
posted by Fnord666 on Wednesday February 26 2020, @02:37PM
from the and-everyone-else-on-the-network dept.

Arthur T Knackerbracket has found the following story:

Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.

"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.

Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.

Also at:
Mozilla Blog
The Register

Previously:
Firefox Begins Enabling DNS-over-HTTPS for Users


Original Submission

  • (Score: 1) by mmlj4 on Wednesday February 26 2020, @05:15PM (8 children)

    by mmlj4 (5451) on Wednesday February 26 2020, @05:15PM (#962965) Homepage

    OK, so how do I turn this garbage off?

    --
    Need a Linux consultant [joeykelly.net] in New Orleans?
  • (Score: 1) by mmlj4 on Wednesday February 26 2020, @05:17PM (2 children)

    by mmlj4 (5451) on Wednesday February 26 2020, @05:17PM (#962967) Homepage

    Or better yet, what do I have to block to keep this off a LAN?

    --
    Need a Linux consultant [joeykelly.net] in New Orleans?
    • (Score: 2) by takyon on Wednesday February 26 2020, @05:19PM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 26 2020, @05:19PM (#962969) Journal

      Try blocking this and see what breaks: https://en.wikipedia.org/wiki/1.1.1.1 [wikipedia.org]

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by Booga1 on Wednesday February 26 2020, @05:50PM

      by Booga1 (6333) on Wednesday February 26 2020, @05:50PM (#962978)

      That would be over here: Configuring Networks to Disable DNS over HTTPS [mozilla.org]

      Network administrators may configure their networks to treat DNS requests for a canary domain differently, to signal that their local DNS resolver implements special features that make the network unsuitable for DoH.

      In addition to the canary domain signal described above, Firefox will perform some checks for network features that are incompatible with DoH before enabling it for a user. These checks will be performed at browser startup, and each time the browser detects that it has moved to a different network, such as when a laptop is used at home, work, and a coffee shop. When any of these checks indicates a potential issue, Firefox will disable DoH for the remainder of the network session, unless the user has enabled the “DoH always” preference as mentioned above.
      The additional checks that will be performed for content filtering are:

      • Resolve canary domains of certain known DNS providers to detect content filtering
      • Resolve the “safe-search” variants of google.com and youtube.com to determine if the network redirects to them
      • On Windows and macOS, detect parental controls enabled in the operating system

      The additional checks that will be performed for private “enterprise” networks are:

      • Is the Firefox security.enterprise_roots.enabled preference set to true?
      • Is any enterprise policy configured?
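The canary-domain check quoted above is an ordinary DNS lookup: Firefox asks the network's resolver for an A record of the canary name and treats NXDOMAIN (or an empty NOERROR answer) as "this network has opted out of DoH". The following is an added example, not code from Mozilla or from anyone in this thread, that builds that query by hand, parses the response code, and applies the same rule, so an administrator can confirm what their local resolver actually returns. The canary name use-application-dns.net is the one Mozilla's network-configuration document specifies; the sample responses are constructed inline, and the `query_resolver` function is only needed for a live check against a real resolver.

```python
"""Check a resolver's answer for Mozilla's DoH canary domain.

Added example (not Mozilla's or SoylentNews' code). Builds a raw DNS query,
parses the response header, and applies Mozilla's documented rule:
NXDOMAIN, or NOERROR with no answers, signals "disable DoH on this network".
"""
import socket
import struct

# Canary name from Mozilla's "Configuring Networks to Disable DNS over HTTPS" document
CANARY_DOMAIN = "use-application-dns.net"


def build_query(name, txid=0x1234):
    """Return a minimal DNS query: one question, QTYPE A, QCLASS IN, RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_response(resp, expected_txid):
    """Return (rcode, answer_count); raise ValueError on malformed or mismatched data."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if (flags & 0x8000) == 0:
        raise ValueError("packet is a query, not a response")
    return flags & 0x000F, an


def canary_says_disable_doh(resp, txid):
    """Mozilla's rule: NXDOMAIN (rcode 3), or NOERROR with no records, means no DoH here.

    Answer count is used as a simple stand-in for "no A/AAAA records"; a stricter
    check would walk the answer section and look at each record type.
    """
    rcode, an = parse_response(resp, txid)
    return rcode == 3 or (rcode == 0 and an == 0)


def query_resolver(resolver_ip, name=CANARY_DOMAIN, port=53, timeout=2.0):
    """Live UDP check against a real resolver (needs network access; not used offline)."""
    txid = 0x4242
    family = socket.AF_INET6 if ":" in resolver_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, port))
        resp, _ = sock.recvfrom(512)
    return canary_says_disable_doh(resp, txid)


def _constructed_response(txid, rcode, answers=b"", answer_count=0):
    """Constructed sample response for offline use (not captured from a real resolver)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, then the rcode in the low nibble
    question = build_query(CANARY_DOMAIN, txid)[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, answer_count, 0, 0)
    return header + question + answers


# One A record pointing at a documentation address (constructed)
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
NXDOMAIN_SAMPLE = _constructed_response(0x1234, 3)          # resolver opted the network out
NODATA_SAMPLE = _constructed_response(0x1234, 0)            # NOERROR but nothing in the answer
RESOLVED_SAMPLE = _constructed_response(0x1234, 0, A_RR, 1)  # canary resolves: DoH stays on

if __name__ == "__main__":
    import sys
    for label, sample in (("NXDOMAIN", NXDOMAIN_SAMPLE), ("NODATA", NODATA_SAMPLE), ("A record", RESOLVED_SAMPLE)):
        print(f"{label:9s} -> disable DoH: {canary_says_disable_doh(sample, 0x1234)}")
    if len(sys.argv) > 1:  # optional live check: python3 canary_check.py <resolver-ip>
        print(f"{sys.argv[1]} -> disable DoH: {query_resolver(sys.argv[1])}")
```

Running the script with a resolver address as its argument performs the same lookup Firefox does at startup; a resolver configured per Mozilla's document should make the live check return True, and a resolver that has not been configured will return the canary's real A record and leave DoH enabled.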
  • (Score: 2) by takyon on Wednesday February 26 2020, @05:18PM

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 26 2020, @05:18PM (#962968) Journal

    Easily, look at the first comments. The setting is in the GUI, not just in about:config.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 2) by hendrikboom on Wednesday February 26 2020, @07:33PM (3 children)

    by hendrikboom (1125) Subscriber Badge on Wednesday February 26 2020, @07:33PM (#963035) Homepage Journal

    Configure your router to block all packets headed for 1.1.1.1?
    Or is that not the IP number Cloudflare uses for its https DNS service?

    • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @11:48PM

      by Anonymous Coward on Wednesday February 26 2020, @11:48PM (#963221)

      Don't forget 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001 as well. They use those three addresses along with 1.1.1.1 for DNS.

    • (Score: 2) by edIII on Thursday February 27 2020, @01:33AM (1 child)

      by edIII (791) on Thursday February 27 2020, @01:33AM (#963265)

      Configure the router to DROP all packets if they're related to DNS, and then DROP all packets to known DNS servers. Just like we create RBLs for other purposes, we could have lists for hosts & domains that serve DNS. I'm creating a small list right now.

      • 1.1.1.1
      • 4.4.4.4
      • 8.8.8.8
      • 8.8.4.4
      • 1.0.0.1
      • 9.9.9.9
      • 2606:4700:4700::1111
      • 2606:4700:4700::1001
      • 198.101.242.72
      • 23.253.163.53
      • 205.204.88.60
      • 178.21.23.150
      • 91.239.100.100
      • 89.233.43.71
      • 208.67.222.222
      • 208.67.220.220
      • 2001:67c:28a4::
      • 2002:d596:2a92:1:71:53::

      Once that is thoroughly blocked, create your own recursive DNS server. I already have one running in pfSense, and it has fully functioning SSL/TLS DNS query support.

      The only issue though is.... where does it get its own DNS queries resolved? So unfortunately you're still left with DNS queries that can be scraped from the traffic data. I don't know of any public trustworthy DNS servers that also serve SSL requests. Not at least any that are free, and you still need to trust the provider. You can go to VeriSign today and purchase SSL DNS service, and they CLAIM they would never, ever, ever violate your privacy for profit. They sound just like AT&T, Verizon, and all the fuckwads that did exactly that. There is ZERO reason to trust any large corporation about what they say they do, and every reason to trust that it's just a PR campaign that has nothing to do with the decision making of toxic c-suites and greedy board members.

      What you're left with is running a router in the cloud, or a data center, and then operating your own SSL/TLS DNS resolver. Which is what I do. I route normal and SSL DNS queries from multiple locations to an SSL/TLS DNS resolver in a data center, using SSL/TLS to protect the packets in transit. Queries are resolved against the DNS servers I'm provided with there. All I've accomplished is concentrating the queries into one place, to be resolved in a way that could still be monitored. That being said, I think you could trust a data center more. Volume is much higher, and data centers themselves don't seem to have any real interest in data collection at the moment. I'm sure that's a consequence of them serving businesses and not consumers, as businesses tend to get funny about business data being slurped up without compensation.

      It's very similar to Bayesian poisoning with shopping reward cards. The more people using the same card, and the more diverse and eccentric their purchases are, the less they're able to resolve about you in particular. That, and just for fun, occasionally, I'll buy some Chiclets, Saran Wrap, Ex-Lax, a toilet plunger, and beef bouillon. Figure that shit out marketers :)

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by Fishscene on Thursday February 27 2020, @03:58PM

        by Fishscene (4361) on Thursday February 27 2020, @03:58PM (#963546)

        Thanks for posting this list!

        As for your question of the DNS resolver...
        My DNS chain is:
        PiHole > Gateway router > External DNS provider

        The trick is in the internal logic of the gateway router itself:
        Gateway Router LAN > Gateway Router itself > Gateway Router WAN

        My firewall is set to block all DNS traffic that originates from the Router LAN port destined for the Internet. This allows the gateway router itself to send/receive DNS packets.
        Basically, if you aren't using *MY* DNS server on my internal network, you're not using anyone's.

        Now for DNS over HTTPS. I don't have a real solution for that yet, so I've resorted to just blocking https traffic to known locations. But let's be honest, this is going to be an ever-growing game of whack-a-mole.

        --
        I know I am not God, because every time I pray to Him, it's because I'm not perfect and thankful for what He's done.
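edIII's address list and Fishscene's "if you aren't using my DNS server, you're not using anyone's" firewall rule describe the same policy from two sides: only the gateway may resolve upstream, every other LAN host must use the local resolver, and TLS to a well-known resolver address is treated as DoH. The following added example, written here and not taken from either commenter or from any project, turns that policy into a detector that runs over flow records so an administrator can see which hosts are bypassing the local resolver before (or instead of) dropping their packets. The LAN ranges, the local resolver and gateway addresses, the key=value flow-log format and the sample flows are all constructed for the example; the public resolver addresses are a subset of the list posted above.

```python
"""Flag LAN hosts that bypass the local DNS resolver.

Added example (not code from the commenters or any project). Policy mirrored
from the thread: only the gateway resolves upstream; other LAN hosts may only
send DNS/DoT to the local resolver; TLS to a known public resolver address is
treated as probable DNS over HTTPS.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example network (not from the thread)
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("2001:db8:1::/64")]
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")   # the PiHole / recursive server
GATEWAY = ipaddress.ip_address("192.168.1.1")          # the only host allowed to resolve upstream

# Subset of the public resolver addresses listed in the thread above
KNOWN_PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9",
    "208.67.222.222", "208.67.220.220",
    "2606:4700:4700::1111", "2606:4700:4700::1001",
)}

REASON_DNS_BYPASS = "plain DNS/DoT to a resolver other than the local one"
REASON_DOH = "TLS to a known public resolver address (likely DoH)"


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one constructed 'key=value' flow record into typed fields."""
    kv = dict(item.split("=", 1) for item in line.split())
    return {
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "proto": kv["proto"],
        "dport": int(kv["dport"]),
    }


def classify(flow):
    """Return a Finding if the flow violates the resolver policy, else None."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if not any(src in net for net in LAN_NETS):
        return None                       # only LAN-originated traffic is policed
    if src == GATEWAY:
        return None                       # the gateway resolves upstream on the LAN's behalf
    if dport in (53, 853) and dst != LOCAL_RESOLVER:
        return Finding(str(src), str(dst), dport, REASON_DNS_BYPASS)
    if dport == 443 and dst in KNOWN_PUBLIC_RESOLVERS:
        return Finding(str(src), str(dst), dport, REASON_DOH)
    return None


def scan(lines):
    """Run classify() over every non-empty flow record, preserving input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(parse_flow(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed flow records; 203.0.113.0/24 is a documentation range standing in for a web server
SAMPLE_FLOWS = [
    "src=192.168.1.20 dst=192.168.1.2 proto=udp dport=53",            # normal: local resolver
    "src=192.168.1.20 dst=8.8.8.8 proto=udp dport=53",                # plain DNS straight out
    "src=192.168.1.31 dst=1.1.1.1 proto=tcp dport=443",               # HTTPS to a resolver: DoH
    "src=192.168.1.31 dst=203.0.113.5 proto=tcp dport=443",           # ordinary HTTPS, ignored
    "src=192.168.1.1 dst=9.9.9.9 proto=tcp dport=853",                # gateway DoT upstream: allowed
    "src=2001:db8:1::20 dst=2606:4700:4700::1111 proto=tcp dport=443",  # IPv6 DoH
    "src=192.168.1.40 dst=2606:4700:4700::1001 proto=tcp dport=853",  # DoT to a public resolver
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

The port-53/853 rule is exact because those ports carry nothing but DNS; the port-443 rule is only as good as the address list, which is the whack-a-mole Fishscene describes: DoH to a resolver that is not on the list is indistinguishable from any other HTTPS connection in flow data. On a managed network the canary-domain signal is the complement to this detector, since it tells cooperating clients such as Firefox not to try DoH in the first place.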