Firefox To Enable DNS-over-HTTPS by Default To US Users (techcrunch.com)

Mozilla will bring its new DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks, the browser maker has confirmed. From a report: It follows a year-long effort to test the new security feature, which aims to make browsing the web more secure and private. Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can't be intercepted or hijacked in order to send a user to a malicious site. These unencrypted DNS queries can also be used to snoop on which websites a user visits. DoH works at the app-level, and is baked into Firefox. The feature relies on sending DNS queries to third-party providers -- such as Cloudflare and NextDNS -- both of which will have their DoH offering baked into Firefox and will process DoH queries.
  • What a sad joke (Score:5, Insightful)

    by OneHundredAndTen ( 1523865 ) on Tuesday February 25, 2020 @09:11AM (#59764580)

    DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP. In the meantime your ISP will know exactly where you are going, unless you are using a VPN. Plus DoH will simplify things enormously for those keen on using DNS for encapsulating all sorts of protocols in a way that will be essentially undetectable.

    Thanks so much, Mozilla.

    • .Onion promotion (Score:5, Informative)

      by DrYak ( 748999 ) on Tuesday February 25, 2020 @09:24AM (#59764604) Homepage

      DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP.

      If you are interested in privacy from Cloudflare:
      You might be interested to know that Cloudflare can auto-promote HTTPS connection to .Onion TOR service.

      It's available for websites using CDN by Cloudflare, and Cloudflare themselves use it for DoH [cloudflare.com].

      So, if you have either Tor running or some Foxy Proxy rules to redirect addresses ending .onion to your Tor socks proxy, whenever Firefox is sending a DoH, it will be actually sending it over Tor, helping you *hide* more efficiently your requests from Cloudflare themselves.

      (Also, they have drastically cut down the captcha hell for Tor users:
      now instead of considering only every IPv4 hitting their HTTPS server as a separate user (and thus all traffic coming out of a single exit node will look like a single user and will get a bad reputation due to some of the malevolent traffic from a minority of Tor users),
      they will consider each Tor circuit to their .Onion Tor service as a separate user. Different users definitely use different conduits, so the fact that a few bad players on Tor do bad shit will not automatically discriminate against you just because you happen to also use Tor and the same exit node.
      But that's another story).

      • Re: (Score:2, Informative)

        If you are interested in privacy from Cloudflare

        Cloudflare's CEO has twice "removed sites from the Internet" on a personal lark. I wouldn't even trust Cloudflare with something as benign as the local path to my Firefox installation. Now you're telling me I should trust Cloudflare to promote my sensitive traffic to TOR? Ahahahahahahahahahahaha

        • by DrYak ( 748999 ) on Tuesday February 25, 2020 @11:05AM (#59764930) Homepage

          Now you're telling me I should trust Cloudflare to promote my sensitive traffic to TOR?

          Please read the source I am pointing to.

          It's the other way around: You can now more reliably put Tor onion routing between you and Cloudflare if you wish so, to hide yourself from the aforementioned evil CEO.

          You're not counting on Cloudflare to take care of your TOR traffic.
          You're counting on Tor to hide you from Cloudflare and now it works better.

          It used to be that Tor + Cloudflare == barrage of Captchas.
          Now it basically works. (Both for DoH and for any website using CDN from Cloudflare that activates Tor on their website).

          Really, try it: fire up Tor, test a few Cloudflare CDN-ed websites and notice how now a lot of them just work out of the box instead of complaining that your (exit node's) IPv4 has been banned due to abuse and asking you to solve a couple of dozen captchas.

          DoH works exactly the same as above.

          You're not protected from the CEO just deciding to STOP serving some name (for that you would be needing some distributed name resolving platform... something like namecoin but done better) (or at least you need to setup a couple of alternative services in your local resolver).
          But you're protected from Cloudflare snooping what server names you're connecting. They will not be able to track that the request for the address of the website "barelylegaltinypetitegirlzvsmassivegiantrapistcocks.xxx" has been requested by your IPv4 address, and later if that website uses Cloudflare CDN and has enabled Tor support, Cloudflare won't be able to track either that it is your IPv4 address that is requesting "revenge snuff porn" category from that website.

          Cloudflare's CEO has twice "removed sites from the Internet" on a personal lark.

          Cloudflare hasn't removed sites from the internet: it's not even hosting websites.
          It's only a CDN provider.

          It is a corporation (not a public utility) and thus can freely decide with which customer to do business.
          Just as the owners of 8chan are free to ask Akamai or any other CDN provider [wikipedia.org] to serve as a CDN in front of their website.
          (Or switch to a website provider that guarantees their own distribution. Or roll their own multiple servers across Amazon's or Google's Cloud. etc.)

      • Instead of a whitelist.

        Aka full of unknowns and potential holes. Like anti-virus instead of a firewall.

        Not that it is worse than this DoH clusterfuck.

        I'd say everything over TOR *except* for very specific things in a very specific separated containment zone.

      • While I like the idea overall, it's ultimately a losing battle until tls is changed to no longer send the host certificate in cleartext. The certificate contains all of the details that an isp would need. So say you visited slashdot.org, the server you connect to will send you the certificate containing its domain name (as well as all aliases and alternates) in order to prove itself. Easy for the isp to snoop that, making doh useless for now, though it could be useful later on. Closing this loophole would r

    • Re:What a sad joke (Score:5, Informative)

      by DRJlaw ( 946416 ) on Tuesday February 25, 2020 @09:30AM (#59764620)

      DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP.

      You can choose your DoH source. You cannot shield your remote DNS lookups from your ISP.

      In the meantime your ISP will know exactly where you are going, unless you are using a VPN.

      Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist.

      Plus DoH will simplify things enormously for those keen on using DNS for encapsulating all sorts of protocols in a way that will be essentially undetectable.

      Yes, DoH will be the log that breaks the dam open there. Nobody thought to use other protocols to do that before now.

      • Re: (Score:3, Informative)

        Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist.

        You're not hiding from your ISP regardless in these cases (which are many/most). Remember that SNI [wikipedia.org] is sent in plain text.

        Run your own recursive DNS resolver [nlnetlabs.nl] if you're paranoid.

        • by DRJlaw ( 946416 )

          You're not hiding from your ISP regardless in these cases (which are many/most). Remember that SNI is sent in plain text.

          Remember that eSNI [eff.org] is the other half of this. It's also the more difficult half because it requires support throughout the server-side chain, i.e. load balancers and reverse proxies, web servers, etc.

        • by ftobin ( 48814 )

          Remember that SNI is sent in plain text.

          This is only temporarily true. eSNI.

          • This is only temporarily true. eSNI.

            So is lack of support for encrypted transports in operating system resolvers.

            • by ftobin ( 48814 )

              So is lack of support for encrypted transports in operating system resolvers.

              Agreed. People are letting the perfect become the enemy of the good.

          • ESNI is good, but I do not like the implementation. I would have much preferred rather than use DNS shenanigans, the initial connection was made to the destination IP address (e.g. https://10.11.12.13/ [10.11.12.13]) and then the domain name is connected through a second tunnel (kind of like how EAP works for network authentication where you have an outer and inner authentication). Unfortunately this is stymied because LetsEncrypt do not issue certificates to IP addresses by policy.
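
Added example (mine, not from any poster or from Mozilla) illustrating the SNI point made in the replies above: even with the DNS lookup hidden by DoH, the TLS ClientHello that follows carries the server name in clear text, which is exactly what ESNI/ECH is meant to close. The ClientHello bytes are constructed here rather than captured, and slashdot.org is just the sample name.

```python
"""Why DoH alone does not hide the hostname: the TLS ClientHello carries the server name
in clear text (SNI, RFC 6066). Added example on a constructed handshake, not captured traffic."""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record; pass None to omit the SNI extension."""
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"   # offers TLS 1.3 only
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # legacy_version, random, empty session id
            + b"\x00\x02\x13\x01"                        # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if there is no SNI extension.
    Walks the fixed fields and length-prefixed vectors exactly as a passive observer would;
    nothing here needs a key, because the ClientHello is sent before any encryption starts."""
    if len(record) < 5 or record[0] != 0x16:             # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # not a ClientHello
        return None
    off = 4 + 2 + 32                                     # skip type+length, version, random
    off += 1 + hs[off]                                   # session id vector
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher suites vector
    off += 1 + hs[off]                                   # compression methods vector
    if off + 2 > len(hs):
        return None                                      # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4])
        data = hs[off + 4:off + 4 + ext_len]
        off += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        pos = 2                                          # skip server_name_list length
        while pos + 3 <= len(data):
            name_type = data[pos]
            name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            if name_type == 0:
                return data[pos + 3:pos + 3 + name_len].decode("ascii")
            pos += 3 + name_len
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("slashdot.org")))   # the name DoH just hid from DNS
    print(extract_sni(build_client_hello(None)))             # no SNI extension -> None
```

The same walk works on the first record of any TLS 1.2 or 1.3 connection: TLS 1.3 encrypts everything after the ClientHello, but not the ClientHello itself, which is why encrypting the SNI needs a separate mechanism.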
      • You can choose your DoH source.

        If this was about providing choice Mozilla would simply provide an option enabling people to turn it on if they wanted to. If they simply did that nobody would care.

        Saying you can choose when majority have no idea what any of this crap even means is not credible.

        You cannot shield your remote DNS lookups from your ISP.

        Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist.

        We know that SNI and PKI identity are sent in the clear. We also know fingerprinting of encrypted sessions to public sites has been demonstrated with high accuracy. Nothing is currently preventing an evil ISP from collecting the same data outsid

        • by DRJlaw ( 946416 )

          You can choose your DoH source.

          If this was about providing choice Mozilla would simply provide an option enabling people to turn it on if they wanted to. If they simply did that nobody would care.

          They simply did that [mozilla.org]. You're quibbling about opt-in versus opt-out as if your decision that "majority have no idea what any of this crap even means" should default to being out is "credible."

          We know that SNI and PKI identity are sent in the clear.

          For now. [eff.org]

          We also know fingerprinting of encrypted sessions to public

          • You're quibbling about opt-in versus opt-out as if your decision that "majority have no idea what any of this crap even means" should default to being out is "credible."

            I don't view ANY of the excuses in support of Mozilla's scheme as credible. Not a single one. I've yet to hear one justification of any technical merit that passes basic test of logic. Changing existing behavior by default with very real risk of change exposing users to additional harm is not something that should ever be "opt-out". There is no technical reason the system could not be architected in a way that avoids such risks. Mozilla has completely failed to even try.

            Mozilla could have followed othe

            • by DRJlaw ( 946416 )

              The EFF cares about it, it has a decent amount of value, it's no more of an added round trip than the DNS query, and is only insecure against active attack (by which I presume you mean forcing a fallback to DNS) because the tinfoil hat brigade is screaming about any mechanism that doesn't automagically follow their blessed DNS settings.

              Except for the massive computational load and expense of conducting that fingerprinting versus simply logging DNS queries.

              Extracting identity from TLS is absolutely trivial.

              • The EFF cares about it,

                It would be awesome if website operators cared. They currently seem to be stuck doing the exact opposite of what the EFF would prefer them do. Pervasive mass cross site surveillance of hundreds of millions is what you can expect more of with DoH as DNS based protections are bypassed.

                it has a decent amount of value, it's no more of an added round trip than the D.N.S query, and is only insecure against active attack (by which I presume you mean forcing a fallback to D.N.S)

                Personally I would be very surprised to see this widely deployed within the next decade.

                While it doesn't seem like much it's an added round trip over the top of normal D.N.S and TLS operations.

                To outfits like Google who counts

                • by DRJlaw ( 946416 )

                  It would be awesome if website operators cared.

                  Goalpost shifting, I see.

                  Pervasive mass cross site surveillance of hundreds of millions is what you can expect more of with DoH as DNS based protections are bypassed.

                  What DNS based protection is it bypassing? The piholes that the "majority [that] have no idea what any of this crap even means" are running?

                  While it doesn't seem like much it's an added round trip over the top of normal D.N.S and TLS operations.
                  To outfits like Google who counts each milli

                • by DRJlaw ( 946416 )

                  "Pervasive mass cross site surveillance of hundreds of millions is what you can expect more of with DoH as DNS based protections are bypassed..."

                  There has been no evidence provided to support that being the case. [CloudFlare [cloudflare.com]] has denied it and there is only guessing and innuendo on the other side of the ledger.

                  FTFY. Live up to your own standard rather than being an obvious hypocrite.

                • by DRJlaw ( 946416 )

                  The comically circular assertion is these large providers are against it therefore they must be collecting DNS data therefore DoH is needed to protect against these large ISPs. There has been no evidence provided to support that being the case.

                  Actually the assertion was "If it's not worth anything, then why are ISPs crying foul [arstechnica.com]," in rebuttal to:

                  The underlying idea that for any site visited an in-path eavesdropper may or may not be able to tell explicitly what the true domain of site being

      • by MeNeXT ( 200840 )

        For some reason you think you answered his valid points.

        The sources for DNS servers were already chosen and overwritten. Having to manually re-enter DNS servers just defeats the purpose not to mention it breaks existing privacy settings. It publishes the requests to a select few.

        "Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist."

        And? Why do you think t

    • Re:What a sad joke (Score:4, Interesting)

      by coofercat ( 719737 ) on Tuesday February 25, 2020 @09:38AM (#59764652) Homepage Journal

      The likes of Cloudflare and Google are the only games in town right now - but there's nothing stopping your ISP, or indeed you, or your router manufacturer from providing a DoH service. In the short term, I suspect you'll need an about:config change to use your own servers, but in the future I'd expect the browser to use the same DNS servers as the system it's running on, possibly with the big names as fallback.

      As an aside, we all love to hate Systemd - it's got very big and annoying. One of the things it wants to do is to run a local DNS resolver (and then fiddles with resolv.conf to make everything use it). Right now, that mostly just ends up talking to whatever you'd normally have put in resolv.conf, but one of the purposes of it was to be able to perform DNSSEC queries, thus making any piddly client on your computer DNSSEC aware. I haven't checked, but I'd imagine they could or will implement DoH too, so Firefox could end up using 127.0.0.1 as the DoH service, leaving systemd to work out the details after that. Of course, you'll need a suitably afflicted system for that to work, so I guess the initd holdouts will need to run Unbound or something to simulate the same.

      • The likes of Cloudflare and Google are the only games in town right now

        You're an idiot. There are multiple providers of encrypted DNS, including OpenNIC and DNSCrypt-proxy (which allows chaining DNS servers so even the DNS server doesn't know who made the request). Mozilla doesn't want to use those because they're building the framework for enabling them and Cloudflare to block access to domains that allow "wrongthink" on the Internet.

      • You don't need systemd. You can already get a DoH plugin for normal glibc.

      • systemd does a very nasty privacy violation: if a lookup fails, it is hard-baked into the code to send the request to 8.8.8.8, google's servers. This pretty much guarantees oppressive regimes can trace and find dissidents. NOT cool.
      • Comment removed based on user account deletion
      • by MeNeXT ( 200840 )

        So I'm a malicious ISP and I see this implementation by browsers. So I create a script that queries every IP that a client requests with a DoH request. If it's positive and an IP is returned I just block the IP and the client still gives me the data. This is what computers are most efficient at. Repetitive tasks.

        Meanwhile personal browsing habits of millions is aggregated to a few who already said that they will monetize the information as they have claimed they will.

        Malicious ISPs aren't affected and gener

        • by ftobin ( 48814 )

          So I create a script that queries every IP that a client requests with a DoH request.

          This doesn't make sense -- what do you mean by "queries every IP"? DoH works by making an HTTPS request with SNI. You don't even know the DoH URL.

          If it's positive and an IP is returned I just block the IP and the client still gives me the data.

          Gives what data?

    • DoH 'solves' the privacy issue by sharing all of your DNS

      But not quite all. It only "solves" requests made by the browsers that implemented it.

      I'm not opposed to DoH -- but the browser should really point at a local DNS cache; and that local DNS cache should be configured by the user.

      That local DNS cache should in turn either goes straight to the authoritative DNS servers for a domain (by default, which has pretty good privacy properties); or DNS over tor if you care about privacy.

      But in no scenario is sending all requests to Google a win for privacy.

      • Actually, resource-wise, everyone could just run their own DNS server. No forwarding, nothing.
        Given that it doesn't even register, CPU- and memory-wise, on a 1GB RAM first-gen Raspberry Pi clone.
        All that is missing is a ready-made package that even a clueless user can just install.

        Or, on Linux, a ready-made config directory to untar.

    • DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP.

      Chrome will only use DNS over TLS if you explicitly change your DNS provider to one of a whitelisted set. The one mentioned in Google's docs is Quad9 (9.9.9.9), which has no affiliation with Google, AFAICT.

      And why in the world would Google need to monitor your DNS traffic? If you're using Chrome, the browser already knows every site you visit; DNS lookups are irrelevant.

      • "And why in the world would Google need to monitor your DNS traffic?"

        Big Brother Google likes to watch.

        • "And why in the world would Google need to monitor your DNS traffic?"

          Big Brother Google likes to watch.

          Did you not read the sentence after the one you quoted?

          • It's not that Big Brother needs to watch your DNS. You're right, he doesn't, your browser is already fully snooped. It's that Big Brother _wants_ to watch your DNS. The same way the local drunk doesn't _need_ to drink another beer, but does anyway.

            • It's not that Big Brother needs to watch your DNS. You're right, he doesn't, your browser is already fully snooped. It's that Big Brother _wants_ to watch your DNS. The same way the local drunk doesn't _need_ to drink another beer, but does anyway.

              That makes no sense whatsoever. Even if we were to assume that Google is the sort of Big Brother you do (which I flatly deny, but will go with it for the hypothetical), there's no value in getting a subset of the data when you already have more of it from a better source.

    • by ftobin ( 48814 )

      You must think there are only two DoH providers out there. I use two that aren't in your list.

      Quad9: https://www.quad9.net/doh-quad... [quad9.net]
      Clean Browsing Security: https://cleanbrowsing.org/guid... [cleanbrowsing.org]

  • This is the wrong way to do DNS (at the app level). They are essentially selling your data to their corporate partners (Cloudflare). Firefox guys: you sold out. I hope you guys go out of business soon.

  • another sale of individuals data to me. This just makes sure those paying for the hook in Firefox get the traffic to save/sell if the feature is not disabled by the uninformed.

    Just my 2 cents ;)
  • by xack ( 5304745 ) on Tuesday February 25, 2020 @09:43AM (#59764672)
    They just kept making Chrome Clone after Chrome Clone instead of defending browser neutrality. Now, with Firefox under the hand of Cloudflare, Waterfox under system1 and Pale Moon blocking addons for political reasons, there is no one left.

    I hope you like browser dictatorships in the name of security, because you made your bed.
    • E.g. under Gentoo, patching is trivial.

      p=$(equery w firefox)             # path of the installed firefox ebuild
      ebuild $p prepare                 # unpack the source and apply the ebuild's own patches
      cd /var/tmp/portage/*/*/work/
      mv *firefox* a                    # a = pristine tree
      cp -a a b                         # b = working copy
      # now edit stuff in b
      mkdir -p /etc/portage/patches/firefox
      diff -u a b > /etc/portage/patches/firefox/remove-crap.patch   # user patch, picked up by the build
      ebuild $p clean
      emerge firefox
      # It will automatically pull in the patch, if I remembered this procedure correctly.

  • If you host your own DNS, here's a KB that Mozilla says should prevent your clients from using DoH. https://support.mozilla.org/en... [mozilla.org]
    • How would they know if I run my own?

      I AM my ISP!

      At least from the browser and OS and internal network users and router perspective.

      This is just lies.

      • Hey BAReFO0t. From what I gather in the link, Firefox will attempt to resolve the domain "use-application-dns.net" using the DNS server set on the device. If it can, it assumes DoH will work, and will use it. If it can't, it won't enable DoH. If you're running DNS on your own network, ensure that use-application-dns.net is unresolvable, and DoH should remain inactive.
        • by q4Fry ( 1322209 )

          I have a hard time understanding why "the DNS server set on the device" (probably the ISP) won't just make that special lookup unresolvable and continue selling your coarse browsing data.

          • Hi q4Fry. This technique is primarily for enterprises that need to configure large numbers of devices, but you can use it in home setups as well if you feel up to managing your own DNS server. For home users, you'll typically get the DNS server address from your router, where you also receive your IP address from. You can always change this yourself in the network settings on your device: https://www.windowscentral.com... [windowscentral.com] Much of the time, the DNS server address you get will be your router's IP address. Your r
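
The DoH exchange from the summary at the top of the page and the use-application-dns.net check from this subthread, worked as an added example that is not Firefox's or Mozilla's code: it builds the RFC 8484 query (GET form, base64url without padding), parses a wire-format answer, and applies the canary rule to constructed responses. The resolver URL is a placeholder, the addresses come from the 192.0.2.0/24 documentation range, and treating SERVFAIL and an empty NOERROR answer the same as NXDOMAIN is my reading of Mozilla's documentation, not something the thread states.

```python
"""DNS-over-HTTPS (RFC 8484) messages and the use-application-dns.net canary rule.
Added example, not Mozilla's or Firefox's code; every byte below is constructed."""
import base64
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
CANARY = "use-application-dns.net"


def encode_name(name: str) -> bytes:
    """Hostname -> DNS labels: one length byte per label, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query. RFC 8484 s4.1: ID 0, so equal questions give equal HTTP bodies."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)      # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url: str, wire: bytes) -> str:
    """GET form (RFC 8484 s6): ?dns=<base64url of the message with '=' padding removed>.
    The POST form sends the same bytes as the body with Content-Type application/dns-message."""
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name that may use RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                            # 2-byte pointer into the message
            if end is None:
                end = off + 2                                   # parsing resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Return (rcode, [(rtype, rdata), ...]) for the answer section of a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                         # skip the question section
        _, off = read_name(msg, off)
        off += 4                                                # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, answers


def answer_ipv4(msg: bytes) -> list[str]:
    """Dotted-quad strings for the A records in a response; empty on any error rcode."""
    rcode, answers = parse_response(msg)
    if rcode != RCODE_NOERROR:
        return []
    return [".".join(map(str, rd)) for rt, rd in answers if rt == TYPE_A and len(rd) == 4]


def canary_allows_doh(msg: bytes) -> bool:
    """The heuristic described in the thread: DoH stays off when the system resolver cannot
    resolve the canary. ASSUMPTION (my reading of Mozilla's documentation): NXDOMAIN, SERVFAIL
    and a NOERROR answer with no A/AAAA record all count as "cannot resolve"."""
    rcode, answers = parse_response(msg)
    if rcode != RCODE_NOERROR:
        return False
    return any(rt in (TYPE_A, TYPE_AAAA) for rt, _ in answers)


def make_response(name: str, rcode: int, a_records: list[bytes]) -> bytes:
    """Constructed response (not captured traffic): QR/RD/RA set, one A RR per 4-byte address."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(a_records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + ip
                   for ip in a_records)                        # \xc0\x0c -> name at offset 12
    return header + question + rrs


if __name__ == "__main__":
    # doh.example.invalid is a placeholder, not a real resolver.
    print(doh_get_url("https://doh.example.invalid/dns-query", build_query("example.com")))
    print(answer_ipv4(make_response("example.com", RCODE_NOERROR, [bytes([192, 0, 2, 10])])))
    for label, rc, recs in [("A record", RCODE_NOERROR, [bytes([192, 0, 2, 1])]),
                            ("NXDOMAIN", RCODE_NXDOMAIN, []),
                            ("SERVFAIL", RCODE_SERVFAIL, []),
                            ("NOERROR, empty", RCODE_NOERROR, [])]:
        enabled = canary_allows_doh(make_response(CANARY, rc, recs))
        print(f"canary {label:15} -> DoH enabled: {enabled}")
```

A resolver that returns NXDOMAIN for the canary (the local-zone trick the comment above describes) makes the last three cases the ones Firefox sees, so DoH stays off for that network.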
  • Why is the focus on DNS over HTTPS?

    It seems it'd make much more sense just to run DNS on a secure socket (just like HTTP or SMTP is currently done).

    What is the reasoning behind doing DNS over HTTPS but not SMTP?

    It seems messy and like it'll be a PITA in the long run.
    • Comment removed based on user account deletion
      • by MeNeXT ( 200840 )

        What are you talking about? At a lower level you will make an IP request to your ISP in order for them to request your HTTP/HTTPS DoH connection. Your ISP then sends a DoH request to the IP you requested and sees whether it's a DoH server and if it is, blocks the request. Your browser then sends the DNS request to your ISP. Nothing gained here except where the ISP is not malicious. The malicious actors here are the Browsers which will monetize this information with the DoH providers. That is why they make

    • It's way harder for an oppressive regime or a data-hoarding ISP to block, for one. Can't really block access to 445 while it would be trivially easy to enforce the use of your "official" DNS server and block whatever secure one is being run at a non-sanctioned port.

      And if it's done over HTTPS, even deep-packet inspection won't be able to identify that you're trying to resolve something that whoever controls your connection doesn't want you to resolve.

      • 443. Sorry. It's time to shut down for today. Can you tell I spent way too much time today hunting down ancient SMB implementations?

      • Re: (Score:2, Informative)

        by MeNeXT ( 200840 )

        It's way harder for an oppressive regime or a data-hoarding ISP to block, for one.

        You have to give your ISP an IP address no matter what connection you wish to establish. Your ISP makes a DoH request to the IP you provided. If a positive response is received the ISP blocks the IP. Your DoH solution was simply disabled by the malicious ISP that you are trying to protect yourself from.

        When the ISP is not malicious and doesn't collect your data your browser just ensured that your data can now be monetized by the worst offenders. All this with the protection of HTTPS.

        The hens sleep well at n

        • Fortunately our governments usually know jack shit about the internet and mostly use DNS blocking these days. Not to mention that IP blocking is kinda useless in the times of cloud computing. What do you want to block, AWS?

    • by geek ( 5680 )

      Why is the focus on DNS over HTTPS?

      It seems it'd make much more sense just to run DNS on a secure socket (just like HTTP or SMTP is currently done).

      What is the reasoning behind doing DNS over HTTPS but not SMTP?

      It seems messy and like it'll be a PITA in the long run.

      Because no one port blocks 443. If you stick it on its own port everyone can easily block it. It's why so many people choose to run SSH over 443 also.

    • There is already a hack for DNS-over-SMTP. There was no hack for DNS-over-HTTP. Next they will have DNS-over-AvianCarriers because, well, you can. Note that there is also a setting to enable DNS-over-Telegram (the old morse code longwire telegram, not the new fangled shit that goes by the same name).

  • I don't need Mozilla to spy on me!

    I run a DNS server at home, and on my server, which everyone of my friends and clients can use.

    This shit deliberately circumvents that, and even leaks internal network structures through VPNs, TOR, everything!

    And now we have a single point of failure. Guess where every state and corporation and other evildoer will go to grab my metadata!

    No fuckin thanks, you self-centered, ego-inflated, condescending assholes!

  • In other words, they are deliberately breaking any/all DNS-based adblocking and content filtering. So much for OpenDNS protecting my kids from pr0n or malware or etc., and no more pfblockerNG or pihole adblock filtering.

    • What money? None of those people are paying them. Following the money lens following me, not making up random shit. And if you don't like it, use normal dns instead. Such a storm in a teacup

      • You have no idea what quid-pro-quos exist between Mozilla and the services they funnel their browser users into by default.
        None.
        They have given nobody, anywhere, any reason to think there isn't such a quid-pro-quo, because they have a track history of doing exactly that.

        The storm-in-a-teacup is over it being the default.
        To those who reasonably distrust the Mozilla Corporation's motives, this is them showing their hand.
        It's no storm in a teacup. This is a real issue with a lot of people.
        • They have given nobody, anywhere, any reason to think there isn't such a quid-pro-quo, because they have a track history of doing exactly that.

          [citation needed]

          • Really? Have you lived under a rock?

            Mozilla's business model is to sell their default parameters to people interested in their user base's behavior. [zdnet.com]
            I almost have to wonder if you're trolling, or if you legitimately did not know that.
            • I think I can see the comparison you're making between a default search provider and defaulting DNS to be funneled to another company by default which is probably interested in your browsing habits. Not that our ISPs aren't also interested in that data. But I didn't distinctly get the impression of anything evil happening by changing one default search to another. Except that I might have preferred seeing one that is supposed to be less of a stalker, like Duck Duck Go maybe.

              I'm sure it's not an entirely

              • Not that our ISPs aren't also interested in that data.

                I'm the senior network engineer at a large regional ISP.
                We're not interested in that data. At all.
                I care about networks you're going to, and I get that from the layer-3 headers of your traffic, not your DNS queries.
                Though, having access to your live DNS queries cuts support call times by over half, I'd estimate. So that's going to be awesome for our front-line support personnel.
                (Currently, over half of support calls are internal problems that can generally be located quickly simply by seeing if the custom

                • I'm the senior network engineer at a large regional ISP.
                  We're not interested in that data. At all.
                  I care about networks you're going to, and I get that from the layer-3 headers of your traffic, not your DNS queries.
                  Though, having access to your live DNS queries cuts support call times by over half, I'd estimate. So that's going to be awesome for our front-line support personnel.
                  (Currently, over half of support calls are internal problems that can generally be located quickly simply by seeing if the customer is hitting our resolver)

                  Perhaps I used too strong wording, and should have said that I assumed ISPs had an interest in the data. I mean, I can certainly understand and appreciate from a diagnostic point of view how this could be useful in a way that directly benefits the user.

                  My opinion stems from work I did as a contractor (well an employee of a company that contracted out to communications providers) to help build platforms on top of IPTV middle-ware. And while quite a bit different than DNS queries, we were at one point contr

                  • Regarding the IPTV stuff, I mean... Everyone is in the business of monetizing as much information about you as they can.
                    The big ISPs may be in that business too. I don't know.
                    All I do know, is that we are not, nor were any of the 6 other ISPs we purchased.
                    The board would have a very difficult time pushing that through me (and those below me if I capitulated) without a revolt.
                    Furthermore, I just don't think they'd do it. That's not our business, and it's frankly not something we want to have to throw in
                    • For what it's worth as a random guy on the internet, I think you are a good actor.
I happen to be Canadian, and ISPs, our choices, how much we spend, etc. largely depend on prices agreed upon by the big three. (For some reason not touched by our collusion laws.)
                      My story, though, was for a large ISP in the southwestern US, not Canada, but we deal with similar shit here.
                      It's enough for me to know good actors exist in large corporations, it's never the big ISP that has my back, it's the folk I deal with.
                      I ap

• Is how the hell do they plan to enable it by default? Are they going to reach into every Firefox install and change the configuration? Without permission?

    This seems to be far more problematic than just using the Homer Simpson protocol. It will be interesting to see this work given that I have specifically disabled the Homer Simpson protocol *AND* the ability for Mozilla to do remote-fuckery with my computer. I guess we shall see what happens ...

    • Is how the hell do they plan to enable it by default?

      By changing what the defaults are in the next version. If you install or update to a new version of Firefox then you'll have whatever defaults are built into that version. If you don't then you will continue to use the old version with its old defaults.

Are they going to reach into every Firefox install and change the configuration? Without permission?

      No, they are not going to remotely change configurations. This is only about defaults. If you chose not to use DoH then you will continue to not use it.

• Good step for privacy, but Cloudflare is a US-based company. Like every other US-based IT company (or Chinese, for that matter), they would have no choice but to hand over their data and/or put in a backdoor for the US government on request (and it could all be hidden behind a National Security Letter). Does the FF implementation allow users to easily point to whatever DoH server they want/trust?
    • Of course. But they can also change what you have set on a whim and change whatever setting they want to whatever their little hearts and pocketbooks desire. You can, of course, disable this "remote-management", at least in theory. It is called "app.normandy.enabled" and the default is true. You can set it to false and then Mozilla cannot fuck with your settings via remote control.

  • Well, that totally screws any organization that uses internal / external DNS views.

Also makes data exfiltration via DNS much, much easier -- the bad guys thank you, Mozilla!

  • If the feds get to decide only websites that support their politics get to be online it's game over for the internet.

    Is that the direction this is going?

    If you don't think that's possible consider that the IRS was auditing people based on their political views in the last administration, and the FBI was spying on and trying to stop opposition to the current party in the 2016 election.
  • I will continue to use my provider's DNS - keep that tracking all-in-the-family thanks.

    Why do I want a third party to see all my DNS requests? No thank you. Who actually trusts cloudflare? Please keep DNS services spread around multiple companies. Sounds like a DNS take over attempt to me.

    Hell at this point why not just give us all dumb terminals and go back to the massive mainframes so that all the data companies can just pull your data from there in real time?
  • Don't know how the impending update will change things (especially value 0), but here are the current "user.js" additions to control this:

    // Control DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR).
    // https://blog.nightly.mozilla.o... [mozilla.org]
    // https://wiki.mozilla.org/Trust... [mozilla.org]
    // 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
    // 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.

    user_pref("network.trr.mode", 5);

  • Side effect (Score:5, Informative)

    by vanyel ( 28049 ) on Tuesday February 25, 2020 @02:14PM (#59765808) Journal

    We discovered a minor side effect of DNS over HTTPS: host file overrides no longer work. We believe it's because the resolver is now in the browser and no longer uses the system resolver. IMHO, it's a bug in the DoH implementation that should be fixed.

    • by kalpol ( 714519 )
No, that's exactly what they want to do. Unless I missed the implied sarcasm in your post.
      • by vanyel ( 28049 )

        I can think of reasons why they would want to do that, but it was very puzzling when we were trying to do some testing

  • "Since our work on DoH began, many browsers have joined in announcing their plans to support DoH"

    Mozilla is alone in this scheme to override local DNS resolvers without regard for source and direct all traffic to a different provider. No other browser vendor is doing this. Not even Google.

    They are intentionally trying to confuse the issue by leading people to assume some kind of equivalence where absolutely none exist.

  • It follows a year-long effort to test the new security feature, which claims to make browsing the web more secure and private.

    FTFY.

    Meanwhile, in the real world:

    • This is going to provide a marketable stream of user behaviour data to a select few DoH resolvers like Cloudflare.
    • It won't stop ISPs monitoring or even blocking the web sites that you visit because they can still see the domains you're requesting in the unencrypted SNI (Server Name Indication) portion of your TLS Client Hello packets.
    • Mozilla has backdoored its own DoH implementation by providing a Canary domain - use-application-dns.net [mozilla.org] which will allow ISPs to disable DoH
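The SNI point in the second bullet, made concrete: an added example (not from the comment above or from Mozilla) that builds a sample TLS 1.2 ClientHello for a constructed hostname and then reads the host name back out of the cleartext server_name extension, which is what an on-path observer or a network sensor sees whether or not the DNS lookup went over DoH.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is
    server_name (SNI). Constructed sample input, not captured traffic."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # ext type 0 = server_name
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x00" * 32                               # random (zeroed in the sample)
        + b"\x00"                                    # session_id length: 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None if the bytes are not a ClientHello or carry no SNI.
    Walks the cleartext fields the way a passive network sensor would."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake/client_hello
    hs = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + hs[pos]                           # session_id
        pos += 2 + struct.unpack_from("!H", hs, pos)[0]   # cipher_suites
        pos += 1 + hs[pos]                           # compression_methods
        end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            if ext_type == 0:                        # server_name extension
                p, list_end = pos + 2, pos + 2 + struct.unpack_from("!H", hs, pos)[0]
                while p + 3 <= list_end:
                    name_type, name_len = hs[p], struct.unpack_from("!H", hs, p + 1)[0]
                    if name_type == 0:
                        return hs[p + 3:p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                  # truncated or malformed record
    return None                                      # no SNI present
```

A monitoring pipeline that only inspects the first client record of each TCP session gets the destination name this way, which is why a DoH resolver alone does not hide browsing destinations from the network path.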
  • by Fly Swatter ( 30498 ) on Tuesday February 25, 2020 @05:14PM (#59766424) Homepage
    If your app can't be bothered to use the standard OS resolver I can't be bothered using your app. If it is so important then get this feature into the OS and make all DNS servers compatible.
    • by ftobin ( 48814 )

      What makes you think Firefox can't use the standard OS resolver?

      The feature is important. As to why it's not in the OS, why don't you ask the glibc people how difficult it would be to put it into the stack or why they didn't do it yet, instead of making the perfect the enemy of the good.
