
What’s Next in Making Encrypted DNS-over-HTTPS the Default - bzbarsky
https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
======
Jonnax
There's a lot of negativity here.

But this is a win overall for privacy.

DNS is used by ISPs to sell users' data and is one way that oppressive regimes
track what their users do.

If you're technical enough to understand DNS then you are smart enough to
change what the default is.

If you're a system administrator for a company, you should be able to push a
profile down to the user's computer to configure DNS how you want.

~~~
zajio1am
Not if one trusts his/her ISP more than Cloudflare. At least, an ISP is a
contractual partner and under the same jurisdiction, in Europe including GDPR.

~~~
floatboth
Being in the same jurisdiction is bad: your ISP is THE place for your local
law enforcement to get info on your browsing.

~~~
xg15
Yes. However with Cloudflare, now everyone would effectively be under the
jurisdiction of the US which is not necessarily better.

~~~
darkhorn
You can change your DoH provider under the settings in Firefox.

------
nicolaslem
The article is not clear about one issue: are all applications expected to
disregard the OS DNS? Is there an option to tell all applications that they
should not bypass it?

I will be pretty pissed if I wake up one day and find that Firefox decided to
stop using my DNS server and instead started sending my requests to a
third-party.

~~~
modeless
The article explicitly mentions the way to tell applications including Firefox
not to disregard the OS DNS: blocking a canary domain. It even links to
detailed instructions.

Frankly, given how much trouble I've had with systemd's DNS meddling, I look
forward to applications taking DNS under their own control.

~~~
nicolaslem
> blocking a canary domain

And how long will it take for most ISPs to block this domain when they realize
that their DNS servers are not being used anymore? Some of them sell this data
so they see it as a source of revenue.

At this point this canary domain will have the same fate as Do Not Track.

> I look forward to applications taking DNS under their own control.

I am sure I can find a hundred applications/programs resolving domains on my
machine. It is unrealistic to configure all of them separately. At this point
we are back to the OS providing the configuration for all of them.

~~~
GTP
They already stated in the article that if the canary domain will be abused
they will disable that check.

~~~
josteink
Yeah. Sounds like another do-not-track then.

I’ll keep my firewall-rules banning all DoH-traffic to Cloudflare, just in
case.

~~~
Ayesh
I suppose you can block the IP 1.1.1.1, but Google serves THEIR DNS at
`google.com` on the HTTPS port. One of the design choices of DoH was to make it
look like HTTPS traffic.

It's gonna be difficult to block DoH traffic.

~~~
throw0101a
> _One of the design choices of DoH to make it look like HTTPS traffic._

Wait until encrypted SNI gets implemented everywhere as well.

------
papaf
At first, I was sceptical of DNS over HTTPS and thought that it gave
Cloudflare, who already control too much access over the internet, even more
control.

However, other DNS providers are available. For instance Google[1] and Quad 9
[2] both provide free DNS over HTTPS services.

[1] [https://developers.google.com/speed/public-dns/docs/doh/](https://developers.google.com/speed/public-dns/docs/doh/)

[2] [https://www.quad9.net/doh-quad9-dns-servers/](https://www.quad9.net/doh-quad9-dns-servers/)

~~~
alexis_fr
The difference is, DNS-over-HTTPS seems to support cookies and identification.
DNS only identified the IP of a person.

So it’s clearly an upgrade for Google.

~~~
jedisct1
A really good presentation on the privacy implications of "modern DNS" by
PowerDNS
[https://www.youtube.com/watch?v=V2F92orIEO8](https://www.youtube.com/watch?v=V2F92orIEO8)

~~~
zzzcpan
> [https://www.youtube.com/watch?v=V2F92orIEO8](https://www.youtube.com/watch?v=V2F92orIEO8)

So, given the talk, is the industry finally realizing what Mozilla, Cloudflare
and Google are trying to pull off with DoH? I guess this is why the change of
hearts from them and letting people block DoH within entire networks, hoping
not to attract attention of how much control they want to take away.

------
jlgaddis
I didn't see it mentioned in the article. Has Mozilla said whose servers they
will be sending unsuspecting users queries to by default? (IIRC, it was
Cloudflare previously. Any reason to believe this has changed?)

---

If, like me, you already have a solution in place you are happy with and don't
like the idea of others (deciding they know what's best for you and)
circumventing it, simply ensure that your existing resolvers are configured as
described in [0]:

> _Network administrators may configure their networks as follows to signal
> that their local DNS resolver implemented special features that make the
> network unsuitable for DoH:_

> _DNS queries for the A and AAAA records for the domain “use-application-dns.net”
> must respond with NXDOMAIN rather than the IP address retrieved from the
> authoritative nameserver._

[0]: [https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https](https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https)

~~~
josteink
If true that DoH can be disabled at network level, ad-blocking solutions like
pihole should probably implement it by default.

Anyone have any idea if this is the case?

That would at least save _me_ a lot of trouble and work.

~~~
Dylan16807
Pihole is great because it can do all your non-browser activity.

But for a browser, an ad-blocking extension works better and is less than a
minute to set up. Why force it to use the same DNS blocking?

~~~
josteink
Most mobile-browsers don’t support ad-blocking, especially on iOS.

~~~
Dylan16807
They're not threatening to use DNS-over-HTTPS either.

But didn't iOS get browser adblocking capability in the last couple years?

~~~
josteink
Not for third-party browsers like Chrome or Firefox. In a classic Apple-move,
it’s for Safari only.

~~~
Dylan16807
Even though those browsers have to use a safari core anyway? How strange.

~~~
josteink
Technically speaking they are not using Safari, but a WebView.

------
xg15
What I still don't see addressed is the question of how this will affect
non-browser applications.

It's nice that Firefox (currently) still offers options to turn off DoH and to
keep using local domains. (although the way DoH and HTTPS-everywhere are
structured show that non-internet sites don't seem to have much of a place in
the web of the future)

However, now that we have public DoH endpoints available for everyone to
query, what will keep non-browser apps and devices from using DoH _without_
any way to opt-out?

Currently, tracking DNS requests seems to be a common way for security and
privacy researchers to get some basic information what an app or device is
doing on the internet. If DoH is widely deployed, all you'll probably be
seeing is encrypted connections to IPs of shared hosters.

This seems like a perfect opportunity for apps and devices to cloak data
tracking and other illegitimate requests.

~~~
zamadatix
The same thing that stopped it before DoH was standardized: nothing.

There are ways to make FW rules based on trusted DNS lookups (i.e. you can
only do traditional DNS to a trusted DNS server with domain filtering and you
can only connect to an IP if a DNS lookup has been performed) but this is
extremely hard to maintain in any sort of foolproof way.

The truth is if you allow outbound connectivity then all the sender needs to
do is add one more level of obfuscation than you secure against.

------
throawayeu45556
I am wondering, does DNS-over-HTTPS really help? The way I understand it,
after the domain name is resolved to an IP address, the client contacts the IP
address, so the ISP could still know the website visited, especially since
many if not most websites have dedicated IP addresses. So an ISP could simply
crawl the web and map domain names to IP addresses.

Is there anything in DoH mitigating this? Or maybe is this attack vector
negligible in practice because most servers typically host multiple websites?
At least this adds plausible deniability in a wide range of situations I
guess. But is it really true? And for example, would it really help in a
country where a website like Facebook is censored? (Since their IP addresses
are dedicated).

~~~
krupan
This! Just like https encrypting website that anyone can visit is not about
privacy, DoH is also not about privacy. Anyone can visit the same https
website you visit and see what you are reading. Anyone can resolve the same
hostnames that you are resolving (or reverse IPs you are visiting to determine
hostnames).

The benefit they do provide is authentication (ensure that google.com is
really google.com) and protection against man-in-middle.

And those are great benefits!!

But it doesn't help anyone to misstate and/or oversell the benefits of a new
service/protocol.

~~~
bzbarsky
> Anyone can resolve the same hostnames that you are resolving

Yes, but your ISP (including "that coffee shop whose wifi you're using" in ISP
here) can't necessarily tell which hostnames you are resolving, if you use DoH
(subject to some limitations about what happens after you've resolved the
hostname). This is in fact a privacy feature.

~~~
krupan
They can see which IP addresses you go to and do a reverse lookup.

~~~
bzbarsky
They can, but of course the mapping is not always 1-1.

------
EvanAnderson
Can somebody point me to the place in the Firefox code where the
"use-application-dns.net" canary domain is actually checked? I've tried
searching the mozilla-central Mercurial repository and I'm not finding it. I'm
clearly inept here.

I'm looking at what my Windows DNS servers return when I put in an empty zone
for "use-application-dns.net" and I'd like to see exactly what Firefox is
testing for. Windows 2012 R2, at least, returns the SOA and no NXDOMAIN for an
"A" query to "use-application-dns.net" with an empty zone. If they're
explicitly looking for NXDOMAIN then blocking DOH behavior with Windows DNS
servers probably isn't going to work. >sigh<
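As an added example, not code from this thread, from Firefox or from Mozilla's documentation: a Python script that classifies a resolver's reply to the canary query the way the Mozilla text quoted by jlgaddis specifies, and that separates a real NXDOMAIN from the NOERROR-plus-SOA ("NODATA") reply EvanAnderson reports for a Windows empty zone. The three sample responses are constructed inside the script (the 192.0.2.10 address and the example.net SOA are made up), so it runs offline; `probe_resolver` sends the same query over UDP to a resolver you administer but is not invoked by default.

```python
import socket
import struct

CANARY = "use-application-dns.net"
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Dotted name -> uncompressed DNS wire format."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def read_name(buf, off):
    """Decode the name at buf[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf):
    """Return the rcode, the question name and the (owner, type) pairs of the
    answer and authority sections of a DNS response message."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", buf[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(buf, 12)
    off += 4                                  # skip QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, off = read_name(buf, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            off += 10 + rdlen
            rrs.append((name, rtype))
        sections.append(rrs)
    return {"rcode": flags & 0xF, "qname": qname,
            "answer": sections[0], "authority": sections[1]}


def classify_canary(buf):
    """Only a real NXDOMAIN is the documented 'keep DoH off' signal."""
    r = parse_response(buf)
    if r["qname"].lower() != CANARY:
        return "not-canary"
    if r["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"           # opt-out signal as described by Mozilla
    if r["rcode"] != RCODE_NOERROR:
        return "RCODE%d" % r["rcode"]
    if any(t in (TYPE_A, TYPE_AAAA) for _, t in r["answer"]):
        return "ANSWERED"           # canary resolves normally
    return "NODATA"                 # NOERROR without an address, e.g. an empty zone


def probe_resolver(server, port=53, timeout=2.0):
    """Send the canary A query over UDP to a resolver you run and classify the
    reply. Not called below so the example stays offline."""
    query = struct.pack("!HHHHHH", 0x2A2A, 0x0100, 1, 0, 0, 0)      # RD=1
    query += encode_name(CANARY) + struct.pack("!HH", TYPE_A, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        return classify_canary(s.recv(4096))


# --- constructed sample replies (not captured from any real resolver) ---
def build_response(rcode, answers=(), authority=()):
    """Reply to `use-application-dns.net A`; RR owner names use a compression
    pointer (0xC00C) to the question name so read_name is exercised."""
    header = struct.pack("!HHHHHH", 0x2A2A, 0x8180 | rcode,
                         1, len(answers), len(authority), 0)
    question = encode_name(CANARY) + struct.pack("!HH", TYPE_A, 1)
    rr = lambda t, d: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(d)) + d
    return header + question + b"".join(rr(t, d) for t, d in list(answers) + list(authority))


SOA_RDATA = (encode_name("ns1.example.net") + encode_name("hostmaster.example.net")
             + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))
SAMPLES = {
    "nxdomain": build_response(RCODE_NXDOMAIN, authority=[(TYPE_SOA, SOA_RDATA)]),
    "nodata":   build_response(RCODE_NOERROR, authority=[(TYPE_SOA, SOA_RDATA)]),
    "answered": build_response(RCODE_NOERROR, answers=[(TYPE_A, bytes([192, 0, 2, 10]))]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print("%-9s -> %s" % (label, classify_canary(msg)))
```

Running it prints `NXDOMAIN`, `NODATA` and `ANSWERED` for the three samples; the middle case is the one to look for when a zone is created on a server that answers the apex with NOERROR and an SOA instead of NXDOMAIN.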

~~~
bzbarsky
The canary is not implemented yet, as far as I can tell.

------
jamescun
I'd personally prefer to be greeted with a screen providing me with the option
of multiple DNS-over-HTTPS providers, and the option of not using one at all,
than being silently forced into handing CloudFlare even more of my data.

~~~
josteink
How about to save time, we could have this choice only once, and that would
apply to every application on the machine. Say it could even be handled by the
OS itself!

And to save users even more time, not having to configure this per machine, we
could have such assignment be an automatic part of the network
infrastructure...

We could call it DHCP and DNS! How about it?

~~~
testis321
And DNSSEC all the way to the user!

~~~
tptacek
I'd be pretty pissed if my network connection opted me into a DNSSEC-verifying
resolver, since that is pretty much pure downside for users.

~~~
josteink
As someone not very knowledgeable about DNSSEC, can you expand on this point?
To the uninformed that sounds very counterintuitive.

~~~
tptacek
Apart from the blog post, if you don't know anything about DNSSEC, I think the
things you want to know are:

1. Almost nobody --- major tech companies, banks, privacy and security
organizations --- uses it. It's decades old, and its adoption, at least in
North America and in industry, is zero. There are lots of reasons, but you
don't have to care right now.

2. Since almost nothing uses it, there's no real upside to enabling it. But
there is a downside! If DNSSEC is misconfigured --- which is easy to do, and
it won't get noticed quickly (see: point 1) --- then sites in the
DNSSEC-signed zone silently drop off the Internet, as if they never existed.
That happened, for instance, to HBO when they launched HBO NOW: nobody on
Comcast could see it, because it turned out they'd screwed up DNSSEC, and
Comcast had DNSSEC-verifying resolvers.

------
tannhaeuser
Same story as always with Google "innovations": "hey, we're preventing DNS
queries to go to your ISP who is selling it" (to go to our service instead so
we can profit from it).

It's scary that Moz sides with monopolies like Google and Cloudflare on this
one.

~~~
LUmBULtERA
In my Firefox settings I can choose any DoH provider I want, not just
Cloudflare. Naturally _something_ has to be set up as a default so it works.
Why is adding DoH in the browser a bad thing?

~~~
josteink
Because if we’re replacing classic DNS with something new, it needs to be part
of the OS.

Not reimplemented (and configured) per application. The user and OS should
control the application, not the other way around.

~~~
Faark
Is any OS vendor working on something like that? Or do you expect Moz to jump
into OS dev as well? I'd expect them to import settings from OS as soon as a
major OS provides this for DoH.

------
elcomet
Why don't they rather include a resolver in Firefox ?

This way, no privacy problems, you're directly contacting authoritative
servers. And you don't rely on a single dns-over-https provider.

Is the latency a big problem there? I would say that with caching it is not
too bad.

~~~
hannob
1. The connection to the authoritative servers isn't encrypted, so the whole
point of DoH is undermined.

2. There's plenty of networks that don't let arbitrary DNS traffic out, so
this doesn't work without another fallback. Fallbacks for security features
are bad.

I see that there are legit controversies around DoH. But these "Why don't you
just do X?" comments aren't helpful. Try to understand the problem they're
trying to resolve.

~~~
EvanAnderson
I disagree that the OP's comment isn't helpful. Mozilla could have taken a
tack that would have increased decentralization and promoted privacy
(DNS-over-TLS exists). Instead, they went the way of a centralized protocol
that just trades one set of potentially bad actors (ISPs) for another.

re: network policy - If you're paying to use a network with policy that you
disagree with vote w/ your wallet. If you're using somebody else's network
(i.e. a corporate network I'm paid to administer, for example) it's reasonable
to accept that you're bound by the owner's policy-- it's their network.

~~~
mtsr
I’d love to use DoT, but afaik it’s currently mostly only supported by DNS
resolvers (Google, CloudFlare and other privacy-exploiting companies) rather
than authoritative DNS servers.

------
JeanMarcS
So what will be « safer » ?

Using a pi-hole or equivalent, or using this ?

IIRC all DoH requests are sent to Cloudflare. Is there a way to host your own
DNS server and use it with DoH instead ?

~~~
jlgaddis
Yeah, you can re-configure Pi-Hole to use DoH (with your preferred servers).
unbound can be configured to use DoH as well.

~~~
mike-cardwell
For unbound, I just dropped this in my
/etc/unbound/unbound.conf.d/02-block-doh.conf

    local-zone: "use-application-dns.net" static

~~~
mtsr
Exactly what I did.

------
auslander
I wish Mozilla had Firefox version free from all integrations with 3rd
parties.

~~~
floatboth
Just build it from source with no API keys.

(Though DoH is not an "integration" in that sense.)

------
antpls
I tried forced-mode DoH in Firefox 68 and 69, on Debian 9 and 10. In all
cases, it worked for a while then stopped working after a few hours (at random
it seems). The only way for me to make it work again was to disable DoH.

I guess a more long term solution is to have a local dns-to-doh proxy, but we
are falling back to a solution that only a technical user can set up:

[https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/](https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/)

[https://facebookexperimental.github.io/doh-proxy/](https://facebookexperimental.github.io/doh-proxy/)

And it means setting up firewall routing and filters, as some software doesn't
have settings to add a DNS proxy, or even bypasses them (Google Chrome for
example).
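As an added example, not code from this thread, from cloudflared or from doh-proxy: the translation a local dns-to-doh proxy of the kind linked above performs, written here from RFC 8484. It also makes Ayesh's earlier point concrete: the proxy's output is an ordinary HTTPS request to port 443 whose only DNS-specific features are the `dns` query parameter or the `application/dns-message` content type. The endpoint `https://dns.example/dns-query` is a placeholder, not a real resolver; the GET URL produced for `www.example.com` matches the worked example in RFC 8484.

```python
import base64
import struct

TYPE_A = 1


def encode_name(name):
    """Dotted name -> DNS wire-format labels (a query uses no compression)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, msg_id=0):
    """Standard DNS query message. RFC 8484 uses ID 0 so that identical
    questions yield identical URLs, which HTTP caches can then serve."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint, wire_query):
    """RFC 8484 GET form: base64url without padding in the `dns` parameter."""
    token = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, token)


def doh_post_request(endpoint, wire_query):
    """RFC 8484 POST form: the raw message is the body. Returns the
    (method, url, headers, body) tuple a proxy would hand to its HTTP client."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return ("POST", endpoint, headers, wire_query)


def decode_get_token(token):
    """Inverse of doh_get_url's encoding: restore padding, then decode."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded)


def question_of(wire):
    """Return (qname, qtype) from a query message (no compression pointers)."""
    off, labels = 12, []
    while wire[off]:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype = struct.unpack("!H", wire[off + 1:off + 3])[0]
    return ".".join(labels), qtype


if __name__ == "__main__":
    # dns.example is a reserved placeholder name, not a real DoH endpoint
    q = build_query("www.example.com")
    url = doh_get_url("https://dns.example/dns-query", q)
    print(url)
    print(question_of(decode_get_token(url.split("dns=", 1)[1])))
```

The GET form is what a proxy that wants cacheable requests emits; the POST form is what most clients use. Either way, once the TLS handshake is done a network monitor sees only the destination IP and (until encrypted SNI is deployed) the server name, which is why per-provider IP blocking is the only coarse control left at the network edge and why the canary domain exists as a cooperative signal instead.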

------
andreareina
> Fall back to operating system defaults for DNS when split horizon
> configuration or other DNS issues cause lookup failures.

I hope we'll be given the opportunity to disable this, or at the very least
show a warning (similar to cert warnings?) that something's off.

~~~
the8472
The network.trr.mode setting provides fine control.

[https://wiki.mozilla.org/Trusted_Recursive_Resolver](https://wiki.mozilla.org/Trusted_Recursive_Resolver)

------
euph0ria
What is the latency for DoH compared to traditional UDP DNS?

~~~
nullify88
Here's a whitepaper that did some benchmarks and a detailed analysis on it.
Was posted on hn a few days ago.
[https://arxiv.org/abs/1907.08089](https://arxiv.org/abs/1907.08089)

They test various network conditions with some results showing DoH and DoT
loading webpages faster than UDP DNS (due to TCP timing out faster than UDP on
lossy connections).

~~~
euph0ria
Thanks!

------
TazeTSchnitzel
I wonder if this will break TP-Link's tplinklogin.net and tplinkrepeater.net
for logging into their routers/repeaters? At least the latter is supposed to
be intercepted by the device, and if it isn't, you get a message saying things
are misconfigured.

~~~
xg15
Seems to me they should be able to keep this sort of working by resolving
tplinklogin.net to 192.168.0.1 or such on their public DNS and ensuring the
router always serves the web page from that IP.

Of course things will break down if a router is ever configured to use a
different IP - but then again, the public DNS with local IP might trigger
Firefox' heuristics and cause it to fall back to traditional DNS - so things
may still work.

But the whole concept of using an on-device web page as config UI seems to
become problematic, thanks to HTTPS-everywhere, as there appears to be no way
to serve HTTPS from a local, unsupervised device that is frictionless and does
not open a security vulnerability.

------
edjw
Unfortunately, Mozilla are planning to leave DoH off by default for Firefox
users in the UK. Almost certainly to avoid criticism from politicians and
children’s charities about how DoH would interfere with the UK’s network level
website blocking of ‘adult’ websites.

~~~
choeger
Hrhr. But talk about how it intends to prevent censorship...

------
pmontra
DoH bypasses the OS and the /etc/hosts file. This breaks some workflows.

~~~
Jonnax
Oh no.

Maybe you can configure this? [https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson](https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson)

Or perhaps use their canary domain to force Firefox to use local DNS?

Or just configure it yourself?

It's not security if an application can still access the internet. Why not
block all internet access except via a proxy server? Which is what a "real"
enterprise would do because they can block what they want and have a secure
network.

------
Avamander
ISPs, OSs and routers should make an effort to provide secure resolving
themselves before every app out there thinks it knows better what DNS to use.

------
badrabbit
Why would Mozilla hurt Firefox's market share in such an obvious and drastic
way? Do they not have anyone at their meetings that brings up obvious and
uncomfortable risks?

I use DoH on Firefox and love it but man, I myself would block Firefox in a
corporate network I help oversee if this is the default. Matter of fact, web
proxies already list DoH resolvers as anonymizing sites.

Even if this involves some profit with Cloudflare, this is strategically
terrible for long term goals.

------
tinus_hn
Can you run this service yourself easily?

------
lota-putty
We're getting an option to bypass TSP's DNS to a 3rd party over secure
connection; be it DoH or DoT.

TSPs can easily map your usage behaviour to your identity while 3rd party DNS
provider will have your behaviour alone. Albeit, TSP will still have IPs
you've accessed for data transfer.

TSPs that honour their customers' privacy will allow 3rd party DoH/DoT,
especially DoT (i.e. port 853).

TSP: Telecom service provider

------
exabrial
Could we have srv records as the default to alleviate/eliminate the ipv4
crisis?

------
andrerm
Android + Chrome + DoH + AMP = ?

Edit: typo

------
darkhorn
Big thanks to Mozilla for making internet a more secure place.

------
techntoke
At what point can I expect Mozilla to start proxying my web requests as well?

~~~
andrerm
Mozilla I don't know but Google is already doing it with AMP

