
Turn off DoH, Firefox - telmich
https://ungleich.ch/en-us/cms/blog/2019/09/11/turn-off-doh-firefox/
======
jfindley
This is painful to read. Masses of unfounded FUD - the article deliberately
buries that it's trivial to change your DoH provider if you're silly enough to
believe that CF is actively logging DoH requests and selling them (CF is
involved with serving vast swathes of the internet anyway - if they wanted to
go down this route they have _far_ more lucrative avenues open than selling
DNS requests by IP).

If instead what you worry about is the government spying on your traffic then
complaining about DoH is even _more_ silly - DNS requests are routinely
intercepted and monitored by ISPs in many countries, with the information
available to the security services, who have very few restrictions on what
they are allowed to do with this data. This is especially true in the country
the author appears to be based (Germany).

DoH is vital to protect users around the world from censorship and worse.
Enabling it by default is a _good_ thing - protecting users from abuse
shouldn't only be opt-in. There has to be SOME default chosen, and the default
needs to be a site large and well run enough to a) handle the load, and b) be
in the firefox HSTS preload list. There aren't a lot of good DoH providers
that fit these criteria - CF is one of the few.

~~~
yosamino
There's nothing that makes Cloudflare the more "privacy friendly" 3rd party.
"Privacy friendly" would be a mechanism by which my desire to communicate with
"example.com" involved my computer and the computer at example.com with _no_
third party in between.

As it stands Mozilla is switching out our local ISP for CloudFlare without
asking our consent which means my traffic data is now spread around one _more_
company - that seems like less privacy.

And I am not looking forward to finding out the fun ways in which this will
break our local DNS.

The idea that Cloudflare is in any way more trustworthy than my local ISP is at
best naïve. All this creates is another huge centralized pool of data with no
oversight whatsoever except the _promise_ of some company that is currently
growing fast, that they will not do anything with that data. Come the times
when money becomes tight again, we'll see how well that promise holds up.

Sure, encrypting DNS is a good thing. But this is just like trying to make
email more secure by using a 3rd party encryption gateway - all it does is
move around who to trust.

That's not privacy - that's just silly

~~~
diffeomorphism
> that seems like less privacy.

Seems obvious, but is wrong. If there is a really obvious obstacle to
anything, which immediately comes to mind, chances are people addressed this
already.

In the US, Firefox by default directs DoH queries to DNS servers that are
operated by CloudFlare, meaning that CloudFlare has the ability to see users'
queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place
that forbids CloudFlare or any other DoH partner from collecting personal
identifying information. To mitigate this risk, our partners are contractually
bound to adhere to this policy.

[https://support.mozilla.org/en-US/kb/firefox-dns-over-https](https://support.mozilla.org/en-US/kb/firefox-dns-over-https)

~~~
icebraining
Before, my ISP could gather the domains I visit by DNS. Now, they can still
gather them from the IP addresses and SNI, _and_ Cloudflare can gather them
from DNS. I'm really struggling to see how this isn't a reduction in privacy.

> Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that
> forbids CloudFlare or any other DoH partner from collecting personal
> identifying information. To mitigate this risk, our partners are
> contractually bound to adhere to this policy.

What happens if they get a FISA warrant? How does your contract protect users
that before didn't have their DNS queries sent to US companies?

~~~
diffeomorphism
Your ISP can gather them with much, much more effort. There is privacy value
in making things harder. The only motivation your ISP has for logging this is
making money; if getting the information is too tedious and expensive why
would they bother?

> and Cloudflare can gather them from DNS

but is contractually forbidden from saving that information.

> What happens if they get a FISA warrant?

They have to follow the law? Wrong threat model.

~~~
a-raccoon
> Wrong threat model.

You are not permitted to hand-wave corrupt government interception or
rubberhosing of civilian data as "wrong threat model." These technologies are
central to, and must be focused specifically on, protecting all civilian data
from all governments. That is the primary purpose of all privacy systems. Not
to protect you from coffee-shop denizens trying to snoop which dating sites
you use.

~~~
dredmorbius
Your ISP is subject to the same FISA warrant threat.

If it's one of the large monopoly providers, it's as much a one-stop-shop as
Cloudfront is.

~~~
TeMPOraL
Not outside the US. Now unless Mozilla decides to pick a different DoH party
for deployment in EU, the problem will come back.

~~~
dangerface
The internet is as much of a monopoly outside of the US for example Tiscali in
Europe. We have the same kangaroo courts when it comes to getting warrants to
invade people's privacy.

At least from a general perspective I don't see a big difference.

~~~
icebraining
But it's not one or the other; an EU court will make a warrant for the ISP
traffic data, and an US court for the DNS requests. You become vulnerable to
both.

~~~
vsl
1.1.1.1 operates on edges of CloudFlare CDN - EU users will be handled by EU
DNS server. And there’s no logging.

~~~
icebraining
Cloudflare is still a US company. Do you have any FISA jurisprudence showing
that simply running the server in another country makes it immune to warrants?

> And there’s no logging.

Until the courts say there must be.

------
userbinator
It's very disturbing to see the overreach that Mozilla has resorted to and the
"privacy" argument (it was "security" before that...) being used to justify
essentially ignoring system configuration. My ISP has more accountability than
a company in another country.

 _The correct way would be to standardise DoH and DoT and add support into it
into automatic address configurations and operating systems._

Exactly. If Mozilla wants to, it's more than welcome to reach into the VPN
area with its own products, but I don't believe this functionality should be
part of a browser. They're already reaching into the VPN area[1], should they
also investigate bypassing Chinese censorship with their own "firewall-
busting" obfuscating VPN? That's not something most users want nor need in
their browsers, and such functionality is really a cat-and-mouse game that I
think is best left to smaller and less-well-known entities.

It's unfortunate that browsers are already beyond "neutral", when IMHO the
only thing they should do is fetch exactly the page URL that was entered and
display it.

Edit: yes, apparently people disagree and want Mozilla to control what the
Internet (and every user, ignoring his/her default configuration) does. This
is really _really_ disturbing.

[1]
[https://news.ycombinator.com/item?id=20927832](https://news.ycombinator.com/item?id=20927832)

~~~
gnode
> the only thing [browsers] should do is fetch exactly the page URL that was
> entered and display it.

I strongly disagree. Browsers deal with a hostile environment that poses
countless threats to their users, and need to be safe. Arguing that browsers
should be minimal and not protect privacy is like arguing that cars should be
minimal and not have seat belts.

There is an argument that ensuring privacy in DNS could be done outside the
browser. I think HTTPS is a good precedent for putting privacy in the scope of
the browser; the browser should attempt to ensure that privacy expected by the
user is established or it should refuse to operate.

I disagree with the solution of trusting Cloudflare, but privacy should be
considered crucial to user safety in modern browser design decisions.

~~~
userbinator
_I strongly disagree. Browsers deal with a hostile environment that poses
countless threats to their users, and need to be safe. Arguing that browsers
should be minimal and not protect privacy is like arguing that cars should be
minimal and not have seat belts._

I strongly disagree. A browser has one job, and that is to follow and render
URLs. Secure connections and such are services provided by other components of
the OS, and the browser should absolutely use those services but not attempt
to overreach its main purpose. It's really the principle of "do one thing and
do it well".

To spin your analogy, you're arguing that cars should have seatbelts that also
check your age and blood alcohol level because "that's also a safety thing".

 _There is an argument that ensuring privacy in DNS could be done outside the
browser_

Yes, the same way that VPN clients are; and I'm perfectly happy for Mozilla to
be working in that area, but most certainly do not put that in the browser and
do not make it default.

~~~
Spivak
What do you do as a browser vendor when the OS fails to provide you meaningful
security and privacy? This is pretty much how we got here. Basically every
device on the planet is right now configured to blindly accept whatever DNS
server is handed to it by DHCP and there is really no movement on changing
that.

So browsers can throw up their hands and say "we are as secure as the OS" or
they can do it themselves. Not ideal but the alternative is worse for users.

~~~
userbinator
_What do you do as a browser vendor when the OS fails to provide you
meaningful security and privacy?_

Nothing. Absolutely nothing. Work within the environment you're given.

 _Basically every device on the planet is right now configured to blindly
accept whatever DNS server is handed to it by DHCP and there is really no
movement on changing that._

...and that's just fine, because I trust my LAN more than some third party in
another country.

------
akerro
Of course, I'd rather trust unencrypted plaintext DNS queries that go to my
ISP and government!

If you don't like CF just switch to different provider
[https://github.com/curl/curl/wiki/DNS-over-HTTPS](https://github.com/curl/curl/wiki/DNS-over-HTTPS)

~~~
Aaargh20318
> I'd rather trust unencrypted plaintext DNS queries that go to my ISP and
> government!

I trust my ISP and government more than a US company I have no formal contract
with and the US government.

Also, there's the whole 'applications should not override system level
settings' thing. My DHCP pushes a local (caching) DNS server that also does
name resolution for internal services. This change would break that for all
Firefox users on my network.

~~~
roblabla
> I trust my ISP and government more than a US company I have no formal
> contract with and the US government.

And every single intermediary and whoever else might be listening in? This is
an unencrypted plaintext connection. Which is the main point here. The whole
"we trust ISP more" thing is completely beside the point. The point is DNS is
horribly insecure nowadays, and it is about damn time we switch to something
better.

> Also, there's the whole 'applications should not override system level
> settings' thing.

Hopefully, DoH will become a system level setting eventually.

~~~
seszett
If you use your ISP's DNS servers, there is no intermediary between you and
them.

~~~
unethical_ban
If you use wi-fi without a VPN, you have the coffee shop and the coffee shop's
ISP. And anyone listening there. Of course there is cleartext SNI even for SSL
connections... but alas.

~~~
Aaargh20318
What coffee shop ? I only connect to wifi at home and at the office.

~~~
unethical_ban
And you're the only person who uses mobile computing devices.

~~~
Aaargh20318
Not sure what point you’re trying to make here.

------
Aissen
This is a gross over-simplification. Cloudflare is required by contract to
respect your privacy, which is much stronger than even the privacy laws have
here in the EU since it addresses everyone, not just the EU population:

[https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/)

The people fighting for the status quo probably know how to run their own
resolver, even with DoH or DTLS. But Mozilla's conundrum is how to protect
_everyone_ 's privacy (and to a certain extent, security). DoH, despite all
its flaws, attempts to do that by piggy-backing on already working
infrastructure, so it seems like a good fit to move everyone to DoH. But then,
there's the chicken-and-egg problem. How do you make sure people deploy local
DoH resolvers if no browser enforces the move to DoH ? How do you make sure
those resolvers are truthful, or even respect local law (having both is often
impossible).

So, you need to compromise. I'd have preferred to have temporary non-profit
third party entity handle this à-la-Letsencrypt, but Mozilla deemed its
contract with Cloudflare sufficient to provide enough guarantees. Ideally,
name resolution should be done closer to the user instead of being centralized
like that. But by arguing instead of experimenting we just keep the status
quo. Time will tell if this was a bad decision. But it's not as clear cut as
this blog post says it is.

~~~
nullc
A contract where cloudflare receives no consideration isn't particularly
comforting, as such agreements are routinely ignored by courts (or
equivalently by capping damages at nothing).

> Mozilla's conundrum is how to protect everyone 's privacy

And exactly how does this protect user's privacy? Instead of the user's ISP
being able to see where the user connects now both cloudflare AND the user's
ISP (via seeing the connection itself) can tell.

~~~
Aissen
Re: the contract, let's hope you're wrong.

Re: privacy: by not having lying DNS or no NXDOMAIN, there is also less
tracking (say, fingerprinting in ad web pages).

And in the ISP's case, you're assuming they already do DPI, otherwise they now
see IPs, which might not mean much in the CDN case. But if they do DPI, it
will be resolved once ESNI starts being deployed.

~~~
TeMPOraL
> _Re: the contract, let 's hope you're wrong._

Switching from a technical measure of privacy (no data being shared) to _hope_
isn't the right way to go.

> _But if they do DPI, it will be resolved once ESNI starts being deployed._

Once.

~~~
zzzcpan
> > But if they do DPI, it will be resolved once ESNI starts being deployed.

> Once.

This underestimates DPI vendors. eSNI can't stop them, they will just move to
exploit side channel information (traffic patterns) to identify which websites
you are visiting. People need to remember that the DPI industry has been
fighting obfuscation for years; it's a war where Cloudflare and Mozilla are
complete newbies.

~~~
Aissen
These are just unsubstantiated assertions. Fingerprinting does exist, but what
you're saying is that there might be methods we haven't foreseen that will be
implemented to improve DPI analysis and tampering. So what ? Do nothing in the
meantime ?

------
isostatic
> The correct way would be to standardise DoH and DoT and add support into it
> into automatic address configurations and operating systems. Not in
> applications!

You're right. But so are Mozilla.

Here we are 30 years into the web, and we're still using plain old DNS. DNS
over TLS should have caught on, but it didn't. Apple and Microsoft had years
to ensure it's implemented as standard, but they didn't.

The points this article makes - about DHCP options, about multiple providers,
are very valid.

But they're also just talking shops.

The biggest problems here seem to be 1) DHCP can't give internal DOH servers.
When I'm at home I want it landing on my own DOH server, but when I'm away I
want to use a different one. 2) Internal DNS resolving falls to bits

~~~
m-p-3
Agreed, I'd prefer setting up the DNS-over-HTTPS config at the gateway level
(and either push the config over DHCP, or have the gateway act as a local
resolver, which forwards the new requests over DoH), but we're not there yet.

~~~
isostatic
In theory isn't it "just" a matter of agreeing on a DHCP option number, then
having the DHCP client (or vpn client or whatever) be responsible for passing
it to applications that want it (including the system resolver, be that
mDNSResponder, systemd, glibc, whatever windows uses)

Anyone who wants to can configure their dhcp client to ignore it, or use a
different service, you could even have applications doing that too, but this
would allow a network operator to tell people where the recommended resource
is.

Likewise if you want to change your DNS provider yourself you would have a
single location on your machine to do it for the entire OS, rather than having
to change 50 different applications.

------
gommm
As someone who has donated to Mozilla over the years and used Firefox as much
as possible, this makes me very unlikely to donate in the future.

People say that it's trivial to change. It's trivial to change for us who are
technically minded. It's far from obvious and will not be changed by non-
technical users.

This will only increase the massive amount of data that Cloudflare gets about
people's online behavior. I am always very skeptical of centralization and of
having a company get this much information. Remember google's Don't be evil?
I'm extremely uncomfortable with such a massive centralization of data.

People might say that the status quo is not great because DNS is sent to the
ISP. I'd argue the status quo is better because it's far less centralized. And,
at least for Europeans, I trust European legislation better than US
legislation.

I can understand the argument that some countries have mass surveillance and
it's a net positive for users in those countries since it will protect them.
But in that case, I feel that the default should be randomized from a list of
providers, not only one company. I also would be much less concerned by this if
it was an option on first startup with a clear explanation (even though users
tend to not read and blindly click accept, it's at least more of an informed
consent)

And anyway, that purpose of preventing mass surveillance and blocking in those
countries where it would actually be useful seems to be moot because of:

> Additionally, Mozilla is also working with ISPs to make sure users won't use
> DoH as a way to bypass legally-set blocklists.

> The organization said it's been asking ISPs and providers of network-based
> parental control solutions to add a "canary domain" to their blocklists.
> When Firefox will detect that this canary domain is blocked, it will disable
> DoH to prevent the feature to be used as a filter-bypassing solution.

So, if ISPs in countries with censorship can use a canary website to prevent
users from bypassing "legally-set blocklists". What is the point again of
enabling this?

~~~
diffeomorphism
> This will only increase the massive amount of data that Cloudflare gets
> about people's online behavior

No, it explicitly won't.

Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that
forbids CloudFlare or any other DoH partner from collecting personal
identifying information. To mitigate this risk, our partners are contractually
bound to adhere to this policy.

[https://support.mozilla.org/en-US/kb/firefox-dns-over-https](https://support.mozilla.org/en-US/kb/firefox-dns-over-https)

~~~
toupeira
Which sounds nice in theory, but there are the usual legal exceptions:

> The resolver must not retain, sell, or transfer to any third party ( _except
> as may be required by law_ ) any personal information, IP addresses or other
> user identifiers, or user query patterns from the DNS queries sent from the
> Firefox browser.

> Transparency Report. There must be a transparency report published at least
> yearly that documents the policy for how the party operating the resolver
> will handle law enforcement requests for user data and that documents the
> types and number of requests received and answered, _except to the extent
> such disclosure is prohibited by law_.

> The party operating the resolver should not by default block or filter
> domains _unless specifically required by law in the jurisdiction in which
> the resolver operates_.

This doesn't really matter if you live in the US, but most of us don't.

------
coleifer
There are two points:

1. centralization of all dns lookups is worrisome

2. Dns should not be handled by applications. It should be handled by the
operating system.

I see a lot of people conflating the two in the comments.

~~~
kbumsik
> 2. Dns should not be handled by applications. It should be handled by the
> operating system.

I agree with #1 but why it should be managed by the OS?

~~~
vezycash
It's annoying. I've already experienced this with chrome as chrome ignores my
hosts file settings.

Example: Say you use hosts file to block porn and other shady sites for your
kid, all they have to do is use chrome.

~~~
Someone1234
This has nothing to do with the topic. Chrome isn't replacing the OS's DNS
resolver, and that bug is just that: a bug.

A bug that I cannot reproduce. Chrome follows my HOSTS file fine on Windows
10. But even if it didn't it would still be off-topic.

------
Chirael
It seems like this change by Firefox would bypass a pi-hole. Am I
understanding it correctly?

~~~
userbinator
...and a local HOSTS file.

So now it will, by default, contact all the ad/tracking hosts that you
configured to be blocked.

"But now your DNS queries to those ad/tracking hosts are encrypted!"

No. I don't care. I didn't want to connect to those hosts in the first place.

~~~
cremp
Even worse, corporate _intranet_ addresses get leaked.

Everyone on this article saying it's FUD is either a framework junkie, isn't
seeing the bigger picture, or just focus on one wrong thing in the article.

~~~
m-p-3
It's actually FUD, because it's missing some important points

> For starters, Mozilla said that after it turns on DoH by default for US
> users, Firefox will contain a mechanism to detect the presence of any local
> parental control software or enterprise configurations.

> Additionally, Mozilla is also working with ISPs to make sure users won't use
> DoH as a way to bypass legally-set blocklists.

> The organization said it's been asking ISPs and providers of network-based
> parental control solutions to add a "canary domain" to their blocklists.
> When Firefox will detect that this canary domain is blocked, it will disable
> DoH to prevent the feature to be used as a filter-bypassing solution.

[https://www.zdnet.com/article/mozilla-to-gradually-enable-dn...](https://www.zdnet.com/article/mozilla-to-gradually-enable-dns-over-https-for-firefox-us-users-later-this-month/)

~~~
cremp
I hardly see how the OP is FUD. What the article states is true; just because
you can opt-out doesn't mean it's wrong.

Where you are drawing the line is the opt-out to disable it, as opposed to the
convention of opt-in.

Think about companies in the 50-200 employee range; As a sysadmin, I have to
purposefully go out of my way to put that domain (use-application-dns.net)[1]
in my root resolver, and point it to NXDOMAIN.

I can't do it if another provider is managing my DNS (ISP, cloud service...);
it also doesn't actually guarantee that it is off.

> If a user has chosen to manually enable DoH, the signal from the network
> will be ignored and the user’s preference will be honored.

The basic IT mantra has been 'If it aint broke, don't fix it.' Mozilla itself
is moving fast and breaking things; which is why we have standards in the
first place.

For god's sake, there isn't even a proper RFC to select yes or no to DoH.

I, as a sysadmin, must not only implement the domain in my resolver, but I
also must keep in my mind that if a user is using Firefox, that there are
things it does internally that are not right, and it is easier for me to have
my users on Chrome, because it is less of a headache for me.

[1] [https://support.mozilla.org/en-US/kb/configuring-networks-di...](https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https)

~~~
comex
Indeed, Firefox is prioritizing the interests of users over the interests of
sysadmins. Personally, I'm fine with that.

> The basic IT mantra has been 'If it aint broke, don't fix it.'

An unencrypted protocol that compromises privacy may not be "broke" for
sysadmins, but it is for users.

~~~
YarickR2
Well, now CF will know per-organization IT structures. All those LAN-only
administrative interfaces, and, with link prefetching, internal resource maps
could be built in just a few clicks, using an account with sufficient
privileges. This is such a security-defying move by Mozilla I can't even
start. And CF DNS logs will be the obvious first step for every targeted
attack.

~~~
comex
Sure, if your targeted attacker has managed to compromise Cloudflare first…
Not exactly a trivial prerequisite. If you have any kind of VPN or Wi-Fi
access to your network, those domain names are already leaking to other DNS
providers whenever someone accidentally accesses a URL while on the wrong
network.

Also, if your internal resources are using publicly trusted SSL certificates,
the domain names are already being broadcast to the public thanks to
Certificate Transparency. If you’re sophisticated enough to run a private CA
for them, then you’re probably sophisticated enough to set up use-application-
dns.net as well – though I still wouldn’t recommend ever treating domain name
secrecy as a meaningful security boundary, considering how many ways they can
be leaked. The remaining possibility is that your internal resources aren’t
using SSL at all... in which case you have bigger problems than domain name
leaks.

------
dreamcompiler
I had no idea this was going to be the default. It's massively wrong. I use a
Pihole DNS server, which means after a lot of debugging I'd have discovered
Firefox had unilaterally decided to _stop abiding by internet protocols_. It's
always one step forward and two back with these Moz guys. I guess that's
better than every step back like Chrome, but jeez Moz, get a clue.

------
mantap
This misses the forest for the trees. In the UK ISPs are already legally
mandated to log your web requests and provide them to the government. Those
who live under free regimes should not deny those of us who live under
oppressive governments the right to privacy of our communications. The fact
that cloudflare is a US entity and thus not subject to UK law is the whole
point.

~~~
cookie_monsta
> The fact that cloudflare is a US entity and thus not subject to UK law is
> the whole point.

As a fellow citizen of a Five Eyes country, I assume that if any of those 5
have info about me that one of the other four wants it won't even be a
question of paperwork for it to be shared.

~~~
mantap
The previous UK law, RIPA, was abused for investigating minor crimes such as
fraudulently obtaining disabled parking badges. It's not just about national
governments but local municipal authorities too. Yes I would prefer another
jurisdiction but it's way better than the status quo whereby the browsing
history is just handed over.

~~~
cookie_monsta
> The previous UK law, RIPA, was abused for investigating minor crimes such as
> fraudulently obtaining disabled parking badges.

I understand that you're trying to illustrate a larger problem, but that
example is likely to get you zero sympathy from anybody, anywhere.

I know that US ISPs have an established pattern of "just handing over"
browsing history, but I have no idea what CF's track record is like.

------
codedokode
> It is clear what Mozilla needs to do: Mozilla can and should revert the
> change and allow users to easily opt-in.

I think it should be on by default. In my country encrypted DNS makes it more
difficult for the government to track what people watch and to block sites.

> And to select or enter the DoH provider instead of defaulting to Cloudflare.

You can enter any DNS server address in Firefox.

While I agree, that it is bad to concentrate all the world's DNS queries in
the hands of an entity under US jurisdiction, not encrypting DNS is much worse
currently. So Cloudflare and US government are the lesser evil for me.

Also, if there were volunteers running free DoH servers then Mozilla could
choose one of them randomly instead of sending all queries to USA.

~~~
saurik
Why not install DoH system wide, then (the kind of change which is easy if
tools like Firefox use the system APIs for this and very difficult if
individual applications all reimplement DNS) instead of only doing it for
Firefox?

~~~
codedokode
Because it is easier to embed it into a browser rather than persuade vendors
of all major OSes (Windows, Mac, Android and thousands of Linux distributions)
to add it.

Also, even if a company like Microsoft adds it to Windows, they will add it
only to their latest version and leave people on Windows XP, 7 and 8 without
protection. Same with Google - they will add it only to the latest Android.
Because commercial companies want you to buy new products, not to use the old
one for a long time.

------
m-p-3
What they should do is offer several alternatives when enabling DoH
(Cloudflare isn't the only DoH provider out there), and auto-detect if your
ISP or local network supports it at the enterprise level.

At least you can change the provider in about:config. I don't remember if you
can do it through the settings page.

~~~
akerro
Many ISPs won't offer such a thing [https://www.zdnet.com/article/uk-isp-group-names-mozilla-int...](https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/)

~~~
raverbashing
> claimed that Mozilla plans to support DNS-over-HTTPS "in such a way as to
> bypass UK filtering obligations and parental controls, undermining internet
> safety standards in the UK."

> By planning to support DNS-over-HTTPS, Mozilla is throwing a monkey wrench
> in many ISPs' ability to sniff on customers' traffic and filter traffic for
> government-mandated "bad sites."

But I don't see why they can't offer their DoH, it seems their issue is with
Cloudflare not with DoH per se

~~~
chii
because most people don't know they can easily bypass the DNS based filters
that are used to block "bad sites". DoH by default uses cloudflare's DNS, and
so won't (need to) comply with the UK's filter laws.

~~~
profmonocle
> DoH by default uses cloudflare's DNS, and so won't (need to) comply with the
> UK's filter laws.

I'm assuming the DoH servers used by British users are physically in the UK.
(I believe they anycast the service from all of their edge locations, and they
have several in the UK.)

So the fact that Cloudflare doesn't have to comply with this law is
precarious. Is it because only ISPs are required to comply? If so, it seems
like a matter of time before Parliament amends the law to require any public
DNS operator to implement the filters as well.

------
bennyp101
The only thing that annoys me slightly about this, is that I currently have a
couple of pi-holes running at home (one for us, and one for the kids) and I
have the Mikrotik set up to redirect any request for DNS to the correct pi (So
even if they change the DNS on the device it still hits the pi)

This is going to make that a pain - especially if they introduce it in the
mobile version?

~~~
sjagoe
You should be able to disable the Firefox default-on DoH across your network
by returning NXDOMAIN for use-application-dns.net [1]

I don't know how to configure pi-hole, but at the dnsmasq level you can do
that with this directive:

    address=/use-application-dns.net/

[1] https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
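The canary check described above, worked through as an added example (not code from this thread, from Mozilla or from dnsmasq): Firefox probes use-application-dns.net through the ordinary system resolver before switching default-on DoH on, and the network opts out by making that name fail to resolve. The rule as written here is my reading of Mozilla's description (DoH stays on only if the canary answers NOERROR with an A or AAAA record; a user who enabled DoH by hand overrides the signal, as the Mozilla text quoted further down says). The wire-format encoder and parser are mine, `build_response` is a stand-in for whatever resolver sits on the network, and every DNS message below is constructed, not captured.

```python
"""Mozilla-style canary-domain check, reconstructed as an added example.

Assumptions (not taken from the thread or from Mozilla's source): the rule
is "DoH stays on only if use-application-dns.net resolves NOERROR with an
A or AAAA record", and a user-set DoH preference overrides the network.
The DNS messages below are constructed by hand, not captured.
"""
import struct

CANARY = "use-application-dns.net"
TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, answers):
    """Echo the question back with the given rcode and (type, rdata) RRs.

    Stand-in for a resolver; each answer name is a pointer to the question."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
        for rtype, rdata in answers
    )
    return header + question + rrs


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [RR types in the answer section]) for a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen  # fixed RR header is 10 bytes, then RDATA
    return rcode, types


def doh_disabled_by_network(response, user_enabled_doh=False):
    """True when the canary answer says default-on DoH should stay off.

    A user who turned DoH on by hand is not overridden by the network."""
    if user_enabled_doh:
        return False
    rcode, types = parse_response(response)
    if rcode != RCODE_NOERROR:  # NXDOMAIN (dnsmasq address=/.../), SERVFAIL, ...
        return True
    return not any(t in (TYPE_A, TYPE_AAAA) for t in types)


if __name__ == "__main__":
    q = build_query(CANARY)
    cases = {
        "ordinary resolver, A record": build_response(q, RCODE_NOERROR, [(TYPE_A, bytes([192, 0, 2, 1]))]),
        "dnsmasq address=/use-application-dns.net/": build_response(q, RCODE_NXDOMAIN, []),
        "CNAME only, no address record": build_response(q, RCODE_NOERROR, [(TYPE_CNAME, b"\x03foo\x00")]),
        "resolver SERVFAIL": build_response(q, RCODE_SERVFAIL, []),
    }
    for label, resp in cases.items():
        state = "disabled" if doh_disabled_by_network(resp) else "kept on"
        print(f"{label:45s} -> DoH {state}")
    nx = cases["dnsmasq address=/use-application-dns.net/"]
    state = "disabled" if doh_disabled_by_network(nx, user_enabled_doh=True) else "kept on"
    print(f"{'NXDOMAIN, but user enabled DoH manually':45s} -> DoH {state}")
```

The point of the third case is the one sjagoe's directive relies on: a filtered network does not need to block the whole canary zone, it only needs to make the name come back without an address record, and `address=/use-application-dns.net/` does exactly that. The last case is the caveat bennyp101 raises below: the network can only withdraw the default, not a choice the user made.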

~~~
bennyp101
Interesting, thanks.

I guess if these use normal DNS requests first to determine if it should be
allowed, then it will work.

> If a user has chosen to manually enable DoH, the signal from the network
> will be ignored and the user’s preference will be honored

Well, that kinda puts a damper on it all!

------
falcolas
It's worth noting that CloudFlare has already proven itself to not be a
neutral party - they have proven willing to take sites offline for both legal
and social pressure reasons.

This will greatly impact the internet's ability to route around censorship as
if it were damage.

~~~
AgentME
I agree, only somewhere that hosts neo-nazi websites would be trustworthy
enough for this. /s

------
clan
The Internet was a great distributed system with reasonable separation of
concerns.

Now we are content that applications do their own name resolution and said
resolution is centralised on a very few (non-altruistic) hands
(CloudFlare/Google).

Add amp to this. Sprinkle it with the views of people who run their own mail
server and consider where this leaves us.

I am not so naive as to think we can keep ourselves in 1995. But I do think we
give up on too many of the good parts all too freely.

~~~
pixl97
The internet also was 99% plaintext. Then we realized that governments would
pull all kinds of tricks to watch that text. From your own state monitoring
all the traffic, to outside states hijacking BGP and slurping up your data.
This has, at least in the case of HTTP, centralized certificates.

Here's the next thing, no one is stopping you from running your own DoH
server. No one is stopping you from changing the FF config to use it. The big
issue is that the end user has been so unaware of security for so long and
done so little about it that _somebody has to_. There is no financial incentive for
your ISP to care, so they have not. Most operating systems, specifically
Windows, but also Apple have done little to nothing for client DNS security.
This could have been handled between operating system developers and DNS
infrastructure but they didn't care to.

~~~
zzzcpan
> This could have been handled between operating system developers and DNS
> infrastructure but they didn't care to.

No, there was a lot of caring over the years as DNS is old and insecure, in
particular unencrypted communications with authoritative DNS servers being the
biggest issue. And yet completely ignored by DNS-over-HTTPS, because solving
it would likely eliminate the need for resolvers in the middle, so
surveillance capitalism isn't interested, they only want to "solve" it in a
such way that doesn't really solve it, but just gives them DNS data.

------
mikl
Disagree. Most users haven’t chosen their DNS server, so replacing one
unchosen DNS server with another makes no practical difference. And DoH means
that people snooping on your network can no longer spy on you.

Cloudflare has committed themselves to not track users via DNS requests, and
only log what’s strictly necessary.

And if you distrust Cloudflare, you have a much bigger problem. Half the
Internet routes through Cloudflare these days. If they wanted to spy on you,
they have (potentially clear-text) access to a good chunk of your HTTPS
traffic.

And as many others have pointed out, it’s a much better recommendation to have
people change the DoH server to something else.

------
ltt481
Living in Russia, I, for one, welcome DoH and ESNI. I know I trust Cloudflare
more than my government and ISP (The same ISP that routinely spoofs requests
to inject ad pages/reminders to pay for service, nevermind all the blocked
sites).

~~~
konart
Not like DoH helps much here though.

------
wwright
How will this affect using Firefox on an intranet, where there are often
services and websites on a local-only DNS server? Will Firefox be unable to
reach those sites by default?

------
nullc
Wow, thats awful that they're sending all user DNS requests to cloudflare
without informed consent.

Is this also potentially a violation of federal wiretap law?

My ISP being able to monitor where I connect is not great, but being exposed
to my ISP _and_ cloudflare monitoring it is not better-- and is also very
unexpected.

There are also at least somewhat clear standards of privacy expected from
ISPs, it's entirely unclear to me what duty of care cloudflare has towards
users of this service or what position they'd be in to resist further
compromise of user data (through either legal or illegal means).

------
fimdomeio
Does anyone knows why does mozilla think this is a good idea? Between each
user sharing dns queries with their isps and everyone sharing dns queries with
cloudflare it appears that it's obviously more secure the first approach even
if none of them is really that great.

~~~
Avamander
ISPs have proven themselves untrustworthy repeatedly, CloudFlare yet really
hasn't. Not that I like the control they have, but it's honestly the fault of
ISP's this has happened.

~~~
userbinator
_some_ ISPs.

The problem is that Mozilla is taking a very US-centric view of a product that
is used worldwide.

~~~
gsnedders
…and DNS over HTTPS, using CloudFlare, is only being enabled in the US. A US-
centric view for a US-only decision seems fair to me?

------
unionpivo
One thing that concerns me greatly is debugging network problems.

Up until now, you could use dig, nslookup and other tools to see how your
computers resolves to help you figure stuff out.

Now what do you do?

also what happens when firefox uses this cloudflare, some other X application
will start using Z, and the third Y.

Also I work, and used to work for many small shops (under 50 people) in
different industries. Its standard practice to have internal domains,
sometimes even having different things on the same domain (i.e. mail.comany.co
is a different server from inside and outside the network).

If you don't have AD (increasingly common here with Apple and Linux laptops
being 95% of users), you will have to go to each user on every device that
has Firefox and help him fix the settings.

I would say just block it at firewall level, but it's not trivial, without
breaking sites that use cloudflare.

------
Crinus
If the single DoH 'server' is the issue, wouldn't having a list of several
'servers' around the globe (hopefully in places where there isn't any form of
censorship and preferably though non-commercial institutions) that the browser
selects randomly solve this?

~~~
vetinari
No. The browser has no business in selecting DNS servers; it is a system-wide
setting and it should ask the operating system to resolve names.

How the operating system resolves names, is up to it. It could use tcp-over-
pigeons, if the sysadmin configured it so, and no application should be
working around that.

If you want to use DoH with Cloudflare, you are free to configure your system
to do so. You will also get consistency, all your apps will use the same
system, not just the browser. Let the others have their systems configured
as it suits them.

~~~
yuft
Maybe if the OS providers were more proactive about DNS over TLS/HTTPS,
Mozilla wouldn't have needed to do this to keep users secure.

~~~
vetinari
Android does support DNS-over-TLS, and it does it in a way that does not break
networks - whatever it gets from DHCP, it tries the same server with DoT
first. Users can also configure their preferred DoT server.

Linux, or at least the glibc-based distributions, have a concept of
nss_modules; you can configure whatever mechanism you want, some people are
using DNSCrypt or nss-tls, for example. Systemd-resolved, with all the hate it
gets, does support DoT. So do other local caching resolvers, like Knot.

With other systems, you would have to discuss that with the respective
vendors. Vendors also discuss these issues with customers, and very few
customers are fond of breaking their systems. Activism, as Mozilla has shown,
is a good way to irritate a good chunk of your user base. The change would
have to be gradual, and allow the local admins to be in control (like Android
and Linux distributions do).

------
tssva
I think this is a horrible idea and applications should respect the OS DNS
configuration. I have already configured the instance of dnsmasq on my router
at home to return NXDOMAIN for the canary domain.

That being said I am a little confused by those that are concerned because
this change would mean their DNS queries will be sent to a US company and they
don't trust US companies. Firefox is developed and distributed by a US
corporation and is just as susceptible to being forced to follow US government
directives as Cloudflare.

------
kemonocode
Also, do keep in mind that by using DoH, you're also rendering anything like
Pi-Hole useless. The solution of course being to use DoH from the Pi-Hole
device [0], picking your own provider and disabling it on Firefox. Only step
you need to change is the part where upstream providers are given and use your
own instead of Cloudflare's default.

[0] https://docs.pi-hole.net/guides/dns-over-https/

------
mcovey
I simply don't like DoH because I use a DNS provider that I have chosen -
OpenDNS - specifically because they log my DNS queries _and let me see that
log_. I don't mind DNS lookups from my network being logged, as long as the
provider does accurate, uncensored DNS lookups. It's helped me find domains to
block such as tracking domains used by IoT devices that I can't configure
myself.

I have my router directing all DNS traffic to OpenDNS so these devices can't
pick their own servers, any outbound requests on port 53 will be redirected.
If they start using DoH/DoT, I can't do that so easily. I'd have to start
monitoring outbound traffic and do hostname resolution on the IPs.

I think the privacy argument for DoH in the browser is fairly weak, since
doing a DNS lookup is not really an indication of, well, anything really. No
matter what domain it was, there's no indication that the user intended to
visit a website or use a service on that domain, it could be as simple as a
lookup to load an embedded image in a spam email. The only good usage of it is
to prevent censorship via DNS.

------
sirtoffski
Idk folks, the entire debate seems to be out of proportion. 1) If you do not
agree with Mozilla’s actions - do not use their browser. I mean Mozilla isn’t
forcing anyone to use Firefox. As a company they are free to design their
product as they see fit. As an individual you are free to either use their
product or not. 2) If you disagree and still choose to use Firefox - just
because you are reading this means you have the knowledge to disable DoH. 3)
If Mozilla remove the option to disable DoH over CF and you don’t like it -
use another browser. 4) If you are concerned for other people’s data going to
CF (specifically people who are not as well informed, people who don’t know
what DoH or even DNS is) - very noble indeed, but unfortunately options are
limited here. Encourage people to do some research and to decide for
themselves whether or not they are as passionate about it.

The main point I am making is just as we want to be free in choosing whether
or not to use DoH over CF, Mozilla is as free to design their own product.

------
_Codemonkeyism
I was never a conspiracy buff, but the hordes of shills here who think it's a
good idea to send the whole world's browsing habits to the US, a country with
practically no protection of data, make this seem like a long-prepared
operation.

The Chinese had to hack BGP to get that kind of data for a limited time.

------
lousken
As a sysadmin and a user I don't see any problems with DoH, I can easily set a
DNS entry[0] so that FF respects my company configuration. And as a user I've
been using DoH for months, just not from cloudflare but from CZ NIC because
the latency was slightly better. You can easily set your custom DoH provider
with 2 clicks in the Options menu. Also for most users I see benefits, because
most of them don't use VPNs on free wifis.

edit: I also think OS maintainers are the main problem here, none of this
would've happened if they supported DoT or DoH themselves.

[0] https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

------
tedk-42
I think it's good Firefox are leading the way on DoH.

The ability to choose which DNS provider you query will be next on the feature
list for Firefox I imagine.

Cloudflare have the same mindset to do something about the vulnerability of
DNS to snooping (see their 1.1.1.1 app). Two companies with the same mindset.
I'm hoping others follow them.

The article itself sounds paranoid and divides those that would rather trust
private companies (with good intentions) against those that would rather trust
their ISP/Government (also with good intentions).

------
tannhaeuser
With Mozilla pushing their users around, it's inevitable that a FF fork with
Moz's shenanigans disabled will become mainstream. What's the current state of
eg Seamonkey?

------
garganzol
We are having zero problems with the current decentralized DNS architecture.

Evidently, Mozilla plays the role of a Google's darling once again. Those
financial "donations" have some interesting effects, don't they? Aside from
an official "Google Search Bar in Firefox" line.

What's even more interesting is that Hacker News moderator deranked the topic.

Probably all the actors represent the same mafia ring, as they are painfully in
need of defending those interests to stay commercially relevant in a changing
world (hello IPFS).

------
stordoff
Maybe I'm missing something, but the "I think just me and you was safer" image
feels a little misleading. There already was a third party - your ISP/DNS
provider.

------
throw0101a
In other news, bots have now started using DoH (one via Google's DoH service):

* https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module

* [https://news.ycombinator.com/item?id=20934680](https://news.ycombinator.com/item?id=20934680)

------
darkhorn
I don't know about you guys but in Turkey if you query wikipedia.org from
8.8.8.8 it doesn't return results.

However if you use DoH you can access Wikipedia.

Thank you whoever contributed to DoH!

~~~
teddyh
Whatever convinced Google – _Google_ – to censor Turkey, you don’t think they
will be able to convince Cloudflare to do the same?

This is a problem of centralization.

------
methou
The stated problem is that there are few providers; as for the offending party
- Firefox, it's that they've defaulted to a company based in the US, or a 14 Eyes
member.

It doesn't feel right to address the issue by blaming the DoH, or Firefox, as
they are not defaulting to the prime evil - Google.

I believe the better suggestion here is to set up one's own DoH servers, and
urge related parties to open-source their own implementation if there's none.

------
knorker
The government already has your DNS queries. So the whole point of the
argument is moot.

The ISPs, and anyone they share the data with, also already have the DNS
queries, so the argument is wrong.

But also, if you do want just one government to have the data, do you prefer
that data to go to your local country, which may be speech-oppressing regimes
like Syria, Saudi Arabia, UK, Ukraine, or Iran?

I fail to see how this is in any way a step backwards.

------
auslander
List of FF "integrations" grows. There is also HIBP one. We need a clean from
3rd parties version, like ungoogled-chromium project.

------
Niksko
Pretty hilarious that this entire article is negated by contractual agreements
spelled out in Firefox's FAQ in DoH

https://support.mozilla.org/en-US/kb/firefox-dns-over-https

------
TX-i
I don't understand the DoH protocol entirely. I thought the entire point of it
was to pass encrypted requests to CloudFlare. Can anyone confirm how this
works? I thought this was the entire point of DoH, adding encryption to
requests and directing it away from the plaintext DNS requests.

------
m-p-3
For those who are uneasy to use CF DoH, here's a list of alternative DoH
Resolvers

https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

------
NikkiA
I had to turn it off, not because I'm opposed to the idea, far from it, I'd
love to use DoH, but because cloudflare's spat with archive.is renders the
whole thing useless if you ever need to browse archive.is stored copies of
pages.

~~~
tick_tock_tick
Kind of a disservice to call it cloudflare's spat when archive.is added
special code to make their dns implementation non spec compliant only when
queried by cloudflare.

~~~
yuft
I wonder if they will deal with it now that all US Firefox users will be
unable to use it by default.

------
tptacek
_As somebody who's been working for internet security over 20 years, we
strongly believe that applications should not choose the DNS server. The
operating system is designed to manage DNS and network settings for all
applications._

This is nonsense.

~~~
tambre
Instead of a reactionary remark please provide arguments and explanations for
your viewpoint to actually further the discussion.

~~~
draw_down
I think tptacek's comment is just fine as it is.

------
Grue3
Not convincing. I live in Russia, explain why I wouldn't want this turned on?

------
Tharkun
The result will be simple: FF market share in corporate environments will
drop. If sysadmins have to jump through hoops simply to get the thing to
respect corporate DNS settings, then it won't be used.

------
distant_hat
In places like India, blocking is often done at the DNS level. Cloudflare and
Firefox are big reasons I can get around stupid overbroad government blocking
of whatever they think is anti-national or porn.

------
DavideNL
It's weird how large companies can make decisions like this (re-routing all
DNS requests to the US) on their own, without local/EU government stepping in
to prevent it...

------
paulcarroty
DoH and DoT are very interesting technologies, disabling them 'cause Cloudflare
is ... strange.

From another side, DoH/DoT prevents ISPs/government from DNS
modifying/rerouting.

~~~
antientropic
Why is that strange? It seems rather obvious to me why people are reluctant to
route all their DNS queries through a for-profit company in a country with no
real privacy laws (and one that you have to assume is backdoored by the NSA).

~~~
paulcarroty
'Cause it's not vendor-locked to Cloudflare, you can use your own server.

------
treggle
I strongly support DoH as it prevents government snooping on the public. It’s
really unhelpful that people like this attack Firefox over this issue.

Stand strong Firefox against this.

~~~
notyourday
One goes fishing where the fish is. There are dozens of large and hundreds of
medium to small ISPs in the US. There's only one Cloudflare. That's where the
resources to get the data would be concentrated. It has been demonstrated with
PRISM.

If Mozilla wants to play this game, it really should make DoH a visible top
level choice for a user.

~~~
magashna
Most users don't understand DNS, HTTPS, or DoH. I think this decision overall
is good, and for those who see and understand the possible issues, it's
trivial to remedy.

------
9588
I think dns (and many other "trivial" to implement sensitive services) should
be a gov service. Preferably the EU, and ideally made usable for anyone.

------
auslander
OpenBSD folks removed it, and they are always right about security, as they
were with disabling Intel hyperthreading.

------
auslander
How decisions are made in Mozilla? By whom? Is there public discussion
beforehand?

~~~
gcp
This has been tested and debated for months. Initial support for Firefox
rolled out 9 months ago or so:
https://miketabor.com/enable-dns-over-https-and-encrypted-sni-in-firefox/

The conclusion of the debate was that it vastly improves the privacy for most
users. Which is why it shipped in Firefox.

Take that into account when you read (misleading, factually wrong) push-back
like the original article.

~~~
auslander
> The conclusion of the debate

Obviously debate is still on, as we see in here and in [0], and it looks like
HN folks are not in favour of these integrations, including me. So question
stands, how/why was the debate concluded, did all developers have a vote? Is
there a link to discussion?

[0] https://news.ycombinator.com/item?id=20927832

~~~
gcp
>it looks like HN folks are not in favour of these integrations, including me.

I have no idea why you think that random HN discussion afterwards (in response
to an article filled with misinformation!) would have any bearing on how
Firefox is developed.

https://www.mozilla.org/en-US/about/governance/

>Is there a link to discussion?

There's been about 1.5 year of extended discussion and iteration over DoH,
yes. I'm sorry but there certainly isn't just a "single" link!

------
bechampion
privacy aside , how about internal hosted zones and stuff that isn't
resolvable by TLDs or ccTLDs?

------
booblik
My understanding is that the DNS query goes to the closest of the more than
180 Cloudflare servers, not specifically to the US servers. Complete FUD.

~~~
userbinator
The point is that Cloudflare is a US company. From that perspective, where
their servers are located is irrelevant.

~~~
booblik
Of course it is relevant. They claim US government has access to all the logs,
this is simply not true.

~~~
falcolas
Please provide some proof that a US company would not have to respond to US
government requests. The location of the servers doesn’t matter.

------
SimeVidas
> It means people outside the US can now be fully tracked by US government

How?

------
netfl0
Firefox, wth.

Cloudflare is not the internet.

~~~
m-p-3
It's currently proxying 10.2% of all known websites (by the surveyor) on the
entire Internet.

https://w3techs.com/technologies/details/cn-cloudflare/all/all

Not big, but not insignificant.

------
riccardogiorato
I hope to see a solution from Mozilla, is it known why they choose DoH with
Cloudflare? It seems a bit strange from a company always focused on OSS.

~~~
mikl
There aren’t a whole bunch of companies that are able to provide a good DNS
service world-wide. You’ll need high-reliability DNS servers co-located all
over the world. Probably a multi-million dollar investment to get such a thing
going, saying nothing of the running costs.

------
ros65536
I think this article would benefit from not shoehorning politics into the
issue. Couldn't take this seriously after the irrelevant slight at Trump.

------
aazaa
> DoH means that Firefox will concentrate all DNS traffic on Cloudflare, and
> they send traffic from all their users to one entity.

Why does DoH necessarily mean that Cloudflare will be handling the traffic?
The article barrels right to that conclusion without explaining why.

~~~
bennyp101
The default setting in Firefox is to use Cloudflare as the DoH provider

~~~
aazaa
Thanks for pointing this out.

> It is clear what Mozilla needs to do: Mozilla can and should revert the
> change and allow users to easily opt-in. And to select or enter the DoH
> provider instead of defaulting to Cloudflare.

Buried lede is buried.

