Firefox by default directs DoH queries to DNS servers that are operated by a "trusted partner".
That's what I don't want - Firefox offering services.
Once you have a centralized server, with a huge number of minor queries passing through it, the operators get uppity. They start thinking they have editorial authority. Someone will decide that the DNS server should censor something. Child porn is the usual excuse, and then, after a while, you can't see sites that mention Tiananmen Square or Ukraine any more.
I'm quite happy with Sonic's classic DNS server. It just answers DNS queries and forwards requests to the appropriate upstream DNS server as required.
This is configurable though (it's only a default), and is still better than the status quo in a lot of areas. Either you care enough to change it, or you stick to the default. Default (ISP) plain DNS is worse.
I live in China and (still) use Firefox in preference to Google. I agree they need to fire the management and focus on the code. The big pain with DNS is that it's one avenue of censorship but also a proxy for many wrong-headed network geographic assumptions through the lens of geoDNS. "Oh, you resolved from Europe, so you really want a European server! Let me help you out there..." The internet has far too many of these half-baked hacks layered now; it's getting to the point where to obtain a halfway trustworthy response you have to have a dynamic network of geographically distributed and temporally transient nodes seeking similar information and voting on the result. Geoscoping, echo-chamber personalization, household profiling, jurisdiction-second-guessing, ID verification as an outsourced service, political policy fandangling, globe splitting for artificial market segregation, walled-gardening, DRM...
What is a practical alternative to multiple DNS views based on the client's geographical location, for the problems solved by them?
A way to 'opt out' of response customization based on my location would be nice while troubleshooting. But then which zone is that going to give me? Probably the US one. :P
So choose a different one. You don't have to use your ISP's. The danger is in everyone using the same one, which is what you get if the browser vendors are choosing for everyone.
Better yet, give the browsers a way to detect this (e.g. generate a random domain known not to exist and make sure it gives NXDOMAIN) and switch to the other DNS only if the normal one is broken.
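The NXDOMAIN canary check described in the comment above, as an added example that is not code from the original thread: it builds a plain UDP/53 query for a random name assumed not to exist, parses the answer, and flags a resolver that rewrites NXDOMAIN into an address (the search-page or block-page redirect ISPs are known for). The 20-letter-random-label-under-.com assumption and the fake_response helper (constructed answers for offline use) are mine.

```python
import random
import socket
import string
import struct

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def build_query(name, txid):
    """Minimal DNS query: one A/IN question, recursion desired, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def random_nonexistent_name(rng=None):
    """Assumption: a 20-letter random label directly under .com is unregistered."""
    rng = rng or random.SystemRandom()
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(20))
    return label + ".com."


def _skip_name(buf, off):
    """Advance past a domain name, which may end in a compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(resp, expected_txid):
    """Return (rcode, [A-record addresses]); raise ValueError if malformed or mismatched."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def classify(resp, txid):
    """Map a resolver's answer for a name that must not exist to a verdict."""
    rcode, addrs = parse_response(resp, txid)
    if rcode == NXDOMAIN:
        return "healthy"    # the honest answer
    if rcode == NOERROR and addrs:
        return "hijacked"   # NXDOMAIN rewritten into an A record (search page, block page, captive portal)
    if rcode == SERVFAIL:
        return "servfail"
    return "unexpected"


def check_resolver(server, timeout=2.0):
    """Live probe of one resolver over UDP/53 (plain DNS, not DoH)."""
    txid = random.SystemRandom().randrange(0x10000)
    query = build_query(random_nonexistent_name(), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            resp, _ = sock.recvfrom(4096)
        except OSError:  # timeout, ICMP unreachable, ...
            return "unreachable"
    return classify(resp, txid)


def fake_response(query, rcode, addrs=()):
    """Constructed response for offline use: echoes the question, adds optional A records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_query(random_nonexistent_name(), 0x1234)
    print("honest resolver:", classify(fake_response(q, NXDOMAIN), 0x1234))
    print("rewriting ISP  :", classify(fake_response(q, NOERROR, ["198.51.100.1"]), 0x1234))
```

check_resolver("192.0.2.53") runs the same check against a real server; a browser applying the comment's idea would fall back to its alternative resolver only on a "hijacked" or "unreachable" verdict.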
Didn't the UK run into a problem a decade-ish ago where the group compiling the list of porn sites to block by default included the websites for their rival political parties? I just tried searching for references, but I can't find anything with details. I can't speak with certainty and it sounds like it was just a grunt being a jerk, but still a risk with these types of restrictions.
At the application level, it's happening right now all over social media sites. The risk is too great that our delicate minds, unable to separate fact from fiction, will ingest something deviating from the approved narrative.
Around 2 years ago my country blocked access to change.org as it contains "prohibited content" (it is widely believed to be an appeal for Germany not to permit the Thai king to take up long-term residence there; people believe that the ruler should behave properly and stand with the people in their country).
The appeal itself appears to be reasonable, but Thailand is notorious about the enforcement of lèse-majesté law [1], and anything that could be interpreted, even slightly, to fall under this law often saw a summary judgment, a lower burden of proof, and harsh punishment. This is the reason the authority cited as a basis to block it. AFAIK, the website fought back; the block lasted only 6 months.
In the UK the Snoopers' Charter was supposed to specifically target child porn, but the actual wording of the law made it legal for your bin man to see your internet history for any reason.
Do they actually use their massive unchecked power to target child porn? We don't know, because it's unchecked: the government doesn't report on how the law is used; it just uses it.
If the government actually used it to lock up a thousand pedos, that would be pretty great; it would get me voting for that government. So why haven't they reported how successful this law has been in the 4 years it's been in effect? We haven't heard a peep, probably because there hasn't been any success for them to boast about.
> Once you have a centralized server, with a huge number of minor queries passing through it, the operators get uppity.
This is currently the case, no? DNS is already, as far as the user is concerned, a centralised service where any slippery-slope censoring can (and I'm sure does) already happen.
As opposed to your "trusted" partner, i.e. your internet provider? Ignoring that these are the organisations that keep getting hacked, they also outright try to monetize your DNS queries whichever way they can (even falsifying real sites).
And that's ignoring the obnoxious government interference ISPs tend to implement through DNS. From piratebay to youtube blocks.
You have to trust someone with DNS. And Firefox's trusted partner is better than the current status quo.
Can I ask what you would prefer? If FF adds an additional choice among the status quo, are you saying you would prefer the status quo minus the additional option of FF?
Simple: when you use the default search in a browser, you immediately see who is providing search results. If you have a problem with Google, for instance, you see that it's Google and you go and change it.
Mozilla decided to turn on DoH by default, without asking, without prompting, without any indication whatsoever. Even if you configure a canary domain, that doesn't disable the DoH preference - it just temporarily turns it off.
Organizations making unilateral decisions about sharing my private information with an untrusted, for-profit company that has a history of abuse and social irresponsibility is a very bad thing, not a good one.
DNS is not centralized. You can enter whatever DNS server you want. The problem with plain-text DNS is that in countries like Turkey over half a million domains are blocked at the DNS level. Even if you enter your custom DNS, Turkish ISPs MITM the queries and respond with an IP address that says that the domain is blocked. DoH prevents such attacks. For this reason, once again, huge thanks to Mozilla, who fights against oppressing regimes.
The traffic already flows through their browser. If they wanted to filter content, they could do it now at render time. There’s nothing stopping a browser from doing content analysis before it chooses to display it to you. The fact that they haven’t is a pretty good sign.
If you're on current macOS/Windows/Linux/Android/iOS/ChromeOS you probably just want to configure DoH or DoT at the operating system level so it is done system wide. The other half reading this probably want a "how to force disable" guide instead of a "how to" guide. The automatically rolled out browser specific method described in this article is really directed at users that don't know this is even a choice and probably wouldn't have an opinion one way or the other if they did.
Somewhat unrelated but Firefox also supports SOCKS proxying independent of the OS config. Combining this with ssh -D and you can effectively VPN your Firefox traffic out any box you can ssh to, including the DNS requests. This has been both useful for me as a troubleshooting tool and as a simple internet VPN.
> Combining this with ssh -D and you can effectively VPN your Firefox traffic out any box you can ssh to, including the DNS requests. This has been both useful for me as a troubleshooting tool and as a simple internet VPN.
You can essentially "VPN" (relay) your in-browser http traffic with just DoH.
Set up a DoH stub resolver to reply with the same ("gateway") IP for all DNS queries, then on the gateway IP, forward traffic by sniffing TLS SNI (http2/http1.1) or snooping the host headers (http1).
This won't / can't work with http3 because defence against ossification (by such middlewares) was one of quic's design goals (http3's underlying transport). You can blackhole all UDP traffic on the gateway though, which should block http3 altogether.
The only real worry is there's no authentication at the gateway. Could impl it with some form of "captive portal", however.
That's really fun and clever :), I love hacking with network protocols like that. Go or JS(Node/Deno) is also how I usually go about it! Is there any place I can follow you at outside of GitHub?
> If you're on current macOS/Windows/Linux/Android/iOS/ChromeOS you probably just want to configure DoH or DoT at the operating system level so it is done system wide.
Indeed. The problem is that a lot of operating systems still don't support it at all yet.
> The other half reading this probably want a "how to force disable" guide instead of a "how to" guide.
Sadly, yes. And the only reason I've heard for this is that they want to be able to censor or surveil traffic from other people's computers.
I'm actually in the "how do I force disable" camp for reasons unrelated to other people's computers.
On my personal network I've got an inside view of my domain that will resolve internal services if you hit the resolver from the inside. This breaks if an external resolver is used, and it'd be more work for no real gain to set this up as an internal DoH resolver and make sure clients used that.
On my work laptop I have a similar need for split resolution in many cases, particularly when connecting to customers' networks. I also have an additional need to be using the same resolution flow as their computers when troubleshooting; if one of their DNS servers is misconfigured I'll never see the issue resolving to an external server.
I've not found the browser fallbacks to fully cover the 2 above scenarios and, even for the parts that are covered, I've not seen it be particularly reliable. Particularly if you switch networks often.
I've also seen people against browsers pushing users to fewer centralized services but I'm not really in that boat myself, I point DNS to 1.1.1.1, 8.8.8.8 anyways.
That said I run across a lot of customers that don't understand it's easier to build and enforce a proxy config on a managed fleet than to try to play whack-a-mole with every user packet that doesn't match this policy and try to avoid DoH at the network layer as a result. I don't really expect this to change until security auditors stop accepting these implicit policies as meeting requirements. Outside of finance/government that still seems forever away.
>Indeed. The problem is that a lot of operating systems still don't support it at all yet.
Which one exactly? Android has it called "Private DNS", Linux supports it with systemd-resolved, Windows 10 too (don't know the build number at which it starts). Apple with OS 11 and iOS 14.
The main issue I see is that there is no support for both in every OS. "Private DNS" is DoT, while Windows 10 support is DoH. Apple has both.
> The automatically rolled out browser specific method described in this article is really directed at users that don't know this is even a choice...
So it's intended to benefit 99.9% of everyday users, then, despite the risk that it might irritate the 0.1% who for whatever reason want things configured some other way. Sounds like they made the right call.
Meh. I run dnsmasq combined with a dns to doh proxy on my router, and I only do that to hide my DNS queries from my ISP, but this is probably paranoia on my part because AT&T ultimately knows the IP of every site I connect to, and I guess I don’t care enough to run a VPN full time. When I do care, I’ve got a droplet running wireguard at my disposal.
> this is probably paranoia on my part because AT&T ultimately knows the IP of every site I connect to
There's a privacy benefit anyway for some sites. If your browser also supports eSNI or ECH, and you're connecting to a site hosted behind a CDN like Cloudflare, your ISP will then only know that you're connecting to the CDN, and not which site behind it that you're visiting.
It's not quite as secure as having a password, but you can force the proxy to listen on localhost-only (or any other specific address) by specifying it along with the port:
ssh -D 127.0.0.1:8080 some-host.elsewhere.example
This won't protect you from people who already have access to your host, or from people standing behind you, but at least folks on your network can't use your proxy.
This is objectively a terrible decision. Technologically, politically, culturally. We had a very good design in DNS, and people are throwing it away because they're terrified about the potential that their ISP might use their data. Never mind that Netflix already does it to them when they watch TV, Target does it to them when they buy condoms at the store, Google does it with their mail and search results, ESPN does it to them when they play fantasy football, and Starbucks does it to them when they buy their venti mocha frap. But because Comcast might also know what they do in their private life, we should ditch one of the internet's most important protocols, and give all our data to Cloudflare, a central TCP-based US-owned DNS resolver.
Nobody in the world needs DNS over HTTPS. If you actually need to hide your DNS requests, you have bigger problems that you need a real VPN for. This is a unilateral political decision by the people who have the most power over browsers because they have an emotional obsession with privacy, even if it makes technology in general worse.
This isn't emotional. People deal with censorship by their ISPs or absurd fines for petty piracy literally every day. It's actually more accurate to say that you have an emotional attachment to a particular internet architecture compared to the practical advantage that most people have if they have their traffic encrypted through an American company, which is a big step up from local ISP snooping in a large chunk of the world.
It's also not a 'unilateral decision by people who have the most power', it's an optional offering by Firefox, a non-profit open source browser with less than 5% marketshare. You're making it sound like the Illuminati just came up with this.
The thing is, DoH doesn't solve either of those problems. Your ISP can still censor your traffic unless you're using a VPN (in which case you don't need DoH to protect from your ISP), and "piracy" happens outside the browser, so again, unless you're using a VPN (in which case you don't need DoH to protect from your ISP--and even if you did, DoH in your browser won't do anything) you'll still have to deal with the absurd fines.
And let's not forget, ISPs can just block known DoH hosts, and now that weird browser you were trying doesn't work anyway. Oh well, let's go back to the corporate backed spyware we're all familiar with.
This is a Bad Idea, and has the potential to make Firefox unusable to exactly the people it's trying to protect.
Sounds like what I need is a VPN or Tor in these cases. To such regimes, if FF provides a way to bypass their restrictions, FF would end up being classed as contraband similarly.
The big difference between malicious behaviour of the ISP vs malicious behaviour from all those example companies you mentioned is that I can choose not to use Netflix/Google/ESPN/..., while I can't choose my ISP. So yes, I need DoH to protect me from my ISP (and no, a full-blown VPN is not an option, too many compromises).
> We had a very good design in DNS, and people are throwing it away because they're terrified about the potential that their ISP might use their data
It's more about censorship by governments. Even here in Europe, we have such censorship - against "terrorists", pirates and Russian propaganda. I don't object to censoring Russian propaganda and actual ISIS/AQ-style terrorists away, but censorship against pirates is just enforcement for the ultra-rich.
I think encrypted DNS as a default is a good thing and swapping (with a notification to let you know what they did, why, and an easy button to revert the setting) in an update would be great.
> We completed our rollout of DoH by default to all United States Firefox desktop users in 2019
Why did this setting change for me today mid-session? Did someone malicious use this functionality to change my settings outside of the context of an update? I don't want anyone to be able to remotely change my privacy settings. Knowing this feature exists makes me extremely uncomfortable and has broken my trust in my browser.
Same here. Anyone here have any good arguments for why Mozilla should implement changes like this outside of a version upgrade? I just got the prompt on a version of Firefox that is not the latest version. At first I just tuned it out; it's very easy to think it's some banner on the page annoying you unless you're actively looking for it. Or maybe a notification or location request. I then thought my Firefox installation had been upgraded without my consent, which alarmed me briefly.
And I don't mean just arguments focused on benefits to Mozilla, like it's easier for them, it lets them run experiments, etc. I mean arguments why they should, in the process of doing this, take away my ability to make informed decisions as the owner of my computer. If I choose not to upgrade something, it should not change its behavior in a significant way like this.
Yeah, I've been wondering this too... I've disabled a lot of things like experiments/normandy and telemetry so I'm wondering what I'll have to find and disable now.
I went to the effort of setting up a pihole, and pointing all the devices on my network to it.
When I saw this notification for the first time yesterday I was a bit annoyed - do I now have to think about every application ignoring OS level settings and using its own?
Yes, I use ipset on openwrt to block all known public DoH IPs. That is still not enough. You need custom DNAT rules to forward all queries to port 53 to your local resolver (at my home at least, Google and Garmin devices insist on using their own DNS servers).
I see a lot of people who do not like this. And that is totally fair. I do not want or need this either; I have my own resolver on my pi-hole and why the f would I want FF to mess with that.
However, for 'normal' users, this is actually an important and big improvement imo. You cannot expect everyone to understand how it all works and how to run a DNS server. If you can, you might not be the target audience for such features.
That being said, I'd prefer my FF without all the 'services' and bullshit. I tried Librefox, but couldn't get it to run. Gave up after 30s. Guess I'm not the target audience for that and I'll deal with disabling mozilla's spam ;)
One problem I've found when trying to switch to an alternative DNS provider is that e.g. different parts of Akamai's CDN servers have different peering arrangements with ISPs, and Akamai uses DNS for directing you to a server that is well-connected to your current ISP.
So when using an alternative DNS server, download speeds for anything hosted by Akamai would always slow to a crawl in the evening because I got directed to the wrong set of Akamai servers.
I just got this automatic up/down/side-grade. DNS to be handled by a partner service provider, so they get all my data instead of my ISP getting it? Doesn't seem like an improvement. I think I will turn this off.
> DNS to be handled by a partner service provider, so they get all my data instead of my ISP getting it? Doesn't seem like an improvement.
It's an improvement in two ways. One, the DoH provider will only know that your IP address looked up certain hosts, unlike your ISP who also knows the association between your real-life identity and your IP address. Two, most ISPs (especially in the US) have horrific privacy policies and practices compared to the DoH servers.
What kind of contracts and understandings do we have with Cloudflare? What do we know about them aside from the fact that they protect scammers and spammers?
I got the pop-over notice for the first time today as well... I'm wondering now how they did it. I have Firefox set to notify me about updates, but this wasn't that. I have telemetry/Normandy/experiments/etc disabled. I hope I can find whatever I have to disable to prevent settings being remotely applied to my browser outside of updates.
That mostly defeats the purpose though, since to your ISP, a DNS packet from Firefox and a DNS packet from your local DoH server both look the same. Now if you hosted it on a VPS or something instead, then it would definitely be worthwhile.
Has this ever happened?
[1] See https://en.wikipedia.org/wiki/Lèse-majesté_in_Thailand for more information.
That's what I actually want from Mozilla — offering (but not forcing) privacy-enhancing services, preferably for free.
A toy go program I co-authored can act like the aforementioned "gateway": https://github.com/celzero/midway
I just wish it worked on the whole system
Ref: https://man.openbsd.org/ssh#D
> people are throwing it away
It is not meant to replace DNS or make it impossible to work.
And by PiHole.
Conspiracy theory I semi-seriously believe: DNS over HTTPS exists so Google Chromecasts can circumvent DNS based adblockers.
https://en.wikipedia.org/wiki/EDNS_Client_Subnet
When you wonder about motivation, you don't have to go very far to see how this is obviously about money.
Sorry, but that's not an improvement at all.