Mozilla Firefox

Fearing Drama, Mozilla Opens Public Consultation Before Worldwide Firefox DoH Rollout (zdnet.com) 79

Mozilla today opened a public comment and consultation period about the ways it could enable support for the controversial privacy-centric DNS-over-HTTPS (DoH) protocol inside Firefox. From a report: The browser maker's decision to open a rare public consultation period comes after the organization faced criticism last year in the UK for its plans to support DoH inside Firefox. UK government officials, law enforcement agencies, and local internet service providers criticized Mozilla for developing and wanting to roll out DoH, a feature they said could have helped suspects bypass enterprise firewalls and parental-control blocklists -- even earning the browser maker a nomination for an "Internet Villain" award from a local ISP. All last year's hoopla was caused by DoH, a web protocol developed as an alternative to the classic DNS (Domain Name System). DoH works by encrypting DNS queries (which are normally sent out in clear text) and hiding them inside normal-looking HTTPS web traffic.
  • Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong. I fully support the privacy initiatives and wish a pox on ISPs who abuse DNS, but this is not the way the network stack is supposed to work. I am real fucking excited about NOT supporting this. It's gonna be too damn easy to just tell people to use a different browser.

    • If your network security relies on a configured DNS to work, your network is broken.

      DOH is a good thing.

      • If your network security relies on a configured DNS to work, your network is broken.

        Not really, you can have local domains on the local network. But then again, Firefox will attempt to resolve those properly so it won't break.

        • Attempt.

          Sorry, what?

          You think I'll let those nutjobs decide what I want for DNS and what not?

          Name resolution is an OS service!

          Software should NEVER deal with it directly!
          That is called a trojan! A deliberate MITM-enabling backdoor.

          I will submit Firefox's backdoor code to anti-virus databases, you can bet on that! (Chrome's too.)

          • by serviscope_minor ( 664417 ) on Thursday November 19, 2020 @01:17PM (#60743516) Journal

            Attempt.

            Sorry, what?

            Nothing can guarantee an attempt to communicate over a network will succeed. So "attempt" is the correct term.

            You think I'll let those nutjobs decide what I want for DNS and what not?

            FFS man, you're claiming to be technically competent. Go into the settings and SWITCH IT OFF if you don't want it.

            Name resolution is an OS service!

            Why?

            Software should NEVER deal with it directly!

            Why?

            That is called a trojan! A deliberate MITM-enabling backdoor.

            Stop being foolish, it's neither of those things. You HAVE to trust Firefox already. If they wanted to MITM you, then they could fuck with SSL since that's compiled into the browser. It's laughable that they'd not bother with the most obvious attack vector, then do something really perverse with DNS because REASONS. Be rational.

            I will submit Firefox's backdoor code to anti-virus databases, you can bet on that! (Chrome's too.)

            Great just what they need, legions of neckbeards spamming them.

          • Comment removed (Score:4, Insightful)

            by account_deleted ( 4530225 ) on Thursday November 19, 2020 @01:35PM (#60743630)
            Comment removed based on user account deletion
      • Re: (Score:3, Insightful)

        by fahrbot-bot ( 874524 )

        DOH is a good thing.

        Perhaps, if your browser and OS and other apps also use it. Otherwise, you're getting DNS information from different sources -- DNS server and DoH server. Theoretically, this shouldn't be an issue, but theory and practice don't always agree.

        A man with one watch knows the time, a man with two is never sure.

      • by Z00L00K ( 682162 )

        You are missing the point - if the browser does DoH then it can actually cause intranet functionality to fail, and that's a real bugger.

        On my home network I have an "override" of my local server so that it's using the internal IP address instead of the public because the public IP address would be causing a request to go out in public before coming back.

    • by serviscope_minor ( 664417 ) on Thursday November 19, 2020 @12:50PM (#60743364) Journal

      Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong.

      Firstly, why? You state this as a fact, but provide no reasons.

      Secondly, if you're on your own network, then just add a canary domain and Firefox won't use DoH, or, add the canary to your resolver, or configure it to not use DoH. If you're on an enterprise system, the enterprise management stuff can turn it off.

      It's 100% your choice whether to use it or not.

      I fully support the privacy initiatives and wish a pox on ISPs who abuse DNS, but this is not the way the network stack is supposed to work.

      Well, this is currently the only practical way to sidestep evil ISPs, and currently the evil of the ISPs far outweighs the evil of a second DNS system. In my opinion, of course. I think you're letting perfect be the enemy of good. It's good to avoid Theresa May's snoopathon or the ISPs farming you for advertising. Waiting for hypothetical perfect future solutions means this will continue for the foreseeable future.

      I am real fucking excited about NOT supporting this.

      Supporting this? It just works.

      It's gonna be too damn easy to just tell people to use a different browser.

      This sounds like a rant along the lines of "Firefox sux because of X so I'll switch to chrome which does X more and first!".
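As an added example (not code from the thread or from Mozilla), here is what the DoH mechanics argued over above look like in Python: the RFC 8484 GET request a DoH client sends, a parser for the wire-format answer that comes back, and the NXDOMAIN check on the use-application-dns.net canary that lets a network operator opt Firefox out. The resolver URL and the sample responses are constructed placeholders.

```python
# Added example (not from the Slashdot thread or from Mozilla's code): how a DoH
# client packs a DNS query into an RFC 8484 GET URL, how it reads the wire-format
# answer back, and the NXDOMAIN "canary" check a resolver operator can use to opt
# a network out of DoH. Resolver URL and all sample bytes below are constructed.
import base64
import struct

RESOLVER = "https://doh.example.invalid/dns-query"   # placeholder, not a real resolver
CANARY = "use-application-dns.net"                   # the canary name Firefox looks up

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, zero terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard query, ID 0 (RFC 8484 recommends 0 so GET URLs cache well), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{RESOLVER}?dns={b64}"

def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes):
    """Return (rcode, [IPv4 strings from A records]) from a wire-format DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return rcode, answers

def canary_disables_doh(msg: bytes) -> bool:
    """Firefox treats NXDOMAIN (rcode 3) or an empty answer for the canary as 'use system DNS'."""
    rcode, answers = parse_response(msg)
    return rcode == 3 or not answers

# Constructed sample responses: a normal A answer, and a resolver signalling NXDOMAIN.
SAMPLE_A = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + encode_name("intranet.example")
            + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([10, 0, 0, 5]))
SAMPLE_NX = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + encode_name(CANARY) + struct.pack("!HH", 1, 1)
```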

      • by MeNeXT ( 200840 )

        Secondly, if you're on your own network, then just add a canary domain and Firefox won't use DoH, or, add the canary to your resolver, or configure it to not use DoH. If you're on an enterprise system, the enterprise management stuff can turn it off.

        So all this trouble for nothing? Someone smart enough to spy on your DNS queries is too stupid to use the canary domain to disable it? What a waste of energy to accomplish absolutely no benefit for user privacy but an amazing opportunity to spy on users.

        It doesn't just work; it breaks local networks.

      • by GoRK ( 10018 )

        Yeah, I'm not the user who is gonna be calling up when I can't get to my printer's webpage or all my web pages are running slow as shit because Firefox is resolving to CDN endpoints on the other side of the Earth.

        > Well this is currently the only practical way to sidestep evil ISPs

        Not even close, sorry.

        > This sounds like a rant along the lines of "Firefox sux because of X so I'll switch to chrome which does X more and first!".

        This isn't a problem for me or you because we know about this. 99% of people d

        • Yeah, I'm not the user who is gonna be calling up when I can't get to my printer's webpage or all my web pages are running slow as shit because Firefox is resolving to CDN endpoints on the other side of the Earth.

          They've already tried large rollouts and it hasn't caused all the problems the peanut gallery seems to think are terminal. It's almost like they have thought of this stuff. It's in the FAQ.

          How does Firefox handle split-horizon DNS?

          If Firefox fails to resolve a domain via DoH, it will fall back to the D

        • Second reply because the lameness filter has gone mad.

          How about Apple's recent policy of allowing their own apps to bypass local network policy, routing, and vpn layers. Do you think that is OK too? Because it's eerily close to being the same fucking thing.

          Sounds a bit different to me for a variety of reasons, but I don't know for sure. Why are they doing this?

          In Firefox's (and Chrome's, and Opera's and Brave's and...) case they're doing it because bad actors have thoroughly Trojaned DNS, turning it into a fantastic wa

    • Using DNS to censor and block websites is also not how the system was intended to work. ANYONE that messes with DNS is in the wrong IMO.
    • by apoc.famine ( 621563 ) <apoc.famine@noSpAM.gmail.com> on Thursday November 19, 2020 @01:06PM (#60743450) Journal

      Maybe read up on it before the angry rant?

      You can use whoever you want for DoH. That's the opposite of a vendor-selected resolver, like you claim. Sure, they offer Cloudflare as an option if you don't have a preference, but it's not like you're locked into them. There's a damn drop-down menu of choices, one of which is 'Custom'.

      I'm more than happy to have Cloudflare handle my DNS queries privately instead of my ISP or Google. I'm even happier that my ISP isn't snooping on my DNS queries. I fail to see what all the anger is about.

      If you don't want DoH, there's a checkbox under network settings for that. How DARE they give us choices!!!!

    • Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong. I fully support the privacy initiatives and wish a pox on ISPs who abuse DNS, but this is not the way the network stack is supposed to work. I am real fucking excited about NOT supporting this. It's gonna be too damn easy to just tell people to use a different browser.

      Advice like this makes me wonder how many starving people you've educated about how to cure world hunger without actually fucking helping at all.

      If you fully support privacy initiatives, I sure as shit don't see you offering anything but resistance.

    • Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong.

      Agreed. Firefox has already been messing up DNS in the browser, pushing valid sites to a search engine request because the Firefox DNS for some reason cannot find a FQDN that resolves quite correctly on my network's DNS. If Firefox can't even get simple DNS right, what's the chance of them getting DoH right?
    • by hey! ( 33014 )

      This kind of thing reminds me of how Skype connects pairs of users without an intermediate server, even when both endpoints are behind NAT firewalls. This involves using standard TCP/IP features, but in a way they were never intended to be used. Nonetheless it works as long as the TCP/IP implementation adheres to standards.

      Here Mozilla is trying to accomplish something similar: provide a feature that is useful to its users that uses standard network features, but in a way not originally intended. As long

  • Comment removed based on user account deletion
    • Keep this up and they [browsers] will be the Internet for most people.

      That ship sailed probably 20 years ago.

      • No it hasn't. So stop pushing it.
        Most people use WhatsApp every day, and it isn't in the browser.
        Neither is any other app. Or their Office software on their PC.
        All they usually do on the web is e-mail (stupidly), reading websites, cat pictures and YouTube-likes.

        • by rtb61 ( 674572 )

          There is a step they can take. Replace DNS altogether with actual name based internet IP address look up and kick DNS right on out of that internet. A localised internet new age yellow pages, link people from company name direct to IP address, DNS not needed all of the time.

    • Keep this up and they will be the Internet for most people.

      I think most people already think Facebook = Internet.

      There's slightly smarter people who think Web = Internet.

      And there's the ignorant people who used to think "Blue E = Internet", but Microsoft took their "Blue E" away and they were forced to learn a bit how things work.

    • Re:Why DNSSEC (Score:5, Interesting)

      by PraiseBob ( 1923958 ) on Thursday November 19, 2020 @01:02PM (#60743432)
      I'd much rather trust an open source browser that I choose, with configuration settings I choose, than trust my ISP. My ISP isn't my first, second, or even third choice; it's my only high speed choice because of their monopoly on my city's geographic region. I know that they spy on my DNS requests, and sometimes hijack them when my VPN is off. I know they make money from spying on me, and selling my private info against my wishes. All this talk about "enterprise firewalls" being at risk, and "won't somebody please think of the kids" is pure bullshit; it's only about the money.
      • by MeNeXT ( 200840 )

        And yet that same ISP can disable your DoH faster than you can activate it. DoH changes nothing as far as your ISP is concerned. If you don't trust your ISP your ONLY option is a VPN through a trusted provider.

    • One word: Idiocracy.

      Though there's more to it: Somehow those people have their polarities reversed. I saw it start with hipsters, that intentionally had "bad = good". Along the bad/good axis of batshit insanity.

      I mean just look at the whole webification mess... How does any of that even remotely make sense? EVERY single part of Firefox or Chrome can be replaced by an existing older lower level function/service/protocol/... WebSOCKETS?? ...

      It's insanity! Pure unadulterated insanity! And we need to finally ta

    • Browser vendors have too much power and control as it is.

      Which is relevant why? Don't use their DoH servers and move on with your life. Hell Firefox doesn't default to any browser vendor's DoH server.

      • Not yet, they don't. When Firefox v100 is out, there won't be a choice anymore. Google's Chrome will have taken away that choice too.

        Have you not been paying attention lately? All browsers introduce things as a choice, until they don't. DoH won't be any different.

        Also, this is much more a U.S.-only thing. ISPs spy on DNS. In other countries ISPs don't spy on their users. So DoH doesn't bring any benefit. As in, at all.

        Why do ISPs not spy on users? Not allowed by law. And those are upheld by organizat

        • Not yet, they don't. When Firefox v100 is out, there won't be a choice anymore.

          Holy shit your conspiracy bullshit is getting tiring. You nutjobs have been saying shit like that for years. Remember how in 2020 Linux wouldn't be able to work on computers anymore due to UEFI.

          I'm genuinely curious, do you guys just troll or do you actually believe your own bullshit?

          • What was unclear about taking away configuration options? Which has been done again and again?

            I'm genuinely curious, are you willfully that blind, or do you enjoy being naked and bound over a barrel, ready to take it for your masters?

            Only a little bit too much enjoyment, maybe? Or is it more an "all in"-kind of deal? Well...whatever rocks your boat.

  • DoH means a backdoor and MITM for every corporate and VPN user. It circumvents my own DNS server, and puts in Mozilla to spy on me instead.

    This is completely unacceptable.

    And given the availability of sane non-webified DoT, it is just as pointless as it is stupid. (Given that reasoning, one could just as well argue that adding even more useless layers like HTTP would improve it too.)

    I guess after boycotting Chrome-likes, I have to just uninstall Firefox too, and create some semantic HTML parser that gives

    • DoH means a backdoor and MITM for every corporate and VPN user. It circumvents my own DNS server, and puts in Mozilla to spy on me instead.

      This is completely unacceptable.

      Well, perhaps your corporate IT staff should get a clue and configure it correctly so Firefox won't make DoH requests. You're not corporate IT, are you?

      I have to just uninstall Firefox too, and create some semantic HTML parser that gives me a Gopher-like directory structure that is actually optimized for getting freaking stuff done!

      Go nuts!

      • What kind of stupid argument is that?

        How about you can uncheck that "I own your firstborn, and your anus, and you have to send me all your money" box too, in that next piece of software. (Hint hint: hyperbole, for clarity.)

        So I can come with that argument too, when you complain that that is wrong. Boohoo, you didn't know? It was clearly designed as a trap? Yeah, that was my point! Should have accepted that before it was too late.

        It IS literally a backdoor and a MITM on your DNS!
        And made so you most easily fa

        • OK, it's clear you're not only a moron but an angry moron.

          Censoring it, like a good drone

          This literally cannot be the case because I'm posting in the thread. See point 1.

          Ergo: It is malware.

          Using words like "ergo" does not make your non-arguments sound. Yelling even louder that it's a MITM and malware does not make it so. So tell me, once they've MITM'd your DNS and returned a fake address, they then do what precisely, because it's all verified by TLS anyway, which you apparently trusted completely right up u

  • How absurd for the^H^H^Ha web browser to be the one exception in your system, which uses different DNS than everything else. Can't wait until the day I can ssh or curl an intranet host, but Firefox can't access it because it can't figure out the address. (Or worse: it "works" but talks to a different host.)

    Heh, remember back in the day when some people wanted alternative DNS roots, and critics worried about DNS balkanizing, where we don't all see the same internet? Now suddenly everyone's ok with their own

    • How absurd for the^H^H^Ha web browser to be the one exception in your system, which uses different DNS than everything else. Can't wait until the day I can ssh or curl an intranet host, but Firefox can't access it because it can't figure out the address. (Or worse: it "works" but talks to a different host.)

      If you know enough to know what ssh and curl are, then you know enough to switch off DoH in Firefox.

  • by Anonymous Coward

    That the entities who benefit from privacy exploits are up in arms is all the more reason to implement DoH. Period. When you look at the massive surveillance we are under, including the gov't PRISM program, this is but one small step in the way of taking our privacy back.

    They almost always use "what about the pedos!?" [sic] argument to defend their otherwise weak positions. It's tiring.

    • by Sloppy ( 14984 )

      Implementing DoH is just fine. But do it in one place, not separately in each application.

      • by ceoyoyo ( 59147 )

        Yeah, it should be done in the OS. You should be able to hack it into an existing OS by running your own DNS server. I wonder if such a thing exists?

  • DoH does not really enhance your privacy - it merely shifts your lack thereof. In addition, those who now get access to your DNS data are the likes of Google, Cloudflare, IBM, etc. What makes you think that they will be more gentle with your data than your ISP? Because they say so? Finally, DoH opens a data highway for those keen on disseminating malware.

    Well done, Mozilla people!

  • Most or all enterprise firewalls will block sites based on category or the site name. So while DNS queries will be hidden in general, you still won't get to the website unless it is some new unknown site. All the HTTPS websites like Facebook and whatever are blocked in all the offices I have seen. How does this hurt enterprises again?

    • How does this hurt enterprises again?

      It doesn't. Better still they can add this question on their interview process which weeds out the Slashdot armchair engineers who have no idea how to manage a network.

      • by MeNeXT ( 200840 )

        So your solution to the enterprise is to allow users to configure their systems willy-nilly as they please? You are right, it would weed out the clueless. You would be the first. DoH adds nothing positive to the enterprise environment except more work.

        DoH, due to the canary domain, is useless for the purpose that is claimed. On the other hand, it is a great opportunity to monetize the user base.

        • So your solution to the enterprise is to allow users to configure their systems willy nilly as they please?

          Good work proving my point. My solution to the enterprise is to hire qualified IT people and not Slashdot users who seem to think that DoH isn't a thing that can be expressly disabled from user control through Firefox's enterprise policies, and, as the GP has already pointed out, enterprise security doesn't depend on DNS control.

          You are right, it would weed out the clueless. You would be the first.

          The big difference between you and me is you seem to know little but think you know a lot. I actually know a lot, yet realise it's little enough that I wouldn't even apply for said

  • I set my DNS the way I want, and don't want FF to hijack my OS settings.

    So I just want to know what do I need to add to my prefs.js or user.js files to disable it completely.

    user_pref("?.doh.?", false);

  • Why can't Firefox just ship with an optional install that allows users to install a DoH resolver for the entire system? This would be the right approach.

  • I don't remember any public consultation before they removed ALSA support from the browser.

    Yes, I know you can use the apulse wrapper, and that is what I do nowadays.
    I just needed to vent.
