
Firefox’s Trusted Recursive Resolver DNS feature is dangerous - chipsdujour
https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/
======
jillesvangurp
DNS over HTTPS is a great idea. There's nothing wrong with the protocol or
Mozilla's implementation of it. This article is all about Mozilla's default
choice for a DNS provider. I think Cloudflare is actually a reasonable choice
though I'm not a big fan of their annoying captchas that I get served whenever
I use vpns.

There's nothing sneaky going on here, which the article seems to imply.

Currently there is no UI to configure any of this yet (other than
about:config) but you can trivially select any DNS provider that implements
this in the same place where you turn this on. The relevant setting is
network.trr.uri. Also, you need to opt in to this to turn it on so you'd be
reviewing this setting as well. Also you can configure how this is used, how
and when it falls back to normal DNS, etc.

You can run your own server if you want; or use the one from your provider
if/when they implement this. For obvious reasons, there are not a lot of
usable servers yet but it seems Google has implemented this as well. So I
assume they plan to roll this out for Chrome at some point.

The premise of this article seems to be that you should trust your provider to
do DNS and do it well. I'm sorry to say but for the vast majority of providers
I have experience with the opposite is the case. I've had providers redirect
dns failures to advertising pages in the past, shitty performance (600 ms or
worse), and generally trying to rip me off with bad network infrastructure
related outages while charging me a premium for bandwidth clearly not
delivered via obviously very congested infrastructure. I have no reason
whatsoever to trust them, at all. The less they can learn from my traffic the
better.

~~~
nebulous1
The article doesn't suggest there's something sneaky going on. The article is
suggesting that Mozilla are choosing to share your DNS queries with a third
party service by default, which is exactly what they're doing. It's not about
them choosing Cloudflare in particular, it's about them choosing any
particular service by default. And the article's argument that, if you have to
choose somebody to share this data with, it might as well be the people you
already share it with, seems pretty valid to me.

edit: I have to point out that the article has backed away from the claim that
this will be enabled by default in September. Looking at the Mozilla blog,
they mention wanting to enable this by default but have no actual plan to do
so (and more crucially don't discuss at all what sort of form it would have
to be in for them to enable it by default, it may look nothing like the
cloudflare-default we're discussing here).

~~~
Xylakant
The default applies currently if you enable an experimental feature. They
hammered out a tight privacy agreement for one service and use that as default
while this is stabilized. You can pick any other resolver if you prefer. Seems
a legit way of handling this.

> And the article's argument that, if you have to choose somebody to share
> this data with, it might as well be the people you already share it with,
> seems pretty valid to me.

The whole point of HTTPS and DNS-over-HTTPS is to not share any data at all
with your provider. It’s not entirely working right now due to SNI being
plaintext, but work is being done on that, too. So that’s really not a good
argument.

~~~
_Codemonkeyism
Cloudflare is a US company, their privacy statement is worth zero to most
Firefox users.

~~~
jopsen
I believe Mozilla's goal is to use the collective bargaining power of its
user-base to get favorable terms and conditions from vendors like cloudflare.

This could include 3rd party reviews, etc.. Who knows?

~~~
nickpsecurity
That wouldn't stop legal threats. Per Core Secrets leak, NSA/FBI both pay for
and force backdoors in U.S. companies' products. They also share that
information with other enforcement organizations per other leaks. Cloudflare
are in a position to monitor lots of network activity. I'd be quite surprised
if they weren't already backdoored.

If NSA/FBI aren't in one's threat profile, one might also be concerned about a
court order over something having to do with copyright or patents. Damages for
those can be huge. There are both legal and technical firms dedicated to poring
through data for evidence of patent infringements. Many licensing "agreements"
start with evidence they find. I don't know much more about this. My wild
guess is that _they_ often start with tips from disgruntled workers or maybe
those leaving for competitors.

These are the three main threats I'd be concerned about if sharing what I did
with a U.S.-based provider. Doubly true for me given I'm in the jurisdiction
of the enforcement agencies.

~~~
vavrusa
Cloudflare publishes transparency reports:
https://www.cloudflare.com/transparency/

It also promises not to store your IP associated with the DNS requests
(https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/),
so law enforcement would have to ask Cloudflare to install a wiretap device.

If you're this worried about being traced, it's probably best not to disclose
your IP address at all: https://blog.cloudflare.com/welcome-hidden-resolver/

~~~
jopsen
And they would have to hide such a wiretap device from auditors.

Moreover, cloudflare would be in a legal minefield since Mozilla would likely
have standing to sue, if cloudflare violates its own terms of service.

------
chrismorgan
> _My local ISP seems more trustworthy to me than a big US-based corporate
> which acts under the guise of a selfless privacy rights defender._

I have never trusted any local ISP. They’re commonly expressly allowed by law
to share roughly whatever they like about you†, _and they are known to do so_.

Cloudflare has at least promised not to be evil, and is to be audited annually
concerning it. If they desire to be evil I have no doubt they could wangle it,
but I still trust them _way_ more than I trust any ISP, because they’re
already _known_ to be evil under these definitions.

----

† (This is a gross simplification, but it’s broadly true enough in most
countries.)

~~~
ekianjo
Cloudflare can promise what they want, they can still be subject to warrantless
spying by US agencies and not disclose anything about it.

~~~
superkuh
And let's not forget that their CEO will arbitrarily censor and stop serving
people he doesn't like. He's done it before. He'll do it again. Cloudflare has
already lost my trust.

~~~
kentonv
In his blog post on that, he said pretty clearly that he doesn't want and
should not have this power:
https://blog.cloudflare.com/why-we-terminated-daily-stormer/

(Disclosure: I work for Cloudflare.)

~~~
superkuh
But he does and does. And now in the Perfect 10 lawsuit against your company
it's biting you in the ass. Now you have to censor everything. Good going.

------
msravi
The article is incorrect.

1. TRR is not turned on by default. To turn it on, you need to go to
about:config and set network.trr.mode to something other than 0 or 5.

2. Even if trr.mode is turned on, you need to go in and set the DOH server at
network.trr.uri. The default is blank. You can set it to any publicly known
DOH server (https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers),
or even your own.

3. The article doesn't talk about how your ISP can use DNS to censor your
result - very common, for example, in a country like India where the court
orders certain sites taken down. Mozilla's DOH solves this.

~~~
orbital-decay
The first sentence of the article is about TRR/DOH being turned on by default
in the next patch.

~~~
msravi
Can you point to a Mozilla announcement that says they'll turn on DOH by
default in a regular non-experimental non-nightly release?

This is what Mozilla says in their DOH blog:

Our second effort focuses on building a default configuration for DoH servers
that puts privacy first.

We are running a shield study where some Nightly users will participate in one
or more experiments to help us build out a secure, cloud-based service that
handles DoH requests. All Nightly users will receive an in-product
notification about these studies.

Cloudflare is our partner for these experiments. When a shield study is
active, Nightly Firefox will automatically use Cloudflare’s secure DNS over
HTTPS service (though we aren’t using the famous 1.1.1.1 address). The first
study will test whether DoH’s performance is up to the task.

~~~
Pissompons
> Can you point to a Mozilla announcement that says they'll turn on DOH by
> default in a regular non-experimental non-nightly release?

Right on their blog
(https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/),
quoted by the article:

"We’d like to turn this on as the default for all of our users. We believe
that every one of our users deserves this privacy and security, no matter if
they understand DNS leaks or not."

~~~
dblohm7
That is not an intent-to-ship email on the dev-platform mailing list.

------
rendx
The article lacks instructions about disabling it or using some other DOH
resolvers.

about:config -> search for network.trr -> set network.trr.mode = 5 to
completely disable it (I do not recommend this)

The curl wiki has a list of DOH servers:
https://github.com/curl/curl/wiki/DNS-over-HTTPS

It should also point to "the other side of the story", the benefits of DOH
over classic DNS resolving, for example
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

~~~
telmich
Thanks for the hint! We added that to our blog entry - please let us know if
it sounds right to you.

~~~
opencl
The default is already off[1] though...

Mozilla has stated plans to _eventually_ turn it on by default[2] but I have
yet to see any timeline or details of what the default config will actually
be. Your article seems to assert that it will be on by default in FF62, where
did Mozilla ever say this? Everything I have read seems to indicate that FF62
is just adding support, which is off by default, and requires a change to
about:config to enable in the first place.

[1] https://gist.github.com/bagder/5e29101079e9ac78920ba2fc718aceec

[2] https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

------
Mister_Snuggles
I'm not looking forward to this.

I use internal DNS for stuff I'm running at home (e.g., a NAS, Home Assistant,
etc). I don't want to go back to the bad old days of having to remember what
IP addresses go with what service.

My girlfriend is not going to like it when Pi-Hole magically stops working
because Firefox doesn't respect the DNS settings that are served by DHCP.

My employer uses internal DNS for internal services. The helpdesk is going to
have a fun time as Firefoxes across the organization get updated. It also
doesn't help that a large number of users are BYOD users, so enforcing certain
Firefox settings is a no-go.

Sure, there's instructions to fix it, but it should never be broken like this
in the first place.

EDIT:

The article has been updated - it now shows a screenshot from Mozilla's
blog[0] which says:

> We’ll use the default resolver, as we do now, but we’ll also send the
> request to Cloudflare’s DoH resolver. Then we’ll compare the two to make
> sure that everything is working as we expect.

Cloudflare is going to have a huge list of internal stuff used by Firefox
Nightly users, and Mozilla is going to have huge insights into how many people
use things like Pi-Hole, internal DNS servers, split DNS servers (e.g., BIND
Views), etc. And they're going to be analyzing this data in order to determine
how well DNS-over-HTTPS works.

I'm not sure if this is better or worse than I initially thought it was.

[0] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

~~~
bzbarsky
> Cloudflare is going to have a huge list of internal stuff used by Firefox
> Nightly users

By Firefox Nightly users who agree to be in the study, yes?

------
nykolasz
First, I have to say that I love cloudflare, but the last thing we need is the
centralization of all our DNS resolution to them. Please Mozilla, don't give
anyone too much power.

And if DNS over HTTPS is the way to go (which might be), _give the user a
choice_. There are 3 public resolvers already offering DNS over HTTPS:

- Google[1] (was the first one to support it)
- CloudFlare[2]
- CleanBrowsing[3] (for security and/or adult filtering)

And hopefully Quad9 will join the list soon. I hope this doesn't become a
"search engine" war that the company that pays more becomes the chosen DNS.
Please Mozilla, don't do that.

* 1: https://developers.google.com/speed/public-dns/docs/dns-over-https

* 2: [https://developers.cloudflare.com/1.1.1.1/dns-over-https/](https://developers.cloudflare.com/1.1.1.1/dns-over-https/)

* 3: [https://cleanbrowsing.org/dnsoverhttps](https://cleanbrowsing.org/dnsoverhttps)

------
TimMeade
What about if you have private DNS servers that have sites that cloudflare does
not have? For example internal intranets etc.?

So mozilla will not work at all in that case?

~~~
xg15
I think as far as browsers are concerned, there are no private DNS names
anymore for a good while already - either everyone on the internet knows your
DNS or it doesn't exist.

See the similar problem with TLS certificates...

(edit) Ok, that was indeed put more dramatically than necessary. My point is
that private DNS names seem to be heavily discouraged by browsers' _default_
configurations.

You can change both the DNS resolver as well as install custom CAs - however,
this has to be done again for each client. If you want to have your sites
visited by clients that you don't administrate, you're out of luck.

(warning - rant follows) The direction browser vendors would like the
ecosystem to move also seems quite clear to me - there is a strong push to get
everyone on HTTPS, at the same time CAs are themselves increasingly regulated
by browser vendors and cannot hand out certificates for IPs and private DNS
names anymore. Now the next step seems to be DNS. If that is not a
platformisation of the web, I don't know what is.

~~~
telmich
Can only heavily disagree with this one. The reason why BIND has views is
because bigger organisations (like universities) employ different views
depending on whether you are internal or external.

~~~
xg15
But this is the exact point. With DoH active by default (and no custom
configuration set), every instance of Firefox will appear to be querying your
DNS from outside, no matter if the machine is inside the LAN or not.

------
qiqitori
More information:
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/

According to this page:

- you can already test this right now

- you can provide your own server

And some more:
[https://en.wikipedia.org/wiki/DNS_over_HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS)

~~~
foepys
> - you can provide your own server

Nobody will do this except for maybe 5 individuals and a few dozen
corporations simply because there are no other public DoH servers around.

~~~
vetinari
Many already run their own resolvers, so providing a DNS-over-HTTPS proxy is not
a problem.

What is THE problem, is configuring the browser. No one is going to
reconfigure their browser after each connection to a different network.
There's a reason why we moved from static configuration towards DHCP, which
can configure network-specific settings. DNS is a network-specific setting,
and Mozilla is breaking it.

~~~
pastage
Split horizon was always a bad hack, there have always been alternatives. DoH
could be used on the default DNS servers too, there is value in encrypted DNS
on the LAN as well.

~~~
vetinari
> Split horizon was always a bad hack, there has always been alternatives.

I always see this repeated as a mantra, but never its rationale. No company
is going to advertise their internal infrastructure needlessly. There's no
upside in the world knowing that your _kdc._tcp.company.com is 192.168.10.20;
but there are downsides.

> DoH could be used on the default DNS servers too, there is value of
> encrypted DNS on LAN as well.

Sure, but hardcoding or statically-configuring the value is not the way. LANs
need to have their DHCP tags respected. If one of them is "use this URL for
DoH-server", that's fine.

------
petters
> And your ISP knows where you connect to anyways. So the data or information
> generated by their DNS server provides no additional information to them.

This is not correct. Your ISP only knows what IP you are connecting to and
that is not enough in general. E.g. Cloudflare.

~~~
sofaofthedamned
With SNI they also know the domain you're connecting to.

~~~
pas
There are people working on encrypted SNI:
https://huitema.wordpress.com/2017/09/12/cracking-the-sni-encryption-nut/
It'll take some time, but we'll get there hopefully soon.

~~~
sofaofthedamned
Good point, but it's not here now. It is however better than the old days
where you needed your own IP address to do TLS/HTTPS.

------
mhkool
I'd rather use a DNS cloud that promises to wipe logs every 24 hours than a DNS
server of an ISP who is guaranteed to spy on me.

~~~
a012
There are many public DNS providers that promise not to log DNS queries. I
don't know precisely, but if Mozilla forces users to use Cloudflare DNS, that is
the deal breaker.

~~~
Xylakant
They don’t. It’s the default if you choose to enable the feature, but there
are other compatible DNS providers, pick any that suits you (or just don’t
enable the feature and keep doing what you’re doing now)

------
jchw
Well, you have to trust _some_ third party. Personally, I think Cloudflare's
DNS is pretty trustworthy based on what we know. It's WAY better than sending
unencrypted DNS requests to arbitrary network-dependent third parties, in my
opinion.

If you gravely fear Cloudflare for some reason, Google also provides a DNS
over HTTPS server, along with a couple others. You can probably set Firefox to
use that.

But if we were OK treating this as insensitive data not needing encryption
before, worrying about trusting third parties is not even the beginning of the
problem.

------
kingofhdds
There are many countries where ISPs are obliged by law to spy on users, and
retain logs for many years. DNS manipulation is also used as a cheap censorship
mechanism. So Cloudflare can easily be a better option for hundreds of
millions if not billions of people. As a rule, local actors present a way more
serious threat compared to US agencies for the majority of the planet's
population. That said, Mozilla, of course, must be very transparent with such
big changes, and explain them to users, not using just "more secure" wording.

~~~
_Codemonkeyism
So data is safest in the country with the largest spying budget and the most
spies. Not convinced.

~~~
kingofhdds
You are refuting a statement I never made. There's no such thing as a general
threat. So whose data? If you are Julian Assange you should be afraid of US
spying agencies, but if you are an Uzbekistani dissident it's your gov't
repressive machine you should care about, and the tracking possibilities of your
direct adversary will be diminished with the discussed Mozilla move. If you
are an average Joe in a small town you may find it safer to trust a faraway
commercial entity rather than your neighbor's nephew who works at a local ISP.

------
StavrosK
I use Cloudflare's resolver, but I actually agree with this. I don't want
every device in my local network ignoring my Pi hole or my custom DNS entries,
I don't want the device of everyone in my country being subject to
surveillance requests from the NSA (and Cloudflare is legally (if you call
warrantless wiretaps legal) required to comply), and I don't like the
centralization this brings.

If I recall correctly, this also breaks geographical-based DNS resolution?

~~~
geertj
> I don't want the device of everyone in my country being subject to
> surveillance requests from the NSA (and Cloudflare is legally (if you call
> warrantless wiretaps legal) required to comply), and I don't like the
> centralization this brings.

Agreed that this introduces additional centralization. Maybe Mozilla could
work with other third parties in different jurisdictions to see if there's
interest to spin up additional DOH servers. That said, if your threat model
includes the NSA then this would probably be far from sufficient.

~~~
StavrosK
As always, it's not "the NSA is targeting me specifically", it's "they're
doing dragnet surveillance for potentially 'interesting' data and who knows
how they'll choose to harass me".

There is literally no single country in the world I would like my data sent to
than the US. Even China is preferable.

------
xg15
For reference, the privacy agreement between Cloudflare and Mozilla:
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

~~~
claudius
Great, all your data is stored for 24 hours and then collected in "anonymised"
form for further processing and "internal research"! Also no mention of
penalties, either for Cloudflare as a company or the responsible employees
(starting with the CEO) in case of a violation. And no notice period of any
time should Cloudflare decide to change those terms and have thousands of
browsers still pointed at its resolvers.

Why would this make Cloudflare appear remotely trustworthy?

~~~
477353468463695
It's a legally binding contract between Cloudflare and Mozilla. If Cloudflare
were to violate it, Mozilla could sue and a judge would determine the
penalties for Cloudflare. There should be some rough guidelines written into
law as well.

And we're definitely not talking about small amounts. Cloudflare violating it
would result in Mozilla violating the privacy of millions, which can be
interpreted as significant damages to the citizens. They're also both situated
in California, so privacy will be valued by a judge. Given Mozilla's public
image as a privacy-friendly organization, they could also push charges for
damaging that image.

That penalty + the damage to Cloudflare's own reputation, I cannot imagine
they would survive.

~~~
xg15
Note also:

> _Cloudflare will also collect and store the following information as part of
> its permanent logs. [...]
>
> - Aggregate list of all domain names requested_

So while they might not associate it with a person, they _will_ collect all
domain names they get and store them for their own purposes.

~~~
patrickmcmanus
restricted to: "solely to improve the performance of Cloudflare Resolver for
Firefox and to assist us in debugging efforts if an issue arises"

------
jpalomaki
Nothing against Cloudflare, but I don’t think it is good in general for the
Internet that they are getting so critical.

For them this sounds like a good deal (is money involved here?). Having more
control of DNS should mean they can provide better service for their
customers.

~~~
foepys
> For them this sounds like a good deal (is money involved here?).

There is a lot of money involved. When you resolve DNS only over Cloudflare,
all Cloudflare sites will have a much lower DNS resolution time than any
domain that is not hosted by CF's DNS service. CF can also do geo DNS more
efficiently, potentially saving millions in edge nodes.

------
xg15
So yet another step to centralize security with browsers and override any
decisions of local admins. Great...

------
anonymfus
Where exactly do Firefox/Mozilla people say that they plan to enable it by
default?

------
znpy
Sigh. Mozilla had just made Firefox usable again... And now good reasons for
leaving it again are coming up.

~~~
chrisper
So what is the alternative? Chrome, edge, and Vivaldi?

~~~
dingo_bat
I've been using Brave. It's beta quality software but works surprisingly well.

~~~
znpy
Brave on Android is the way to go. Literally the best browser.

------
_Codemonkeyism
Most important point from the article

"Let's stop here for the moment and repeat: With Mozilla's change, any (US)
government agency can basically trace you down." - with ease I might add.

------
ezoe
I was thinking about this issue. Once this feature is on by default, all
Firefox DNS queries go through Cloudflare, a for-profit company which
resides in the US, whose government is infamous for spying on everything.

My conclusion is, what's the difference?

Currently, Cloudflare is one of the major CDNs in the world and most traffic
goes through them.

Even worse, by its nature, Cloudflare and most of the CDNs are practically
doing a MITM attack so they can cache the data. For that reason, HTTPS isn't as
secure as most browser vendors want us to believe. The rise of CDNs causes a
serious single point of failure, but most of us don't worry about it the way we
do about DNS.

To solve this problem, we need to invent a completely decentralized new network
that doesn't rely on the current Internet even at the physical layer.
Probably fall back to the level such that we carry storage by foot or pick up
dead drops.

------
kijin
I don't like the way Cloudflare is centralizing everything, but I would use
Cloudflare any day over my ISP. Seriously, fuck my ISP.

I would support this feature on the condition that users are able to choose
which DNS service to use by default, especially as more public DNS services
begin to adopt DoH. Developers like us will also need the ability to use
/etc/hosts or route queries to a local instance of dnsmasq.

Obviously there's a switch somewhere in about:config, because Firefox is also
involved with the Tor project which requires the ability to route DNS queries
through Tor. This switch should be accessible to the user, just like the
choice of default search provider.

------
telmich
The Internet is not made for centralisation!

~~~
Nokinside
The internet has a decentralized architecture underneath, but the model is being
abandoned because traffic volumes are too high for the naive decentralized
architecture.

Today 60% of the global internet traffic goes through CDNs. In 2021 it will be
over 70% (over 90% in North America). There is a whole "internet cache"
industry standing between clients and servers.

When you connect to some site on the internet, most of the data comes from
some of these: Google CDN, MaxCDN, Akamai, MS/Azure CDN, Limelight, EdgeCast,
Amazon CDN, Cloudflare, Rackspace, Incapsula, ...

The issue here is not decentralization vs centralization, it's about the browser
selecting something for a user as a default.

~~~
rini17
You cannot compare a CDN with DNS, which does not require high traffic volumes
nor expensive servers.

The issue is the pervasive laying of trust in "benevolent" third parties. CAs
apparently are not enough and we now must have Trusted Recursive Resolvers,
too. And it's more and more difficult to set up alternative infrastructure
which does not rely on them.

~~~
Nokinside
>You cannot compare CDN with DNS

I didn't compare them.

------
hoppelhase
This proposal introduces a lot of complexity. It requires JSON parsing, HTTP
and TLS. A bug in one of these components is likely to occur.

In contrast, DNS is very simple and can be implemented with a lot less code.

~~~
Gaelan
The JSON/HTTP protocol may be more complex than DNS, but Firefox is likely to
already have a very good implementation. TLS is new, but important.

------
simias
I think it's a nice feature to have but it has to be opt-in, you can't set the
precedent that it's fine for a web browser to hijack your web traffic, even if
it's for a good reason.

------
octosphere
To be honest I think it's great news. I would much rather trust Cloudflare to
handle my (encrypted) DNS than my ISP. I'm based in the U.K and there are very
few ISPs that have private DNS - you often hear stories of (U.K) ISPs selling
data out the backdoor to comply with things like the Investigatory Powers
Act[1].

[1] https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016

But besides Mozilla's efforts, I am careful not to browse anything political
using a vanilla ISP. Anything sensitive is browsed with Tor for anonymity. I
only use a VPN for routing traffic over hostile networks like public wifi
hotspots / Starbucks wifi. A VPN is not inherently private but a VPN does have
its uses, like for viewing geo-locked content (Like the 'This video is
unavailable in your country' scenario).

Also for further research if you want to know more about the 'trusted' Internet:
https://www.youtube.com/watch?v=a4UXnZaunJQ

------
_Codemonkeyism
The US has the largest spying budget and the most spies.

And FF thinks it makes it more secure for me if they transfer all my browsing
metadata to the US.

I don't think so.

------
Ceezy
That's just a feature. You can choose not to use it. Why so much noise?

~~~
Vinnl
As I understand it that's even the default choice, and CloudFlare is just the
provider they're currently testing this with for those who do choose and do
not configure their own provider.

~~~
telmich
The point is though that users won't change their defaults. When Mozilla sets
the default to Cloudflare, > 99.9% of the users will use it.

~~~
Vinnl
So the default is that this is off. If and when that changes, the question
that should be relevant is whether the majority of those users is better
served with CloudFlare than their ISP, given their threat model.

------
angry_octet
I know my ISP is required by govt to log all meta data (websites, IPs, email
headers). If I'm not using a VPN, it's all logged. Encrypted SNI is coming,
but without encrypted DNS it's all still logged. So it seems like a net win,
even if cloudflare is logging everything.

Too bad dnscurve hasn't taken off more.

~~~
the8472
But you don't need to depend on cloudflare here. If you have a VPN you can
also tunnel your DNS lookups to a custom resolver through the VPN.

------
mcny
Sorry if this is off topic but where does DNS over https leave my pi hole?

Is it possible (in the future) to do dns over https from my router to the
pihole and then dns over https from the pihole to Google or Cisco open DNS?

How would it work? Wouldn’t the router need to trust the https certificate
that my pihole presents? Thank you!

~~~
telmich
That would work. DoH is "just" a replacement for UDP in this context. However,
when Mozilla changes the default to DoH of Cloudflare, you will need to
manually change all Firefox installations.
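Added example, not code from the thread or from Mozilla, Cloudflare or the Pi-hole project, to make concrete the point in the reply above that DoH is a transport swap: the DNS message is the same bytes a stub resolver would send over UDP, only carried in an HTTPS request as RFC 8484 defines it (the JSON API that some public resolvers also offer is a separate, non-standard format). The script builds a wire-format A query, shows the GET and POST shapes a DoH client would send, and parses a reply; it runs offline because the reply is a constructed sample that echoes the question and answers with the 192.0.2.1 documentation address. The resolver name doh.example.net and all function names are constructed for the example.

```python
import base64
import struct

# Constructed placeholder resolver; not a real DoH service.
RESOLVER_URI = "https://doh.example.net/dns-query"


def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035) for name/qtype, class IN.
    ID is 0 and only RD is set, as RFC 8484 recommends for cache-friendly DoH requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_uri, query):
    """RFC 8484 GET form: the same DNS bytes, base64url without padding, in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_uri}?dns={encoded}"


def doh_post_request(resolver_uri, query):
    """RFC 8484 POST form: the raw DNS bytes as the body with the dns-message media type."""
    return {
        "method": "POST",
        "url": resolver_uri,
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": query,
    }


def _read_name(msg, off):
    """Decode a possibly compressed name starting at off; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(msg):
    """Return [(name, ttl, dotted IPv4)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                           # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_sample_response(query):
    """Constructed reply for the query: response flags, the echoed question, then one A record
    whose name is a pointer to the question at offset 12 and whose address is 192.0.2.1."""
    header = query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(RESOLVER_URI, q))
    print(doh_post_request(RESOLVER_URI, q)["headers"])
    print(parse_a_answers(build_sample_response(q)))
```

Nothing in the message changes between the UDP and the DoH case, which is why a resolver that already answers on port 53 only needs an HTTPS front end to serve DoH. That front end is an ordinary HTTPS server, so a DoH client validates its certificate the way a browser validates any site's certificate: a self-hosted resolver such as a Pi-hole behind DoH has to present a certificate its clients trust, which answers the certificate question raised above.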

~~~
crtasm
Other posters on this thread point out that Firefox has no plans to make it a
default.

------
rschoultz
This feature will break dns-based geo-lookup, so as a user I might get
directed to services that are 130ms away from me instead of 1-5ms. For any
client application, this will likely have strong negative effects on user
experience.

~~~
nebulous1
I somewhat doubt cloudflare have overlooked that

~~~
rschoultz
It seems like you are right. On the company's pages I find "... Instead of
doing this, Cloudflare will make the request from one of their own IP
addresses near the user. This provides geolocation without tying it to a
particular user. ".

Still, my concern is that this is no longer a function of the technology, but
by a service that is maintained by one company, limited to the coverage that
they provide in different parts of the world.

------
tootahe45
I think he forgot to write the part about how it is dangerous or not 'more
secure in general' after explaining why it is for the average user who is
likely to connect to any open wifi network without setting static DNS.

------
jplayer01
I don't understand why so many people are critical of people being wary about
how a company deals with our data, especially one in Mozilla's position. Did
all of you sleep through the past twenty years?

------
kiriakasis
The only point in this is that Mozilla will apply it as a default, which is
then retracted at the end.

As of now this only serves to start flamewars over all the drama people have
with Mozilla.

------
chunsj
As a man in a country where constant censoring is performed by the government,
this movement at least makes it harder for the gov to censor/monitor people.

~~~
telmich
Which country is that?

------
peterwwillis
Just because what you're doing is private doesn't mean it's secure. Just
because what you're doing is secure doesn't mean it's private.

No whistleblower should ever just expect that doing things the normal way is
private or safe for them. If you wear a tinfoil hat, you need an entirely
different operational language than typical users have, because your needs are
totally different.

~~~
mrob
Privacy improves security for everybody. If an attacker can read all your DNS
lookups then it's easier for them to target a spear-phishing attack against
you.

~~~
peterwwillis
Privacy _may_ improve security, but usually not. It is a sometimes unintended
consequence.

If I want to tell you a secret, I will bring you into a private room. Now we
have privacy. If someone wants to listen in on our conversation, they will
plant a bug in that room, or listen through the wall. To remain secure, I must
add security countermeasures to prevent the bugs from transmitting, or extra
noise to make being overheard difficult.

Your ISP's DNS might be more private, but if an attacker can poison your ISP's
DNS cache (it has happened to me on my ISP) you won't be more secure. It's
more secure to use a hardened DNS service, which is usually not local. But
yes, this could be a minor privacy concern with a big enough attacker.

Just because you add privacy does not mean you added security. Just like
because you add security does not mean you have privacy.

So please be honest about the motives for things like this. If you want more
privacy, say so. Don't say it's a security problem when it's not.

------
Hnrobert42
Does anyone know about this website? I am skeptical of a .ch domain
criticizing something that would make censorship harder.

------
crtasm
I suppose a small upside to this is it will prompt some people to look into
how trustworthy their ISP's DNS is.

------
the8472
If you don't trust local ISPs the solution is not to put your eggs into the
cloudflare basket which could then be plundered by the NSA fox.

Instead tunnel all traffic to some rented box in a jurisdiction _of your
choice_ and then run your own DNS resolver either in your home network or on
that box.

------
eps
It really comes down to if it's going to be a silent default or a verbose
opt-in.

Anyone got a link to this announcement?

------
Pyxl101
> The Domain Name System (DNS) is a service used in converting a computer’s
> host name or a Top-Level Domain (TLD) into an IP address

Hostnames and TLDs are different concepts in DNS. It is a mistake to conflate
them.

TLDs are the top level (rightmost) part of domain names, such as specifically
“com” in “example.com”.

------
_Codemonkeyism
Updated:

"We wrote in a previous version that "the next Mozilla patch in September"
will enable DoH by default. We corrected that part as it is not clearly stated
on Mozilla's blog, as can be seen in the screenshot below."

------
nobleach
While developing, I hack my /etc/hosts to point at a local dev environment. Is
this to say that Firefox would ignore that as well?

------
yellowapple
I imagine this has a lot of potential to break things on corporate intranets.
Or does TRR have some kind of mechanism to check for that?

------
ferongr
Seems like my decision to migrate off Firefox was the right one.

------
some_account
I think it's a great option for people who can't trust their ISP. I've been
using it in nightly for a month or so and it works nicely.

Making it default would be controversial though. Right now it's opt in.

------
telmich
If you agree and think it's dangerous, help us to spread the word on twitter
[https://twitter.com/ungleich/status/1026041643340845057](https://twitter.com/ungleich/status/1026041643340845057)
- maybe it helps to make Mozilla rethink this "feature".

~~~
cptskippy
Think what is dangerous? Encrypted DNS? Choosing a DNS provider you don't like
for an experimental feature because they support that feature? Trying to make
the web safer and less creepy?

I think you have a fundamental misunderstanding of why this experiment is
configured the way it is and you're just being a Chicken Little.

------
YouAreGreat
Why would Google's own Mozilla do this... unless Google is planning to buy
Cloudflare.

------
alphaaurigae
dont touch my dns settings, srsly!

