
Firefox: Leave My DNS Alone - marichards
https://markalanrichards.com/2019/09/14/firefox-leave-my-dns-alone.html
======
captn3m0
Mozilla jumped the gun on this, all they really needed to do was announce
their DoH application program _before_ they started turning it on by default.

As it stands, Mozilla has a Trusted Recursive Resolver Policy[0], which
CloudFlare abides by, but lots of other resolvers (such as Quad9) are not
allowed to be added to the FF config.

I'd reached out to Mozilla months back asking for the application process
(when they announced the TRR policy). I've been running a DoH resolver from
within Indian jurisdiction (for legal research) - but without Mozilla having a
process - it is just me using it.

[0]: [https://wiki.mozilla.org/Security/DOH-resolver-policy](https://wiki.mozilla.org/Security/DOH-resolver-policy)

[1]: [https://captnemo.in/doh/](https://captnemo.in/doh/)

------
throw0101a
Paul Vixie just gave a talk at vBSDCon about DNS-over-HTTPS where he
outlines some of the problems he sees with it. Hopefully the video will be up
shortly, but in the meantime some slides:

* [https://twitter.com/DLangille/status/1169962162854514688](https://twitter.com/DLangille/status/1169962162854514688)

------
rocqua
Agreed. Mostly regarding the part that DNS should be solved at the OS level.
Encrypted DNS is a good idea, HTTPS seems like a questionable encryption
layer, but it will serve. However, apps should not take DNS into their own
hands.

DNS is part of a system's configuration. By setting it, you choose, and can
change, your view of the internet. If all of a sudden that view becomes
inconsistent across apps, that is confusing. Moreover, if an application gives
an unexpected view of the world (e.g. missing local domains, local redirects,
or local blocks) that can have a negative impact.

If we screw this up in our haste to secure DNS, we'll be stuck with another
legacy half-solution in our internet infrastructure. This is essentially taking
on global technical debt to get secured DNS requests just a bit faster.

------
Andrew_nenakhov
For us Russians, it's a very welcome feature. Our government illegally does
mass-scale censorship/blocking of websites, making the Internet almost
unusable without a commercial VPN, and it looks like commercial VPN
services will soon be blocked too. This DoH feature might help to combat the
problem without complex measures.

~~~
smitty1e
I, for one, rejoice that the United States government has outsourced the
squashing of unpopular, dissenting opinions to private industry.

Having search engines and social media sites implement our censorship affords
American citizens more room to do victory laps about our Constitution.

------
throw0101a
It would be nice if Firefox also had DNS-over-TLS support.

I'm not against encrypted DNS, and can see where DoH can be handy for a lot of
the general public, but as someone in IT, having to jump through hoops to keep
our internal split-horizon DNS working is annoying.

~~~
marichards
I don't have a problem with DNS-over-TLS; I don't know enough about it... but
I'm afraid I want DNS from Firefox's perspective to be plaintext, transparent
and easy for me to check and even change. Like the filesystem is.

Not just for me: easy for Privacy International to audit when verifying apps'
tracking, easy for OpSec on my work laptop and easy for my firewall tooling to
intercept and manage.

I want the OS's network stack to transparently proxy that plaintext request to
an encrypted one: which may well be DoH or DNS over TLS, just like filesystem
drivers proxy plaintext file requests over encrypted hard disks.

Whether this is by a plaintext request over loopback, using the existing
plaintext DNS protocol or a more efficient OS API, I'll happily leave
evolution to resolve: but for now the plaintext protocol might be the fastest
thing to proxy.
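The loopback proxy marichards describes above, combined with the split-horizon routing throw0101a wants to keep, as an added example that is not part of the original thread or of any project mentioned in it: a tiny stub resolver on 127.0.0.1 that speaks plain Do53 to applications, sends queries for internal zones to the LAN resolver in the clear, and forwards everything else over DoH (RFC 8484 POST). The DoH URL, the internal zone suffix and the internal resolver address are constructed placeholders.

```python
import socket
import struct
import urllib.request

DOH_URL = "https://doh.example/dns-query"     # placeholder DoH endpoint
INTERNAL_SUFFIXES = ("corp.example.",)        # constructed split-horizon zones
INTERNAL_RESOLVER = ("10.0.0.53", 53)         # placeholder LAN resolver

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a standard A query in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def question_name(msg: bytes) -> str:
    """Read the first question's owner name (uncompressed labels) from a message."""
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += n + 1
    return ".".join(labels) + "."

def is_internal(name: str) -> bool:
    """Split-horizon decision: internal zones must never leave the LAN resolver."""
    return name.lower().endswith(INTERNAL_SUFFIXES)

def forward(query: bytes) -> bytes:
    """Route one plaintext query; the caller never sees how it was transported."""
    if is_internal(question_name(query)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(2)
            s.sendto(query, INTERNAL_RESOLVER)
            return s.recv(4096)
    req = urllib.request.Request(
        DOH_URL, data=query, method="POST",
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return r.read()  # wire-format answer, same transaction ID as the query

def serve(listen=("127.0.0.1", 5353)):
    """Loopback listener: apps and firewall tooling see plain DNS on this socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            data, peer = s.recvfrom(512)
            s.sendto(forward(data), peer)

if __name__ == "__main__":
    serve()
```

Pointing the OS resolver at 127.0.0.1:5353 gives every application the same view of names while still keeping the upstream path encrypted, which is the property the thread argues for.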

