2020-02-25
from the and-everyone-else-on-the-network dept.
Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.
"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."
DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.
Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.
Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:
DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and just about any other third party that tries to intercept and sniff a user's traffic.
Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month
A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."
DNS-over-HTTPS is the next default protection coming to Firefox
Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
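As an added example (not code from the original story, from Mozilla, or from any quoted outlet) of what the DoH exchange described above looks like at the wire level: the RFC 8484 GET form, where a DNS query is base64url-encoded into the `dns` parameter of an HTTPS request with `Accept: application/dns-message`, plus a parser for the `application/dns-message` body that comes back. The resolver URL is a placeholder and the response bytes are constructed inline, so the parser can be exercised offline.

```python
import base64
import struct
import urllib.request

# Placeholder resolver URL (assumption); Firefox's default points at Cloudflare's endpoint.
RESOLVER = "https://doh.example/dns-query"

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035); RFC 8484 recommends ID 0 so queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID 0, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(resolver, query):
    """RFC 8484 GET form: the raw query, base64url-encoded without padding, in the 'dns' parameter."""
    return f"{resolver}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"

def doh_request(name, resolver=RESOLVER):
    """The HTTPS request a DoH client sends; on the wire an observer sees only TLS to the resolver."""
    return urllib.request.Request(doh_get_url(resolver, build_query(name)),
                                  headers={"Accept": "application/dns-message"})

def parse_a_records(msg):
    """Return (RCODE, [IPv4 strings]) from a DNS response body; handles name-compression pointers."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    def skip_name(p):
        while msg[p] != 0:
            if msg[p] & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
                return p + 2
            p += 1 + msg[p]
        return p + 1
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

SAMPLE_RESPONSE = (  # constructed sample, not captured from any resolver: example.com A 192.0.2.1
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # ID 0; QR,RD,RA set; 1 question, 1 answer
    + b"\x07example\x03com\x00\x00\x01\x00\x01"           # question: example.com A IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # name ptr->12, A, IN, TTL 3600, RDLEN 4
    + bytes([192, 0, 2, 1]))
```

Sending `doh_request(name)` with `urllib.request.urlopen()` against a real resolver returns a body in exactly the form `parse_a_records()` consumes; the OS resolver is never consulted, which is why Firefox's setting bypasses system DNS configuration.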
(Score: 0) by Anonymous Coward on Wednesday February 26, @02:44PM (3 children)
Let's say for a moment that I don't like Cloudflare. Just as a hypothetical. Let's say I don't really care about who's monitoring my DNS. Let's say I realize that location tracking can happen whether my traffic is encrypted or not and that the real intelligence value in such data is tying location to location and the clustering of numbers together then watching how they disperse, not necessarily location to browsing. Let's say that the last entity in the universe I want having access to what DNS requests I make is fucking Cloudflare.
Can I turn it off and go back to the DNS provider I want? Easily?
Oh, and how will this fuck with the fact that I set my DNS resolvers manually and don't want my browser coming within ten fucking miles of my choice?
(Score: 0) by Anonymous Coward on Wednesday February 26, @02:56PM
As explained by Firefox: when the option is first enabled, you get a warning popup and the option to disable the feature. If you click without reading, you can go to about:config and set network.trr.mode to 0 or 5.
If you forget this, you can go to your preferred search engine and query with this string "disable firefox dns over https". The first link should take you to the page I used to find this information.
(Score: 2) by Booga1 on Wednesday February 26, @02:58PM
Yes, you can turn it off. It's just a checkbox. Uncheck it and it goes back to how things normally work.
Yes, it's easy to change providers. NextDNS is already available in the menu and if you want something else, just click "Custom."
No worries about it messing with manual DNS resolvers either. The Firefox setting for this only controls Firefox. It's not like Internet Explorer where you can screw up your whole system because it pretends to be standalone while actually controlling the operating system.
(Score: 2) by zocalo on Wednesday February 26, @03:02PM
Yes, it's a setting in "General, Network Settings", or at least it is until Mozilla decides to simplify things and your only option is to go into "about:config". Provider options for me (Firefox 73.0.1) are "Cloudflare (Default)", "NextDNS", "Custom" (which lets you specify your own server(s)), or turning it off altogether. Keep in mind that this is an application level thing and as such operates completely independently of your OS settings, so if you use multiple applications that default to enabling DoH you'll need to disable it for each one individually if that's your preference - and keep checking to see if an update hasn't re-enabled it again as well.
(Score: 1) by fustakrakich on Wednesday February 26, @02:45PM
And help snooping Cloudflare, one stop shopping for those who don't want to have to get multiple warrants