Kitz ADSL Broadband Information
Author Topic: AA trialling own servers for DNS over TLS and DNS over HTTPS  (Read 826 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 8450
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
AA trialling own servers for DNS over TLS and DNS over HTTPS
« on: September 19, 2019, 01:25:15 PM »

AA has started offering DNS over HTTPS (DoH) and DNS over TLS (DoT) from their own servers on a trial basis. Example uses: Firefox for DoH, or DoT supported by Android. More information: https://aa.net.uk/dns

jelv

  • Helpful
  • Kitizen
  • *
  • Posts: 1513
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #1 on: September 19, 2019, 02:55:35 PM »

I've configured it in W10 Firefox - seems OK
Line rental: Pulse8, Broadband: AAISP Home::1 FTTC 80/20, Mobile: id Mobile

underzone

  • Reg Member
  • ***
  • Posts: 333
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #2 on: September 19, 2019, 04:46:20 PM »

Cool, you should have access to The Pirate Bay, and any other UK blocked sites - should you wish of course  ;)
Plusnet 80/20, Huawei 288, Zyxel VMG8924-B10A (bridge mode with 1500 MTU, thanks to johnson), pfSense x64

grahamb

  • Member
  • **
  • Posts: 72
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #3 on: September 19, 2019, 05:07:18 PM »

Done on my Android 9 phone.  ;D  Have to wait one more version (possibly) to do it in Chrome.  :no:

Referencing underzone's post above, does this mean there'll no longer be any need for VPNs, should one already be using one?

ejs

  • Kitizen
  • ****
  • Posts: 2026
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #4 on: September 19, 2019, 06:20:51 PM »

I don't think underzone is correct, I think that blocking tends to be done somewhere else, otherwise there wouldn't have been any need for VPNs before either.

Other types of blocking, like parental controls that people can opt in or out of, might be done by an ISP's DNS servers.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 8450
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #5 on: September 19, 2019, 07:53:31 PM »

This only affects DNS. If you are worried about carriers BT and TalkTalk then you need a VPN as the carrier could be snooping on the data between AA and you.

Those of us who have Firebrick routers could use IP over PPP LCP in the Firebrick to talk to AA if we can persuade AA to turn this protocol on at their end. It’s only obfuscation, so a very weak encryption of the traffic, but it would be enough to confuse a carrier who is doing mass surveillance but no good if your data is sensitive or if you’re being targeted specifically. This would be faster than DoT if you don’t mind about it not being secure, as it doesn’t use TCP so there is no connection setup time. Also no RAM usage in the form of per-TCP-connection state info in the AA servers, so it’s more massively scalable by comparison. I have suggested this to AA as an option.

@underzone AA is uncensored anyway. I don’t understand the point about Pirate Bay etc. Are these ‘blocked’ by interference with DNS? AA’s DNS servers will be giving you the unfiltered DNS anyway. I’m assuming that the likes of BT would be ‘blocking’ such sites by delisting entries in BT’s own DNS servers, but if you are an AA customer then you are using AA’s DNS servers (unless you have actively chosen otherwise) which are uncensored, and not using BT’s servers anyway, so there is no improvement as AA is uncensored anyway. Or are you thinking that BT filters out DNS requests in IP in PPP frames going to AA? I don’t believe for one minute that BT tampers with PPP traffic of any sort, DNS requests included, and so I don’t see why you would experience DNS-based ‘blocking’ when using AA anyway.

Of course if a website is supposedly ‘blocked’ by DNS censorship, either censored servers belonging to some ISP or by filtered DNS traffic in transit through a carrier, then it is not really blocked, it’s just that clueless users will think it is because they don’t know how to reconfigure their DNS server choices, or if necessary use encryption - eg with a VPN - to prevent filtering.

@grahamb no, you certainly will need a VPN still if you are not using AA. If you are using AA then you can trust AA, so you don’t need a VPN unless you are concerned about the lack of encryption protecting your data in transit outside AA, between you and AA and beyond AA over the rest of the internet. So if you need a VPN now then this won’t make any difference, and is a waste of time as you’re already fully protected anyway, and DoX is going to slow your uncached DNS lookups down slightly too.
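An added example, not from this thread and not A&A's or Firebrick's code, to make concrete what the first post and reply #5 are discussing: the DNS wire message a DoH/DoT client sends, framed both ways (DoT reuses DNS-over-TCP's 2-byte length prefix inside the TLS session, RFC 7858; DoH carries the same bytes as a base64url `dns=` GET parameter or a POST body, RFC 8484), plus parsing of a constructed reply with the transaction-ID and question-section checks a client should make before trusting an answer. The `/dns-query` path, `www.example.com` and `192.0.2.1` are assumptions for illustration, not A&A's endpoints or data; nothing here touches the network.

```python
# Added example (not from the post or from A&A): build the DNS wire message a
# DoH/DoT client sends, frame it for DoT and DoH, and parse a constructed reply.
# Runs offline; nothing is sent. Path and addresses below are assumptions.
import base64
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> length-prefixed labels + terminating zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off, hops=0):
    """Decode a name (follows 0xC0 compression pointers); returns (name, end offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer to an earlier name
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, hops + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_query(name, qtype=TYPE_A, txid=0):
    """RFC 1035 query with RD=1. RFC 8484 suggests ID 0 over DoH so HTTP caches hit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def dot_frame(msg):
    """DoT (RFC 7858): DNS-over-TCP framing, a 2-byte big-endian length, inside TLS."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg, path="/dns-query"):
    """DoH GET (RFC 8484): base64url with padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def doh_post(msg):
    """DoH POST: the raw message is the body; returns (headers, body)."""
    return {"Content-Type": "application/dns-message"}, msg


def parse_response(query, resp):
    """Parse a reply; refuse it unless its ID and question match what we asked."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("ID mismatch or not a response")
    asked_name, qoff = decode_name(query, 12)
    asked_type = struct.unpack("!H", query[qoff:qoff + 2])[0]
    off = 12
    qname, off = decode_name(resp, off)
    qtype = struct.unpack("!H", resp[off:off + 2])[0]
    off += 4                                       # skip qtype + qclass
    # A reply for a different question is discarded, as a resolver would do.
    if qd != 1 or (qname.lower(), qtype) != (asked_name.lower(), asked_type):
        raise ValueError("question section does not match query")
    answers = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"rcode": flags & 0xF, "question": (qname, qtype), "answers": answers}


def constructed_response(query, addr, ttl=300):
    """A constructed reply (not a capture): QR=1 RD=1 RA=1, one A record, name compressed."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    return header + query[12:] + rr + bytes(int(x) for x in addr.split("."))


def demo():
    """Same message, both transports, then the parsed constructed reply."""
    q = build_query("www.example.com")
    return {
        "dot_bytes": dot_frame(q),
        "doh_get": doh_get_path(q),
        "doh_post": doh_post(q),
        "parsed": parse_response(q, constructed_response(q, "192.0.2.1")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The GET path produced for `www.example.com` is byte-for-byte the example given in RFC 8484 section 4.1.1, which is a useful sanity check when writing your own client. Note the connection-setup point from reply #5: the DoT bytes above only go out after a TCP handshake and TLS handshake, whereas classic port-53 UDP sends the 33-byte message straight away; DoH adds the HTTP layer on top of the same TLS session.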

CarlT

  • Kitizen
  • ****
  • Posts: 1516
  • Next generation network design and deployment
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #6 on: September 19, 2019, 11:57:25 PM »

A vague segue, but sending all IP traffic over the control plane of the PPP session is potentially not going to go down too well with the owners of the BRAS it'll go through on its way to A&A.
WiFi: Nighthawk® AX12 RAX120
Router: As above. Pending software release before using Ubiquiti UDM Pro.
Switching: 2 * Mikrotik CRS305-1G-4S-IN, various GigE
Interfaces: 2 * 5G. 4 * 10 G. Various 1 G.
ONT: Huawei 1+1
Exchange: Wakefield
ISP: BT

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 8450
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #7 on: September 20, 2019, 01:00:35 AM »

[off-topic]

@CarlT Agreed. AA and Firebrick thought this thing up, and I seem to recall that they have used it with one or two customers. When this was done it was found to restore high performance for AA customers who were suffering with congested overloaded exchanges or carrier-internal links, as if somehow it put those customers at high priority. It will defeat any traffic shaping, so forcing net neutrality; this was indeed a desideratum for AA in the past. Evil or otherwise carriers may not like that.

Speculation: Perhaps this behaviour is because all PPP LCP is mistakenly treated by carriers as an LCP Echo Request, and so is prioritised by queue jumping, in order to get accurate link latency time results that intentionally always exclude queuing time.

Does it mean that the traffic will escape charging/metering? I wonder if that will mean a free lunch for me if I use it over 3G/4G AA/Three ?

If so, then that makes it all even more desirable still for yours truly! It would give me more than half of the benefit of BT Priority traffic without me having to pay £12 per month; I also get AA-internal priority traffic handling currently too though for my money.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 8450
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #8 on: September 20, 2019, 05:32:57 AM »

AA are even allowing non-AA internet access users to access the DNS service. This is very generous, a bit too generous possibly and I hope that they route non-AA users onto a separate system to guard against abuse.

Mind you, actual AA internal access customers who are away from home and who need to use eg. Wi-Fi in a cafe or some random mobile network for a time will benefit greatly from still being able to use AA’s DNS servers regardless, so this generous move will actually benefit AA customers who ‘look like’ aliens.

AA write:
Quote
Our DoH and DoT servers are primarily for use by customer [sic] to whom we provide an Internet connection to. If you take your computer or mobile device away from your A&A connection - eg to a coffee shop or use your mobile data connection then our DoH and DoT servers will still work. Unlike our normal port 53 DNS servers, our DoH and DoT servers are open to the Internet.
« Last Edit: September 20, 2019, 05:44:24 AM by Weaver »

CarlT

  • Kitizen
  • ****
  • Posts: 1516
  • Next generation network design and deployment
Re: AA trialling own servers for DNS over TLS and DNS over HTTPS
« Reply #9 on: September 20, 2019, 08:36:11 PM »

A downside of DoH - it being done at the application layer forces this. DHCP usually supplies the DNS at the network layer so if off your ISP's network you get appropriate DNS from whomever is supplying the connection.

I doubt they will differentiate between on-net and off-net sessions.