery slope
Shit, mostly it exits a country via ground stations in that country or a compatible legal jurisdiction. It's not even magically flying out of the country via satellite. + Discussions about its ability to skirt censorship in this fashion with any significant capacity sort of paint it as a bad move, maybe that starlink 2.0 nonsense.
well well well. People on HN will be surprised to know that the internet is a complete shit hole. "I thought the internet was made for the good of humanity".
It's 39% of the IPs banned by the DNSs of the ISPs of Malaysia. It's not 39% of the internet.