Firefox Nightly Secure DNS Experimental Results (nightly.mozilla.org)
41 points by Vinnl on Aug 28, 2018 | 14 comments

It's quite disappointing how much outrage the initial announcement of DoH generated, and then the results are mostly ignored.

I find it quite exciting tbh; the improvements seem to be far on the good side, and it might help mobile users a lot (my mISP interferes with DNS to block VPN and tries to show ads if it fails to resolve an address).

Of course they'll have to work on making sure that privacy is preserved and people outside the US don't have their data shipped off to the US.

I missed the initial announcement, what was all the outrage about?

Mostly that Mozilla was selling out users to Cloudflare and that they would enable the Cloudflare DNS by default for all users on release.

Maybe this is just me, but those performance claims seem a bit dubious. Or rather the visualisation is suspect. While it's clear that DoH performed better in the cases where DNS had a hiccup I can't say with certainty DoH didn't have similar hiccups that were hidden by the way they presented the data.

In fact, assuming there's no deep meaningful dependence between the performance of DoH and DNS requests then ordering by the performance of DNS requests clusters all the bad DNS requests and shuffles the DoH requests randomly. It's therefore not surprising that after averaging you see a spike of bad DNS requests which is absent for the DoH requests (you're essentially looking at the quantile function of the DNS requests minus the average of the DoH requests).

Edit: unless what we're looking at is the difference of both quantile functions, but then the language describing the graph is a bit confusing and just plotting both quantile functions would have saved a lot of confusion.
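To make the ordering argument above concrete, here is an added illustration that is not part of the original thread or of Mozilla's analysis. Two latency streams are drawn from the same constructed distribution (so any visible difference is an artifact), the pairs are sorted by the first stream, and each stream is averaged per bin. The first stream shows a spike in the last bin; the second, being shuffled relative to it, averages out to its overall mean. All numbers are constructed.

```python
import random
import statistics


def simulate_latencies(n=2000, seed=1):
    """Constructed sample: two independent latency streams (ms) drawn from
    the same mixture (95% fast lookups, 5% slow 'hiccups'), standing in for
    the DNS and DoH timings. Same distribution, so no real difference."""
    rng = random.Random(seed)

    def draw():
        return rng.gauss(30, 5) if rng.random() < 0.95 else rng.gauss(400, 50)

    dns = [draw() for _ in range(n)]
    doh = [draw() for _ in range(n)]
    return dns, doh


def binned_means(dns, doh, bins=20):
    """Sort the pairs by the DNS latency, split into equal-size bins and
    average each stream per bin: 'order by DNS, then average'."""
    pairs = sorted(zip(dns, doh), key=lambda p: p[0])
    size = len(pairs) // bins
    rows = []
    for i in range(bins):
        chunk = pairs[i * size:(i + 1) * size]
        rows.append((statistics.mean(p[0] for p in chunk),
                     statistics.mean(p[1] for p in chunk)))
    return rows


def spike_ratio(dns, doh, bins=20):
    """Last-bin mean divided by overall mean, per stream. Near 1 means the
    ordering revealed no spike for that stream; well above 1 means it did."""
    rows = binned_means(dns, doh, bins)
    last_dns, last_doh = rows[-1]
    return last_dns / statistics.mean(dns), last_doh / statistics.mean(doh)


if __name__ == "__main__":
    dns, doh = simulate_latencies()
    for dns_mean, doh_mean in binned_means(dns, doh):
        print(f"sorted-by-DNS bin: DNS {dns_mean:7.1f} ms   DoH {doh_mean:7.1f} ms")
    print("spike ratios (DNS, DoH):", spike_ratio(dns, doh))
```

The DNS column climbs steeply in the last bin because that bin is, by construction of the ordering, where all its hiccups land; the DoH column stays flat even though it has just as many hiccups, which is exactly the artifact the comment describes. Plotting both quantile functions (each stream sorted by itself) removes it.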

I took part in this and noticed no difference compared to traditional DNS in terms of speed.

The more important question is who we trust though. Currently, the DNS information where we go on the web is spread across a number of national internet service providers. In some countries, they feed this info to the NSA. In others, they may not.

This new DNS system makes everybody use a single DNS endpoint, the same one across the world located in the US.

Is this better or worse? Depends on your isp and country.

> This new DNS system makes everybody use a single DNS endpoint, the same one across the world located in the US.

This was only the case in this experiment. From the article:

> We’re also working on privacy preserving ways of dividing the DNS transactions between a set of providers, and/or partnering with servers geographically.

That is still fewer different providers than can currently be used, so it is something that we should be concerned with long-term, but I don't think it makes sense to throw the technology away. Just be concerned that the right kind of providers are used for this.

I figure this is becoming like the CA infrastructure, for better or for worse.

uses anycast so it's effectively being served by any of Cloudflare's points of presence (152 data centers around the world).

I don't think Mozilla will end up forcing a single DNS endpoint, likely, they will have a GUI to configure this.

If I had to guess, they will likely have a heuristic where your local DNS is first checked somewhat regularly for whether it supports DoH; if not, use the one configured in Firefox, if DoH is enabled, that is.

> The experiment generated over a billion DoH transactions and is now closed. You can continue to manually enable DoH on your copy of Firefox Nightly if you like.

> Using HTTPS with a cloud service provider had only a minor performance impact on the majority of non-cached DNS queries as compared to traditional DNS. Most queries were around 6 milliseconds slower, which is an acceptable cost for the benefits of securing the data. However, the slowest DNS transactions performed much better with the new DoH based system than the traditional one – sometimes hundreds of milliseconds better.

As an individual, this is great news for me. But for corporate use, this means having to intercept https unless you can turn DoH off via GPO or something.

These days, credential and PII theft phishing is a huge concern. Without intercepting https, the only way to know if a user went to a phishing site is by logging DNS or relying on SNI (SNI encryption is being developed as well).

I'm sure it'll end up in https://github.com/mozilla/policy-templates/blob/master/READ... if it gets officially added and released.

Though I will say inspecting DNS for phishing protection is like watching your front door to catch a burglar.

Once you know of a phishing attack (or malware activity) you need to check what users fell for it. For prevention, your run of the mill phishing campaign blasts emails at a large number of recipients; you can block domains it uses to prevent infection or visits to malicious URLs.

In essence,defenders need to monitor for and block attacker infrastructure.
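The two checks described in that comment (who fell for a known campaign, and blocking its domains) both reduce to matching names against a list of attacker infrastructure. Here is an added example, not from the thread or any product, that runs that matching over constructed resolver-style DNS log lines and over TLS log lines carrying the ClientHello SNI; the blocklist entries, clients and timestamps are all made up. With DoH in the picture the DNS source goes dark and the SNI source is what remains, so the same logic is applied to both.

```python
import re

# Constructed attacker-infrastructure list (not real indicators; .example is reserved).
BLOCKLIST = {"login-verify.example", "cdn.bad.example"}

# Constructed log lines (not from any real system).
DNS_LOG = """\
2018-08-28T10:01:02Z client=10.0.0.5 query=mail.example.com type=A
2018-08-28T10:01:09Z client=10.0.0.7 query=accounts.login-verify.example type=A
2018-08-28T10:02:44Z client=10.0.0.9 query=www.example.org type=AAAA
"""
TLS_LOG = """\
2018-08-28T10:01:10Z client=10.0.0.7 sni=accounts.login-verify.example
2018-08-28T10:03:15Z client=10.0.0.3 sni=cdn.bad.example
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+)")
TLS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) sni=(?P<name>\S+)")


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is listed, so that
    accounts.login-verify.example matches the entry login-verify.example,
    while notlogin-verify.example (a different registered name) does not."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log, pattern, source):
    """Scan one log with its line pattern; return (source, ts, client, name) hits."""
    hits = []
    for line in log.splitlines():
        m = pattern.match(line)
        if m and is_blocked(m["name"]):
            hits.append((source, m["ts"], m["client"], m["name"]))
    return hits


def triage(dns_log=DNS_LOG, tls_log=TLS_LOG):
    """Merge DNS and SNI hits per client, in time order: the
    'which users fell for it' check from the comment above."""
    hits = find_hits(dns_log, DNS_RE, "dns") + find_hits(tls_log, TLS_RE, "sni")
    by_client = {}
    for source, ts, client, name in sorted(hits, key=lambda h: h[1]):
        by_client.setdefault(client, []).append((ts, source, name))
    return by_client


if __name__ == "__main__":
    for client, events in triage().items():
        for ts, source, name in events:
            print(f"{ts} {client} {source:3} {name}")
```

In the constructed data, 10.0.0.7 shows up twice (its DNS lookup, then the TLS connection a second later) while 10.0.0.3 is seen only via SNI, which is the situation a DoH-using client leaves you in: the SNI hit survives, the DNS hit does not, and once encrypted SNI ships neither will without interception or an endpoint agent.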

To the Mozillians that follow these threads,

Shame on you for making studies like this opt-out. Look, I get that making it opt-in would reduce your sample size but this kind of thing isn't acceptable for a browser that's supposed to respect the user -- you're literally using dark patterns. Expressed consent should be the standard.

You're targeting Nightly users, the very people who know enough to make an informed decision as to whether they want to participate in the study, please just let us make an informed decision. Have a big modal pop-over when the browser starts, explain the experiment and give the user an unbiased choice -- don't select participate by default, don't make the decline button gray and sad, don't shame the user with the decline button text. I would have been excited to participate.

The article specifies that only users on Nightly who opted in previously to Nightly _Experiments_ were targeted, and were in the dataset. The first experiment you join in Firefox usually has several steps of confirmations and opt-ins.
