Mozilla: Cloudflare Doesn't Pay Us For Any DoH Traffic (zdnet.com) 93
An anonymous reader writes: Mozilla said today that "no money is being exchanged to route DNS requests to Cloudflare" as part of the DNS-over-HTTPS (DoH) feature that is currently being gradually enabled for Firefox users in the US. The browser maker has been coming under heavy criticism lately for its partnership with Cloudflare. Many detractors say that by using Cloudflare as the default DoH resolver for Firefox, Mozilla will help centralize a large chunk of DNS traffic on Cloudflare's service. Critics of this decision include regular users, but also ISP-backed lobby groups, according to a recent report citing leaked documents. But according to Mozilla, they're not getting paid for this, and are only doing it for Firefox user privacy.
The resolver is a side wide setting (Score:5, Insightful)
Why is an application bypassing my system wide resolver settings and doing its own name resolving on rogue infrastructure?
Sounds like malware.
Comment removed (Score:5, Insightful)
Re:The resolver is a side wide setting (Score:4, Informative)
Yes, everybody wants to do everything for everyone, so much for one program doing one thing right
For now the OpenBSD people are disabling DoH by default - undeadly.org [undeadly.org]. Moving from Linux to a BSD seems to be getting closer and closer for me, with most distros following Red Hat in becoming a Microsoft Windows clone.
Disabling DNS over HTTPS (Score:4, Informative)
If you are using Firefox and want to make sure DNS-over-HTTPS is disabled, let it know that it is YOUR choice to disable it:
- about:config
- Search for setting "network.trr.mode"
- Change value "0" for value "5"
- [...]
- Enjoy your freedom of choice!
Value 0 means it is off because no choice has been made (off by default), meaning that when it's rolled out, it could be changed by an update or any "call home".
Value 5 means you CHOSE to disable it, so any subsequent update should keep it off, even if the installer or any "call home" is set to turn it on.
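The same check and pin can be done outside the about:config UI through Firefox's user.js mechanism (a file of `user_pref(...)` lines in the profile directory that Firefox re-applies at every start). The script below is an added example written for this thread, not the commenter's code and not Mozilla's; the sample prefs text is constructed, and the meanings of values 2 and 3 are Firefox's documented TRR modes, added here for completeness beyond the 0 and 5 the post discusses.

```python
import re
import sys
from pathlib import Path

PREF = "network.trr.mode"

# Meaning of the values as Firefox defines them; 1 and 4 are reserved and not
# meant to be set by users, so they are deliberately absent here.
TRR_MODES = {
    0: "off, no choice made (default): an update or remote configuration may turn DoH on",
    2: "DoH first, fall back to the system resolver if the DoH request fails",
    3: "DoH only, never use the system resolver",
    5: "off by explicit user choice: updates and remote configuration leave it off",
}

# Matches one prefs line such as:  user_pref("network.trr.mode", 5);
# Trailing whitespace is matched with [ \t]* so the line's newline survives re.sub.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\("' + re.escape(PREF) + r'",[ \t]*(\d+)\);[ \t]*$', re.MULTILINE
)


def current_trr_mode(prefs_text):
    """Return the configured mode, or None if the pref is absent (Firefox's default 0 applies).

    If the pref appears more than once the last line wins, as Firefox applies lines in order.
    """
    found = PREF_RE.findall(prefs_text)
    return int(found[-1]) if found else None


def describe(mode):
    """Human-readable meaning of a mode value, for reporting."""
    if mode is None:
        return "not set: behaves as mode 0 (" + TRR_MODES[0] + ")"
    return TRR_MODES.get(mode, f"reserved or unknown value {mode}")


def enforce_trr_mode(prefs_text, mode=5):
    """Return prefs text with every existing network.trr.mode line replaced by the
    chosen mode, or with the line appended if it was missing."""
    line = f'user_pref("{PREF}", {mode});'
    if PREF_RE.search(prefs_text):
        return PREF_RE.sub(line, prefs_text)
    body = prefs_text if prefs_text.endswith("\n") or not prefs_text else prefs_text + "\n"
    return body + line + "\n"


# Constructed sample of what a user.js might contain before the change.
SAMPLE_USER_JS = (
    'user_pref("browser.startup.page", 1);\n'
    'user_pref("network.trr.mode", 0);\n'
)


def pin_profile(user_js_path, mode=5):
    """Read a profile's user.js (creating it if absent), pin the mode and write it back."""
    path = Path(user_js_path)
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(enforce_trr_mode(text, mode), encoding="utf-8")
    return current_trr_mode(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pin_trr.py /path/to/profile/user.js
        print("pinned", PREF, "=", pin_profile(sys.argv[1]))
    else:
        before = current_trr_mode(SAMPLE_USER_JS)
        after = current_trr_mode(enforce_trr_mode(SAMPLE_USER_JS))
        print(f"before: {before} ({describe(before)})")
        print(f"after:  {after} ({describe(after)})")
```

Run it with the path to a profile's user.js to pin the value; with no argument it only demonstrates the transformation on the constructed sample. Because user.js is re-applied at every start, a pinned line there survives the "call home" and update paths the post worries about for a value set only in prefs.js.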
Re: (Score:2)
Alas, Mozilla has a habit of renaming config names for no reason. Every time I update Firefox (as my *backup* browser), I need to make sure the settings I've changed still work.
It's particularly frustrating when they "rename" things by adding an extra underscore.
Re: (Score:2)
It is the result of a self-righteous corporate culture that believes it exists as savior to protect everyone from themselves.
I wish they would work on other, less important things. Like, how come every time Firefox receives an update it resets my browser language to English (Canada), but I know that stuff is really mundane and it's better to solve the bigger problems people are suffering from.
Re: (Score:2)
Indeed. I wonder how they will prevent their browser completely failing for locally served pages in corporate networks which are dependent on local DNS, as soon as this is becoming default... Or did I miss something?
Re: The resolver is a side wide setting (Score:3, Informative)
> becoming default... Or did I miss something?
Yeah, you have to read the Mozilla docs or the security press from a few weeks ago to find out all the lengths their DoH implementation goes through to make sure local DNS isn't different than ISP DNS. Fake domains and everything.
Something like 7% of resolvers were found to have local DNS variations and Firefox will use them in that case or if the preference is set or if an enterprise policy is set. If you have a basic cable modem/wifi setup you'll get DoH
Re: (Score:3)
Agreed. Microsoft obviously can't be trusted to do anything to damage their spyware-fueled empire, so it falls on application developers.
How many people do you know that even know what a DNS is? Maybe 5% of web users? People use a browser like they use a car - it takes them places, and that's the last they think about how it works. Even competent, intelligent people - they don't need to know how the internet works any more than they need to know how an internal combustion engine works, or how to properl
Re: (Score:2)
A program's default settings absolutely *should* protect such people from the ubiquitous predators as much as possible
This is not the case here. This is the case of Mozilla taking your browsing history and sending it over to a 3rd party, notably Cloudflare, without the user having knowledge of it.
Mozilla are the predators here. A program bypassing system libraries to implement its own requests to rogue infrastructure unbeknownst to the user is not "protecting them", it's quite the opposite.
Re: (Score:2)
Not quite your browsing history - the sites you visit for, but not how often, or what you look at once you're there.
And that history is already harvested by your ISP and anyone else who cares to look - none of whom make any bones about the fact that they're going to exploit that data in every way they can. Cloudflare at least has an explicit policy of never sharing that data, and know they'll be tossed to the curb for an alternative if they ever get caught doing otherwise. Compare to your ISP who knows the
Re:The resolver is a side wide setting (Score:4)
If your intent was sarcasm, you should be more obvious about it -- it's sometimes hard to tell that in a text medium. If your intent wasn't sarcasm -- intellectualism necessarily includes educating yourself about how systems work before engaging in discussion on them. Listening to experts (of which there are a number on
Re: (Score:1)
As the FAQ linked to in the summary notes you will get a pop-up warning when it is first enabled, it can be disabled in the preferences, you can disable it now before updating in advance if you want to, and enterprises can disable it at group policy level.
The default setting should be based on what is best for the majority of users, and I'm afraid running your own local resolver is not something most people would even understand let alone do.
Re: (Score:2)
As the FAQ linked to in the summary notes you will get a pop-up warning when it is first enabled, it can be disabled in the preferences, you can disable it now before updating in advance if you want to, and enterprises can disable it at group policy level.
The default setting should be based on what is best for the majority of users, and I'm afraid running your own local resolver is not something most people would even understand let alone do.
So most people don't have an ISP provided router with a built-in local resolver??
I would beg to differ, I am certain 99.9% of all end-users have that setup.
Of course the entire idea behind DoH is to avoid that resolver in case it is compromised, but that also takes away the speed benefit it gives.
Re:The resolver is a side wide setting (Score:4, Informative)
You are correct. 99.9% of people don't have an ISP provided router with a built-in local resolver. They have an ISP provided router that serves up DHCP for their internal network which assigns the ISP's DNS servers to the internal network.
Re: (Score:2)
You are correct. 99.9% of people don't have an ISP provided router with a built-in local resolver. They have an ISP provided router that serves up DHCP for their internal network which assigns the ISP's DNS servers to the internal network.
Never heard of such a thing. All routers I have ever come across have a DNS cache built in.
Re:The resolver is a side wide setting (Score:4, Interesting)
As the FAQ linked to in the summary notes you will get a pop-up warning when it is first enabled
This should not even be a thing in the first place. If I want to use DoH, I should configure it at the OS level, and it should be transparent to applications who then use the standard system resolver library in order to obtain network addresses.
Malware bypass the system resolver. Is Mozilla in the business of making malware now ?
and I'm afraid running your own local resolver is not something most people would even understand let alone do.
Literally everyone in the world using Windows since the days of Windows 95 has run a system wide resolver. It was configured automatically through DHCP most of the time. What are you even saying here ?
Re: (Score:2)
This should not even be a thing in the first place. If I want to use DoH, I should configure it at the OS level, and it should be transparent to applications who then use the standard system resolver library in order to obtain network addresses.
Sounds great, but Windows and Mac OS don't support it. Linux probably does, though not "out of the box" in major distros.
Re: (Score:2)
Sounds great, but Windows and Mac OS don't support it. Linux probably does, though not "out of the box" in major distros.
The fix is not to make every application implement their own version of the protocol, and then bypass system settings. It's to submit feature requests with the OS vendor.
Re: (Score:2)
yeah right, and then wait 10 years or maybe longer before they implement it?
Re: (Score:2)
yeah right, and then wait 10 years or maybe longer before they implement it?
If it's that good, they won't drag their feet on it.
Re: (Score:2)
Windows being almost a monopoly, there are tons of good features/changes which aren't done and never will be.
Re: (Score:2)
Yes, sure, just look at IPv6... how long it took for OSes to support it, many apps still do not support it, and most ISPs, while many are ready for IPv6, do not enable it because of those apps that fail.
Do not like IPv6? Sure, let's look at DNSSEC... how many OSes support it directly? DoH is a workaround for the time it is taking for DNSSEC to be enabled. As DoH is much simpler and for now is locked in the browsers, it is simple to implement.
but hey, if you do not like it, disable it... it is up to you... but notic
Re: (Score:3)
Or... they could just release their DoH resolver into homebrew (or yum or apt). Then anyone who wants it can fetch it, turn it on, and set their DNS resolver to 127.0.0.1; easy peasy. It's not exactly rocket surgery that we're talking about. Mozilla's intention may be good here. (And really, anything that pisses off Comcast and whatever ilk are part of, or listen to, their "ISP lobbying group" is undoubtedly a good thing taken as a whole.). But they're going about it in the wrong way.
Re: (Score:2)
Or... they could just release their DoH resolver into homebrew (or yum or apt). Then anyone
By anyone, you mean anyone not running Windows or Mac OS or Android or iOS, right?
Re: (Score:2)
Re: (Score:2)
But can you explain what the use of this is, other than to give Moz data to sell (yeah I'm not buying their BS) cuz I don't see it.
The use of this is to encrypt DNS requests so that your network administrator, hotel, hackers, etc. can't just sniff on the network and check what web site you are visiting.
If you don't like cloudflare you can set another server manually. Or turn DoH off entirely. Mozilla isn't getting any of that information.
Its not like DNS is something people have been having issues with,
The issue is the lack of privacy.
Re: (Score:2)
But that doesn't really solve anything, as long as host names are sent in plain text even when using https requests.
Re: (Score:2)
https://blog.cloudflare.com/en... [cloudflare.com]
Re: (Score:2)
Not like people have been having issues with DNS, apart from the UK's DNS snooping network. And US ISPs snooping on it to sell your data to advertisers.
So apart from that half billion people I could list without even taking the effort to search the web, no one's been having any problems.
But you'd rather believe Mozilla are being evil with zero evidence than worry about the known evils. You are free to make that choice, but that it's not malware you make a different choice.
Re: (Score:1)
So tell us, how do you set up a system wide DoH resolver in Windows? And how many Windows users ever configured their DNS settings at all, rather than just using DHCP with the defaults their ISP supplied modem came with?
Re: (Score:2)
That would be the ISP.... ?
Re "what is best for the majority of users"
Who gets to set what is "best" and wants to look after the "majority of users"?
We have seen that with social media, search services, ad brands and the resulting "good" censorship...
Re: (Score:2)
No, a local resolver is inside your LAN and assigns hostnames to the machines on it. You can also add things like blacklists, e.g. via a PiHole, and of course it does caching so maybe it's a bit faster too. But possibly not as fast as DoH.
Re: (Score:2)
At least this application is open sourced. You have no idea what the other browsers are doing.
Re:The resolver is a side wide setting (Score:5, Informative)
Because there is a high likelihood that your system wide resolver is malware.
Meanwhile Cloudflare has made these promises, at https://developers.cloudflare.... [cloudflare.com]
Cloudflare will never sell your data or use it to target ads. Period.
All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, are purged within 24 hours.
Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.
Cloudflare will only retain or use what is being asked, not who is asking it. Unless otherwise notified to users, that information may be used for the following limited purposes:
Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.
You can choose not to believe them, of course, but I struggle to think of any similarly unequivocal promises by a corporation that were later broken. I would like to hear examples.
Re: (Score:2)
Because there is a high likelihood that your system wide resolver is malware.
Uh ? If you don't trust your ISP's DNS servers, configure different ones. For sure the systemd people don't mess around with whatever you configured, and Microsoft is not likely not to simply process DNS requests as you configured them.
If you don't trust your system wide resolver, you're using an untrustworthy OS, and the fix for that is not to run an untrustworthy browser on top of it.
Re: (Score:3)
If you don't trust Firefox's choice of DNS servers, configure different ones.
For the vast majority of users, Cloudflare's DNS servers are a better choice than what they have. The rest will have to manually configure.
Re: (Score:3)
If you don't trust Firefox's choice of DNS servers, configure different ones.
I did, you can find them in /etc/resolv.conf. I shouldn't have to configure them elsewhere or change settings at the application level to respect my DNS choices.
The simple choice to not having to deal with this is not to install Firefox. This simply should not have been a Browser feature.
Re: (Score:2)
ISP spying should not have been an ISP feature. Yet it is, so we deal with it as best we can.
We as nerds cannot just leave the average person to be used and abused. We can handle a bit of additional work to get a sane setup. The average person cannot.
Yes that's blank elitism. So sue me.
Re: (Score:2)
ISP spying should not have been an ISP feature. Yet it is, so we deal with it as best we can.
The best you can is using different DNS servers.
We as nerds cannot just leave the average person to be used and abused.
You're not some savior to the masses, you're just another exploiter who wants them to use your stuff rather than the other guy's stuff.
We can handle a bit of additional work to get a sane setup.
The fact I can configure Firefox to work as I want it doesn't mean the defaults they picked are sane. In this case, they are quite literally acting as malware. As such, I will not install their future releases and never recommend the browser again, especially not in a corporate setting where extra work will be required to int
Re: (Score:2)
You're not some savior to the masses, you're just another exploiter who wants them to use your stuff rather than the other guy's stuff.
Cloudflare is not my stuff. I do not like Cloudflare at all. Yet I still believe their promise that they will not monetize DNS queries.
Re: The resolver is a side wide setting (Score:1)
Re: (Score:2)
Doesn't systemd force google's DNS servers on you if you don't have DNS configured?
Re: (Score:2)
And then the ISP can create a firewall rule that redirects all those queries to port 53 to its own server, and you are still using their DNS but do not even know...
Re: (Score:2, Interesting)
You can choose not to believe them, of course, but I struggle to think of any similarly unequivocal promises by a corporation that were later broken. I would like to hear examples.
How about Cloudflare's promise not to kick people off the service for ideological reasons, which turned out to be unless I wake up in a bad mood [gizmodo.com]?
I'm not shedding any tears for the Daily Stormer (or 8chan), only for Cloudflare becoming the designated defender of free speech, because they're not actually committed to doing that.
Re: (Score:2)
Yes, that promise was broken. It was never in a contract-like form though, was it?
Either way, if they break their promise, Firefox will be removing them in the next release.
Re: (Score:2)
Firefox will be removing them in the next release.
Mozilla is as ideologically driven, they have already shown this. Your entire premise in all of this, and accepting software bypassing system settings, is that you somehow implicitly trust the 3rd parties involved. Trust which is unfounded given the evidence.
Re: (Score:2)
Since I'm not Cloudflare's customer, I have no contractual relationship with them, so these words are worth nothing. I have my own local resolver, and I expect everything to use it as configured, not just ignore system-wide and network-wide settings. Having to configure individual applications to honor system settings is absurd.
Re: (Score:2)
Because you are in the minority by a very very large degree. That's why.
I'd be fine with a TOR like setup. It would punish sites that load things from all over the web, because they would be slower. But of course caching would help.
Re: (Score:2)
Why is an application bypassing my system wide resolver settings and doing its own name resolving on rogue infrastructure?
To me this is a necessary and critical feature, one that I use literally every single day. Browsers that don't support this functionality won't even get a look from me (like anything Chromium based; granted I don't touch Chrome for a variety of other reasons anyway, but still..).
The most common instance is when using a machine connected to one network, but I want a browsing session that originates from outside that network (this can be very useful in testing). This is why the functionality is an every d
Of course they don't have to pay Cloudflare... (Score:2, Insightful)
This is a data mining windfall for Cloudflare. If anything, Cloudflare should be paying Mozilla for this.
Re: (Score:3, Informative)
Re: (Score:2)
Derp. You're right. Reading comprehension this early in the morning. Something something coffee.
Someone vote this AC up.
Re: (Score:2)
I thought the whole point was to try to avoid data mining by hiding DNS requests.
If Cloudflare now has the honor of data mining, has anything been accomplished? And since your ISP still knows what you visit, hasn't the situation actually gotten worse?
Re: (Score:1)
Re: (Score:2)
This is a data mining windfall for Cloudflare. If anything, Cloudflare should be paying Mozilla for this.
How so? Is Cloudflare decrypting the traffic? They will need a trusted cert to do so and play MitM.
Re: (Score:1)
The resolved DNS is what's valuable in this context.
Re: (Score:2)
The way I see it, the options are:
1. Use the ISP DNS - the ISP can see the requests and deliver whatever responses it wants.
2. Use google DNS or OpenDNS or similar - the DNS provider can see the requests, the ISP can still see the requests and change responses, but now it needs to sniff the traffic.
3. Do not use any DNS forwarder. The ISP can still sniff the requests and now the TLD DNS server also sees your requests
4. Use DoH - the DNS provider can see the requests, but now the ISP cannot see your request
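What actually changes between options 1 to 3 and option 4 above, and the encryption an earlier reply describes ("so that your network administrator, hotel, hackers, etc. can't just sniff on the network"), comes down to one thing: the DNS message is identical, only its transport differs. With classic DNS the bytes built below travel in the clear on UDP port 53, so any on-path observer reads the QNAME and can rewrite the answer; with DoH the same bytes are wrapped in an HTTPS GET as specified by RFC 8484, so an on-path observer sees only a TLS connection to the provider, and the provider alone sees the question. The script is an added example written for this thread, not the commenters' code and not any resolver project's; the endpoint `https://doh.example/dns-query` is a placeholder, and the response bytes are constructed by hand.

```python
import base64
import struct

# Placeholder endpoint; a real client would use the resolver's published DoH URL.
DOH_ENDPOINT = "https://doh.example/dns-query"


def build_query(qname, qtype=1, query_id=0):
    """Encode a DNS query in RFC 1035 wire format.

    RFC 8484 recommends ID 0 for DoH so identical questions yield identical
    URLs (and are therefore cacheable by HTTP caches); the flags word 0x0100
    sets RD (recursion desired). qtype 1 is an A record, class is always IN.
    """
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(qname, qtype=1, endpoint=DOH_ENDPOINT):
    """Wrap the wire-format query as an RFC 8484 GET: base64url with padding stripped."""
    wire = build_query(qname, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp):
    """Extract IPv4 addresses from the answer section of a DNS response.

    A DoH response body (application/dns-message) is this same wire format,
    so the parser is the same whether the bytes came from UDP/53 or HTTPS.
    """
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        off = _skip_name(resp, off) + 4      # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response to the www.example.com query: flags 0x8180 = QR, RD, RA;
# the answer name is a pointer (0xC00C) back to the question name at offset 12,
# and 192.0.2.1 is from the documentation address range, not a real lookup.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.example.com")[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", 1, 1, 3600, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    wire = build_query("www.example.com")
    print("Do53 payload on the wire (UDP/53, readable and rewritable by any on-path party):")
    print(wire.hex())
    print("Same bytes as a DoH GET (carried inside TLS, only the endpoint host is visible):")
    print(doh_get_url("www.example.com"))
    print("Addresses in the constructed answer:", parse_a_records(SAMPLE_RESPONSE))
```

The base64url string the script produces for `www.example.com` is the one RFC 8484 itself uses in its GET example, which is a handy way to confirm the encoder. Note what DoH does not change: the provider in option 4 still sees every question, exactly as the ISP did in option 1, which is why the thread's argument is about who that provider is rather than about the protocol.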
Re: (Score:3)
According to Cloudflare:
Cloudflare will never sell your data or use it to target ads. Period.
All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, are purged within 24 hours.
Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
Cloudflare will retain only lim
Re: Of course they don't have to pay Cloudflare... (Score:1)
That and a warrant canary would be nice.
Centralized is a target for surveillance; decentralized is, on average, the best option for privacy.
Re: (Score:1)
Cloudflare also said they would not censor their customers. Then they did it anyway after some journos complained. Then they said it was a bad idea. Aaaand then they did it again.
The words of corporations are worthless. Their assurances are merely PR capital that could be outweighed by something more profitable at the drop of a hat.
Re: (Score:2)
If they change their stance, the next version of Firefox will have another default provider.
If you want to do better, I am sure Firefox will be willing to add your resolver to the default list after the same type of discussion they had with Cloudflare.
Re: (Score:1)
Re: (Score:2)
Cloudflare? (Score:1)
Why would any sane person want to route more traffic than necessary to Cloudflare? This is a massive data-mining scheme, and Mozilla should be ashamed to be cooperating with it.
It's against privacy (Score:1)
They are sending all DNS traffic to a third party. It's like if they forced all search through one search engine and then hid the setting deep in the browser.
CloudFlare hosts terrible stuff. They have no morals. What do you think they'd do with your data?
Re: (Score:2)
You're a looney
Don't like it? Turn it off. (Score:5, Insightful)
I personally like the feature. It's not that I don't trust my ISP. It's that when I am on a public wifi or network I don't trust, I prefer having my DNS encrypted to an end point where I won't be personally identified because my requests will be mixed with thousands of others.
I also like the fact that Firefox can override the system's proxy settings, and use the feature. This way I can have two browsers, one (Firefox) going through the proxy and the other one which doesn't.
The proxy is actually running on an SSH tunnel to a server I control. So I can choose if I want to browse through my encrypted tunnel or not.
Re: (Score:1)
Re: (Score:3)
My ISP doesn't have a track record of monitoring that data and probably doesn't, but you are right that they could.
Re: (Score:2)
Every isp ip for every user, every site went into a log.
Re: (Score:2)
"Industry Leadership in Security" - you mean the same Cloudflare that has provided hosting to spammers and DDos-for-hire outfits (while at the same time selling DDoS protection services)? No thanks, I'll look elsewhere for actual leadership.
Re: (Score:3)
It's fine as long as it's configurable without diving into about:config (which I think it is). With respect to DoH in particular, I'm largely fine with their compromise of only enabling it if the OS settings are stock and only then if the user agrees to it.
Re: (Score:2)
it is configurable in options -> network settings
Slimy Liars (Score:1)
Re: (Score:2)
Ding, ding, ding - we have a winner!
DoH (Score:2)
Do you want to get sued? Because that's how you get sued.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Just because you can do it doesn't mean you should (Score:3)
https://hackaday.com/2019/10/2... [hackaday.com]
https://www.zdnet.com/article/... [zdnet.com]
Re: (Score:2)
Lost Opportunity (Score:3)
What a damn shame, and a lost opportunity. Mozilla should have opened up bidding to see who would have paid them the most. As they say, hindsight is 20/20
Mozilla should run its own DNS (Score:3)
Cloudflare is the NSA (Score:1)
Cloudflare is the NSA. Why do you think their services are all "free"? MITM shady websites and DNS data is how you recon your targets.
Bandwidth isn't free, and the pennies that Cloudflare makes from paying customers are just cover.
Re: (Score:2)
It is free because, while many people use it free, when you go to work you may have to choose one CDN... If I already know Cloudflare, I will recommend that to be used at work too... so yes, free is a bait to catch more customers and then upgrade 1% of those to the paid accounts.
We tried several CDNs and we returned to Cloudflare; their service is good and not as expensive when compared with some other CDNs with the same level of features... not only that, but they are one of the CDNs with more PoPs all over th
Should use a random list for each query (Score:1)
They should have a random list of DNS servers and pick one randomly for every query.