Doh and Cloudflare

Doh and Cloudflare

I suppose that it should not be surprising that my first post here appertains to technology. After all, freedom of speech and the internet and writing are eternally yoked to one another until some other medium replaces the internet. Troublingly, under the guise of “better security” we find ourselves being coerced and somewhat “forced” to adopt technological solutions. The rollout of Mozilla using Cloudflare for DoH requests by default via Firefox on September the 11th of this year is such a solution. Why? Well, I am glad you asked.

What IS DoH? Is It a Deer, a Female Deer?

No, nor is it followed by ray, a drop of golden sun. DoH stands for DNS over Https. What is that? DNS is the way by which the internet translates IP addresses into memorable names. Instead of remembering 192.168.1.50 each time you want a webpage, you get a name mapped to it like ‘soundofmusic.com’. This lookup request is made each time you visit a new website. There is a cache on your computer that will store websites you have visited before locally so that the time it takes to lookup a certain page is reduced. It gets refreshed periodically. The important matter here, however, is that a DNS request is not necessarily encrypted when it is made. In other words, it can “leak information” about where you are going and what you are doing. Back before advertisers and ‘influencers’ roamed the vast Serengeti that is now the internet in search of wounded prey, not having your DNS encrypted was not a “huge deal”. In fact, it was somewhat a part of how the internet worked in the sense that DNS lookups were made to be decentralized in case of a nuclear attack. That meant that many DNS servers would exist on the web, and could perform lookups such that there was redundancy in case ‘the big one’ got dropped. Since there would hypothetically be many such DNS servers, then encryption was less of a priority for such traffic. The first obstacle to tracing anyone would be to discover what DNS resolver they were using.

Along Came Google

Then, Google came forth on the internet with its first motto of ‘Don’t Be Evil’ and became a hugely popular search engine that then underwent a conversion to the Dark Side and became more evil than anything evil before had dreamed of becoming. Google introduced ideas like traffic analysis to websites whereupon it began to own quite a bit of the infrastructure the world relied on to get work accomplished. So, instead of just owning hosting for websites for instance, Google also began to own its own DNS resolvers which, because it became huge, it could guarantee would work more reliably. Slowly everyone started using Google for pretty much everything. They owned a majority of all systems from the search command line to the DNS lookup to the mail traffic. This is where we are today.

Along Came Cloudflare

However, there was still a niche service other companies could provide, enters Cloudflare. Sometimes websites would get a Denial of Service attack. This basically meant that someone out there wanted said website down. Google was not in the business of preventing DoS attacks. Its job was simply to be huge and have access to a lot of information due to the adoption of all of its free services. Cloudflare, on the other hand, began to offer “in between” services that would offer ‘protection’ from DoS. Before your traffic ultimately wound up in Google’s hands, if you were willing to pay, in some instances anyway, some ‘protection money’ to Cloudflare, they would make sure that your website lived long enough to relay traffic to the ‘Google Monolith’.

So What?

So some companies offered services that became popular and did them so well that they made a lot of money. So what? Well, as these services grew, they began to supplant the architecture and original intention of the internet. DNS was not made with the idea of needing a ‘go-between’. It was made with the idea that the world might be on fire from nuclear attack and could very likely in such a situation benefit from having some form of communication present. The internet itself certainly was not made with the idea of a handful of companies controlling the majority of the internet infrastructure either. It was made with the perhaps academic utopian notion of free speech and interchange of information. One could say the internet was envisioned as the ultimate ‘First Amendment’ testament.

Cloudflare and the Q Movement

So, in about 2017, a new internet movement appeared that many classified as a “conspiracy” that called itself the Q movement that dealt with matters that seemed to be implicating the deep state in a way that one could safely say that those involved are traitors to the Constitution and to the country. It went about doing this in a curious way where clues were left or dropped, and other people who were interested had to knit together the narrative. These investigators or knitters were called ‘bakers’ as though they were baking bread. This movement stood heavily against issues such as pedophilia and Satanism. Most people would not have an issue with this, except that in this case, many governmental elite were being accused of being involved in these matters. Not more than a little of this was implied about Epstein before his unfortunate ‘demise’. The Q movement existed mostly on a board referred to as 8chan. 8chan was a peculiar place where one might find anything from Neo Nazis to Freedom Fighters. It saw itself as a ‘freedom of speech platform’. This was where the Q movement was headquartered. There were a series of shootings that occurred as many of us are aware. In one such shooting, before he went out and shot (in El Paso), supposedly the shooter posted his manifesto on 8chan. This was allegedly one of many such manifestos that had been posted on 8chan previous to a shooting. Let us suppose all of this is true. Is Mein Kampf still published? Has anyone decided to ‘storm the publishing offices’ of the places that still publish this tome in response to these shootings? We can answer this easily. No. The free speech first amendment guarantees us the ability to have freedom of the presses. Because someone can post or publish something vile means nothing about the platform. However, if someone wanted to remove a platform, would it not make sense to false flag the platform in question so it seems like the step taken is proactive? It must be the platform, right? Who was the responsible party for removing 8chan? I will give you one guess…

Cloudflare Removed 8chan

How did they remove 8chan? By denying them access to the Cloudflare service. Their rationale? The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Eh? So because some people allegedly posted up their manifestos and went on shooting sprees it means the entire platform is lawless? How many times has someone posted something up on Facebook and then went out and did said stupid thing? Does that prove that Facebook is lawless?

Regardless there are other services like Cloudflare, so what did Cloudflare do? Well, they tried to do this:

After losing Cloudflare protection, 8chan pivoted to a service called Epix. However, once the company that provides servers and >hardware to Epix, Voxility, found out, they kicked 8chan off as well.

The site is still down.

Two companies and the whole of 8chan is down.

Perhaps though we are being too hard and conspiratorial on Cloudflare right?

Back To DoH

The biggest backer of DoH is, any guesses? Cloudflare. Before all of the above indicated incidents, Cloudflare was asked by Israel to cut its links with Hamas. Here was its reply:

However, the spokesperson said compliance is challenging for tech companies because the U.S. government doesn’t provide a list >of IP addresses or websites that might be connected with sanctioned individuals and entities.

“Over the past few years, we have been engaged in ongoing discussions with a number of law enforcement and national security >organizations to determine the best way forward in this area and continue to review and update our compliance efforts,” the >spokesperson said.

So when it comes to Hamas whose name means ‘violence’ and has a clear history of terorrism, Cloudflare whines that it is ‘too hard to do anything about’. Perhaps they have had time to re-think their positions on Hamas. In December of 2018 though according to this report it would seem the answer is no. 8chan, which just so happens to house the Q movement though, well, clearly it is a ‘hate platform’.

So what is the game with DoH? Well, DoH traffic is being run through Cloudflare in a way that bypasses many other DNS servers in a centralization of DNS traffic. This is VERY convenient because it just so happens that Cloudflare is in a contract for some ‘research’ with a little company called apnic. So the centralization of DNS traffic over Https allows them to bypasses many “middle men” and have the ability to shut off a users ability to surf the net by axing their DNS provider–namely Cloudflare. One piece of analysis comes from someone with Apnic:

My first reaction to this work was to struggle to understand where the win is with DOH. The additional HTTP wrapping seems to >add little other than extraneous window dressing. And apart from the cheap thrills in trying to transform the external >appearance of one protocol into the guise of another I couldn’t appreciate any advantages for this approach.

If what we are after is the simple ability to conceal DNS queries within an encrypted channel, then the TLS part of DOH is >doing all the heavy lifting here while the HTTP/2 component appears to be little more than a source of extraneous adornment. So >why not just use DNS over TLS (DOT) and move on?

In other words, why would we take something out of the normal layer it occupies in the Tcp/Ip stack, and try to make it run at another unintended layer? The author goes on to note the possibility of a third party being able to block TLS and how DoH prevents this because it uses a well-known traffic port. But, the problem is more simple to understand via a comment from someone on Hacker News:

If your ISP is intercepting DNS requests and sending them to a slow or broken server, DNS over HTTPS ensures this won’t happen. >(Yes, they could block the traffic entirely, or slow it down for fun, but they can no longer intercept and redirect it.)

So the theme here is that you gain security in the sense of redirection at the expense of possibly being locked entirely out. An analogy might be that someone else will be deciding that you will either enter your house, or will be locked out of said house. Whereas with TLS you might open the door and wind up at your neighbors, but you can still always walk home.

In Conclusion

This technological solution (DoH) which defies common internet architecture, was pushed and brought to you by Cloudflare and Mozilla on the anniversary of 9-11–a day which we understand to be caused by Arabic terrorists–some of the same ones that support groups like Hamas. Send a message to Mozilla AND Cloudflare and do not allow them to use DoH by default. Likewise, for the parts of this website that knock up against Cloudflare, you have some s’planin to do. Until then, use TLS.

Avatar
Joe Bill Schirtzinger
Writer/Author

My preferred topics of interest are US History and Technology.