Arthur T Knackerbracket has found the following story:
Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome.
The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."
DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.
"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote.
(Score: 5, Insightful) by Anonymous Coward on Monday November 04 2019, @08:59PM (7 children)
Placing fixed DNS over HTTPS, so that even local control of DNS is blocked, is bad.
My firewall has black-holed over 17,000 domains protecting my network; now Firefox and Chrome are going to blow right through them, vs honoring local DNS first.
What about local machines on my network, that I want to be found? They are not in this bypassed DoH.
Same goes for my company.
This is a similar complaint in England, where ISPs are required by law to block websites. Mozilla is putting out an English version to allow that.
DoH cannot be set on by default; that just means GOOGLE and Cloudflare are getting to monetize the DNS business.
POLITICS ARE ALL LIES AND HALF TRUTHS. Even from the truth-tellers.
(Score: 3, Disagree) by exaeta on Monday November 04 2019, @09:12PM (5 children)
The Government is a Bird
(Score: 2, Funny) by fustakrakich on Monday November 04 2019, @09:41PM
DNS over HTTP is a fine mechanism to circumvent organizational wiretapping of DNS queries. I fully support DNS over HTTPS.
Normally I would agree, but Cloudflare? Eventually the ISP's owners will buy them, and then who has all that DNS info?
And this whole HTTPS thing is a joke also. The certs aren't worth the paper they're printed on.
Politics and criminals are the same thing.
(Score: 5, Insightful) by maxwell demon on Monday November 04 2019, @09:59PM (3 children)
The problem isn't exactly that DNS is checked over HTTPS, the problem is that this decision is made on the browser level.
I would have absolutely no problem with a program you install at your computer that makes all the DNS lookups on that computer go through HTTPS. I do have a problem with the browser not using the computer's configured DNS, whatever that is.
And no, it doesn't break just enterprise setups. It breaks every single home router whose web interface is accessed through a local domain name.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Monday November 04 2019, @11:15PM
"A program" which a regular user would not even know about, let alone be able to properly configure, will be used only by a tiny minority. As a consequence, any action against that program, the protocol, and its users, will go through unopposed. Which rather defeats the whole purpose.
A common browser (Chrome) using a common protocol (HTTPS) to a common endpoint (Cloudflare), on the other hand, is where breaking it is "breaking the Internet" for the masses, which isn't yet commonly done. A separate program like you want could well exist alongside it and hide in the noise; but its attempting to stand alone will be the very essence of pointless.
(Score: 3, Informative) by exaeta on Tuesday November 05 2019, @04:33PM (1 child)
The Government is a Bird
(Score: 2) by maxwell demon on Tuesday November 05 2019, @05:52PM
Then configure your computer to fetch the DNS from elsewhere. Over HTTPS, from Google, from your friend's private DNS server, it doesn't matter. The point is, the browser is the wrong place for that. Probably you don't even have to do that at your computer; you can configure your home router to use a different DNS server, which will distribute that setting through DHCP.
If I open a page from Firefox, I want to get the IP from the same place as when I use wget. Or links.
And if I make an entry in my hosts file, I want the browser to honour that, too.
What about users of Pi-hole? [wikipedia.org] I'm sure they'll not be amused if all the ads (and possibly malware) suddenly start coming through again, just because the browser no longer honours the settings of the computer.
The Tao of math: The numbers you can count are not the real numbers.
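The divergence maxwell demon describes (the browser resolving through DoH while wget, links and the hosts file go through the OS resolver, a Pi-hole or the DHCP-supplied DNS server) can be measured rather than argued about. The script below is an added example and is not code from the thread, from Mozilla or from Pi-hole: it resolves each name once through the OS resolver and once through a DoH resolver that answers in the application/dns-json format, then labels how the two answers differ. It assumes the public Cloudflare endpoint for the DoH side and assumes that hosts-file and Pi-hole blocklists answer with a sink address (0.0.0.0 or 127.0.0.1) rather than NXDOMAIN; both are labelled as assumptions in the code. The classification and parsing helpers are pure functions, so they can be exercised offline with constructed answer sets.

```python
"""Added check: compare OS-resolver answers (hosts file, DHCP-supplied DNS,
Pi-hole) with DoH answers to list names a DoH-enabled browser would resolve
differently from wget or links on the same machine."""
import json
import socket
import urllib.parse
import urllib.request

# Assumption: a DoH resolver that also answers in the application/dns-json
# format (Cloudflare's public resolver does; RFC 8484 wire format is not used here).
DOH_JSON_ENDPOINT = "https://cloudflare-dns.com/dns-query"

# Assumption: hosts-file blocklists and Pi-hole (NULL blocking mode) answer
# blocked names with one of these sink addresses rather than with NXDOMAIN.
SINKHOLE_ADDRS = frozenset({"0.0.0.0", "127.0.0.1"})


def system_lookup(name: str) -> set[str]:
    """IPv4 answers from the OS resolver (hosts file first, then configured DNS)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()  # NXDOMAIN or no answer at all
    return {info[4][0] for info in infos}


def parse_dns_json(payload: dict) -> set[str]:
    """Collect A-record data (type 1) from a dns-json answer; CNAMEs etc. are ignored."""
    return {rr["data"] for rr in payload.get("Answer", []) if rr.get("type") == 1}


def doh_lookup(name: str, endpoint: str = DOH_JSON_ENDPOINT, timeout: float = 5.0) -> set[str]:
    """IPv4 answers from the DoH resolver; this path sees none of the local settings."""
    query = urllib.parse.urlencode({"name": name, "type": "A"})
    req = urllib.request.Request(f"{endpoint}?{query}",
                                 headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_dns_json(json.load(resp))


def classify(local: set[str], remote: set[str]) -> str:
    """Describe how the OS-resolver answer and the DoH answer diverge for one name."""
    if local == remote:
        return "same"
    if local and local <= SINKHOLE_ADDRS and remote - SINKHOLE_ADDRS:
        return "blocked locally, reachable via DoH"      # Pi-hole / hosts-file block bypassed
    if not local and remote:
        return "unknown locally, reachable via DoH"
    if local and not remote:
        return "local-only name, unreachable via DoH"    # router web UI, LAN host, hosts entry
    return "split answers (local DNS and DoH disagree)"  # split-horizon or internal override


def audit(names, doh=doh_lookup, system=system_lookup):
    """Return {name: (verdict, sorted local answers, sorted DoH answers)}."""
    report = {}
    for name in names:
        local, remote = system(name), doh(name)
        report[name] = (classify(local, remote), sorted(local), sorted(remote))
    return report


if __name__ == "__main__":
    import sys
    # Usage: python doh_audit.py router.lan ads.example pihole.lan ...
    for name, (verdict, local, remote) in audit(sys.argv[1:] or ["localhost"]).items():
        print(f"{name:40} {verdict:45} local={local} doh={remote}")
```

Run it with the names you care about (the router's web interface, a domain on the Pi-hole blocklist, an intranet host): every line that is not "same" is a name for which the browser, with DoH on, will behave differently from the rest of the machine. The resolver functions are passed in as parameters so the audit can also be driven from captured answers without network access.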
(Score: 2) by RamiK on Tuesday November 05 2019, @03:53AM
You have full control over it as a user wanting to switch providers or simply disable it or as an admin wanting to reroute DNS requests to their own enterprise server: https://support.mozilla.org/en-US/kb/firefox-dns-over-https [mozilla.org]
DoH has other issues regarding performance and anonymity... But the former is marginal while the latter is yet to be proven and is mostly a theoretical concern relating to piracy content that we can simply wait until it makes it to court before reconsidering.