jfindley 5 years ago

This is painful to read. Masses of unfounded FUD - the article deliberately buries that it's trivial to change your DoH provider if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

If instead what you worry about is the government spying on your traffic then complaining about DoH is even more silly - DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based in (Germany).

DoH is vital to protect users around the world from censorship and worse. Enabling it by default is a good thing - protecting users from abuse shouldn't only be opt-in. There has to be SOME default chosen, and the default needs to be a site large and well run enough to a) handle the load, and b) be in the firefox HSTS preload list. There aren't a lot of good DoH providers that fit these criteria - CF is one of the few.

  • yosamino 5 years ago

    There's nothing that makes Cloudflare the more "privacy friendly" 3rd party. "Privacy friendly" would be a mechanism by which my desire to communicate with "example.com" involved my computer and the computer at example.com with no third party in between.

    As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent which means my traffic data is now spread around one more company - that seems like less privacy.

    And I am not looking forward to finding out the fun ways in which this will break our local DNS.

    The idea that Cloudflare is in any way more trustworthy than my local ISP is at best naïve. All this creates is another huge centralized pool of data with no oversight whatsoever except the promise of some company that is currently growing fast, that they will not do anything with that data. Come the times when money becomes tight again, we'll see how well that promise holds up.

    Sure, encrypting DNS is a good thing. But this is just like trying to make email more secure by using a 3rd party encryption gateway - all it does is move around who to trust.

    That's not privacy - that's just silly

    • GeekyBear 5 years ago

      >As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent

      According to their blog post discussing the matter, they fully intend to inform the user of the change and give them the opportunity to opt out.

      >When DoH is enabled, users will be notified and given the opportunity to opt out

      https://blog.mozilla.org/futurereleases/2019/09/06/whats-nex...

    • diffeomorphism 5 years ago

      > that seems like less privacy.

      Seems obvious, but is wrong. If there is a really obvious obstacle to anything, which immediately comes to mind, chances are people addressed this already.

      In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

      https://support.mozilla.org/en-US/kb/firefox-dns-over-https

      • icebraining 5 years ago

        Before, my ISP could gather the domains I visit by DNS. Now, they can still gather them from the IP addresses and SNI, and Cloudflare can gather them from DNS. I'm really struggling to see how this isn't a reduction in privacy.

        > Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

        What happens if they get a FISA warrant? How does your contract protect users that before didn't have their DNS queries sent to US companies?

        • pixl97 5 years ago

          Which is why SNI encryption is an important next step.

          • mike-cardwell 5 years ago

            SNI encryption is only useful if the website you're visiting shares the IP with lots of other websites. E.g., they're sitting behind Cloudflare.

            When you visit any of my websites, which are not on shared IPs, then not only will you continue to inform your ISP that you're doing so (regardless of the existence of ESNI), but you will additionally be informing cloudflare too.

            What's your solution? That I centralise all my websites behind Cloudflare? In the name of privacy? Laughable.

        • diffeomorphism 5 years ago

          Your ISP can gather them with much, much more effort. There is privacy value in making things harder. The only motivation your ISP has for logging this is making money; if getting the information is too tedious and expensive why would they bother?

          > and Cloudflare can gather them from DNS

          but is contractually forbidden from saving that information.

          > What happens if they get a FISA warrant?

          They have to follow the law? Wrong threat model.

          • a-raccoon 5 years ago

            > Wrong threat model.

            You are not permitted to hand-wave corrupt government interception or rubberhosing of civilian data as "wrong threat model." These technologies are central to, and must be focused specifically on, protecting all civilian data from all governments. That is the primary purpose of all privacy systems. Not to protect you from coffee-shop denizens trying to snoop which dating sites you use.

            • dredmorbius 5 years ago

              Your ISP is subject to the same FISA warrant threat.

              If it's one of the large monopoly providers, it's as much a one-stop-shop as Cloudfront is.

              • TeMPOraL 5 years ago

                Not outside the US. Now unless Mozilla decides to pick a different DoH party for deployment in EU, the problem will come back.

                • dredmorbius 5 years ago

                  Fair point. I'd meant to add "inside the US". The warrant hypo strongly implies this, though as you note, needn't necessarily.

                  Though outside the US, the NSA doesn't require a FISA warrant to intercept data, nor does it face any US legal restrictions on doing so.

                • dangerface 5 years ago

                  The internet is as much of a monopoly outside of the US, for example Tiscali in Europe. We have the same kangaroo courts when it comes to getting warrants to invade people's privacy.

                  At least from a general perspective I don't see a big difference.

                  • icebraining 5 years ago

                    But it's not one or the other; an EU court will make a warrant for the ISP traffic data, and a US court for the DNS requests. You become vulnerable to both.

                    • vsl 5 years ago

                      1.1.1.1 operates on edges of CloudFlare CDN - EU users will be handled by EU DNS server. And there’s no logging.

                      • icebraining 5 years ago

                        Cloudflare is still a US company. Do you have any FISA jurisprudence showing that simply running the server in another country makes it immune to warrants?

                        > And there’s no logging.

                        Until the courts say there must be.

          • ti_ranger 5 years ago

            > The only motivation your ISP has for logging this is making money; if getting the information is too tedious and expensive why would they bother?

            I used to work at an ISP.

            We configured (wrote policy language for) our DPI platforms to do header inspection of all HTTPS traffic to measure customer experience to different websites, to improve the customer experience.

            The raw data was (theoretically) accessible to ~4 people and deleted as soon as ETL had succeeded, and the anonymised results (aggregated only by region, product etc.) were available to the operations team (another ~8) and product management (~4).

            This complies with our country's personal information regulations.

            Mozilla proponents seem to be quite anti-ISP.

            Why is that?

            >> What happens if they get a FISA warrant?

            > They have to follow the law? Wrong threat model.

            If this happens for non-US citizens, this is a violation of the privacy laws of the affected user.

            If this is rolled out, I will either ensure my distro switches this off by default, or have to consider changing browsers (away from Firefox).

      • yosamino 5 years ago

        Even if this infrastructure was run by Mozilla itself, and they really really promised me that they would not do anything with the data - that's all I would have - a promise (which is also how Cloudflare words it btw [0]). Which, in the asymmetric situation that puts me in, is not worth all too much to me, because I will never be able to verify it.

        The data would still end up at yet one more company, compared to the status quo.

        Trust works if I know the people involved - but I don't know a single individual at Mozilla (or Cloudflare for that matter). That Mozilla trusts Cloudflare is beside the point if I don't really know who they are.

        The entity I am actually trying to trust is example.com - all this shuffling around of trust in increasing layers of complexity is missing the point of the actual problem: bootstrapping a connection to example.com without revealing to a 3rd party that that is what one is trying to do.

        [0] https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...

      • ti_ranger 5 years ago

        > To mitigate this risk, our partners are contractually bound to adhere to this policy.

        You seem to think that:

        1) No company in the history of the world has ever violated a contract?

        2) No government has ever forced a company to give up information that it is contractually obliged not to give up

        3) No hacker has ever hacked into a company's systems and exfiltrated data the company was contractually obliged not to share

        You seem to think that if a contract has been concluded, it is impossible for it to be violated.

        Then there are also the problems of making all Firefox browsers depend on the availability of CloudFlare.

      • TeMPOraL 5 years ago

        Ceteris paribus, not having the data is strictly, mathematically more private and secure than having the data but being contractually obliged not to distribute it around. Contracts change, laws change, accidental leaks and targeted attacks happen, there's FISA, and there's a non-zero probability that Cloudflare suddenly decides that half of Europe is Nazis and don't deserve their contractual protections anymore (I'm sorry, but Cloudflare walked into that one themselves).

        It's as simple as this. Now I do prefer a society of trust over excessive technological means, but let's not pretend like sending data to an additional third party is somehow more or even just as private as not sending it in the first place.

    • alerighi 5 years ago

      You are not considering that IP addresses are dynamic. Only your provider can associate your IP address with you, and thus associate the DNS requests that you make with your identity. Cloudflare can't, because today you have one IP, tomorrow you can have another. And this without talking about providers that put you inside a NAT, like is common with mobile connections, where thousands of different customers share the same IP address, and thus only the provider can really log your DNS traffic.

      So if Cloudflare maintains a log of your requests, who cares; that log is useless since they can't identify you as soon as you change your IP address. While using standard DNS the provider can identify you and can log all your DNS requests, even if you don't use the default ISP DNS servers, since they can simply intercept and decode all the traffic on the DNS port. And not only your provider, everyone in the path between your PC and the DNS server, even at LAN level; for example in public WiFi networks like in airports, schools, companies, the administrators can log all your DNS traffic, and put filters on it.

      • prirun 5 years ago

        In the US, it's been my experience that cable IP addresses rarely change.

    • dangerface 5 years ago

      > As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent which means my traffic data is now spread around one more company

      > Sure, encrypting DNS is a good thing. But this is just like trying to make email more secure by using a 3rd party encryption gateway - all it does is moving around who to trust.

      Make up your mind are you worried about the number of people that can see your dns or not?

  • huhtenberg 5 years ago

    Don't oversimplify the issue.

    > it's trivial to change your DoH provider

    Cloudflare is the default.

    Cloudflare is the only provider listed.

    Cloudflare will be On by default, so it will be that for 99.999% of Firefox users.

    That ain't right no matter how well intended it is.

    • morpheuskafka 5 years ago

      And for regular DNS, their ISP/employer/school will be the service provider for 99.9999% of users. Regular DNS is not exactly easy to find (on Windows, it's under Settings -> Network -> Change Adapter Options -> Adapter Name -> IPv4 -> Properties), which is arguably as hard as going to about:config. And there is no menu of providers listed--nor does it explain who would choose the "automatic" DNS server options (the one that uses DHCP).

      So the status quo is no better than this, and at least this is encrypted and protected by a privacy guarantee.

      Now I agree that ideally a user-visible preference should be created for the DoH resolver, but I don't think that's a blocking issue. Just like the accounts feature uses a Mozilla server, and Chrome uses Google accounts, and both use Google Safe Browsing lists, browsers have always made the decision to hardcode various external service providers.

      • the_gipsy 5 years ago

        > So the status quo is no better than this

        You're completely missing the point. Users have many different ISPs, and them knowing DNS queries is not a problem because it's the ISP anyway. Now a browser wants to change that behavior, and send ALL queries to one American company.

        • klingonopera 5 years ago

          Indeed, I think that in this case, on the whole, more privacy is achieved by decentralization rather than by encryption...

    • codedokode 5 years ago

      So the solution could be to make it so that there are many DoH providers and a browser would choose one of them randomly (or by user's choice).

      • dreamcompiler 5 years ago

        Or -- much better -- use DoT instead of DoH so port 443 isn't getting misused for DNS.

        • tastroder 5 years ago

          While that's an unpopular opinion I tend to agree, I'm still on the fence if that's really bad or if I'm just grumpy about change though. It really feels like instead of fixing the underlying problems we're duct taping the internet by moving HTTPS to OSI layer 4 and making TCP and the concept of ports obsolete for a majority of use cases - which in many cases implies a loss of control. I'm honestly not sure why our sector pushes HTTPS solutions over plain TLS, is it just because it blends in with web traffic and it's easier to grasp because more people are familiar with the basic concepts?

          Of course there's arguments for and against these aspects in the case of name resolution, both technical and on a legislative level, but maybe a net win in terms of privacy protection for the majority of users is still worth it. And should Cloudflare or whoever decide to misbehave with the data we send, it'll at least be easy to switch to other providers when DoH is widely adopted.

          • cameronbrown 5 years ago

            You're right of course, but HTTP(S) only 'won' because of the web.

        • dngray 5 years ago

          > Or -- much better -- use DoT instead of DoH so port 443 isn't getting misused for DNS.

          DNS over TLS has other issues. There's a nice comparison here: https://dnscrypt.info/faq/ I have been using a local resolver on 53 that forwards all requests from my LAN into DNSCrypt (and sends that over a VPN tunnel). That way I maintain privacy and decentralization, as well as being able to simply use the DNS resolver built into my OS.

          I have to wonder though with HTTP/3 https://en.wikipedia.org/wiki/HTTP/3 being QUIC based, will we see DNS over QUIC? https://en.wikipedia.org/wiki/QUIC

          Seems like Firefox doesn't even support QUIC at the moment. https://bugzilla.mozilla.org/show_bug.cgi?id=1158011

          • tialaramex 5 years ago

            The IETF QUIC isn't finished. Periodically the Working Group thinks it has stopped fiddling with the low-level bit layout and is ready to focus on polish, then somebody finds a show stopper that means revisiting the low-level bits. Maybe 2020? They missed all their advisory target dates (July 2019) for actually writing documents, and that isn't the end by any means for a protocol like this.

            So Firefox could at most support either Google QUIC (internal prototype, now obsolete, who cares?) or a random draft that may end up not resembling the final product. If they haven't decided to do either it doesn't seem like a big deal.

            • dngray 5 years ago

              > The IETF QUIC isn't finished. Periodically the Working Group thinks it has stopped fiddling with the low-level bit layout and is ready to focus on polish, then somebody finds a show stopper that means revisiting the low-level bits. Maybe 2020?

              Ah yes you're right. Also Mozilla (M. Thomson, Ed) is on the author list there so I expect they will support it when it is finalized.

              https://datatracker.ietf.org/doc/draft-ietf-quic-transport/

              Hopefully then they also support DNS over QUIC, I expect they probably will once QUIC is finalized. I think DoH is just a stop-gap measure to be honest.

              https://datatracker.ietf.org/doc/draft-huitema-quic-dnsoquic...

        • codedokode 5 years ago

          Then it would be easier for an ISP to block encrypted DNS (by port number). It is better to masquerade everything as normal HTTPS to make blocking more difficult.

          • ti_ranger 5 years ago

            > Then it would be easier for an ISP to block encrypted DNS (by port number). It is better to masquerade everything as normal HTTPS to make blocking more difficult.

            For most people, if you can't trust your ISP, you have bigger problems.

            For people who can trust their ISP, why should we all by default be affected by the fact that the Mozilla developers seem to all live in a non-free or non-democratic country.

            Maybe they should instead focus on fixing the US political system that results in their current situation, rather than trying to use technical means to solve political problems.

            • darkwater 5 years ago

              What if you can trust your ISP most of the times but not during a specific time? For example, when there are civilian protests/acts which the current government doesn't like?

              I have a very specific case for this: in the days before and during the referendum for Catalonian independence (Oct 1st 2017), all the Spanish ISPs were blocking access to the websites related to the referendum, using DPI to look for the SNI hostname. One of the main reasons to enable DoH in FF is to enable the encrypted SNI feature https://miketabor.com/enable-dns-over-https-and-encrypted-sn...

        • berti 5 years ago

          That would break the internet for many innocent souls behind firewalls.

      • brians 5 years ago

        Tor has some nice papers about what happens if you try that: the NSA and KGB each run a server and content themselves with getting a sample of the population.

        • southerntofu 5 years ago

          > the NSA and KGB each run a server and content themselves with getting a sample

          Which is already a lot better than getting 100% from simply spying on CloudFlare or serving them with "National Security Letters".

    • wruza 5 years ago

      The other viable DoH provider is Google. Others' timeout is simply not worth the request, in my experience. How does one choose from these two?

      • ndidi 5 years ago

        No, the other viable option is not enabling DoH by default.

        • tannhaeuser 5 years ago

          And that should surely be the default. What's Mozilla's intent to send DNS queries to Cloudflare by default, and require regular DNS resolution to be configured manually?

          • eps 5 years ago

            Yes, that's exactly their plan at the moment. Hence the whole brouhaha.

        • m-p-3 5 years ago

          privacy-wise, plaintext is the worst option possible.

          • Youden 5 years ago

            I disagree, at least in my situation.

            My DNS requests traverse my ISP's network to my ISP's DNS server (or my employer's ISP's DNS server if I'm at work).

            I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.

            If my DNS requests are sent to CloudFlare or Google instead, my DNS requests are under American jurisdiction, where I have no rights and both American businesses and the American government can do whatever they please with no real recourse.

            • codedokode 5 years ago

              So it depends on the country. In my country (Russia) all Internet traffic is being recorded by the ISP for the last month and sites are blocked on political reasons. For me having DoH with Cloudflare is better.

              • wp381640 5 years ago

                Ditto in Australia

                The reason why browsers are moving to features like DoH and eSNI as defaults is because it's every type of nation that is now instituting pervasive surveillance against its citizens

                You also can't trust laws since ISPs can be hacked or infiltrated from the inside

                In terms of personal protection encryption trumps law

                • icebraining 5 years ago

                  > You also can't trust laws since ISPs can be hacked or infiltrated from the inside

                  Cloudflare isn't magically free from the same threats.

            • realusername 5 years ago

              > I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.

              There's very few countries with such strong privacy protections, even in the Western world.

              • icebraining 5 years ago

                From what I can tell, all countries covered by the GDPR heavily limit what an ISP can do with DNS queries. That covers 515M people, which is more than the populations of three mentioned countries (US, Russia and Australia) put together.

                • jsjohnst 5 years ago

                  > which is more than the populations of three mentioned countries (US, Russia and Australia) put together.

                  Not sure it matters, but only by a small margin is that true. 500M vs 515M.

                • realusername 5 years ago

                  A lot of these countries currently have laws to record years of DNS logs for future analysis by the police. Due to the abuse these countries have done in the past about it, I do not want any record personally.

                  • vsl 5 years ago

                    That’s a very good point. In fact all of them do, because the same EU that mandates GDPR also mandates data retention, which only differs in details in member states.

            • cryptica 5 years ago

              That's a very good point.

              I'm not familiar with DoH. Would it allow CloudFlare to match domain names to IP addresses still? If so, then I don't see how it adds any value to the current solution. If anything, it creates a false sense of security which is worse than no security at all.

              What's the point of encrypting the DNS lookup step if a middleman can still potentially see everything in plaintext?

            • o-__-o 5 years ago

              Couldn’t your isp watch traffic to pull out SNI information?

              • wp381640 5 years ago

                the next step is eSNI and judging by the DoH rollout that will also be a new level of controversy advocating against it

                • ithkuil 5 years ago

                  What are the arguments against eSNI?

                  • ti_ranger 5 years ago

                    > What are the arguments against eSNI?

                    Institutions providing internet access, but with an obligation or operational requirement to block certain kinds of content (e.g. insufficient network capacity on the free WiFi at a hospital to allow streaming video for all visitors) would not be able to do it at all.

                    Privacy proponents seem to forget that there are sometimes reasonable reasons to allow traffic to be blocked, and instead of looking for a real solution, are imposing ridiculous "solutions" on all Firefox users.

            • vsl 5 years ago

              Your request will hit CloudFlare edge node in your country and be served from there. Under your jurisdiction.

          • ndidi 5 years ago

            I can think of something worse: sending all your DNS queries to an unregulated third party.

            • Grimm665 5 years ago

              This is already what happens. Your DNS queries have to go somewhere, and unless you control the DNS servers, there's a third party in the loop somewhere.

              • apexalpha 5 years ago

                Not really, my DNS requests go to my ISP's DNS server. And the ISP sees the requests anyway since they are the one forwarding all the packets.

                Now, Cloudflare will see them too (if this would come to my country).

                • SAI_Peregrinus 5 years ago

                  But your ISP won't see them. They'll see that some requests are being made to Cloudflare, but not anything about the content.

                  • apexalpha 5 years ago

                    No I mean in my current situation if my ISP is also my DNS provider they will get the requests.

                    But they can already see what sites I visit because they are my ISP and carry my packets.

                    In Mozilla's new default implementation Cloudflare will also see them, without me ever knowing (as an average user).

                    • codedokode 5 years ago

                      With TLS1.3, encrypted SNI, encrypted DNS the ISP can only see the IP address you are connecting to, not a domain name. For Google's resources it only sees that you are connecting to Google's network, but is it Youtube or Gmail or Maps, they cannot tell (which is awesome by the way).

                      • ldng 5 years ago

                        And down the toilet goes the (distributing and caching) Inter-Net. Long live the new Cloud-Net. Cloudflare and Google are achieving what Compuserve and AOL could not.

                        Exaggerating slightly ... but not that much really. And all in the good name of privacy and security.

                        It is also amazing how people (Americans ?) are not willing to admit I want MY jurisdiction to apply. Not an American one. I want the choice.

                        • yjftsjthsd-h 5 years ago

                          Caching died with insecure HTTP, and that's okay.

                          > I want the choice.

                          Then turn it off. But the default protects more people than it harms.

                          • ldng 5 years ago

                            Well, it's not really a choice if for security I must give up on jurisdiction ?

                            I don't doubt the intentions of Mozilla. But, I expect Mozilla to set the bar much higher.

                            > But the default protects more people than it harms.

                            Sorry, not good enough for me. They should not be promoting a private company's centralized solution. They really should be pushing for a decentralized and distributed solution that is yet secure for everyone involved, and promote that.

                      • xorcist 5 years ago

                        SNI isn't super useful to profile customers by itself. Now of course encrypted SNI will be a welcome addition to the protocol, but it won't get rid of traffic profiling.

                        The destination IP is more than enough to build a customer profile. It's not terribly relevant if you visited Youtube or Maps. Just analyzing netflow logs will give much more information than what services you use, such as for how long you use them and if you stream any media during that time.

                        Should you wish to have more information than that on your customers you'd have to buy it from someone who runs code in most web pages you visit. There are plenty of those, too.

                      • tannhaeuser 5 years ago

                        Hence your request goes to yet another party: your ISP (by necessity, via the IP destination in your IP headers), the site you want to go to, and Cloudflare/Google as DNS provider and as fourth party. Whereas with regular DNS, your ISP's nameserver gets the DNS queries, hence only three parties are involved. E.g. what ndidi and apexalpha said.

                      • avmich 5 years ago

                        With Tor ISP can't even see the final address, but maybe Tor has its own solutions for DNS?

                        • yjftsjthsd-h 5 years ago

                          Onion sites use a keypair as their "name"

            • codedokode 5 years ago

              ISP and government are that "unregulated third party".

              • tannhaeuser 5 years ago

                ISPs are highly regulated, as opposed to Cloudflare and Google. The only effect here is that Google closes another "loophole" in their view where web visit signals are sent to another party (other than Google), and Cloudflare wanting their share of the cake as well. Has Mozilla disclosed what Cloudflare is paying them for being listed as default DoH provider?

                • pixl97 5 years ago

                  ISPs are highly regulated when it comes to DNS? Not here in the US they are not.

                  • tannhaeuser 5 years ago

                    Well, to buy a domain you need to go to an accredited registrar for the respective TLD. And DNS registrations, renewals, etc. are standardized (and have TLD-specific policies). Also, you're entitled to transfer your domain name to another registrar, etc., also with a public and transparent protocol. The registrar will then arrange for their nameserver being registered as authoritative for your domain on the TLD's root domain server, etc. What's the problem with US ISPs here? That they're selling DNS query records (with your IP) against their nameservers? That's in the same territory as Cloudflare and Google, and will only stop with proper privacy laws; certainly not by giving up on the decentralized nature of DNS and giving all traffic/signals to Cloudflare/Google.

            • lousken 5 years ago

              Aren't you still sending your data to an unregulated third party with any ISP? (I don't live in the US so I am not aware if they're regulated in this regard.)

          • huhtenberg 5 years ago

            Plaintext doesn't route every god damn request through Google or Cloudflare.

            • m-p-3 5 years ago

              If you have a Chromecast, it's already sending the DNS requests to 8.8.8.8 unless you specifically block the IP.

              • southerntofu 5 years ago

                > If you have a Chromecast

                Why the hell would anyone buy hardware from an evil spyware company such as Google?

                Of course you can never trust a private corporation to do stuff in the public interest.

        • wruza 5 years ago

          I think you mistook it. I was talking about doh providers, not all options, and responded to a line completely tangential, if not unrelated to what you try to bring here. An answer looking for a question, I guess?

    • exadeci 5 years ago

      I'm on Firefox 69, it's disabled, I never touched it.

  • pdkl95 5 years ago

    > DNS requests are routinely ... monitored by ISPs

    DoH doesn't prevent ISP monitoring. Even if they cannot see the DNS request, the browser sends the ISP the returned A/AAAA record in the header of a TCP SYN packet. The ISP necessarily sees the hosts you are connecting to; they don't need to see the DNS traffic. DoH to Cloudflare allows both Cloudflare and the ISP to monitor your pattern-of-life.

    > DoH is vital to protect users around the world from censorship and worse.

    Yes, it would be a useful tool to fight censorship, but don't conflate that with monitoring traffic. The ISP still sees the addresses and ports in the IP+TCP headers.

    • aseipp 5 years ago

      Well, the A/AAAA record and the host you're contacting aren't necessarily the same information, right? You could connect to 10 wildly different sites all behind a CDN and get the same A record for all of them, but vastly different results. It's the host, not the A/AAAA record, that leaks the most information in such a case. DoH/DoT plugs the host being leaked in the DNS packet, then.

      But of course, then the problem is punted to SNI, since your TLS Hello packet will probably send the host name with the setup packet, leaking the host then. So we're back to square one. To be fair, Firefox and Cloudflare are also working on ESNI, in which case, from what I understand, your DoH reply will include the A/AAAA record and the public key to encrypt SNI names with, which plugs that final major hole.

      So I think the A/AAAA record being exposed doesn't necessarily tank everything, but it certainly isn't perfect, either. But realistically none of these solutions were 100% perfect and a unique A/AAAA record was always going to expose you to a significant amount of side analysis, I think. In general, it just raises the bar and lets us place more trust in the "last hop" between you and the resolvers, much like many other improvements over the past few years, and originally envisioned by e.g. DNSCrypt. In general I feel the actual host header is more important than the A/AAAA record (it is at least more accurate), but I could be super wrong about that.

      (The more general discussion about a few major players being able to shape major internet changes for users like this, and general consolidation of the internet is, I think, extremely relevant. But also beyond just this particular exercise.)
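The point made in the two comments above (the destination IP is in the packet headers, and the host name is in the plaintext SNI of the TLS ClientHello until ESNI lands) is easy to make concrete. The following is an added example, not code from the thread or from any browser: it constructs a minimal ClientHello carrying an SNI extension, then parses it the way an on-path box at an ISP could, without ever seeing the DNS query. The ClientHello bytes and the IP address are constructed test data, not captured traffic.

```python
"""Added example (not from the thread): what an on-path observer, e.g. an ISP,
still sees after DoH hides the DNS query: the destination IP from the packet
headers, and the server name in the plaintext TLS ClientHello (SNI).
The ClientHello bytes are constructed here, not captured traffic."""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension.
    Sample input for extract_sni; a real browser hello carries far more."""
    host = server_name.encode("ascii")
    # RFC 6066 server_name: list length, name_type 0 (host_name), name length, name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                     # client_version
        + b"\x11" * 32                  # random (constructed filler)
        + b"\x00"                       # session_id length 0
        + b"\x00\x02\x13\x01"           # one cipher suite
        + b"\x01\x00"                   # compression: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the record is not a ClientHello or carries no SNI.
    Every length is bounds-checked so a truncated packet returns None."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(data) >= 2:
            p = 2                                     # skip list length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii", "replace")
                p += name_len
    return None


def observer_view(dst_ip: str, first_packet: bytes) -> dict:
    """What a header-plus-SNI monitor records per connection: the IP from
    the TCP/IP headers and, if present, the name from the ClientHello."""
    return {"dst_ip": dst_ip, "sni": extract_sni(first_packet)}


if __name__ == "__main__":
    hello = build_client_hello("www.impots.gouv.fr")
    print(observer_view("192.0.2.44", hello))   # 192.0.2.44 is a documentation address
```

The parser deliberately returns None rather than raising on short input, which is what a passive monitor wants: a truncated or non-TLS first packet just means "no name this time", and the destination IP is still logged. With ESNI the same code would find only the encrypted extension and fall through to None, which is the hole aseipp describes being plugged.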

  • throw0101a 5 years ago

    > This is especially true in the country the author appears to be based (Germany).

    Of all the governments to worry about, the ones in the EU (as well as US, CA, AU, NZ), are the ones I'd least be concerned with, relatively speaking.

    They're enabling this in the US, and yet even with all its problems, it's the one country that the average web surfer would have to worry least about when visiting "inappropriate" sites.

    * https://en.wikipedia.org/wiki/Room_641A

    > DoH is vital to protect users around the world from censorship and worse.

    Great. Then enable it in countries where it's actually a problem. As a Canadian I do not feel a need for this, and I worry about Cloudflare getting an NSL more than I worry about CSIS/RCMP tapping glass.

    * https://en.wikipedia.org/wiki/National_security_letter

    • raxxorrax 5 years ago

      > Of all the governments to worry about, the ones in the EU (as well as US, CA, AU, NZ), are the ones I'd least be concerned with, relatively speaking.

      Completely wrong threat assessment in my opinion. You should always be concerned about your own government. It isn't only the axis of evil that imprisons people with leaks about heavy privacy invasions.

      Russia and China have anything about you and you are a citizen of a western nation? Great, because that doesn't matter at all.

      You know who poses the greatest threat in motorsports? It is the other driver on your team.

      • throw0101a 5 years ago

        > ... *concerned about your own government.*

        Who says I'm not? But I have recourse with government. What recourse do I have with a private corporation that's based in a country with such lax privacy laws?

        • _Codemonkeyism 5 years ago

          I know it was a rhetorical question but here it needs to be spelled out:

          None.

      • Hitton 5 years ago

        Least concerned with? Have you already forgotten about Snowden? Do you know about Five Eyes (or even Fourteen Eyes)? In Canada they outsource surveillance of Canadians to overseas Five Eyes partner agencies so they evade their own privacy laws. It's reasonable to assume that other Five Eyes countries do the same.

        • throw0101a 5 years ago

          I'm with an ISP that has a direct link to TorIX, which has a who's who of the major Internet properties and CDNs:

          * https://www.torix.ca/peers/

          My e-mail is hosted on Canadian soil with a direct-connect to TorIX (and I personally know the people who run the servers).

          I know when I hit a foreign corporation (AMZN, GOOG, etc.) that my data is probably up for grabs, but I also know when my traffic is not leaving Canadian (digital) soil.

          So yes, I know all about ECHELON et al, but I know how the packets I send out are generally routed as well.

        • raxxorrax 5 years ago

          Alright, in case your government leverages allied ones to evade domestic legislation, foreign governments are a threat. But the initiative for surveillance still lies with your own government. That would only confirm the need to hold your own government accountable.

  • userbinator 5 years ago

    DoH is vital to protect users around the world from censorship and worse.

    Like I've asked before, should Mozilla also start including an obfuscating VPN by default, to bypass the Chinese firewall?

    This is a political issue, and one that I don't think Mozilla should even get involved in because it could have very ugly consequences --- just focus on making a good browser and leave the politics (and VPN/firewall-busters) to others.

    • _Codemonkeyism 5 years ago

      And route all (Firefox) internet traffic of the world through the US.

    • CameronNemo 5 years ago

      Mozilla is working to add a tor mode or add on.

      • cf141q5325 5 years ago

        I don't think they are in a position to be trustworthy enough to offer that. Not after the fiasco with their expired addon certificate sabotaging Tor. I still don't see how the standard practice in Firefox to just silently disable addons is anything but malice.

  • bennyp101 5 years ago

    > the article deliberately buries that it's trivial to change your DoH provider

    While true for you or me, the vast majority of people will have this enabled by default - probably not even realising it's on

    • magashna 5 years ago

      And? Those same people are likely using their ISP or Google for DNS right now. How is this worse?

      • cesarb 5 years ago

        The default (which the majority of people will be using) is not Google, it's their ISP. And in the vast majority of cases, their ISP is under the jurisdiction of their country, while Google and Cloudflare have to obey the laws of a foreign country. Said foreign country might one day decide that for instance Google and Cloudflare now have to log the IP address of everyone who does a DNS lookup for news.ycombinator.com, even if the laws in the user's country forbid it.

        • magashna 5 years ago

          Mozilla is only applying this in the US.

          • bennyp101 5 years ago

            To start with

            • southerntofu 5 years ago

              According to a CCC talk about DNS security, Mozilla is going to enable providers on a regional-basis by partnering with privacy-friendly non-profits.

              DigitalCourage was one of the names mentioned as a potential EU-based DoH provider.

        • darkhorn 5 years ago

          This!

          This is very bad for Erdoğan. They won't be able to block DNS over HTTPS. Thus their classic DNS blocks will be useless. Last time I checked there were over 300K blocked domains via DNS. Even 8.8.8.8 doesn't work.

          • icebraining 5 years ago

            > They won't be able to block DNS over HTTPS

            Of course they will. The DoH server can be blocked just like any other.

            • pixl97 5 years ago

              Eh, this is a losing battle for them. In theory any HTTPS server can be a DoH server if set up for it. One key for the future is to have so many DoH servers available for people in countries that filter that there is no way the government can block them all.

              • icebraining 5 years ago

                My uBlock Origin contains over 100k filter rules, and I pay zero for it. I doubt a company can't sell a list of open DoH servers for a reasonable price.

                • darkhorn 5 years ago

                  How are they going to block servers that have a DoH URL? DNS level block or IP block. Maybe SNI level block, but in a few years we will have ESNI.

                  • icebraining 5 years ago

                    To access a DNS-over-HTTP server, you need its IP (otherwise it would be a circular problem - must have DNS to access DNS). So they can just block the IP/port.

          • okasaki 5 years ago

            Why can't they block 1.1.1.1?

            • darkhorn 5 years ago

              They can block but you can make any https page into DoH. What they are going to do? Block every web site?

              • okasaki 5 years ago

                No, just the ones that run DoH.

        • diffeomorphism 5 years ago

          Wrong way around.

          Said own country might one day decide to restrict access/log visits to controversial site X (e.g. Tibet, government critical news, piratebay etc.), which does not affect your DNS based in foreign country

          • icebraining 5 years ago

            Said country will just block the Cloudflare DoH server as well, forcing users to switch to a controlled DNS server.

      • bennyp101 5 years ago

        Well, if the user has configured their router to use their preferred DNS provider, and this is enabled, and they don't realise, then as far as they are concerned all their requests are going via that provider, when in fact they are going out somewhere else.

        That seems pretty shady to me

      • telmich 5 years ago

        It's worse, because the local ISP is more trustworthy and additionally you enable cloudflare for large scale profiling. And don't claim they won't do it, it's just a matter of time

        • magashna 5 years ago

          I scoff at the idea that Comcast is more trustworthy than Cloudflare.

          • bjoli 5 years ago

            Telia in Sweden has shared data with "selected partners" in a way that led to customers being extorted because of, among other things, porn surfing history and torrent downloading.

            Trusting your ISP, even in a country with data protection laws like Sweden, is naive. I'd much rather trust a company that tells me "this is the data we store. This is the data we share with APNIC and no-one else".

        • darkhorn 5 years ago

          Are you kidding? My ISP is blocking wikipedia.org, i.imgur.com, imbd.com, torproject.org, and many others.

        • bjoli 5 years ago

          I live in Sweden and I would never trust any ISP. There are too many cases of data shared with "business partners" that led to things like tries to extort torrent users or porn surfers (even reputable ISPs).

          This should be, if not illegal at least highly problematic in the eyes of the law. At best the ISPs got a "better behave, because next time ...".

          All ISPs have data sharing with "selected partners to ensure service quality" which, at least until GDPR, meant basically that they could sell data.

          Whereas cloudflare states that the 1.1.1.1 data will only ever be shared with APNIC in anonymised form (which they define). Cloudflare defines what data they share for 1.1.1.1 users, which my ISP does not. I trust cloudflare, at least right now. If they were to change their retention policies and agreement I would maybe reconsider.

      • simias 5 years ago

        I'm fairly sure that most, even non-technical users understand fairly well that their ISP can snoop on their internet connection. On the other hand I doubt that my mom expects that when she connects to https://www.impots.gouv.fr/ her browser pings an american-owned server to get access.

        • m-p-3 5 years ago

          If she does it from a Chromebook/Chromebox, then all the requests are likely routed through Google DNS.

        • xref 5 years ago

          Tracerouting that address could reveal a lot more foreign-owned (and built) servers in the path, so I’m not sure what your litmus test is.

      • buildzr 5 years ago

        It's significantly better actually - gets around DNS blocking put in place by malicious ISPs and governments.

      • unionpivo 5 years ago

        Well there is whole article linked explaining just that.

        But basically, I know my ISP, and they don't log DNS queries.

        Most ISPs (the ones I have worked with) don't save DNS requests. They usually save netflow.

        I also use a VPN (my own), with its own DNS resolver, for when I don't trust the middle man.

  • taneq 5 years ago

    > There has to be SOME default chosen

    It seems trivial to select a half a dozen likely candidates and let the user choose between them on install.

    Honestly I'd like them to do the same with the search engine. Yes, it's simple enough to change the default, but it'd be nice to choose up-front.

    • matharmin 5 years ago

      Yes, it's trivial. It's also very annoying to the probably 99% of users who don't care about it at all, especially if this becomes just one of many settings that needs to be configured on startup.

      • isostatic 5 years ago

        Make it random then.

        • soraminazuki 5 years ago

          Random security settings that differ with each installation? No thanks, I’d rather not play dice with security.

    • johnmaguire2013 5 years ago

      Every question you make a potential user/customer answer is a potential loss of conversion.

      Most Firefox users do not care. Those that do can figure out how to change it easily enough.

    • booblik 5 years ago

      But Cloudflare also happen to be the fastest DNS resolver.

      • ti_ranger 5 years ago

        Fastest isn't necessarily best.

        My ISP's caching DNS, and any caching DNS running on IP addresses belonging to/advertised by my ISP via BGP to various CDNs, give the best possible responses.

        I don't care if the p99 DNS response from my ISP is 50% slower than Cloudflare, if the streaming video, or large download, or many small file requests are better served by CDNs in my ISP's network that are not visible to Cloudflare.

        All DNS benchmarks I have seen focus only on the DNS response time, never on the DNS response quality.

        But that's because they are mostly written by people who don't know how the internet (or competent ISPs) actually work. Some of them even seem to log errors when they get unexpected responses for some well-known URLs (like google.com) because they don't know there are newer Google sites than when they last checked ...

  • Kim_Bruning 5 years ago

    A minor quibble, but the url ends in .ch, and the company address is in Switzerland. Why do you say the author is in Germany? (Am I missing something?)

  • stakhanov 5 years ago

    > DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

    Germany: Storing data for a limited period of time so that data pertaining to individuals can be requested on a case-by-case basis by law enforcement (we are talking Police, not all of government). Not a big deal.

    U.S.: Highly developed and well resourced mass surveillance in operation on both the business side (surveillance capitalism) and government side (NSA). Privacy laws that protect only U.S.-based persons and declare data pertaining to foreign persons to be fair game. Big f*ing deal.

  • lima 5 years ago

    > DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

    Author is based in Switzerland.

    But since you mentioned Germany - German security services have no legal authority to indiscriminately monitor internet traffic, particularly not inside the country. They got into trouble with parliament the last time they got caught doing it.

    For ISPs, there's no business value in intercepting or logging customer traffic. They're not allowed to use such data themselves, like for advertising purposes. At "large ISP" scale (tens to hundreds of gigabits), equipment that can intercept DNS queries at line rate is very expensive and adds a lot of infrastructure complexity. ISPs operate on thin margins and have zero incentive to deploy such equipment or otherwise mess with traffic.

    They're legally mandated to store some metadata like IP address assignments and flow/CGNAT data for a limited period of time and aren't terribly happy about it, at the very least because it's expensive to collect and store it with no benefit. Deutsche Telekom has recently sued the government about it and won[1]. The so-called "Vorratsdatenspeicherung" is a recurrent topic in German politics with conservative governments introducing it, and then having to scrap it when it gets challenged in court by civil rights groups and/or companies[2].

    In either case, DNS request data is NOT metadata and would never be inspected and stored unless there's a specific warrant.

    Deutsche Telekom once redirected NXDOMAIN responses to an OpenDNS-like landing page with suggestions ("Navigationshilfe") and had to stop doing it when people complained to authorities[3].

    Exporting and analyzing sampled packet headers or flows is pretty cheap and a standard feature with carrier-grade routing equipment (NetFlow/IPFIX and/or sFlow). IP assignments are basic accounting data that every ISP has.

    Inspecting packet contents is very different and requires plenty of expensive extra equipment and/or complicated network engineering to redirect traffic to a centralized analyzer, which increases latency. It's only done if necessary, like temporary rerouting for ingress DDoS mitigation.

    (source: worked in the industry)

    > Masses off unfounded FUD - the article deliberately buries that it's trivial to change your DoH provider if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

    Personally, I do trust CloudFlare and understand Mozilla's choice, but I do agree with the centralization concerns. It's a difficult set of tradeoffs, and characterizing the author's concerns as "unfounded FUD" is not fair.

    [1]: https://web.archive.org/web/20180511081552/http://www.vg-koe...

    [2]: https://de.wikipedia.org/wiki/Vorratsdatenspeicherung

    [3]: https://www.golem.de/news/t-online-navigationshilfe-telekom-...

  • tannhaeuser 5 years ago

    Your post is painful to read. Masses of unfounded FUD.

    > security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

    The author appears to be from Switzerland, and it's not clear at all why "security services" (who?) in Germany "especially" have few restrictions.

    • diffeomorphism 5 years ago

      The usual list of security services, BND etc., not sure why adding lists of acronyms is important to you, when "security services" captures the meaning quite well.

      > "especially"

      That refers to news and new laws in recent years, which extended their surveillance capabilities. Also, it is relevant because Germany both has relatively strong data protection against non-state actors, but also quite capable intelligence agencies.

      That said, I think arguing about state actors is the wrong threat model for this discussion.

      • tannhaeuser 5 years ago

        > I think arguing about state actors is the wrong threat model for this discussion

        My post was just a rebuttal to GP's framing the discussion around vague accusations towards state actors.

        > security services captures the meaning quite well

        It really doesn't. The various secret services (internal, external, military) are reporting to parliament (not the whole of it, just a close circle/committee nevertheless having received trust by being elected), and their heads are nominated by the government. It's of course entirely within your right to criticize their existence or operations, but yielding power to private monopolies based in another country without any public control whatsoever and potential ties to foreign secret services (we don't really know) can't possibly solve whatever problem you're on to, and shouldn't be justified on such vague arguments.

    • tialaramex 5 years ago

      Laws restricting what the government and private entities can do with data almost invariably (e.g. the GDPR) just have a blanket exception for security services.

      Very long term we might trend away from that, just as eventually countries which had outlawed capital punishment "except in times of war" realised they had no intention of doing it in a war either so many of them began removing that caveat. But today this is the case with every such restriction I've seen, it either says in the law itself that it doesn't apply to security services or there's a superseding law that says the security services needn't obey the data protection rules.

  • m-p-3 5 years ago

    So far I'm using NextDns.io at home, which is DoH and also applies ad-filtering. I haven't heard of any security concerns yet

    Disclaimer: I do not work or have any financial connection to that service

    • telmich 5 years ago

      It will actually not be used anymore, because firefox avoids your local DoH setup.

      • m-p-3 5 years ago

        > For starters, Mozilla said that after it turns on DoH by default for US users, Firefox will contain a mechanism to detect the presence of any local parental control software or enterprise configurations.

        > Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

        > The organization said it's been asking ISPs and providers of network-based parental control solutions to add a "canary domain" to their blocklists. When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.

        https://www.zdnet.com/article/mozilla-to-gradually-enable-dn...

        And I'm already set for the DoH switch https://i.imgur.com/GuP5a8F.png

        • caf 5 years ago

          Doesn't this completely defeat the whole thing?

          Anyone upstream that wants to start censoring or logging can just add this canary domain and continue business as usual.
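The canary mechanism quoted two comments up, and caf's objection to it, come down to one lookup through the system resolver. The following is an added example, not Firefox's code: a small model of the heuristic (query the canary via the local resolver; if it comes back NXDOMAIN or without an address, fall back to plain DNS) run against constructed resolvers. The canary name is the one Mozilla documents for network operators and is an assumption here, since the thread itself never names it; the zone data and resolver behaviour are constructed for the example.

```python
"""Added example (not Firefox's code): Mozilla's canary-domain heuristic for
disabling DoH, modelled against constructed resolvers to show why a
parental-control box and a censor trip it the same way."""


class NXDOMAIN(Exception):
    """Raised by a resolver when the name does not exist."""


# Assumption: the canary name Mozilla documents for network operators;
# the thread above does not name it.
CANARY = "use-application-dns.net"


def doh_should_be_enabled(resolve) -> bool:
    """Mirror the heuristic: ask the *system* resolver for the canary.
    NXDOMAIN, or an answer with no address, means the network opted out,
    so the browser falls back to plain DNS."""
    try:
        addrs = resolve(CANARY)
    except NXDOMAIN:
        return False
    return len(addrs) > 0


def make_resolver(zone: dict, blocklist=()):
    """Constructed stand-in for a system resolver: a static zone plus a
    blocklist that answers NXDOMAIN for any listed name or parent domain,
    which is how a filtering resolver typically behaves."""
    blocked = {b.lower() for b in blocklist}

    def resolve(name: str):
        parts = name.rstrip(".").lower().split(".")
        for i in range(len(parts)):
            if ".".join(parts[i:]) in blocked:
                raise NXDOMAIN(name)
        if name not in zone:
            raise NXDOMAIN(name)
        return list(zone[name])

    return resolve


SAMPLE_ZONE = {  # constructed records, documentation addresses
    CANARY: ["192.0.2.10"],
    "news.ycombinator.com": ["192.0.2.20"],
    "adult.example": ["192.0.2.30"],
}

honest_isp = make_resolver(SAMPLE_ZONE)
parental_control = make_resolver(SAMPLE_ZONE, blocklist={CANARY, "adult.example"})
censor = make_resolver(SAMPLE_ZONE, blocklist={CANARY})  # same lever, different motive


if __name__ == "__main__":
    for label, r in [("honest ISP", honest_isp),
                     ("parental control", parental_control),
                     ("censoring upstream", censor)]:
        print(f"{label:20s} DoH enabled: {doh_should_be_enabled(r)}")
```

The model makes caf's point explicit: the check cannot distinguish a legitimate parental-control filter from an upstream that merely wants to keep seeing and shaping DNS, because both express themselves as the same NXDOMAIN for one name.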

    • dwdz 5 years ago

      I tried NextDns but it's extremely slow for me. (I live in central Europe.)

  • stjohnswarts 5 years ago

    I don't really see how DoH helps because the IP is still flowing between host and client. What does it matter if they can't see the DNS request? They still see the ip values flying between your computer and TheGreatSatan.us.xxx ? Only a VPN can help here anyway. DoH is good for making sure the IP matches up to the host address because it can verify the IP returned is the one that it is in actually rather than a state actor substitution.

  • YarickR2 5 years ago

    Since this moment Firefox should be actively prohibited in any security-conscious workplace - because it will leak some or whole map of internal resources to the third party, which has absolutely no business knowing what resources are deployed in the local network. And deciding what's good for users without making them explicitly and consciously confirm this choice is bad, worse than censorship.

  • askmike 5 years ago

    > if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

    I don't think anyone believes CF will start selling data, that's not what the article argues.

    Regardless, it's opt-out not opt-in. Which is against newer consumer protection laws such as GDPR.

    > DoH is vital to protect users around the world from censorship and worse.

    This isn't black and white. Yes there is upside (as both you and the article agree), but the downside of how DoH is implemented here is that you have to point all your DNS queries to a US company. Historically we've seen how this is a bad idea for global internet privacy (eg. PRISM, etc).

    • notyourday 5 years ago

      > I don't think anyone believes CF will start selling data, that's not what the article argues.

      CF is not a private company funded by a foundation with a time until the funding runs out measured in 30-40 years. It is a public company with a small number of customers that provide majority of its revenue.

      It simply isn't prudent to say that it won't explore other revenue streams in future and that monetization of data won't be one of those streams.

      • askmike 5 years ago

        Good point. I meant there is no reason to dispute the article because it talks about CF monetizing that data. Because it doesn't.

    • tomxor 5 years ago

      > I don't think anyone believes CF will start selling data, that's not what the article argues.

      > Regardless, it's opt-out not opt-in. Which is against newer consumer protection laws such as GDPR.

      I understand the argument in theory.. but the reality is CF is a more trustworthy DNS provider than basically any consumer ISP in the EU.

      • askmike 5 years ago

        This is where me and the author disagree with you. In most places in Europe there is a complete distrust of US companies and hosting anything on US soil.

        Historically we've seen many cases of US companies handing over data to US authorities (willingly or not).

        • tomxor 5 years ago

          This is not speculation, it's first hand opinion. I am from the UK, I distrust all UK ISPs, their DNS is filth and they are suspected of working with GCHQ... I agree US companies and US law in general are worse for data protection than the EU, but on a per company basis CF is more trustworthy and half of the purpose of their DNS is to attempt to provide more privacy.

        • heavenlyblue 5 years ago

          And practically, US companies are not restricted from selling of user data to third parties, while EU companies are.

        • telmich 5 years ago

          I think in most countries, government can approach domestic companies to hand over data in case of illegal action.

          The problem with the US is that data is being used against you, like recent events have shown.

    • jfindley 5 years ago

      You do not have to point your DNS queries to a US company, this is completely false. You can point your DNS queries at whichever DoH provider you want - you can even run your own DoH provider if you want to.

      • askmike 5 years ago

        I should have worded that differently: the default is a US company. Which applies to everyone who doesn't change it specifically for Firefox (the vast majority of users).

        • gcp 5 years ago

          ...users in the US.

          Quite an important detail.

  • zzzcpan 5 years ago

    > DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services

    Not true. ISPs typically record and store netflow-like data, very rarely DNS-data (I'd say storing DNS data is even unusual). If ISPs are in a position to get more detailed than netflow data on you they resort to things like deep packet inspection (DPI), which doesn't rely on DNS, pretty much all mobile/cellular ISPs do that today.

    > DoH is vital to protect users around the world from censorship and worse.

    Not true either. DoH can't do anything against censorship and if enabled by default in all browsers can actually give worldwide censorship powers to a single US entity that already has something akin to "we will block anything we don't like and do anything our government wants" in their ToS.

    • fulafel 5 years ago

      You might look into "passive DNS" services that collect and provide services based on DNS data collected by ISPs and carriers. It's often more or less anonymized, and often used for good things too - but not wholly harmless.

    • jamespo 5 years ago

      you too have ignored "it's trivial to change your DoH provider"

      • simias 5 years ago

        The average internet user probably has no idea what DNS or HTTPS are, let alone DoH (which even I as a technical user had forgotten existed before I read this post). Defaults matter a whole lot. I haven't formed a definitive opinion on DoH but either way saying "you can configure it so it doesn't matter" is not reasonable in my opinion.

        • avmich 5 years ago

          It's interesting that when Russia started blocking access to some popular websites a few years ago, the instructions for installation of VPN were found in all places. The case - then, for example, attempts to block Telegram servers led to the unexpected unblocking of some forbidden sites, like kasparov.ru - shows how some networking skills can be grown en masse in a short period of time.

          So, yes, average Internet user isn't very familiar with DNS. Maybe privacy wars will lead to growing awareness in this area though.

      • stakhanov 5 years ago

        It's actually not, or am I somehow missing that this is a feature that Mozilla has announced as part of this move? Users who are not technical powerusers will not understand the real security implications of "Enable DNS over HTTPS", and right now I can't find a setting to change the provider anywhere in the settings dialogue, and about:config and enterprise policies are not something that regular users mess with.

        • DHPersonal 5 years ago

          It's in Options/Preferences > Network Settings > Settings, scroll to the bottom and select Custom from the Use Provider dropdown. I added AdGuard's DNS over HTTPS address. https://dns.adguard.com/dns-query

          • stakhanov 5 years ago

            Haha. Okay: Actually didn't see it because that one line landed below the fold on my resolution (960px height, fixed taskbar on Windows). Rookie mistake. But also bad UI design if this is actually something that's important and that users should pay attention to.

            But.

            (1) There is no informed consent happening here, highlighting to a user, say in Europe, that this would lead to a U.S.-regulated entity knowing a lot about their browsing history. Regular users can't be expected to understand that that is what this setting implies but will think of "DNS over HTTPS" as technical mumbo jumbo that they don't need to pay attention to and that they should keep at default.

            (2) The dropdown doesn't have any options besides Cloudflare. In order to use the "Other" option, the user would have to research URLs of providers on the Web, which seems like so much friction that few people will do this.

            • tialaramex 5 years ago

              The dropdown in (2) doesn't have any other options because of the thing you're worried about in (1). Mozilla seeks specifically to contract with DoH operators to secure the operator's consent to protect their users and never do most of the things you're worried they might do.

              They do NOT want the list to go:

              Cloudflare

              Sketchy Valley Company with six months runway and no clear plan how to make a profit

              The Actual Mob, really

              Google

              Great Britain's Ministry of Truth

              Russian Media Company owned by Vladimir Putin

              And then have news sites going "Why are all these obviously untrustworthy folks listed?" when the answer would be "Oh we heard that people didn't like the short list of actually trustworthy providers so we added all the other ones that we don't trust too!"

              • stakhanov 5 years ago

                In a very long-winded and theatrical way you are making the point that you believe that there are no credible alternatives out there. I believe there are. I believe that, as soon as any company puts their HQ and their servers in Europe they have a credibility-advantage over cloudflare right there on the legal front and on regulatory oversight.

                I also don't believe that Mozilla has the ability to greatly influence the way Cloudflare would run their service, given that they're probably not paying a lot (or anything at all; don't know the particulars), and are unlikely to be a major component of Cloudflare's revenue. Cloudflare has much more to lose by picking a fight with the U.S. government (think government surveillance) or by pissing off major advertising networks and media corporations (think surveillance capitalism) who make up the lion's share of their revenue on Cloudflare's core webcaching business.

        • cassianoleal 5 years ago

          Open settings and search for DNS. There will be a single button for you to click and "Enable DNS over HTTPS" is at the bottom.

  • stefantalpalaru 5 years ago

    > CF is involved with serving vast swathes of the internet anyway

    Too involved. Cloudflare also single-handedly killed web browsing over Tor with extremely frequent and hard CAPTCHAS, until users install a browser extension that sets a cookie encrypted using NSA's favourite elliptic curve flavour.

    Just a coincidence, I'm sure. Much like their ability to offer free MITM CDN services to so many web sites.

userbinator 5 years ago

It's very disturbing to see the overreach that Mozilla has resorted to and the "privacy" argument (it was "security" before that...) being used to justify essentially ignoring system configuration. My ISP has more accountability than a company in another country.

> The correct way would be to standardise DoH and DoT and add support into it into automatic address configurations and operating systems.

Exactly. If Mozilla wants to, it's more than welcome to reach into the VPN area with its own products, but I don't believe this functionality should be part of a browser. They're already reaching into the VPN area[1], should they also investigate bypassing Chinese censorship with their own "firewall-busting" obfuscating VPN? That's not something most users want nor need in their browsers, and such functionality is really a cat-and-mouse game that I think is best left to smaller and less-well-known entities.

It's unfortunate that browsers are already beyond "neutral", when IMHO the only thing they should do is fetch exactly the page URL that was entered and display it.

Edit: yes, apparently people disagree and want Mozilla to control what the Internet (and every user, ignoring his/her default configuration) does. This is really really disturbing.

[1] https://news.ycombinator.com/item?id=20927832

  • gnode 5 years ago

    > the only thing [browsers] should do is fetch exactly the page URL that was entered and display it.

    I strongly disagree. Browsers deal with a hostile environment that poses countless threats to their users, and need to be safe. Arguing that browsers should be minimal and not protect privacy is like arguing that cars should be minimal and not have seat belts.

    There is an argument that ensuring privacy in DNS could be done outside the browser. I think HTTPS is a good precedent for putting privacy in the scope of the browser; the browser should attempt to ensure that privacy expected by the user is established or it should refuse to operate.

    I disagree with the solution of trusting Cloudflare, but privacy should be considered crucial to user safety in modern browser design decisions.

    • userbinator 5 years ago

      > I strongly disagree. Browsers deal with a hostile environment that poses countless threats to their users, and need to be safe. Arguing that browsers should be minimal and not protect privacy is like arguing that cars should be minimal and not have seat belts.

      I strongly disagree. A browser has one job, and that is to follow and render URLs. Secure connections and such are services provided by other components of the OS, and the browser should absolutely use those services but not attempt to overreach its main purpose. It's really the principle of "do one thing and do it well".

      To spin your analogy, you're arguing that cars should have seatbelts that also check your age and blood alcohol level because "that's also a safety thing".

      > There is an argument that ensuring privacy in DNS could be done outside the browser

      Yes, the same way that VPN clients are; and I'm perfectly happy for Mozilla to be working in that area, but most certainly do not put that in the browser and do not make it default.

      • enraged_camel 5 years ago

        >> It's really the principle of "do one thing and do it well".

        This sounds good on the surface, but falls apart at the smallest level of logical scrutiny.

        It's akin to saying, "a car should only accelerate, decelerate and make turns!" After all, that's a car's main purpose.

        Whereas the fact of the matter is that modern cars are built to be able to handle all kinds of hostile environments and have numerous defense and safety mechanisms in order to keep their passengers safe.

        The same applies to Internet browsers.

      • Spivak 5 years ago

        What do you do as a browser vendor when the OS fails to provide you meaningful security and privacy? This is pretty much how we got here. Basically every device on the planet is right now configured to blindly accept whatever DNS server is handed to it by DHCP and there is really no movement on changing that.

        So browsers can throw up their hands and say "we are as secure as the OS" or they can do it themselves. Not ideal but the alternative is worse for users.

        • userbinator 5 years ago

          > What do you do as a browser vendor when the OS fails to provide you meaningful security and privacy?

          Nothing. Absolutely nothing. Work within the environment you're given.

          > Basically every device on the planet is right now configured to blindly accept whatever DNS server is handed to it by DHCP and there is really no movement on changing that.

          ...and that's just fine, because I trust my LAN more than some third party in another country.

      • kmlx 5 years ago

        > I strongly disagree. A browser has one job, and that is to follow and render URLs.

        wow. not only has history rejected your premise, but the many technologies that exist today in a web browser prove you wrong.

    • dexen 5 years ago

      >> browsers should do one thing

      > browsers should do it all

      The essential Multics vs Unix mindset clash. One application to rule them all vs. a versatile toolbox of interchangeable modules. Telco heads vs hacker heads.

      In the end, the hackers always win - but the telcos grow to be fat cats.

      • TeMPOraL 5 years ago

        In a way, it's a Multics vs. Multics clash. I already have one application to rule them all. My operating system. I do not appreciate when the browser tries to supersede it. Not (just) because of philosophical reasons, but because browsers completely suck at being operating systems. The web takes a lot of control from the users, and offers near-zero interoperability.

        It all feels like a step-by-step attempt at turning general-purpose computers into cable TV.

      • gnode 5 years ago

        I don't think this is at odds with "should do one thing well". Safety is not an application in itself, it is a design principle.

        "rm"'s purpose is only to delete, yet it still tries to ensure safety and sanity with its flags: -r, -f, --no-preserve-root, etc. Even simple tools should be safe by default.

        • userbinator 5 years ago

          We already have applications that can take all your traffic and send it over an encrypted tunnel somewhere else, if you don't want to exit to the Internet from a place you don't trust. They're called VPN clients. DoH is like a partial VPN client. It doesn't belong in the browser.

          • gnode 5 years ago

            DoH servers are not open proxies, they're just DNS resolvers with support for a security layer; they are comparable to HTTPS, SMTPS, SSH, etc. servers, not to a VPN.

            VPNs are not a substitute for, nor a better solution than DoH in the same way as they are not for HTTPS or SSH.

  • seanhunter 5 years ago

    > The correct way would be to standardise DoH and DoT and add support into it into automatic address configurations and operating systems.

    This is beside the point. Mozilla make a browser. They don't make the address resolution code for the underlying operating system. Operating system vendors are of course going to start to support DNS-over-https.

    You can disable dns-over-https if you don't want it enabled. Just go to about:config and set network.trr.mode to 5

    • throw0101a 5 years ago

      > You can disable dns-over-https if you don't want it enabled.

      It was also possible to disable Ubuntu from sending your desktop searches to online retailers:

      * https://www.pcworld.com/article/2889895/how-to-stop-ubuntu-f...

      Just because something can be disabled does not necessarily mean it should be enabled by default in the first place.

      • seanhunter 5 years ago

        That's a really strange comparison. You know that mozilla has an agreement with cloudflare under which cloudflare has agreed not to log dns queries right?

        • Tharkun 5 years ago

          Maybe Mozilla has such an agreement, but I don't. I have a contract with my ISP, and the GDPR applies to that contract. CF? Not so much.

          • seanhunter 5 years ago

            1) Since the agreement is about processing of this data it really doesn't matter whether you have a contract with CF.

            2) You don't need any contractual relationship to have GDPR apply to processing your data. If you're a European data subject then GDPR applies to any processing of your personally-identifiable data whoever is processing it and wherever they're doing it. If you're not a European data subject then GDPR would only apply if the company was a European company or if the processing was happening in Europe.

    • shifto 5 years ago

      Thanks. I feel this should just be a setting on the settings screen. I use a PiHole DNS service at home which I want to keep using over this.

      • seanhunter 5 years ago

        It is. I just never use the settings screen. See here for how you toggle it, including screenshots. I would expect that the new version will be similar.

        https://www.zdnet.com/article/how-to-enable-dns-over-https-d...

        Edit: I've just checked and there is the ability in the settings screen to set a custom DoH provider. So once your pihole can do it you can set it there.

      • techntoke 5 years ago

        It should be a setting in a standard dot file. I don't understand why Mozilla can't create a simple configuration file like most applications.

        • seanhunter 5 years ago

          All these settings are stored in ~/.mozilla/firefox/<profile name>

          So for me the trr mode is stored in /home/sean/.mozilla/firefox/k3dmofx7.default/prefs.js

          • techntoke 5 years ago

            I've tried changing prefs from that file and it is a mess. Not adequately documented either. Standard INI-format would be ideal.
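
As an added example for this subthread (not Mozilla tooling), here is a small parser for the `user_pref("name", value);` lines Firefox writes to prefs.js, plus a helper that applies the DoH prefs discussed above (network.trr.mode and network.trr.uri) and renders a user.js. Firefox reads user.js from the profile directory on startup and rewrites prefs.js itself, which is why hand edits to prefs.js tend to get lost. SAMPLE_PREFS is constructed for the example; the two endpoint URIs are Firefox's Cloudflare default and the AdGuard endpoint quoted earlier in the thread.

```python
"""Parse Firefox prefs.js, override the DoH prefs, render user.js.
Added example, not Mozilla code. SAMPLE_PREFS is a constructed file."""
import re
from typing import Dict, Optional, Union

Pref = Union[bool, int, str]

# user_pref("name", value);  value is a JS string, integer or boolean literal.
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# The network.trr.mode values that matter in this discussion.
TRR_MODES = {
    0: "default: native DNS only",
    2: "DoH first, fall back to native DNS",
    3: "DoH only, no fallback",
    5: "DoH off by explicit user choice",
}

SAMPLE_PREFS = '''// Mozilla User Preferences (constructed sample)
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.bootstrapAddress", "");
'''


def _decode(raw: str) -> Pref:
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def _encode(value: Pref) -> str:
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Return {pref name: value} for every user_pref line; comments are skipped."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def render_user_js(prefs: Dict[str, Pref]) -> str:
    return "".join(f'user_pref("{k}", {_encode(v)});\n' for k, v in sorted(prefs.items()))


def doh_overrides(mode: int, uri: Optional[str] = None) -> Dict[str, Pref]:
    """Prefs to set for a given TRR mode; modes that use DoH need an https endpoint."""
    if mode not in TRR_MODES:
        raise ValueError(f"unsupported network.trr.mode {mode}")
    out: Dict[str, Pref] = {"network.trr.mode": mode}
    if mode in (2, 3):
        if not uri or not uri.startswith("https://"):
            raise ValueError("modes 2 and 3 need an https:// DoH endpoint")
        out["network.trr.uri"] = uri
    return out


def user_js_for(prefs_js_text: str, mode: int, uri: Optional[str] = None) -> str:
    """Keep the network.trr.* prefs from prefs.js, apply the override, render user.js."""
    current = {k: v for k, v in parse_prefs(prefs_js_text).items()
               if k.startswith("network.trr.")}
    current.update(doh_overrides(mode, uri))
    return render_user_js(current)


if __name__ == "__main__":
    # Point Firefox at the AdGuard endpoint mentioned upthread, DoH-only.
    print(user_js_for(SAMPLE_PREFS, 3, "https://dns.adguard.com/dns-query"), end="")
```

Only the network.trr.* keys are carried over on purpose: user.js entries are re-applied at every startup, so copying unrelated prefs into it would pin them forever.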

akerro 5 years ago

Of course, I'd rather trust unencrypted plaintext DNS queries that go to my ISP and government!

If you don't like CF just switch to different provider https://github.com/curl/curl/wiki/DNS-over-HTTPS

  • Aaargh20318 5 years ago

    > I'd rather trust unencrypted plaintext DNS queries that go to my ISP and government!

    I trust my ISP and government more than a US company I have no formal contract with and the US government.

    Also, there's the whole 'applications should not override system level settings' thing. My DHCP pushes a local (caching) DNS server that also does name resolution for internal services. This change would break that for all Firefox users on my network.

    • roblabla 5 years ago

      > I trust my ISP and government more than a US company I have no formal contract with and the US government.

      And every single intermediary and whoever else might be listening in? This is an unencrypted plaintext connection. Which is the main point here. The whole "we trust ISP more" thing is completely beside the point. The point is DNS is horribly insecure nowadays, and it is about damn time we switch to something better.

      > Also, there's the whole 'applications should not override system level settings' thing.

      Hopefully, DoH will become a system level setting eventually.

      • seszett 5 years ago

        If you use your ISP's DNS servers, there is no intermediary between you and them.

        • unethical_ban 5 years ago

          If you use wi-fi without a VPN, you have the coffee shop and the coffee shop's ISP. And anyone listening there. Of course there is cleartext SNI even for SSL connections... but alas.

          • Aaargh20318 5 years ago

            What coffee shop ? I only connect to wifi at home and at the office.

            • unethical_ban 5 years ago

              And you're the only person who uses mobile computing devices.

              • Aaargh20318 5 years ago

                Not sure what point you’re trying to make here.

        • throw0101a 5 years ago

          Unless your ISP is running Huawei equipment. ;)

      • lima 5 years ago

        There aren't many intermediaries if you use your ISP's internal resolvers.

        • vetinari 5 years ago

          And there are intermediaries between Cloudflare/other DoH providers and the respective authoritative nameservers anyway.

          • ti_ranger 5 years ago

            My ISP is subject to specific regulations for licensed network providers, which Cloudflare isn't.

            Thus, Cloudflare is the problematic intermediary.

          • m-p-3 5 years ago

            But unless they have the private key for CloudFlare certs, they can't snoop in so it doesn't matter if there are intermediaries in between.

            • vetinari 5 years ago

              The traffic between Cloudflare and the authoritative nameservers will be good old 53/udp.

              The only thing the snooper won't be sure with is, which Cloudflare client asked for that record.

    • dao- 5 years ago

      > I trust my ISP and government more than a US company I have no formal contract with and the US government.

      You're not affected then, because the DoH rollout w/ Cloudflare as the default is only planned for the US.

      • telmich 5 years ago

        That is not an argument, it is clear that this is supposed to be deployed by default.

        • dao- 5 years ago

          ... only for users in the US. Are you aware of other plans?

    • bzbarsky 5 years ago

      Do you ever use wifi in a coffeeshop or hotel?

      Because if you do, at that point they are your "ISP" for purposes of this discussion. Do you still trust them more than Cloudflare?

      (For a desktop machine, obviously this is not an issue, but for pretty much anyone with a laptop this is something that needs to be worried about.)

      As far as internal services, is this a split-horizon setup? As far as I understand, the plan is to detect those and fall back from DoH to normal DNS as needed.

    • m-p-3 5 years ago

      > applications should not override system level settings

      I wish Windows 10 and other operating systems natively supported DNS-over-HTTPS, but many don't. So they have to work around that lack of support.

    • kmlx 5 years ago

      > I trust my ISP and government more than a US company I have no formal contract with and the US government.

      I do not! I'd rather have that anon US co. than any government.

    • miohtama 5 years ago

      This is exactly why DoH is enabled by default in the US only.

  • ndidi 5 years ago

    I do trust my ISP and my government more than I trust CloudFlare.

    • seszett 5 years ago

      It seems very American to me to trust a private actor such as CloudFlare more than your own government.

      I feel like at least in Europe, a large majority of people would trust their government and local ISP much more than some company halfway over the world with basically no accountability in your own country, especially an American one since it means your data is basically at the mercy of the US government.

      • yuft 5 years ago

        Cloudflare has a better track record than most ISPs and governments.

      • buildzr 5 years ago

        Aren't there a bunch of European ISPs applying government enforced DNS blocking?

        Seems like this is a very good move for them.

        • q3k 5 years ago

          The ISP I run is applying [1] such blocks on our DNS recursors (blocking illegal online gambling domains, as per legal requirements [2]).

          I still trust my DNS servers (or those of most ISPs, for that matter) more than I trust Cloudflare. I'd rather have intelligence services go through the effort of infiltrating every single ISP separately to get any useful dragnet intelligence, instead of just one large entity that can illegally collect all traffic from all users of a web browser.

          [1] - https://github.com/q3k/rsh-unbound

          [2] - https://hazard.mf.gov.pl/Ustawa

    • stakhanov 5 years ago

      Couldn't agree more.

      And I very much hope they aren't contemplating rolling this out in Europe.

      Having worked for a major European telco, I get the impression that the amount of regulation they face around data protection and privacy is tremendous and my experience has been that this stuff is by no means taken lightly either.

      It would never in a million years occur to me to route my traffic in such a way as to circumvent the legal protections it enjoys as long as it stays within a European ISP's network and instead encrypt it and send it off to a nearly unregulated entity in a foreign country.

    • diffeomorphism 5 years ago

      I trust Mozilla and the contract they have with CloudFlare (not just CloudFlare by itself) more than my ISP.

      > https://support.mozilla.org/en-US/kb/firefox-dns-over-https

      Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

      These are much stronger guarantees than my ISP's.

    • dao- 5 years ago

      Is your ISP in the US and your government the US government? The DoH rollout w/ Cloudflare is only planned for the US.

      • vetinari 5 years ago

        > The DoH rollout w/ Cloudflare is only planned for the US.

        For now.

  • zzzcpan 5 years ago

    > I'd rather trust unencrypted plaintext DNS queries that go to my ISP and government!

    Your ISP has access to more detailed data on you than DNS queries. Also CF servers are typically located in the same jurisdiction as your government and send unencrypted DNS queries from there. Now instead of dealing with every ISP your government has to deal with just one company in one location, no need to even ask that company anything, just come in and setup mirroring point, very convenient for the government, not very good for you.

    • comex 5 years ago

      They can log unencrypted DNS queries coming from Cloudflare, yes. But they can't correlate those with the incoming encrypted queries, not when the amount of traffic coming in is as vast as it will be. It doesn't help much to know "some Firefox user somewhere tried to resolve such-and-such domain".

  • w8rbt 5 years ago

    Absolutely. This warning seems disingenuous and will confuse many normal people. DNS over HTTPS and DNS over TLS are good things and increase our privacy. People should switch to them.

  • krzyk 5 years ago

    Are there any GDPR compliant entities there? Preferably some company/organization from Europe?

  • lima 5 years ago

    I live in Europe and I do trust my ISP (and government, which has a decent track record at enforcing GDPR).

    Even with DoH, my ISP already sees all of my network traffic. My DNS queries will effectively be anonymized by their recursive name servers.

    • dao- 5 years ago

      > I live in Europe and I do trust my ISP (and government, which has a decent track record at enforcing GDPR).

      I believe the GP comment was referring to government surveillance. This is a thing in Europe and GDPR won't protect you from it.

      Also, good news for you: Since you live in Europe, the announced switch to DoH with Cloudflare as the default for Firefox users in the US won't affect you.

Aissen 5 years ago

This is a gross over-simplification. Cloudflare is required by contract to respect your privacy, which is much stronger than even the privacy laws we have here in the EU since it addresses everyone, not just the EU population:

https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...

The people fighting for the status quo probably know how to run their own resolver, even with DoH or DTLS. But Mozilla's conundrum is how to protect everyone's privacy (and to a certain extent, security). DoH, despite all its flaws, attempts to do that by piggy-backing on already working infrastructure, so it seems like a good fit to move everyone to DoH. But then there's the chicken-and-egg problem. How do you make sure people deploy local DoH resolvers if no browser enforces the move to DoH? How do you make sure those resolvers are truthful, or even respect local law (having both is often impossible)?

So, you need to compromise. I'd have preferred to have a temporary non-profit third party entity handle this à-la-Letsencrypt, but Mozilla deemed its contract with Cloudflare sufficient to provide enough guarantees. Ideally, name resolution should be done closer to the user instead of being centralized like that. But by arguing instead of experimenting we just keep the status quo. Time will tell if this was a bad decision. But it's not as clear cut as this blog post says it is.
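
The "piggy-backing on already working infrastructure" above is literal: a DoH query is the same wire-format DNS message that would go out on 53/udp, carried as an HTTPS request body or as a base64url GET parameter (RFC 8484). The following is an added example written for this thread, not code from Firefox, curl or Cloudflare: it builds the query, forms the DoH URL, and parses the wire-format answer, including name compression. The HTTPS round trip is injectable, so the code runs offline against a response constructed in fake_transport(); https://dns.example/dns-query is a placeholder endpoint, not a real resolver.

```python
"""RFC 8484 DoH in the small: wire-format query, GET URL, answer parsing.
Added example, not Firefox/curl/Cloudflare code. fake_transport() is constructed."""
import base64
import struct
import urllib.request
from typing import Callable, List, Tuple

DOH_MEDIA_TYPE = "application/dns-message"
Transport = Callable[[str, bytes], bytes]


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, root-terminated."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    # RFC 8484 suggests ID 0 so identical queries map to identical, cacheable URLs.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base: str, query: bytes) -> str:
    # base64url without padding, per RFC 8484 section 6
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def https_transport(url: str, query: bytes) -> bytes:
    """Real transport (needs network access; not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"Accept": DOH_MEDIA_TYPE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != DOH_MEDIA_TYPE:
            raise ValueError("unexpected content type")
        return resp.read()


def fake_transport(url: str, query: bytes) -> bytes:
    """Constructed stand-in for the resolver: answers any query with A 192.0.2.1."""
    assert url.startswith("https://") and "?dns=" in url
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    question = query[12:]                                     # echo the question
    # name as a compression pointer to offset 12, type A, class IN, TTL 300, 4 bytes
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            if end is None:
                end = off + 2                      # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("idna"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes, expected_txid: int = 0):
    """Return (rcode, [(name, rtype, ttl, rdata_text), ...]) from a wire-format answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers: List[Tuple[str, int, int, str]] = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, answers


def resolve(name: str, transport: Transport = https_transport,
            base: str = "https://dns.example/dns-query"):
    query = build_query(name)
    return parse_response(transport(doh_get_url(base, query), query))


if __name__ == "__main__":
    print(resolve("example.com", fake_transport))
```

Nothing in the message itself changes between UDP and DoH; what changes is who can read it in transit. Note the Content-Type check: a captive portal or middlebox that answers the HTTPS request with an HTML page should fail loudly rather than be parsed as DNS.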

  • nullc 5 years ago

    A contract where cloudflare receives no consideration isn't particularly comforting, as such agreements are routinely ignored by courts (or equivalently by capping damages at nothing).

    > Mozilla's conundrum is how to protect everyone 's privacy

    And exactly how does this protect user's privacy? Instead of the user's ISP being able to see where the user connects now both cloudflare AND the user's ISP (via seeing the connection itself) can tell.

    • Aissen 5 years ago

      Re: the contract, let's hope you're wrong.

      Re: privacy: by not having lying DNS or no NXDOMAIN, there is also less tracking (say, fingerprinting in ad web pages).

      And in the ISP's case, you're assuming they already do DPI, otherwise they now see IPs, which might not mean much in the CDN case. But if they do DPI, it will be resolved once ESNI starts being deployed.

      • ti_ranger 5 years ago

        > But if they do DPI, it will be resolved once ESNI starts being deployed.

        What if ISPs block requests with eSNI for all users, in order to be able to remain compliant with legal intercept legislation (e.g. warrant for suspected child porn investigation)?

        There are conflicting desires with trade-offs, and all Mozilla is doing here is escalating the war, rather than trying to reach agreement with the rest of the industry on how to satisfy two different requirements.

      • TeMPOraL 5 years ago

        > Re: the contract, let's hope you're wrong.

        Switching from a technical measure of privacy (no data being shared) to hope isn't the right way to go.

        > But if they do DPI, it will be resolved once ESNI starts being deployed.

        Once.

        • zzzcpan 5 years ago

          > > But if they do DPI, it will be resolved once ESNI starts being deployed.

          > Once.

          This underestimates DPI vendors. eSNI can't stop them, they will just move to exploit side channel information (traffic patterns) to identify which websites you are visiting. People need to remember that the DPI industry has been fighting with obfuscation for years, it's a war where Cloudflare and Mozilla are complete newbies.

          • Aissen 5 years ago

            These are just unsubstantiated assertions. Fingerprinting does exist, but what you're saying is that there might be methods we haven't foreseen that will be implemented to improve DPI analysis and tampering. So what? Do nothing in the meantime?

        • Aissen 5 years ago

          It's true hope isn't the proper answer. But IANAL is.

  • partialrecall 5 years ago

    > "This is a gross over-simplification. Cloudflare is required by contract to respect your privacy"

    How often do corporations take other corporations to court over contract disputes? I think it's pretty often.

isostatic 5 years ago

> The correct way would be to standardise DoH and DoT and add support into it into automatic address configurations and operating systems. Not in applications!

You're right. But so are Mozilla.

Here we are 30 years into the web, and we're still using plain old DNS. DNS over TLS should have caught on, but it didn't. Apple and Microsoft had years to ensure it's implemented as standard, but they didn't.

The points this article makes - about DHCP options, about multiple providers, are very valid.

But they're also just talking shops.

The biggest problems here seems to be 1) DHCP can't give internal DOH servers. When I'm at home I want it landing on my own DOH server, but when I'm away I want to use a different one. 2) Internal DNS resolving falls to bits

  • m-p-3 5 years ago

    Agreed, I'd prefer setting up the DNS-over-HTTPS config at the gateway level (and either push the config over DHCP, or have the gateway act as a local resolver, which forwards the new requests over DoH), but we're not there yet.

    • isostatic 5 years ago

      In theory isn't it "just" a matter of agreeing a DHCP option number, then having the DHCP client (or vpn client or whatever) be responsible for passing it to applications that want it (including the system resolver, be that mDNSResponder, systemd, glibc, whatever windows uses)

      Anyone who wants to can configure their dhcp client to ignore it, or use a different service, you could even have applications doing that too, but this would allow a network operator to tell people where the recommended resource is.

      Likewise if you want to change your DNS provider yourself you would have a single location on your machine to do it for the entire OS, rather than having to change 50 different applications.

    • bscphil 5 years ago

      > have the gateway act as a local resolver, which forwards the new requests over DoH

      This is what I would like to see as a default (and included in routers). In fact, it's what I already do myself.

      I think (as others here have said) that the privacy concerns the article raises are mostly FUD. But I do agree with the article when it says handling DNS at the application level is kind of a terrible idea (even though it might seem justified in this case). If the end result is that every application has its own built in network stack, that's going to be terrible for security, usability, and make it much harder to debug third-party apps.

    • ripdog 5 years ago

      I use my pfsense router as a DoH recursive resolver, so while DNS is unencrypted inside my local network, all requests are protected when they enter the internet.

  • throw0101a 5 years ago

    > DNS over TLS should have caught on, but it didn't.

    So enable DoT instead.

gommm 5 years ago

As someone who has donated to Mozilla over the years and used Firefox as much as possible, this makes me very unlikely to donate in the future.

People say that it's trivial to change. It's trivial to change for us who are technically minded. It's far from obvious and will not be changed by non-technical users.

This will only increase the massive amount of data that Cloudflare gets about people's online behavior. I am always very skeptical of centralization and of having a company get this much information. Remember google's Don't be evil? I'm extremely uncomfortable with such a massive centralization of data.

People might say that the status quo is not great because DNS is sent to the ISP. I'd argue the status quo is better because it's far less centralized. And, at least for Europeans, I trust European legislation better than US legislation.

I can understand the argument that some countries have mass surveillance and it's a net positive for users in those countries since it will protect them. But in that case, I feel that the default should be randomized from a list of providers, not only one company. I also would be much less concerned by this if it was an option on first startup with a clear explanation (even though users tend to not read and blindly click accept, it's at least more of an informed consent)

And anyway, the purpose of preventing mass surveillance and blocking in those countries where it would actually be useful seems to be moot because of:

> Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

> The organization said it's been asking ISPs and providers of network-based parental control solutions to add a "canary domain" to their blocklists. When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.

So, if ISPs in countries with censorship can use a canary website to prevent users from bypassing "legally-set blocklists", what is the point again of enabling this?

  • diffeomorphism 5 years ago

    > This will only increase the massive amount of data that Cloudflare gets about people's online behavior

    No, it explicitly won't.

    Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

    https://support.mozilla.org/en-US/kb/firefox-dns-over-https

    • toupeira 5 years ago

      Which sounds nice in theory, but there are the usual legal exceptions:

      > The resolver must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.

      > Transparency Report. There must be a transparency report published at least yearly that documents the policy for how the party operating the resolver will handle law enforcement requests for user data and that documents the types and number of requests received and answered, except to the extent such disclosure is prohibited by law.

      > The party operating the resolver should not by default block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates.

      This doesn't really matter if you live in the US, but most of us don't.

coleifer 5 years ago

There are two points:

1. centralization of all dns lookups is worrisome

2. Dns should not be handled by applications. It should be handled by the operating system.

I see a lot of people conflating the two in the comments.

  • Someone1234 5 years ago

    I want to address #2.

    I disagree. It has become common for the OS to handle DNS globally. This can provide nice cache efficiency/centralized configuration benefits. But it is also much less flexible and unlike e.g. the OS's Certificate Authority Registry there's no update/revocation benefits.

    DNS over HTTPS being configurable in the browser gives us more flexibility. For example, if you want to ad-block but not risk breaking OS updates, want to split-tunnel a VPN connection and pick which resolver the browser uses, or even want to use a different non-"internet"/non-ICANN network only in a single browser/instance, you now can. That's powerful.

    DNS by the OS is common in 2019. But saying it "should" without explanation isn't a strong argument except towards the status quo.

    PS - If you think of a web browser like an "app ecosystem" this line of thinking makes a heck of a lot of sense. The OS is just a host for a sub-"OS" ecosystem. There's a reason browsers already have their own configuration for e.g. web cams, microphones, sound/mute, language, 3D acceleration, and security that already end-run around what the OS is trying to dictate.

  • kbumsik 5 years ago

    > 2. Dns should not be handled by applications. It should be handled by the operating system.

    I agree with #1, but why should it be managed by the OS?

    • userbinator 5 years ago

      No one wants a proliferation of different applications which all have different settings to access the network, especially when the OS provides centralised functionality to do so.

    • rocqua 5 years ago

      Because the OS gets provisioned with DNS by DHCP. Because the OS incorporates the hosts file. Any internal domains or local domain edits are not covered by this.

    • unionpivo 5 years ago

      Because in most cases you don't want different applications to use different settings.

      If you are currently using a private DNS server with internal domains and don't know about the changes Firefox is going to make, Firefox will resolve your domains incorrectly while all your tools like nslookup and dig will show correct information.

      And then when you do figure it out, you will have to go to every single user and help them fix the Firefox setup (because most such small businesses don't have their own AD).

      I first thought about blocking it at the company's firewall level, but that's tricky, because you don't want to break everything else that uses Cloudflare.

    • vezycash 5 years ago

      It's annoying. I've already experienced this with chrome as chrome ignores my hosts file settings.

      Example: Say you use hosts file to block porn and other shady sites for your kid, all they have to do is use chrome.

      • Someone1234 5 years ago

        This has nothing to do with the topic. Chrome isn't replacing the OS's DNS resolver, and that bug is just that: a bug.

        A bug that I cannot reproduce. Chrome follows my HOSTS file fine on Windows 10. But even if it didn't it would still be off-topic.

    • parliament32 5 years ago

      Same reason applications use syscalls instead of writing low level code to write directly to your HDD. The entire point of an OS is to abstract away low-level crap, and DNS is (imo) part of that.

    • deadbunny 5 years ago

      Because I don't want to have to manage 400 configs when I can manage 1.

Chirael 5 years ago

It seems like this change by Firefox would bypass a pi-hole. Am I understanding it correctly?

  • userbinator 5 years ago

    ...and a local HOSTS file.

    So now it will, by default, contact all the ad/tracking hosts that you configured to be blocked.

    "But now your DNS queries to those ad/tracking hosts are encrypted!"

    No. I don't care. I didn't want to connect to those hosts in the first place.

    • cremp 5 years ago

      Even worse, corporate intranet addresses get leaked.

      Everyone on this article saying it's FUD is either a framework junkie, isn't seeing the bigger picture, or just focuses on one wrong thing in the article.

      • m-p-3 5 years ago

        It's actually FUD, because it's missing some important points

        > For starters, Mozilla said that after it turns on DoH by default for US users, Firefox will contain a mechanism to detect the presence of any local parental control software or enterprise configurations.

        > Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

        > The organization said it's been asking ISPs and providers of network-based parental control solutions to add a "canary domain" to their blocklists. When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.

        https://www.zdnet.com/article/mozilla-to-gradually-enable-dn...

        • cremp 5 years ago

          I hardly see how the OP is FUD. What the article states is true; just because you can opt-out doesn't mean it's wrong.

          Where you are drawing the line is the opt-out to disable it, as opposed to the convention of opt-in.

          Think about companies in the 50-200 employee range; as a sysadmin, I have to purposefully go out of my way to put that domain (use-application-dns.net) [1] in my root resolver, and point it to NXDOMAIN.

          I can't do it if another provider is managing my DNS (ISP, cloud service...); it also doesn't actually guarantee that it is off.

          > If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.

          The basic IT mantra has been 'If it ain't broke, don't fix it.' Mozilla itself is moving fast and breaking things; which is why we have standards in the first place.

          For God's sake, there isn't even a proper RFC to select yes or no to DoH.

          I, as a sysadmin, must not only implement the domain in my resolver, but I also must keep in my mind that if a user is using Firefox, that there are things it does internally that are not right, and it is easier for me to have my users on Chrome, because it is less of a headache for me.

          [1] https://support.mozilla.org/en-US/kb/configuring-networks-di...

          • comex 5 years ago

            Indeed, Firefox is prioritizing the interests of users over the interests of sysadmins. Personally, I'm fine with that.

            > The basic IT mantra has been 'If it ain't broke, don't fix it.'

            An unencrypted protocol that compromises privacy may not be "broke" for sysadmins, but it is for users.

            • YarickR2 5 years ago

              Well, now CF will know per-organization IT structures. All those LAN-only administrative interfaces, and, with link prefetching, internal resource maps could be built in just a few clicks, using an account with sufficient privileges. This is such a security-defying move by Mozilla I can't even start. And CF DNS logs will be the obvious first step for every targeted attack.

              • comex 5 years ago

                Sure, if your targeted attacker has managed to compromise Cloudflare first… Not exactly a trivial prerequisite. If you have any kind of VPN or Wi-Fi access to your network, those domain names are already leaking to other DNS providers whenever someone accidentally accesses a URL while on the wrong network.

                Also, if your internal resources are using publicly trusted SSL certificates, the domain names are already being broadcast to the public thanks to Certificate Transparency. If you’re sophisticated enough to run a private CA for them, then you’re probably sophisticated enough to set up use-application-dns.net as well – though I still wouldn’t recommend ever treating domain name secrecy as a meaningful security boundary, considering how many ways they can be leaked. The remaining possibility is that your internal resources aren’t using SSL at all... in which case you have bigger problems than domain name leaks.

            • roelschroeven 5 years ago

              How is it in the interest of users if they can't access the intranet servers anymore?

              • cremp 5 years ago

                They can, it just takes extra steps.

                Firefox tries DoH via Cloudflare; for an internal domain that returns NXDOMAIN (Cloudflare can't answer for your internal resolver), then it falls back to local resolvers, which are OS based (DHCP or statically set).

                The response time to complete the internal request goes up, because you're sending data to Cloudflare, they can't find it, then the 'normal' response time for internal resolvers.

                Edit: Made more clear.

                • ti_ranger 5 years ago

                  > They can, it just takes extra steps.

                  For 99% of users, that means they can't.

                  Luckily for them, they probably aren't allowed to use Firefox anyway, and are stuck using Edge or whatever, and the local MCSE will use this as another reason why Firefox may not be used by anyone.

          • m-p-3 5 years ago

            You know that Chrome is also planning a similar switch?

            https://www.silicon.co.uk/workspace/browser/google-chrome-do...

            • cremp 5 years ago

              Yes, however the difference here is that Chrome is looking at the OS resolver itself first; not just disregarding it, or looking for a magic domain. Chrome is being opt-in, Firefox is being opt-out.

              Chrome DoH use cases:

              For the average home user, fine; they're either using what the ISP DNS is, or the public ones (1.1.1.1, 8.8.8.8 ....) If those are on the 'accepts DoH from us', then it'll use DoH to the appropriate destination.

              For the corporate environment, their internal DNS might not support DoH, and as such, Chrome will not even try to use DoH.

              The key is that it is respecting the OS DNS settings, not the ability to not resolve a magic domain. If I opt to setup DoH internally, the understanding is that I know what I'm getting into.

        • Crinus 5 years ago

          > When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.

          ...then what is the point of having DoH in the first place? Anyone who wants to intercept your DNS traffic will use the canary domain and force Firefox to disable DoH.

        • bscphil 5 years ago

          > Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

          Wait, what? Surely making DNS private and non-censorable is the whole point of DoH?

      • jamespo 5 years ago

        Corporations concerned about that should be blocking DoH anyway

        • cremp 5 years ago

          How can you block it, if the browser itself is doing the communication, over https no-less?

          DoH was made to stop censorship, which includes blocking; if you could just block it, then whats the point of DoH?

          • profmonocle 5 years ago

            DoH uses regular DNS to get the IP address of the DoH server. So they could just block queries for the most popular DoH servers.

        • isostatic 5 years ago

          Any device at home can go to http://nas and get on my NAS, "http://desktop", "http://router", and "http://shed" and get on those.

          How does that work in this bold new future? I'll have to register a domain name and add a bunch of A records for 192.168.0.1, but then it still won't work -- I'll have to do "http://desktop.mydomain.com".

          Worse, while going to "shed" will work in chrome, it will fail in firefox. My guest network captive portal may well break too if someone visits with firefox.

          • roelschroeven 5 years ago

            I don't know why you're downvoted, because that is a very good question.

            What you have to do is add an entry in your local nameserver for domain use-application-dns.net and set it to NXDOMAIN. See https://support.mozilla.org/en-US/kb/configuring-networks-di....

            Hopefully Google will use the same method for disabling DoH in Chrome. But I won't be surprised if they're going to force DoH even harder, and make it even more difficult to turn off.

          • Gaelan 5 years ago

            Firefox claims they will detect this situation and disable DoH.

            • Tharkun 5 years ago

              Detect it, how? By forwarding the request to a local resolver after DoH fails, and thus leaking information?

              • ripdog 5 years ago

                Do you... really care if someone outside your network knows the domain you chose for an internal network service?

                That's not sensitive information. Also, there's basically no way for cloudflare, even if they were being malicious about it, to collect and use that information. What would they do with it?

                • Tharkun 5 years ago

                  Yes, I care. Why don't you? I work for Tier 1 banks. They are paranoid, and rightly so. One of their many paranoid rules is that hostnames can never betray the machine's purpose. You could easily analyze DoH stats and deduce certain machines' functions.

                  Leaking information is bad.

                • userbinator 5 years ago

                  It's definitely sensitive information --- useful for attackers to find out the structure of the LAN.

      • telmich 5 years ago

        Happy to see someone understands the real problem here!

    • ripdog 5 years ago

      What's wrong with uBlock Origin?

  • kadoban 5 years ago

    Yes, Pi-hole works via setting it as a DNS server, which this will bypass by default.

    You will have to turn it off manually, in Firefox.

    Not a great direction for DNS to be going for things like Pi-hole. If DoH becomes a thing on say smart TVs and gaming consoles, I fear it will be baked in and not configurable. Also going to be annoying on PCs/phones if each individual application is going to get its own DNS config now.

  • taneq 5 years ago

    Would it be hard to make pi-hole into a DoH provider so you could just point your browser at it? Or does that defeat the "just works" factor of the pi-hole?

    • kadoban 5 years ago

      Probably easier to just turn off DoH in Firefox.

      In a home LAN configuration, which I'd expect is the vast majority of Pi-hole setups, I don't think you'd really be gaining anything from DoH.

      And even if Pi-hole does support being a DoH server, you'd have to configure that in Firefox anyway.

      • ocdtrekkie 5 years ago

        Presumably you'd want DoH on the Pi-hole in the other direction, so that it's encrypting your DNS requests forwarded out to the Internet. But yeah, there'd be no reason to want to deal with certificates for your local network machines to do DoH from Pi-hole to PC.

    • jm4 5 years ago

      I don’t imagine it would. It might be there already. The real problem was mentioned above. We risk a situation where each app has its own doh config and not all of them allow you to change it. There’s nothing necessarily wrong with doh. It’s that app developers are baking it into apps instead of the OS where it belongs.

  • Johnnynator 5 years ago

    Yes, a DoH request would never hit your Pi Hole

  • m-p-3 5 years ago

    Yes, unless you configure Firefox to not use Cloudflare DoH.

  • seanhunter 5 years ago

    ...unless you disable it. However you can configure firefox to use your pi-hole if you can get it serving dns over https. If that's not supported now I would expect it becomes supported very soon.

    • kkarakk 5 years ago

      then some "brave" company like apple/mozilla removes the option to disable it

      • ripdog 5 years ago

        There is no conceivable reason as to why anyone would remove the ability to configure DNS servers. DNS server options are present in almost all internet-facing applications and devices, from locked-down ecosystems like iOS to touchscreen printers and game consoles. You're just spreading FUD.

      • seanhunter 5 years ago

        How do you imagine apple will remove an option from mozilla?

        One option would be to worry about mozilla turning off the ability to disable this if they ever actually do that.

  • jfindley 5 years ago

    Out of the box? Yep! I realise that will annoy people but honestly it's a good thing - any solution that would not bypass a pi-hole would allow governments and ISPs to do the same.

    To retain your pi-hole, you'll need to run a DoH proxy on your pi-hole device, configure your browser to use that as the DoH provider, and this will allow your pi-hole to inspect and modify DNS results. Your pi-hole can then use any upstream DoH provider that you want.

dreamcompiler 5 years ago

I had no idea this was going to be the default. It's massively wrong. I use a Pihole DNS server, which means after a lot of debugging I'd have discovered Firefox had unilaterally decided to stop abiding by internet protocols. It's always one step forward and two back with these Moz guys. I guess that's better than every step back like Chrome, but jeez Moz, get a clue.

mantap 5 years ago

This misses the forest for the trees. In the UK ISPs are already legally mandated to log your web requests and provide them to the government. Those who live under free regimes should not deny those of us who live under oppressive governments the right to privacy of our communications. The fact that cloudflare is a US entity and thus not subject to UK law is the whole point.

  • tadzik_ 5 years ago

    > Those who live under free regimes should not deny those of us who live under oppressive governments the right to privacy of our communications

    And those who live under oppressive governments should not be an excuse to force those who don't to have their traffic routed through a property of an oppressive government.

    Yes, I know it's not about to be a default for non-US users yet. But "The UK people are getting screwed" is not a very good argument for "everyone should be getting screwed by the US".

    • mantap 5 years ago

      It's not just the UK people. Most people in the world live in countries that have oppressive internet laws. Swiss people are a tiny privileged minority. The author should travel the world and see exactly how the internet is outside of their bubble. DoH is an important privacy feature and important for protecting people's fundamental rights.

  • cookie_monsta 5 years ago

    > The fact that cloudflare is a US entity and thus not subject to UK law is the whole point.

    As a fellow citizen of a Five Eyes country, I assume that if any of those 5 have info about me that one of the other four wants it won't even be a question of paperwork for it to be shared.

    • mantap 5 years ago

      The previous UK law, RIPA, was abused for investigating minor crimes such as fraudulently obtaining disabled parking badges. It's not just about national governments but local municipal authorities too. Yes I would prefer another jurisdiction but it's way better than the status quo whereby the browsing history is just handed over.

      • cookie_monsta 5 years ago

        > The previous UK law, RIPA, was abused for investigating minor crimes such as fraudulently obtaining disabled parking badges.

        I understand that you're trying to illustrate a larger problem, but that example is likely to get you zero sympathy from anybody, anywhere.

        I know that US ISPs have an established pattern of "just handing over" browsing history, but I have no idea what CF's track record is like.

    • comex 5 years ago

      Then it's a good thing that if you use DNS over HTTPS, none of those countries will have the info, since the connection is encrypted to Cloudflare and they will not be logging queries.

      • cookie_monsta 5 years ago

        Agreed. The connection is indeed encrypted and they are not currently logging queries.

  • chopin 5 years ago

    As far as I understood, the OP's point is that it shouldn't be the default.

    If you worry about your government, you should use a VPN anyway (where possible, which is the case for the UK afaik).

    • mantap 5 years ago

      Why shouldn't it be the default? Switzerland has a population of 8 million. Why should the default be geared towards a small minority when there are billions of people, not just in the UK but in Asia and Africa, who would benefit from this feature? If the OP thinks that their country's laws are strong enough to make the feature unnecessary then they can turn it off.

  • stakhanov 5 years ago

    Maybe someone with deeper knowledge of the legal situation can correct me if I'm wrong here, but from what I gather: U.S. privacy laws, to the extent that the U.S. has any, afford protections only to U.S.-based persons. Data pertaining to foreign persons is basically "fair game" to them.

codedokode 5 years ago

> It is clear what Mozilla needs to do: Mozilla can and should revert the change and allow users to easily opt-in.

I think it should be on by default. In my country encrypted DNS makes it more difficult for the government to track what people watch and to block sites.

> And to select or enter the DoH provider instead of defaulting to Cloudflare.

You can enter any DNS server address in Firefox.

While I agree that it is bad to concentrate all the world's DNS queries in the hands of an entity under US jurisdiction, not encrypting DNS is much worse currently. So Cloudflare and the US government are the lesser evil for me.

Also, if there were volunteers running free DoH servers then Mozilla could choose one of them randomly instead of sending all queries to USA.

  • saurik 5 years ago

    Why not install DoH system wide, then (the kind of change which is easy if tools like Firefox use the system APIs for this and very difficult if individual applications all reimplement DNS) instead of only doing it for Firefox?

    • codedokode 5 years ago

      Because it is easier to embed it into a browser rather than persuade vendors of all major OSes (Windows, Mac, Android and thousands of Linux distributions) to add it.

      Also, even if a company like Microsoft adds it to Windows, they will add it only to their latest version and leave people on Windows XP, 7 and 8 without protection. Same with Google - they will add it only to the latest Android. Because commercial companies want you to buy new products, not to use the old one for a long time.

m-p-3 5 years ago

What they should do is offer several alternatives when enabling DoH (Cloudflare isn't the only DoH provider out there), and auto-detect if your ISP or local network supports it at the enterprise level.

At least you can change the provider in about:config. I don't remember if you can do it through the settings page.

  • bennyp101 5 years ago

    Yea, Preferences > Network Settings > Enable DNS over HTTPS

    Can currently choose "Cloudflare (default)" or "Custom"

    But I agree, a few more options on there would be good, and if they are turning it on by default, then there should be a setup page that appears to let you choose the provider or something

  • akerro 5 years ago

    • raverbashing 5 years ago

      > claimed that Mozilla plans to support DNS-over-HTTPS "in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

      > By planning to support DNS-over-HTTPS, Mozilla is throwing a monkey wrench in many ISPs' ability to sniff on customers' traffic and filter traffic for government-mandated "bad sites."

      But I don't see why they can't offer their DoH, it seems their issue is with Cloudflare not with DoH per se

      • chii 5 years ago

        Because most people don't know they can easily bypass the DNS based filters that are used to block "bad sites". DoH by default uses Cloudflare's DNS, and so won't (need to) comply with the UK's filter laws.

        • profmonocle 5 years ago

          > DoH by default uses cloudflare's DNS, and so won't (need to) comply with the UK's filter laws.

          I'm assuming the DoH servers used by British users are physically in the UK. (I believe they anycast the service from all of their edge locations, and they have several in the UK.)

          So the fact that Cloudflare doesn't have to comply with this law is precarious. Is it because only ISPs are required to comply? If so, it seems like a matter of time before Parliament amends the law to require any public DNS operator to implement the filters as well.

    • ripdog 5 years ago

      Note that Mozilla has added a way for network operators to disable DoH for their entire network, by NXDOMAINing a specific fake address. UK ISPs will presumably do that, and DoH won't happen in the UK for a while.

    • lysp 5 years ago

      Also certain countries (eg. Australia), have a metadata retention law.

      That means that the ISP dns will 100% be logging all requests made.

      The risk of Cloudflare doing it is far outweighed by ISPs legally being required to do it, at least in Australia.

      • profmonocle 5 years ago

        What if the user just doesn't make any DNS queries, because all their host lookups are going over DoH? They can log all the user's DNS queries, but all of them will just be for the DoH server whenever the user starts Firefox.

        • lysp 5 years ago

          I assume DoH will not be logged at all. Or just many connections logged to "one.one.one.one".

          Difference being if I connected to ISP ABC's DoH server - communication between will be encrypted, but the actual requests will be logged after they receive the request.

  • dsr_ 5 years ago

    I can't see any way in which that could be abused.

    Kazakhstan, China, Russia and the NSA all agree with me.

bennyp101 5 years ago

The only thing that annoys me slightly about this is that I currently have a couple of pi-holes running at home (one for us, and one for the kids) and I have the Mikrotik set up to redirect any request for DNS to the correct pi (so even if they change the DNS on the device it still hits the pi).

This is going to make that a pain - especially if they introduce it in the mobile version?

  • sjagoe 5 years ago

    You should be able to disable the Firefox default-on DoH across your network by returning NXDOMAIN for use-application-dns.net [1]

    I don't know how to configure pi-hole, but at the dnsmasq level you can do that with this directive:

      address=/use-application-dns.net/
    
    [1] https://support.mozilla.org/en-US/kb/configuring-networks-di...
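The canary check this comment relies on, as an added example (Python; not Mozilla's, dnsmasq's or Pi-hole's code): it builds the plain DNS query Firefox would send for use-application-dns.net, parses the reply and decides whether the resolver is signalling "leave DoH off", with constructed replies standing in for a filtering resolver and an ordinary one. Treating SERVFAIL and an answerless NOERROR reply the same way as NXDOMAIN is my reading of Mozilla's documentation, not something this thread states.

```python
"""Firefox DoH canary-domain check on the wire (added example, offline)."""
import socket
import struct

CANARY = "use-application-dns.net"

# RCODE values (low 4 bits of the DNS flags word, RFC 1035).
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard recursive query: 12-byte header plus one IN-class question."""
    flags = 0x0100  # QR=0 (query), OPCODE=0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [answer RR types]) for a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):                # walk the answer section
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return rcode, types


def canary_disables_doh(msg):
    """True if this reply for the canary tells Firefox to keep DoH off.

    NXDOMAIN is what 'address=/use-application-dns.net/' in dnsmasq produces.
    SERVFAIL and a NOERROR reply with no A/AAAA record are treated the same
    way; that is the example author's reading of Mozilla's documentation.
    """
    rcode, types = parse_response(msg)
    if rcode in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return True
    return rcode == RCODE_NOERROR and not any(t in (TYPE_A, TYPE_AAAA) for t in types)


def make_response(query, rcode, answers=()):
    """Constructed reply to `query`: echo the question, set RCODE, add A records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode             # QR=1, RD=1, RA=1
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = b""
    for ip in answers:
        body += b"\xc0\x0c"            # name pointer to offset 12 (the question)
        body += struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + body


def probe_resolver(resolver_ip, timeout=2.0):
    """Same check against a real resolver over UDP/53 (not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return canary_disables_doh(data)


if __name__ == "__main__":
    q = build_query(CANARY)
    # Constructed replies: a filtering resolver vs. one that answers normally.
    blocked = make_response(q, RCODE_NXDOMAIN)
    normal = make_response(q, RCODE_NOERROR, answers=["192.0.2.10"])
    print("filtering resolver -> keep DoH off:", canary_disables_doh(blocked))
    print("ordinary resolver  -> keep DoH off:", canary_disables_doh(normal))
```

Run `probe_resolver("<your resolver IP>")` against the Pi-hole after adding the dnsmasq line to confirm it answers NXDOMAIN for the canary.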
    • bennyp101 5 years ago

      Interesting, thanks.

      I guess if these use normal DNS requests first to determine if it should be allowed, then it will work.

      > If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored

      Well, that kinda puts a damper on it all!

  • ripdog 5 years ago

    Only firefox does this, and Firefox has uBlock Origin. Why is this an issue?

falcolas 5 years ago

It's worth noting that CloudFlare has already proven itself to not be a neutral party - they have proven willing to take sites offline for both legal and social pressure reasons.

This will greatly impact the internet's ability to route around censorship as if it were damage.

  • AgentME 5 years ago

    I agree, only somewhere that hosts neo-nazi websites would be trustworthy enough for this. /s

  • comex 5 years ago

    Cloudflare has proven willing to refuse to use their own bandwidth to host particular websites. That's very different from censoring DNS requests, and there's no reason to think they would do the latter.

clan 5 years ago

The Internet was a great distributed system with reasonable separation of concerns.

Now we are content that applications do their own name resolution and said resolution is centralised on a very few (non-altruistic) hands (CloudFlare/Google).

Add amp to this. Sprinkle it with the views of people who run their own mail server and consider where this leaves us.

I am not so naive as to think we can keep ourselves in 1995. But I do think we give up on too many of the good parts all too freely.

  • pixl97 5 years ago

    The internet also was 99% plaintext. Then we realized that governments would pull all kinds of tricks to watch that text, from your own state monitoring all the traffic to outside states hijacking BGP and slurping up your data. This has, at least in the case of HTTP, centralized certificates.

    Here's the next thing: no one is stopping you from running your own DoH server. No one is stopping you from changing the FF config to use it. The big issue is that the end user has been so unaware of security for so long, and done so little about it, that somebody has to. There is no financial incentive for your ISP to care, so they have not. Most operating systems, specifically Windows but also Apple, have done little to nothing for client DNS security. This could have been handled between operating system developers and DNS infrastructure but they didn't care to.

    • zzzcpan 5 years ago

      > This could have been handled between operating system developers and DNS infrastructure but they didn't care to.

      No, there was a lot of caring over the years, as DNS is old and insecure, in particular unencrypted communications with authoritative DNS servers being the biggest issue. And yet that is completely ignored by DNS-over-HTTPS, because solving it would likely eliminate the need for resolvers in the middle, so surveillance capitalism isn't interested; they only want to "solve" it in such a way that doesn't really solve it, but just gives them DNS data.

mikl 5 years ago

Disagree. Most users haven’t chosen their DNS server, so replacing one unchosen DNS server with another makes no practical difference. And DoH means that people snooping on your network can no longer spy on you.

Cloudflare has committed themselves to not track users via DNS requests, and only log what’s strictly necessary.

And if you distrust Cloudflare, you have a much bigger problem. Half the Internet routes through Cloudflare these days. If they wanted to spy on you, they have (potentially clear-text) access to a good chunk of your HTTPS traffic.

And as many others have pointed out, it’s a much better recommendation to have people change the DoH server to something else.

ltt481 5 years ago

Living in Russia, I, for one, welcome DoH and ESNI. I know I trust Cloudflare more than my government and ISP (The same ISP that routinely spoofs requests to inject ad pages/reminders to pay for service, nevermind all the blocked sites).

  • konart 5 years ago

    Not like DoH helps much here though.

wwright 5 years ago

How will this affect using Firefox on an intranet, where there are often services and websites on a local-only DNS server? Will Firefox be unable to reach those sites by default?

nullc 5 years ago

Wow, that's awful that they're sending all user DNS requests to Cloudflare without informed consent.

Is this also potentially a violation of federal wiretap law?

My ISP being able to monitor where I connect is not great, but being exposed to my ISP and cloudflare monitoring it is not better-- and is also very unexpected.

There are also at least somewhat clear standards of privacy expected from ISPs, it's entirely unclear to me what duty of care cloudflare has towards users of this service or what position they'd be in to resist further compromise of user data (through either legal or illegal means).

fimdomeio 5 years ago

Does anyone know why Mozilla thinks this is a good idea? Between each user sharing DNS queries with their ISP and everyone sharing DNS queries with Cloudflare, it appears that the first approach is obviously more secure, even if neither of them is really that great.

  • Avamander 5 years ago

    ISPs have proven themselves untrustworthy repeatedly; CloudFlare really hasn't yet. Not that I like the control they have, but it's honestly the fault of ISPs that this has happened.

    • falcolas 5 years ago

      Cloudflare has taken sites offline before, in response to legal requests (CP) and social pressure (8ch). Whether it’s right to do it or not, Cloudflare has proven that it is not a neutral party.

      • comex 5 years ago

        CloudFlare has stopped hosting particular websites; they haven't censored DNS requests. There's a huge difference between the two.

    • userbinator 5 years ago

      some ISPs.

      The problem is that Mozilla is taking a very US-centric view of a product that is used worldwide.

      • gsnedders 5 years ago

        …and DNS over HTTPS, using CloudFlare, is only being enabled in the US. A US-centric view for a US-only decision seems fair to me?

      • magashna 5 years ago

        The change is only being rolled out to the US.

      • Avamander 5 years ago

        True, I don't think it's ideal, but non-US entities are in slumber, there's still basically no deployment of more secure standards by ISPs. I'd send my ISP an e-mail about providing DoH but they can't even give me IPv6.

  • diffeomorphism 5 years ago

    https://support.mozilla.org/en-US/kb/firefox-dns-over-https

    > Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

    So, the "obvious" view seems to be wrong.

  • dralley 5 years ago

    I don't see why the first approach is obviously more secure - especially considering the ISP knows your name and address.

unionpivo 5 years ago

One thing that concerns me greatly is debugging network problems.

Up until now, you could use dig, nslookup and other tools to see how your computer resolves names, to help you figure stuff out.

Now what do you do?

Also, what happens when Firefox uses Cloudflare, some other application X starts using Z, and a third one Y?

Also, I work for, and used to work for, many small shops (under 50 people) in different industries. It's standard practice to have internal domains, sometimes even having different things on the same domain (i.e. mail.company.co is a different server from inside and from outside the network).

If you don't have AD (increasingly common here, with Apple and Linux laptops being 95% of users), you will have to go to each user on every device that has Firefox and help them fix the settings.

I would say just block it at firewall level, but it's not trivial, without breaking sites that use cloudflare.

Crinus 5 years ago

If the single DoH 'server' is the issue, wouldn't having a list of several 'servers' around the globe (hopefully in places where there isn't any form of censorship, and preferably through non-commercial institutions) that the browser selects randomly solve this?

  • vetinari 5 years ago

    No. The browser has no business in selecting DNS servers; it is a system-wide setting and it should ask the operating system to resolve names.

    How the operating system resolves names, is up to it. It could use tcp-over-pigeons, if the sysadmin configured it so, and no application should be working around that.

    If you want to use DoH with Cloudflare, you are free to configure your system to do so. You will also get consistency: all your apps will use the same system, not just the browser. Let others have their systems configured as it suits them.

    • yuft 5 years ago

      Maybe if the OS providers were more proactive about DNS over TLS/HTTPS, Mozilla wouldn't have needed to do this to keep users secure.

      • vetinari 5 years ago

        Android does support DNS-over-TLS, and it does it in a way that does not break networks - whatever it gets from DHCP, it tries the same server with DoT first. Users can also configure their preferred DoT server.

        Linux, or at least the glibc-based distributions, have a concept of nss_modules; you can configure whatever mechanism you want, some people are using DNSCrypt or nss-tls, for example. Systemd-resolved, with all the hate it gets, does support DoT. So do other local caching resolvers, like Knot.

        With other systems, you would have to discuss that with the respective vendors. Vendors also discuss these issues with customers, and very few customers are fond of breaking their systems. Activism, as Mozilla has shown, is a good way to irritate a good chunk of your user base. The change would have to be gradual, and allow the local admins to be in control (like Android and Linux distributions do).

tssva 5 years ago

I think this is a horrible idea and applications should respect the OS DNS configuration. I have already configured the instance of dnsmasq on my router at home to return NXDOMAIN for the canary domain.

That being said, I am a little confused by those who are concerned because this change would mean their DNS queries will be sent to a US company and they don't trust US companies. Firefox is developed and distributed by a US corporation and is just as susceptible to being forced to follow US government directives as Cloudflare.

kemonocode 5 years ago

Also, do keep in mind that by using DoH, you're also rendering anything like Pi-Hole useless. The solution of course being to use DoH from the Pi-Hole device [0], picking your own provider and disabling it on Firefox. Only step you need to change is the part where upstream providers are given and use your own instead of Cloudflare's default.

[0] https://docs.pi-hole.net/guides/dns-over-https/

mcovey 5 years ago

I simply don't like DoH because I use a DNS provider that I have chosen - OpenDNS - specifically because they log my DNS queries and let me see that log. I don't mind DNS lookups from my network being logged, as long as the provider does accurate, uncensored DNS lookups. It's helped me find domains to block such as tracking domains used by IoT devices that I can't configure myself.

I have my router directing all DNS traffic to OpenDNS so these devices can't pick their own servers, any outbound requests on port 53 will be redirected. If they start using DoH/DoT, I can't do that so easily. I'd have to start monitoring outbound traffic and do hostname resolution on the IPs.

I think the privacy argument for DoH in the browser is fairly weak, since doing a DNS lookup is not really an indication of, well, anything really. No matter what domain it was, there's no indication that the user intended to visit a website or use a service on that domain, it could be as simple as a lookup to load an embedded image in a spam email. The only good usage of it is to prevent censorship via DNS.

sirtoffski 5 years ago

Idk folks, the entire debate seems to be out of proportion. 1) If you do not agree with Mozilla's actions, do not use their browser. I mean, Mozilla isn't forcing anyone to use Firefox. As a company they are free to design their product as they see fit. As an individual you are free to either use their product or not. 2) If you disagree and still choose to use Firefox: just because you are reading this means you have the knowledge to disable DoH. 3) If Mozilla removes the option to disable DoH over CF and you don't like it, use another browser. 4) If you are concerned for other people's data going to CF (specifically people who are not as well informed, people who don't know what DoH or even DNS is), very noble indeed, but unfortunately options are limited here. Encourage people to do some research and to decide for themselves whether or not they are as passionate about it.

The main point I am making is just as we want to be free in choosing whether or not to use DoH over CF, Mozilla is as free to design their own product.

_Codemonkeyism 5 years ago

I was never a conspiracy buff, but the hordes of shills here who think it's a good idea to send the whole world's browsing habits to the US, a country with practically no protection of data, make this seem like a long-prepared operation.

The Chinese had to hack BGP to get that kind of data for a limited time.

lousken 5 years ago

As a sysadmin and a user I don't see any problems with DoH; I can easily set a DNS entry[0] so that FF respects my company configuration. And as a user I've been using DoH for months, just not from Cloudflare but from CZ.NIC, because the latency was slightly better. You can easily set your custom DoH provider with 2 clicks in the Options menu. Also, for most users I see benefits, because most of them don't use VPNs on free wifi.

edit: I also think OS maintainers are the main problem here, none of this would've happened if they supported DoT or DoH themselves.

[0] https://support.mozilla.org/en-US/kb/configuring-networks-di...

tedk-42 5 years ago

I think it's good Firefox are leading the way on DoH.

The ability to choose which DNS provider you query will be next on the feature list for Firefox, I imagine.

Cloudflare have the same mindset to do something about the vulnerability of DNS to snooping (see their 1.1.1.1 app). Two companies with the same mindset. I'm hoping others follow them.

The article itself sounds paranoid and divides those that would rather trust private companies (with good intentions) against those that would rather trust their ISP/Government (also with good intentions).

tannhaeuser 5 years ago

With Mozilla pushing their users around, it's inevitable that a FF fork with Moz's shenanigans disabled will become mainstream. What's the current state of e.g. SeaMonkey?

garganzol 5 years ago

We are having zero problems with the current decentralized DNS architecture.

Evidently, Mozilla plays the role of Google's darling once again. Those financial "donations" have some interesting effects, don't they? Aside from the official "Google Search Bar in Firefox" line.

What's even more interesting is that Hacker News moderator deranked the topic.

Probably all the actors represent the same mafia ring, as they are painfully in need of defending those interests to stay commercially relevant in a changing world (hello IPFS).

stordoff 5 years ago

Maybe I'm missing something, but the "I think just me and you was safer" image feels a little misleading. There already was a third party - your ISP/DNS provider.

darkhorn 5 years ago

I don't know about you guys but in Turkey if you query wikipedia.org from 8.8.8.8 it doesn't return results.

However if you use DoH you can access Wikipedia.

Thank you whoever contributed to DoH!

  • teddyh 5 years ago

    Whatever convinced Google – Google – to censor Turkey, you don’t think they will be able to convince Cloudflare to do the same?

    This is a problem of centralization.

methou 5 years ago

The stated problem is that there are few providers; as for the offending party, Firefox, it's that they've defaulted to a company based in the US or a 14 Eyes member.

It doesn't feel right to address the issue by blaming the DoH, or Firefox, as they are not defaulting to the prime evil - Google.

I believe the better suggestion here is to set up your own DoH servers, and to urge related parties to open-source their own implementations if there are none.

knorker 5 years ago

The government already has your DNS queries. So the whole point of the argument is moot.

The ISPs, and anyone they share the data with, also already have the DNS queries, so the argument is wrong.

But also, if you do want just one government to have the data, do you prefer that data to go to your local country, which may be speech-oppressing regimes like Syria, Saudi Arabia, UK, Ukraine, or Iran?

I fail to see how this is in any way a step backwards.

auslander 5 years ago

List of FF "integrations" grows. There is also HIBP one. We need a clean from 3rd parties version, like ungoogled-chromium project.

TX-i 5 years ago

I don't understand the DoH protocol entirely. I thought the entire point of it was to pass encrypted requests to CloudFlare. Can anyone confirm how this works? I thought this was the entire point of DoH, adding encryption to requests and directing it away from the plaintext DNS requests.
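
Added worked example (not code posted in this thread, and not Mozilla's or Cloudflare's): to show what DoH actually is on the wire, which TX-i asks about just above, and what the canary-domain opt-out that tssva and lousken mention looks like at the protocol level, here is a small Python script. It builds a DNS query in ordinary wire format, encodes it the way RFC 8484 specifies for a GET (base64url, no padding, in the dns= parameter of https://cloudflare-dns.com/dns-query, which is Firefox's default endpoint), parses a wire-format answer, and applies the rule Mozilla documents for use-application-dns.net: if the network's own resolver answers that name with NXDOMAIN or NODATA, Firefox falls back to system DNS. The two responses it parses are constructed inside the script, not captured from any resolver, so it runs offline; the reading of the canary rule is mine from Mozilla's documentation, and the endpoint and canary names are the real ones.

```python
"""RFC 8484 DNS-over-HTTPS by hand: wire query, GET URL, wire response, canary rule.
Sample responses are constructed here so the script runs offline."""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Firefox's default DoH resolver
CANARY_DOMAIN = "use-application-dns.net"               # Mozilla's DoH canary domain
QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    """Hostname -> DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A):
    """DNS query with ID 0 and RD=1. RFC 8484 recommends ID 0 for GET so that
    identical questions give identical URLs and HTTP caches can reuse answers."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(wire, endpoint=DOH_ENDPOINT):
    """GET form: base64url of the wire message, padding stripped, in ?dns=."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, token)

def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(wire):
    """Header, question and answer sections of a DNS response message."""
    msg_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(wire, off)
        qtype, _qclass = struct.unpack("!HH", wire[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(wire, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": msg_id, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def canary_disables_doh(response):
    """Mozilla's documented opt-out (my reading of their docs): NXDOMAIN, or
    NOERROR with no A/AAAA records (NODATA), for the canary => use system DNS."""
    parsed = parse_response(response)
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return True
    has_addr = any(t in (QTYPE_A, QTYPE_AAAA) for _, t, _, _ in parsed["answers"])
    return parsed["rcode"] == RCODE_NOERROR and not has_addr

# Constructed sample responses (not captures from any real resolver).
def constructed_nxdomain(name):
    # flags 0x8183: QR=1 RD=1 RA=1 RCODE=3; one question, no answers
    return (struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_A, 1))

def constructed_a_answer(name, ip, ttl=300):
    # flags 0x8180: NOERROR; answer owner name is a pointer to the question at offset 12
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

CANARY_NXDOMAIN = constructed_nxdomain(CANARY_DOMAIN)
EXAMPLE_A = constructed_a_answer("example.com", "93.184.216.34")

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(parse_response(EXAMPLE_A))
    print("canary says disable DoH:", canary_disables_doh(CANARY_NXDOMAIN))
```

The URL this prints is the whole of the request as far as the network is concerned: it travels inside TLS to port 443 with an Accept: application/dns-message header, which is why dig, nslookup and a capture on port 53 show nothing when the browser is using DoH, the debugging gap unionpivo raises above. The same parser shows the other side of the canary mechanism: a network resolver that answers use-application-dns.net with the constructed NXDOMAIN message above is exactly what tssva's dnsmasq rule produces.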

NikkiA 5 years ago

I had to turn it off, not because I'm opposed to the idea, far from it, I'd love to use DoH, but because cloudflare's spat with archive.is renders the whole thing useless if you ever need to browse archive.is stored copies of pages.

  • tick_tock_tick 5 years ago

    Kind of a disservice to call it cloudflare's spat when archive.is added special code to make their dns implementation non spec compliant only when queried by cloudflare.

    • yuft 5 years ago

      I wonder if they will deal with it now that all US Firefox users will be unable to use it by default.

tptacek 5 years ago

> As somebody who's been working for internet security over 20 years, we strongly believe that applications should not choose the DNS server. The operating system is designed to manage DNS and network settings for all applications.

This is nonsense.

  • tambre 5 years ago

    Instead of a reactionary remark please provide arguments and explanations for your viewpoint to actually further the discussion.

    • draw_down 5 years ago

      I think tptacek's comment is just fine as it is.

Grue3 5 years ago

Not convincing. I live in Russia, explain why I wouldn't want this turned on?

Tharkun 5 years ago

The result will be simple: FF market share in corporate environments will drop. If sysadmins have to jump through hoops simply to get the thing to respect corporate DNS settings, then it won't be used.

distant_hat 5 years ago

In places like India, blocking is often done at the DNS level. Cloudflare and Firefox are big reasons I can get around stupid overbroad government blocking of whatever they think is anti-national or porn.

DavideNL 5 years ago

It's weird how large companies can make decisions like this (re-routing all DNS requests to the US) on their own, without local/EU government stepping in to prevent it...

paulcarroty 5 years ago

DoH and DoT are very interesting technologies; disabling them 'cause of Cloudflare is ... strange.

From another side, DoH/DoT prevents ISPs/government from DNS modifying/rerouting.

  • antientropic 5 years ago

    Why is that strange? It seems rather obvious to me why people are reluctant to route all their DNS queries through a for-profit company in a country with no real privacy laws (and one that you have to assume is backdoored by the NSA).

    • paulcarroty 5 years ago

      'Cause it's not vendor-locked to Cloudflare; you can use your own server.

treggle 5 years ago

I strongly support DoH as it prevents government snooping on the public. It’s really unhelpful that people like this attack Firefox over this issue.

Stand strong Firefox against this.

  • notyourday 5 years ago

    One goes fishing where the fish is. There are dozens of large and hundreds of medium to small ISPs in the US. There's only one Cloudflare. That's where the resources to get the data would be concentrated. It has been demonstrated with PRISM.

    If Mozilla wants to play this game, it really should make DoH a visible top level choice for a user.

    • magashna 5 years ago

      Most users don't understand DNS, HTTPS, or DoH. I think this decision overall is good, and for those who see and understand the possible issues, it's trivial to remedy.

9588 5 years ago

I think DNS (and many other "trivial" to implement sensitive services) should be a gov service. Preferably the EU, and ideally made usable for anyone.

auslander 5 years ago

OpenBSD folks removed it, and they are always right about security, as they were with disabling Intel hyperthreading.

auslander 5 years ago

How are decisions made at Mozilla? By whom? Is there public discussion beforehand?

  • gcp 5 years ago

    This has been tested and debated for months. Initial support for Firefox rolled out 9 months ago or so: https://miketabor.com/enable-dns-over-https-and-encrypted-sn...

    The conclusion of the debate was that it vastly improves the privacy for most users. Which is why it shipped in Firefox.

    Take that into account when you read (misleading, factually wrong) push-back like the original article.

    • auslander 5 years ago

      > The conclusion of the debate

      Obviously the debate is still on, as we see in here and in [0], and it looks like HN folks are not in favour of these integrations, including me. So the question stands: how/why was the debate concluded, did all developers have a vote? Is there a link to the discussion?

      [0] https://news.ycombinator.com/item?id=20927832

      • gcp 5 years ago

        >it looks like HN folks are not in favour of these integrations, including me.

        I have no idea why you think that random HN discussion afterwards (in response to an article filled with misinformation!) would have any bearing on how Firefox is developed.

        https://www.mozilla.org/en-US/about/governance/

        >Is there a link to discussion?

        There's been about 1.5 year of extended discussion and iteration over DoH, yes. I'm sorry but there certainly isn't just a "single" link!

  • garganzol 5 years ago

    Decisions are made by Google and then handed to Mozilla through a shady process called collusion.

    The aim of this process is to play a two-step game in which:

        1. A controversial change is made by either party (be it Google or Mozilla)
        2. Another party does the same, thus cementing the planned direction
    
    In this way, it becomes a weapon of mass control because most people do not know that both parties participate in a shady scheme backed by millions of dollars.

bechampion 5 years ago

Privacy aside, how about internally hosted zones and stuff that isn't resolvable by TLDs or ccTLDs?

booblik 5 years ago

My understanding is that the DNS query goes to the closest of the more than 180 Cloudflare servers, not specifically to the US servers. Complete FUD.

  • userbinator 5 years ago

    The point is that Cloudflare is a US company. From that perspective, where their servers are located is irrelevant.

    • booblik 5 years ago

      Of course it is relevant. They claim US government has access to all the logs, this is simply not true.

      • falcolas 5 years ago

        Please provide some proof that a US company would not have to respond to US government requests. The location of the servers doesn’t matter.

SimeVidas 5 years ago

> It means people outside the US can now be fully tracked by US government

How?

riccardogiorato 5 years ago

I hope to see a solution from Mozilla. Is it known why they chose DoH with Cloudflare? It seems a bit strange from a company always focused on OSS.

  • mikl 5 years ago

    There aren’t a whole bunch of companies that are able to provide a good DNS service world-wide. You’ll need high-reliability DNS servers co-located all over the world. Probably a multi-million dollar investment to get such a thing going, saying nothing of the running costs.

dqonvzpa 5 years ago

“DoH means that Firefox will concentrate all DNS traffic on Cloudflare”

Not true, you can choose DoH servers.

ros65536 5 years ago

I think this article would benefit from not shoehorning politics into the issue. Couldn't take this seriously after the irrelevant slight at Trump.

aazaa 5 years ago

> DoH means that Firefox will concentrate all DNS traffic on Cloudflare, and they send traffic from all their users to one entity.

Why does DoH necessarily mean that Cloudflare will be handling the traffic? The article barrels right to that conclusion without explaining why.

  • bennyp101 5 years ago

    The default setting in Firefox is to use Cloudflare as the DoH provider.

    • aazaa 5 years ago

      Thanks for pointing this out.

      > It is clear what Mozilla needs to do: Mozilla can and should revert the change and allow users to easily opt-in. And to select or enter the DoH provider instead of defaulting to Cloudflare.

      Buried lede is buried.