Turn off DoH, Firefox (ungleich.ch)
408 points by telmich 9 days ago | 411 comments

This is painful to read. Masses of unfounded FUD - the article deliberately buries that it's trivial to change your DoH provider if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

If instead what you worry about is the government spying on your traffic then complaining about DoH is even more silly - DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

DoH is vital to protect users around the world from censorship and worse. Enabling it by default is a good thing - protecting users from abuse shouldn't only be opt-in. There has to be SOME default chosen, and the default needs to be a site large and well run enough to a) handle the load, and b) be in the firefox HSTS preload list. There aren't a lot of good DoH providers that fit these criteria - CF is one of the few.


There's nothing that makes Cloudflare the more "privacy friendly" 3rd party. "Privacy friendly" would be a mechanism by which my desire to communicate with "example.com" involved my computer and the computer at example.com with no third party in between.

As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent which means my traffic data is now spread around one more company - that seems like less privacy.

And I am not looking forward to finding out the fun ways in which this will break our local DNS.

The idea that Cloudflare is in any way more trustworthy than my local ISP is at best naïve. All this creates is another huge centralized pool of data with no oversight whatsoever except the promise of some company that is currently growing fast, that they will not do anything with that data. Come the times when money becomes tight again, we'll see how well that promise holds up.

Sure, encrypting DNS is a good thing. But this is just like trying to make email more secure by using a 3rd party encryption gateway - all it does is moving around who to trust.

That's not privacy - that's just silly


>As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent

According to their blog post discussing the matter, they fully intend to inform the user of the change and give them the opportunity to opt out.

>When DoH is enabled, users will be notified and given the opportunity to opt out

https://blog.mozilla.org/futurereleases/2019/09/06/whats-nex...


> that seems like less privacy.

Seems obvious, but is wrong. If there is a really obvious obstacle to anything, which immediately comes to mind, chances are people addressed this already.

In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https


Before, my ISP could gather the domains I visit by DNS. Now, they can still gather them from the IP addresses and SNI, and Cloudflare can gather them from DNS. I'm really struggling to see how this isn't a reduction in privacy.

> Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

What happens if they get a FISA warrant? How does your contract protect users that before didn't have their DNS queries sent to US companies?


Which is why SNI encryption is an important next step.

SNI encryption is only useful if the website you're visiting shares the IP with lots of other websites. E.g, they're sitting behind cloudflare.

When you visit any of my websites, which are not on shared IPs, then not only will you continue to inform your ISP that you're doing so (regardless of the existence of ESNI), but you will additionally be informing cloudflare too.

What's your solution? That I centralise all my websites behind Cloudflare? In the name of privacy? Laughable.


Your ISP can gather them with much, much more effort. There is privacy value in making things harder. The only motivation your ISP has for logging this is making money; if getting the information is too tedious and expensive why would they bother?

> and Cloudflare can gather them from DNS

but is contractually forbidden from saving that information.

> What happens if they get a FISA warrant?

They have to follow the law? Wrong threat model.


> Wrong threat model.

You are not permitted to hand-wave corrupt government interception or rubberhosing of civilian data as "wrong threat model." These technologies are central to, and must be focused specifically on, protecting all civilian data from all governments. That is the primary purpose of all privacy systems. Not to protect you from coffee-shop denizens trying to snoop which dating sites you use.


Your ISP is subject to the same FISA warrant threat.

If it's one of the large monopoly providers, it's as much a one-stop-shop as Cloudfront is.


Not outside the US. Now unless Mozilla decides to pick a different DoH party for deployment in EU, the problem will come back.

Fair point. I'd meant to add "inside the US". The warrant hypo strongly implies this, though as you note, needn't necessarily.

Though outside the US, the NSA doesn't require a FISA warrant to intercept data, nor does it face any US legal restrictions on doing so.


The internet is as much of a monopoly outside of the US, for example Tiscali in Europe. We have the same kangaroo courts when it comes to getting warrants to invade people's privacy.

At least from a general perspective I don't see a big difference.


But it's not one or the other; an EU court will make a warrant for the ISP traffic data, and an US court for the DNS requests. You become vulnerable to both.

1.1.1.1 operates on edges of CloudFlare CDN - EU users will be handled by EU DNS server. And there’s no logging.

Cloudflare is still a US company. Do you have any FISA jurisprudence showing that simply running the server on another country makes it immune to warrants?

> And there’s no logging.

Until the courts say there must be.


> The only motivation your ISP has for logging this is making money; if getting the information is too tedious and expensive why would they bother?

I used to work at an ISP.

We configured (wrote policy language for) our DPI platforms to do header inspection of all HTTPS traffic to measure customer experience to different websites, to improve the customer experience.

The raw data was (theoretically) accessible to ~4 people and deleted as soon as ETL had succeeded, and the anonymised results (aggregated only by region, product etc.) were available to the operations team (another ~8) and product management (~4).

This complies with our country's personal information regulations.

Mozilla proponents seem to be quite anti-ISP.

Why is that?

>> What happens if they get a FISA warrant?

> They have to follow the law? Wrong threat model.

If this happens for non-US citizens, this is violation of privacy laws of the affected user.

If this is rolled out, I will either ensure my distro switches this off by default, or have to consider changing browsers (away from Firefox).


Even if this infrastructure was run by Mozilla itself, and they really really promised me that they would not do anything with the data - that's all I would have - a promise (which is also how Cloudflare words it btw [0]). Which in the asymmetric situation that puts me in, is not worth all too much to me, because I will never be able to verify it.

The data would still end up at yet one more company, compared to the status quo.

Trust works if I know the people involved - but I don't know a single individual at Mozilla (or Cloudflare for that matter). That Mozilla trusts Cloudflare is besides the point if I don't really know who they are.

The entity I am actually trying to trust is example.com - all this shuffling around trust in increasing layers of complexity is missing the point of the actual problem: Bootstrapping a connection to example.com without revealing to a 3rd party that that is what one is trying to do.

[0] https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...


> To mitigate this risk, our partners are contractually bound to adhere to this policy.

You seem to think that:

1) No company in the history of the world has ever violated a contract?

2) No government has ever forced a company to give up information that it is contractually obliged not to give up

3) No hacker has ever hacked into a company's systems and exfiltrated data the company was contractually obliged not to share

You seem to think that if a contract has been concluded, it is impossible for it to be violated.

Then there are also the problems of making all Firefox browsers depend on the availability of CloudFlare.


Ceteris paribus, not having the data is strictly, mathematically more private and secure than having the data but being contractually obliged not to distribute it around. Contracts change, laws change, accidental leaks and targeted attacks happen, there's FISA, and there's a non-zero probability that Cloudflare suddenly decides that half of Europe is Nazis and don't deserve their contractual protections anymore (I'm sorry, but Cloudflare walked into that one themselves).

It's as simple as this. Now I do prefer a society of trust over excessive technological means, but let's not pretend like sending data to an additional third party is somehow more or even just as private as not sending it in the first place.


You are not considering that IP addresses are dynamic. Only your provider can associate your IP address with you, and thus associate the DNS requests that you make with your identity. Cloudflare can't, because today you have one IP, tomorrow you can have another. And this without talking about providers that put you inside a NAT, like it's common with mobile connections, where thousands of different customers share the same IP address, and thus only the provider can really log your DNS traffic.

So if Cloudflare maintains a log of your requests who cares, that log is useless since they can't identify you as soon as you change your IP address. While using standard DNS the provider can identify you and can log all your DNS requests, even if you don't use the default ISP DNS servers, since they can simply intercept and decode all the traffic on the DNS port. And not only your provider, everyone in the path between your PC and the DNS server, even at LAN level, for example in public WiFi networks like in airports, schools, companies, the administrators can log all your DNS traffic, and put filters on it.


In the US, it's been my experience that cable IP addresses rarely change.

> As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent which means my traffic data is now spread around one more company

> Sure, encrypting DNS is a good thing. But this is just like trying to make email more secure by using a 3rd party encryption gateway - all it does is moving around who to trust.

Make up your mind are you worried about the number of people that can see your dns or not?


Don't oversimplify the issue.

> it's trivial to change your DoH provider

Cloudflare is the default.

Cloudflare is the only provider listed.

Cloudflare will be On by default, so it will be that for 99.999% of Firefox users.

That ain't right no matter how well intended it is.


And for regular DNS, their ISP/employer/school will be the service provider for 99.9999% of users. Regular DNS is not exactly easy to find (on Windows, it's under Settings -> Network -> Change Adapter Options -> Adapter Name -> IPv4 -> Properties), which is arguably as hard as going to about:config. And there is no menu of providers listed--nor does it explain who would choose the "automatic" DNS server options (the one that uses DHCP).

So the status quo is no better than this, and at least this is encrypted and protected by a privacy guarantee.

Now I agree that ideally a user-visible preference should be created for the DoH resolver, but I don't think that's a blocking issue. Just like the accounts features uses a mozilla server, and chrome uses google accounts, and both use google safe browsing lists, browsers have always made the decision to hardcode various external service providers.


> So the status quo is no better than this

You're completely missing the point. Users have many different ISPs, and them knowing DNS queries is not a problem because it's the ISP anyway. Now a browser wants to change that behavior, and send ALL queries to one American company.


Indeed, I think that in this case, on the whole, more privacy is achieved by decentralization rather than by encryption...

So the solution could be to make it so that there are many DoH providers and a browser would choose one of them randomly (or by user's choice).

Or -- much better -- use DoT instead of DoH so port 443 isn't getting misused for DNS.

While that's an unpopular opinion I tend to agree, I'm still on the fence if that's really bad or if I'm just grumpy about change though. It really feels like instead of fixing the underlying problems we're duct taping the internet by moving HTTPS to OSI layer 4 and making TCP and the concept of ports obsolete for a majority of use cases - which in many cases implies a loss of control. I'm honestly not sure why our sector pushes HTTPS solutions over plain TLS, is it just because it blends in with web traffic and it's easier to grasp because more people are familiar with the basic concepts?

Of course there's arguments for and against these aspects in the case of name resolution, both technical and on a legislative level, but maybe a net win in terms of privacy protection for the majority of users is still worth it. And should Cloudflare or whoever decide to misbehave with the data we send, it'll at least be easy to switch to other providers when DoH is widely adopted.
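Added example (not from any commenter in this thread, and not Mozilla's or Cloudflare's code) for the DoH-versus-DoT discussion above: what "DNS over port 443" actually looks like on the wire. The DNS message itself is the ordinary RFC 1035 binary format; DoH (RFC 8484) only wraps that message in an HTTPS request, either base64url in a GET parameter or raw in a POST body, so the TLS session to port 443 is what hides it from a port-based filter. Nothing here touches the network: the resolver host name `doh.example` is a placeholder and the answer is constructed locally with a documentation address.

```python
import base64
import struct

# Added illustration of the DoH wire format (RFC 8484). The DNS message is plain
# RFC 1035 binary; DoH only wraps it in an HTTPS request. No network access: the
# "response" below is constructed locally.

def build_dns_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query. RFC 8484 recommends txid 0 so that
    identical DoH queries produce identical bytes and can be HTTP-cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # qclass IN

def doh_get_path(query):
    """GET form: the message goes base64url-encoded (no padding) in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + b64

def doh_post_request(query, host="doh.example"):  # placeholder resolver host name
    """POST form: the raw message is the body. This HTTP text travels inside the
    TLS connection to port 443, so an on-path observer sees none of it."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # a compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(response):
    """Collect IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                  # skip the echoed question entries
        off = _skip_name(response, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def constructed_response(query, ipv4):
    """Constructed resolver answer for testing: echoes the question and adds one A
    record whose owner name is a compression pointer to the question name (offset 12)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(x) for x in ipv4.split(".")))
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_path(q))
    print(doh_post_request(q).split(b"\r\n\r\n")[0].decode())
    print(parse_a_records(constructed_response(q, "192.0.2.1")))  # constructed TEST-NET address
```

The GET path for `example.com` matches the pattern of the `www.example.com` example in RFC 8484 section 4.1.1; a DoT client would send the very same `build_dns_query` bytes, just length-prefixed inside a TLS session to port 853, which is why DoT is easy to block by port and DoH is not.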


You're right of course, but HTTP(S) only 'won' because of the web.

> Or -- much better -- use DoT instead of DoH so port 443 isn't getting misused for DNS.

DNS over TLS has other issues. There's a nice comparison here: https://dnscrypt.info/faq/ I have been using a local resolver on 53, that forwards all requests from my LAN into DNSCrypt (and sends that over a VPN tunnel). That way I maintain privacy, and decentralization as well as being able to simply use the DNS resolver built into my OS.

I have to wonder though with HTTP/3 https://en.wikipedia.org/wiki/HTTP/3 being QUIC based, will we see DNS over QUIC? https://en.wikipedia.org/wiki/QUIC

Seems like Firefox doesn't even support QUIC at the moment. https://bugzilla.mozilla.org/show_bug.cgi?id=1158011


The IETF QUIC isn't finished. Periodically the Working Group thinks it has stopped fiddling with the low-level bit layout and is ready to focus on polish, then somebody finds a show stopper that means revisiting the low-level bits. Maybe 2020? They missed all their advisory target dates (July 2019) for actually writing documents, and that isn't the end by any means for a protocol like this.

So Firefox could at most support either Google QUIC (internal prototype, now obsolete, who cares?) or a random draft that may end up not resembling the final product. If they haven't decided to do either it doesn't seem like a big deal.


> The IETF QUIC isn't finished. Periodically the Working Group thinks it has stopped fiddling with the low-level bit layout and is ready to focus on polish, then somebody finds a show stopper that means revisiting the low-level bits. Maybe 2020?

Ah yes you're right. Also Mozilla (M. Thomson, Ed) is on the author list there so I expect they will support it when it is finalized.

https://datatracker.ietf.org/doc/draft-ietf-quic-transport/

Hopefully then they also support DNS over QUIC, I expect they probably will once QUIC is finalized. I think DoH is just a stop-gap measure to be honest.

https://datatracker.ietf.org/doc/draft-huitema-quic-dnsoquic...


Then it would be easier for an ISP to block encrypted DNS (by port number). It is better to masquerade everything as normal HTTPS to make blocking more difficult.

> Then it would be easier for an ISP to block encrypted DNS (by port number). It is better to masquerade everything as normal HTTPS to make blocking more difficult.

For most people, if you can't trust your ISP, you have bigger problems.

For people who can trust their ISP, why should we all by default be affected by the fact that the Mozilla developers seem to all live in a non-free or non-democratic country.

Maybe they should instead focus on fixing the US political system that results in their current situation, rather than trying to use technical means to solve political problems.


What if you can trust your ISP most of the times but not during a specific time? For example, when there are civilian protests/acts which the current government doesn't like?

I have a very specific case for this: in the days before and during the referendum for the Catalonia independence (Oct 1st 2017), all the Spanish ISPs were blocking access to the websites related with the referendum, using DPI to look for the SNI hostname. One of the main reasons to enable DoH in FF is to enable the encrypted SNI feature https://miketabor.com/enable-dns-over-https-and-encrypted-sn...


That would break the internet for many innocent souls behind firewalls.

Tor has some nice papers about what happens if you try that: the NSA and KGB each run a server and content themselves with getting a sample of the population.

> the NSA and KGB each run a server and content themselves with getting a sample

Which is already a lot better than getting 100% from simply spying on CloudFlare or serving them with "National Security Letters".


The other viable DoH provider is Google. Others' timeouts are simply not worth the request, in my experience. How does one choose from these two?

No, the other viable option is not enabling DoH by default.

And that should surely be the default. What's Mozilla's intent to send DNS queries to Cloudflare by default, and require regular DNS resolution to be configured manually?

Yes, that's exactly their plan at the moment. Hence the whole brouhaha.

privacy-wise, plaintext is the worst option possible.

I disagree, at least in my situation.

My DNS requests traverse my ISP's network to my ISP's DNS server (or my employer's ISP's DNS server if I'm at work).

I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.

If my DNS requests are sent to CloudFlare or Google instead, my DNS requests are under American jurisdiction, where I have no rights and both American businesses and the American government can do whatever they please with no real recourse.


So it depends on the country. In my country (Russia) all Internet traffic is being recorded by the ISP for the last month and sites are blocked on political reasons. For me having DoH with Cloudflare is better.

Ditto in Australia

The reason why browsers are moving to features like DoH and eSNI as defaults is because it's every type of nation that is now instituting pervasive surveillance against its citizens

You also can't trust laws since ISPs can be hacked or infiltrated from the inside

In terms of personal protection encryption trumps law


> You also can't trust laws since ISPs can be hacked or infiltrated from the inside

Cloudflare isn't magically free from the same threats.


> I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.

There's very few countries with such strong privacy protections, even in the Western world.


From what I can tell, all countries covered by the GDPR heavily limit what an ISP can do with DNS queries. That covers 515M people, which is more than the populations of three mentioned countries (US, Russia and Australia) put together.

> which is more than the populations of three mentioned countries (US, Russia and Australia) put together.

Not sure it matters, but only by a small margin is that true. 500M vs 515M.


A lot of these countries currently have laws to record years of DNS logs for future analysis by the police. Due to the abuse these countries have done in the past about it, I do not want any record personally.

That’s a very good point. In fact all of them do, because the same EU that mandates GDPR also mandates data retention, which only differs in details in member states.

That's a very good point.

I'm not familiar with DoH. Would it allow CloudFlare to match domain names to IP addresses still? If so, then I don't see how it adds any value to the current solution. If anything, it creates a false sense of security which is worse than no security at all.

What's the point of encrypting the DNS lookup step if a middleman can still potentially see everything in plaintext?


Couldn’t your ISP watch traffic to pull out SNI information?

the next step is eSNI and judging by the DoH rollout that will also be a new level of controversy advocating against it

What are the arguments against eSNI?

> What are the arguments against eSNI?

Institutions providing internet access, but with an obligation or operational requirement to block certain kinds of content (e.g. insufficient network capacity on the free WiFi at a hospital to allow streaming video for all visitors) would not be able to do it at all.

Privacy proponents seem to forget that there are sometimes reasonable reasons to allow traffic to be blocked, and instead of looking for a real solution, are imposing ridiculous "solutions" on all Firefox users.


Your request will hit CloudFlare edge node in your country and be served from there. Under your jurisdiction.

I can think of something worse: sending all your DNS queries to an unregulated third party.

This is already what happens. Your DNS queries have to go somewhere, and unless you control the DNS servers, there's a third party in the loop somewhere.

Not really, my DNS requests go to my ISP's DNS server. And the ISP sees the requests anyway since they are the one forwarding all the packets.

Now, Cloudflare will see them too (if this would come to my country).


But your ISP won't see them. They'll see that some requests are being made to Cloudflare, but not anything about the content.

No I mean in my current situation if my ISP is also my DNS provider they will get the requests.

But they can already see what sites I visit because they are my ISP and carry my packets.

In Mozilla's new default implementation Cloudflare will also see them, without me ever knowing (as an average user).


With TLS1.3, encrypted SNI, encrypted DNS the ISP can only see the IP address you are connecting to, not a domain name. For Google's resources it only sees that you are connecting to Google's network, but is it Youtube or Gmail or Maps, they cannot tell (which is awesome by the way).

And down the toilet goes the (distributing and caching) Inter-Net. Long live the new Cloud-Net. Cloudflare and Google are achieving what Compuserve and AOL could not.

Exaggerating slightly ... but not that much really. And all in the good name of privacy and security.

It is also amazing how people (Americans ?) are not willing to admit I want MY jurisdiction to apply. Not an American one. I want the choice.


Caching died with insecure HTTP, and that's okay.

> I want the choice.

Then turn it off. But the default protects more people than it harms.


Well, it's not really a choice if for security I must give up on jurisdiction ?

I don't doubt the intentions of Mozilla. But, I expect Mozilla to set the bar much higher.

> But the default protects more people than it harms.

Sorry, not good enough for me. They should not be promoting a private company centralized solution. They really should be pushing for a decentralized and distributed solution that is yet secure for everyone involved and promote that.


SNI isn't super useful to profile customers by itself. Now of course encrypted SNI will be a welcome addition to the protocol, but it won't get rid of traffic profiling.

The destination IP is more than enough to build a customer profile. It's not terribly relevant if you visited Youtube or Maps. Just analyzing netflow logs will give much more information than what services you use, such as for how long you use them and if you stream any media during that time.

Should you wish to have more information than that on your customers you'd have to buy it from someone who runs code in most web pages you visit. There are plenty of those, too.


Hence your request goes to yet another party: your ISP (by necessity via IP destination in your IP headers), the site you want to go to, and to Cloudflare/Google as DNS provider and as fourth party. Whereas with regular DNS, your ISP's nameserver gets DNS queries, hence only three parties are involved. Eg what ndidi, apexalpha said.

With Tor ISP can't even see the final address, but maybe Tor has its own solutions for DNS?

Onion sites use a keypair as their "name"

ISP and government are that "unregulated third party".

ISPs are highly regulated, as opposed to Cloudflare and Google. The only effect here is that Google closes another "loophole" in their view where web visit signals are sent to another party (other than Google), and Cloudflare wanting their share of the cake as well. Has Mozilla disclosed what Cloudflare is paying them for being listed as default DoH provider?

ISP's are highly regulated when it comes to DNS? Not here in the US they are not.

Well to buy a domain you need to go to an accredited registrar for the respective TLD. And DNS registrations, renewals, etc. are standardized (and have TLD-specific policies). Also, you're entitled to transfer your domain name to another registrar, etc., also with a public and transparent protocol. The registrar will then arrange for their nameserver being registered as authoritative for your domain on the TLD's root domain server, etc. What's the problem with US ISPs here? That they're selling DNS query records (with your IP) against their nameservers? That's in the same territory as Cloudflare and Google, and will only stop with proper privacy laws; certainly not by giving up on the decentralized nature of DNS and giving all traffic/signals to Cloudflare/Google.

Aren't you still sending your data to an unregulated third party with any ISP? (I don't live in the US so I am not aware if they're regulated in this regard)

Plaintext doesn't route every god damn request through Google or Cloudflare.

If you have a Chromecast, it's already sending the DNS requests to 8.8.8.8 unless you specifically block the IP.

> If you have a Chromecast

Why the hell would anyone buy hardware from an evil spyware company such as Google?

Of course you can never trust a private corporation to do stuff in the public interest.


I think you mistook it. I was talking about doh providers, not all options, and responded to a line completely tangential, if not unrelated to what you try to bring here. An answer looking for a question, I guess?

Even Quad9[1] or NextDNS[2]? Quad9 works well for me.

[1]: https://quad9.net/doh-quad9-dns-servers/

[2]: https://nextdns.io/


> DNS requests are routinely ... monitored by ISPs

DoH doesn't prevent ISP monitoring. Even if they cannot see the DNS request, the browser sends the ISP the returned A/AAAA record in the header of a TCP SYN packet. The ISP necessarily sees the hosts you are connecting to; they don't need to see the DNS traffic. DoH to Cloudflare allows both Cloudflare and the ISP to monitor your pattern-of-life.

> DoH is vital to protect users around the world from censorship and worse.

Yes, it would be a useful tool to fight censorship, but don't conflate that with monitoring traffic. The ISP still sees the addresses and ports in the IP+TCP headers.


Well, the A/AAAA record and the host you're contacting aren't necessarily the same information, right? You could connect to 10 wildly different sites all behind a CDN and get the same A record for all of them, but vastly different results. It's the host, not the A/AAAA record, that leaks the most information in such a case. DoH/DoT plugs the host being leaked in the DNS packet, then.

But of course, then the problem is punted to SNI, since your TLS Hello packet will probably send the host name with the setup packet, leaking the host then. So we're back to square one. To be fair, Firefox and Cloudflare are also working on ESNI, in which case, from what I understand, your DoH reply will include the A/AAAA record and the public key to encrypt SNI names with, which plugs that final major hole.

So I think the A/AAAA record being exposed doesn't necessarily tank everything, but it certainly isn't perfect, either. But realistically none of these solutions were 100% perfect and a unique A/AAAA record was always going to expose you to a significant amount of side analysis, I think. In general, it just raises the bar and lets us place more trust in the "last hop" between you and the resolvers, much like many other improvements over the past few years, and originally envisioned by e.g. DNSCrypt. In general I feel the actual host header is more important than the A/AAAA record (it is at least more accurate), but I could be super wrong about that.

(The more general discussion about a few major players being able to shape major internet changes for users like this, and general consolidation of the internet is, I think, extremely relevant. But also beyond just this particular exercise.)
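Added example (not from any commenter, and not Firefox or Cloudflare code) for the SNI point made in the comments above: what a passive on-path observer can read from the first packet of a TLS connection when the server name goes out in the clear. The script builds a minimal TLS 1.3 ClientHello for a constructed host name and then parses the `server_name` extension the way a DPI box or an IDS does. Everything is built in memory and never sent; host names are constructed.

```python
import os
import struct

# Added illustration: the plaintext server_name (SNI) extension in a TLS ClientHello
# is readable by anyone on the path, which is the hole that ESNI/ECH is meant to close.
# The hello is built locally and never sent; the host names are constructed.

def build_client_hello(host):
    """Minimal TLS 1.3 ClientHello record; host=None omits the server_name extension."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    versions = b"\x02\x03\x04"                                    # supported_versions: TLS 1.3
    exts += struct.pack("!HH", 0x002B, len(versions)) + versions
    body = (struct.pack("!H", 0x0303) + os.urandom(32)            # legacy_version, random
            + b"\x00"                                             # empty legacy session id
            + struct.pack("!H", 2) + b"\x13\x01"                  # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent.
    This is what passive monitoring does with the first packet of a connection."""
    if len(record) < 5 or record[0] != 0x16:                      # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                                   # not a ClientHello
        return None
    off = 4 + 2 + 32                                              # header, version, random
    off += 1 + hs[off]                                            # session id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]            # cipher suites
    off += 1 + hs[off]                                            # compression methods
    if off + 2 > len(hs):
        return None                                               # no extensions block
    end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        data, off = hs[off:off + elen], off + elen
        if etype != 0x0000:
            continue
        pos = 2                                                   # skip server_name_list length
        while pos + 3 <= len(data):
            ntype = data[pos]
            nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            pos += 3
            if ntype == 0:
                return data[pos:pos + nlen].decode("ascii")
            pos += nlen
    return None

if __name__ == "__main__":
    for host in ("example.com", None):                            # constructed inputs
        print(host, "->", extract_sni(build_client_hello(host)))
```

Run as-is, the first line prints `example.com` and the second `None`. That is the asymmetry the thread is circling: encrypted DNS removes the name from the DNS channel, but the destination IP is always in the IP header and, until ESNI/ECH is deployed, the name is still in this extension, so any resolver-side gain only holds once the SNI hole is closed as well.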


> This is especially true in the country the author appears to be based (Germany).

Of all the governments to worry about, the ones in the EU (as well as US, CA, AU, NZ), are the ones I'd least be concerned with, relatively speaking.

They're enabling this in the US, and yet even with all its problems, it's the one country that the average web surfer would have to worry least about when visiting "inappropriate" sites.

* https://en.wikipedia.org/wiki/Room_641A

> DoH is vital to protect users around the world from censorship and worse.

Great. Then enable it in countries where it's actually a problem. As a Canadian I do not feel a need for this, and I worry about Cloudflare getting an NSL more than I worry about CSIS/RCMP tapping glass.

* https://en.wikipedia.org/wiki/National_security_letter


> Of all the governments to worry about, the ones in the EU (as well as US, CA, AU, NZ), are the ones I'd least be concerned with, relatively speaking.

Completely wrong threat assessment in my opinion. You should always be concerned about your own government. It isn't only the axis of evil that imprisons people with leaks about heavy privacy invasions.

Russia and China have anything about you and you are a citizen of a western nation? Great, because that doesn't matter at all.

You know who poses the greatest threat in motorsports? It is the other driver on your team.


> ... concerned about your own government.

Who says I'm not? But I have recourse with government. What recourse do I have with a private corporation that's based in a country with such lax privacy laws?


I know it was a rhetorical question but here it needs to be spelled out:

None.


Least concerned with? Have you already forgotten about Snowden? Do you know about Five Eyes (or even Fourteen Eyes)? In Canada they outsource surveillance of Canadians to overseas Five Eyes partner agencies so they evade their own privacy laws. It's reasonable to assume that other Five Eyes countries do the same.

I'm with an ISP that has a direct link to TorIX, which has a who's who of the major Internet properties and CDNs:

* https://www.torix.ca/peers/

My e-mail is hosted on Canadian soil with a direct-connect to TorIX (and I personally know the people who run the servers).

I know when I hit a foreign corporation (AMZN, GOOG, etc.) that my data is probably up for grabs, but I also know when my traffic is not leaving Canadian (digital) soil.

So yes, I know all about ECHELON et al, but I know how the packets I send out are generally routed as well.


Alright, in case your government leverages allied ones to evade domestic legislation, foreign governments are a threat. But the initiative for surveillance still lies with your own government. That would only confirm the need to hold your own government accountable.

> DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services

Not true. ISPs typically record and store netflow-like data, very rarely DNS-data (I'd say storing DNS data is even unusual). If ISPs are in a position to get more detailed than netflow data on you they resort to things like deep packet inspection (DPI), which doesn't rely on DNS, pretty much all mobile/cellular ISPs do that today.

> DoH is vital to protect users around the world from censorship and worse.

Not true either. DoH can't do anything against censorship and, if enabled by default in all browsers, can actually give worldwide censorship powers to a single US entity that already has something akin to "we will block anything we don't like and do anything our government wants" in their ToS.


You might look into "passive DNS" services that collect and provide services based on DNS data collected by ISPs and carriers. It's often more or less anonymized, and often used for good things too - but not wholly harmless.

You too have ignored "it's trivial to change your DoH provider".

The average internet user probably has no idea what DNS or HTTPS are, let alone DoH (which even I as a technical user had forgotten existed before I read this post). Defaults matter a whole lot. I haven't formed a definitive opinion on DoH but either way saying "you can configure it so it doesn't matter" is not reasonable in my opinion.

It's interesting that when Russia started blocking access to some popular websites a few years ago, the instructions for installing a VPN were found in all places. The case - when, for example, attempts to block Telegram servers led to the unexpected unblocking of some forbidden sites, like kasparov.ru - shows how some networking skills can be grown en masse in a short period of time.

So, yes, the average Internet user isn't very familiar with DNS. Maybe privacy wars will lead to growing awareness in this area though.


It's actually not, or am I somehow missing that this is a feature that Mozilla has announced as part of this move? Users who are not technical powerusers will not understand the real security implications of "Enable DNS over HTTPS", and right now I can't find a setting to change the provider anywhere in the settings dialogue, and about:config and enterprise policies are not something that regular users mess with.

It's in Options/Preferences > Network Settings > Settings, scroll to the bottom and select Custom from the Use Provider dropdown. I added AdGuard's DNS over HTTPS address. https://dns.adguard.com/dns-query

Haha. Okay: Actually didn't see it because that one line landed below the fold on my resolution (960px height, fixed taskbar on Windows). Rookie mistake. But also bad UI design if this is actually something that's important and that users should pay attention to.

But.

(1) There is no informed consent happening here, highlighting to a user, say in Europe, that this would lead to a U.S.-regulated entity knowing a lot about their browsing history. Regular users can't be expected to understand that that is what this setting implies but will think of "DNS over HTTPS" as technical mumbo jumbo that they don't need to pay attention to and that they should keep at default.

(2) The dropdown doesn't have any options besides Cloudflare. In order to use the "Other" option, the user would have to research URLs of providers on the Web, which seems like so much friction that few people will do this.


The dropdown in (2) doesn't have any other options because of the thing you're worried about in (1). Mozilla seeks specifically to contract with DoH operators to secure the operator's consent to protect their users and never do most of the things you're worried they might do.

They do NOT want the list to go:

Cloudflare

Sketchy Valley Company with six months runway and no clear plan how to make a profit

The Actual Mob, really

Google

Great Britain's Ministry of Truth

Russian Media Company owned by Vladimir Putin

And then have news sites going "Why are all these obviously untrustworthy folks listed?" when the answer would be "Oh we heard that people didn't like the short list of actually trustworthy providers so we added all the other ones that we don't trust too!"


In a very long-winded and theatrical way you are making the point that you believe that there are no credible alternatives out there. I believe there are. I believe that, as soon as any company puts their HQ and their servers in Europe, they have a credibility advantage over Cloudflare right there on the legal front and on regulatory oversight.

I also don't believe that Mozilla has the ability to greatly influence the way Cloudflare would run their service, given that they're probably not paying a lot (or anything at all; don't know the particulars), and are unlikely to be a major component of Cloudflare's revenue. Cloudflare has much more to lose by picking a fight with the U.S. government (think government surveillance) or by pissing off major advertising networks and media corporations (think surveillance capitalism) who make up the lion's share of their revenue on Cloudflare's core webcaching business.


But it is actually easy to change.

https://i.imgur.com/GuP5a8F.png


Open settings and search for DNS. There will be a single button for you to click and "Enable DNS over HTTPS" is at the bottom.

> DoH is vital to protect users around the world from censorship and worse.

Like I've asked before, should Mozilla also start including an obfuscating VPN by default, to bypass the Chinese firewall?

This is a political issue, and one that I don't think Mozilla should even get involved in because it could have very ugly consequences --- just focus on making a good browser and leave the politics (and VPN/firewall-busters) to others.



And route all (Firefox) internet traffic of the world through the US.

Mozilla is working to add a tor mode or add on.

I don't think they are in a position to be trustworthy enough to offer that. Not after the fiasco with their expired addon certificate sabotaging Tor. I still don't see how the standard practice in Firefox to just silently disable addons is anything but malice.

> the article deliberately buries that it's trivial to change your DoH provider

While true for you or me, the vast majority of people will have this enabled by default - probably not even realising it's on.


And? Those same people are likely using their ISP or Google for DNS right now. How is this worse?

The default (which the majority of people will be using) is not Google, it's their ISP. And in the vast majority of cases, their ISP is under the jurisdiction of their country, while Google and Cloudflare have to obey the laws of a foreign country. Said foreign country might one day decide that for instance Google and Cloudflare now have to log the IP address of everyone who does a DNS lookup for news.ycombinator.com, even if the laws in the user's country forbid it.

Mozilla is only applying this in the US.

To start with

According to a CCC talk about DNS security, Mozilla is going to enable providers on a regional basis by partnering with privacy-friendly non-profits.

DigitalCourage was one of the names mentioned as a potential EU-based DoH provider.


This!

This is very bad for Erdoğan. They won't be able to block DNS over HTTPS. Thus their classic DNS blocks will be useless. Last time I checked there were over 300K domains blocked via DNS. Even 8.8.8.8 doesn't work.


> They won't be able to block DNS over HTTPS

Of course they will. The DoH server can be blocked just like any other.


Eh, this is a losing battle for them. In theory any HTTPS server can be a DoH server if set up for it. One key for the future is to have so many DoH servers available for people in countries that filter that there is no way the government can block them all.

My uBlock Origin contains over 100k filter rules, and I pay zero for it. I doubt a company can't sell a list of open DoH servers for a reasonable price.

How are they going to block servers that have a DoH URL? DNS-level block or IP block. Maybe SNI-level block, but in a few years we will have ESNI.

To access a DNS-over-HTTPS server, you need its IP (otherwise it would be a circular problem - must have DNS to access DNS). So they can just block the IP/port.

Why can't they block 1.1.1.1?

They can block, but you can make any HTTPS page into DoH. What are they going to do? Block every website?

No, just the ones that run DoH.

Wrong way around.

Said own country might one day decide to restrict access/log visits to controversial site X (e.g. Tibet, government critical news, piratebay etc.), which does not affect your DNS based in foreign country


Said country will just block the Cloudflare DoH server as well, forcing users to switch to a controlled DNS server.

Well, if the user has configured their router to use their preferred DNS provider, and this is enabled, and they don't realise, then as far as they are concerned all their requests are going via that provider, when in fact they are going out somewhere else.

That seems pretty shady to me


It's worse, because the local ISP is more trustworthy and additionally you enable cloudflare for large scale profiling. And don't claim they won't do it, it's just a matter of time

I scoff at the idea that Comcast is more trustworthy than Cloudflare.

Telia in Sweden has shared data with "selected partners" in a way that led to customers being extorted because of, among other things, porn surfing history and torrent downloading.

Trusting your ISP, even in a country with data protection laws like Sweden, is naive. I'd much rather trust a company that tells me "this is the data we store. This is the data we share with APNIC and no-one else".


Are you kidding? My ISP is blocking wikipedia.org, i.imgur.com, imbd.com, torproject.org, and many others.

I live in Sweden and I would never trust any ISP. There are too many cases of data shared with "business partners" that led to things like attempts to extort torrent users or porn surfers (even from reputable ISPs).

This should be, if not illegal at least highly problematic in the eyes of the law. At best the ISPs got a "better behave, because next time ...".

All ISPs have data sharing with "selected partners to ensure service quality" which, at least until GDPR, meant basically that they could sell data.

Whereas cloudflare states that the 1.1.1.1 data will only ever be shared with APNIC in anonymised form (which they define). Cloudflare defines what data they share for 1.1.1.1 users, which my ISP does not. I trust cloudflare, at least right now. If they were to change their retention policies and agreement I would maybe reconsider.


I'm fairly sure that most, even non-technical, users understand fairly well that their ISP can snoop on their internet connection. On the other hand I doubt that my mom expects that when she connects to https://www.impots.gouv.fr/ her browser pings an American-owned server to get access.

If she does it from a Chromebook/Chromebox, then all the requests are likely routed through Google DNS.

Tracerouting that address could reveal a lot more foreign-owned (and built) servers in the path, so I'm not sure what your litmus test is.

It's significantly better actually - gets around DNS blocking put in place by malicious ISPs and governments.

Well, there is a whole article linked explaining just that.

But basically, I know my ISP, and they don't log DNS queries.

Most ISPs (the ones I have worked with) don't save DNS requests. They usually save netflow.

I also use a VPN (my own), with its own DNS resolver, for when I don't trust the middleman.


> There has to be SOME default chosen

It seems trivial to select half a dozen likely candidates and let the user choose between them on install.

Honestly I'd like them to do the same with the search engine. Yes, it's simple enough to change the default, but it'd be nice to choose up-front.


Yes, it's trivial. It's also very annoying to the probably 99% of users who don't care about it at all, especially if this becomes just one of many settings that needs to be configured on startup.

Make it random then.

Random security settings that differ with each installation? No thanks, I’d rather not play dice with security.

Every question you make a potential user/customer answer is a potential loss of conversion.

Most Firefox users do not care. Those that do can figure out how to change it easily enough.


But Cloudflare also happen to be the fastest DNS resolver.

Fastest isn't necessarily best.

My ISP's caching DNS, and any caching DNS running on IP addresses belonging to/advertised by my ISP via BGP to various CDNs, give the best possible responses.

I don't care if the p99 DNS response from my ISP is 50% slower than Cloudflare, if the streaming video, or large download, or many small file requests are better served by CDNs in my ISP's network that are not visible to Cloudflare.

All DNS benchmarks I have seen focus only on the DNS response time, never on the DNS response quality.

But that's because they are mostly written by people who don't know how the internet (or competent ISPs) actually works. Some of them even seem to log errors when they get unexpected responses for some well-known URLs (like google.com) because they don't know there are newer Google sites than when they last checked ...


A minor quibble, but the url ends in .ch, and the company address is in Switzerland. Why do you say the author is in Germany? (Am I missing something?)

> DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

Germany: Storing data for a limited period of time so that data pertaining to individuals can be requested on a case-by-case basis by law enforcement (we are talking Police, not all of government). Not a big deal.

U.S.: Highly developed and well resourced mass surveillance in operation on both the business side (surveillance capitalism) and government side (NSA). Privacy laws that protect only U.S.-based persons and declare data pertaining to foreign persons to be fair game. Big f*ing deal.


European privacy laws are great, but I’m not so sure it’s as simple as you make it out to be. German intelligence also cooperates with the US on NSA surveillance.

https://www.reuters.com/article/us-germany-spying-merkel/mer...


> DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

Author is based in Switzerland.

But since you mentioned Germany - German security services have no legal authority to indiscriminately monitor internet traffic, particularly not inside the country. They got into trouble with parliament the last time they got caught doing it.

For ISPs, there's no business value in intercepting or logging customer traffic. They're not allowed to use such data themselves, like for advertising purposes. At "large ISP" scale (tens to hundreds of gigabits), equipment that can intercept DNS queries at line rate is very expensive and adds a lot of infrastructure complexity. ISPs operate on thin margins and have zero incentive to deploy such equipment or otherwise mess with traffic.

They're legally mandated to store some metadata like IP address assignments and flow/CGNAT data for a limited period of time and aren't terribly happy about it, at the very least because it's expensive to collect and store it with no benefit. Deutsche Telekom has recently sued the government about it and won[1]. The so-called "Vorratsdatenspeicherung" is a recurrent topic in German politics with conservative governments introducing it, and then having to scrap it when it gets challenged in court by civil rights groups and/or companies[2].

In either case, DNS request data is NOT metadata and would never be inspected and stored unless there's a specific warrant.

Deutsche Telekom once redirected NXDOMAIN responses to an OpenDNS-like landing page with suggestions ("Navigationshilfe") and had to stop doing it when people complained to authorities[3].

Exporting and analyzing sampled packet headers or flows is pretty cheap and a standard feature with carrier-grade routing equipment (NetFlow/IPFIX and/or sFlow). IP assignments are basic accounting data that every ISP has.

Inspecting packet contents is very different and requires plenty of expensive extra equipment and/or complicated network engineering to redirect traffic to a centralized analyzer, which increases latency. It's only done if necessary, like temporary rerouting for ingress DDoS mitigation.

(source: worked in the industry)

> Masses off unfounded FUD - the article deliberately buries that it's trivial to change your DoH provider if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

Personally, I do trust CloudFlare and understand Mozilla's choice, but I do agree with the centralization concerns. It's a difficult set of tradeoffs, and characterizing the author's concerns as "unfounded FUD" is not fair.

[1]: https://web.archive.org/web/20180511081552/http://www.vg-koe...

[2]: https://de.wikipedia.org/wiki/Vorratsdatenspeicherung

[3]: https://www.golem.de/news/t-online-navigationshilfe-telekom-...


Your post is painful to read. Masses of unfounded FUD.

> security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).

The author appears to be from Switzerland, and it's not clear at all why "security services" (who?) in Germany "especially" have few restrictions.


The usual list of security services, BND etc., not sure why adding lists of acronyms is important to you, when "security services" captures the meaning quite well.

> "especially"

That refers to news and new laws in recent years, which extended their surveillance capabilities. Also, it is relevant because Germany has both relatively strong data protection against non-state actors and quite capable intelligence agencies.

That said, I think arguing about state actors is the wrong threat model for this discussion.


> I think arguing about state actors is the wrong threat model for this discussion

My post was just a rebuttal to GP's framing the discussion around vague accusations towards state actors.

> security services captures the meaning quite well

It really doesn't. The various secret services (internal, external, military) report to parliament (not the whole of it, just a close circle/committee, nevertheless having received trust by being elected), and their heads are nominated by the government. It's of course entirely within your right to criticize their existence or operations, but yielding power to private monopolies based in another country without any public control whatsoever and potential ties to foreign secret services (we don't really know) can't possibly solve whatever problem you're on to, and shouldn't be justified on such vague arguments.


Laws restricting what the government and private entities can do with data almost invariably (e.g. the GDPR) just have a blanket exception for security services.

Very long term we might trend away from that, just as eventually countries which had outlawed capital punishment "except in times of war" realised they had no intention of doing it in a war either so many of them began removing that caveat. But today this is the case with every such restriction I've seen, it either says in the law itself that it doesn't apply to security services or there's a superseding law that says the security services needn't obey the data protection rules.


I don't really see how DoH helps, because the IP is still flowing between host and client. What does it matter if they can't see the DNS request? They still see the IP values flying between your computer and TheGreatSatan.us.xxx. Only a VPN can help here anyway. DoH is good for making sure the IP matches up to the host address, because it can verify the IP returned is the one it actually is, rather than a state actor substitution.

So far I'm using NextDns.io at home, which is DoH and also applies ad-filtering. I haven't heard of any security concerns yet

Disclaimer: I do not work or have any financial connection to that service


It will actually not be used anymore, because Firefox avoids your local DoH setup.

> For starters, Mozilla said that after it turns on DoH by default for US users, Firefox will contain a mechanism to detect the presence of any local parental control software or enterprise configurations.

> Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

> The organization said it's been asking ISPs and providers of network-based parental control solutions to add a "canary domain" to their blocklists. When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.

https://www.zdnet.com/article/mozilla-to-gradually-enable-dn...

And I'm already set for the DoH switch https://i.imgur.com/GuP5a8F.png
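The quoted canary-domain mechanism and the RFC 8484 GET encoding it sits on, as an added example that is not code from the thread, from Mozilla or from any resolver: it builds a DoH query, parses a wire-format answer, and decides whether a filtered canary answer should switch DoH off. The resolver URL is a placeholder, the responses are constructed locally, and the canary name and disable rule are my reading of Mozilla's documentation, marked as assumptions in the comments.

```python
"""DoH (RFC 8484) query construction plus a canary-domain check.

Added example for the discussion above; not Firefox's or Mozilla's code.
"""
import base64
import struct

QTYPE = {"A": 1, "AAAA": 28}
RCODE_NXDOMAIN = 3

# Assumption: the canary name Mozilla documents for network-operator opt-out.
CANARY_DOMAIN = "use-application-dns.net"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """Wire-format query; RFC 8484 suggests ID 0 so HTTP caches can key on it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD flag set
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url without padding>."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={enc}"


def _read_name(data: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(data: bytes) -> dict:
    """Return the rcode and the answer records of a wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE["A"]:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def canary_says_disable(resp: dict) -> bool:
    """Assumption (my reading of Mozilla's published behaviour): a local
    filter that blocks the canary yields NXDOMAIN, or NOERROR with no
    A/AAAA records; either result means the browser should not use DoH."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return True
    return not any(t in (QTYPE["A"], QTYPE["AAAA"]) for _, t, _, _ in resp["answers"])


def build_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Constructed stand-in for a resolver's reply to `query` (test input)."""
    flags = 0x8180 | rcode  # QR, RD, RA plus the rcode
    hdr = struct.pack("!HHHHHH", 0, flags, 1, len(a_records), 0, 0)
    body = query[12:]  # echo the question section
    for ip in a_records:
        # 0xC00C = pointer to the question name at offset 12, TTL 60, 4-byte A
        body += struct.pack("!HHHIH", 0xC00C, QTYPE["A"], 1, 60, 4)
        body += bytes(int(x) for x in ip.split("."))
    return hdr + body


if __name__ == "__main__":
    q = build_query(CANARY_DOMAIN)
    print(doh_get_url("https://doh.example/dns-query", q))  # placeholder URL
    filtered = parse_response(build_response(q, RCODE_NXDOMAIN))
    print("filtered network, disable DoH:", canary_says_disable(filtered))
    clean = parse_response(build_response(q, 0, ["192.0.2.1"]))
    print("unfiltered network, disable DoH:", canary_says_disable(clean))
```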


Doesn't this completely defeat the whole thing?

Anyone upstream that wants to start censoring or logging can just add this canary domain and continue business as usual.


I tried NextDns but it's extremely slow for me. (I live in central Europe.)

From this moment on, Firefox should be actively prohibited in any security-conscious workplace - because it will leak some or all of the map of internal resources to a third party, which has absolutely no business knowing what resources are deployed in the local network. And deciding what's good for users without making them explicitly and consciously confirm this choice is bad, worse than censorship.

> if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).

I don't think anyone believes CF will start selling data, that's not what the article argues.

Regardless, it's opt-out not opt-in. Which is against newer consumer protection laws such as GDPR.

> DoH is vital to protect users around the world from censorship and worse.

This isn't black and white. Yes there is upside (as both you and the article agree), but the downside of how DoH is implemented here is that you have to point all your DNS queries to a US company. Historically we've seen how this is a bad idea for global internet privacy (eg. PRISM, etc).


> I don't think anyone believes CF will start selling data, that's not what the article argues.

CF is not a private company funded by a foundation with a time until the funding runs out measured in 30-40 years. It is a public company with a small number of customers that provide the majority of its revenue.

It simply isn't prudent to say that it won't explore other revenue streams in future and that monetization of data won't be one of those streams.


Good point. I meant there is no reason to dispute the article because it talks about CF monetizing that data. Because it doesn't.

> I don't think anyone believes CF will start selling data, that's not what the article argues.

> Regardless, it's opt-out not opt-in. Which is against newer consumer protection laws such as GDPR.

I understand the argument in theory... but the reality is CF is a more trustworthy DNS provider than basically any consumer ISP in the EU.


This is where the author and I disagree with you. In most places in Europe there is a complete distrust of US companies and of hosting anything on US soil.

Historically we've seen many cases of US companies handing over data to US authorities (willingly or not).


This is not speculation, it's first-hand opinion. I am from the UK, I distrust all UK ISPs, their DNS is filth and they are suspected of working with GCHQ... I agree US companies and US law in general are worse for data protection than the EU, but on a per-company basis CF is more trustworthy, and half of the purpose of their DNS is to attempt to provide more privacy.

And practically, US companies are not restricted from selling user data to third parties, while EU companies are.

I think in most countries, government can approach domestic companies to hand over data in case of illegal action.

The problem with the US is that data is being used against you, like recent events have shown.


You do not have to point your DNS queries to a US company, this is completely false. You can point your DNS queries at whichever DoH provider you want - you can even run your own DoH provider if you want to.

I should have worded that differently: the default is a US company. Which applies to everyone who doesn't change it specifically for Firefox (the vast majority of users).

...users in the US.

Quite an important detail.


It's very disturbing to see the overreach that Mozilla has resorted to and the "privacy" argument (it was "security" before that...) being used to justify essentially ignoring system configuration. My ISP has more accountability than a company in another country.

The correct way would be to standardise DoH and DoT and add support for them into automatic address configurations and operating systems.

Exactly. If Mozilla wants to, it's more than welcome to reach into the VPN area with its own products, but I don't believe this functionality should be part of a browser. They're already reaching into the VPN area[1], should they also investigate bypassing Chinese censorship with their own "firewall-busting" obfuscating VPN? That's not something most users want nor need in their browsers, and such functionality is really a cat-and-mouse game that I think is best left to smaller and less-well-known entities.

It's unfortunate that browsers are already beyond "neutral", when IMHO the only thing they should do is fetch exactly the page URL that was entered and display it.

Edit: yes, apparently people disagree and want Mozilla to control what the Internet (and every user, ignoring his/her default configuration) does. This is really really disturbing.

[1] https://news.ycombinator.com/item?id=20927832


> the only thing [browsers] should do is fetch exactly the page URL that was entered and display it.

I strongly disagree. Browsers deal with a hostile environment that poses countless threats to their users, and need to be safe. Arguing that browsers should be minimal and not protect privacy is like arguing that cars should be minimal and not have seat belts.

There is an argument that ensuring privacy in DNS could be done outside the browser. I think HTTPS is a good precedent for putting privacy in the scope of the browser; the browser should attempt to ensure that privacy expected by the user is established or it should refuse to operate.

I disagree with the solution of trusting Cloudflare, but privacy should be considered crucial to user safety in modern browser design decisions.


> I strongly disagree. Browsers deal with a hostile environment that poses countless threats to their users, and need to be safe. Arguing that browsers should be minimal and not protect privacy is like arguing that cars should be minimal and not have seat belts.

I strongly disagree. A browser has one job, and that is to follow and render URLs. Secure connections and such are services provided by other components of the OS, and the browser should absolutely use those services but not attempt to overreach its main purpose. It's really the principle of "do one thing and do it well".

To spin your analogy, you're arguing that cars should have seatbelts that also check your age and blood alcohol level because "that's also a safety thing".

> There is an argument that ensuring privacy in DNS could be done outside the browser

Yes, the same way that VPN clients are; and I'm perfectly happy for Mozilla to be working in that area, but most certainly do not put that in the browser and do not make it default.


>> It's really the principle of "do one thing and do it well".

This sounds good on the surface, but falls apart at the smallest level of logical scrutiny.

It's akin to saying, "a car should only accelerate, decelerate and make turns!" After all, that's a car's main purpose.

Whereas the fact of the matter is that modern cars are built to be able to handle all kinds of hostile environments and have numerous defense and safety mechanisms in order to keep their passengers safe.

The same applies to Internet browsers.


What do you do as a browser vendor when the OS fails to provide you meaningful security and privacy? This is pretty much how we got here. Basically every device on the planet is right now configured to blindly accept whatever DNS server is handed to it by DHCP and there is really no movement on changing that.

So browsers can throw up their hands and say "we are as secure as the OS" or they can do it themselves. Not ideal but the alternative is worse for users.


> What do you do as a browser vendor when the OS fails to provide you meaningful security and privacy?

Nothing. Absolutely nothing. Work within the environment you're given.

> Basically every device on the planet is right now configured to blindly accept whatever DNS server is handed to it by DHCP and there is really no movement on changing that.

...and that's just fine, because I trust my LAN more than some third party in another country.


> I strongly disagree. A browser has one job, and that is to follow and render URLs.

Wow. Not only has history rejected your premise, but the many technologies that exist today in a web browser prove you wrong.


>> browsers should do one thing

> browsers should do it all

The essential Multics vs Unix mindset clash. One application to rule them all vs. a versatile toolbox of interchangeable modules. Telco heads vs hacker heads.

In the end, the hackers always win - but the telcos grow to be fat cats.


In a way, it's a Multics vs. Multics clash. I already have one application to rule them all. My operating system. I do not appreciate when the browser tries to supersede it. Not (just) because of philosophical reasons, but because browsers completely suck at being operating systems. The web takes a lot of control from the users, and offers near-zero interoperability.

It all feels like a step-by-step attempt at turning general-purpose computers into cable TV.


I don't think this is at odds with "should do one thing well". Safety is not an application in itself, it is a design principle.

"rm"'s purpose is only to delete, yet it still tries to ensure safety and sanity with its flags: -r, -f, --no-preserve-root, etc. Even simple tools should be safe by default.


We already have applications that can take all your traffic and send it over an encrypted tunnel somewhere else, if you don't want to exit to the Internet from a place you don't trust. They're called VPN clients. DoH is like a partial VPN client. It doesn't belong in the browser.

DoH servers are not open proxies, they're just DNS resolvers with support for a security layer; they are comparable to HTTPS, SMTPS, SSH, etc. servers, not to a VPN.

VPNs are not a substitute for, nor a better solution than DoH in the same way as they are not for HTTPS or SSH.
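What "a DNS resolver with a security layer" looks like on the wire: under RFC 8484 the browser builds an ordinary DNS query and carries it inside an HTTPS request, either base64url-encoded in a GET parameter or as a POST body. This is an added example, not code from the thread or from Firefox; the resolver endpoint is a constructed placeholder.

```python
"""Build an RFC 8484 DNS-over-HTTPS request from a plain DNS question.

Added example. The endpoint below is a constructed placeholder; a real DoH
resolver publishes its own URL. Nothing here touches the network: it only
produces the bytes and the URL a DoH client would send.
"""
import base64
import struct

# Constructed placeholder, not a real resolver.
DOH_ENDPOINT = "https://doh.example/dns-query"

QTYPES = {"A": 1, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """Standard RFC 1035 wire-format query, carried unchanged inside DoH.

    The ID is 0 as RFC 8484 recommends, so identical queries share one HTTP
    cache key; flags 0x0100 sets RD (recursion desired).
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def doh_get_url(name: str, qtype: str = "A", endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: wire message base64url-encoded, '=' padding stripped, in dns=."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{endpoint}?dns={b64}"


def doh_post_request(name: str, qtype: str = "A", endpoint: str = DOH_ENDPOINT) -> dict:
    """POST form: the raw wire message as the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "content-type": "application/dns-message",
            "accept": "application/dns-message",
        },
        "body": build_query(name, qtype),
    }


if __name__ == "__main__":
    # The name being resolved sits inside the TLS payload; an on-path observer
    # sees only an HTTPS connection to the resolver, unlike cleartext UDP/53.
    print(doh_get_url("example.com"))
```

The GET URL for `example.com` A ends in `dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE`, the same encoding scheme shown in RFC 8484's own example.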


> The correct way would be to standardise DoH and DoT and add support for it into automatic address configurations and operating systems.

This is beside the point. Mozilla make a browser. They don't make the address resolution code for the underlying operating system. Operating system vendors are of course going to start to support DNS-over-https.

You can disable dns-over-https if you don't want it enabled. Just go to about:config and set network.trr.mode to 5.


> You can disable dns-over-https if you don't want it enabled.

It was also possible to disable Ubuntu from sending your desktop searches to online retailers:

* https://www.pcworld.com/article/2889895/how-to-stop-ubuntu-f...

Just because something can be disabled does not necessarily mean it should be enabled by default in the first place.


That's a really strange comparison. You know that mozilla has an agreement with cloudflare under which cloudflare has agreed not to log dns queries right?

Maybe Mozilla has such an agreement, but I don't. I have a contract with my ISP, and the GDPR applies to that contract. CF? Not so much.

1) Since the agreement is about processing of this data it really doesn't matter whether you have a contract with CF.

2) You don't need any contractual relationship to have GDPR apply to processing your data. If you're a European data subject then GDPR applies to any processing of your personally-identifiable data whoever is processing it and wherever they're doing it. If you're not a European data subject then GDPR would only apply if the company was a European company or if the processing was happening in Europe.

Thanks. I feel this should just be a setting on the settings screen. I use a PiHole DNS service at home which I want to keep using over this.

It is. I just never use the settings screen. See here for how you toggle it, including screenshots. I would expect that the new version will be similar.

https://www.zdnet.com/article/how-to-enable-dns-over-https-d...

Edit: I've just checked and there is the ability in the settings screen to set a custom DoH provider. So once your pihole can do it you can set it there.


It should be a setting in a standard dot file. I don't understand why Mozilla can't create a simple configuration file like most applications.

All these settings are stored in ~/.mozilla/firefox/<profile name>

So for me the trr mode is stored in /home/sean/.mozilla/firefox/k3dmofx7.default/prefs.js


I've tried changing prefs from that file and it is a mess. Not adequately documented either. Standard INI-format would be ideal.

Of course, I'd rather trust unencrypted plaintext DNS queries that go to my ISP and government!

If you don't like CF just switch to a different provider: https://github.com/curl/curl/wiki/DNS-over-HTTPS


> I'd rather trust unencrypted plaintext DNS queries that go to my ISP and government!

I trust my ISP and government more than a US company I have no formal contract with and the US government.

Also, there's the whole 'applications should not override system level settings' thing. My DHCP pushes a local (caching) DNS server that also does name resolution for internal services. This change would break that for all Firefox users on my network.


> I trust my ISP and government more than a US company I have no formal contract with and the US government.

And every single intermediary and whoever else might be listening in? This is an unencrypted plaintext connection. Which is the main point here. The whole "we trust ISP more" thing is completely beside the point. The point is DNS is horribly insecure nowadays, and it is about damn time we switch to something better.

> Also, there's the whole 'applications should not override system level settings' thing.

Hopefully, DoH will become a system level setting eventually.


If you use your ISP's DNS servers, there is no intermediary between you and them.

If you use wi-fi without a VPN, you have the coffee shop and the coffee shop's ISP. And anyone listening there. Of course there is cleartext SNI even for SSL connections... but alas.

What coffee shop? I only connect to wifi at home and at the office.

And you're the only person who uses mobile computing devices.

Not sure what point you’re trying to make here.

Unless your ISP is running Huawei equipment. ;)

There aren't many intermediaries if you use your ISP's internal resolvers.

And there are intermediaries between Cloudflare/other DoH providers and the respective authoritative nameservers anyway.

My ISP is subject to specific regulations for licensed network providers, which Cloudflare isn't.

Thus, Cloudflare is the problematic intermediary.


But unless they have the private key for CloudFlare certs, they can't snoop in so it doesn't matter if there are intermediaries in between.

The traffic between Cloudflare and the authoritative nameservers will be good old 53/udp.

The only thing the snooper won't be sure of is which Cloudflare client asked for that record.


> I trust my ISP and government more than a US company I have no formal contract with and the US government.

You're not affected then, because the DoH rollout w/ Cloudflare as the default is only planned for the US.


That is not an argument, it is clear that this is supposed to be deployed by default.

... only for users in the US. Are you aware of other plans?

For now

Do you ever use wifi in a coffeeshop or hotel?

Because if you do, at that point they are your "ISP" for purposes of this discussion. Do you still trust them more than Cloudflare?

(For a desktop machine, obviously this is not an issue, but for pretty much anyone with a laptop this is something that needs to be worried about.)

As far as internal services, is this a split-horizon setup? As far as I understand, the plan is to detect those and fall back from DoH to normal DNS as needed.


> applications should not override system level settings

I wish Windows 10 and other operating systems natively supported DNS-over-HTTPS, but many don't. So they have to work around that lack of support.


> I trust my ISP and government more than a US company I have no formal contract with and the US government.

I do not! I'd rather have that anon US co. than any government.


You can use a different DoH server, or set up your own; that's not a problem.

https://www.ghacks.net/2018/04/02/configure-dns-over-https-i...

I use https://odvr.nic.cz/doh


This is exactly why DoH is enabled by default in the US only.

I do trust my ISP and my government more than I trust CloudFlare.

It seems very American to me to trust a private actor such as CloudFlare more than your own government.

I feel like at least in Europe, a large majority of people would trust their government and local ISP much more than some company halfway over the world with basically no accountability in your own country, especially an American one since it means your data is basically at the mercy of the US government.


Cloudflare has a better track record than most ISPs and governments.

Aren't there a bunch of European ISPs applying government enforced DNS blocking?

Seems like this is a very good move for them.


The ISP I run is applying [1] such blocks on our DNS recursors (blocking illegal online gambling domains, as per legal requirements [2]).

I still trust my DNS servers (or those of most ISPs, for that matter) more than I trust Cloudflare. I'd rather have intelligence services go through the effort of infiltrating every single ISP separately to get any useful dragnet intelligence, instead of just one large entity that can illegally collect all traffic from all users of a web browser.

[1] - https://github.com/q3k/rsh-unbound

[2] - https://hazard.mf.gov.pl/Ustawa


Couldn't agree more.

And I very much hope they aren't contemplating rolling this out in Europe.

Having worked for a major European telco, I get the impression that the amount of regulation they face around data protection and privacy is tremendous and my experience has been that this stuff is by no means taken lightly either.

It would never in a million years occur to me to route my traffic in such a way as to circumvent the legal protections it enjoys as long as it stays within a European ISP's network and instead encrypt it and send it off to a nearly unregulated entity in a foreign country.


I trust Mozilla and the contract they have with CloudFlare (not just CloudFlare by itself) more than my ISP.

> https://support.mozilla.org/en-US/kb/firefox-dns-over-https

> Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

These are much stronger guarantees than my ISP's.


Is your ISP in the US and your government the US government? The DoH rollout w/ Cloudflare is only planned for the US.

> The DoH rollout w/ Cloudflare is only planned for the US.

For now.


> I'd rather trust unencrypted plaintext DNS queries that go to my ISP and government!

Your ISP has access to more detailed data on you than DNS queries. Also CF servers are typically located in the same jurisdiction as your government and send unencrypted DNS queries from there. Now instead of dealing with every ISP your government has to deal with just one company in one location, no need to even ask that company anything, just come in and set up a mirroring point, very convenient for the government, not very good for you.


They can log unencrypted DNS queries coming from Cloudflare, yes. But they can't correlate those with the incoming encrypted queries, not when the amount of traffic coming in is as vast as it will be. It doesn't help much to know "some Firefox user somewhere tried to resolve such-and-such domain".

Absolutely. This warning seems disingenuous and will confuse many normal people. DNS over HTTPs and DNS over TLS are good things and increase our privacy. People should switch to them.

Are there any GDPR compliant entities there? Preferably some company/organization from Europe?

I live in Europe and I do trust my ISP (and government, which has a decent track record at enforcing GDPR).

Even with DoH, my ISP already sees all of my network traffic. My DNS queries will effectively be anonymized by their recursive name servers.


> I live in Europe and I do trust my ISP (and government, which has a decent track record at enforcing GDPR).

I believe the GP comment was referring to government surveillance. This is a thing in Europe and GDPR won't protect you from it.

Also, good news for you: Since you live in Europe, the announced switch to DoH with Cloudflare as the default for Firefox users in the US won't affect you.


This is a gross over-simplification. Cloudflare is required by contract to respect your privacy, which is much stronger than even the privacy laws we have here in the EU since it addresses everyone, not just the EU population:

https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...

The people fighting for the status quo probably know how to run their own resolver, even with DoH or DTLS. But Mozilla's conundrum is how to protect everyone's privacy (and to a certain extent, security). DoH, despite all its flaws, attempts to do that by piggy-backing on already working infrastructure, so it seems like a good fit to move everyone to DoH. But then, there's the chicken-and-egg problem. How do you make sure people deploy local DoH resolvers if no browser enforces the move to DoH? How do you make sure those resolvers are truthful, or even respect local law (having both is often impossible)?

So, you need to compromise. I'd have preferred to have a temporary non-profit third party entity handle this à-la-Letsencrypt, but Mozilla deemed its contract with Cloudflare sufficient to provide enough guarantees. Ideally, name resolution should be done closer to the user instead of being centralized like that. But by arguing instead of experimenting we just keep the status quo. Time will tell if this was a bad decision. But it's not as clear cut as this blog post says it is.


A contract where cloudflare receives no consideration isn't particularly comforting, as such agreements are routinely ignored by courts (or equivalently by capping damages at nothing).

> Mozilla's conundrum is how to protect everyone 's privacy

And exactly how does this protect user's privacy? Instead of the user's ISP being able to see where the user connects now both cloudflare AND the user's ISP (via seeing the connection itself) can tell.


Re: the contract, let's hope you're wrong.

Re: privacy: by not having lying DNS or no NXDOMAIN, there is also less tracking (say, fingerprinting in ad web pages).

And in the ISP's case, you're assuming they already do DPI, otherwise they now see IPs, which might not mean much in the CDN case. But if they do DPI, it will be resolved once ESNI starts being deployed.


> But if they do DPI, it will be resolved once ESNI starts being deployed.

What if ISPs block requests with eSNI for all users, in order to be able to remain compliant with legal intercept legislation (e.g. warrant for suspected child porn investigation)?

There are conflicting desires with trade-offs, and all Mozilla is doing here is escalating the war, rather than trying to reach agreement with the rest of the industry on how to satisfy two different requirements.


> Re: the contract, let's hope you're wrong.

Switching from a technical measure of privacy (no data being shared) to hope isn't the right way to go.

> But if they do DPI, it will be resolved once ESNI starts being deployed.

Once.


> > But if they do DPI, it will be resolved once ESNI starts being deployed.

> Once.

This underestimates DPI vendors. eSNI can't stop them, they will just move to exploit side channel information (traffic patterns) to identify which websites you are visiting. People need to remember that the DPI industry has been fighting with obfuscation for years, it's a war where Cloudflare and Mozilla are complete newbies.


These are just unsubstantiated assertions. Fingerprinting does exist, but what you're saying is that there might be methods we haven't foreseen that will be implemented to improve DPI analysis and tampering. So what? Do nothing in the meantime?

It's true hope isn't the proper answer. But IANAL is.

> "This is a gross over-simplification. Cloudflare is required by contract to respect your privacy"

How often do corporations take other corporations to court over contract disputes? I think it's pretty often.


It is indeed. We'll see if Mozilla's lawyers are good at writing contracts once the Mozilla vs Oath case resolves:

https://blog.mozilla.org/blog/2017/12/05/mozilla-files-cross...


> The correct way would be to standardise DoH and DoT and add support for it into automatic address configurations and operating systems. Not in applications!

You're right. But so are Mozilla.

Here we are 30 years into the web, and we're still using plain old DNS. DNS over TLS should have caught on, but it didn't. Apple and Microsoft had years to ensure it's implemented as standard, but they didn't.

The points this article makes - about DHCP options, about multiple providers, are very valid.

But they're also just talking shops.

The biggest problems here seem to be:

1) DHCP can't give internal DoH servers. When I'm at home I want it landing on my own DoH server, but when I'm away I want to use a different one.

2) Internal DNS resolving falls to bits.


Agreed, I'd prefer setting up the DNS-over-HTTPS config at the gateway level (and either push the config over DHCP, or have the gateway act as a local resolver, which forwards the new requests over DoH), but we're not there yet.

In theory isn't it "just" a matter of agreeing a DHCP option number, then having the DHCP client (or vpn client or whatever) be responsible for passing it to applications that want it (including the system resolver, be that mDNSResponder, systemd, glibc, whatever windows uses)

Anyone who wants to can configure their dhcp client to ignore it, or use a different service, you could even have applications doing that too, but this would allow a network operator to tell people where the recommended resource is.

Likewise if you want to change your DNS provider yourself you would have a single location on your machine to do it for the entire OS, rather than having to change 50 different applications.


> have the gateway act as a local resolver, which forwards the new requests over DoH

This is what I would like to see as a default (and included in routers). In fact, it's what I already do myself.

I think (as others here have said) that the privacy concerns the article raises are mostly FUD. But I do agree with the article when it says handling DNS at the application level is kind of a terrible idea (even though it might seem justified in this case). If the end result is that every application has its own built in network stack, that's going to be terrible for security, usability, and make it much harder to debug third-party apps.


I use my pfsense router as a DoH recursive resolver, so while DNS is unencrypted inside my local network, all requests are protected when they enter the internet.

> DNS over TLS should have caught on, but it didn't.

So enable DoT instead.


As someone who has donated to Mozilla over the years and used Firefox as much as possible, this makes me very unlikely to donate in the future.

People say that it's trivial to change. It's trivial to change for us who are technically minded. It's far from obvious and will not be changed by non-technical users.

This will only increase the massive amount of data that Cloudflare gets about people's online behavior. I am always very skeptical of centralization and of having a company get this much information. Remember google's Don't be evil? I'm extremely uncomfortable with such a massive centralization of data.

People might say that the status quo is not great because DNS is sent to the ISP. I'd argue the status quo is better because it's far less centralized. And, at least for Europeans, I trust European legislation better than US legislation.

I can understand the argument that some countries have mass surveillance and it's a net positive for users in those countries since it will protect them. But in that case, I feel that the default should be randomized from a list of providers, not only one company. I also would be much less concerned by this if it was an option on first startup with a clear explanation (even though users tend to not read and blindly click accept, it's at least more of an informed consent).

And anyway, that purpose of preventing mass surveillance and blocking in those countries where it would actually be useful seems to be moot because of:

> Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

> The organization said it's been asking ISPs and providers of network-based parental control solutions to add a "canary domain" to their blocklists. When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.

So, if ISPs in countries with censorship can use a canary website to prevent users from bypassing "legally-set blocklists", what is the point again of enabling this?
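How the canary-domain check quoted above plays out on the wire, as an added example that is neither Firefox's nor Mozilla's code: the canary name is Mozilla's published use-application-dns.net (the thread does not name it), the opt-out rule is the one commonly documented (NXDOMAIN, or NOERROR with no A/AAAA records, disables DoH), and the three resolver responses are constructed wire-format messages, not captured traffic.

```python
"""Emulate the canary-domain test a DoH client runs against the local resolver.

Added example, not Firefox code. Canary name: Mozilla's published
use-application-dns.net. Rule (as commonly documented): if the system
resolver answers NXDOMAIN, or NOERROR with no A/AAAA records, the network
operator has opted out and the client falls back to system DNS.
"""
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes):
    """Return (rcode, [answer record types]) from a wire-format DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # skip QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return rcode, types


def doh_opted_out(msg: bytes) -> bool:
    """True when the canary answer means the client should disable DoH."""
    rcode, types = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return True
    return not any(t in (TYPE_A, TYPE_AAAA) for t in types)


def _name(n: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"


def make_response(rcode: int, a_record) -> bytes:
    """Constructed response to the canary A query, with an optional A record."""
    ancount = 1 if a_record else 0
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, ancount, 0, 0)  # QR, RD, RA
    question = _name(CANARY) + struct.pack("!HH", TYPE_A, 1)
    answer = b""
    if a_record:
        # 0xC00C: pointer back to the question name at offset 12
        answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + a_record
    return header + question + answer


# Constructed samples: a normal answer, a resolver that blocks the canary with
# NXDOMAIN, and one that answers NOERROR but strips the records (also an opt-out).
NORMAL = make_response(RCODE_NOERROR, bytes([192, 0, 2, 1]))   # TEST-NET-1 address
NXDOMAIN = make_response(RCODE_NXDOMAIN, None)
EMPTY = make_response(RCODE_NOERROR, None)

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("nxdomain", NXDOMAIN), ("empty", EMPTY)):
        print(label, "-> DoH disabled" if doh_opted_out(msg) else "-> DoH stays on")
```

The same parser, pointed at the answer your own recursor gives for the canary name, tells you whether clients on your network will keep using DoH or fall back to the resolver you hand out over DHCP.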


> This will only increase the massive amount of data that Cloudflare gets about people's online behavior

No, it explicitly won't.

> Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https


Which sounds nice in theory, but there are the usual legal exceptions:

> The resolver must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.

> Transparency Report. There must be a transparency report published at least yearly that documents the policy for how the party operating the resolver will handle law enforcement requests for user data and that documents the types and number of requests received and answered, except to the extent such disclosure is prohibited by law.

> The party operating the resolver should not by default block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates.

This doesn't really matter if you live in the US, but most of us don't.


There are two points:

1. centralization of all dns lookups is worrisome

2. DNS should not be handled by applications. It should be handled by the operating system.

I see a lot of people conflating the two in the comments.


I want to address #2.

I disagree. It has become common for the OS to handle DNS globally. This can provide nice cache efficiency/centralized configuration benefits. But it is also much less flexible and unlike e.g. the OS's Certificate Authority Registry there's no update/revocation benefits.

DNS over HTTPS being configurable in the browser gives us more flexibility. For example you want to AdBlock but not risk breaking OS Updates, you want to split-tunnel a VPN connection then pick which resolver for the browser, or you even want to use a different non-"internet"/non-ICANN network only in a single browser/instance you now can. That's powerful.

DNS by the OS is common in 2019. But saying it "should" without explanation isn't a strong argument except towards the status quo.

PS - If you think of a web browser like an "app ecosystem" this line of thinking makes a heck of a lot of sense. The OS is just a host for a sub-"OS" ecosystem. There's a reason browsers already have their own configuration for e.g. web cams, microphones, sound/mute, language, 3D acceleration, and security that already end-run around what the OS is trying to dictate.


> 2. DNS should not be handled by applications. It should be handled by the operating system.

I agree with #1, but why should it be managed by the OS?


No one wants a proliferation of different applications which all have different settings to access the network, especially when the OS provides centralised functionality to do so.

Because the OS gets provisioned with DNS by DHCP. Because the OS incorporates the hosts file. Any internal domains or local domain edits are not covered by this.

Because in most cases you don't want different applications to use different settings.

If you are currently using a private DNS server with internal domains and don't know about the changes firefox is going to make, firefox will resolve your domains incorrectly while all your tools like nslookup and dig will show correct information.

And then when you do figure it out, you will have to go to every single user and help them fix firefox setup. (because most of such small businesses don't have their own AD)

I first thought about blocking it at the company's firewall level, but that's tricky, because you don't want to break everything else that uses cloudflare.


It's annoying. I've already experienced this with chrome as chrome ignores my hosts file settings.

Example: Say you use hosts file to block porn and other shady sites for your kid, all they have to do is use chrome.


This has nothing to do with the topic. Chrome isn't replacing the OS's DNS resolver, and that bug is just that: a bug.

A bug that I cannot reproduce. Chrome follows my HOSTS file fine on Windows 10. But even if it didn't it would still be off-topic.


Same reason applications use syscalls instead of writing low level code to write directly to your HDD. The entire point of an OS is to abstract away low-level crap, and DNS is (imo) part of that.

Because I don't want to have to manage 400 configs when I can manage 1.
