Alphabet's Intra App Encrypts DNS Queries To Help Users Bypass Online Censorship (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Jigsaw, a technology incubator created by Google and operated as a subsidiary under the Alphabet brand, has released today an Android app named Intra that can encrypt DNS queries as a protection against DNS manipulation at the ISP (internet service provider) level. DNS manipulation is one of the most common forms of online censorship used by oppressive regimes or unscrupulous ISPs, used to block access to news sites, information portals, social media platforms, undesirable software, and more. Intra protects against DNS manipulation by keeping DNS traffic hidden from third parties with state-level surveillance capabilities, such as internet service providers in countries with autocratic regimes. Reports suggest that Alphabet tested the app with a few dozen political activists in Venezuela before the global roll-out.
Unless you're in China (Score:5, Insightful)
Re: (Score:2)
Why do you need to install squid? Surely you can just use SSH to set up a SOCKS proxy server and then get your web browser to use that with remote DNS. No requirement for squid, and everything is tunnelled through SSH. All anyone ever sees looking at the traffic is an SSH session.
Note: if you are running the Windows 10 April 2018 update or later, you have the appropriate SSH built right into Windows. Everyone else can just install PuTTY.
Of course Linux and Mac users have this built in from the year dot.
I use i
Most of those same countries restrict or outlaw... (Score:1)
Encryption, so all this really does is raise a huge red flag when all those DNS queries start reading as gibberish.
The only real way this would work is, say, encryption plus steganography inside images sent via a regular HTTP/HTTPS service that had no reason to be blacklisted by the country's authorities. Even then, as soon as the cat is out of the bag to one official, it can be used to track down all those people who were using it there, assuming metadata collection.
Re:Most of those same countries restrict or outlaw (Score:5, Informative)
It's not encrypted data sent in regular DNS queries; it's DNS over HTTPS, like what Firefox started doing.
From a network monitoring point of view, it's regular HTTPS traffic.
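To make the point above concrete, here is an added example (not from the article, the Intra app or any commenter) that packages a DNS query the way a DoH client does per RFC 8484 and parses it back the way a port-53 observer would read a cleartext query; the resolver host and path are placeholders.

```python
import base64
import struct

# Added example: RFC 8484 DoH GET encoding of a DNS query. Inside TLS this is
# just another HTTPS request to the resolver; only a cleartext UDP/53 query
# exposes the name in a form parse_dns_question() could read off the wire.

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query: header (RD=1, one question) + QNAME/QTYPE/QCLASS.
    DoH uses txid 0 so identical queries are byte-identical and HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def doh_get_request(name: str, resolver_host: str, path: str = "/dns-query") -> str:
    """Plaintext form of the DoH GET (RFC 8484 section 4.1) that travels inside TLS.
    The DNS message is base64url-encoded without padding in the `dns` parameter.
    resolver_host is a placeholder supplied by the caller."""
    msg = build_dns_query(name)
    dns_param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={dns_param} HTTP/2\r\n"
            f"host: {resolver_host}\r\n"
            f"accept: application/dns-message\r\n\r\n")

def decode_dns_param(dns_param: str) -> bytes:
    """Inverse of the GET encoding: restore base64url padding, then decode."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))

def parse_dns_question(msg: bytes) -> dict:
    """Recover the queried name and type from a DNS message, i.e. what a
    passive port-53 observer sees when the query is NOT wrapped in HTTPS."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return {"txid": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}
```

For `www.example.com` the encoded `dns` parameter reproduces the worked example given in RFC 8484 itself, which is a handy check that the encoder is right.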
Some countries... (Score:1)
MITM all HTTPS connections using their own certificates; in that case encrypted DNS of this form would not work anyway. Other countries send connection resets or redirect to a 'banned in our country' page. This doesn't help with censorship in any of the majority of countries, and simply pushes them to tighten down, either by limiting the websites themselves or their connections to the outside world. Or the third possibility, which this helps benefit: selling more Deep Packet Inspection hardware to censoring regimes.
I thought this was a joke (Score:3, Informative)
Re: (Score:2, Informative)
It's only to funnel the traffic to THEIR encrypted DNS network so THEY can gather all the metadata, not the pesky governments (apart from a list of approved governments who get their share, of course).
Re: (Score:2)
It's almost like your model of treating a vast multi-faceted company like Alphabet/Google as a single monolithic block with entirely consistent behaviour and morals is somehow flawed.
Pretty cool. now you can do (Score:2)
TCP/IP and UDP through a DNS tunnel using HTTPS.
Thanks Jigsaw.
Does this work though? (Score:2)
> DoH keeps third-party observers from knowing what websites a user is trying to access.
But isn't this information normally exposed by the TLS SNI extension anyway? You'd probably need to run a VPN to escape this particular risk.
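The SNI leak the comment refers to, as an added example that is not part of the thread: build a minimal TLS ClientHello carrying a server_name extension, then parse the hostname back out the way a passive network monitor would. The random bytes, cipher list and hostname are constructed placeholders.

```python
import struct

# Added example: why DoH alone does not hide the destination hostname. The TLS
# ClientHello that follows the (now hidden) DNS lookup still carries the name
# in cleartext in the server_name extension (type 0), until ECH is deployed.

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record with one SNI entry.
    Random, session id and cipher list are constructed filler values."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry         # server_name_list
    extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext      # ext type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                  # client_version, random
            + b"\x00"                                               # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if it is not a
    ClientHello or carries no server_name extension (what a monitor would log)."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    off = 9 + 2 + 32                                      # record+handshake hdrs, version, random
    off += 1 + record[off]                                # session id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]   # cipher suites
    off += 1 + record[off]                                # compression methods
    if off + 2 > len(record):
        return None                                       # no extensions block
    ext_end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if etype == 0:                                    # server_name
            pos = off + 2                                 # skip server_name_list length
            while pos + 3 <= off + elen:
                ntype = record[pos]
                nlen = struct.unpack("!H", record[pos + 1:pos + 3])[0]
                if ntype == 0:
                    return record[pos + 3:pos + 3 + nlen].decode("ascii")
                pos += 3 + nlen
        off += elen
    return None
```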
How naive can you be? (Score:1)
This is stupid, because the second you connect in any way to the target IP address, that's recorded, and it really doesn't matter what your DNS query was.
Even if your target is a computer that hosts multiple domain names, it's decrypted anyhow, by the DNS service.
You don't have any privacy, and Alphabet is named aptly - Alphabet agency, they work for the intelligence agencies, and they have shown, REPEATEDLY, they will gladly engage in censorship.
Google Tracking (Score:3)
Re: (Score:3)
So it's not enough that Google tracks you via web browsing, Android phones, search queries, gmail, etc. Now they want you to use their DNS so they can track EVERY connection you make over the Internet, regardless of whether it originates from one of their products.
To be fair, unless you're running your own DNS server, someone is already processing, and probably tracking, all your DNS requests, be it Google, Cloudflare (another thing to disable in Firefox - thanks Mozilla), your ISP, etc ... depending on your network settings. I currently use my ISP (Cox) as my primary DNS resolver with Google's 8.8.8.8 as my secondary. I'm sure Cox logs and retains stuff (some of it as the law requires). Granted, using Google as your DNS resolver would give them *another* data set
Re:Google Tracking (Score:4, Interesting)
> To be fair, unless you're running your own DNS server, someone is already processing, and probably tracking, all your DNS requests, be it Google, Cloudflare (another thing to disable in Firefox - thanks Mozilla), your ISP, etc ...
This is NOT a fair comparison.
Your ISP already knows the destination of every IP packet you send out; using the ISP's DNS only provides a little bit more information (the hostname you used) to them.
Most ISPs do not have the analytics capabilities of Google, nor would most ISPs correlate your internet activities across all your devices, INCLUDING THOSE NOT USING YOUR ISP'S LINK, such as your mobile phone.
Claiming "someone" will get the data anyway is obscuring the fact that Alphabet's main business is as a data broker. My data scattered around 10 different companies gives me better privacy than having the same data collected by Google.
Re: (Score:2)
These days a lot of sites share an IP address via services like Cloudflare that offer caching and load balancing. So IP addresses alone aren't nearly as useful as seeing the hostname in the DNS query.
Google claims that it doesn't log DNS requests. Legally it isn't required to do so in some jurisdictions, because the relevant laws only apply to ISPs. Same situation for VPN providers. I suppose that being evil they must be lying, but at least in theory they are able to offer greater privacy than your ISP who
Re: (Score:3)
No actually, they let you freely configure the DNS server of your choice. It seems to come with Google and Cloudflare pre-configured but there is an option to enter any server you like.
There is actually a screenshot of the configuration screen showing this in TFA.
At least you can change DNS Servers (Score:4, Interesting)
From the article:
"Intra is easy to install and run right away, and comes pre-configured to funnel encrypted DNS queries to Google's DoH-capable DNS servers by default. Users can also switch to Cloudflare's DNS system, or use a custom DoH-capable server as well."
Though only two browsers support this, so I don't know why you would use it. Just use a VPN and everything from every app would be hidden.
Re: (Score:1)
Yes, you can change it, but such is the power of the default that most will not. Source: https://en.wikipedia.org/wiki/Default_effect
Re: (Score:2)
VPNs are banned or blocked in some places. It's much harder to block HTTPS connections because that would break most web sites.
It is possible to exploit this fact to use Tor in places where it is blocked, like China. Route your data through an HTTPS connection to the Microsoft or Amazon cloud that is used by vast numbers of other sites and thus difficult to block entirely. Being cloud services the IP addresses rotate and change regularly.
Re: (Score:2)
DNS manipulation has also been used against prostitution websites, such as "backpage.com", and the command-and-control services of botnets. Monitoring of DNS queries has long been a security problem. There's a good summary of the problem at https://ieeexplore.ieee.org/do...
Confirmed, doesn't work in China (Score:2)
What a waste...
Uh (Score:2)
Google?
You mean the ones who disappear content they don't like?