Alphabet's Intra App Encrypts DNS Queries To Help Users Bypass Online Censorship (zdnet.com)
Catalin Cimpanu, writing for ZDNet: Jigsaw, a technology incubator created by Google and operated as a subsidiary under the Alphabet brand, has released today an Android app named Intra that can encrypt DNS queries as a protection against DNS manipulation at the ISP (internet service provider) level. DNS manipulation is one of the most common forms of online censorship used by oppressive regimes or unscrupulous ISPs, used to block access to news sites, information portals, social media platforms, undesirable software, and more. Intra protects against DNS manipulation by keeping DNS traffic hidden from third parties with state-level surveillance capabilities, such as internet service providers in countries with autocratic regimes. Reports suggest that Alphabet tested the app with a few dozen political activists in Venezuela before the global roll-out.
Where your DNS queries will be logged by Alphabet and turned over to the proper authorities for consideration, comrade.
n/t
Encryption, so all this really does is raise a huge red flag when all those dns queries start reading as gibberish.
The only real way this would work is say encryption+steganography inside of images sent via a regular http/https service that had no reason to be blacklisted by the country's authorities. Even then, as soon as the cat is out of the bag to one official it can be used to track down all those people who were using it there, assuming metadata collection.
That's why you kill all rats. Snitches don't deserve sympathy.
at first. Google? Fighting Censorship? Give us a break.
It's not encrypted data sent in regular DNS queries, it's DNS over HTTPS. Like what Firefox started doing.
From a network monitoring point of view, it's regular HTTPS traffic.
TCP/IP and UDP through a DNS tunnel using HTTPS.
Thanks Jigsaw.
MITM all https connections using their own certificates, in that case encrypted dns of this form would not work anyways. Other countries connection reset or redirect to a 'banned in our country' page. This doesn't help censorship in any of the majority countries, and simply pushes them to tighten down, either by limiting the websites themselves, or their connections to the outside world. Or the third possibility, which this helps benefit: selling more Deep Packet Inspection hardware to censoring regimes.
> DoH keeps third-party observers from knowing what websites a user is trying to access.
But isn't this information normally exposed by the TLS SNI extension anyway? You'd probably need to run a VPN to escape this particular risk.
Encrypt all the packets.
This is stupid, because the second you connect in any way to the target IP address, that's recorded, and it really doesn't matter what your DNS query was.
Even if your target is a computer that hosts multiple domain names, it's decrypted anyhow, by the DNS service.
You don't have any privacy, and Alphabet is named aptly - Alphabet agency, they work for the intelligence agencies, and they have shown, REPEATEDLY, they will gladly engage in censorship.
I've started writing a separate dns service which can stream dns over your choice of medium, even as a downloadable 2.5gb file for every zone you can cache on your laptop.
So it's not enough that Google tracks you via web browsing, Android phones, search queries, gmail, etc. Now they want you to use their DNS so they can track EVERY connection you make over the Internet, regardless of whether it originates from one of their products.
I do that avoiding dns tracking/redirect/down via hosts files (where I keep my favorite 90 sites @ the TOP of hosts cached locally in RAM by the kernelmode diskcaching subsystem accessed by the kernelmode IP stack - most cpu priority/fastest possible way). Hardcodes allow you to remain safe (per my subject) vs. DNS requestlog tracking, DNS being REDIRECT POISONED (Kaminsky flaw MOST ISP dns are STILL NOT PATCHED vs.), OR dns down.
* It's SO effective even CHINA copied this from me (I did it 1st & ONLY hosts program that does) &?
Who did it 1st: China or me??
I did - dates are my proof http://theregister.co.uk/2017/... w/ the FACT China rampantly STEALS U.S. Intellectual properties & military secrets!
APK
P.S.=> * IMITATION truly IS the SINCEREST FORM of FLATTERY!!!... apk
So what's the difference between this and Stunnel?
This problem has already been solved and those solutions are out there, today, in the wild.
Whoever invested in this “startup” didn’t do their due diligence.
From the article:
"Intra is easy to install and run right away, and comes pre-configured to funnel encrypted DNS queries to Google's DoH-capable DNS servers by default. Users can also switch to Cloudflare's DNS system, or use a custom DoH-capable server as well."
Though only two browsers support this so I don't know why you would use it. Just use a VPN and everything from every app would be hidden.
> DNS manipulation is one of the most common forms of online censorship used by oppressive regimes or unscrupulous ISPs, used to block access to news sites, information portals, social media platforms, undesirable software, and more.
It's not just stereotypical "oppressive regimes or unscrupulous ISPs" that do this. It's also commonly used to block sites like thepiratebay.
If I can get the source of that app I can perhaps make a Windoze program (for both desktop and mobile) to help those users living in China, and in other oppressive countries!
What a waste...
Google?
You mean the ones who disappear content they don't like?
Never trust Alexander Peter Kowalski's lies.
Like how he claims the Chinese copied him but can't produce any evidence.
How about when he states that hosts does port filtering but again can't back up his statement which was shown to be false.
There is also his list of "experts" who support him but it turns out they don't say what he is claiming.
This also ignores his out of context quotes he uses to lie by omission.
The problem with APK is that his entire reputation is built upon the lie he told years ago that hosts is an effective security solution. It has been exposed numerous times as being a lie and when exposed APK fails to argue logically and instead will try to deflect criticism, change the subject, move the goal posts, return to a previously disproved statement, demand you prove you did better than his file concatenator, or just call people names. He will continue to lie by stating that he won or "dusted" you while failing to refute anything you said, will never provide real evidence, and generally try to dodge the issue.
Face it, APK is one of the most detested individuals here for good reason. Whenever his poor behavior, awful logic, overstatements, and horrendous writing are called out he has a fit and has done so for years across the internet. He is a spammer, and is an abusive insecure little man who is washed up and never amounted to anything. Until he produces actual verifiable facts supporting his case, which he can't, nothing he says should be taken seriously. Because he can't actually refute anything he will now repeat all of his previously disproved lies because he is a retarded loser. By doing so he will prove this for all to see.
See subject & 3 questions you won't answer: 1.) Do hosts stop threats served by hostname (the way threats are done most) by blocking them? Yes. 2.) Do hosts speed you up 2 ways in adblocking (preventing more infection/tracking/slowdown) & via hardcoded favorite sites resolving faster + protecting vs. dns down or redirect poisoned? Yes.
My hosts program's the only 1 that does the latter @ TOP of hosts cached in RAM (for best performance) & only 1 of its kind on Linux/BSD in easy to use flexible configuration GUI form.
(I also did that latter part LONG before the Chinese & 1st http://theregister.co.uk/2017/... )
APK
P.S.-> Lastly: 3.) Have you done work that's that effective doing more for less faster in kernelmode speed w/ less complexity for exploit + excess overheads vs. solutions KNOWN to be security-issue riddled (like addons (souled-out to NOT work by default OR easily detected & blocked that are BYPASSABLE & EXPLOITABLE), DNS & Antivirus)? No... apk
"classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER
ZD NET http://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/ "Hosts files really shine by letting you block ads, spyware sites, malware sites, & tracking sites"
SANS ("A related approach to the DNS issue is to create a hosts file on each system that sends requests for spyware to some place else" hosts by myself & RAMU right @ START of "malware explosion" mid 2005 on) https://isc.sans.edu/forums/di...
Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/
Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/
Spybot S&D uses hosts.
APK
P.S.=> Malwarebytes' hpHosts hosts & RECOMMENDS my program http://forum.hosts-file.net/vi...
"It's working: Neville... it's working!" See subject & results from the past month https://it.slashdot.org/commen... & https://it.slashdot.org/commen... + https://it.slashdot.org/commen... + https://it.slashdot.org/commen... https://it.slashdot.org/commen... that's only recently while I've been on Linux (few months now only) & 100's of times vs. MANY other botnets/malwares etc. in the past circa 2006-early 2018 while I was on Windows: CONCRETE VISIBLE UNDENIABLE REALITY (see those links as proof).
P.S.=> ... & that's ONLY what /. reported on (there are FAR more)... apk
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* SEE SUBJECT & TELL US: How does EATING YOUR WORDS taste?
APK
P.S.=> You're already VASTLY OUTNUMBERED but many more are coming
Apk has the answer for that - really... kill automatic updates by adding a hosts file entry setting updates.steam.com or whatever to 127.0.0.1. You have to find the right hostname for each software you want to block updates on by raymorris (2726007) on Friday July 06, 2018
APK your posts on this and the hosts file posts, and more, have never been in error and/or bad advice by BlueStrat (756137) on Wednesday June 21, 2017
I support APK's stand on the hosts file and can't see why it's not used more than it is. My hosts file is 144247 lines long (4,332 Kb) it & a firewall serves me very well - by Trax3001BBS (2368736)
ABP is insufficient as a solid hosts file does everything APK reminds us about fast turtle September 17 2013
You need APK's hosts file - by Teun (17872) on Wednesday August 06, 2014
APK
P.S.=> You EATING YOUR WORDS != GOOD NUTRITION... apk
Actually, APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context. Of course, your phone has to be rooted, which isn't the case with Firefox + adblock. - by chihowa on Saturday May 16, 2015
APK solution STILL relevant Thud457 June 11 2015
In a footnote, I would like to note that I find your hosts file admirable - by vel-ex-tech (4337079) on Tuesday November 24, 2015
APK's monolithic hosts file is looking pretty good at the moment - by Culture20 on Thursday November 17
you're right about hosts files - by drinkypoo (153816) on Thursday May 26
APK, I know people give you a lot of shit regarding hosts, but please don't ever stop - by nasredin (958927) on Friday June 12, 2015 @03:34PM
APK
P.S.=> Are you ENJOYING the taste of EATING YOUR WORDS yet?... apk
APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works. - by bmo (77928) on Thursday October 15, 2015
get around to 'installing' a hosts file list, not sure which one, likely the one from someonewhocares.org. If it works as well as what I used for a while about ten years ago, I'll be happy. And grateful to APK for the lesson and the reminder. - by kermidge (2221646) on Wednesday March 27
I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster. - by gl4ss (559668) on Thursday November 17
dammit MS, you proved APK right about something by lgw
APK
P.S.=> Your words YOU'RE EATING: You choking on them yet?... apk
(APK) is still right a hosts file really does work. It even blocked some of the video ads that were inserted into a stream OrangeTide February 10 2016
the Host File Engine performs exactly as promised - by mmell (832646) on Thursday February 16, 2017
I do use APK's host file on all my systems at home by OrangeTide December 01 2017
I've never tried to belittle (APK's work), I've flat out said it's good - by BronsCon (927697) on Thursday February 11, 2016 @06:48PM (#51491263)
APK
P.S.=> You still haven't said how EATING YOUR WORDS tastes? apk
I say the following as a caring human being who agrees with how useful HOSTS files are: Your zeal is to be respected - by dave420 (699308) on Monday September 08, 2014
But I love APK! The power of the hostfile compels you! by ratboy666 (104074) on Friday January 29, 2016
APK was right all along! C:\WINDOWS\HOSTS is the solution ;) - by sabri (584428) on Friday October 21, 2016
No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free. - by aaaaaaargh! (1150173) on Tuesday November 17, 2015
I'm a fan of apk. Yes he trolls, but he only trolls where it's contextually appropriate. I respect that - by Noah Haders (3621429) on Wednesday July 29, 2015
APK
P.S.=> YOU'RE OUTNUMBERED DOZENS TO 1 - toss on 100,000++ users of my program worldwide too & SEE SUBJECT: JUST FOR "GOOD MEASURE"... apk
Arstechnica = losers who stalked me (as you do now anonymously unidentifiably) to NTCompatible.com & Windows IT Pro magazine forums to their public dismay in Jeremy Reimer & Jay Little + Jarrett DeAngelis (who posts here on /. until I drove his ass off too) when their websites were REMOVED by their hosting providers in Shaw Canada & CrystalTech (for both email harassing me caught on a tracking ticket + stalking me & posting lies about me on them).
Right AFTER I destroyed them both PUBLICLY @ Windows IT Pro on Exchange Servers memory being freed UNHALTING them (which tells you Exchange is HEAVILY POINTER ORIENTED linked list driven, which leads to memory fragmentation that CAN halt a serverware).
Jay Little the "self-proclaimed 'EXCHANGE EXPERT'" HAD TO CONCEDE IT from MICROSOFT'S OWN DOCUMENTATION proving it FOR me there (where they as usual stalked me AS YOU ARE NOW)
Peter Bright/Dr. Pizza (alias GOITERMAN, lol) can tell you what happened to his IRC server after that (lol).
"The great arseHOLEtechnica" (not) RUN OUT of their own server chatrooms hahaha (by "yours truly").
In effete retaliation they edited my posts & impersonated me on their little private playpen of UNDERACHIEVER losers.
APK
P.S.=> ABOVE ALL ELSE: Thanks for outing yourself as 1 of the "few, the defeated" from arseHOLEtechnica - always a pleasure exposing your lame asses (that are nothing more than do-NOTHING "ne'er-do-wells" THAT CAN'T STAND THEMSELVES for it (lol, no shit) & that you are REDUCED to STALKING ME by UNIDENTIFIABLE anonymous too... lmao!)... apk
Ask him WHY his false accusation of an old ware of mine was 1st taken down to NO threat & CA sold off the SHITTY antivir he sold (as a paid pawn of theirs) & they are GONE, done. dead... lol!
Lookup "CA Accounting Scandal" on Google - scumbags & THEIR BIRDS OF A FEATHER just go down vs. me everytime!
APK
P.S.=> He's a FAT lying LOSER from podunk idaho... apk