Enhancing User Privacy and Access in Russia: A Call for DoH Activation

[Alexey Balyberdin]

Dear Chromium Development Team,

In light of recent geopolitical events and escalating digital censorship within Russia, I urge the consideration of enabling DNS-over-HTTPS (DoH) by default for Russian users, through the simple activation: bool allow_dns_over_https_upgrade = true; as per the setting in Chromium's codebase.

This proposal is driven by several critical factors:

1. War and Propaganda: The Putin regime's ongoing war in Ukraine and the subsequent propagation of state censorship and disinformation campaigns underscore the urgent need for secure and uncensored internet access.

2. Legal and Human Rights Concerns: Putin's status as a wanted criminal by the International Criminal Court, along with the recent event that happened to the opposition figure like Alexei Navalny, highlight the regime's disregard for legal norms and human rights.

3. State Censorship and Control: Russia's legal landscape, increasingly crafted by those prioritizing oppression, has led to the implementation of sophisticated Deep Packet Inspection (DPI) techniques. These are used to block access to opposition websites, such as navalny.com, and major social networks, effectively silencing dissent.

4. Google's Ethical Responsibility: Given that all Google offices in Russia have been closed following the onset of the war, the corporation has no jurisdictional obligations that should prevent it from taking a stand against digital oppression. Upholding the "Don't be evil" principle, Google has a unique opportunity to protect its users in Russia from state-imposed censorship.

5. Market Influence: With Chrome holding a 50% market share in Russia, implementing DoH by default can have a profound impact on safeguarding user privacy and ensuring access to uncensored information.

The implementation of DoH by default would not only prevent the interception of DNS queries by DPI but also signify a strong stance against digital censorship and surveillance. This change is straightforward but has the potential to make a significant difference in the lives of millions of Russians, offering them a safer, more open internet.

I hope you will consider this proposal seriously and recognize the positive impact it could have on human rights and digital freedom in Russia.

--

Best regards,

Alexey Balyberdin

[Eric Orth]

For the sake of understanding this proposal, what exactly do you mean by "enabling DNS-over-HTTPS (DoH) by default"? Specifically, you point to the `allow_dns_over_https_upgrade` configuration flag, but that flag is already typically enabled for all the big platforms via an override here: https://source.chromium.org/chromium/chromium/src/+/main:services/network/network_service.cc;l=695;drc=f4a00cc248dd2dc8ec8759fb51620d47b5114090

[Alexey Balyberdin]

Thank you for your reply Eric,

Honestly I'm not familiar with the Chromium codebase, nor am I a system developer or a DNS, DPI, networks expert.

I was just wondering what we as a developers community can do to make the life of Roskomnadzor harder.

The Russian government is clamping down on free speech and civil liberties and it's using DPI technology to do that.

I wondered if there exists a counter-measure to ISP sniffing on the traffic and discovered that DoH/DoT is capable of doing just that by encrypting the plaintext dns queries.

This sounds like a good idea but I haven't found any information about the rollout in Russia. The censorship is still in place and the users cannot access information freely.

Therefore I made a conclusion that it's not enabled by default and after scanning the relevant part of Chromium codebase I found the boolean flag that looked promising, so I stopped looking further. I apologise for that.

So, if you allow me to reformulate my question:
Is it possible to enforce encryption of DNS queries in countries that have a track-record of human rights violations? Why can't browser developers protect the users from the censorship, given that all the infrastructure for that is already in place and there are numerous non-censored DNS resolvers ?

I read that Firefox was going to try to do something about it, but it seems like the Russian authorities still manage to block the access.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https

I also saw a letter from EFF on the same subject:
https://www.eff.org/document/eff-letter-congress-doh

Sorry for being naive and asking questions outside my area of expertise.

[Eric Orth]

Adding in some additional people who might have thoughts on this subject or at least might want to see this.

But overall, I'm not sure there's much more that could be done beyond the current state (where Chrome DoH is globally launched to use DoH as the first DNS attempt by default if the system-configured DNS server has a known DoH equivalent and fallback to non-DoH on failure).  From a purely technical perspective, Chrome could select an arbitrary known DoH server when the configured DNS server does not have a known equivalent, and could enforce that DoH is always used or requests fail.  Use-DoH-or-fail is possible today from configuration, but is not the default behavior for any users.  The big problem is that it's fairly easy for networks to block access to known DoH servers, so if Chrome attempted to make this all the default behavior for all users in a country, if it had significant impact on that country's censorship capabilities, I would expect the country to just block all the DoH servers Chrome is using in its default config if not already doing so (I don't personally know what countries are currently blocking what specific DoH servers).

[Shivan Kaul Sahib]

On Wed, 28 Feb 2024 at 10:10, Eric Orth <eric...@chromium.org> wrote:

Adding in some additional people who might have thoughts on this subject or at least might want to see this.

But overall, I'm not sure there's much more that could be done beyond the current state (where Chrome DoH is globally launched to use DoH as the first DNS attempt by default if the system-configured DNS server has a known DoH equivalent and fallback to non-DoH on failure).  From a purely technical perspective, Chrome could select an arbitrary known DoH server when the configured DNS server does not have a known equivalent, and could enforce that DoH is always used or requests fail.  Use-DoH-or-fail is possible today from configuration, but is not the default behavior for any users. 

You could also fallback to a DoH provider opportunistically. So if the system-configured DNS server does not support DoH, fallback to a default DoH provider, and if that doesn't work either, fall back to Do53. This makes the decision to block DoH an explicit one for the censor, while providing encrypted DNS for most users. 

 

--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAMOjQcFEM8Q8Q88MAOXwyiL4c%3D8fRHBWzs8KtkQj6u%2Bv7my%2BgQ%40mail.gmail.com.

[Alexey Balyberdin]

I'm really grateful for your replies, I really believe that this is a technical problem that can be solved.

What about root DNS servers? Can they be used as last resort DoH resolvers?

As far as I understand it's not possible to block them without bringing Internet access in Russia to a halt?

I do realise that it's not their original purpose and they were not designed to serve end-users, but they can just load-balance this additional traffic to the regular DNS resolvers.

Sorry for being a complete amatuer and asking silly questions.

[Matt Menke]

The root servers are run by charitable organizations, and putting additional load on them is not something we should do.  Beyond that, anyone doing even the most basic packet inspection can pretty easily block DoH connections to them (even if they support DoH in the first place, which I'm not sure they do), while allowing all other traffic through.  Also possible to block end user traffic to them, while allowing authorized intermediate DNS resolvers through.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CALJEuvc8hAa6-2LoM0sfMj5o68k5Gxx6sjPGAkqB%2BY_JtQ%2B9-A%40mail.gmail.com.

[Alexey Balyberdin]

As Shivan noted:

You could also fallback to a DoH provider opportunistically. So if the system-configured DNS server does not support DoH, fallback to a default DoH provider, and if that doesn't work either, fall back to Do53. This makes the decision to block DoH an explicit one for the censor, while providing encrypted DNS for most users. 

I want also to add:

I don't understand how https with DNS over it can be distinguished from any other query to 1.1.1.1 8.8.8.8 CDNs.

I'm a bit green when it comes to DPI and Wireshark, but here's my understanding: DNS-over-HTTPS (DoH) is tls traffic that there's not way to sniff on tls traffic with Deffi Hellman key exchanges, remember 1.1.1.1 and 8.8.8.8 are also DoH servers as well as CDNs already, I think it's maybe a flag from the ISP to downgrade to plain DNS.

Or maybe a blacklist from the Kremlin war criminals being enforced by DNS resolvers instead of punishing them with inability to block DNS over tls that you can enforce instead.