Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:
DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third-party that tries to intercept and sniff a user's traffic.
Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month
A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."
DNS-over-HTTPS is the next default protection coming to Firefox
Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
(Score: 1, Interesting) by Anonymous Coward on Sunday September 08 2019, @10:51PM (11 children)
My DNS already filter out 18,000 sites. I do not want tracking sites and crap pages that Mozilla will allow to work again.
What is Mozilla doing??? Being the Google? or the Facebook?
(Score: 4, Interesting) by c0lo on Sunday September 08 2019, @11:12PM (9 children)
Then disable it [mozilla.org], you can still do it ATM (or should I say: "while you can"?).
This is not to say that the potential of evil isn't there or is benign:
---
A case of mixed blessing and curse:
1. on one side, the potential of by-passing the ISP-imposed blocks is... ummm.... fine for the moment
2. on the other side, I do hope they will maintain the capability to pick a user custom DoH provider [mozilla.org] and write-enabled access for the exception list [mozilla.org] for the future. The "Note: Do not remove any domains from the list." in the latest link is a bit worrisome.
Overall, I'm a bit pessimistic on the future: looks like the trend seems to increase the control over the fundamental technologies of the Internet-as-we-know-it.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Sunday September 08 2019, @11:51PM (1 child)
An UK ISP implementing UK censorship scheme throwing a fit over this, is natural. You singing along is strange, to say the least.
(Score: 2) by c0lo on Monday September 09 2019, @12:16AM
What exactly made you say that? I don't think anything inside my post says "I sing along with that".
Maybe because I used a double negation? (the "not to say that the potential of evil isn't there"? As in "I'm implying that there may be evil in the future", 'cause ATM one still has enough control to get around).
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Monday September 09 2019, @02:29AM (3 children)
What do you mean "while you still can"? You have the source, don't you?
(Score: 2) by c0lo on Monday September 09 2019, @02:40AM (2 children)
Having the source is inconsequential if the remote support the source relies on (the classical DNS) is declared deprecated and/or illegal and/or, no matter the reasons, is replaced by something else and stops functioning.
(the RFC-es aren't quite natural laws)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Monday September 09 2019, @04:49AM (1 child)
I think we're quite far away from giving up on DNS.
(Score: 2) by c0lo on Monday September 09 2019, @05:00AM
Time will tell. But, yes, some solutions [wikipedia.org] seems to exist [wikipedia.org].
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by deimtee on Monday September 09 2019, @03:57AM (1 child)
Not that worrying. The only ones in there are localhost and local.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 2) by c0lo on Monday September 09 2019, @04:22AM
... for now.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Mer on Monday September 09 2019, @07:43PM
It's good if it gives an incentive for openDNS and other good DNS services to roll out a DoH version.
Better browsers would implement DoH. And then even if Mozilla gimps the censorship bypassing to uselessness you're fine.
Shut up!, he explained.
(Score: 2) by Bot on Tuesday September 10 2019, @09:47PM
>What is Mozilla doing??? Being the Google? or the Facebook?
let me compute... reimplementing standards... no one asked for... now everybody has to adapt...
it's being the systemd.
Account abandoned.