Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Mozilla Firefox Security IT

Mozilla To Add Second DNS-over-HTTPS (DoH) Provider in Firefox (zdnet.com) 67

Mozilla has announced that NextDNS would be joining Cloudflare as the second DNS-over-HTTPS (DoH) provider inside Firefox. From a report: The browser maker says NextDNS passed the conditions imposed by its Trusted Recursive Resolver (TRR) program, and can now be added as a second option for DoH inside Firefox. These conditions include (1) limiting the data NextDNS collects from the DoH server used by Firefox users; (2) being transparent about the data they collect; and (3) promising not to censor, filter, or block DNS traffic unless specifically requested by law enforcement.

DNS-over-HTTPS, or DoH, is a new feature that was added to Firefox last year. When enabled, it encrypts DNS traffic coming in and out of the browser. DNS traffic is not only encrypted but also moved from port 53 (for DNS traffic) to port 443 (for HTTPS traffic), effectively hiding DNS queries and replies inside the browser's normal stream of HTTPS content. This encrypted DNS traffic reaches a so-called DoH resolver. Here, the DoH traffic is decrypted and the DoH resolver makes the DNS query on the user's behalf, receives the result, encrypts it, and sends it back to the user's browser -- also disguised inside encrypted HTTPS content.

This discussion has been archived. No new comments can be posted.

Mozilla To Add Second DNS-over-HTTPS (DoH) Provider in Firefox

Comments Filter:
  • D'OH! (Score:5, Funny)

    by RAHH ( 5900166 ) on Tuesday December 17, 2019 @02:39PM (#59529504)
    Every single time I read the acronym Homer Simpson appeared.
  • by magarity ( 164372 ) on Tuesday December 17, 2019 @02:40PM (#59529510)

    unless specifically requested by law enforcement

    Why just "requested" instead of "ordered" (which implies a certain degree of court oversight)?

    • Re: (Score:2, Troll)

      by thegarbz ( 1787294 )

      Why just "requested" instead of "ordered" (which implies a certain degree of court oversight)?

      Because PR people in general are not autistic pedants.

      • PR copy is vetted by legal. Mozilla is being intentionally squirrelly here. The whole point of pulling DNS resolution from the OS and into their own software is for Mozilla to wrest control over DNS queries from users' operating system. Once the ecosystem is established by Google (both in Chrome and in their other project: Mozilla), users' choices will be incrementally reduced until there is no choice. Users will have no choice but to allow Mozilla/Google to monetize their DNS queries as well as be subjecte
    • by AmiMoJo ( 196126 )

      The policy wording is says "except where required by law" so I guess it depends on jurisdiction. If the law says the cops only have to ask...

      https://wiki.mozilla.org/Secur... [mozilla.org]

  • What about DoT?? (Score:4, Interesting)

    by l2718 ( 514756 ) on Tuesday December 17, 2019 @02:43PM (#59529516)

    It is very notable that Mozilla is choosing to avoid going for DNS-over-TLS, an approach which is more consistent with the layered approach to networking and security.

    The fact that internet users make DNS queries is not secret, and does not need to be hidden among other HTTP traffic. It is the content of the DNS queries that needs protection.

    • by fibonacci8 ( 260615 ) on Tuesday December 17, 2019 @03:07PM (#59529612)
      Which is fine until someone starts blocking port 853. Blocking port 443 causes a lot more problems for the malicious ISP/government than it solves.
      • Blocking 1.1.1.1 and 8.8.8.8 is also not very hard.

      • Are you forced to use port 853? DNS over TLS could probably run just fine on port 443 too.

      • No need. It won't take long to establish a list of DoH servers and just block 443 to them. All of this will be moot on most corporate networks anyway. Ours, like most, will block all 443 unless you install the company certificate that allows the firewall to MITM all HTTPS traffic. So all Mozilla will have achieved is increasing surveillance by forcing network admins to make the choice between ceding all control or clamping down further.
    • Re:What about DoT?? (Score:5, Informative)

      by slack_justyb ( 862874 ) on Tuesday December 17, 2019 @03:12PM (#59529628)

      It is very notable that Mozilla is choosing to avoid going for DNS-over-TLS

      DNS over TLS is already done by systemd-resolved on Linux, so if anyone wanted to go that route, they could already do so. Android as well implements it in whatever version Pie is. Windows and Mac have been quite silent on implementations. For those operating systems it's more than likely people would need to use some sort of proxy. Mozilla has advocated query encryption for some time now, but the layered approach is arguably outside of their domain for implementation. If operating systems are dragging their feet on the matter, then I don't see that as Mozilla's concern.

      The fact that internet users make DNS queries is not secret, and does not need to be hidden among other HTTP traffic

      Aye, but look at implementation. The layer approach can be prohibited by simply blocking port 853, which China's firewall already does. However, China's firewall still permits 443 open and the country has not shown the ability to filter out specific web traffic from "legitimate" TLS traffic. That's not to say they will not be able to eventually do so, nor is that saying this China case is the only reason this method should be chosen. Picking DoT or DoH is best left to whatever you the user feels like is a good choice. Both have pros and cons to usage. However, the adoption of DoT has been abysmal at best, even at the behest of browser makers asking OS makers to implement.

      It is the content of the DNS queries that needs protection

      And both do that job. Implementation of DoT requires deeper hooks into a specific platform than browser makers really should have say in, but browser makers are the ones that stand to pay the most over inaction on DoT. however, I feel discussion over the two methods is about as academic as the kind of discussions we have here at Slashdot over things like vim vs emacs or IPv6 migration.

      My final take is this. Encryption following the more consistent with layered approach hasn't had any motion, even with vendors and open source advocates providing implementations for it. So in light of that apparent failure, browser makers are doing what they feel is within their power to rectify. I concur that taking the more by the book approach feels more satisfying, but it would seem that few feel obligated to follow suit.

      • DNS over TLS is already done by systemd-resolved on Linux, ...

        Yeah, I want my init system to be managing DNS for me.

        • by Cyberax ( 705495 )
          It has always done so, through /etc/resov.conf which was edited by the DHCP client.
        • Yeah, I want my init system to be managing DNS for me.

          systemd-resolved isn't an init system. If we're to compare it to other software it is a DNS proxy. While it does have the term systemd in it, systemd-resolved handles no init related functions. Thinking it does handle init related tasks is about as good a comparison of kcalc or konsole being a desktop manager. Just because it has the K in it, does not mean it functions anything like KDE proper. systemd-resolved is a program that is made by the same folks who bring you systemd, hence the systemd moniker

        • Comment removed based on user account deletion
      • I'm sure China's Great Firewall is performing TLS inspection so they can still snoop.
      • Re:What about DoT?? (Score:4, Informative)

        by MyFirstNameIsPaul ( 1552283 ) on Tuesday December 17, 2019 @04:47PM (#59529938) Journal

        DNS over TLS is already done by systemd-resolved on Linux, so if anyone wanted to go that route, they could already do so.

        How is this accomplished without knowing if the server can respond to DoT? Even at the firewall level it seems like some defined intermediary (Cloudflare, Quad9, Google, etc.) DoT server is required.

        Have you noticed that in these discussions nobody seems to mention that DoT and DoH can prevent modifying DNS queries?

        I found interesting this paragraph from a PowerDNS blog entry [powerdns.com]:

        DNS over HTTPS offers additional tracking capabilities

        DNS over HTTPS opens up DNS to all the tracking possibilities present in HTTPS and TLS. As it stands, DNS over UDP almost always gets some free privacy by mixing all devices on a network together – an outside snooper sees a stream of queries coming from a household, a coffeeshop or even an entire office building, with no way to tie a query to any specific device or user. Such mixing of queries provides an imperfect but useful modicum of privacy.

        DNS over HTTPS however neatly separates out each device (and even each individual application on that device) to a separate query stream. This alone is worrying, as we now have individual users’ queries, but the TLS that underlies HTTPS also typically uses TLS Resumption which offers even further tracking capabilities.

        In short, setting up an encrypted connection eats up precious CPU cycles both on client and server. It is therefore possible to reuse a previously established encrypted state for subsequent connections, which saves a lot of time and processor energy.

        It does however make it possible to track an application from IP address to IP address because this TLS Resumption session ID is effectively a cookie that uniquely tracks users across network and IP address changes.

        • by AmiMoJo ( 196126 )

          This is easily fixed by the client though. Just keep creating new connections. HTTPS is considered the baseline now, the overhead is relatively tiny.

      • by _merlin ( 160982 )

        However, China's firewall still permits 443 open and the country has not shown the ability to filter out specific web traffic from "legitimate" TLS traffic.

        Have you even been to China? The current implementation of the "great firewall" black-holes traffic to/from banned IP addresses/address ranges. You can't load Google APIs stuff over HTTPS because the IP addresses are blacklisted. They'll just blacklist the addresses of the DoH resolvers.

      • by Rambo ( 2730 )

        I would love to see a more layered approach that would defeat the use of MitM attacks like proxies that essentially strip away any protection you might have otherwise had from TLS (i.e. corporate proxies). Also the idea that a trojan might install a rogue proxy and add its certificate into any browsers present on the system is really unnerving, since you'd essentially be naked when visiting "secure" sites, and once the change was made the trojan wouldn't even have to hang around in the OS. Adding DoH just

    • It is the content of the DNS queries that needs protection.

      What does or does not need protection is not for you to decide, and especially not what tools someone uses for their protection against their adversary. If you want to fight for a selection switch to decide whether to do something over TLS or HTTPS then I'll be right behind your campaign. If you're proposing one or the other based on a decision you make without information about another user then you will find quite a bit of resistance.

    • by jrumney ( 197329 )

      Which DNS server you use while in China, may however be of interest to the Chinese secret police. By making it indistinguishable from HTTPS traffic, finding the DNS requests so they know which servers to block becomes a much bigger needle in haystack problem.

    • by AmiMoJo ( 196126 )

      DoH has some other advantages, e.g. it allows the server to send DNS data speculatively. The server knows that the site needs half a dozen domains to fully load so it sends them over before the browser has even asked.

    • It is the content of the DNS queries that needs protection.

      I fail to see the point. My computer shows where I point my browser next, it does a dns request. Like what is the ip number for website x. My ISP can see this. Okay, now Firefox can mask that. Golly, next thing that my network shows after some secret packets between my PC and this dns machine is the request at the IP number for website x.
      What privacy did I just gain?

  • by whoever57 ( 658626 ) on Tuesday December 17, 2019 @02:57PM (#59529566) Journal

    Does this feature work with a proxy?

    At the moment, it is difficult to have a single instance of Firefox that completely appears to be where my proxy is located. This is because the DNS queries are handled by my system resolver, which will give the same response to the queries from all browsers.

    Now, if the DoH requests are also proxied, this will allow me to run a browser instance that appears to be located in the country where the proxy is based (the endpoint of a VPN).

    It only needs the "CONNECT" method for this to work.

    • At the moment, it is difficult to have a single instance of Firefox that completely appears to be where my proxy is located.

      Why is setting network.proxy.socks_remote_dns=true difficult?

      • Or just checking the "Proxy DNS when using SOCKS v5" box in Firefox's preferences.
      • Why is setting network.proxy.socks_remote_dns=true difficult?

        It's not difficult. But does it do anything when I am using an HTTP proxy (Squid)?

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Tuesday December 17, 2019 @02:59PM (#59529576)
    Comment removed based on user account deletion
    • by Shotgun ( 30919 )

      My thought exactly. Is there any thought given to rotating DoH providers, along with slipping in some requests directly to the cable provider? The idea being that no one provider has enough information to really keep track of you. And I still don't see how this blocks the people that are really tracking you, the advertisers. If they serve you an add, what is to stop it from reporting back your IP and the page that you're on?

      Like all these VPN solutions, it just seems to me that they're kicking the can d

  • by Nickname Gallery ( 6466304 ) on Tuesday December 17, 2019 @03:10PM (#59529624)
    1) In Firefox type about:config into the location bar.
    2) Acknowledge stern warnings of impending doom
    3) Search for network.trr.mode
    4) Note that the name doesn't even mention DNS
    4) Set to 0
    5) For good measure vandalize the entry network.trr.uri
    • by bsolar ( 1176767 )
      The configuration is easily accessible under Preferences -> Network Settings.
      • It may not stay there. With this, it is also easier to put it in user.js, and I wanted to point out the choice of preference name.
    • Or open up network settings and untick the box which isn't ticked by default.

      Jeeeeesus. What next, change the Linux desktop resolution by recompiling the kernel with a driver that specifically disables the one you're using?

  • Hidden persistent malware communicates with external command and control servers which often cycle through IP addresses. DNS maps randomized hostnames (which can be generated by the malware) to the IP address for the moment.

    Anti-malware analytics looks for this (assume the end point can't be fixed, like a router or printer or other embedded device). Encrypted DNS hides it.
    • by TheSync ( 5291 )

      Also DoH to third-party DNS providers makes it harder for CDNs to re-direct you to less loaded media servers when you are streaming video.

  • Firefox requests the page fro the IP address from the ISP identifying the site that they so cleverly tried to hide from the ISP.

  • It's just a proxy (Score:3, Interesting)

    by Anonymous Coward on Tuesday December 17, 2019 @04:29PM (#59529868)

    Yes, you are hiding your DNS queries from your ISP but you are giving all your DNS queries to Google/Cloudflare/NextDNS.

    This should be fixed at the DNS protocol level not via MitM proxies. The DNS protocol should be enhanced to have optional full forward secrecy for query/response and everyone should run their own caching DNS servers on their router.

    I'd rather my ISP see my DNS queries than Google or Cloudflare. YMMV.

  • by Anonymous Coward
    It only resolves A records. No CNAME, MX, SRV or TXT records for you.
  • Not "feature".

    Yay, now my ISP can not spy on my DNS requests anymore. Now Mozilla can!
    (And anyone they chose as a provider. ... Can I buy being one? I got some people who'd pay big money for that. -- Mr. S. Leaze van Bag)

    Except I DIDN'T USE MY ISP'S DNS!
    I run my own! And you fuckers just deliberately put a leak in my VPN!

    I hope your get a virus. The really nasty kind, that gives you a bleeding bulbonic anus plague.
    ${insert The Thick Of It insults}

    • >"Yay, now my ISP can not spy on my DNS requests anymore. Now Mozilla can!"

      Or Google. Firefox allows you to specify which provider you want to use. I have a feeling more will appear.

      >"And anyone they chose as a provider. ... Can I buy being one?"

      You don't have to buy one. You can set the IP address of whatever provider you choose in the settings.

      >"Except I DIDN'T USE MY ISP'S DNS! I run my own! And you fuckers just deliberately put a leak in my VPN!"

      No, because you are not forced to use it at a

  • https://www.asuswrt-merlin.net... [asuswrt-merlin.net]

    Asuswrt-Merlin 384/NG Changelog

    384.14 (14-Dec-2019)
    - NEW: Implement option to prevent Firefox's automatic usage of DoH.
    By default, this will only apply if you have DNSPrivacy
    enabled, or if you have DNSFilter enabled with a global
    filter, to ensure that Firefox will not byp

    • NEW: Implement option to prevent Firefox's automatic usage of DoH.

      Clever. But how does it detect it? I'm wondering if this feature might be useful in PiHole too?

      • by eahm ( 6466500 )

        Not entirely sure, I may go ask Merlin on IRC later. I just enabled that feature and also enabled DoT/Cloudflare for the network apart from son's devices which they are locked to CleanBrowsing Family DNS.

  • I mean, what does it exactly achieve, as far as me, the user, is concerned? My ISP won't be able to see my DNS queries, but they sure will be able to see what sites I am visiting. On the other hand, the DoH server, which is outside my control, will be able to see every single DNS query that I make. Thus, in a nutshell, I go from the standard setting, in which my ISP can see my DNS queries and what sites I visit, to another setting in which my ISP still can see what sites I visit, and a third party (Cloudfl

  • Oh, so now we need permission to set DoH to a host Firefox has blessed hmm? No thank you, f**k you very much.

    How about we should be able to set it to whatever we damn well please?

    I guess someone needs to make a patcher for Firefox that will give true control back to the users. To think that it's come to this.

    What's that about those who prefer security over liberty, again?

  • Until all the sites we hit are using TLS 1.3 it doesn't matter if your DNS is or isn't encrypted. Your ISP is just as capable of reading the SNI parameter of your TLS requests if they want to record the domains you're visiting, and they probably do.

    All Mozilla is doing right now is forcing the unwary to divulge their domain requests to Mozilla's chosen providers instead of that data being either A) Spread across the various ISP's or B) Going to the actual DNS provider you already told your network to use.

    D

    • Until all the sites we hit are using TLS 1.3 it doesn't matter if your DNS is or isn't encrypted. Your ISP is just as capable of reading the SNI parameter of your TLS requests if they want to record the domains you're visiting

      Yup.

      , and they probably do.

      Well, we're no CenturyLink or Comcast or anything... But we do have tens of thousands of fiber home residential customers.
      The only time we look at things like SNI fields or DNS requests are when we're trying to help you get your damn internet working.
      All this shit about moving to large non-ISP resolvers is just making all of your service worse. Our local cachers have tiny fractions of the latency, and don't have to fight streaming protocol congestion windows for long-running streams of what should be

      • All this shit about moving to large non-ISP resolvers is just making all of your service worse. Our local cachers have tiny fractions of the latency, and don't have to fight streaming protocol congestion windows for long-running streams of what should be simple query/response transactions.

        Don't forget that using massively shared DNS servers like this also breaks CDNs like Akamai and Cloudfront. They use the incoming DNS requests from your configured DNS resolvers to return IP addresses of caching servers located physically close to where "you" are. If everyone's using 1.1.1.1 and 8.8.8.8 then everybody will be sharing the same two sets of caching servers and getting worse downloads the further away from them they are.

        • by amorsen ( 7485 )

          The results you get from 1.1.1.1 and 8.8.8.8 depend on your location. The problem you imagine has already been solved.

          • Kind of.
            Anycast nameservers serving local addresses is far more accurate.
            eDNS0 Client Subnet as an extension is a pretty shit poor attempt at getting originator information from a query.
            A) It's limited to /24 resolution (or lower depending on intermediate resolvers), which as anyone who runs a network can tell you, says nothing of geographical location of a subnet.
            B) It relies on some kind of database as to what /24's (again, wrongly in many cases) are located where.

            The "problem" has been "solved" to
            • by amorsen ( 7485 )

              The "problem" has been "solved" to the liking of those who made the push, who determined, I'm sure quite rightly for them, that having the DNS queries is more valuable than the additional cost to the end user in terms of latency for having incorrect local routing.

              You are implying that Cloudflare and NextDNS are profiting from getting the DNS queries. They have explicitly promised not to do so, and Mozilla has audited them.

              You are not the only one making these allegations. I would really like some substantiation. What do you know that Mozilla does not?

              • You are implying that Cloudflare and NextDNS are profiting from getting the DNS queries. They have explicitly promised not to do so, and Mozilla has audited them.

                No, I'm implying that not one party in that list you just gave has demonstrated a single reason to be trusted, and many reasons not to be.
                Also, you're thinking far too small.
                This is a war for control over name resolution. Learned you nothing of Microsoftian tactics? Play nice until you have the control, then exert it.

                You are not the only one making these allegations. I would really like some substantiation. What do you know that Mozilla does not?

                There's nothing contentious about my allegation. It assessed base value of 2 setups to interested parties.
                I'd love to hear you explain how my allegation is *wrong*.

                Now, as far as my implic

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...