Slashdot Mirror

← Back to Stories (view on slashdot.org)

Alphabet's Intra App Encrypts DNS Queries To Help Users Bypass Online Censorship (zdnet.com)

Posted by msmash on from the how-about-that dept.

Catalin Cimpanu, writing for ZDNet: Jigsaw, a technology incubator created by Google and operated as a subsidiary under the Alphabet brand, has released today an Android app named Intra that can encrypt DNS queries as a protection against DNS manipulation at the ISP (internet service provider) level. DNS manipulation is one of the most common forms of online censorship used by oppressive regimes or unscrupulous ISPs, used to block access to news sites, information portals, social media platforms, undesirable software, and more. Intra protects against DNS manipulation by keeping DNS traffic hidden from third-parties with state-level surveillance capabilities, such as internet service providers in countries with autocratic regimes. Reports suggest that Alphabet tested the app with a few dozen political activists in Venezuela before the global roll-out.

27 of 65 comments (clear)

  1. Unless you're in China by Anonymous Coward · · Score: 5, Insightful

    Where your DNS queries will be logged by Alphabet and turned over to the proper authorities for consideration, comrade.

  2. Most of those same countries restrict or outlaw... by Anonymous Coward · · Score: 1

    Encryption, so all this really does is raise a huge red flag when all those dns queries start reading as gibberish.

    The only real way this would work is say encryption+steganography inside of images sent via a regular http/https service that had no reason to be blacklisted by the country's authorities. Even then, as soon as the cat is out of the bag to one official it can be used to track down all those people who were using it there, assuming metadata collection.

  3. I thought this was a joke by CranberryKing · · Score: 3, Informative

    at first. Google? Fighting Censorship? Give us a break.

    1. Re:I thought this was a joke by Anonymous Coward · · Score: 2, Informative

      It's only to funnel the traffic to THEIR encrypted DNS network so THEY can gather all the metadata not the pesky governments (apart from a list of approved governments who get their share of course).

    2. Re:I thought this was a joke by CranberryKing · · Score: 1

      Yet they'll build a censored search engine for China's Communist Party.

    3. Re:I thought this was a joke by AmiMoJo · · Score: 1

      It's almost like your model of treating a vast multi-faceted company like Alphabet/Google as a single monolithic block with entirely consistent behaviour and morals is somehow flawed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Re:Most of those same countries restrict or outlaw by viperidaenz · · Score: 4, Informative

    It's not encrypted data sent in regular DNS queries, it's DNS over HTTPS. Like what Firefox started doing.
    From a network monitoring point of view, it's regular HTTPS traffic.

  5. Pretty cool. now you can do by bobstreo · · Score: 1

    TCP/IP and UDP through a DNS tunnel using HTTPS.

    Thanks Jigsaw.

    1. Re:Pretty cool. now you can do by claude+j+greengrass · · Score: 1

      Please sir! Can I have one for my Chromebook?

  6. Some countries... by Anonymous Coward · · Score: 1

    MITM all https connections using their own certificates, in that case encrypted dns of this form would not work anyways. Other countries connection reset or redirect to a 'banned in our country' page. This doesn't help censorship in any of the majority countries, and simply pushes them to tighten down, either by limiting the websites themselves, or their connections to the outside world. Or the third possibility, which this helps benefit: selling more Deep Packet Inspection hardware to censoring regimes.

  7. Does this work though? by DigitAl56K · · Score: 1

    > DoH keeps third-party observers from knowing what websites a user is trying to access.

    But isn't this information normally exposed by the TLS SNI extension anyway? You'd probably need to run a VPN to escape this particular risk.

  8. How naive can you be? by Anonymous Coward · · Score: 1

    This is stupid, because the second you connect in any way to the target IP address, that's recorded, and it really doesn't matter what your DNS query was.

    Even if your target is a computer that hosts multiple domain names, it's decrypted anyhow, by the DNS service.

    You don't have any privacy, and Alphabet is named aptly - Alphabet agency, they work for the intelligence agencies, and they have shown, REPEATEDLY, they will gladly engage in censorship.

    1. Re:How naive can you be? by claude+j+greengrass · · Score: 1

      The encryption of DNS insures your ISP cannot utilize a MITM attack on your DNS query. Privacy isn't being addressed here. It's a security issue

  9. Google Tracking by nuckfuts · · Score: 2

    So it's not enough that Google tracks you via web browsing, Android phones, search queries, gmail, etc. Now they want you to use their DNS so they can track EVERY connection you make over the Internet, regardless of whether it originates from one of their products.

    1. Re:Google Tracking by fahrbot-bot · · Score: 2

      So it's not enough that Google tracks you via web browsing, Android phones, search queries, gmail, etc. Now they want you to use their DNS so they can track EVERY connection you make over the Internet, regardless of whether it originates from one of their products.

      To be fair, unless you're running your own DNS server, someone is already processing, and probably tracking, all your DNS requests, be it Google, Cloudflare (another thing to disable in Firefox - thanks Mozilla), your ISP, etc ... depending on your network settings. I currently use my ISP (Cox) as my primary DNS resolver with Google's 8.8.8.8 as my secondary. I'm sure Cox logs and retains stuff (some of it as the law requires). Granted, using Google as your DNS resolver would give them *another* data set to track you with.

      --
      It must have been something you assimilated. . . .
    2. Re:Google Tracking by khchung · · Score: 3, Interesting

      To be fair, unless you're running your own DNS server, someone is already processing, and probably tracking, all your DNS requests, be it Google, Cloudflare (another thing to disable in Firefox - thanks Mozilla), your ISP, etc ...

      This is NOT a fair comparison.

      Your ISP already knows the destination of every IP packet you sent out, using the ISP's DNS only provide a little bit more information (the hostname you used) to them.

      Most ISP do not have the analytics capabilities of Google, nor would most ISP correlation your internet activities across all your devices, INCLUDING THOSE NOT USING YOUR ISP'S LINK, such as your mobile phone.

      Claiming "someone" will get the data anyway is obscuring the fact that Alphabet's main business as a data broker. My data scattered around 10 different companies gave me better privacy than having the same data collected by Google.

      --
      Oliver.
    3. Re:Google Tracking by AmiMoJo · · Score: 2

      No actually, they let you freely configure the DNS server of your choice. It seems to come with Google and Cloudflare pre-configured but there is an option to enter any server you like.

      There is actually a screenshot of the configuration screen showing this in TFA.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Google Tracking by AmiMoJo · · Score: 1

      These days a lot of sites share an IP address via services like Cloudflare that offer caching and load balancing. So IP addresses alone aren't nearly as useful as seeing the hostname in the DNS query.

      Google claims that it doesn't log DNS requests. Legally it isn't required to do so in some jurisdictions, because the relevant laws only apply to ISPs. Same situation for VPN providers. I suppose that being evil they must be lying, but at least in theory they are able to offer greater privacy than your ISP who is legally required to log.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Google Tracking by nuckfuts · · Score: 1

      Just because they allow you to opt out doesn't mean they don't use it for tracking if you DO use their servers.

  10. At least you can change DNS Servers by CanadianMacFan · · Score: 3, Interesting

    From the article:

    "Intra is easy to install and run right away, and comes pre-configured to funnel encrypted DNS queries to Google's DoH-capable DNS servers by default. Users can also switch to Cloudflare's DNS system, or use a custom DoH-capable server as well."

    Though only two browsers support this so I don't know why you would use it. Just use a VPN and everything from every app would be hidden.

    1. Re:At least you can change DNS Servers by Anonymous Coward · · Score: 1

      Yes, you can change it, but such is the power of the default that most will not. Source: https://en.wikipedia.org/wiki/Default_effect

    2. Re:At least you can change DNS Servers by AmiMoJo · · Score: 1

      VPNs are banned or blocked in some places. It's much harder to block HTTPS connections because that would break most web sites.

      It is possible to exploit this fact to use Tor in places where it is blocked, like China. Route your data through an HTTPS connection to the Microsoft or Amazon cloud that is used by vast numbers of other sites and thus difficult to block entirely. Being cloud services the IP addresses rotate and change regularly.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Not just autocracies by jouassou · · Score: 1

    DNS manipulation is one of the most common forms of online censorship used by oppressive regimes or unscrupulous ISPs, used to block access to news sites, information portals, social media platforms, undesirable software, and more.

    It's not just stereotypical "oppressive regimes or unscrupulous ISPs" that do this. It's also commonly used to block sites like thepiratebay.

    1. Re:Not just autocracies by Antique+Geekmeister · · Score: 1

      DNS manipulation has also been used against prostitution websites, such as "packpage.com", and the command-and-control services of botnets. Monitoring of DNS queries has long been a security problem. There's is good summary of the problem at https://ieeexplore.ieee.org/do...

  12. Confirmed, doesn't work in China by Nocturrne · · Score: 1

    What a waste...

  13. Re: Can someone can open-source that app, please? by jabuzz · · Score: 1

    Why do you need to install squid? Surely you can just use SSH to setup a SOCKS proxy server and then get your web browser to use that with remote DNS. No requirement for squid and everything is tunnelled through SSH. All anyone ever sees looking at the traffic is an SSH session.

    Note if you are running Windows 10 April 2018 update or later you will have the appropriate SSH built right into Windows. Everyone else can just install putty.

    Of course Linux and Mac users have this built in from the year dot.

    I use it all the time for remote admin, better than a VPN because I don't have to set up a VPN server.

  14. Uh by cascadingstylesheet · · Score: 1

    Google?

    You mean the one's who disappear content they don't like?