bromite / bromite

Bromite is a Chromium fork with ad blocking and privacy enhancements; take back your browser!
https://www.bromite.org/
GNU General Public License v3.0

Add Comcast DoH Resolver #421

Closed jlivingood closed 4 years ago

jlivingood commented 4 years ago

Is your feature request related to privacy?

Yes - DNS over HTTPS (DoH)

Is there a patch available for this feature somewhere?

N/A

Describe the solution you would like

Add Comcast's DoH resolver to the Brave DoH experiment. The URI is https://doh.xfinity.com/dns-query

In terms of our DNS privacy, see https://corporate.comcast.com/privacy and https://corporate.comcast.com/stories/privacy-with-comcasts-xfinity-internet-service and note that we believe we can match privacy practices with any equivalent 'trusted recursive resolver'. I am happy to join a call or email to share additional details on all DNS practices.

General DNS policies:

Describe alternatives you have considered

N/A

csagan5 commented 4 years ago

@jlivingood thanks for your submission; I will ask a few questions as I act following the spirit of this open source project and trying to protect its users' best interest.

What I like about your request is that Comcast is a big player and thus accountable (a privacy mishap would have measurable consequences); what I like a bit less is that - regardless of the current teams and people working on this specific DoH functionality - the brand has suffered from some incidents in the past. I think there will be user complaints when seeing this provider added because the Bromite user base is very sensitive about these issues and (rightfully) not of the forgiving type.

405 can hopefully be soon implemented so that users can choose their own, a bit like for search engines.

Regardless, adding a DoH provider should be based exclusively on:

So I will ask you a few questions regarding the privacy policy, but I wanted to make it clear that there is a concern for the association with the brand.

General DNS policies:

I can see in your list items which are part of 3 groups:

  1. technical features
  2. privacy policy
  3. philosophy

And references to popular privacy violations; we have to focus on (2) for now.

  • We do not sell information that identifies who you are to anyone.

Is any other type of information sold? For example, information not related to identity: categories of the websites resolved, etc.

If the information is not sold, is it still used internally for any purpose?

The privacy policy might mention what is not done, but not what is being done.

  • We delete the DNS queries we have as an Internet Service Provider every 24 hours - except in very specific cases where we need to research a security or network performance issue, protect against security threats, or comply with a valid legal request.

I have some questions:

In terms of our DNS privacy, see https://corporate.comcast.com/privacy and https://corporate.comcast.com/stories/privacy-with-comcasts-xfinity-internet-service and note that we believe we can match privacy practices with any equivalent 'trusted recursive resolver'. I am happy to join a call or email to share additional details on all DNS practices.

For this type of topic it's best to conduct a public conversation. I can see a Gateway timeout error for both pages, will check later; however, the first URL pointed to a page looking a bit like a blog post.

jlivingood commented 4 years ago

What I like about your request is that Comcast is a big player and thus accountable (a privacy mishap would have measurable consequences); what I like a bit less is that - regardless of the current teams and people working on this specific DoH functionality - the brand has suffered from some incidents in the past. I think there will be user complaints when seeing this provider added because the Bromite user base is very sensitive about these issues and (rightfully) not of the forgiving type.

We welcome the scrutiny and high expectations on us. We totally understand the past issues and where our reputation stands. Our actions will have to speak louder than our words & we're trying to lead the way for networks to deploy encrypted DNS. We have a strong engineering culture here & take seriously the role that we play in connecting users to the world and protecting them. We were the 1st ISP in North America to do DNSSEC validation many years ago and were a global ISP leader on native IPv6 deployment. On privacy, as an engineer, I used to have to argue strongly for user-facing investments in security & privacy. Now, the reverse is true - we are asked all the time what more we can do and what we need to go faster, which is quite nice I must say! :-)

In addition, senior execs have made a decision to invest heavily in privacy & security services. All employees just started privacy training - including the notion of privacy by design and setting new expectations of how to minimize data collection, protect data, etc. So this is part of a shift for us that I believe is very important. In the coming weeks you will see more public indicators of this as well.

We do not sell information that identifies who you are to anyone. Is any other type of information sold? For example, information not related to identity: categories of the websites resolved, etc. If the information is not sold, is it still used internally for any purpose?

No type of DNS-related info is ever sold. In fact, we delete the DNS queries generated by our Internet customers every 24 hours except in very specific cases where we need to research a security or network performance issue, protect against security threats, or comply with a valid legal request. (An example might be a customer hits a malware C2 FQDN and so this is noted so we can then contact the customer to advise of likely infection & provide them with malware remediation advice.) We’ve never used that data for any sort of marketing or advertising – and we have never sold it to anyone.

Is the data copied anywhere before the 24 hours expire? Is an aggregated and/or anonymized form created somewhere else before the 24 hours expire?

We aggregate the data into query counts for capacity planning. For example, we track peak queries per second over time on a per-server basis, which is then totaled to per-datacenter location and national network counts. This supports capacity planning to know when and where we need to add server capacity & how well the system is performing. This is just counts of queries - nothing else is really that useful at our volume of around 600 billion queries per day (with peaks over 1 trillion). In that 24-hr window we also drop all identifying data (like source IP) and other data fields to study the potential hits on malware FQDNs in order to support R&D on how to remediate malware infections more effectively (this is done in a privacy-protective way - there's no need to ID specific users since the purpose is to track general patterns of malware profusion).

How long can the exceptions be extended?

Any activity that requires detailed DNS data fitting those exceptions needs to be completed before the 24-hr period expires.

I can see a Gateway timeout error for both pages, will check later, however the first URL pointed to a page looking a bit like a blog post.

Not sure why they timed out - maybe a temporary CDN issue? In any case, they are a policy and blog post from our Chief Privacy Officer. I believe an updated full privacy policy will be coming soon (in preparation for the CCPA going into effect on 1 January).

csagan5 commented 4 years ago

@jlivingood thanks for your detailed explanation, it will be useful as a reference for users that want to use the resolver.

The next version of Bromite allows and requires users to specify the DoH resolver URLs they wish to use, thus there are no more pre-shipped DoH URLs.

Please submit the resolver to the DNS Privacy Project Public Resolvers page which is what is being used in Bromite as a reference for globally available public resolvers.
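As an added example (not code from Bromite or Comcast), the following Python builds the RFC 8484 GET request a DoH client would send to the resolver URL named in this issue, and decodes a constructed wire-format answer offline; the hostname and the response bytes used in the test are made up.

```python
# Added example (not Bromite/Comcast code): RFC 8484 DoH request builder and answer decoder.
import base64
import struct

RESOLVER_URL = "https://doh.xfinity.com/dns-query"  # URI given in the issue

def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a NUL byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 suggests this for cacheability), RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name: str, resolver: str = RESOLVER_URL) -> str:
    """GET form: the query travels base64url-encoded, without '=' padding, in ?dns=."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={dns}"

def parse_a_answers(resp: bytes) -> list:
    """Return IPv4 answers from a response; handles name compression pointers."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:  # non-zero RCODE means the resolver reported an error
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        while resp[pos] != 0:
            pos += 1 + resp[pos]
        pos += 1 + 4  # NUL terminator plus QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:  # 2-byte compression pointer
            pos += 2
        else:
            while resp[pos] != 0:
                pos += 1 + resp[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs
```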

jlivingood commented 4 years ago

Sounds good. What is the ETA on the next Bromite version? (I was unable to find a release schedule - just past releases)

csagan5 commented 4 years ago

@jlivingood releases are happening quite often but there is no schedule; you can follow the releases ATOM feed to be notified as soon as they happen.