Why DNS over TLS is so important, and if you are not using it you should be

[JWoo]

I picked up an Asus GS-AX3000 (same HW as RT-AX58U) running stock Asus firmware 3.0.0.4.386.43588 as they are really a great value right now and heavily discounted. The stock firmware does not support DNS over TLS unfortunately. I hope @GNUton will support the GS-AX3000 as part of extending Merlin to even more deserving routers.

Back to Earth, it appears that Comcast is hijacking DNS queries and redirecting them to their own DNS servers. I know they do that when you have their Comcast gateway, but I am using my own cable modem and router. Really maddening and it is hard to believe this is legal. @RMerlin a shout out for you including Stubby! You are an IT guy, are you seeing other ISPs doing this too?

1) Test case 1 using Asus GS-AX3000 with stock firmware

DNS set to Google

Yet Comcast is able to hijack the DNS queries as they are unencrypted and redirect to their own servers:

2) Test case 2 my old RT-AX56U running Merlin and set up with DNS over TLS in WAN settings

A mix of Cloudfare and Quad9 (aka WoodyNet) like a good stew:

Comcast cannot penetrate the encrypted DNS over TLS.... We call DoT the Comcast neuterer:

 

[dave14305]

I’ve been with Comcast for long time and I use Quad9 over regular 53/udp. I’ve never seen it hijacked. YMMV.

 

[Tech9]

No DNS hijacking observed on any of the ISPs I currently use or have used here in Canada. And Stubby has some issues.

 

[RMerlin]

I picked up an Asus GS-AX3000 (same HW as RT-AX58U) running stock Asus firmware 3.0.0.4.386.43588 as they are really a great value right now and heavily discounted. The stock firmware does not support DNS over TLS unfortunately.

Asus only added it recently, so there's a good chance that model will also get it once they release a newer firmware.

@RMerlin a shout out for you including Stubby! You are an IT guy, are you seeing other ISPs doing this too?

None of the local ISPs does this AFAIK.

 

[JWoo]

Thanks Merlin. You are in Canada if I remember correctly and I believe you have net neutrality. In the US, our FCC took away net neutrality in 2020, and in its place we have a 2021 executive order now suggesting the FCC put net neutrality back. Some states enacted their own net neutrality laws.

For disbelievers, ask yourself why would Comcast want to intercept my DNS queries? Well Comcast in addition to being an ISP owns NBC news, NBC sports and Peacock entertainment. Comcast can find out from my DNS queries which of their competitors I am using for these streaming services and target ads and communications to me based on that.. And yes they can throttle or slow down their competitors' streaming services which at least when I stream CBS it does seem like Comcast is throttling them.

 

[Tech9]

Comcast can find out from my DNS queries which of their competitors I am using for these streaming services

They don't need your DNS queries for that, especially for streaming services.

 

[JWoo]

I’ve been with Comcast for long time and I use Quad9 over regular 53/udp. I’ve never seen it hijacked. YMMV.

I am using DNS leak test https://www.dnsleaktest.com/ to test this. I was also surprised.

 

[JWoo]

They don't need your DNS queries for that, especially for streaming services.

They don't "need" the DNS queries but the domain name server is the most efficient place in the network to aggregate data and do analysis. That is the reason also why most government agencies use the domain name server for investigations of unlawful Internet activities. Looking at millions of TCP or UDP packets would not be an efficient way of figuring out what someone is doing.

 

[Tech9]

Looking at millions of TCP or UDP packets would not be an efficient way of figuring out what someone is doing.

They don't need to look at packets very closely. The ISP knows at any moment what places you connect to. Your browsing history can be recreated with very high accuracy. I used to work on a project with this subject. Streaming services? Instantly! You can run, but you can't hide.

 

[dave14305]

I am using DNS leak test https://www.dnsleaktest.com/ to test this. I was also surprised.

What leak test results do you get if you revert to 75.75.75.75? Same or different? Maybe Google dns anycast is using a Comcast network behind the scenes in your area.

 

[JWoo]

Comcast is using, among others, Cisco ASR 9000 and Juniper T Series Core routers. They are not saving every packet. Way too much data. Their surveillance functions are only used with legal court orders or for troubleshooting a specific technical problem. With a commercial domain name server, companies like Google and Cloudfare flush the data every 24 - 48 hours, both to protect user privacy and practically because a DNS otherwise would be collecting a ridiculous amount of data and they'd have to pay for the storage. A handful of companies, AT&T comes to mind immediately, save months of DNS data. Take care!

 

[tgl]

So ... to protect your privacy, instead of letting Comcast handle your DNS lookups you are going to let Google do it. This does not compute.

If you're actually serious about this, seems like you'd need to run your own in-house caching DNS server and make sure it's configured to use DNS-over-TLS whenever possible while fetching from domains' authoritative servers. That's not actually particularly hard, as long as you've got an always-on server or two that you can rely on for it.

 

[JWoo]

What leak test results do you get if you revert to 75.75.75.75? Same or different? Maybe Google dns anycast is using a Comcast network behind the scenes in your area.

Will try Comcast 75.75.75.75. It could happen, but Comcast + Google doesn't seem like a marriage made in heaven. Comcast has in the last couple of years taken a really hard line that if you have a Comcast gateway you cannot use anything but Comcast DNS. So even though I use my own cable modem + router, I am not surprised to see them hijack the DNS messages.

 

[JWoo]

So ... to protect your privacy, instead of letting Comcast handle your DNS lookups you are going to let Google do it. This does not compute.

If you're actually serious about this, seems like you'd need to run your own in-house caching DNS server and make sure it's configured to use DNS-over-TLS whenever possible while fetching from domains' authoritative servers. That's not actually particularly hard, as long as you've got an always-on server or two that you can rely on for it.

With DNS over TLS, I have mostly used Cloudfare and Quad9 as in the example in this thread. Without DNS encryption, I have used Google. Google has a completely different data policy than the telecoms. Google flushes the DNS every 24-48 hours. And Google has fought in the courts very hard to only turn over DNS data when required by law. As in my other post, a lot of the traditional telecom and datacom providers hold DNS data for months. Outside of this forum, there are lots of posts about AT&T hijacking DNS queries on port 53 also.

 

[Tech9]

a lot of the traditional telecom and datacom providers hold DNS data for months.

This is correct. As far as I know, 180 days in Canada by law. It doesn't say DNS data though. Can be something else as well.

 

[tgl]

With DNS over TLS, I have mostly used Cloudfare and Quad9 as in the example in this thread. Without DNS encryption, I have used Google. Google has a completely different data policy than the telecoms. Google flushes the DNS every 24-48 hours. And Google has fought in the courts very hard to only turn over DNS data when required by law. As in my other post, a lot of the traditional telecom and datacom providers hold DNS data for months. Outside of this forum, there are lots of posts about AT&T hijacking DNS queries on port 53 also.

lf what you are worried about is whether your DNS provider keeps records that could be obtained by law enforcement via court order, that's a completely different fear than what I understood from upthread. You said you were worried about the DNS provider doing their own data analysis/aggregation with the intent of marketing to you. If you think Google doesn't do that with DNS data, I've got bad news for you. They don't run a huge DNS server farm just because they want to be community benefactors. They do it to collect data. I don't believe Cloudflare's motives are any purer, either, though their method for monetizing their effort is probably different.

 

[RMerlin]

One potential reason for an ISP to want to intercept DNS queries is to redirect you to caching servers within their network for certain services like Netflix or Youtube. There are better ways to do that (through EDNS extensions and partnering with those providers), but that's one lazy way to do it.

Some providers also want to provide you with a generic error page when querying for a non-existent domain, so they want to point you to an internal server rather than the client getting an NXDOMAIN response. Yes, it's a completely stupid idea that breaks a lot of things such as spam control for mail servers, but quite a few ISPs experimented with that over the years.

Logging queries is unlikely to be a reason tho. They only need to monitor port 53 traffic to do that.

 

[Tech9]

Some providers also want to provide you with a generic error page

I've seen that, but only with Auto DNS configuration. No DNS interception and redirection, if custom DNS is used. I believe on Bell network.

 

[RMerlin]

I've seen that, but only with Auto DNS configuration. No DNS interception and redirection, if custom DNS is used. I believe on Bell network.

True. But some ISPs are stupider than others, and they might want to force you through their bastardized own servers

 

[JWoo]

lf what you are worried about is whether your DNS provider keeps records that could be obtained by law enforcement via court order, that's a completely different fear than what I understood from upthread. You said you were worried about the DNS provider doing their own data analysis/aggregation with the intent of marketing to you. If you think Google doesn't do that with DNS data, I've got bad news for you. They don't run a huge DNS server farm just because they want to be community benefactors. They do it to collect data. I don't believe Cloudflare's motives are any purer, either, though their method for monetizing their effort is probably different.

Thanks for your post. Totally agree that monetization of things that we don't pay for is gonna happen. The only point I was making about data collection is that players like Google Quad9 and Cloudfare are very specific about how long they keep DNS logs and what they do with it. Cloudfare is definitely one of the better players at the moment: "Our 1.1.1.1 resolver service does not log personal information, and the bulk of the limited non-personally identifiable query data is only stored for 25 hours." Google replaces your IP address with a location or region to anonymize it and sell it; raw DNS queries are kept for 24 - 48 hours with Google. Quad9 claims not to store any identifiable data. Comcast has a lengthy DNS policy stating they do not use DNS data for marketing, but they oddly hijack port 53 anyway? This is my last post on this topic. Appreciate all the perspectives.