
British ISP Lobbyists Backtrack on Calling Mozilla a Villain for DNS-over-HTTPS - baud147258
https://www.theregister.co.uk/2019/07/10/ispa_clears_mozilla/
======
TheRealPomax
I love how their actual retraction ([https://www.ispa.org.uk/ispa-withdraws-mozilla-internet-villain-nomination-and-category/](https://www.ispa.org.uk/ispa-withdraws-mozilla-internet-villain-nomination-and-category/)) includes a list of what "Any implementation of DoH [...] should be capable of achieving [in terms of] the expected privacy and security benefits" and then basically just lists everything Mozilla already champions.

It just makes the whole thing even more sad.

------
Townley
A few online tutorials mention enabling DoH through about:config but my
Firefox version doesn't have those settings.

This is what I had to do to enable DoH through Firefox preferences:

- Click the hamburger icon
- Go to preferences
- Scroll down to network settings and click settings
- Click "Enable DNS over HTTPS"

(By default, this uses Cloudflare as your DNS server, but that can be further
configured if you want)

~~~
FPGAhacker
Thanks. On my work computer it is under options instead of preferences, but
otherwise the same.

~~~
jraph
I bet your work computer runs Windows then :-)

------
smhenderson
Well I hadn't really thought too much about DoH until now but now I've gone
and enabled it on a few machines.

While I don't love all the snark in the article I'm glad this was brought to
my attention. Hopefully this raises enough awareness that it has the exact
opposite effect of what the ISPA in the UK hoped for.

~~~
pluc
Exactly. If I was them I'd claim that was precisely the objective - any press
is good press. Labeling them a villain temporarily did more for Mozilla/DoH
than labeling them the ultimate good guy would have.

------
codedokode
In case anybody is interested, you can visit
[https://www.cloudflare.com/ssl/encrypted-sni/](https://www.cloudflare.com/ssl/encrypted-sni/) to see whether you have
all features that prevent leaking the domain names that you visit. In Firefox
67 with network.security.esni.enabled set to true, all tests pass.

------
abhink
From ISPA's website, one of the reasons to oppose DoH:

> User choice: An application switching to DoH should ensure that this switch
> does not undermine choices that have been previously made by the user. For
> example, if parents have decided to filter an internet connection in their
> home via network or local level DNS controls, these choices should not
> simply be ignored by the application.

If a parent is capable of filtering out internet traffic at DNS level, then
they should be capable of doing the same on top of DoH.

Then, after some more vague concerns and handwaving, at the very end we have:

> User and access-network-operator support: If DoH doesn’t work or is slow, a
> customer’s internet access will be affected. The customer will contact their
> ISP, not the DoH provider, but the ISP won’t be able to fix things for them.
> As a minimum, any application switching to DoH should ensure that the
> selected resolver should provide a 24/7 user call centre reachable via
> low-cost/local rate telephony and an online support capability. Support for
> fault-diagnosis and resolution between ISP, resolver and users should also
> be provided.

I mean, I get that if a person is unaware of a custom DNS that some
application is using they might fault ISPs for network failures due to DNS
trouble, but this would happen with any DNS irrespective of DoH.

~~~
EGreg
Or, you know, we can all collectively start to move off DNS, the way we did
with IPv4

~~~
asymptotically2
What do you suggest we use to replace DNS?

------
Jazgot
Mozilla's DoH and ESNI are absolute killer features. Now you can visit
thepiratebay.org in the UK without any issues.

~~~
andreareina
network.security.esni.enabled in about:config

Hadn't realized FF had shipped support for it already.

------
practical_lem
To be honest, I think that DNS-over-HTTPS is pretty awkward. (I use
DNS-over-TLS, by the way).

Also, we still have the problem with the unencrypted SNI after the name is
resolved.

~~~
darkhorn
You can enable ESNI from about:config in Firefox.

~~~
practical_lem
That's great news! Thank you.

~~~
codedokode
By the way, you can check your browser here:
[https://www.cloudflare.com/ssl/encrypted-sni/](https://www.cloudflare.com/ssl/encrypted-sni/). My Firefox passes all
tests.

------
lgats
> For example, if you configure your system to use Cloudflare's DoH service
> and visit a Cloudflare-hosted site over HTTPS, such as El Reg, your ISP will
> only see outbound connections to Cloudflare and have no idea what exactly
> you're leafing through: in this case, The Reg.

Doesn't the "HOST" field of the HTTPS negotiation give this data away to the
ISP anyways?

~~~
codedokode
If you use ESNI (which encrypts the SNI field in the SSL handshake) and the
server uses ESNI, and you both use TLS 1.3 (which encrypts the server
certificate), then it is difficult to determine the domain name. The latest
Firefox supports both of these features, as well as DoH.

------
pessimizer
Previous discussion about nomination:
[https://news.ycombinator.com/item?id=20358300](https://news.ycombinator.com/item?id=20358300)

------
everybodyknows
Previous HN on DNS-over-HTTPS in Firefox:

[https://news.ycombinator.com/item?id=20371741](https://news.ycombinator.com/item?id=20371741)

------
msla
Can I use a PiHole or equivalent after turning on DNS-over-HTTPS?

~~~
nodja
No. What you want to do is enable DoH on the pihole itself.

[https://docs.pi-hole.net/guides/dns-over-https/](https://docs.pi-hole.net/guides/dns-over-https/)

This would essentially enable DoH on all the computers that use the pihole as
DNS, assuming you're not worried about people snooping on your own LAN.

~~~
msla
So when Firefox demands DoH for good and all, it won't work with a PiHole
because it will demand to only talk to Cloudflare's DNS and the PiHole won't
be able to MITM it?

~~~
codedokode
You can change URL for DNS resolver in Firefox using 'network.trr.uri' option
or disable it:
[https://wiki.mozilla.org/Trusted_Recursive_Resolver](https://wiki.mozilla.org/Trusted_Recursive_Resolver)

~~~
msla
Which goes away when Mozilla takes that about:config option away.

------
jacknews
Love the labeling. Were they red-haired too?

