
On Firefox moving DNS to a third party - supakeen
https://blog.powerdns.com/2018/09/04/on-firefox-moving-dns-to-a-third-party/
======
supakeen
An update is that on Reddit a Firefox employee has responded on my crosspost
to reddit:
[https://www.reddit.com/r/firefox/comments/9cx8hk/on_firefox_...](https://www.reddit.com/r/firefox/comments/9cx8hk/on_firefox_moving_dns_to_a_third_party/)

Clarifying that this is just an A/B test and there are no plans to continue
using CloudFlare for all users.

~~~
kodablah
To clarify, only in nightly and previously disclosed [0] (results at [1]).

The article is right to be fearful that FF is pondering a default change, but
until that is even on the table, I'm not worried. Now if they wanted to make
it really really easy for regular users to change from your default ISP DNS to
CloudFlare, I'd actually be OK with that, but I'd expect it to be implemented
like search engine providers where anyone could just as easily be the DNS
provider chosen (ideally without any CloudFlare favoritism). And it would be
clear who your DNS provider is maybe via an icon (if there is real estate for
it).

0 - [https://blog.nightly.mozilla.org/2018/06/01/improving-dns-pr...](https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/)

1 - [https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-...](https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/)

~~~
sp332
They have a contract with CloudFlare with stronger privacy protections for FF
users. This goes beyond the normal CloudFlare privacy policy.
[https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/)
They're not just picking providers at random.

~~~
kodablah
I am a bit naive. Who is paying whom in this contract? What is either side
getting out of it? Why can it not just be a pluggable DNS provider situation
and let CloudFlare compete with anyone else for opt-in (including extra
privacy features if so desired)? Also curious, why would CloudFlare offer
stronger privacy protections for one type of user and not another...what is
CloudFlare getting out of the lesser-protected users since it is clear
everyone is not given the same treatment?

~~~
sp332
It will almost certainly be configurable. My point is that you'd have to
evaluate the privacy policy of each provider for yourself which is more work
than just picking from a drop-down menu. And even if you put in the normal CF
endpoint, you would only be covered by the normal CF ToS and not by Firefox's
special deal. The "favoritism" has a material impact on privacy.

~~~
kodablah
Surely it can be seen why this comes off as shady. Browser vendor inks deal w/
third party company. Deal includes special provisions company will not
otherwise provide users of its service. Browser vendor promises to give
preference to third party company. Details of deal, at least to me, are not
very transparent.

In general I agree that using other DNS providers besides the ISPs has
benefits. But not sure I think it should funnel to a single, preferred
company. Nor do I think that they should collect anything at all, reduced
compared to their original or not. I think some transparency is deserved here
about the contract if/when a regular FF release is shipped encouraging users
to use Cloudflare, specifically around the motives of wanting this data.
Granted, I am a bit more paranoid than most.

------
brians
This seems well-intentioned but incredibly dangerous. There's no promise CF
can make that justifies trusting them to receive a stream of every request
from every FF browser, with all this trackable metadata.

In particular, I think it would be unsurprising if CF's lines were tapped
upstream. CF and Mozilla staff have a history of treating TLS as if it
protects all content, rather than as a tool for keeping narrowly defined
secrets. I explain further at
[https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-...](https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-privacy.html).

~~~
sp332
But since there's already a high risk of ISPs sniffing or even redirecting
this traffic, you'd have to show that the risk for the average user is higher
with CF.

~~~
Coding_Cat
It funnels all _firefox_ requests through CF, as opposed to all _$ISP_
requests. Which one is worse for the user I find hard to say, but they'd
definitely generate two completely different datasets (for example, CF's set
would be international).

------
dschuetz
This is just like when Facebook wanted to handle all of your iOS traffic via a
VPN app for "secure Internet" reasons. "Trust us, you have nothing to worry
about, your traffic is safe with us" and then they were caught analyzing
traffic data of all apps other than Messenger or Facebook. Yeah. "Trust"

~~~
MasterScrat
> they were caught analyzing traffic data of all apps

Source?

~~~
iancarroll
Onavo has been a critical part of Facebook's recent startup acquisitions, and
the data they had was very powerful.

"The tool shaped Facebook's decision to buy WhatsApp and informed its live-video
strategy, they say. Facebook used Onavo to build its early-bird tool that tips
it off to promising services and that helped Facebook home in on Houseparty."

[https://www.engadget.com/2017/08/13/facebook-knew-about-snap...](https://www.engadget.com/2017/08/13/facebook-knew-about-snap-struggles-through-app-tracking/)

[https://www.foxbusiness.com/features/the-new-copycats-how-fa...](https://www.foxbusiness.com/features/the-new-copycats-how-facebook-squashes-2)

------
sudhirj
Given that my ISP currently tracks DNS and blocks whatever they feel like at
that level, I actually think this is a good move.

The measure I'm looking at is that of sensible defaults: is this default more
sensible for a majority of the user base than the existing default? For anyone
outside the rule of GDPR using a regular ISP, this option is far better. The
joint privacy policy Mozilla + Cloudflare is much better than a regular ISP.

And given that we all go and change the DNS of every computer we and our
extended families own to 8.8.8.8, 8.8.4.4 or 1.1.1.1, I don't see why we'd
think Mozilla doing it by default is a bad thing.

------
buckminster
A friend of mine has a simple static hobby website on his own .net domain. It
isn't reachable through CloudFlare DNS. This has been true for over two
months. Google DNS can see it, as can my ISP's.

I recently noticed that his self-hosted email is sometimes being flagged as
spam because it lacks spf.

Is CloudFlare filtering their DNS results, maybe against a spam blacklist?

~~~
Habbie
Can you share the domain name so we can investigate?

~~~
buckminster
I can't share the domain name but its DNS servers are:

    ns3.cisws.nl
    ns6.cis-websolutions.nl

~~~
mnordhoff
Sharing the domain is usually critical.

Picking a random domain hosted on those nameservers, mdfs.net, it looks like,
of the 4 IPs, 2 are down and 1 of the remaining ones doesn't support TCP.

[http://dnsviz.net/d/mdfs.net/W48OcQ/dnssec/](http://dnsviz.net/d/mdfs.net/W48OcQ/dnssec/)
[https://ednscomp.isc.org/ednscomp/4040283963](https://ednscomp.isc.org/ednscomp/4040283963)

1.1.1.1 is less tolerant than some resolvers of that level of breakage.

[https://community.cloudflare.com/t/ipv6-timeouts-appear-to-b...](https://community.cloudflare.com/t/ipv6-timeouts-appear-to-be-racey/30682)

~~~
buckminster
Thanks for having a look. If I understand that correctly the DNS servers are
returning IPv6 addresses for themselves, which aren't functioning. So he needs
to get his host to stop returning the IPv6 addresses (or to fix IPv6).

~~~
mnordhoff
Yup. And also one of the IPv4 IPs isn't doing TCP.

I'm not sure nothing else is wrong, but the IPv6 issue is likely why 1.1.1.1
is having trouble resolving it.
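
The check mnordhoff describes (each of a domain's nameserver addresses tried over both UDP and TCP) as an added example; it is not part of the thread and not code from any tool linked in it. It uses only the Python standard library: it builds a raw DNS query, sends it over UDP/53 and over TCP/53 with the two-byte length prefix, and reports per server which transport produced a valid response. The domain `example.net` and the address `192.0.2.1` are placeholders (an RFC 5737 documentation address), and `probe()` and `broken_transports()` are names chosen here. A server that answers over UDP but not TCP, or an IPv6 address that times out on both, is the kind of breakage the thread attributes to the hosting provider's nameservers.

```python
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: one question, RD bit set, qtype defaults to A."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; raises ValueError on a truncated message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit: UDP answer did not fit
        "rcode": flags & 0x000F,              # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def udp_query(server: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP/53 (IPv4 or IPv6 literal) and return the raw reply."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def tcp_query(server: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send the query over TCP/53 with the 2-byte length prefix (RFC 1035 4.2.2)."""
    q = build_query(qname)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server: str, qname: str) -> Dict[str, str]:
    """Try both transports against one nameserver; never raises, always returns a status."""
    results = {}
    for transport, fn in (("udp", udp_query), ("tcp", tcp_query)):
        try:
            hdr = parse_header(fn(server, qname))
            if not hdr["is_response"]:
                results[transport] = "FAIL not a response"
            else:
                results[transport] = f"ok rcode={hdr['rcode']} ancount={hdr['ancount']}"
        except (OSError, ValueError) as exc:  # timeouts, refused connections, short replies
            results[transport] = f"FAIL {type(exc).__name__}: {exc}"
    return results


def broken_transports(results: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flatten probe() output to the (server, transport) pairs that did not answer."""
    return [
        (server, transport)
        for server, by_transport in results.items()
        for transport, status in by_transport.items()
        if not status.startswith("ok")
    ]


if __name__ == "__main__":
    import sys
    # Usage: python dns_probe.py <domain> <nameserver-ip> [<nameserver-ip> ...]
    # Defaults are placeholders: example.net and an RFC 5737 documentation address.
    qname = sys.argv[1] if len(sys.argv) > 1 else "example.net"
    servers = sys.argv[2:] or ["192.0.2.1"]
    results = {s: probe(s, qname) for s in servers}
    for server, by_transport in results.items():
        print(server, by_transport)
    for server, transport in broken_transports(results):
        print(f"{server}: {transport} did not answer")
```

Feed it the A and AAAA addresses of the domain's NS hosts (the same addresses a tool like dnsviz lists); a row that is `ok` for UDP but `FAIL` for TCP reproduces the "doesn't support TCP" finding, and an IPv6 address failing both is the case where a strict resolver gives up while a lenient one quietly falls back to the working IPv4 server.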

------
justinzollars
Is there any easy way to change/update the DNS lookup server? I do not trust
Cloudflare or Google or anyone for that matter.

------
LinuxBender
Have Mozilla figured out how they are going to handle corp users enabling this
and not breaking corporate DNS?

~~~
supakeen
It's likely that the assumption is that in 'enterprise' or large organizations
software installation and configuration is managed or that they fall back if
they can't (but as the blog post says; DNS over HTTPS is hard to block).

~~~
LinuxBender
I've not seen many orgs manage FF settings. Typically AD policies apply to
MSIE/Edge. Has this changed?

~~~
Arelius
As a single data point, my current and quite large company manages firefox
settings. I discovered this when they turned off the search in address bar
feature...

~~~
reitanqild
If anyone wonders why anyone would do that it might be because the
autocomplete in search bar leaks metadata not only about what you search but
also about what sites you visit.

------
zaarn
That title is a hell of a lot misleading considering this is for an early A/B
test and there are no plans to enable this for all users.

------
_4xjr
Cloudflare's 1.1.1.1 DNS already censors torrent/piracy focused domains, for
example rarbg and thepiratebay.

On the other hand, they resolve websites which are considered illegal in my
country, which would normally be censored by my ISP (e.g. not approved betting
websites).

~~~
eastdakota
This is absolutely false.

~~~
_4xjr
I state my results for when I tested your DNS (related [1])

[1]
[https://www.reddit.com/r/Piracy/comments/8aa0ba/cloudflare_d...](https://www.reddit.com/r/Piracy/comments/8aa0ba/cloudflare_dns_blocking_scihub/)

------
RcouF1uZ4gsC
The big issue with Mozilla, is that they are dependent on outside revenue
(which for the most part ultimately comes from advertising). A big chunk of
their revenue comes from Google. If CloudFlare were to offer Mozilla a lot of
money to use CloudFlare DNS, they would likely do it.

~~~
reitanqild
> The big issue with Mozilla, is that they are dependent on outside revenue

While this is technically true it is kind of misleading to single Mozilla out
as depending on a certain large sponsor given who owns Chrome (and who owns
Edge, IE and possibly less problematic, Safari).

