
posted by Fnord666 on Monday July 08 2019, @10:23AM
from the Homer-Simpson-Approved dept.

How to Enable DNS-Over-HTTPS (DoH) in Firefox:

The DNS-over-HTTPS [(Doh)] protocol works by taking a domain name that a user has typed in their browser and sending a query to a DNS server to learn the numerical IP address of the web server that hosts that specific site.

This is how normal DNS works, too. However, DoH takes the DNS query and sends it to a DoH-compatible DNS server (resolver) via an encrypted HTTPS connection on port 443, rather than plaintext on port 53.

This way, DoH hides DNS queries inside regular HTTPS traffic, so third-party observers won't be able to sniff traffic and tell what DNS queries users have run and infer what websites they are about to access.

Further, a secondary feature of DNS-over-HTTPS is that the protocol works at the app level. Apps can come with internally hardcoded lists of DoH-compatible DNS resolvers where they can send DoH queries.

This mode of operation bypasses the default DNS settings that exist at the OS level, which, in most cases, are the ones set by local internet service providers (ISPs).

This also means that apps that support DoH can effectively bypass local ISPs' traffic filters and access content that may be blocked by a local telco or local government -- and this is a reason why DoH is currently hailed as a boon for users' privacy and security.

[...] The below step-by-step guide will show Firefox users in the UK and Firefox users all over the world how to enable the feature right now, and not wait until Mozilla enables it later down the road -- if it will ever do. There are two methods of enabling DoH support in Firefox.

The fine article then presents step-by-step instructions on two methods to enable DoH in Firefox, as well as an explanation of what the various setting values mean.



  • (Score: 0) by Anonymous Coward on Monday July 08 2019, @11:54AM (4 children)

    by Anonymous Coward on Monday July 08 2019, @11:54AM (#864425)

    As an admin I hate it. For exactly the same reasons.

    It's a nightmare for admins who need to do content blocking (schools etc). If web apps ever get to specify "DoH" servers under the pretence of "security", it'll become a nightmare for users too. Also, the inefficiency of additional HTTP + encryption overhead makes me want to puke.

  • (Score: 3, Interesting) by c0lo on Monday July 08 2019, @12:36PM (3 children)

    by c0lo (156) Subscriber Badge on Monday July 08 2019, @12:36PM (#864441) Journal

    The inefficiency of additional HTTP + encryption overhead makes me want to puke.

    <tongue_in_cheek>Look, the inefficiency of a hierarchical DNS and multiple roundtrips to different servers with recursive queries makes me want to puke. Like, why can't I make a single query and get the answer straight away?</tongue_in_cheek>

    Point: everything in relation to the Internet is a trade-off. The only point of debate is where you set the point of balance, and that depends on what you can afford to still consider good enough one way or the other. In the mid '90s, users would curse you if you had a site with over 1MB of eye-candy images - righto, dial-up speeds.

    Nowadays, you have tens to hundreds of megs of javascript to download, going over HTTPS-everywhere, before even the first bits of useful info start hitting your browser. Guess what? The majority of users accept the trade-off, not even being aware that it's actually their interest that is the most compromised (a lot of data processing and page layout happens in the client browser instead of on the server side, so the server side is cheaper 'cause it doesn't do any dynamic "rendering" - JSON content only. And the front-end devs are happy too - dynamic rendering means more flexible display layout, cheaper maintenance, shorter dev times - a design that's more "responsive" to whatever the markedroids throw at the engineering team and the zillions of device aspect ratios/resolutions that content needs to be displayed on).

    Where does this leave your puke? A self-evident answer, don't you think?

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0) by Anonymous Coward on Monday July 08 2019, @12:56PM (2 children)

      by Anonymous Coward on Monday July 08 2019, @12:56PM (#864449)

      Look, the inefficiency of a hierarchical DNS and multiple roundtrips to different servers with recursive queries makes me want to puke. Like, why can't I make a single query and get the answer straight away?

      That's not inefficient, transferring entire registries for every update would be inefficient.

      Nowadays, you have tens-to-hundred of megs of javascript to download

      A couple of meg, once with correct cache headers. Few JS heavy sites provide any functional benefit over vanilla html - that's a different argument and one I expect we'd agree upon.

      Aside from all the negatives (overhead, hard coded DNS in apps & hijacking) there is also a potential positive. The time for alternate DNS roots has arrived.

      • (Score: 3, Touché) by c0lo on Monday July 08 2019, @01:19PM

        by c0lo (156) Subscriber Badge on Monday July 08 2019, @01:19PM (#864458) Journal

        The time for alternate DNS roots has arrived.

        Enjoy your FB-captive DNS root, I hope you like it.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Monday July 08 2019, @07:03PM

        by Anonymous Coward on Monday July 08 2019, @07:03PM (#864638)

        Alternate roots? You must be joking. I can't get my mother to understand the difference between single clicks and double clicks, nor can I get her to understand that left clicks and right clicks do different things. The only way she could install an alternate root is if one of those stupid "cursor packs" or "themes" she tries to install all the time had one in it next to the RCE and privilege escalation attack for the Linux distro installed.