Firefox now defaults to DNS-over-HTTPS for US netizens and some are dischuffed about this

Mozilla has started rolling out encrypted DNS-over-HTTPS (DoH) by default for US users of the nonprofit's Firefox browser. DoH encrypts DNS (Domain Name System) traffic, which has both security and privacy benefits, though use of the DoH protocol itself is not the only issue here. The other question is, whose server do you use …

  1. JohnFen Silver badge

    Good and bad

    I object to DoH for security reasons.

    While it certainly does increase security in one way, it does so at the cost of security from other directions. Given that it is possible to obtain the security benefits of DoH in other ways that don't bring a security hit with them, this seems like an unnecessary compromise to me.

    1. big_D Silver badge

      Re: Good and bad

      Agreed. I use a local (to my network) DNS server which connects upstream to a main DNS server using DNS over TLS (same security as DNS over HTTPS, just using the standard DNS protocol) and DNSSEC.

      That then covers all services and all devices on the network.

      It makes trouble shooting much easier. If the browser stops working, you can use other tools to check the network connection and they respond in the same way.

      I also have around 2.5 million tracking, malvertising and malware websites blocked by my DNS server. I don't want the browser ignoring that.

      If I am out-and-about

      1. Anonymous Coward

        Re: Good and bad

        I don't understand why DNS over TLS isn't being pushed as the way to go. It seems like a far more sensible way to go, but seems to be pretty much ignored.

        1. big_D Silver badge

          Re: Good and bad

          Because the browser already does HTTPS... Implementing DNS in the browser is a hard science problem. ;-)

          They should be promoting the use of DNS over TLS and helping users set their machines / networks up to do that.

          1. EnviableOne Silver badge

            Re: Good and bad

            DNS is not the browser's job, HTTP is.

            DNS is a network function, best handled by the network stack, not the browser.

            DNS over TLS or DoT (RFC 7858) is the better protocol for this

            Google just want to use DoH so they can get the data on what you are resolving

            1. teknopaul Silver badge

              Re: Good and bad

              Google don't care because they already know.

              No matter how you resolve IPs, Chrome has plaintext everything.

            2. big_D Silver badge

              Re: Good and bad

              Yes. That is my point. If they want to do something to help users, they should be helping them learn how DNS works and to secure their networks. Instead, Google are breaking DNS in a way that cuts other data gobblers out of the equation and allows them to get all the information on a connection.

              Firefox are going half-way and providing a, theoretically, independent DNS provider, who won't log your lookups.

            3. phuzz Silver badge

              Re: Good and bad

              "Google just want to use DoH so they can get the data on what you are resolving"

              If that's true, why haven't they enabled it in Chrome? (It's only available in Firefox so far).

              Why haven't they set up a DoH host? (Firefox are using Cloudflare so far).

              At least try to remember which companies you're ranting about.

        2. A.P. Veening Silver badge

          Re: Good and bad

          I don't understand why DNS over TLS isn't being pushed as the way to go. It seems like a far more sensible way to go, but seems to be pretty-much ignored

          Because the OS builders didn't get behind it; DNS resolving isn't a browser function but a network/OS function. For lack of DoT, DoH was developed.

    2. popetackler

      Re: Good and bad

      You can't make a sweeping comment like:

      "it does so at the cost of security from other directions."

      and not give examples.

      Well you can because you did. But you shouldn't.

      1. Tigra 07 Silver badge
        Trollface

        Re: Good and bad

        You can't start a sentence with the word "but". Thousands of Junior school teachers are currently screaming into their hands.

        1. A.P. Veening Silver badge
          Trollface

          Re: Good and bad

          You can't start a sentence with the word "but". Thousands of Junior school teachers are currently screaming into their hands.

          But I don't care

        2. onebignerd

          Re: Good and bad

          Ah, yes you can.

          Famous and respected writers have been starting sentences with "but" and "and" for hundreds of years. There are limits on use and hazards in overuse, but there is no hard rule. It depends on style.

    3. Anonymous Coward

      Re: Good and bad

      I disagree on so many levels. First off, your DNS config has always been forced on you (unless you're a technical person) by your ISP since the days of dial-up. Nobody objected to ISPs forcing *their* DNS service on their users.

      Also, DoH protects people where they need it the most. Public WiFi.

      Chrome's approach seems sensible, but it's unlikely your ISP will switch on DoH as they will receive considerable pressure from Gov, Law enforcement etc.

      1. Carpet Deal 'em Bronze badge
        FAIL

        Re: Good and bad

        DHCP picks up a default DNS server, but that's not even in the same league as an application picking its own server in defiance of system configuration. If I do, for some reason, change my system DNS configuration, I damn well expect all applications on the system to honor it, not to have to chase down any and everything that can access the internet and hope I can change its configuration to match.

        There's simply no justification for Mozilla's behavior - period.

        1. SuperFrog
          Coffee/keyboard

          Re: Good and bad

          I get this in one sense that the OS should be the ultimate arbitrator of what happens on the system. You want to 'know everything' that goes on in a modern OS preventing data leaks etc.

          But we have had many applications that have gone around system configs. I'm thinking my VPN application here changes my network settings to make VPN work. What about Outlook and O365 probably does some things that make that service work. I think Cisco even sells this service for OpenDNS. I don't think this is really a big deal really.

          1. Carpet Deal 'em Bronze badge

            Re: Good and bad

            A VPN makes explicit, system-wide adjustments - it's got nothing to do with an application ignoring system settings. The rest of your post is just flailing to try and distract from an application's misbehavior.

      2. Captain Scarlet Silver badge
        Childcatcher

        Re: Good and bad

        I have to point out that you pay the ISP for internet service, a part of this service is DNS which the majority of home users won't know how to change (other bolt-ons such as email addresses and web hosting these days are less important).

        I have no issue with this, I have an issue on supplied routers not letting you change DNS Settings especially if you pay for the router (Looking at you BT).

  2. msknight

    Thank goodness we can turn it off...

    ...otherwise how would we resolve internal DNS queries for our own machines.

    1. the spectacularly refined chap

      Re: Thank goodness we can turn it off...

      They've been breaking it for years, if I enter n1a in the address bar I want to go to that host. I don't want to search for it - that is what a search bar is for. I certainly don't want you to try n1a.com and similar before you go to where I told you.

      Just do what I damn well tell you. I'm fed up of browser vendors making arbitrary decisions about what is in my interests.

      1. overunder Silver badge

        Re: Thank goodness we can turn it off...

        " ..if I enter n1a in the address bar I want to go to that host"

        .com? .net? .org? I'm sorry, but the internet is bigger than your Google Chrome (not that Cloudflare would argue with your vision).

        1. KSM-AZ
          FAIL

          Re: Thank goodness we can turn it off...

          No I want n1a, or maybe fred, wilma or barney, resolved by my dns server, or perhaps from my /etc/hosts file. I don't want to go to the effing internet, I want to go to the machine downstairs on the third floor called betty. If I want to search for something on the "BIGGER THAN ME" internet, I will perform a search, not type n1a in my F*CKING ADDRESS BAR WHERE YOU PUT A F*CKING ADDRESS NOT A SEARCH TERM. I'm not searching for nude pictures of Betty White, I have a machine called betty which I can happily 'ssh betty' to, but when I want to just go to betty's stupid apache server, I have to type in http://betty/, and I have a 50/50 chance I will get those nude pictures.

          AAAAAAAARRRRRRRGGGGGGGHHHHHHHHH!!!!!!!

          1. Phil O'Sophical Silver badge

            Re: Thank goodness we can turn it off...

            Go to about:config and set keyword.enabled to false. Seemed to fix it for me.

            1. Rich 2 Silver badge

              Re: Thank goodness we can turn it off...

              You're welcome to have an upvote, but it does piss me off that basic settings like this are hidden away in about:config

              1. teknopaul Silver badge

                Re: Thank goodness we can turn it off...

                This bizniz of default to internet search, which happens to be where Mozilla get their money from, is telling. If they really cared about privacy they would not send data to a search engine by default.

                All dns to cloudflare is a shocking default.

                Anyone ever been hit by a DNS hijack problem in the real world? Personally I have only been hit by the reverse, Firefox going to somewhere I did not type and passing a whole URL of private data with it.

        2. big_D Silver badge

          Re: Thank goodness we can turn it off...

          And my network is smaller than the Internet and the Internet DNS servers don't know anything about it.

          n1a is a server on the local network, that the local DNS resolves. No need for the browser to go to Google or to use DoH, because it won't find it!

          If I ping it, it translates to a local IP address, if I enter it into the browser, the browser ignores the DNS lookup and goes straight to Google/DuckDuckGo/whatever. You can override it with "n1a/", but most people generally forget the first time.

        3. Robert Grant Silver badge

          Re: Thank goodness we can turn it off...

          .com? .net? .org? I'm sorry, but the internet is bigger than your Google Chrome (not that Cloudflare would argue with your vision).

          That's exactly the point being made: the browser currently guesses; it shouldn't.

      2. eldakka Silver badge

        Re: Thank goodness we can turn it off...

        I also detest searches from the address bar, however most browsers (including Chrome) allow you to turn off address bar searches, which is what I do.

      3. disgustedoftunbridgewells Silver badge

        Re: Thank goodness we can turn it off...

        It annoys me that Chrome does the same with whatever.local

        You'd assume they'd have an exception for the .local tld.

        1. cybersaur

          Re: Thank goodness we can turn it off...

          You shouldn't be using .local anymore anyway. Best practice these days is to use a domain name you have purchased exclusively for your internal network (without using it for anything hosted on the Internet).

          1. Anonymous Coward

            Re: Thank goodness we can turn it off...

            In case you don't want to use your own domain, the recommended suffix is .home.arpa. See RFC 8375

          2. disgustedoftunbridgewells Silver badge

            Re: Thank goodness we can turn it off...

            Not even ICANN will sell off .local.

      4. bpfh Silver badge

        Re: Thank goodness we can turn it off...

        Except most browsers have a multipurpose search & address bar and have done for years, and it will second-guess you unless you add a protocol such as http://n1a; then generally it will realise that you want to go to that host and not look it up in $SEARCH_ENGINE.

        I will admit, mixing the search and address bars is a great boon to the general public, but I've mostly found it to be a pain :( Oh, and get off my lawn!

        1. teknopaul Silver badge

          Re: Thank goodness we can turn it off...

          It's a massive security hole too.

          Sending localhst8080?username=bob&passwodr=whatever

          to a search engine.

          I disable the irritatingly named "awesome bar" always.

          1. CBM

            Re: Thank goodness we can turn it off...

            I think after you put a password in a URL parameter, where it will be immortalized in history, access logs, etc, everything else is minor league.

    2. rg287 Silver badge

      Re: Thank goodness we can turn it off...

      Quite.

      As always there are multiple correct answers here. Just as the anonymity argument on social media swings between "But trolls" and "But political activists operating in fear of their lives" or just people separating their online and professional persona (e.g. The Secret Barrister) so it is with the case for DoT/DoH.

      DoH is excellent for not only securing your DNS but obfuscating it as general HTTPS traffic. It also bypasses possibly-compromised DHCP settings (though if the authorities are on your device it's already game over). For some people that's genuinely of interest and value.

      But for general usage, the Browser is categorically the wrong place to be doing DNS. It makes the crucial assumption that you don't want to connect to LAN domains or use anything that your system might otherwise know about. Worse yet, Firefox's implementation allows you to specify only one "Trusted provider". When Cloudflare fell over last year, there was no way - other than manually changing your settings - to say "Yes, use NextDNS if Cloudflare is unavailable" resulting in resolution failures for everyone using it. What sort of fragile implementation doesn't allow for failover?

      Of course there's a security argument there as well, but if you only trust one provider, you can just specify one provider. Those who prefer reliability can specify two.

      Compare this to System-level DNS Resolvers - W10 lets you set a Primary/Secondary, macOS lets you set an arbitrary number in preferred order. Linux likewise.

      1. TonyJ Silver badge

        Re: Thank goodness we can turn it off...

        "... W10 lets you set a Primary/Secondary..."

        Win 10 lets you set any number, under advanced settings of the properties of the protocol.

        Windows has done this since at least XP.

        Granted, it's not in the most obvious place, but at least this one they've kept consistent through versions of OS (so far!)

        1. A.P. Veening Silver badge

          Re: Thank goodness we can turn it off...

          but at least this one they've kept consistent through versions of OS (so far!)

          Please don't even give them the idea of possibly changing it (and you just did :( ).

          1. TonyJ Silver badge

            Re: Thank goodness we can turn it off...

            Ah come on...! You can't blame me! Once they're done dicking around with everything else, they are going to get to it eventually....

  3. Anonymous Coward
    Big Brother

    If the IWF were a bit more accountable and transparent I'd be a lot less wary of them.

    1. Yet Another Anonymous coward Silver badge

      The IWF protects us from terrorists.

      Therefore only terrorists would object to the IWF

  4. Nunyabiznes Silver badge

    Bruce Schneier

    Seems to think it is a good idea.

    https://www.schneier.com/blog/archives/2020/02/firefox_enables.html

    There are some good arguments in the comments about why it is a bad idea, though. Like most complex technical issues, I think there will be advantages and disadvantages depending on whether you are a non-technical user or someone who wants/needs finer control of their systems.

    1. LDS Silver badge

      Re: Bruce Schneier

      I'm afraid it does allow fingerprinting, something that is far more difficult with plain DNS behind a NAT; there is too little information in the latter to be of much use.

      But an HTTP call can contain a lot of user information that can be used for fingerprinting.

      What does it mean that they delete data after 24h and keep only aggregate data? That's enough time to extract any useful information. I'm sure they don't sell the data; they will just sell the use of it.

      They should forget them the moment they send back a reply.

      1. sabroni Silver badge

        Re: They should forget them the moment they send back a reply.

        But what's in it for them? How do you monetise DNS resolution?

        1. Wibble

          Re: They should forget them the moment they send back a reply.

          Bastard Telecom sets their shitty "search engine" as the default for unresolved DNS queries. They only ever do anything if there's money in it for them.

          1. TonyJ Silver badge

            Re: They should forget them the moment they send back a reply.

            About a decade or so ago, when fibre first appeared for us, BT were the only operator providing the service (I had been refreshing the availability page and it went from a few weeks away to available!), so if I wanted fibre it was them or wait.

            Being impatient and tired of my 3.5Mb (at best, on a good day), I signed up.

            It didn't matter what you set your DNS servers to, BT forwarded all the traffic to their own.

            Do they still do this, does anyone know?

  5. This post has been deleted by a moderator

    1. Kabukiwookie Silver badge

      Re: You can disable

      You can disable it.

      For now.

      1. JakeMS

        Re: You can disable

        Firefox has a fairly decent policy json system useful for licking down Firefox in a business environment (for example, completely disabling access to about:config, or disabling Firefox sync etc).

        Hopefully they add this to that policy, and if not trusty old mozilla.cfg with lockPref will do the trick.

        I'll be disabling this one, I'm a naughty admin* who has an internal VPN running on all systems which hijacks DNS queries to change the IP of some VPN enabled servers (From a public IP to a local VPN 10.* IP), thus changing the access level.

        Sadly this will bork access if you don't let me control the DNS servers system wide.

        * Yes a hosts file can do this, but ain't nobody got time to set a host file on every VPN client.

        1. This post has been deleted by a moderator

          1. Peter 26

            Re: You can disable

            How would that work? Surely it's hard coded to use 1.1.1.1? In general you don't use DNS to look up a DNS server, although it theoretically would be possible in this case.

            1. rg287 Silver badge

              Re: You can disable

              Technically Cloudflare's DoH endpoint is at <https://cloudflare-dns.com/dns-query>

              Obviously this requires that you have a config file with the IPs for that domain to bootstrap the service (just as a full resolver has a Root Hints file to bootstrap the service).

              Using a domain is done because although it's perfectly possible to have a TLS Cert for an IP address, it's poor form and CAs aren't supposed to issue such things. As a result it's better for the resolver to be calling a FQDN (though CF, being their own CA could generate one - and I seem to recall reading that they might have by now).

        2. eldakka Silver badge
          Coat

          Re: You can disable

          Firefox has a fairly decent policy json system useful for licking down Firefox

          I'm not putting my tongue anywhere near that ...

    2. JohnFen Silver badge

      Re: You can disable

      But disabling it will not stop applications and web sites from using it anyway (they would just do the DoH lookup directly rather than relying on the browser/system to do it). That's the major problem with DoH -- it will affect you whether or not you allow your browser to use it.

      1. This post has been deleted by a moderator

        1. Scramworks

          Re: You can disable

          RPZ2IOC do a DoH RPZ list I think, as do infoblox and there's one here as well:

          https://articles.scramworks.net/2019/06/doh-no/

          Redirecting the DoH addresses to a logging HTTPS server is quite fun to spot if anything is trying to use DoH without permission ( as some apps do ).
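Two defender-side checks along the lines of that comment, as an added example that is not from the post or from any of the products it names: scanning resolver query logs for the hostname lookups a DoH client makes to bootstrap itself, and emitting an RPZ zone that returns NXDOMAIN for those names. The log format and log lines are constructed, the hostname list is an assumed starter set, and the Mozilla canary domain use-application-dns.net is a documented Firefox mechanism rather than something from the thread.

```python
"""Added example: detecting and policing DoH bootstrap lookups on a
network you manage.  (1) scan_log() flags clients that resolve the
hostnames DoH resolvers are reached through, which is how an application
using DoH without permission first shows up in resolver logs.  (2)
rpz_zone() builds a Response Policy Zone answering those names with
NXDOMAIN.  Caveat: this only removes the bootstrap path; a client with the
resolver IP hard-coded needs the redirect-to-logging-server approach
described in the comment above.  All data here is constructed."""
from collections import Counter
from typing import Optional

# Hostnames well-known DoH resolvers are reached through (assumed starter list).
DOH_RESOLVER_NAMES = {
    "cloudflare-dns.com",          # endpoint named in the thread
    "mozilla.cloudflare-dns.com",  # Firefox's default trusted resolver
    "dns.google",
    "dns.quad9.net",
}
# Mozilla's documented canary domain: Firefox with DoH enabled looks this
# up first, so the lookup itself is a signal before any DoH traffic flows.
FIREFOX_CANARY = "use-application-dns.net"

def matches_suffix(qname: str, name: str) -> bool:
    """True if qname equals name or is a subdomain of it (case-insensitive)."""
    q = qname.rstrip(".").lower()
    n = name.lower()
    return q == n or q.endswith("." + n)

def classify(qname: str) -> Optional[str]:
    """Reason string if qname is a DoH bootstrap lookup, else None.
    Longest name first so mozilla.cloudflare-dns.com beats cloudflare-dns.com."""
    if matches_suffix(qname, FIREFOX_CANARY):
        return "firefox-doh-canary"
    for name in sorted(DOH_RESOLVER_NAMES, key=len, reverse=True):
        if matches_suffix(qname, name):
            return f"doh-resolver:{name}"
    return None

def scan_log(lines):
    """Parse constructed query-log lines "<ts> <client> <qname> <qtype>".
    Returns (findings, per_client): findings is a list of
    (timestamp, client, qname, reason); per_client counts hits per source."""
    findings = []
    per_client = Counter()
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, _qtype = parts[:4]
        reason = classify(qname)
        if reason:
            findings.append((ts, client, qname, reason))
            per_client[client] += 1
    return findings, per_client

def rpz_zone(names=None, disable_firefox_doh: bool = True, ttl: int = 300) -> str:
    """Minimal RPZ zone text: 'CNAME .' answers NXDOMAIN for the name and
    its subdomains.  With disable_firefox_doh the canary is included too;
    an NXDOMAIN for it is the documented way to tell Firefox to turn DoH off."""
    blocked = set(DOH_RESOLVER_NAMES if names is None else names)
    if disable_firefox_doh:
        blocked.add(FIREFOX_CANARY)
    lines = [
        f"$TTL {ttl}",
        "@ IN SOA localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )",
        "@ IN NS localhost.",
    ]
    for name in sorted(blocked):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n"

SAMPLE_LOG = [  # constructed log lines, not real traffic
    "2020-02-26T09:00:01Z 10.0.0.12 use-application-dns.net A",
    "2020-02-26T09:00:02Z 10.0.0.12 mozilla.cloudflare-dns.com A",
    "2020-02-26T09:00:03Z 10.0.0.12 theregister.co.uk A",
    "2020-02-26T09:00:05Z 10.0.0.40 DNS.GOOGLE AAAA",
    "2020-02-26T09:00:06Z 10.0.0.40 n1a A",
    "garbage line",
]

if __name__ == "__main__":
    hits, clients = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(dict(clients))
    print(rpz_zone())
```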

  6. Anonymous Coward

    Google also has plans to roll out DoH in Chrome, but with an important difference. It will only use DoH if the configured DNS server supports it, saying: "This would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged."

    Right, so if I want to run a DoH server but don't want to expose UDP 53 (i.e. a "normal" resolver), Chrome's just not going to bother? Bit of a non-starter then.

  7. Baldrickk Silver badge

    I'm of the opinion that encrypted DNS of some form is a benefit, but at the same time, that centralisation reduces the redundancy needed for the web to remain stable as a whole, and the free choice of those using it.

    The answer would seem to be to have more DoH providers.

    1. Snake Silver badge

      Quite

      Precisely. We'd all like more freedom of choice plus more security combined together, but the DNS providers seem to be dragging their feet on this. IMHO Mozilla has done the best that they can, provide DoH, using the few known, and trusted, DoH providers that currently exist.

      Mozilla's choice is hopefully forcing the hand of the DNS system to finally step up and provide a larger number of alternatives, by implementing DoH across more of their infrastructure.

      The problem with Google's "We'll use it if it is available" mantra is that there is no impetus for the DNS providers to actually create that functionality, as it is optional. If history proves anything, never give mediocrity as a 'reasonable' choice because that's exactly what you'll end up with.

      1. This post has been deleted by a moderator

      2. Baldrickk Silver badge

        Re: "We'll use it if it is available" mantra

        Sounds like IPv6 support XD

    2. John Robson Silver badge

      Doesn't reduce the redundancy... in fact Cloudflare is probably running *more* redundancy than your ISP DNS...

      1. hellwig

        Agreed. The point of distributed DNS is to prevent a single source from being overloaded. Cloudflare's whole business model is distribution and redundancy.

        Unless you have local domains to resolve (if working for a corporation, browser configuration should be locked by IT policy anyway), why would you ever need your own copy of the DNS registry? It's not like there are allowed to be different public DNS registries, the entire internet would just burn in the resulting chaos (as happens occasionally when a major DNS power screws up).

        The only problem with a single source like Cloudflare would be if we didn't trust Cloudflare to show us the page we wanted. It sounds like Cloudflare, being a "trusted recursive resolver", is willing to be open enough to show this isn't really a concern.

        I'm much more worried about what my ISP is choosing to do with its man-in-the-middle status.

        1. Nate Amsden

          The problem is centralization. If your ISP's DNS goes down it only affects the ISP's customers.

          https://www.theregister.co.uk/2019/07/02/cloudflare_down/

          Cloudflare has had a good chunk of outages over the years. Or at least their outages make news here more often than most any other CDN provider I can recall by a large margin, I haven't tried to get stats so my impression may be incorrect.

          Having DNS ride on top of HTTPS makes things worse outage wise I'd expect as that is a pretty common data path. Cloudflare's CPU flare up last year I don't believe had any impact on their regular UDP/53 DNS hosting services (I was in talks with them at around that time to use them as a DNS provider).

          I've run my own DNS both recursive(internal) as well as authoritative for my domains(external) since about 1998.

          I'd be more open to DNS over HTTPS if there was actually a number of resolvers people could run on their own equipment. Last I checked I haven't seen any (one recent forum thread on the topic here someone pointed me to a product but it ended up being a simple proxy to an already existing DoH provider, not capable of serving DoH from say a local BIND installation).

          Perhaps that situation has changed in recent months I am not sure.

          I do fear the number of end user issues encountered as a result of split DNS on VPN systems where resolving some host externally results in a different address than internally and that behavior being intentional. I did something like this to block access to vulnerable CMS systems several years ago; if you tried to access them externally they hit an address where the load balancer inspected the rule and only allowed very specific URL patterns through, if you wanted to manage the CMS you had to be on VPN. If you tried to manage from outside you got a big warning page saying you needed to be on VPN.

          Another similar situation recently where I adjusted internal DNS during an extended outage so that users on VPN could connect to the application, and users on the internet would get a maintenance page. An alternative solution would have been to use host file entries for internal users but that is even more complicated. In fact I had to help one user deal with their host file entries from another similar event 2+ years ago that they never removed which was interfering with the new host file entries they were trying to use (tried to resort to host file entries for that user after all attempts to use DNS failed, only later did they disclose they had other host file entries already in place that were obsolete, so I just had them remove them all).

          I'd wager in both of these cases Firefox's (and probably soon Chrome's and others) behavior will cause problems. The article mentions being able to push a policy, well good luck with that outside of very tightly controlled orgs (I've never worked at such an org in my 22 year career). Just another annoying thing to have to keep in mind when a user has a DNS related issue.

          Already complex enough to try to get users to clear their DNS cache and/or browser dns cache/restart browser to get around DNS caching problems this will just make it much worse.

          Oh well, pales in comparison to the headache that will be the new SSL expiry issues, ugh.

          1. Ben Tasker Silver badge

            > I'd be more open to DNS over HTTPS if there was actually a number of resolvers people could run on their own equipment. Last I checked I haven't seen any (one recent forum thread on the topic here someone pointed me to a product but it ended up being a simple proxy to an already existing DoH provider, not capable of serving DoH from say a local BIND installation).

            It's perfectly possible to run your own DoH Server. The post covers a few options for how you handle the back-end, but the base principle is

            - Get the DoH terminator up and running

            - Configure it to forward onto the resolver of your choice (which may well be a local BIND instance)

            Personally I've got it forwarding into Pihole (for ad filtering), which then sends into Unbound (because I have some additional config in Unbound format). You can just as easily _just_ use Pihole, or install BIND etc.

            > I do fear the number of end user issues encountered as a result of split DNS on vpn systems where resolving some host externally results in a different address than internally and that behavior being intentional.

            You _can_ address that to a limited extent where you're running your own DoH server. Basically, you need 2 and need to split-horizon those too. The internal one returns the VPN/local addresses, the external one the external addresses.

            I've not done as much with that though.

      2. Anonymous Coward

        Mozilla / Cloudflare reduces redundancy

        Cloudflare does in principle have a resilient setup but it is by no means infallible - it fell over a few weeks ago. The problem is that every node in its network is identical so a problem in hardware or software affecting one may well affect them all.

        Centralisation is in general a bad idea, both because it reduces diversity and also because the large pools of data that inevitably result from it are very attractive to hackers, including the so-called "state actors". And anyone that thinks Cloudflare, or indeed any of the other providers, can withstand a determined attack by a state actor is deluded.

    3. Roland6 Silver badge

      >The answer would seem to be to have more DoH providers.

      With the client being directed to an appropriate service by DHCP....

  8. Rob Burke
    Thumb Down

    I mostly don't like this

    I love the idea of DNS over HTTPS - I have it enabled myself in PiHole, using applied-privacy.net as my DNS over HTTPS provider, it works great. My devices use PiHole as their primary DNS server, so no need to fiddle with DNS on an application level. DNS at application level seems weird.

    I don't like that Mozilla are changing something so central by default; even if it's done with good intentions, it normalises such things and then before you know it, less ethical players such as Google will follow suit.

    I don't like that Mozilla are changing the behaviour of their software deliberately based on your territory, that feels a bit weird.

    1. This post has been deleted by its author

  9. talk_is_cheap

    One question is who is more trustworthy?

    My local ISPs (PlusNet and Virgin) who are under the control of the UK government, or an ISP in the USA which is not directly under the control of the UK? For now I'll take the USA provider, with the added advantage that my requests are encrypted over the wire. I'm sure the UK government will at some point roll out a DNS platform that we must all use by law; until then I am happy with having options.

    1. DavCrav Silver badge

      Re: One question is who is more trustworthy?

      "One question is who is more trustworthy?"

      That isn't one question, that's a multitude of questions. Because some entity I would trust with regards A I would not necessarily trust with regards B.

      Some examples:

      Whom do I trust more not to immediately give all of my data to the US government? US ISP or UK ISP? I would go with the UK ISP on that one.

      Whom do I trust not to immediately give all of my data to the Chinese government? Whichever one has the better security, which isn't easy to tell.

      Whom do I trust not to immediately sell my data to anyone who flashes their wallet? I would trust the UK ISP more in this regard, as there is both a customer relationship there and they are, at least in theory, regulated by some pretty powerful laws.

      Whom do I trust not to screw everything up massively? Well, not Virgin, for example.

      etc.

    2. John Robson Silver badge

      Re: One question is who is more trustworthy?

      Oh, I’ll use that dns system ... I’ll positively flood it with garbage requests.

      Meanwhile I’ll use an actual DNS provider.

    3. Anonymous Coward
      Anonymous Coward

      Re: One question is who is more trustworthy?

      If you're concerned about keeping your DNS data private I'd stick to a UK / European provider as they're all covered by GDPR. I would definitely avoid any US company as the personal data for non-US citizens that can be reasonably assumed to be located outside of the US can be accessed by US law enforcement authorities without a warrant under FISA 702. And note that this applies no matter where in the world the servers are located.

  10. tekHedd

    Suddenly, Advertising!

    Ah, so that's why my DNS-based ad server blocks suddenly stopped working. :P

    If you wonder why Google's such a huge proponent of this technology, now you know... or are they? Google is fairly meh on DoH, aren't they? Odd, since they're pretty pro on HTTPS-everywhere in every other respect.

    1. LDS Silver badge

      Re: Suddenly, Advertising!

      Exactly:

      "DoH combined with a third-party resolver makes it harder for" a user-controlled DNS server to block advertising - or other sites which should not be reachable for whatever reason.

      Many company blacklists may stop working - if they don't fully ensure which browsers are used and how they are configured. If Mozilla wants to increase its market share, maybe that's not the right way.

      1. whitepines Silver badge
        Thumb Down

        Re: Suddenly, Advertising!

        I think I've mentioned this before, but companies have one of two solutions now due to DoH:

        1.) Block or MITM all HTTPS traffic. Legality concerns (i.e. is the promise of the company's firewall to only MITM for site blocking enough if the firewall truly does forget the data as soon as it's checked the blacklist/whitelist enough to satisfy the rules?) apply. In the USA though it'd probably be where the mandated logging gets installed, since the infrastructure to capture the browsing destinations and origin machines is already in place.

        2.) Deploy VPN to the desk (no VPN session, no Internet access of any type) along with completely locked down, fully corporate controlled computers. This means whitelisted apps, and is a lot more invasive. It stops anyone on the technical side from doing much of their job or makes anyone that has an exception to e.g. run VMs a prime suspect in any computer crimes investigation (in Blighty, that probably means arrest first and ask questions later).

        What Mozilla has done is effectively funnel the personal browsing of workers into their oh-so-easily-tracked mobiles. Great job increasing privacy!

        1. JohnFen Silver badge

          Re: Suddenly, Advertising!

          > Block or MITM all HTTPS traffic

          This is what I've done for my home LAN -- all HTTPS traffic is funneled through a MITM proxy so that I can filter out any DoH requests and drop them. I'm still on the lookout for a better solution, but I don't think that one exists.
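          An added example of the filtering step described above, not the commenter's own setup: once HTTPS is terminated at a proxy, DoH requests can be recognised by the RFC 8484 markers (a `/dns-query` path, a `dns=` GET parameter, the `application/dns-message` media type) or simply by the resolver hostname. The log format and the sample lines are constructed for this example; the two resolver hostnames are real ones named on this page or used as Mozilla's default.

```python
"""Spot DoH requests in HTTPS-proxy logs (added example, not the commenter's setup)."""
import re
from urllib.parse import parse_qs, urlsplit

# Real DoH endpoints: Mozilla's default and one named elsewhere on this page.
# Extend with whatever your own environment sees.
KNOWN_DOH_HOSTS = {"mozilla.cloudflare-dns.com", "dns.adguard.com"}
DNS_MESSAGE = "application/dns-message"   # RFC 8484 media type

# Constructed log format (not any real proxy's): one request per line as
#   <timestamp> <client-ip> <method> <url> <status> <response-content-type>
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")

# Constructed sample lines: two known resolvers, one unknown resolver using a
# custom path, and two pieces of ordinary web traffic.
SAMPLE_LOG = [
    "2020-02-25T10:00:01Z 192.0.2.10 GET https://mozilla.cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAA2RvaGVzdAAAAQAB 200 application/dns-message",
    "2020-02-25T10:00:02Z 192.0.2.11 POST https://dns.adguard.com/dns-query 200 application/dns-message",
    "2020-02-25T10:00:03Z 192.0.2.12 POST https://resolver.example/secret-path 200 application/dns-message",
    "2020-02-25T10:00:04Z 192.0.2.13 GET https://www.example.com/index.html 200 text/html",
    "2020-02-25T10:00:05Z 192.0.2.14 GET https://cdn.example.net/dns-query-logo.png 200 image/png",
]


def classify(line):
    """Return (client, host, reasons); reasons is empty for ordinary traffic."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _ts, client, _method, url, _status, ctype = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    # The hostname is the only indicator visible without TLS interception (it
    # travels in the SNI); every check below needs the proxy to see inside TLS.
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-host")
    if parts.path.endswith("/dns-query"):        # path used by Mozilla's default resolver
        reasons.append("dns-query-path")
    if "dns" in parse_qs(parts.query):           # RFC 8484 GET parameter
        reasons.append("dns-param")
    if ctype == DNS_MESSAGE:                     # strongest signal, path-independent
        reasons.append("dns-message-type")
    return client, host, reasons


def find_doh(lines):
    """All log entries that look like DoH, with the reasons they were flagged."""
    hits = []
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[2]:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for client, host, reasons in find_doh(SAMPLE_LOG):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

          The third sample line is the case that matters: a resolver not on any list, reached over a path nobody would guess, is still flagged because the response media type is `application/dns-message`. Without interception, only the hostname check survives, which is why a host blocklist alone keeps falling behind.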

        2. sillyfudder

          Re: Suddenly, Advertising!

          Unless all your "personal browsing" is routed to your own home network (using mobile openvpn to pivpn in your house), and then goes out via pihole set up to cut out mobile advertisers and using DoH.

          I realise that using this methodology conveniently routes ALL of my home and roaming internet activity through a single path which is a downside if anyone was genuinely interested in me. But I'm in the UK and mildly inconveniencing mobile provider/ISP/UK government information gathering (as a boring law abiding individual) brings me some satisfaction.

          If I was really paranoid I could set up a second pivpn for mobile use which would routes out of my home network using openvpn as well, but like I say I'm not /that/ interesting.

      2. Hyper72

        Re: Suddenly, Advertising!

        Disabling DoH on a network is mind-bogglingly trivial. If the admin doesn’t want to use an enterprise policy then they can just use a Canary Domain on their DNS to return NXDOMAIN; Firefox checks this at startup and then doesn’t use DoH. Voila, local DNS with blacklists will continue to be used.

        PiHole even has it implemented.
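        The canary check described above, as an added example (not the commenter's, PiHole's or Mozilla's code). The canary name is Mozilla's documented `use-application-dns.net` and the endpoint is Mozilla's default DoH resolver; the query builder, the sample NXDOMAIN reply and the decision function are this example's own, written to show what the resolver has to return and how the same wire-format query becomes an ordinary-looking HTTPS GET under RFC 8484.

```python
"""Canary-domain check and RFC 8484 DoH request encoding (added example)."""
import base64
import struct

# Firefox's documented canary domain: a resolver that answers NXDOMAIN for
# this name tells Firefox, at startup, not to enable DoH on that network.
CANARY_DOMAIN = "use-application-dns.net"
# Mozilla's default DoH endpoint (operated by Cloudflare).
DOH_ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def build_query(name, qtype=QTYPE_A, txid=0):
    """Build a minimal RFC 1035 wire-format query with the RD bit set.

    RFC 8484 suggests transaction ID 0 for DoH so that identical queries
    produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """Encode a wire query as an RFC 8484 GET URL: base64url, '=' padding
    removed. On the wire this is just another HTTPS GET to port 443, which
    is why port- or protocol-based blocking does not see it."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def rcode(message):
    """Return the 4-bit RCODE from a DNS message header."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    return struct.unpack("!H", message[2:4])[0] & 0x000F


def canary_disables_doh(response):
    """Decide as the canary mechanism does: NXDOMAIN for the canary name
    disables DoH. Mozilla's canary documentation also treats an answer with
    no records as opting out, so a zero ANCOUNT is accepted here too."""
    code = rcode(response)
    ancount = struct.unpack("!H", response[6:8])[0]
    return code == RCODE_NXDOMAIN or ancount == 0


def nxdomain_response_for(query):
    """Constructed sample reply: what a local resolver that blackholes the
    canary name returns. Echoes the question; flags = QR, RD, RA, RCODE 3."""
    flags = struct.pack("!H", 0x8183)
    counts = struct.pack("!HHHH", 1, 0, 0, 0)
    return query[:2] + flags + counts + query[12:]


if __name__ == "__main__":
    q = build_query(CANARY_DOMAIN)
    print("DoH GET carrying the canary query:", doh_get_url(q))
    print("canary blackholed -> DoH disabled:",
          canary_disables_doh(nxdomain_response_for(q)))
```

        The reply that matters is the one to the plain, unencrypted lookup the browser makes through the OS resolver, so the local DNS server must be the one answering it. Any client that skips the canary check, which the replies below point out, never sends that query in the first place.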

        1. JohnFen Silver badge

          Re: Suddenly, Advertising!

          > If the admin doesn’t want to use an enterprise policy then they can just use a Canary Domain on their DNS to return NXDOMAIN; Firefox checks this at startup and then doesn’t use DoH.

          Doing this will not affect software that really wants to use DoH. It will only affect webpages that use the FF-supplied mechanisms.

        2. Anonymous Coward
          Anonymous Coward

          Re: Suddenly, Advertising!

          Except of course that any other application on your device that decides to use DoH will likely ignore the canary domain as well as your local DNS settings. And let's not forget that malware is also using DoH to hide from your firewall. Oh and Mozilla may withdraw the canary domain option in the future anyway.

          Apart from that you're good.

    2. 5p0ng3b0b

      Re: Suddenly, Advertising!

      In Firefox network settings, enable DNS over HTTPS, choose a custom provider and enter https://dns.adguard.com/dns-query

  11. Elledan

    The answer is obvious: use DNSSEC and DNS-over-TLS (DoT), with the latter having its own port instead of trying to sneak along with other HTTPS traffic.

    Client-side DNSSEC validation ensures that the DNS record is genuine. DoT ensures that nobody can look at those queries (for whatever reason...).

    DoH is an unnecessary complication to DoT that adds a lot more overhead. Having random apps on your system dodging local and network-level security by pretending to be plain HTTPS traffic is a security nightmare. Implementing DoH on embedded devices is inconceivable, unless unnecessarily adding an entire webserver to said device as a dependency overhead (and security risk) can be considered to be a good idea by anyone.

    1. Anonymous Coward
      Anonymous Coward

      All is not lost yet .....!!!! :)

      Elledan,

      "The answer is obvious: use DNSSEC and DNS-over-TLS (DoT)"

      But DoT is very easy to block by disallowing port 853 !!!

      DoH is not as 'pure', but it is not so easy to block.

      If you use 'Dnscrypt-proxy' you can use DoH in Firefox and it will go to your own DNS Resolver.

      (See https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH)

  12. Anonymous Coward
    Anonymous Coward

    Quite blockable so they must downgrade.

    Since FF is open source; this means that the innards are on display which means the technical amongst us will block 1.1.1.1 at the router.

    And so on and so forth

    Not great as a situation but FF will have to fall back to normal OS DNS resolution at some point, otherwise its dwindling market share will quickly drop to zero when the likes of my family can’t view cat videos.

  13. ecarlseen

    It's straightforward to roll your own DNS-over-HTTPS

    There are several Linux-based tutorials out there, and the overhead is minuscule. I'd imagine that pre-rolled containers will be popping up shortly. At that point you can control how DNS resolution occurs within your personal or business environment; what is forwarded upstream, filtered, etc.

    1. JohnFen Silver badge

      Re: It's straightforward to roll your own DNS-over-HTTPS

      That doesn't actually address the problem, though, because there is no way you can force applications to use your DoH resolver.

      1. Graham Cobb

        Re: It's straightforward to roll your own DNS-over-HTTPS

        there is no way you can force applications to use your DoH resolver

        But that statement is true whether or not Firefox uses DoH. Any application (or even any javascript running in any browser window) can decide it will do name-to-address translations using their favourite web site if they want. Even if there was no such thing as a DoH spec, Firefox or Cloudflare in existence.

        Firefox implementing it means the vast majority of those apps will just let FF do the lookup for them and so give me controls to send that to my own server. It changes nothing for the ones who are going to their own DoH server.

        1. JohnFen Silver badge

          Re: It's straightforward to roll your own DNS-over-HTTPS

          > But that statement is true whether or not Firefox uses DoH.

          Yes indeed -- that's rather my point, and my objection to DoH. That it exists as a standard is the problem with it, not that it exists in FF.

          > Even if there was no such thing as a DoH spec, Firefox or Cloudflare in existence.

          But without DoH, it's simple to detect and filter DNS lookups when they do. If they use a nonstandard, private DNS server to avoid that sort of defense, then it's easy to block all access to that server.

          While it was always technically possible to do surreptitious DNS lookups, that there is a standard mechanism to do so now, supported by mainstream DNS providers, means that the number of people actually doing this will grow from "insignificant" to "reasonably common".

          > Firefox implementing it means the vast majority of those apps will just let FF do the lookup for them

          Yes, but those aren't the apps I'm worried about. I'm worried about ne'er-do-wells, such as martech companies and other spies.

    2. LDS Silver badge

      Re: It's straightforward to roll your own DNS-over-HTTPS

      Most consumer users just rely on what their ISP-provided router makes available. While technically-savvy users will work around DoH if they think they have to, they are still a small percentage of the overall public - and those gathering the data know that.

      1. JohnFen Silver badge

        Re: It's straightforward to roll your own DNS-over-HTTPS

        Indeed. DoH is a huge gift to marketers and other spies.

  14. Anonymous Coward
    Anonymous Coward

    Doesn't make any sense if you use VPN. It just spoils your ID to the DNS.

  15. Grogan

    As if I'm going to let Mozilla choose a "name resolution partner" to control my DNS lookups. Not interested, not having it.

    I don't do ISP DNS servers anyway, I use a service that I trust to return current (respecting TTL), unbiased results. In resolv.conf files as well as in my router/gateway for any other clients. I've also considered forcing redirection, but don't want to limit my abilities to query other name servers directly.

  16. Phil Kingston

    So what....

    do Cloudflare get out of this? I mean they have to be monetising it somehow. Is aggregated browsing data valuable enough to advertisers for it to be worth Cloudflare providing the service?

    1. A Known Coward

      Re: So what....

      If you want the high conspiracy theory, then I would point to the recent news that the CIA bought and ran a Swiss manufacturer of encryption machines for decades. There are those who believe, not without precedent, that firms such as Cloudflare, through which so much of your private data flows, are just there as part of the vast data collection efforts of various intelligence agencies.

      Personally, I don't think it's possible to discount this possibility nor confirm it. Much like Huawei, the question becomes, is it worth the risk?

      1. Peter 26

        Re: So what....

        This is a really valid point. We don't think it's the case, but who's to say for sure?

        Also, what if they have been issued a secret subpoena requiring them to give access to all the DNS logs?

        Alternatively, just targeting their network data, which I've read can be fingerprinted to identify lookups. A massive project, but certain people have big pockets, and by putting all your eggs in one basket it means they have fewer networks to target. Cloudflare/Google DNS being the main ones.

        Anyway, 99.9999% of people don't know what DNSSEC is, so I think Firefox have done the right thing for today. In a year's time there might be a better option. If you're a techie you can change it in the options; if you aren't, you would have no idea and no protection anyway, so something is better than nothing.

    2. LDS Silver badge

      "is aggregated browsing data valuable"

      Define "aggregated" - that's a weasel word. We don't really know what they mean when they say "aggregated" and we don't know its granularity. A "user" profile is an "aggregation" of data too; they can't store every single search or other detailed data (and search through them each time a marketer asks for a target group) - they're going to aggregate that data. And sell the target group, not the data.

      Anyway even less granular data could be useful - say for example you can work out the age group, income level and location for particular searches (and that's a kind of aggregation), it's evidently something you can sell.

    3. Scramworks

      Re: So what....

      Amongst other things, other people's CDNs don't work as well as Cloudflare's if you're using Cloudflare for DNS, but theirs works even better.

  17. Colonel Mad

    Enabled in the UK

    I have just looked at my settings here in MK, (I'm with Now TV) and DOH is enabled?

    1. Neal L

      Re: Enabled in the UK

      I checked mine, in the UK as well, and DoH wasn't enabled. I'm not sure your ISP can change a setting in your browser.

  18. TeeCee Gold badge

    Hmm.

    A malicious DNS server could direct you to a site you did not request...

    ...whether you talk to it over HTTPS or not, so DOH doesn't do anything to address this. Forcing the resolver to cloudflare (as per FF) does, but only for things going via FF and is thus nowhere near a full solution. All this does is impart a false sense of security, a dangerous thing.

  19. anoco

    Why are we still talking about Mozilla?

    This company lost its bearings long time ago. Used to be that the user was the master. Give them all the options so that each user can customize their browser whichever way they want. "Take back the internet" was their slogan, because MS was taking the control away from you.

    Then, (in my paranoid opinion after a MS mole infiltrated the organization, just like in Nokia's case) they did a 180 and decided that they will go after the user that doesn't know better. Well that market already has a trillion-pound gorilla and a trillion-pound elephant catering to them.

    Now what? After pissing their loyal base off, have they reversed their market share loss? Have they at least stopped sinking? Neither, and in my cynical mind they are just waiting for a Nokia style bailout...

  20. Persona Silver badge

    Central monitoring

    In some respects the security services may be quite happy with this. As the browser is forcing the choice of DNS resolver, it will be much easier for the US security services to assert control over the resolvers it points at rather than having to pull the data from the ones controlled by the ISPs. This will let them see in real time the sites people are looking at. Should someone decide to point their DNS at another site, I'm sure a browser update could be "arranged" to reset the configuration, and very few would notice.

  21. Billa Bong
    Facepalm

    Well, there goes home internet filtering

    "Cloudflare argues that filtering and blocking traffic via DNS is a poor approach. "Application-specific controls such as browser extensions would be more effective since they can actually look into the URLs and selectively prevent content from being accessible," said Peter Wu, part of the Crypto Team at Cloudflare."

    Seriously? A browser extension? Oh, that'll work really well... until 10 seconds after I've left my kids room, when it'll be disabled.

    1. Graham Cobb

      Re: Well, there goes home internet filtering

      And you don't think your kids know how to change the DNS settings on the PC?

      1. vtcodger Silver badge

        Re: Well, there goes home internet filtering

        "And you don't think your kids know how to change the DNS settings on the PC?"

        And if they don't know how, they almost certainly have friends that do.

  22. EnviableOne Silver badge

    IMHO

    DNS is a network function, that should be handled at the network layer and separated from web traffic.

    DNS needs to be resolvable from different locations (especially in enterprise) as you need to point people to internal resources.

    DNS needs different treatment and higher priority than web traffic.

    DNS should use TLS for integrity and confidentiality

    DNS should use certificates for authentication

    secure DNS should be on its own port

    use DoT (DNS over TLS) to connect to an endpoint authenticated by DNSSEC

    This can be handled in the network stack

    This can be pointed at any resolver

    This can be prioritised over web traffic

    This uses TLS

    This uses Certificates

    This is on its own port
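    The DoT side of the list above (its own port, TLS, certificate authentication, usable from any stub resolver), as an added example that is not the commenter's code or any particular resolver's: a minimal RFC 7858 client. The resolver hostname passed in is an assumption of the caller's; the client authenticates it by the name in its certificate (the WebPKI model), not by DNSSEC or DANE, and the query bytes are expected already in DNS wire format.

```python
"""Minimal DNS-over-TLS (RFC 7858) client (added example, not from the page)."""
import socket
import ssl
import struct

DOT_PORT = 853  # DoT's own registered port, distinct from HTTPS on 443


def frame(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def unframe(data):
    """Inverse of frame(); refuses a prefix that promises more than was read."""
    if len(data) < 2:
        raise ValueError("missing length prefix")
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("short read: %d of %d bytes" % (len(data) - 2, n))
    return data[2:2 + n]


def tls_context(ca_file=None):
    """Certificate-authenticated TLS: the resolver must present a chain to a
    trusted CA (the system store, or ca_file for a private resolver) and the
    certificate name must match the hostname we connect to."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; TLS records need not align with DNS frames."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def dot_query(query, resolver_host, port=DOT_PORT, timeout=5.0, ca_file=None):
    """Send one wire-format DNS query over TLS and return the wire-format reply.

    resolver_host is both the address connected to and the name verified
    against the certificate (and sent as SNI). Blocking TCP/853 at the edge
    makes this call fail loudly rather than silently falling back."""
    ctx = tls_context(ca_file)
    with socket.create_connection((resolver_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)
```

    Usage is `dot_query(wire_query, "resolver.example")` with a hostname of your choosing; because the transport is a dedicated port rather than a path on a shared HTTPS endpoint, the same firewall rule that allows or denies it for one client applies to every DoT client on the network, which is the point the list above is making.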

  23. teknopaul Silver badge

    Mozilla are barking

    They have broken sooo much, by breaking DNS.

    Everything that you or your organization does with DNS is broken. (In firefox)

    How many millions of bind/nsd/dnsmasq servers out there have been bypassed by this change?

    No warning. Just break shit and watch people walk off to Chrome.

    How's your market share doing with all these security enhancements, Mozilla?

    This will be the nail in the coffin of FireFox.

    Someone needs to fork.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Mozilla are barking

      I don't think it's that terrible, enterprises can disable it, users can disable it or configure it to whatever they want (including LAN DoH).

  24. Camilla Smythe

    What of Cloudflare Insights?

    https://support.cloudflare.com/hc/en-us/articles/360033929991-Cloudflare-Browser-Insights

    Not sure I like the idea of wank like that being associated with my browsing.

Biting the hand that feeds IT © 1998–2020