With GA4, the tracker code is loaded from www.googletagmanager.com (even if the tag isn't loaded via a GTM container).
The measurement requests can be sent to (region1|www).google-analytics.com or analytics.google.com (to share cookies with Google login better).
> The entire point of DoH is to bypass the ability of the users to prevent browsers from providing browsing habits to their owners.
It is the entire point of DoH indeed, while hiding behind the idea that is somehow prevents the state/ISP from knowing which sites you go to (which it really doesn't).
There only one way to get best of both world:
- force your browser to never ever use DoH / DoT: force good old, in the clear, DNS over port 53
- run your own local DNS resolver (I run *unbound*)
- only ever allow DNS port 53 to/from your machine and your local resolver (I run *unbound* on an old Raspberry Pi)
- have your DNS resolver use DoH
This way you get the imaginary protection that your DNS traffic is "encrypted" between you and your ISP: I mean, it is encrypted... But it's an illusion to believe it prevents your ISP / friendly-state-after-your-well-being from knowing which sites you visit.
But you also get full control over which domains can be resolved or not.
As a sidenote unbound supports "wildcards" when blocking domains, which is sweet (as opposed to your typical OS's hosts files, which doesn't support wildcard).
FWIW I've configured unbound to return 0.0.0.0 for the millions (!) of (wildcarded) domains I'm blocking and then I use dnsmasq, locally, to convert any 0.0.0.0 to transform into NXDOMAIN. It's versatile and I like that way.
It's Linux so you set that up once and it works for years.
No, that is not the entire point of DoH. That’s like saying the entire point of TLS is to prevent users from looking at the traffic being sent to a website.
DNS without DoH, DoT, or DoQ, is wide open to anyone snooping traffic in the raw, that’s not necessarily information you want to share with the world.
Which (for people not handing all of their DNS traffic over to google anyway) usually just means that their ISP can see their DNS traffic which is kind of a moot point because your ISP can see the domains you go to even with DoH.
If somebody is on your local network capturing packets or they've cracked your wifi you've got bigger problems than your DNS leaking a list of domains. They'll also see the IP of every server you visit online anyway
The way DoH is implemented usually means that all of your DNS traffic is collected by some third party for-profit corporation like cloudflare anyway (who admittedly will already know most of the domains you visit anyway because of how often cloudflare's IP space is where DNS will point you).
There really aren't any good options for DNS and privacy, just a lot of compromises. Host your own. Or, if your ISP is trustworthy, you might be better off using what they provide. The DNS traffic between you and your ISP's servers should never leave their network.
ISPs seeing the domains of user traffic is not a given. And DoH is a step toward mitigating that.
People were setting their DNS resolver to custom values before DoH.
I agree that DoH would ideally be enabled at the OS level, or that the browser flow would default to still checking host file before sending out the query.
Unless you are using an VPN, your ISP can see the IPs you are communicating with regardless of the hostnames associated with them and in turn resolve those back to hostnames or at least netblock owners.
True, but n the cloud era, destination IPs don't mean what they used to. If peopel wash their blog with AWS or Cloudflare or Netlify, etc., dest. IP means little.
They're not talking about IP's. They're talking about SNI, which communicates the target hostname in the clear before the https session is established. ECH addresses that problem, but that is only recently starting to see wider use.
DoH is pushed by goggle et al to ensure you continue to provide your data to them.
The browser should respect the OS. The OS should respect the network (dhcp/slacc). If you want to override this then that should be an active choice by the user.
I am quite happy with my OS using normal dns (via WireGuard when out) to my dns server which blocks bad domains before they even reach my firewall, I don’t need DoH, although I have no problem with that as a concept.
What I don’t like is my browser taking away my choice and breaking the model. It should defer to the OS (and I can’t see any time I wouldn’t want it to defer to the OS)
The entire point of DoH is to take away control of DNS from the OS vendor to the browser.
There were other encrypted standards(dnscrypt for example) that didn't require you to do that, but the one that bypasses the OS was forced by adtech monopolist in charge.
No, the point of DoH is to take control of DNS from ISPs (and related middlemen) and give it back to site/service owners (so their settings are not overridden for whatever reason) and the end-user (so their habits are not as easy to disrupt or track at the ISP level).
> but the one that bypasses the OS was forced by adtech monopolist in charge.
Assuming by “adtech monopolist in charge” you mean Google, I don't think taking control from OS would benefit them given they effectively have control of more than two thirds of the mobile market share globally¹ so they are shooting themselves in the foot as much as anyone else – so I assume there are practical reasons², or purely technical ones, for DoH being their preferred choice (assuming that are pushing a preference).
And anyway, there is nothing that says applications have to implement DoH instead of letting the OS do that, Chrom{e|ium} and FF have gone that way in part because base OS support wasn't (isn't?) commonly available/enabled.
----
[1] A less than two thirds if you only count the US, as some published figures do, because Apple does rather better there compared to global averages.
[2] isn't dnscrypt's standard still officially a work-in-progress?
If it was implemented at an OS level and respected standard configuration then fine, DoH, DoT, whatever, I’m happy.
However it wasn’t, and it doesn’t defer to the OS or the network. I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser. I additionally get different reaults depending what I use, my browser will contact a different server than any other application.
That’s broken behaviour which benefits AdTech companies like Google.
> I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser.
But at that point, you are effectively the ISP trying to control how users do DNS, in a way that might enable you to track/block/redirect. You might be trustworthy to your users so that is fine, but that isn't the case for every user's relationship with their service providers.
Is there an arrangement that would stop less trusted networks from tracking/redirecting/blocking DNS requests without (accidentally) helping AdTech by making DNS-based blocking harder?
Completely forgot to take to this a week ago (busy times…) but this more recent (that is touching in the same issues of inconvenience for some and whether it should take precedence over safety concerns of others) reminded me: https://news.ycombinator.com/item?id=41471510#41472889
First, you can disable encrypted DNS, second you can set up your own DNS server and setup browser to use it. And your own DNS server will respect DHCP config.
Personally I would like OS to completely ignore DHCP config (like proxy or DNS server address) because those features can be misused for malicious purposes.
A lot of mobile apps use TLS connections when communicating with their backends.
You can MITM the traffic, and continue to deliver the traffic using a self signed certificate that you’ve trusted on your mobile device, and boom, you can capture the traffic at your proxy point and be happy.
A lot of mobile apps use certificate pinning to ensure that the backend certificate matches what the app expects. Now your self signed certificate, even though it’s trusted at the OS level, no longer matches the certificate that the app is expecting, and no data is exchanged after TLS handshake fails.
A lot of mobile apps use TLS with certificate pinning, so even if the user installs a system-wide root CA, the app doesn't accept it and won't let the user look at what data is being sent to the servers.
DoH and similar technologies don't override /etc/hosts. They're just a different way of making DNS queries. The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.
DoH means that each application does its own DNS queries, instead of using the OS's functionality. Whether that includes reading /etc/hosts is up to the application, and it looks like high profile applications like Chrome and Firefox don't read /etc/hosts.
> The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.
More correctly, the point is to shift all that from one organization to another. Maybe you trust Google or Mozilla more than you trust your ISP, but I don't think it's the same for everyone.
You could even argue that your ISP can already see which hosts you connect to, so using it's DNS resolvers doesn't add much information for them. Using DoH means that both your ISP and another party can see that.
Excluding leaks, the ISP does not see the hostnames, what it sees are the IPs you're connecting to. 20% of internet traffic goes through Cloudflare, so at least for those, the IPs are meaningless.
Both privacy and security are layered, and perfect is the enemy of good. Securing the DNS is an obvious first step, forcing the Internet to HTTPS by default was another. Google and Mozilla have contributed to better privacy. People that want more privacy, depending on needs, can also use a VPN or for the more extreme cases, something like Tor.
Not sure what you mean about having to trust Google or Mozilla. I'm not using either Google's or Mozilla's DoH servers. But yes, I would trust them more than my local ISP. Google, at least, proved quite competent in handling whatever data they collect.
In TLS 1.3 server certs are encrypted. And while browsers support ECH (Encrypted Client Hello) to encrypt SNI, almost no server supports it. Cloudflare has ECH disabled globally for some "issues" they do not disclose [1].
> DoH means that each application does its own DNS queries, instead of using the OS's functionality.
HUH?! No! You aren't supposed to implement DNS on the application level! Most modern OSes support some form of DNS over TLS at the system level. You should use that.
You’re not but that’s the point. Google realise they don’t control the OS (in many cases) and thus struggle to monetise it.
I don’t have a problem with doing dns lookups over http, or any other protocol you want to use, if I configure my OS resolver to do that.
When people don’t like DoH they tend to mean they have a problem with bypassing the OS.
Theres then the concept of DoH, network admins have a harder job blocking it without MitMing traffic (and in some cases installing new root certificates and thus reducing security for users).
I’m less concerned about that. The argument for DoH often goes to “I don’t trust my network but I do trust Google” but I can see why some don’t trust their network. Personally I’d tunnel all traffic if I were on an untrusted network.
As someone who doesn’t trust Google (as their income comes from selling my personal data against my will) but does trust my network (as I am the network admin) I lean in the “anti DoH” camp, but regardless of which camp, DNS should be configured at the OS level (whether that’s a manual choice to use Google or cloudflare or whatever, or to accept the network hints)
What you mean is that network admins have a harder time controlling people's devices.
I have a DoH server set in my Chromium browser, installed on my corporate laptop, and I love it, because my DNS queries don't leak to my network admin.
The perspective is significantly different when you're both the user and network admin. From your vantage point, you're picking the lesser of two evils.[1] But there's a third option that keeps you in even greater control, yet it's increasingly becoming more onerous to preserve. It's something like a collective action problem.
[1] Or at least you think you are. If your employer is running provisioning and "security" malware, I wouldn't take any bets on what they're logging or not logging.
Add this to /etc/hosts