But this is a win overall for privacy.
DNS is used by ISPs to sell user's data and is one way that oppressive regimes track what their users do.
If you're technical enough to understand DNS then you are smart enough to change what the default is.
If you're a system administrator for a company. You should be able to push a profile down to the user's computer to configure DNS how you want.
Claims like these keep surfacing in every discussion. While it is good to contemplate what your ISP spying on you would look like and what you can do to minimize that risk, it is not good to present this as normal behaviour.
From my perspective I am absolutely certain that this is not something that is routinely done, not in established ISPs in democratic countries. The risks would be far too great for a tiny income. Who would you sell to? The advertising networks have their own data sources, and even the web giants with billions of users and trackers embedded in pretty much every web page you visit can't charge much.
Even if you wanted to do this, DNS would be a low value target considering it is cached at every layer. Data mining sFlow logs, which is something every ISP would use anyway for diagnostic purposes, would give you better view of which kind of services users connect to and for how long.
So please don't normalize something that is at best a niche for bad actors. That can lead to decisions for end users, many of whom would be wiser not sending their data off to a foreign third party.
Personally I have no idea whether or not this is a common practice, though I have to agree with xorcist that it's certainly not a given.
Your ISP may do this, but mine does not, so why should Mozilla get to dictate IT policy of my machine (i.e., ignoring resolve.conf)? Or policy of the company where I help run IT?
It reminds me of this silliness I sometimes hear:
"I need to use NAT with IPv6 to protect my network"
Firefox will allow you to set up a DNS rule locally that forces the client to use local dns, if you need it.
You can also configure a DNS over HTTPs server as your DNS.
If you help run IT and care about security. Then you should be blocking direct access to the internet anyway.
All your traffic should be going through a proxy server.
Also defaults should help those that are in weaker security positions. Just because you're lucky to have a good ISP doesn't mean that other people shouldn't be protected by default.
You're knowledgeable enough to configure your DNS, you just gotta learn something different.
This will just allow all applications and appliances to bypass my privacy measures.
You as the local network operator are their adversary and it’s in Samsung’s every interest to bypass. They want and expect a clean connection to the internet. Giving it anything else is a problem to them.
If you’re installing one of these spyware devices in your network and relying on DNS to keep your information private then that’s on you when it doesn’t work. DoH neither creates nor solves human problems.
at this point i expect to see talk of “the VPN”, a new network for hobbyists and academics, that's kinda like the old internet, and we only use devices that are wrapped in it.
It's mostly useless now with everyone defaulting to HTTPS unless you install a root certificate on all your devices.
With some additional duct tape I made privoxy work on https too. I run an instance for each host, though it could be possible to distribute a personal CA certificate.
After all privacy is the goal, isn't it?
> DNS is used by ISPs to sell user's data and is one way that oppressive regimes track what their users do.
It's not a win for privacy, ISPs will still have that data and now third parties will have that data, state actors will have that data in a nice convenient centralized locations, governments will have an ability to force those centralized providers to do censorship for them. As for oppressive regimes - they don't care about DNS data, if they want to spy on people, they will one way or another.
I live in an increasingly oppressive regime. Most of the blocking is done at DNS level. DoH is a great solution. Slamming DoH because they can anyway spy one way or another is a poor argument.
A better solution would have been for Mozilla to fund development of an enduser friendly DNS proxy application which would enable DoH system wide.
The next best solution would be your suggestion, but that too is not practical unless it comes preinstalled on all OSes because the average user won't even know they need something called a DNS proxy. I don't see OS vendors agreeing to preinstall it. Additionally, AFAIK, popular OSes like Android and iOS prior to some versions don't even allow such system-wide DNS proxy configurations.
The practical approach left then is to implement it in browsers, solving it at least for the most common use case on all devices. Everybody knows how to download and install and use browsers. In a discussion forum I frequent, average users ask for ISP censorship bypass solutions all the time. Since Chrome does not support DoH yet, among all the possible solutions - VPN, Tor, SSHproxy - using another browser is actually the most user-friendly, least expensive, most performant option. It helps that it's Mozilla's product because their trust perception is higher than Google/MS/Apple/VPN providers.
I feel Mozilla's taken a good approach overall within the scope of their area of expertise.
Although I find it suspicious that there is just DNS filtering on your ISPs side and no IP filtering. Is it at the stage where it's not even enforced, semi-voluntary censorship by ISPs? Otherwise once the government starts checking compliance it will force IP-based filtering too, where DNS filtering circumvention is useless. And governments don't care about how broad the filtering is. Russia, for example, blocked half of the internet once in an attempt to censor Telegram.
DoH is a simple solution that works for now.
TorBrowser takes it to the other extreme - it's a good secure solution (I think), but not required as of now, and seen as slow with plugin and other usage restrictions.
VPNs, proxies are not seen as good solutions because people prefer free to paid, and they are not as trusted as CF and Mozilla.
Self-managed VPNs/proxies are not easy for the average person to setup.
I will be pretty pissed if I wake up one day and find that Firefox decided to stop using my DNS server and instead started sending my requests to a third-party.
If you want privacy you better firewall everything your computer want to send to Cloudflare,
Cloudflare claims they "will never sell your data or use it to target ads."
You can read their 126.96.36.199 privacy policies here:
Mozilla is now basically dictating policy to organizations.
Frankly, given how much trouble I've had with systemd's DNS meddling, I look forward to applications taking DNS under their own control.
And how long will it take for most ISPs to block this domain when they realize that their DNS servers are not being used anymore? Some of them sell this data so they see it as a source of revenue.
At this point this canary domain will have the same fate as Do Not Track.
> I look forward to applications taking DNS under their own control.
I am sure I can find a hundred applications/programs resolving domains on my machine. It is unrealistic to configure all of them separately. At this point we are back to the OS providing the configuration for all of them.
I’ll keep my firewall-rules banning all DoH-traffic to Cloudflare, just in case.
It's gonna be difficult to block DoH traffic.
Wait until encrypted SNI gets implemented everywhere was well.
And there's a rather short conf.d stub you can create that disables NM's meddling with resolv.conf.
In an ideal world, your probably want some sort of encrypted connection to your own DNS server (unless your LAN is 100% trusted). Maybe something like HTTPS would work... oh wait.
Most people don't have their own DNS server, so their DNS traffic is already who-knows-what server with who-knows-what monetization in place (plus its in plaintext, so the rest of the internet gets it too).
DNS over HTTPS seems like a net win for both types of users. Power users like you get way to encrypt your DNS traffic, and non-technical users get an encrypted connection to a potentially less-hostile DNS server. It sucks that there is now a second place to configure things, but hopefully seeing this work well will put pressure on the OS to adopt DNS over HTTPS natively, bringing the experiment to its final goal (at least, I assume this is the endgame).
I know perfectly well who operates my DNS server: My ISP. If they are doing shady stuff, I can sue them, raise awareness or switch providers.
I can't do the same with hardwired DoH endpoints.
Yes, getting rid of shitty old standards means we have to live with multiple in parallel for a while and in the mean time bear additional complexity/work. Otherwise civilization will never advance.
Yes, "multiple duplicated implementations" is the natural consequence of badly maintained software. But eventually I'd hope OS maintainers get their act together and implementations will start to converge again.
This may be "fine" for (some) home users, but most organizations have a whole bunch of internal-only records. And even a lot of residences have things like printers and such that live under .local: how is the browser supposed to connect to those?
Who the fsck is Mozilla that they get to dictate policy in my IT organization about how DNS "should" work?
Why do you think that is? I understand that their solution is not perfect (nothing ever starts out that way), but the amount of aggression in your comment suggests that something deeper is going on. Do you feel threatened?
I suspect it's fear of change. As people realize that plain-text DNS is a gaping security hole, they are going to start demanding encryption. This means you, the administrator, will have to learn more skills and do more work to keep things running. Things like `.local:` printers may break, and you may have to upgrade your internal DNS servers to RFC8484 so you can keep your split-horizon stuff working. Security is never free.
Or not. None of this is mandatory, and you can just switch it off (and Mozilla will automatically switch it off if they detect an environment like yours, as it says in TFA). The threat isn't Mozilla "deciding policy" for you (they aren't), the threat is that they are calling the industry out for running old & vulnerable DNS standards, and we all know deep inside that they are right.
Until recently, the general understanding was that each network operator was responsible for the clients inside their network - and therefore also had the ability to set the network's configuration.
In 99.99% of the cases, this included access to nonlocal sites on other, public network's, aka "the web", but this was nowhere technically required. Browsers and other DNS-consuming apps were perfectly capable of working within other networks. What a DNS name resolved to was technically a property of the network.
By now, this model is shifted towards the Web as a platform with browsers and DNS as clear parts of it - a platform that is incidentally pay-to-play and centrally controlled by the US because at the very least you need recurring payments for your domain and you need to give companies and institutions located in the US control over your machine.
This shift has been going on for a long time, but I believe HTTPS-everywhere and DoH have served to make this unignorably obvious because those bring the concept of the web platform into the technology stack itself.
To make the tired old car analogy again: In the vast majority of cases, you will drive your car on the public road network and nowhere else. However your car is technically capable of driving off-road or performing highly questionable maneuvers in your backyard because the car itself doesn't have any concept of "public roads", "private roads" or "non-roads". DoH would be adding a device that turns off the engine as soon as you're not on a public road. What exactly constitutes as a "public road" is determined by the car manufacturer.
I do agree that in the long run it might be better for ensuring that "the web" is the same no matter from where you visit, but I think it's definitely more than a simple technical change.
I also think all the heuristics, opt-outs and special rules for corporate network's don't cut it, because they relegate the current default case to an uncommon special case - and developers have a habit of ignoring uncommon special cases. I wouldn't be surprised if we see a lot of non-browser apps and devices in the future that use DoH by default and that an administrator would have to reconfigure by hand for each single installation - or that are simply hardwired to some set of DoH servers without any way to configure them at all.
The root the problem, I suppose, lies with public-key cryptography. We all know encryption is a good thing (unless you want to broadcast private information to the world), but encryption is useless unless you know who you are talking to. When someone comes to you in a ski mask and says, "It's me, your best friend", you probably want to see their face before you tell them any secrets - they could be anybody.
Online, though, how do we know who anybody is? The current answer, for better or worse, is TLS with pay-to-play domain registration and certificate authorities. Decentralized, peer-to-peer systems like PGP have never been easy for consumers to use. You can "off-road" encrypted DNS by running your own DoH server & installing self-signed certificates on your client devices, but that's not an easy option.
"My LAN is my castle" may work for some cases, but most of us conduct business with people all over the world, thanks to the internet. This is the primary use-case for most networks & computer systems.
I'm afraid individuals will continue losing the power struggle as long as decentralized identity systems remain obscure. We need something that's as easy and compelling to use as our current centralized systems. It needs to be something consumers can use it to secure their every-day communications, as easy as visiting an HTTPS web site or chatting with a friend on Facebook. I just don't know how we get from here to there.
False. Opportunistic encryption is useful even if you don't know the other person's identity. This is because it helps prevent wholesale surveillance and "tapping glass":
For the majority of the website I go to on a casual basis, I don't really care who is behind running them. Certainly I want that for my banks and webmail, but not so much for some random weblog that has an article comparing Rust and C.
I'm all for Let's Encrypt, and pushed for it to be introduced at work (both for internal and external sites), but we could have gotten encryption in more places, a lot sooner if connections over plaint-HTTP (tcp/80) could have been upgraded automatically to encryption:
There would have been no lock icon in web browsers, but it would have scrambled a lot of bits. Yes, MITM would still have been possible, but MITM is a targeted attack that takes way more resources than simply vacuuming up everything that goes across the wire.
The insistence of providing identity, IMHO, delayed the securing (or at least 'confidentializing') of communications by many years. LE/ACME is getting us there, but we could have had a lot more encrypted traffic already but for the desire for the little lock icon.
There is a default setting managed by Mozilla which the vast majority of users are expected to use (currently Cloudflare's resolver). You can choose to disable DoH or set your own resolver - however that has to be done manually for every installation of Firefox.
Mozilla is offering a way for networks to signal "don't use DoH here" as described in this article, but Mozilla is intending this to be used for certain specific scenarios only (parental controls and corporate networks) and reserves the right to ignore the signal if it is misused.
To my knowledge, there is no "DoH" entry in DHCP, where a network could specify a local DoH resolver. All articles I've read about it also very much treat it like an application-level protocol, as opposed to the old mechanism where resolution was done centrally by the OS. If this approach is continued, then every application would have to decide for itself which resolver it uses.
I can see how it would be a drawback if the network administrator had no way to configure the setting for all clients.
The device administrator should be the one making the choice about what resolvers to use.
The status quo implementation has been that the operating system handled DNS, which actually did put the power in the hands of the device administrator: I don't think I have ever seen a device that wasn't clearly owned under some crazy MDM scheme where you couldn't choose your own DNS servers. Sure: recently, it happened to have a default to trust the network... but that was just a convenience, and is a "new phenomenon" brought on by DHCP being widely deployed. All of the software wasn't designed with that as an assumption.
So, if I want DoH, why am I not just setting up a custom resolver on my computer, that all of my apps use, including Firefox? The "power struggle" alluded to up-thread is actually much deeper: it is using network operators as an excuse to take power away from users, by moving what used to be an operating system feature into individual applications in a world where DRM via code signature is being deployed to lock users into curated application domains to prevent them from modifying that software to do what they want.
(That said, I mean... the way Firefox implemented this totally still gives the network administrator control, due to the opt-out provision? So in some sense a lot of this conversation is useless... for now.)
They (possibly) do when they're both under the same Director of IT.
Security is everyone's responsibility in an organization, and the folks in Helpdesk (ideally) want to prevent intrusions just as much as the NetOps folks.
No, the device owner should be the one. Which could the company/organization that bought the device in the first place, in which case that is delegated to the IT team.
And if the IT team does not want DoH, it is the IT team that gets the final word.
Mozilla has been nice enough to give options to disable that, and that can easily be done with GPOs on Windows, but not all the world is Windows, and if you have a large Mac or Linux use base that uses Firefox, how will disabling DoH be automated there?
And just because Mozilla has been nice enough, does not mean that other developers will be.
Tell that to the health and financial regulatory regimes that us some of have to work under to ensure people's privacy is respected. I work in health care, and we have data-at-rest and -in-motion encryption and firewalls and application-level ACLs & permissions all over the place in our internal network.
Not being able to resolve internal-only systems, which have absolutely no need/business being in external DNS, because of a change in behaviour in client software is just dumb.
People complain about the stupidity of (e.g.) power plant controls being directly connected to the Internet, or not being air gapped from the folks in Accounting, but then we seem to have developers writing software that will not work very well in these isolated/island networks.
I'm all for the general end-to-end principal (that IPv6 may help bring back) with protection being done by stateful firewalls, but there are all sorts of use cases for private, isolated networks that are behind NAT/NPT gateways that are given ULA addresses.
> As people realize that plain-text DNS is a gaping security hole, they are going to start demanding encryption.
Then use DNS-over-TLS (DoT). It was an RFC (7858) two years before DoH (8484, 2016 vs 2018).
Why does yet another protocol have to be shoehorned into HTTP(S)?
First, they detect split horizon situations and explain how.
Second, if you as an admin want to force disable DoH across the network, they've provided a DNS-based way to do so.
Third, if this really bothers you, Mozilla provides GPO templates (and JSON based methods for other OSes) to configure all of these settings at an application level.
Maybe focus that outrage energy on reading the article before posting?
It's nice that Mozilla may allow setting other DNS servers for DoH, and perhaps will eventually use OS-level settings, but what happens when some dumb ass developer does not?
Perhaps if they implemented DNS-over-TLS (DoT) instead/as well, then we could have encrypted DNS that is still monitorable.
I'm waiting for the day when malware will start using DoH and use Cloudflare as the DNS server. As someone who works in IT, will I have to block CF to prevent that possibility? How many bots have been taken down over the years because their C&C domains were taken over?
For 99% of the people out there, it is.
Can Mozilla stop interfering with my network and get back to doing useful things with Firefox now?
If Mozilla wants to, they are more than welcome to work on encrypted DNS or VPNs or whatever else, but those should be at the OS level. Disrepecting configured OS settings borders on actively malicious behaviour.
How does Mozilla make Microsoft/Apple/Google implement it?
It doesn't need to, the same way it doesn't need to (nor should it) make Microsoft/Apple/Google ship Firefox as the default browser.
99% of the people out there never connect to wifi in coffeeshops?
I'm not even sure you hit the 99% mark if you measure by time spent connected, though I would love to see some data.
(Disclaimer: I work for Mozilla, but have not really been involved with DoH.)
"When DoH is enabled, users will be notified and given the opportunity to opt out."
Yes there is. If your internal recursive DNS servers return an NXDOMAIN for "use-application-dns.net", then Firefox will stick with gethostbyname(3) (or whatever). See:
If you’re using NLnet’s unbound(8) as a recursive DNS server, it’s possible to use the “local-zone” directive to force an NXDOMAIN:
For ISC’s BIND, the response policy zone (RPZ) mechanism does something similar on BIND 9.8+ (it’s more flexible, so more complicated to configure):
I hope so if OS continues to use plaintext (none secure) DNS queries.
However, other DNS providers are available. For instance Google and Quad 9  both provide free DNS over HTTPS services.
Using Google is giving your browsing history to an Ad company, why? At least Quad9 is non-profit. It also provides DNS over TLS, DoT service, which I'm using.
Quad9 is a conglomorate of "Threat Intelligence Partners" and three founding organizations: IBM, Packet Clearing House and Global Cyber Alliance https://www.quad9.net/about/ . What's that third one? I don't know, but it's founded by The City of London Police, NY District Attorney and the Center for Internet Security https://www.globalcyberalliance.org/who-we-are/ that third one is like a hundred "Partners", with such privacy champions as The US Secret Service. Over 100 organizations. What are their incentives? What role do all these organization play and how much access do they have? Who knows.
Compare their privacy policies. They're strikingly similar because Quad9 largely lifted theirs from Google's (I'm assuming, since theirs came later)
Google's policy states they collect private information for 24-48 hours, keep "anonymized" information for 2 weeks and then randomly samples that data for permanent storage:
> Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.
> We delete these temporary logs within 24 to 48 hours.
> In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.
Quad9 collects effectively the same information (except AS) as Google's 2 week logs and says
> All the above data may be kept in full or partial form in permanent archives.
If you want a game theoretic, capitalist analysis, Google has an incentive to keep the web running and keeping it an awesome platform, to make sure humanity's information is created and shared in an open format that they know how to index and that they can freely index, instead of apps or some alternative web or some other walled garden.
But we're bombarded daily with "goog bad" by politicians and journalists, so Google must obviously be just brazenly lying and you should give your DNS history to an organization founded by The City of London Police instead that "share anonymized data on specific domains queried [...] with its threat intelligence partners".
Please double check my work, I didn't read the privacy policies too carefully (I think notably Google stores the AS number and Quad9 doesn't) because I don't actually care, I (along with roughly 100% of internet users) just give all my DNS history in plain text to my ISP.
And I wouldn't spend much time analysing policies, they are all "we pinky swear". Its is there a business incentive in using my data or not.
Anything else like a "VPN" (which is really just a proxy under a cooler name) is somewhere between a half measure, a snake oil hobby or self-sabotage (if you picked the wrong VPN).
You don't trust a large multi national that works on encryption and tries to deny frivolous law enforcement requests when it outright says it samples a small amount of "anonymized" data and doesn't correlate it with anything else it has on you or sell it
>> Is any of the information collected stored with my Google account?
>> Does Google share the information it collects from the Google Public DNS service with anyone outside Google?
>> Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?
yet trust some small, anonymous group of people that set up a proxy that's netting them like $5/month of revenue per user in a highly competitive market?
> [policies] are all "we pinky swear"
Are they not legally binding? But yea, like I said, obviously they're just brazenly lying because of course they are. "goog bad" has been established. I'm not sure how or where... but everyone knows that.
Better be safe and give your data to an organization that lists the US Secret Service as a "Partner".
So it’s clearly an upgrade for Google.
So, given the talk, is the industry finally realizing what Mozilla, Cloudflare and Google are trying to pull off with DoH? I guess this is why the change of hearts from them and letting people block DoH within entire networks, hoping not to attract attention of how much control they want to take away.
If, like me, you already have a solution in place you are happy with and don't like the idea of others (deciding they know what's best for you and) circumventing it, simply ensure that your existing resolvers are configured as described in :
> Network administrators may configure their networks as follows to signal that their local DNS resolver implemented special features that make the network unsuitable for DoH:
> DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver.
Anyone have any idea if this is the case?
That would at least save me a lot of trouble and work.
But for a browser, an ad-blocking extension works better and is less than a minute to set up. Why force it to use the same DNS blocking?
But didn't iOS get browser adblocking capability in the last couple years?
Pi-hole is awesome.
It's nice that Firefox (currently) still offers options to turn off DoH and to keep using local domains. (although the way DoH and HTTPS-everywhere are structured show that non-internet sites don't seem to have much of a place in the web of the future)
However, now that we have public DoH endpoints available for everyone to query, what will keep non-browser apps and devices from using DoH without any way to opt-out?
Currently, tracking DNS requests seems to be a common way for security and privacy researchers to get some basic information what an app or device is doing on the internet. If DoH is widely deployed, all you'll probably be seeing is encrypted connections to IPs of shared hosters.
This seems like a perfect opportunity for apps and devices to cloak data tracking and other illegitimate requests.
There are ways to make FW rules based on trusted DNS lookups (i.e. you can only do traditional DNS to a trusted DNS server with domain filtering and you can only connect to an IP if a DNS lookup has been performed) but this is extremely hard to maintain in any sort of foolproof way.
The truth is if you allow outbound connectivity then there all the sender needs to do is add 1 more level of obfuscation than you secure against.
Is there anything in DoH mitigating this? Or maybe is this attack vector negligible in practice because most servers typically host multiple websites? At least this adds plausible deniability in a wide range of situations I guess. But is it really true? And for example, would it really help in a country where a website like Facebook is censored? (Since their IP addresses are dedicated).
But this 1) adds a technical hurdle, 2) reduces accuracy of the data captured, and 3) adds a potential legal barrier, as the data is not theirs anymore
(before ISPs could claim that the use of their DNS gave them right to use the data collected)
ESNI can solve this, by encrypting the SNI header while still allowing serving multiple https domains on one IP. But it’s currently mainly implemented by cloudflare.
The benefit they do provide is authentication (ensure that google.com is really google.com) and protection against man-in-middle.
And those are great benefits!!
But it doesn't help anyone to misstate and/oversell the benefits of a new service/protocol.
Yes, but your ISP (including "that coffee shop whose wifi you're using" in ISP here) can't necessarily tell which hostnames you are resolving, if you use DoH (subject to some limitations about what happens after you've resolved the hostname). This is in fact a privacy feature
This is why ESNI is being rolled out, yes?
I'm looking at what my Windows DNS servers return when I put in an empty zone for "use-application-dns.net" and I'd like to see exactly what Firefox is testing for. Windows 2012 R2, at least, returns the SOA and no NXDOMAIN for an "A" query to "use-application-dns.net" with an empty zone. If they're explicitly looking for NXDOMAIN then blocking DOH behavior with Windows DNS servers probably isn't going to work. >sigh<
And to save users even more time, not having to configure this per machine, we could have such assignment be an automatic part of the network infrastructure...
We could call it DHCP and DNS! How about it?
1. Almost nobody --- major tech companies, banks, privacy and security organizations --- uses it. It's decades old, and its adoption, at least in North America and in industry, is zero. There are lots of reasons, but you don't have to care right now.
2. Since almost nothing uses it, there's no real upside to enabling it. But there is a downside! If DNSSEC is misconfigured --- which is easy to do, and it won't get noticed quickly (see: point 1) --- then sites in the DNSSEC-signed zone silently drop off the Internet, as if they never existed. That happened, for instance, to HBO when they launched HBO NOW: nobody on Comcast could see it, because it turned out they'd screwed up DNSSEC, and Comcast had DNSSEC-verifying resolvers.
It's scary that Moz sides with monopolies like Google and Cloudflare on this one.
Not reimplemented (and configured) per application. The user and OS should control the application, not the other way around.
There is a proposal to improve this. Resolves won't know client IPs any more: https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/AN...
Reference client and server implementations should be ready in the next few days.
But a lot of people use DNS over Tor already. For people concerned about privacy, a bit of extra latency is totally acceptable.
Anonymized DNSCrypt is lighter than Tor, has a very clear security model, and relays are less vulnerable to abuse than Tor exit nodes.
The server/relay part is going to be implemented in https://github.com/jedisct1/rust-dnscrypt-server
DNS queries and responses are wrapped, they are never modified. EDNS padding is a horrible hack.
This way, no privacy problems, you're directly contacting authoritarive servers. And you don't rely on a single dns-over-https provider.
Is the latency a big problem there? I would say that with caching it is not too bad.
2. There's plenty of networks that don't let arbitrary DNS traffic out, so this doesn't work without another fallbacks. Fallbacks for security features are bad.
I see that there are legit controversies around DoH. But these "Why don't you just do X?" comments aren't helpful. Try to understand the problem they're trying to resolve.
re: network policy - If you're paying to use a network with policy that you disagree with vote w/ your wallet. If you're using somebody else's network (i.e. a corporate network I'm paid to administer, for example) it's reasonable to accept that you're bound by the owner's policy-- it's their network.
Besides, the number of domains and relatively short TTLs mean that even the big resolvers will not have most requests cached except for the most popular domains.
Using a pi-hole or equivalent, or using this ?
IIRC all DoH requests are sent to Cloudflare. Is there a way to host your own DNS server and use it with DoH instead ?
local-zone: "use-application-dns.net" static
(Though DoH is not an "integration" in that sense.)
I guess a more long term solution is to have a local proxy dns-to-doh, but we are falling back in the solution that only a technical user can setup :
And it means setting up firewall routing and filters, as some softwares don't have settings to add DNS proxy, or even bypass them (Google Chrome for example)
I hope we'll be given the opportunity to disable this, or at the very least show a warning (similar to cert warnings?) that something's off.
They test various network conditions with some results showing DoH and DoT loading webpages faster than udp dns (due to tcp timing out faster than udp on lossy connections )
Of course things will break down if a router is ever configured to use a different IP - but then again, the public DNS with local IP might trigger Firefox' heuristics and cause it to fall back to traditional DNS - so thinks may still work.
But the whole concept of using an on-device web page as config UI seems to become problematic, thanks to HTTPS-everywhere, as there appears to be no way to serve HTTPS from a local, unsupervised device that is frictionless and does not open a security vulnerability.
Maybe you can configure this?
Or perhaps use their canary domain to force Firefox to use local DNS?
Or just configure it yourself?
It's not security if an application can still access the internet.
Why not block all internet access except via a proxy server? Which is what a "real" enterprise would do because they can block what they want and have a secure network.
I use DoH on Firefox and love it but man, I myself would block Firefox in a corporate network I help oversee if this is the default. Matter of fact, web proxies already list DoH resolvers as anonymizing sites.
Even if this involves some profit with cloudflare,this is strategically terrible for long term goals.
TSPs can easily map your usage behaviour to your identity while 3rd party DNS provider will have your behaviour alone. Albeit, TSP will still have IPs you've accessed for data transfer.
TSPs that honour their customers' privacy will allow 3rd party DoH/DoT, esp DoT(ie port:853).
TSP: Telecom service provider