from the Who-do-YOU-trust? dept.
Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:
DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and just about any other third party that tries to intercept and sniff a user's traffic.
Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month
A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."
DNS-over-HTTPS is the next default protection coming to Firefox
Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
(Score: 0) by Anonymous Coward on Sunday September 08, @10:51PM (1 child)
My DNS already filters out 18,000 sites. I do not want tracking sites and crap pages that Mozilla will allow to work again.
What is Mozilla doing??? Being the Google? Or the Facebook?
(Score: 2) by c0lo on Sunday September 08, @11:12PM
Then disable it [mozilla.org], you can still do it ATM (or should I say: "while you can"?).
This is not to say that the potential of evil isn't there or is benign:
---
A case of mixed blessing and curse:
1. on one side, the potential of bypassing the ISP-imposed blocks is... ummm.... fine for the moment
2. on the other side, I do hope they will maintain the capability to pick a user custom DoH provider [mozilla.org] and write-enabled access for the exception list [mozilla.org] for the future. The "Note: Do not remove any domains from the list." in the latest link is a bit worrisome.
Overall, I'm a bit pessimistic on the future: it looks like the trend is to increase the control over the fundamental technologies of the Internet-as-we-know-it.
(Score: 2) by Fishscene on Sunday September 08, @10:57PM (2 children)
So Firefox by default is going to start leaking my internal network information to an untrusted (to me) 3rd party? And introduce DNS lookup delays as well?
I've been a long time Firefox supporter. But this. This is where I drop Firefox. But what to turn to? Edge? Chrome is not an option.
(Score: 2) by Booga1 on Sunday September 08, @11:08PM
Looks like you can follow these instructions to disable from the DNS/network side of things: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https [mozilla.org]
(Score: 2) by Runaway1956 on Sunday September 08, @11:10PM
So do DoH manually, and set your own DNS server(s). You can click through the links in TFS and TFA to find this page: https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/ [zdnet.com]
Or, you can do a search, and the first hit I got with the duck was the link you could have found by clicking through.
https://duckduckgo.com/?q=enable+DoH+DNS+over+HTTPS+firefox&atb=v138-7&ia=web [duckduckgo.com]
I've been doing DoH for months now, and I believe that I used the ghack link to guide me - https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ [ghacks.net]
You don't trust Firefox, cool. But, the information is available so that you can bypass Firefox.
