Somebody's on the phone, I'll wait. If the phone rings, it costs a round of gin tonics. For you? No, for the round. Is my phone off? Hello, everybody. I'm sure most of you have seen Daniel's DNS over HTTPS talk yesterday. And we just had another intro from Vittorio. And now, under the supervision of Jan-Piet Mens, these three gentlemen will discuss. Over to you.

Thank you, Peter. Good morning. I'm Jan-Piet Mens. Welcome. I hope you can all hear me. I hope the microphone hears us. I'm here in order to be able to get into the room. That's the reason I accepted the job of moderator. Otherwise, I would be somewhere else. But anyway, I would like to introduce this illustrious panel, and in order to comply with the slide, I'll start on the right. You have Mr. Daniel Stenberg from Sweden. Everybody knows, or everybody uses, software that he has written, for example curl. And Daniel is very well versed in all sorts of internet protocols. He worked, please note the past tense, for Mozilla. He has not spoken for Mozilla in the past, and he will probably not speak for Mozilla today. And if I am not mistaken, Daniel now works for the company Wolf TLS. Oh, I'm sorry. wolfSSL. Am I right? Ooh. Ooh.

In the center, Mr. Stéphane Bortzmeyer. Stéphane is an old dinosaur of the internet. He knows all RFC numbers backwards and forwards. He is a distinguished member of AFNIC. He is the internet architect at AFNIC, the French Network Information Center. He's an IETF member. He's recently written a book called Cyberstructure: L'Internet, un espace politique. And his Twitter avatar is a modem. So he's been around for a while.

On the left, I'm sounding as though I'm presenting a ring match. On the left, we have Mr. Bert Hubert, a founder, I think it was in 1999, of PowerDNS, and, at least at the time, its principal author. I think he invented dnsdist, a load balancer. He doesn't write it anymore, but I think he invented it. Used to write it, OK. Be afraid, be very afraid.
He's very well versed in a huge number of topics, including DNA and philosophy and all sorts of things. And he is not ashamed of wearing extremely ugly hats. So this is our panel. And in order to get us started, and in order to introduce people and get these gentlemen started, I'm going to ask a number of questions, and we'll start way at the beginning, under the assumption that people who will watch the video later on, or are watching the stream now, have not been in this room the whole day. Stéphane, would you be so kind? I'm expecting the terms DoT and DoH to be used quite frequently. Could you, in just two or three sentences, explain what these are and what the differences are?

DNS, when you say just DNS, it's a protocol which is in the clear, which means that anyone on the network can read the queries, read what you are asking for, or even modify them, which is quite common in many places. DoT, DNS over TLS, is using the well-known encryption security protocol TLS to protect the DNS queries. So people can no longer know that you are visiting pornhub.com. Nobody here does it, but it's an example. What domain did you say? Pornhub.com? No. And the good thing about DoT, about DNS over TLS, is that TLS is well known and well used, but it can be blocked because it uses a dedicated port. That's why we have DoH, which is DNS over HTTPS. Again, it's TLS underneath because it's HTTPS. But running over HTTPS has the advantage that it's much more difficult to pinpoint that it's DNS traffic. So it's more difficult to block or...

Thank you very much. Bert, it appears, at least from the news and so on, that US telecommunication giants are now selling location data of customers' mobile phones just for the hell of it, and in particular without their owners' knowledge. And people don't seem to care very much about privacy, in particular if we look at the Facebook-type scandals, which are forgotten directly the weekend passes.
In view of this, how relevant is DNS privacy at all?

I think it's far more important, apparently, for us than it is for the general population. We have seen very large numbers of people, for example, move their DNS to Quad 8 from Google. That's because it's a superior service. It works really well, and it also frequently gets you around government censorship. So people do care about a free and open DNS and are willing to open dialog boxes that say "do not open" or "voids the warranty", and they will still do it. So people do care a lot about working DNS. If you go on the street and ask people, are you worried about Cloudflare or Google or Mozilla getting a copy of your DNS traffic, they will not care. We are discussing this sort of on behalf of users that are not themselves present in the room. So in that case, we need to imagine a lot: how are these people thinking? And that is my main beef, where we can come to: if we start to tell people, say, look, just press OK here, because this is more secure, then we have made a decision on their behalf, because they will click that button. And then we have to be very, very sure that we made the right decision for them. And that is because the answer to your question is people don't care that much.

Thank you. Daniel, which technology would you say is better suited to provide more privacy in the DNS, DoT or DoH?

Thank you for that question. And the right answer is? I spent a few hours doing these. So. Well, of course, the answer is not 1 or 0 here. It'll depend on the situation. And going back to pretty much what Bert said, it's also about what you can ask the users to do and who sets things up. Because these are difficult questions. And handing over the choice to the users is never going to be the right way either. But at this moment in time, we don't have the correct way to do it automatically or by the systems either.
So I would say that right now we're in a weird situation where, yeah, we have DoT and we have DoH. And they are both good ways to secure DNS. But as long as we're doing everything opportunistically and just trying out things and going with what works, then DoH is going to be the better option. Because DoH right now, just because you're forced to sort of push the choice to the user, which is wrong. But since we do that, it offers better privacy, because you know who you're talking to. You know, you picked that server. I see a head shake here.

Yeah, because actually a user does not know. The user gets a button that says, do you agree with us sending your DNS to this cloud mountain company in the US or whatever, and it will be better. And they will, okay, this is not an informed consent.

Compared to what, you mean, your DoT selection? But you didn't select that either. Someone else did for you. So you mean one selection and the other selection, which selection is best. The user doesn't know either way.

So this is actually a great point. Where did the user choose? So because we cannot have a consent, they will not be involved with the technical discussion, because they just pick a browser or they pick a service provider. And if they pick a service provider, they get the Proximus or the Telia DNS with that, because they picked that company to provide their internet services. And in the future, they will say, we're gonna move that choice from picking a provider to picking a browser. But it's still a choice. And it's still a choice where a user has actually only voted by who they're gonna pay or which software they're gonna download. It's not a very informed choice.

Well, unfortunately, most choices of the user are not well informed. I suspect that many users don't even clearly make a difference between a browser and an ISP.
So it's a big problem for security and privacy for everyone, but for the specific case of the DNS, because we are in the DNS devroom, it's even worse, because DNS is something which is in the infrastructure, which is well hidden. So even then we don't already have an informed consent when people choose a browser and an ISP, and very often they don't have a choice anyway. So DNS is even worse, which means that in the meantime we have to take our responsibility. We have to decide by ourselves, because we cannot reasonably ask the user to do so. But for the future, we still need to explain to the user, so that in the future, when people will be better informed, they at least know why we did that.

Yeah. I'd like to add, okay, this is really hard for users to make this decision, because they won't. They will never know, so we have to make this decision for them. But I would add to that, yeah, we can discuss DoT and DoH, but exactly how much DoT traffic can we see today? That depends on your system being set up for that, and that's basically not used today at all. So right now we can offer a browser. Let's say there's a billion Windows computers out there. They can only run that browser today, I mean, theoretically, and they could use DoH tomorrow. So that's also, I think, something to take into account. That's much easier to deploy.

Is there a question here from the audience?

Yeah, rather more a comment. I indeed think the user is not making the choice here. They're choosing their provider, but not thinking about this particular problem. So indeed, actually we, on behalf of the users, have to make that choice, or at least pick a sane default. So what would be a good default? In my opinion, I think the more locally you resolve, the better it is to adapt for that community, rather than picking something that is very centralized, that has to cover all users with all different ideas on how to do things.
So I guess the question could be, what is the good default here?

Thank you very much.

I don't, well, choice is a very loaded word, for most people don't really choose the ISP. Very often they have no choice, and even if they do, basically they are all the same. So there is often very little difference, not a real choice. Now for the DoH client, what is the sane default? I know that systemd, for instance, uses 8.8.8.8 as a default, which is certainly bad privacy-wise. At the present time, unfortunately, there is no way to have a proper default here. But one of the reasons is that we don't have enough DoH providers. One of the biggest mistakes in Vittorio Bertola's talk before was to confuse the DoH protocol with the DoH services. Today, the big DoH services are Cloudflare, Google, and a few others, not a lot. But DoH itself as a protocol, you can talk DoH with anyone if you want; to talk DoH with, I don't know, AFNIC's DoH servers when they have one, you can do it. So really the issue now is to write more software to have DoH servers and to deploy them, so we have a real choice, so we have a lot of DoH servers. But when Vittorio Bertola was talking about concentration, it has nothing to do with DoH, in the same way that the dominance of Gmail has nothing to do with the SMTP protocol. I mean, you can use DoH to talk with anyone, and then users will really have a problem of choice, which DoH server, which DoH resolver to use. But today, the problem is that there is no choice. There are only a few providers and they are basically all the same, GAFA, US companies, et cetera. So that's the first thing we should address, I believe.

Brief call, I think this panel will agree that DNS over HTTPS as a protocol is not the thing we're worried about. We're worried about what people would do with that. And that moves it on to the DoH provider selection. PowerDNS runs a DoH server. Out of nothing, we've got thousands of users. Many of them in Indonesia.
Because it turns out the Indonesian government blocks large parts of the internet, and also blocks all the large DoH providers. But apparently we are small enough that we fit in the Indonesian window of opportunity. I'm not going to tell them that. Sorry, I will, but to briefly round up my remark, the big question isn't going to be, if we think DoH as a service is a good thing, how are we going to make sure that users actually get a good choice and that they get presented with that choice? And on that front, there is some bad news, because there's a whole bunch of DoH providers that have been aching to get into the Mozilla program, and it's not working. The phone calls are not getting returned. There are mysterious privacy arrangements. There are secret contracts that cannot be shown. And if we are serious that having more DoH choice is good, the browser vendors that are offering us this DoH button, this DoH recommendation, should have a transparent program that says these are the constraints under which you can become a DoH provider. If you have the following attributes, we will gladly list you. And maybe we'll even give you a score in terms of your privacy commitment and other stuff. But what we cannot have is the browser vendors as a gatekeeper sitting there in California and saying, well, you can be part of the program but you cannot be part of the program. That is a big problem.

Thank you, Bert. Start in the back, after each other. Why didn't you get a more agile moderator? You need me to do the walking.

So actually, Stéphane covered my initial question, but what do you all think of something where, if there's an existing ISP resolver that is configured, and it turns out that the browser or application can determine that it also supports DNS over TLS or DNS over HTTPS, to automatically upgrade to using that? Does anybody have unhappiness with that?

Oh. You won't recognize me in an hour. Unhappiness. No, I think that's, again, that goes back.
Sure, that's opportunistic. That's good. That'll keep us from all the passive eavesdroppers everywhere and the spies, and it'll take us a huge step forward. So yes, that's good. And there's a draft going on with basically that idea. But we'll still come back to the case that, yeah, that's your ISP, but what about FOSDEM here, right? Who's telling you which server it is today? It might have been my computer that handed out the server, and then you talk to my computer instead. So doing it opportunistically, yeah, is going to save us from the passive attackers, not the active ones. And that's a tricky question. I don't have any answers, actually, to do it in a good way.

Stéphane, why are, I'll be with you in a second. Well, why are so many people scared of their ISPs spying on them? Is that a differentiation that is made on the American continent, the North American continent, respectively in Europe? Or is it generally also here a problem in Europe that people are scared of their ISPs spying on them?

It's not only spying. It's also modifying the requests, like in the Indonesian case. Or like it is mandatory in most European countries: in most European countries, ISPs are compelled by law to lie about some domains for reasons of file sharing, promotion of terrorism, et cetera, et cetera. So for spying, the biggest problem with spying is of course that it's very difficult to know if you are really spied upon or not. It leaves no trace. But I can notice that a few years ago I was at a big meeting in France, and the representative of the number one ISP in France complained that because of the rise of encryption they no longer can see the user traffic. And he was also whining that GAFA can still see it because of the endpoint. So apparently there is really a use in DNS traffic, and unlike what has been said, we are not protected by laws like GDPR, because the data protection authorities today are already overloaded with HTTP issues and they don't care about the DNS.
I spent a lot of time with the French data protection authority trying to motivate them about DNS privacy, and it was impossible. First, because DNS is an infrastructure that most people don't see and don't care about. Second, because they have enough work with HTTP, so they don't wish to have something more to do. So spying is a real problem. And data manipulation is also one, one of the reasons why people switch to 8.8.8.8. Read any user forum where users help themselves, the blind leading the blind. Most of the time it's, I cannot see this site because it's censored. So switch to 8.8.8.8 and you will be happy. The second case is failure, a problem. One of the biggest ones in France was when the number one ISP loaded, instead of the normal blacklist of terrorist domains, a test list including Google and Wikipedia. So every visitor of Wikipedia or Google was redirected to a webpage of the government saying, hey, you are a bad guy, you tried to visit a terrorist site. So after this, a lot of users switched to 8.8.8.8, and it will be very hard to convince them that the local ISP following local laws is better.

Thank you very much. Pornhub was not blocked that day. You said something about how the list of the DoH providers is vetted. Couldn't they use probably something similar to what they use with certificate authorities? Let me duck now.

Well, of course, I mean, that could be done. But then you would just pour it over to the user and say, sure, I already have 12 different providers, pick one, and everyone will go with the default anyway. Like they do with search engines, and that's an economy that powers the entire internet today. So sure, we can do that and everyone will use the default. So who's gonna be the default? The one who pays the most, right? Because that's what we do already with the search engine. So I'm sure it could be done. But is that, I don't know, might be better than today.
Instead of Let's Encrypt, it's Let's DNS or something like that.

Sure, that could be. I mean, you could have something for the public driven. Maybe.

As I said, the good solution is to have a large number of possible DoH providers. For the user, it will mean that the choice will be difficult, and we don't have an easy way to present to the user their differences. So let's try something wild. Maybe asking the application author to choose a DoH resolver at random in order to spread the load.

But if we do something like that, then you have the problem of split DNS, things like internal zones, which can't be found, external zones, which can't be found, VPN, et cetera, et cetera. Well, a whole mass of new problems would arise.

So I'm actually one of the people with that problem. So I've run DoH exclusively on my browsers for the past few months, and it breaks my VPN. Because at the moment I turn on my VPN, I'm still using my DoH server and it doesn't see inside the VPN. So we are making choices on behalf of users to make their life better, which is nice. But we're actually in the process also breaking some of the stuff that they may be relying on working. So it's not that clear that it's always an improvement.

Bert, we'll keep the microphone, please. The quads, what I call the quads, the Quad 8, Quad 1, Quad 9, et cetera, are getting quite a bit of DNS traffic from all over the world. And they don't seem to stop advertising or desiring that people actually use them. Why are they doing this? I'm sure they're not doing it for my good.

I would love to give Warren the opportunity to say something right now, so.

Let me go, let me go, let me go. It's okay, I'll manage, I won't faint. Maybe. Oh dear, I'm just thinking what all my lawyers are saying now. So yes, at least the Google 8.8.8.8 one, it's not doing it for purely altruistic reasons.
I will happily tell you, and I know this for a fact, it does exactly what it says on the privacy policy. It's not mining it for stuff, et cetera, go read the privacy policy. The reason that Google provides 8.8.8.8 is it makes things go faster. People who have faster internet use the internet more. People who use the internet more see ads more. People who see ads more make us more money. So yeah, it's not done just out of the goodness of anybody's heart. An ISP resolver, especially in some countries, just sucks. 8.8.8.8 is faster, 1.1.1.1 is faster. Having people use those is better. Having people not be censored is better. So you know, people use the internet, people see ads, people click on ads, Google makes money.

The ads for, thank you. The ads for Quad 8, I can understand, but what about Quad 1 or Quad 9?

I'm not speaking to those. What's going on?

Would somebody like to answer that question?

Well, this has been discussed before, but so I can't speak for any one of them, but sure, go read their privacy policy, what they do with the data. But I think a man over there can speak for one of them, at least. Watch your toes.

Yeah, hi, Christian, I work on DNS for Cloudflare, on the resolver team there. And we do it for very much the same reasons that Google does, but of course we don't make money from ads, but we make it from our paying customers who pay for our other services. And what we do is we make their domains faster as well. So if people are using our resolver to resolve our customers' domains, they get a really, really fast answer. And as Warren said, people that get a faster response use the internet more, and they use our customers' services.

Thank you very much. Apropos fast, are there definitive, I've had that question asked me several times, I'll give it to Daniel. Are there definitive measurements, have definitive measurements been done as to the performance, as to the fastness of DoH versus a locally installed DNS resolver?
Yeah, I mean, while I worked at Firefox, we did a lot of experiments, and we got a lot of crap for our attempts to actually figure this out. But okay, yeah, of course DoH is slower than your native resolver in many cases, but in the tail end you gain a lot, because the worst cases become much better. So it's a balance; it's a penalty, of course, because you get added privacy and encryption, but it's slightly slower responses. And then I know there's also this bigger concern, yeah, but what about getting the wrong IP back, right? So maybe you get a bad, sort of, that's not the correct server you're downloading your huge files from, so maybe that isn't added. And I know there have been tests going on with that too, but I don't know the final outcome, how exactly that penalty is.

Thank you. I have a question here.

So for a very long time people have said that you can't run your own resolver on your machine because it's too slow. And now we have changed to that, the average resolver, at least in the worst-case scenario, is also too slow, so we should use these other alternatives, DoH, because it is faster than the slow alternative, but it's slow on average. Why is the first option now still bad again? Is just running your own resolver and having it encrypted the normal ways not just better? Thank you.

Bert, would you like that? Or Stéphane?

Well, first, evaluating the speed, the performance of a resolver, is very difficult, because it depends on whether it's in cache or not in cache. It depends on the authoritative name servers when it's not in cache. It depends on whether you're interested in the better case or the worst case. So I will not talk about performance, it's too difficult.
Now from the point of view of privacy, having your own resolver on your own machine, which is probably something very easy for most of the people in the room, is not very good for privacy, because in that case requests to authoritative name servers will be from your own address, not even the address of the resolver. From the point of view of control, having exactly the resolution you want, the filtering you want: I don't want my DNS resolver to claim that this or that is malware or things like that. I want them to tell the truth, not to modify anything. So from the point of view of control, having a local resolver on your machine, or at least on your network, I invite everybody here to go to see the Turris booth here at FOSDEM. It's a router which is also a DNS resolver, which you control, you are root on it, you can do whatever you want with it, and you can filter what you want. Something that ISPs don't do on their DNS resolver. If they were doing my will, they would filter google-analytics.com first. So the choice of having your own resolver on your own machine or in your own network is not obvious. There is performance, there is privacy, there is control, and the three of them are maybe difficult to get together. A good solution would probably be to have your own resolver locally, validating locally, but also, when they don't have the data in the cache, they could ask another resolver with DoH, for instance, to get the information. It's not difficult technically, Stubby already does it, so it's probably, it should be the future.

Thank you very much. We have another two and a half or something minutes. Any questions from the audience? Peter?

Why is everyone concerned with the data transmission from me as an end user to the first DNS server, and not with encryption of, for example, the resolver to an authoritative name server?

So DoH is for the last mile, and what about the rest of the miles, Daniel?
I think we are concerned about that, but I think that's, I mean, yeah, sure, we need that encrypted too. Stéphane wrote a draft about that. And we really want that to work. We are all pro encryption. We want to have that happen. But the very interesting, strange thing is that a resolver that is used by a million people is in itself a privacy mixing device, because you no longer know who made that lookup or not. So it is important to encrypt all the things, and we want that. I'm very happy also to hear Warren's remark that we have been stimulating the service provider community to say, please turn on DNS over TLS on all the resolvers, because modern Android phones will now attempt to use it for you. More encryption is good. We need to have that. And simultaneously, you can actually benefit from this million-user resolver being a privacy mixing device. Assuming you don't send your client subnet.