Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:
DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third-party that tries to intercept and sniff a user's traffic.
Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month
A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."
DNS-over-HTTPS is the next default protection coming to Firefox
Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
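To make concrete what the summary describes (a DNS query carried inside an ordinary HTTPS request to a DoH resolver), here is an added example that is not from the article or from Mozilla: it builds an RFC 8484 GET request for an A lookup and parses a DoH response. The resolver URL and the response bytes are constructed placeholders, not a real resolver or a captured reply.

```python
import base64
import struct

# Placeholder endpoint (assumption); any RFC 8484 resolver uses the same shape.
DOH_URL = "https://doh.example/dns-query"


def build_query(name, qtype=1, txid=0x1234):
    """RFC 1035 wire-format query: 12-byte header (RD=1) + one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def doh_get_url(base_url, wire):
    """RFC 8484 GET: the wire query goes in ?dns= as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode()
    return f"{base_url}?dns={b64}"  # client also sends Accept: application/dns-message


def _skip_name(msg, off):
    """Advance past a name, honouring RFC 1035 compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + n


def parse_a_records(msg):
    """Return (txid, rcode, [IPv4 addresses]) from a DoH response body."""
    txid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, addrs


def sample_response():
    """Constructed reply: QR=1, RD=1, RA=1, one A record (192.0.2.1, TEST-NET-1)."""
    question = build_query("example.com")[12:]
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer
```

Everything an on-path observer sees is a TLS connection to the resolver's host; the `dns=` parameter and the `application/dns-message` body are inside the encrypted HTTPS exchange.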
(Score: 2) by vux984 on Monday September 09 2019, @09:48PM (4 children)
"The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have setup is with malware. "
Don't be so dramatic. This also applies to pretty much all mainstream anti-virus/anti-malware. Take a look at what Kaspersky, McAfee, Symantec, etc. products do.
Firefox also isn't the first browser to contemplate this: Tor browser does it too; so that it doesn't generate DNS lookups from the client.
Given that browsers run in a sandbox, steadily approaching a full virtual machine, in an ongoing effort to secure the browser, is it any surprise, or even that surprising, that this is happening? I wouldn't be surprised if Google follows suit, but points everyone to their own name servers by default.
Lots of other software I've seen runs all its network traffic through its own proxy services. This is HARDLY revolutionary.
So... "never in the history of the internet" to... "oh yeah Verisign did it, but we got really mad so it's ok NOW". That's not the first time we've gotten mad at Verisign, nor the most recent. There was that time in 2010 they got breached and tried to hide it -- I guess that's ok from critical trusted internet infrastructure right? Or that time they seized 82 domains after a court told them to... paragons of virtue.
Mozilla is assuming joe sixpack DOESN'T know anything about this feature, or how DNS works at all for that matter. And they'd be correct.
It's not mandatory.
It would be overriding the network if it affected anything OUTSIDE of the browser. It doesn't.
Hey I agree. P2P distributed DNS for the win. But that's a solution for tomorrow maybe. This is a solution for today.
Most people aren't set up to query the root servers directly via encryption. (Assuming you want to trust the root servers). Most people are querying ISPs and/or Google. THIS is better than THAT.
(Score: 2) by The Shire on Monday September 09 2019, @10:24PM (3 children)
Antivirus software does not override your network settings.
Tor is a product designed to circumvent filters, that's its purpose. Firefox is not. If Mozilla wants Firefox to behave like Tor then perhaps they should retire Firefox and start promoting Tor as their mainstream browser.
It is mandatory. When the new release arrives it will be on by default and cannot be turned off without doing some fancy footwork on the network, and even then you can't be entirely sure it's turned off. If it's voluntary then it should have an on/off switch in the options dialog but they have already indicated it will not. This is a hidden "feature" designed such that people will be unaware their queries are being redirected. IMO its behavior is that of malware.
Browser functionality is an integral part of enterprise and personal interaction on the internet. Until now, browsers have behaved like all internet enabled apps - they use the system networking configuration. To silently override it is going to cause all manner of confusion when intranets cease to function because the browser isn't using the local dns. And when you choose to telecommute but your browser isn't working with the company network even though you have your dns pointed at it because the browser is quietly ignoring your preferences.
Look, a browser is a network application. By design it should use your network's configuration, not go rogue. And this "solution" doesn't even fix the problem. It's of no consequence if your ISP is collecting your DNS query data or Cloudflare is. Don't forget that all HTTPS connections can already be monitored by your ISP by extracting the plain text SNI connection information - so they already know the domain you're going to hit. All Mozilla is doing is handing that same data to yet another 3rd party, Cloudflare. It doesn't benefit the end user, it harms them by spreading their data to yet another profit motivated data miner. This only benefits Mozilla and Cloudflare. There is no helping hand here - there's only forced data mining.
(Score: 2) by vux984 on Tuesday September 10 2019, @01:11AM (2 children)
Many antivirus packages include full-on VPN services that route all your traffic through the A/V provider's site, under the guise of 'network security features' to protect you when on wifi and so forth. Then they install certificates and proxy the sites you visit so that they can scan the pages for malware content before your browser gets them. Your browser doesn't even see the certificates the site hosts; if you click the certificate information you'll see the A/V vendor certificates. This is also under the auspices of protection.
That's overriding your network settings in my books.
Are you sure? My reading is that it will be switched on by default, and the fancy footwork on the network is to allow you to signal to Firefox, with it turned on, to not use it there WHILE it's still enabled. But the user can still turn it off manually. Where did you read that it would not be something that you could turn off? I am willing to concede that point if you can cite it; and it would even go a long way to convincing me that Mozilla is in the wrong here.
Encrypted SNI is a thing; and that is a component of this endeavour...
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/
Depends who you trust; and where you are; and who that ISP is. Some are substitutable with Cloudflare but most are worse.
A data miner scrubbing your data after 24 hours as part of this service. If you want to refuse to believe they are doing it because you don't like Cloudflare, or something, that's fine. But if they are doing what they publicly commit to doing, what exactly is the problem? Oh, and you can ALSO select a different DoH provider; it doesn't have to be Cloudflare. That's not forced either.
(Score: 2) by The Shire on Tuesday September 10 2019, @01:32AM (1 child)
You must admit this discussion is getting a little tedious. I think we understand each other's positions.
I don't believe for a moment that Mozilla or Cloudflare's motivations are any more than finding ways to improve their market share, data mine as much of the net's traffic as possible, and of course make money.
You seem to believe that both companies believe they can save end users from themselves and it's all about helping the little guy.
One of us is wrong.
(Score: 2) by vux984 on Tuesday September 10 2019, @03:49PM
I don't think it is quite as either-or as you put it though, but sure, I'm good to agree to disagree. And see how it plays out.
I am also still very curious where you saw that Mozilla said they wouldn't let you turn it off via a setting?!