Mozilla To Add Second DNS-over-HTTPS (DoH) Provider in Firefox (zdnet.com)
Mozilla has announced that NextDNS would be joining Cloudflare as the second DNS-over-HTTPS (DoH) provider inside Firefox. From a report: The browser maker says NextDNS passed the conditions imposed by its Trusted Recursive Resolver (TRR) program, and can now be added as a second option for DoH inside Firefox. These conditions include (1) limiting the data NextDNS collects from the DoH server used by Firefox users; (2) being transparent about the data they collect; and (3) promising not to censor, filter, or block DNS traffic unless specifically requested by law enforcement.
DNS-over-HTTPS, or DoH, is a new feature that was added to Firefox last year. When enabled, it encrypts DNS traffic coming in and out of the browser. DNS traffic is not only encrypted but also moved from port 53 (for DNS traffic) to port 443 (for HTTPS traffic), effectively hiding DNS queries and replies inside the browser's normal stream of HTTPS content. This encrypted DNS traffic reaches a so-called DoH resolver. Here, the DoH traffic is decrypted and the DoH resolver makes the DNS query on the user's behalf, receives the result, encrypts it, and sends it back to the user's browser -- also disguised inside encrypted HTTPS content.
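As an added illustration of what the summary describes (this is example code, not from the article, Mozilla or any resolver): RFC 8484 DoH carries an ordinary DNS wire-format message in the body of an HTTPS request and response, which is why it looks like any other port-443 traffic. The resolver hostname and the response bytes below are constructed placeholders.

```python
import base64
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Build an RFC 1035 wire-format query (the DoH request body)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_path(wire):
    """RFC 8484 GET form: the message is base64url-encoded, padding removed."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


def doh_post_request(host, wire, path="/dns-query"):
    """The HTTP request the browser sends inside its TLS session (POST form)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Accept: application/dns-message\r\nContent-Length: {len(wire)}\r\n\r\n")
    return head.encode() + wire


def _read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln


def parse_response(wire):
    """Parse the DNS message the resolver returns in the HTTPS response body."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(wire, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(wire, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed resolver reply: example.com A 192.0.2.1 (documentation address).
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Between `build_query` and `parse_response` the only thing a network observer sees is a TLS session to the resolver; `doh_post_request` shows the plaintext that session protects.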
D'OH! (Score:5, Funny)
Requested? Or ordered? (Score:5, Interesting)
unless specifically requested by law enforcement
Why just "requested" instead of "ordered" (which implies a certain degree of court oversight)?
Re: (Score:2, Troll)
Why just "requested" instead of "ordered" (which implies a certain degree of court oversight)?
Because PR people in general are not autistic pedants.
Re: (Score:1)
Re: (Score:2)
The policy wording says "except where required by law", so I guess it depends on jurisdiction. If the law says the cops only have to ask...
https://wiki.mozilla.org/Secur... [mozilla.org]
What about DoT?? (Score:4, Interesting)
It is very notable that Mozilla is choosing to avoid going for DNS-over-TLS, an approach which is more consistent with the layered approach to networking and security.
The fact that internet users make DNS queries is not secret, and does not need to be hidden among other HTTP traffic. It is the content of the DNS queries that needs protection.
Re:What about DoT?? (Score:5, Insightful)
Re: (Score:3)
Blocking 1.1.1.1 and 8.8.8.8 is also not very hard.
Re: (Score:2)
Are you forced to use port 853? DNS over TLS could probably run just fine on port 443 too.
Re: (Score:2)
Sure, just show us a public provider that is offering that service on that port.
Re: (Score:2)
I'm sure it will happen as soon as the blocking of port 853 becomes a problem. So far it isn't.
Re: (Score:1)
Re:What about DoT?? (Score:5, Informative)
It is very notable that Mozilla is choosing to avoid going for DNS-over-TLS
DNS over TLS is already done by systemd-resolved on Linux, so if anyone wanted to go that route, they could already do so. Android as well implements it in whatever version Pie is. Windows and Mac have been quite silent on implementations. For those operating systems it's more than likely people would need to use some sort of proxy. Mozilla has advocated query encryption for some time now, but the layered approach is arguably outside of their domain for implementation. If operating systems are dragging their feet on the matter, then I don't see that as Mozilla's concern.
The fact that internet users make DNS queries is not secret, and does not need to be hidden among other HTTP traffic
Aye, but look at implementation. The layer approach can be prohibited by simply blocking port 853, which China's firewall already does. However, China's firewall still permits 443 open and the country has not shown the ability to filter out specific web traffic from "legitimate" TLS traffic. That's not to say they will not be able to eventually do so, nor is that saying this China case is the only reason this method should be chosen. Picking DoT or DoH is best left to whatever you the user feels like is a good choice. Both have pros and cons to usage. However, the adoption of DoT has been abysmal at best, even at the behest of browser makers asking OS makers to implement.
It is the content of the DNS queries that needs protection
And both do that job. Implementation of DoT requires deeper hooks into a specific platform than browser makers really should have say in, but browser makers are the ones that stand to pay the most over inaction on DoT. However, I feel discussion over the two methods is about as academic as the kind of discussions we have here at Slashdot over things like vim vs emacs or IPv6 migration.
My final take is this. Encryption following the more consistent layered approach hasn't had any motion, even with vendors and open source advocates providing implementations for it. So in light of that apparent failure, browser makers are doing what they feel is within their power to rectify. I concur that taking the more by the book approach feels more satisfying, but it would seem that few feel obligated to follow suit.
Re: (Score:3)
DNS over TLS is already done by systemd-resolved on Linux, ...
Yeah, I want my init system to be managing DNS for me.
Re: (Score:2)
Re: (Score:3)
Yeah, I want my init system to be managing DNS for me.
systemd-resolved isn't an init system. If we're to compare it to other software it is a DNS proxy. While it does have the term systemd in it, systemd-resolved handles no init related functions. Thinking it does handle init related tasks is about as good a comparison as kcalc or konsole being a desktop manager. Just because it has the K in it does not mean it functions anything like KDE proper. systemd-resolved is a program that is made by the same folks who bring you systemd, hence the systemd moniker.
Re: (Score:2)
Re: (Score:1)
Re:What about DoT?? (Score:4, Informative)
How is this accomplished without knowing if the server can respond to DoT? Even at the firewall level it seems like some defined intermediary (Cloudflare, Quad9, Google, etc.) DoT server is required.
Have you noticed that in these discussions nobody seems to mention that DoT and DoH can prevent modifying DNS queries?
I found interesting this paragraph from a PowerDNS blog entry [powerdns.com]:
Re: (Score:2)
This is easily fixed by the client though. Just keep creating new connections. HTTPS is considered the baseline now, the overhead is relatively tiny.
Re: (Score:1)
Re: (Score:2)
It's kind of opt in. When it is enabled there is a message on screen asking you to confirm.
Re: (Score:2)
Re: (Score:2)
Have you even been to China? The current implementation of the "great firewall" black-holes traffic to/from banned IP addresses/address ranges. You can't load Google APIs stuff over HTTPS because the IP addresses are blacklisted. They'll just blacklist the addresses of the DoH resolvers.
Re: (Score:2)
Re: (Score:2)
I would love to see a more layered approach that would defeat the use of MitM attacks like proxies that essentially strip away any protection you might have otherwise had from TLS (i.e. corporate proxies). Also the idea that a trojan might install a rogue proxy and add its certificate into any browsers present on the system is really unnerving, since you'd essentially be naked when visiting "secure" sites, and once the change was made the trojan wouldn't even have to hang around in the OS. Adding DoH just
Re: (Score:2)
It is the content of the DNS queries that needs protection.
What does or does not need protection is not for you to decide, and especially not what tools someone uses for their protection against their adversary. If you want to fight for a selection switch to decide whether to do something over TLS or HTTPS then I'll be right behind your campaign. If you're proposing one or the other based on a decision you make without information about another user then you will find quite a bit of resistance.
Re: (Score:2)
Which DNS server you use while in China, may however be of interest to the Chinese secret police. By making it indistinguishable from HTTPS traffic, finding the DNS requests so they know which servers to block becomes a much bigger needle in haystack problem.
Re: (Score:2)
DoH has some other advantages, e.g. it allows the server to send DNS data speculatively. The server knows that the site needs half a dozen domains to fully load so it sends them over before the browser has even asked.
Re: What about DoT?? (Score:1)
I fail to see the point. My computer shows where I point my browser next, it does a dns request. Like what is the ip number for website x. My ISP can see this. Okay, now Firefox can mask that. Golly, next thing that my network shows after some secret packets between my PC and this dns machine is the request at the IP number for website x.
What privacy did I just gain?
Proxy? (Score:3)
Does this feature work with a proxy?
At the moment, it is difficult to have a single instance of Firefox that completely appears to be where my proxy is located. This is because the DNS queries are handled by my system resolver, which will give the same response to the queries from all browsers.
Now, if the DoH requests are also proxied, this will allow me to run a browser instance that appears to be located in the country where the proxy is based (the endpoint of a VPN).
It only needs the "CONNECT" method for this to work.
Re: (Score:1)
At the moment, it is difficult to have a single instance of Firefox that completely appears to be where my proxy is located.
Why is setting network.proxy.socks_remote_dns=true difficult?
Re: (Score:1)
Re: (Score:2)
It's not difficult. But does it do anything when I am using an HTTP proxy (Squid)?
Comment removed (Score:4, Interesting)
Re: (Score:3)
My thought exactly. Is there any thought given to rotating DoH providers, along with slipping in some requests directly to the cable provider? The idea being that no one provider has enough information to really keep track of you. And I still don't see how this blocks the people that are really tracking you, the advertisers. If they serve you an add, what is to stop it from reporting back your IP and the page that you're on?
Like all these VPN solutions, it just seems to me that they're kicking the can d
Public Service Announcement: How to disable DoH (Score:4, Informative)
2) Acknowledge stern warnings of impending doom
3) Search for network.trr.mode
4) Note that the name doesn't even mention DNS
4) Set to 0
5) For good measure vandalize the entry network.trr.uri
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Or open up network settings and untick the box which isn't ticked by default.
Jeeeeesus. What next, change the Linux desktop resolution by recompiling the kernel with a driver that specifically disables the one you're using?
Encrypted DNS is great for malware (Score:2)
Anti-malware analytics looks for this (assume the end point can't be fixed, like a router or printer or other embedded device). Encrypted DNS hides it.
Re: (Score:2)
Also DoH to third-party DNS providers makes it harder for CDNs to re-direct you to less loaded media servers when you are streaming video.
And finally (Score:2)
Firefox requests the page from the IP address from the ISP, identifying the site that they so cleverly tried to hide from the ISP.
It's just a proxy (Score:3, Interesting)
Yes, you are hiding your DNS queries from your ISP but you are giving all your DNS queries to Google/Cloudflare/NextDNS.
This should be fixed at the DNS protocol level not via MitM proxies. The DNS protocol should be enhanced to have optional full forward secrecy for query/response and everyone should run their own caching DNS servers on their router.
I'd rather my ISP see my DNS queries than Google or Cloudflare. YMMV.
DoH is lame (Score:1)
You misspelled "bug" there. (Score:2)
Not "feature".
Yay, now my ISP can not spy on my DNS requests anymore. Now Mozilla can! (And anyone they chose as a provider. ... Can I buy being one? I got some people who'd pay big money for that. -- Mr. S. Leaze van Bag)
Except I DIDN'T USE MY ISP'S DNS!
I run my own! And you fuckers just deliberately put a leak in my VPN!
I hope you get a virus. The really nasty kind, that gives you a bleeding bubonic anus plague.
${insert The Thick Of It insults}
Re: (Score:2)
>"Yay, now my ISP can not spy on my DNS requests anymore. Now Mozilla can!"
Or Google. Firefox allows you to specify which provider you want to use. I have a feeling more will appear.
>"And anyone they chose as a provider. ... Can I buy being one?"
You don't have to buy one. You can set the IP address of whatever provider you choose in the settings.
>"Except I DIDN'T USE MY ISP'S DNS! I run my own! And you fuckers just deliberately put a leak in my VPN!"
No, because you are not forced to use it at a
Asuswrt-Merlin automatically disables Firefox DoH (Score:1)
https://www.asuswrt-merlin.net... [asuswrt-merlin.net]
Asuswrt-Merlin 384/NG Changelog
384.14 (14-Dec-2019)
- NEW: Implement option to prevent Firefox's automatic usage of DoH.
By default, this will only apply if you have DNSPrivacy
enabled, or if you have DNSFilter enabled with a global
filter, to ensure that Firefox will not byp
Re: (Score:2)
NEW: Implement option to prevent Firefox's automatic usage of DoH.
Clever. But how does it detect it? I'm wondering if this feature might be useful in PiHole too?
Re: (Score:1)
Not entirely sure, I may go ask Merlin on IRC later. I just enabled that feature and also enabled DoT/Cloudflare for the network, apart from my son's devices, which are locked to CleanBrowsing Family DNS.
What good is DoH? (Score:2)
I mean, what does it exactly achieve, as far as me, the user, is concerned? My ISP won't be able to see my DNS queries, but they sure will be able to see what sites I am visiting. On the other hand, the DoH server, which is outside my control, will be able to see every single DNS query that I make. Thus, in a nutshell, I go from the standard setting, in which my ISP can see my DNS queries and what sites I visit, to another setting in which my ISP still can see what sites I visit, and a third party (Cloudfl
Re: (Score:1)
Re: (Score:2)
>"[...]This is more, better privacy exactly how?"
Bingo.
"Allowed by Firefox" huh? (Score:2)
Oh, so now we need permission to set DoH to a host Firefox has blessed hmm? No thank you, f**k you very much.
How about we should be able to set it to whatever we damn well please?
I guess someone needs to make a patcher for Firefox that will give true control back to the users. To think that it's come to this.
What's that about those who prefer security over liberty, again?
Re: (Score:3)
Off by default (Score:1)
Data collection to solve a privacy issue (Score:2)
Until all the sites we hit are using TLS 1.3 it doesn't matter if your DNS is or isn't encrypted. Your ISP is just as capable of reading the SNI parameter of your TLS requests if they want to record the domains you're visiting, and they probably do.
All Mozilla is doing right now is forcing the unwary to divulge their domain requests to Mozilla's chosen providers instead of that data being either A) Spread across the various ISP's or B) Going to the actual DNS provider you already told your network to use.
D
Re: (Score:2)
Until all the sites we hit are using TLS 1.3 it doesn't matter if your DNS is or isn't encrypted. Your ISP is just as capable of reading the SNI parameter of your TLS requests if they want to record the domains you're visiting
Yup.
, and they probably do.
Well, we're no CenturyLink or Comcast or anything... But we do have tens of thousands of fiber home residential customers.
The only time we look at things like SNI fields or DNS requests are when we're trying to help you get your damn internet working.
All this shit about moving to large non-ISP resolvers is just making all of your service worse. Our local cachers have tiny fractions of the latency, and don't have to fight streaming protocol congestion windows for long-running streams of what should be
Re: (Score:2)
All this shit about moving to large non-ISP resolvers is just making all of your service worse. Our local cachers have tiny fractions of the latency, and don't have to fight streaming protocol congestion windows for long-running streams of what should be simple query/response transactions.
Don't forget that using massively shared DNS servers like this also breaks CDNs like Akamai and Cloudfront. They use the incoming DNS requests from your configured DNS resolvers to return IP addresses of caching servers located physically close to where "you" are. If everyone's using 1.1.1.1 and 8.8.8.8 then everybody will be sharing the same two sets of caching servers and getting worse downloads the further away from them they are.
Re: (Score:2)
The results you get from 1.1.1.1 and 8.8.8.8 depend on your location. The problem you imagine has already been solved.
Re: (Score:2)
Anycast nameservers serving local addresses is far more accurate.
EDNS0 Client Subnet as an extension is a pretty shit poor attempt at getting originator information from a query.
A) It's limited to
B) It relies on some kind of database as to what
The "problem" has been "solved" to
Re: (Score:2)
The "problem" has been "solved" to the liking of those who made the push, who determined, I'm sure quite rightly for them, that having the DNS queries is more valuable than the additional cost to the end user in terms of latency for having incorrect local routing.
You are implying that Cloudflare and NextDNS are profiting from getting the DNS queries. They have explicitly promised not to do so, and Mozilla has audited them.
You are not the only one making these allegations. I would really like some substantiation. What do you know that Mozilla does not?
Re: (Score:2)
You are implying that Cloudflare and NextDNS are profiting from getting the DNS queries. They have explicitly promised not to do so, and Mozilla has audited them.
No, I'm implying that not one party in that list you just gave has demonstrated a single reason to be trusted, and many reasons not to be.
Also, you're thinking far too small.
This is a war for control over name resolution. Learned you nothing of Microsoftian tactics? Play nice until you have the control, then exert it.
You are not the only one making these allegations. I would really like some substantiation. What do you know that Mozilla does not?
There's nothing contentious about my allegation. It assessed base value of 2 setups to interested parties.
I'd love to hear you explain how my allegation is *wrong*.
Now, as far as my implic