posted by martyb on Sunday September 08 2019, @10:18PM
from the Who-do-YOU-trust? dept.

Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:

DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].

By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].

When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and just about any other third party that tries to intercept and sniff a user's traffic.
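As an added illustration of what the excerpt above describes (this is example code written for this page, not code from Firefox, Mozilla or Cloudflare), the block below builds an RFC 8484 DoH request and parses a resolver reply entirely offline. It shows what a DoH exchange actually carries: an ordinary DNS wire-format message, either base64url-encoded into the `dns=` query parameter of a GET or sent as the body of a POST with `Content-Type: application/dns-message`. That is why a firewall that only sees TLS to the resolver cannot tell a DoH lookup from any other HTTPS request. The resolver URL `doh.example` is a placeholder (the page names no resolver URL), and the reply is constructed locally rather than fetched from any server.

```python
"""Minimal RFC 8484 (DNS-over-HTTPS) message handling, offline example.

Assumptions: the resolver URL below is a placeholder, and build_response()
fabricates the reply a resolver would send; nothing here touches the network.
"""
import base64
import struct

DOH_URL = "https://doh.example/dns-query"      # placeholder, not a real resolver
CONTENT_TYPE = "application/dns-message"       # media type defined by RFC 8484


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a wire-format DNS query (one question, recursion desired).

    RFC 8484 section 4.1 recommends ID 0 so identical queries are HTTP-cacheable.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the DNS message is base64url-encoded without padding (RFC 8484 s6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def query_from_get_url(url: str) -> bytes:
    """Inverse of doh_get_url: what a TLS-terminating proxy could log from the URL."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def doh_post_request(base_url: str, query: bytes) -> dict:
    """POST form: the raw DNS message is the body, typed as application/dns-message."""
    return {"method": "POST", "url": base_url,
            "headers": {"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE},
            "body": query}


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # name ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; render A records as dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply for this example: echo the question, add one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                               # single-question query from build_query
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_URL, q))
    print(doh_post_request(DOH_URL, q)["headers"])
    print(parse_response(build_response(q, "192.0.2.1")))
```

The GET URL is the one observable a defender can still inspect if they terminate TLS; without that, both forms look like any other HTTPS request to the resolver's host, which is the point the excerpt makes about enterprise filters.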

Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month

A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."

DNS-over-HTTPS is the next default protection coming to Firefox

Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.


  • (Score: 5, Insightful) by The Shire (5824) on Monday September 09 2019, @03:35AM (#891524)

    You have to send your DNS queries out to someone.

    The DNS root servers are that someone. There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information. If Mozilla really wanted to be privacy conscious they wouldn't have used a for profit firm. In my opinion, Mozilla has been looking desperately for cash streams to pay their increasingly top-heavy salaries and Cloudflare is one such revenue source. I suspect the reason Mozilla caved and made hyperlink ping tracking mandatory also involved similar advertiser or aggregator kickbacks.

    Like Google, it seems Mozilla built up a user base by promising they can be trusted and when it hit a certain mass they started cashing out in ways that are hard for the end user to see.

    And to answer your questions:

    a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better, then why are you against it?)

    Currently, users have control over their networks. Most choose not to exercise that control, but those who do know that when they choose a DNS provider it holds true for their entire network. It's expected behavior that the DNS on your network applies everywhere. Mozilla is subverting that by inserting hidden non-browser functionality into Firefox that is both silent and outside the average person's control. And I say hidden because from what I've seen, there is nothing in the browser's options that someone might see to turn it off or even know it's there. And does anyone really expect an end user to know how to create a "canary domain" that would disable this hidden DoH system? Not a chance, and both Mozilla and Cloudflare know it.

    b) What exactly are you holding up as an even better alternative?

    They could have solved the issue entirely by doing a couple things:
    1) Make it opt in
    2) Provide an easy to find browser option to turn it off - don't deceitfully hide this thing and make it difficult to turn off
    3) If the user opts in, give them a randomized list of DNS providers, with notations about which are "for profit corporations" as well as a place to enter custom providers, and let the user pick the one they want.

  • (Score: 3, Insightful) by SpockLogic (2762) on Monday September 09 2019, @12:24PM (#891638)

    There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information.

    That is why I don't use my ISP's DNS nameservers.

    Anyone trust Charter ... Anyone? Anyone?

    --
    Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII