
Firefox Nightly Secure DNS Experimental Results - Vinnl
https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/
======
zaarn
It's quite disappointing how much outrage the initial announcement of DoH
generated, and then the results are mostly ignored.

I find it quite exciting tbh; the improvements seem to be far on the good
side, and it might help mobile users a lot (my mISP interferes with DNS to block
VPNs and tries to show ads if it fails to resolve an address).

Of course they'll have to work on making sure that privacy is preserved and
people outside the US don't have their data shipped off to the US.

~~~
beckler
I missed the initial announcement, what was all the outrage about?

~~~
zaarn
Mostly that Mozilla was selling out users to Cloudflare and that they would
enable Cloudflare DNS by default for all users on release.

------
contravariant
Maybe this is just me, but those performance claims seem a bit dubious. Or
rather the visualisation is suspect. While it's clear that DoH performed
better in the cases where DNS had a hiccup I can't say with certainty DoH
didn't have similar hiccups that were hidden by the way they presented the
data.

In fact, assuming there's no deep meaningful dependence between the
performance of DoH and DNS requests then ordering by the performance of DNS
requests clusters all the bad DNS requests and shuffles the DoH requests
randomly. It's therefore not surprising that after averaging you see a spike
of bad DNS requests which is absent for the DoH requests (you're essentially
looking at the quantile function of the DNS requests minus the average of the
DoH requests).

Edit: unless what we're looking at is the difference of both quantile
functions, but then the language describing the graph is a bit confusing and
just plotting both quantile functions would have saved a lot of confusion.
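To make the objection above concrete, here is an added example (not code from the article or from anyone in this thread) that reproduces the artifact with constructed data. Both "DNS" and "DoH" latency samples are drawn independently from the same distribution, so neither resolver is actually faster. Sorting requests by DNS latency and then averaging the DoH latency of the same requests per bucket still produces a DNS curve with a slow tail next to a flat DoH line, exactly the "quantile function minus an average" effect described; plotting each series' own quantile function does not. The distribution parameters and bucket count are assumptions chosen for illustration.

```python
"""Added example (not from the article or this thread): reproduce the
visualisation artifact described in the comment above with constructed data.

Two independent latency samples stand in for plain DNS and DoH. Both are
drawn from the SAME distribution, so neither resolver is really faster.
Sorting requests by their DNS latency and then averaging the DoH latency
of the same requests per bucket produces a curve with a DNS tail and a
flat DoH line; plotting each series' own quantile function does not."""
import random
import statistics


def simulate_latencies(n=10000, seed=1):
    """Constructed data: ~95% of lookups take ~40 ms, ~5% hit a slow tail.
    DNS and DoH samples are drawn independently from the same distribution."""
    rng = random.Random(seed)

    def draw():
        ms = rng.gauss(40.0, 5.0)
        if rng.random() < 0.05:            # slow-tail hiccup
            ms += rng.uniform(200.0, 800.0)
        return max(ms, 1.0)

    dns = [draw() for _ in range(n)]
    doh = [draw() for _ in range(n)]
    return dns, doh


def _bucket_means(values, buckets):
    """Mean of each of `buckets` equal-sized consecutive slices of `values`."""
    size = len(values) // buckets
    return [statistics.mean(values[b * size:(b + 1) * size]) for b in range(buckets)]


def sorted_by_dns(dns, doh, buckets=20):
    """The suspect presentation: order requests by DNS latency, then average
    DNS and DoH latency within each bucket. Because DoH latency is independent
    of the sort key, every DoH bucket mean sits near the overall DoH mean."""
    pairs = sorted(zip(dns, doh), key=lambda p: p[0])
    dns_curve = _bucket_means([p[0] for p in pairs], buckets)
    doh_curve = _bucket_means([p[1] for p in pairs], buckets)
    return dns_curve, doh_curve


def quantile_curves(dns, doh, buckets=20):
    """The fairer presentation: each series sorted on its own, i.e. the
    bucketed quantile function of each resolver."""
    return _bucket_means(sorted(dns), buckets), _bucket_means(sorted(doh), buckets)


def tail_gap(dns, doh, buckets=20):
    """Difference in the slowest bucket under both presentations.
    Returns (gap_sorted_by_dns, gap_quantile). With identical distributions
    the first is large and the second is near zero."""
    s_dns, s_doh = sorted_by_dns(dns, doh, buckets)
    q_dns, q_doh = quantile_curves(dns, doh, buckets)
    return s_dns[-1] - s_doh[-1], q_dns[-1] - q_doh[-1]


if __name__ == "__main__":
    dns, doh = simulate_latencies()
    for name, (a, b) in (("sorted by DNS", sorted_by_dns(dns, doh)),
                         ("quantile functions", quantile_curves(dns, doh))):
        print(name)
        for i, (x, y) in enumerate(zip(a, b)):
            print(f"  bucket {i:2d}: DNS {x:7.1f} ms   DoH {y:7.1f} ms")
```

Run it and compare the two tables: under the "sorted by DNS" view the last bucket shows several hundred milliseconds of DNS latency against a DoH value near the overall mean, while under the quantile view both tails are about the same size. Any real comparison of the experiment's numbers needs the second kind of plot.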

------
some_account
I took part in this and noticed no difference compared to traditional DNS in
terms of speed.

The more important question is who we trust though. Currently, the DNS
information where we go on the web is spread across a number of national
internet service providers. In some countries, they feed this info to the NSA.
In others, they may not.

This new DNS system makes everybody use a single DNS endpoint, the same one
across the world located in the US.

Is this better or worse? Depends on your ISP and country.

~~~
477353468463695
> This new DNS system makes everybody use a single DNS endpoint, the same one
> across the world located in the US.

This was only the case in this experiment. From the article:

> We’re also working on privacy preserving ways of dividing the DNS
> transactions between a set of providers, and/or partnering with servers
> geographically.

That is still fewer providers than can currently be used, so it is
something that we should be concerned with long-term, but I don't think it
makes sense to throw the technology away. Just be concerned that the right
kind of providers are used for this.

I figure this will become like the CA infrastructure, for better or for worse.

------
westurner
> _The experiment generated over a billion DoH transactions and is now closed.
> You can continue to manually enable DoH on your copy of Firefox Nightly if
> you like._

...

> _Using HTTPS with a cloud service provider had only a minor performance
> impact on the majority of non-cached DNS queries as compared to traditional
> DNS. Most queries were around 6 milliseconds slower, which is an acceptable
> cost for the benefits of securing the data. However, the slowest DNS
> transactions performed much better with the new DoH based system than the
> traditional one – sometimes hundreds of milliseconds better._

------
badrabbit
As an individual, this is great news for me. But for corporate use, this means
having to intercept HTTPS unless you can turn DoH off via GPO or something.

These days, credential and PII theft phishing is a huge concern. Without
intercepting HTTPS, the only way to know if a user went to a phishing site is
by logging DNS or relying on SNI (SNI encryption is being developed as well).

~~~
zamadatix
I'm sure it'll end up in
https://github.com/mozilla/policy-templates/blob/master/README.md if it gets
officially added and released.

Though I will say inspecting DNS for phishing protection is like watching your
front door to catch a burglar.

~~~
badrabbit
Once you know of a phishing attack (or malware activity) you need to check
which users fell for it. For prevention, your run of the mill phishing campaign
blasts emails at a large number of recipients, so you can block the domains it
uses to prevent infection or visits to malicious URLs.

In essence,defenders need to monitor for and block attacker infrastructure.
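The DNS-log check described in the two comments above, as an added example that is not code from the thread or from Mozilla: it matches logged query names against a list of known attacker domains (including subdomains, and without false positives on look-alike names) and, separately, flags clients that looked up a DoH resolver hostname, since those clients' later web lookups travel inside HTTPS and never reach this log. The log format, client addresses and the `example-phish.test` domain are constructed for the example; `mozilla.cloudflare-dns.com` as the resolver the Nightly experiment used is an assumption made here, not something the article states.

```python
"""Added example (not from the thread): the DNS-log check the comments above
describe, plus the blind spot DoH creates for it.

Log format, domain list and client addresses below are all constructed for
the example; the resolver hostname is an assumption about the endpoint Firefox
Nightly's trusted recursive resolver used, not a fact stated in the article."""
from collections import defaultdict

# Constructed DNS query log: "<timestamp> <client ip> <qname>" per line.
SAMPLE_LOG = """\
2018-08-28T10:00:01Z 10.0.0.5 login.example.com
2018-08-28T10:00:02Z 10.0.0.5 accounts-verify.example-phish.test
2018-08-28T10:00:03Z 10.0.0.7 mozilla.cloudflare-dns.com
2018-08-28T10:00:04Z 10.0.0.9 www.example.org
2018-08-28T10:00:05Z 10.0.0.9 EXAMPLE-PHISH.TEST.
2018-08-28T10:00:06Z 10.0.0.5 cdn.example.net
2018-08-28T10:00:07Z 10.0.0.9 notexample-phish.test
"""

# Constructed block list: attacker infrastructure learned from a campaign.
PHISHING_DOMAINS = {"example-phish.test"}

# Known DoH resolver hostnames. Assumption: this is the endpoint the Nightly
# experiment used; extend with whatever resolvers your environment sees.
DOH_RESOLVERS = {"mozilla.cloudflare-dns.com"}


def normalize(qname):
    """Lower-case and strip the trailing dot so suffix matching is reliable."""
    return qname.lower().rstrip(".")


def matches_domain(qname, blocked):
    """True if qname is a blocked domain or a subdomain of one.
    'notexample-phish.test' must NOT match 'example-phish.test'."""
    q = normalize(qname)
    for d in blocked:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def parse_log(text):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def audit(text, blocked=PHISHING_DOMAINS, doh_resolvers=DOH_RESOLVERS):
    """Return (hits, doh_clients):
    hits        -> {client: [(timestamp, qname), ...]} for blocked-domain lookups
    doh_clients -> set of clients that resolved a DoH endpoint; their later web
                   lookups travel inside HTTPS and will not appear in this log."""
    hits = defaultdict(list)
    doh_clients = set()
    for ts, client, qname in parse_log(text):
        if matches_domain(qname, doh_resolvers):
            doh_clients.add(client)
        if matches_domain(qname, blocked):
            hits[client].append((ts, normalize(qname)))
    return dict(hits), doh_clients


if __name__ == "__main__":
    hits, doh_clients = audit(SAMPLE_LOG)
    for client, events in hits.items():
        for ts, qname in events:
            print(f"{ts} {client} looked up blocked domain {qname}")
    for client in sorted(doh_clients):
        print(f"{client} bootstrapped a DoH resolver; this log is blind for that host")
```

The second list is the practical takeaway for the corporate case: once a client has bootstrapped a DoH resolver, the only resolver-side evidence left in the DNS log is that one lookup, so the same check has to move to the resolver you control (or to the HTTPS/SNI layer) for those hosts.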

------
Spivak
To the Mozillians that follow these threads,

Shame on you for making studies like this opt-out. Look, I get that making it
opt-in would reduce your sample size but this kind of thing isn't acceptable
for a browser that's supposed to respect the user -- you're literally using
dark patterns. Expressed consent should be the standard.

You're targeting Nightly users, the very people who know enough to make an
informed decision as to whether they want to participate in the study, please
just let us make an informed decision. Have a big modal pop-over when the
browser starts, explain the experiment and give the user an unbiased choice --
don't select participate by default, don't make the decline button gray and
sad, don't shame the user with the decline button text. I would have been
excited to participate.

~~~
laken
The article specifies that only users on Nightly who opted in previously to
Nightly _Experiments_ were targeted, and were in the dataset. The first
experiment you join in Firefox usually has several steps of confirmations and
opt-ins.

