If instead what you worry about is the government spying on your traffic then complaining about DoH is even more silly - DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based in (Germany).
DoH is vital to protect users around the world from censorship and worse. Enabling it by default is a good thing - protecting users from abuse shouldn't only be opt-in. There has to be SOME default chosen, and the default needs to be a site large and well run enough to a) handle the load, and b) be in the Firefox HSTS preload list. There aren't a lot of good DoH providers that fit these criteria - CF is one of the few.
As it stands Mozilla is switching out our local ISP for CloudFlare without asking our consent which means my traffic data is now spread around one more company - that seems like less privacy.
And I am not looking forward to finding out the fun ways in which this will break our local DNS.
The idea that Cloudflare is in any way more trustworthy than my local ISP is at best naïve. All this creates is another huge centralized pool of data with no oversight whatsoever except the promise of some company that is currently growing fast, that they will not do anything with that data. Come the times when money becomes tight again, we'll see how well that promise holds up.
Sure, encrypting DNS is a good thing. But this is just like trying to make email more secure by using a 3rd party encryption gateway - all it does is move around who to trust.
That's not privacy - that's just silly
According to their blog post discussing the matter, they fully intend to inform the user of the change and give them the opportunity to opt out.
>When DoH is enabled, users will be notified and given the opportunity to opt out
Seems obvious, but is wrong. If there is a really obvious obstacle to anything, which immediately comes to mind, chances are people addressed this already.
In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
> Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
What happens if they get a FISA warrant? How does your contract protect users that before didn't have their DNS queries sent to US companies?
When you visit any of my websites, which are not on shared IPs, then not only will you continue to inform your ISP that you're doing so (regardless of the existence of ESNI), but you will additionally be informing cloudflare too.
What's your solution? That I centralise all my websites behind Cloudflare? In the name of privacy? Laughable.
> and Cloudflare can gather them from DNS
but is contractually forbidden from saving that information.
> What happens if they get a FISA warrant?
They have to follow the law? Wrong threat model.
You are not permitted to hand-wave corrupt government interception or rubberhosing of civilian data as "wrong threat model." These technologies are central to, and must be focused specifically on, protecting all civilian data from all governments. That is the primary purpose of all privacy systems. Not to protect you from coffee-shop denizens trying to snoop which dating sites you use.
If it's one of the large monopoly providers, it's as much a one-stop-shop as Cloudfront is.
Though outside the US, the NSA doesn't require a FISA warrant to intercept data, nor does it face any US legal restrictions on doing so.
At least from a general perspective I don't see a big difference.
> And there’s no logging.
Until the courts say there must be.
I used to work at an ISP.
We configured (wrote policy language for) our DPI platforms to do header inspection of all HTTPS traffic to measure customer experience to different websites, to improve the customer experience.
The raw data was (theoretically) accessible to ~4 people and deleted as soon as ETL had succeeded, and the anonymised results (aggregated only by region, product etc.) were available to the operations team (another ~8) and product management (~4).
This complies with our country's personal information regulations.
Mozilla proponents seem to be quite anti-ISP.
Why is that?
>> What happens if they get a FISA warrant?
> They have to follow the law? Wrong threat model.
If this happens for non-US citizens, this is a violation of the privacy laws of the affected user.
If this is rolled out, I will either ensure my distro switches this off by default, or have to consider changing browsers (away from Firefox).
The data would still end up at yet one more company, compared to the status quo.
Trust works if I know the people involved - but I don't know a single individual at Mozilla (or Cloudflare for that matter). That Mozilla trusts Cloudflare is beside the point if I don't really know who they are.
The entity I am actually trying to trust is example.com - all this shuffling around trust in increasing layers of complexity is missing the point of the actual problem: Bootstrapping a connection to example.com without revealing to a 3rd party that that is what one is trying to do.
You seem to think that:
1) No company in the history of the world has ever violated a contract?
2) No government has ever forced a company to give up information that it is contractually obliged not to give up?
3) No hacker has ever hacked into a company's systems and exfiltrated data the company was contractually obliged not to share?
You seem to think that if a contract has been concluded, it is impossible for it to be violated.
Then there are also the problems of making all Firefox browsers depend on the availability of CloudFlare.
It's as simple as this. Now I do prefer a society of trust over excessive technological means, but let's not pretend like sending data to an additional third party is somehow more or even just as private as not sending it in the first place.
So if Cloudflare maintains a log of your requests who cares, that log is useless since they can't identify you as soon as you change your IP address. While using standard DNS the provider can identify you and can log all your DNS requests, even if you don't use the default ISP DNS servers, since they can simply intercept and decode all the traffic on the DNS port. And not only your provider, everyone in the path between your PC and the DNS server, even at LAN level, for example in public WiFi networks like in airports, schools, companies, the administrators can log all your DNS traffic, and put filters on it.
> Sure, encrypting DNS is a good thing. But this is just like trying to make email more secure by using a 3rd party encryption gateway - all it does is move around who to trust.
Make up your mind: are you worried about the number of people that can see your DNS or not?
> it's trivial to change your DoH provider
Cloudflare is the default.
Cloudflare is the only provider listed.
Cloudflare will be On by default, so it will be that for 99.999% of Firefox users.
That ain't right no matter how well intended it is.
So the status quo is no better than this, and at least this is encrypted and protected by a privacy guarantee.
Now I agree that ideally a user-visible preference should be created for the DoH resolver, but I don't think that's a blocking issue. Just like the accounts feature uses a Mozilla server, and Chrome uses Google accounts, and both use Google Safe Browsing lists, browsers have always made the decision to hardcode various external service providers.
You're completely missing the point. Users have many different ISPs, and them knowing DNS queries is not a problem because it's the ISP anyway. Now a browser wants to change that behavior, and send ALL queries to one American company.
Of course there's arguments for and against these aspects in the case of name resolution, both technical and on a legislative level, but maybe a net win in terms of privacy protection for the majority of users is still worth it. And should Cloudflare or whoever decide to misbehave with the data we send, it'll at least be easy to switch to other providers when DoH is widely adopted.
DNS over TLS has other issues. There's a nice comparison here: https://dnscrypt.info/faq/ I have been using a local resolver on 53, that forwards all requests from my LAN into DNSCrypt (and sends that over a VPN tunnel). That way I maintain privacy and decentralization, as well as being able to simply use the DNS resolver built into my OS.
I have to wonder though with HTTP/3 https://en.wikipedia.org/wiki/HTTP/3 being QUIC based, will we see DNS over QUIC? https://en.wikipedia.org/wiki/QUIC
Seems like Firefox doesn't even support QUIC at the moment. https://bugzilla.mozilla.org/show_bug.cgi?id=1158011
So Firefox could at most support either Google QUIC (internal prototype, now obsolete, who cares?) or a random draft that may end up not resembling the final product. If they haven't decided to do either it doesn't seem like a big deal.
Ah yes, you're right. Also Mozilla (M. Thomson, Ed.) is on the author list there so I expect they will support it when it is finalized.
Hopefully then they also support DNS over QUIC, I expect they probably will once QUIC is finalized. I think DoH is just a stop-gap measure to be honest.
For most people, if you can't trust your ISP, you have bigger problems.
For people who can trust their ISP, why should we all by default be affected by the fact that the Mozilla developers seem to all live in a non-free or non-democratic country?
Maybe they should instead focus on fixing the US political system that results in their current situation, rather than trying to use technical means to solve political problems.
I have a very specific case for this: in the days before and during the referendum for the Catalonia independence (Oct 1st 2017), all the Spanish ISPs were blocking access to the websites related to the referendum, using DPI to look for the SNI hostname. One of the main reasons to enable DoH in FF is to enable the encrypted SNI feature https://miketabor.com/enable-dns-over-https-and-encrypted-sn...
Which is already a lot better than getting 100% from simply spying on CloudFlare or serving them with "National Security Letters".
My DNS requests traverse my ISP's network to my ISP's DNS server (or my employer's ISP's DNS server if I'm at work).
I live in a country where I have very strong privacy protections and what my ISP can and can't do with my DNS requests is extremely limited.
If my DNS requests are sent to CloudFlare or Google instead, my DNS requests are under American jurisdiction, where I have no rights and both American businesses and the American government can do whatever they please with no real recourse.
The reason why browsers are moving to features like DoH and eSNI as defaults is because it's every type of nation that is now instituting pervasive surveillance against its citizens.
You also can't trust laws since ISPs can be hacked or infiltrated from the inside.
In terms of personal protection, encryption trumps law.
Cloudflare isn't magically free from the same threats.
There are very few countries with such strong privacy protections, even in the Western world.
Not sure it matters, but only by a small margin is that true. 500M vs 515M.
I'm not familiar with DoH. Would it allow CloudFlare to match domain names to IP addresses still? If so, then I don't see how it adds any value to the current solution. If anything, it creates a false sense of security which is worse than no security at all.
What's the point of encrypting the DNS lookup step if a middleman can still potentially see everything in plaintext?
Institutions providing internet access, but with an obligation or operational requirement to block certain kinds of content (e.g. insufficient network capacity on the free WiFi at a hospital to allow streaming video for all visitors) would not be able to do it at all.
Privacy proponents seem to forget that there are sometimes reasonable reasons to allow traffic to be blocked, and instead of looking for a real solution, are imposing ridiculous "solutions" on all Firefox users.
Now, Cloudflare will see them too (if this were to come to my country).
But they can already see what sites I visit because they are my ISP and carry my packets.
In Mozilla's new default implementation Cloudflare will also see them, without me ever knowing (as an average user).
Exaggerating slightly ... but not that much really. And all in the good name of privacy and security.
It is also amazing how people (Americans ?) are not willing to admit I want MY jurisdiction to apply. Not an American one. I want the choice.
> I want the choice.
Then turn it off. But the default protects more people than it harms.
I don't doubt the intentions of Mozilla. But, I expect Mozilla to set the bar much higher.
> But the default protects more people than it harms.
Sorry, not good enough for me. They should not be promoting a private company centralized solution. They really should be pushing for a decentralized and distributed solution that is yet secure for everyone involved and promote that.
The destination IP is more than enough to build a customer profile. It's not terribly relevant if you visited Youtube or Maps. Just analyzing netflow logs will give much more information than what services you use, such as for how long you use them and if you stream any media during that time.
Should you wish to have more information than that on your customers you'd have to buy it from someone who runs code in most web pages you visit. There are plenty of those, too.
Why the hell would anyone buy hardware from an evil spyware company such as Google?
Of course you can never trust a private corporation to do stuff in the public interest.
DoH doesn't prevent ISP monitoring. Even if they cannot see the DNS request, the browser sends the ISP the returned A/AAAA record in the header of a TCP SYN packet. The ISP necessarily sees the hosts you are connecting to; they don't need to see the DNS traffic. DoH to Cloudflare allows both Cloudflare and the ISP to monitor your pattern-of-life.
> DoH is vital to protect users around the world from censorship and worse.
Yes, it would be a useful tool to fight censorship, but don't conflate that with monitoring traffic. The ISP still sees the addresses and ports in the IP+TCP headers.
But of course, then the problem is punted to SNI, since your TLS Hello packet will probably send the host name with the setup packet, leaking the host then. So we're back to square one. To be fair, Firefox and Cloudflare are also working on ESNI, in which case, from what I understand, your DoH reply will include the A/AAAA record and the public key to encrypt SNI names with, which plugs that final major hole.
So I think the A/AAAA record being exposed doesn't necessarily tank everything, but it certainly isn't perfect, either. But realistically none of these solutions were 100% perfect and a unique A/AAAA record was always going to expose you to a significant amount of side analysis, I think. In general, it just raises the bar and lets us place more trust in the "last hop" between you and the resolvers, much like many other improvements over the past few years, and originally envisioned by e.g. DNSCrypt. In general I feel the actual host header is more important than the A/AAAA record (it is at least more accurate), but I could be super wrong about that.
(The more general discussion about a few major players being able to shape major internet changes for users like this, and general consolidation of the internet is, I think, extremely relevant. But also beyond just this particular exercise.)
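An added illustration (not code from any commenter, Mozilla or Cloudflare) of what an on-path observer can still read from one TLS connection after DNS has been moved to DoH: the destination address and port from the packet headers and, unless ESNI hides it, the plaintext server_name from the ClientHello. The ClientHello bytes are constructed in the code; `what_the_network_sees` and the sample addresses are names and values chosen for this example.

```python
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not captured traffic).
    With server_name set, the SNI extension (type 0) travels in the clear, which is the field a
    DPI box or ISP reads even when the DNS lookup itself was encrypted. With None, the hello
    carries no plaintext name, which is the effect ESNI aims for."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = b"\x03\x03"                                # client_version = TLS 1.2
    body += b"\x00" * 32                              # random (zeroed in this sample)
    body += b"\x00"                                   # session_id length = 0
    body += struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf, pos):
    """Read a big-endian uint16, refusing to run past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record):
    """Return the plaintext SNI host name from a TLS ClientHello record, or None if absent.
    Every length field is bounds-checked rather than trusted, as a passive parser should be."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or len(hs) != _u16(record, 3) or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    pos = 4 + 2 + 32                                  # handshake header, version, random
    if pos >= len(hs):
        raise ValueError("truncated")
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + _u16(hs, pos)                          # cipher_suites
    if pos >= len(hs):
        raise ValueError("truncated")
    pos += 1 + hs[pos]                                # compression_methods
    if pos == len(hs):
        return None                                   # no extensions block (legal for old clients)
    end = pos + 2 + _u16(hs, pos)
    pos += 2
    if end > len(hs):
        raise ValueError("extensions length exceeds handshake")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0:
            continue
        list_end = 2 + _u16(data, 0)
        p = 2
        while p + 3 <= min(list_end, len(data)):
            name_type, name_len = data[p], _u16(data, p + 1)
            if name_type == 0:
                return data[p + 3:p + 3 + name_len].decode("ascii", "replace")
            p += 3 + name_len
    return None


def what_the_network_sees(dst_ip, dst_port, client_hello):
    """What an on-path observer (ISP, hotspot, DPI appliance) learns from one connection no
    matter how the name was resolved: the IP/port pair from the headers and, absent ESNI,
    the host name from the ClientHello."""
    return {"dst": (dst_ip, dst_port), "sni": extract_sni(client_hello)}


if __name__ == "__main__":
    # 192.0.2.10 is an RFC 5737 documentation address, constructed for this sample.
    print(what_the_network_sees("192.0.2.10", 443, build_client_hello("example.com")))
    print(what_the_network_sees("192.0.2.10", 443, build_client_hello(None)))
```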
Of all the governments to worry about, the ones in the EU (as well as US, CA, AU, NZ), are the ones I'd least be concerned with, relatively speaking.
They're enabling this in the US, and yet even with all its problems, it's the one country that the average web surfer would have to worry least about when visiting "inappropriate" sites.
Great. Then enable it in countries where it's actually a problem. As a Canadian I do not feel a need for this, and I worry about Cloudflare getting an NSL more than I worry about CSIS/RCMP tapping glass.
Completely wrong threat assessment in my opinion. You should always be concerned about your own government. It isn't only the axis of evil that imprisons people with leaks about heavy privacy invasions.
Russia and China have anything about you and you are a citizen of a western nation? Great, because that doesn't matter at all.
You know who poses the greatest threat in motorsports? It is the other driver on your team.
Who says I'm not? But I have recourse with government. What recourse do I have with a private corporation that's based in a country with such lax privacy laws?
My e-mail is hosted on Canadian soil with a direct-connect to TorIX (and I personally know the people who run the servers).
I know when I hit a foreign corporation (AMZN, GOOG, etc.) that my data is probably up for grabs, but I also know when my traffic is not leaving Canadian (digital) soil.
So yes, I know all about ECHELON et al, but I know how the packets I send out are generally routed as well.
Not true. ISPs typically record and store netflow-like data, very rarely DNS-data (I'd say storing DNS data is even unusual). If ISPs are in a position to get more detailed than netflow data on you they resort to things like deep packet inspection (DPI), which doesn't rely on DNS, pretty much all mobile/cellular ISPs do that today.
Not true either. DoH can't do anything against censorship and if enabled by default in all browsers can actually give worldwide censorship powers to a single US entity that already has something akin to "we will block anything we don't like and do anything our government wants" in their ToS.
So, yes, the average Internet user isn't very familiar with DNS. Maybe privacy wars will lead to growing awareness in this area though.
(1) There is no informed consent happening here, highlighting to a user, say in Europe, that this would lead to a U.S.-regulated entity knowing a lot about their browsing history. Regular users can't be expected to understand that that is what this setting implies but will think of "DNS over HTTPS" as technical mumbo jumbo that they don't need to pay attention to and that they should keep at default.
(2) The dropdown doesn't have any options besides Cloudflare. In order to use the "Other" option, the user would have to research URLs of providers on the Web, which seems like so much friction that few people will do this.
They do NOT want the list to go:
Sketchy Valley Company with six months runway and no clear plan how to make a profit
The Actual Mob, really
Great Britain's Ministry of Truth
Russian Media Company owned by Vladimir Putin
And then have news sites going "Why are all these obviously untrustworthy folks listed?" when the answer would be "Oh we heard that people didn't like the short list of actually trustworthy providers so we added all the other ones that we don't trust too!"
I also don't believe that Mozilla has the ability to greatly influence the way Cloudflare would run their service, given that they're probably not paying a lot (or anything at all; don't know the particulars), and are unlikely to be a major component of Cloudflare's revenue. Cloudflare has much more to lose by picking a fight with the U.S. government (think government surveillance) or by pissing off major advertising networks and media corporations (think surveillance capitalism) who make up the lion's share of their revenue on Cloudflare's core webcaching business.
Like I've asked before, should Mozilla also start including an obfuscating VPN by default, to bypass the Chinese firewall?
This is a political issue, and one that I don't think Mozilla should even get involved in because it could have very ugly consequences --- just focus on making a good browser and leave the politics (and VPN/firewall-busters) to others.
While true for you or me, the vast majority of people will have this enabled by default - probably not even realising it's on.
DigitalCourage was one of the names mentioned as a potential EU-based DoH provider.
This is very bad for Erdoğan. They won't be able to block DNS over HTTPS. Thus their classic DNS blocks will be useless. Last time I checked there were over 300K blocked domains via DNS. Even 188.8.131.52 doesn't work.
Of course they will. The DoH server can be blocked just like any other.
Said own country might one day decide to restrict access/log visits to controversial site X (e.g. Tibet, government critical news, piratebay etc.), which does not affect your DNS based in a foreign country.
That seems pretty shady to me
Trusting your ISP, even in a country with data protection laws like Sweden, is naive. I'd much rather trust a company that tells me "this is the data we store. This is the data we share with APNIC and no-one else".
This should be, if not illegal at least highly problematic in the eyes of the law. At best the ISPs got a "better behave, because next time ...".
All ISPs have data sharing with "selected partners to ensure service quality" which, at least until GDPR, meant basically that they could sell data.
Whereas cloudflare states that the 184.108.40.206 data will only ever be shared with APNIC in anonymised form (which they define). Cloudflare defines what data they share for 220.127.116.11 users, which my ISP does not. I trust cloudflare, at least right now. If they were to change their retention policies and agreement I would maybe reconsider.
But basically, I know my ISP, and they don't log DNS queries.
Most ISPs (the ones I have worked with) don't save DNS requests. They usually save netflow.
I also use a VPN (my own), with its own DNS resolver, for when I don't trust the middleman.
It seems trivial to select half a dozen likely candidates and let the user choose between them on install.
Honestly I'd like them to do the same with the search engine. Yes, it's simple enough to change the default, but it'd be nice to choose up-front.
Most Firefox users do not care. Those that do can figure out how to change it easily enough.
My ISP's caching DNS, and any caching DNS running on IP addresses belonging to/advertised by my ISP via BGP to various CDNs, are the best possible responses.
I don't care if the p99 DNS response from my ISP is 50% slower than Cloudflare, if the streaming video, or large download, or many small files requests are better served by CDNs in my ISP's network that are not visible to Cloudflare.
All DNS benchmarks I have seen focus only on the DNS response time, never on the DNS response quality.
But that's because they are mostly written by people who don't know how the internet (or competent ISPs) actually works. Some of them even seem to log errors when they get unexpected responses for some well-known URLs (like google.com) because they don't know there are newer Google sites than when they last checked ...
Germany: Storing data for a limited period of time so that data pertaining to individuals can be requested on a case-by-case basis by law enforcement (we are talking Police, not all of government). Not a big deal.
U.S.: Highly developed and well resourced mass surveillance in operation on both the business side (surveillance capitalism) and government side (NSA). Privacy laws that protect only U.S.-based persons and declare data pertaining to foreign persons to be fair game. Big f*ing deal.
Author is based in Switzerland.
But since you mentioned Germany - German security services have no legal authority to indiscriminately monitor internet traffic, particularly not inside the country. They got into trouble with parliament the last time they got caught doing it.
For ISPs, there's no business value in intercepting or logging customer traffic. They're not allowed to use such data themselves, like for advertising purposes. At "large ISP" scale (tens to hundreds of gigabits), equipment that can intercept DNS queries at line rate is very expensive and adds a lot of infrastructure complexity. ISPs operate on thin margins and have zero incentive to deploy such equipment or otherwise mess with traffic.
They're legally mandated to store some metadata like IP address assignments and flow/CGNAT data for a limited period of time and aren't terribly happy about it, at the very least because it's expensive to collect and store it with no benefit. Deutsche Telekom has recently sued the government about it and won. The so-called "Vorratsdatenspeicherung" is a recurrent topic in German politics with conservative governments introducing it, and then having to scrap it when it gets challenged in court by civil rights groups and/or companies.
In either case, DNS request data is NOT metadata and would never be inspected and stored unless there's a specific warrant.
Deutsche Telekom once redirected NXDOMAIN responses to an OpenDNS-like landing page with suggestions ("Navigationshilfe") and had to stop doing it when people complained to authorities.
Exporting and analyzing sampled packet headers or flows is pretty cheap and a standard feature with carrier-grade routing equipment (NetFlow/IPFIX and/or sFlow). IP assignments are basic accounting data that every ISP has.
Inspecting packet contents is very different and requires plenty of expensive extra equipment and/or complicated network engineering to redirect traffic to a centralized analyzer, which increases latency. It's only done if necessary, like temporary rerouting for ingress DDoS mitigation.
(source: worked in the industry)
> Masses of unfounded FUD - the article deliberately buries that it's trivial to change your DoH provider if you're silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have far more lucrative avenues open than selling DNS requests by IP).
Personally, I do trust CloudFlare and understand Mozilla's choice, but I do agree with the centralization concerns. It's a difficult set of tradeoffs, and characterizing the author's concerns as "unfounded FUD" is not fair.
> security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based in (Germany).
The author appears to be from Switzerland, and it's not clear at all why "security services" (who?) in Germany "especially" have few restrictions.
That refers to news and new laws in recent years, which extended their surveillance capabilities. Also, it is relevant because Germany both has relatively strong data protection against non-state actors, but also quite capable intelligence agencies.
That said, I think arguing about state actors is the wrong threat model for this discussion.
My post was just a rebuttal to GP's framing the discussion around vague accusations towards state actors.
> security services captures the meaning quite well
It really doesn't. The various secret services (internal, external, military) are reporting to parliament (not the whole of it, just a close circle/committee nevertheless having received trust by being elected), and their heads are nominated by the government. It's of course entirely within your right to criticize their existence or operations, but yielding power to private monopolies based in another country without any public control whatsoever and potential ties to foreign secret services (we don't really know) can't possibly solve whatever problem you're on to, and shouldn't be justified on such vague arguments.
Very long term we might trend away from that, just as eventually countries which had outlawed capital punishment "except in times of war" realised they had no intention of doing it in a war either so many of them began removing that caveat. But today this is the case with every such restriction I've seen, it either says in the law itself that it doesn't apply to security services or there's a superseding law that says the security services needn't obey the data protection rules.
Disclaimer: I do not work for or have any financial connection to that service.
> Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.
> The organization said it's been asking ISPs and providers of network-based parental control solutions to add a "canary domain" to their blocklists. When Firefox detects that this canary domain is blocked, it will disable DoH to prevent the feature from being used as a filter-bypassing solution.
And I'm already set for the DoH switch.
Anyone upstream that wants to start censoring or logging can just add this canary domain and continue business as usual.
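An added simulation (not code from Mozilla, Firefox or any commenter) of the canary-domain heuristic the quoted article describes, including the limitation raised above: a network that blocklists the canary silently pushes every later query back to the plain-DNS resolver it controls. The canary name is Mozilla's published one, taken from its documentation rather than from this page; the zone data, RFC 5737 addresses and class names are constructed for the example.

```python
class Nxdomain(Exception):
    """Raised by a simulated resolver when a name does not exist or is blocklisted."""


# Mozilla's published canary name (assumed here; the page itself does not name it).
CANARY_DOMAIN = "use-application-dns.net"


class SystemResolver:
    """Simulated plain-DNS (UDP/53) resolver as handed out by DHCP. A blocklisted name is
    answered with NXDOMAIN, which is how parental-control and ISP filters typically behave.
    Everything it resolves is, by construction, visible to whoever runs the network."""

    def __init__(self, zone, blocklist=()):
        self.zone = dict(zone)
        self.blocklist = set(blocklist)
        self.seen = []                      # names this resolver (and thus the network) observed

    def resolve(self, name):
        self.seen.append(name)
        if name in self.blocklist or name not in self.zone:
            raise Nxdomain(name)
        return [self.zone[name]]


class DohResolver:
    """Simulated DoH endpoint: same zone, but queries are invisible to the local network."""

    def __init__(self, zone):
        self.zone = dict(zone)
        self.seen = []

    def resolve(self, name):
        self.seen.append(name)
        if name not in self.zone:
            raise Nxdomain(name)
        return [self.zone[name]]


class Browser:
    """Models the decision the quoted article describes: probe the canary through the system
    resolver once at startup; if it is blocked, use the system resolver for everything."""

    def __init__(self, system, doh):
        self.system, self.doh = system, doh
        self.doh_enabled, self.reason = self._canary_check()

    def _canary_check(self):
        try:
            answers = self.system.resolve(CANARY_DOMAIN)
        except Nxdomain:
            return False, "canary blocked (NXDOMAIN): DoH disabled"
        if not answers:
            return False, "canary returned no addresses: DoH disabled"
        return True, "canary resolved: DoH enabled"

    def lookup(self, name):
        return (self.doh if self.doh_enabled else self.system).resolve(name)


ZONE = {  # constructed sample zone using RFC 5737 documentation addresses
    CANARY_DOMAIN: "192.0.2.1",
    "example.com": "192.0.2.10",
    "news.example.net": "192.0.2.20",
}


def run_scenario(blocklist=()):
    """Resolve two sites behind a network with the given blocklist and return
    (doh_enabled, names the system resolver saw, names the DoH resolver saw).
    From the browser's side a parental-control filter and a censoring or logging upstream
    that blocklists the canary are indistinguishable: both land every query on the system path."""
    system, doh = SystemResolver(ZONE, blocklist), DohResolver(ZONE)
    browser = Browser(system, doh)
    for name in ("example.com", "news.example.net"):
        try:
            browser.lookup(name)
        except Nxdomain:
            pass                            # a blocked site simply fails to resolve
    return browser.doh_enabled, list(system.seen), list(doh.seen)


if __name__ == "__main__":
    print("open network:     ", run_scenario())
    print("canary blocklisted:", run_scenario(blocklist=(CANARY_DOMAIN,)))
```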
I don't think anyone believes CF will start selling data, that's not what the article argues.
Regardless, it's opt-out not opt-in. Which is against newer consumer protection laws such as GDPR.
This isn't black and white. Yes there is upside (as both you and the article agree), but the downside of how DoH is implemented here is that you have to point all your DNS queries to a US company. Historically we've seen how this is a bad idea for global internet privacy (eg. PRISM, etc).
CF is not a private company funded by a foundation with a time until the funding runs out measured in 30-40 years. It is a public company with a small number of customers that provide the majority of its revenue.
It simply isn't prudent to say that it won't explore other revenue streams in the future and that monetization of data won't be one of those streams.
> Regardless, it's opt-out not opt-in. Which is against newer consumer protection laws such as GDPR.
I understand the argument in theory... but the reality is CF is a more trustworthy DNS provider than basically any consumer ISP in the EU.
Historically we've seen many cases of US companies handing over data to US authorities (willingly or not).
The problem with the US is that data is being used against you, like recent events have shown.
Quite an important detail.
The correct way would be to standardise DoH and DoT and add support for them to automatic address configuration and operating systems.
Exactly. If Mozilla wants to, it's more than welcome to reach into the VPN area with its own products, but I don't believe this functionality should be part of a browser. They're already reaching into the VPN area, should they also investigate bypassing Chinese censorship with their own "firewall-busting" obfuscating VPN? That's not something most users want nor need in their browsers, and such functionality is really a cat-and-mouse game that I think is best left to smaller and less-well-known entities.
It's unfortunate that browsers are already beyond "neutral", when IMHO the only thing they should do is fetch exactly the page URL that was entered and display it.
Edit: yes, apparently people disagree and want Mozilla to control what the Internet (and every user, ignoring his/her default configuration) does. This is really really disturbing.
I strongly disagree. Browsers deal with a hostile environment that poses countless threats to their users, and need to be safe. Arguing that browsers should be minimal and not protect privacy is like arguing that cars should be minimal and not have seat belts.
There is an argument that ensuring privacy in DNS could be done outside the browser. I think HTTPS is a good precedent for putting privacy in the scope of the browser; the browser should attempt to ensure that privacy expected by the user is established or it should refuse to operate.
I disagree with the solution of trusting Cloudflare, but privacy should be considered crucial to user safety in modern browser design decisions.
I strongly disagree. A browser has one job, and that is to follow and render URLs. Secure connections and such are services provided by other components of the OS, and the browser should absolutely use those services but not attempt to overreach its main purpose. It's really the principle of "do one thing and do it well".
To spin your analogy, you're arguing that cars should have seatbelts that also check your age and blood alcohol level because "that's also a safety thing".
There is an argument that ensuring privacy in DNS could be done outside the browser
Yes, the same way that VPN clients are; and I'm perfectly happy for Mozilla to be working in that area, but most certainly do not put that in the browser and do not make it default.
This sounds good on the surface, but falls apart at the smallest level of logical scrutiny.
It's akin to saying, "a car should only accelerate, decelerate and make turns!" After all, that's a car's main purpose.
Whereas the fact of the matter is that modern cars are built to be able to handle all kinds of hostile environments and have numerous defense and safety mechanisms in order to keep their passengers safe.
The same applies to Internet browsers.
So browsers can throw up their hands and say "we are as secure as the OS" or they can do it themselves. Not ideal but the alternative is worse for users.
Nothing. Absolutely nothing. Work within the environment you're given.
Basically every device on the planet is right now configured to blindly accept whatever DNS server is handed to it by DHCP and there is really no movement on changing that.
...and that's just fine, because I trust my LAN more than some third party in another country.
wow. not only has history rejected your premise, but the many technologies that exist today in a web browser prove you wrong.
The essential Multics vs Unix mindset clash. One application to rule them all vs. a versatile toolbox of interchangeable modules. Telco heads vs hacker heads.
In the end, the hackers always win - but the telcos grow to be fat cats.
It all feels like a step-by-step attempt at turning general-purpose computers into cable TV.
"rm"'s purpose is only to delete, yet it still tries to ensure safety and sanity with its flags: -r, -f, --no-preserve-root, etc. Even simple tools should be safe by default.
VPNs are not a substitute for, nor a better solution than DoH in the same way as they are not for HTTPS or SSH.
This is beside the point. Mozilla make a browser. They don't make the address resolution code for the underlying operating system. Operating system vendors are of course going to start to support DNS-over-https.
You can disable DNS-over-HTTPS if you don't want it enabled. Just go to about:config and set network.trr.mode to 5.
It was also possible to disable Ubuntu from sending your desktop searches to online retailers:
Just because something can be disabled does not necessarily mean it should be enabled by default in the first place.
Edit: I've just checked and there is the ability in the settings screen to set a custom DoH provider. So once your pihole can do it you can set it there.
So for me the trr mode is stored in /home/sean/.mozilla/firefox/k3dmofx7.default/prefs.js
If you don't like CF just switch to a different provider: https://github.com/curl/curl/wiki/DNS-over-HTTPS
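The about:config / prefs.js advice above in working form, as an added example that is not code from the thread or from Mozilla: a small Python audit script that parses a Firefox profile's prefs.js, reports whether DoH (TRR) is in effect and which resolver it points at, and rewrites network.trr.mode so the same change can be pushed to every profile on a network. The mode meanings follow Mozilla's TRR documentation; the sample prefs.js content (including the resolver URL in it) is constructed for this example, and the audit_profile path argument is whatever profile you point it at.

```python
import re

# network.trr.mode values as documented on the Mozilla TRR wiki page.
# Anything else is reported as unknown rather than guessed at.
TRR_MODES = {
    0: "off (default): native OS resolver only",
    1: "race native DNS against DoH, use the first answer",
    2: "DoH first, fall back to native DNS if the DoH query fails",
    3: "DoH only, never fall back to native DNS",
    5: "off by explicit user choice",
}

# One prefs.js line looks like: user_pref("network.trr.mode", 5);
PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

# Constructed sample profile content (not copied from any real profile).
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("browser.startup.homepage", "about:blank");
"""


def parse_prefs(text):
    """Return a dict of pref name -> typed value from prefs.js/user.js text."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything odd untyped
    return prefs


def doh_status(prefs):
    """Describe the effective TRR configuration in a profile.

    An absent network.trr.mode means mode 0. An absent network.trr.uri
    means Firefox's built-in default resolver, which this script cannot
    see, so it is reported as None rather than assumed.
    """
    mode = prefs.get("network.trr.mode", 0)
    enabled = mode in (1, 2, 3)
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown mode value"),
        "doh_enabled": enabled,
        "fallback_to_native": mode in (1, 2),
        "resolver": prefs.get("network.trr.uri") if enabled else None,
    }


def set_pref(text, name, value):
    """Return prefs text with `name` set to `value`, replacing or appending."""
    if isinstance(value, bool):
        rendered = "true" if value else "false"
    elif isinstance(value, str):
        rendered = '"%s"' % value
    else:
        rendered = str(value)
    line = 'user_pref("%s", %s);' % (name, rendered)
    pattern = re.compile(r'user_pref\("%s",\s*.+?\);' % re.escape(name))
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text)
    return text.rstrip("\n") + "\n" + line + "\n"


def audit_profile(path):
    """Read a real profile's prefs.js (path is yours) and return its DoH status."""
    with open(path, encoding="utf-8") as fh:
        return doh_status(parse_prefs(fh.read()))


if __name__ == "__main__":
    print("before:", doh_status(parse_prefs(SAMPLE_PREFS)))
    # Mode 5 is the about:config "turn it off" value mentioned in the thread.
    fixed = set_pref(SAMPLE_PREFS, "network.trr.mode", 5)
    print("after: ", doh_status(parse_prefs(fixed)))
```

Firefox rewrites prefs.js on exit, so push changes while the browser is closed, or put the user_pref line in a user.js in the same profile directory, which Firefox reads at startup and which is the usual place for settings you want to persist across upgrades.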
I trust my ISP and government more than a US company I have no formal contract with and the US government.
Also, there's the whole 'applications should not override system level settings' thing. My DHCP pushes a local (caching) DNS server that also does name resolution for internal services. This change would break that for all Firefox users on my network.
And every single intermediary and whoever else might be listening in? This is an unencrypted plaintext connection. Which is the main point here. The whole "we trust ISP more" thing is completely beside the point. The point is DNS is horribly insecure nowadays, and it is about damn time we switch to something better.
> Also, there's the whole 'applications should not override system level settings' thing.
Hopefully, DoH will become a system level setting eventually.
Thus, Cloudflare is the problematic intermediary.
The only thing the snooper won't be sure of is which Cloudflare client asked for that record.
You're not affected then, because the DoH rollout w/ Cloudflare as the default is only planned for the US.
Because if you do, at that point they are your "ISP" for purposes of this discussion. Do you still trust them more than Cloudflare?
(For a desktop machine, obviously this is not an issue, but for pretty much anyone with a laptop this is something that needs to be worried about.)
As far as internal services, is this a split-horizon setup? As far as I understand, the plan is to detect those and fall back from DoH to normal DNS as needed.
I wish Windows 10 and other operating systems natively supported DNS-over-HTTPS, but many don't. So they have to work around that lack of support.
I do not! I'd rather have that anon US co. than any government.
I use https://odvr.nic.cz/doh
I feel like at least in Europe, a large majority of people would trust their government and local ISP much more than some company halfway around the world with basically no accountability in your own country, especially an American one, since it means your data is basically at the mercy of the US government.
Seems like this is a very good move for them.
I still trust my DNS servers (or those of most ISPs, for that matter) more than I trust Cloudflare. I'd rather have intelligence services go through the effort of infiltrating every single ISP separately to get any useful dragnet intelligence, instead of just one large entity that can illegally collect all traffic from all users of a web browser.
 - https://github.com/q3k/rsh-unbound
 - https://hazard.mf.gov.pl/Ustawa
And I very much hope they aren't contemplating rolling this out in Europe.
Having worked for a major European telco, I get the impression that the amount of regulation they face around data protection and privacy is tremendous and my experience has been that this stuff is by no means taken lightly either.
It would never in a million years occur to me to route my traffic in such a way as to circumvent the legal protections it enjoys as long as it stays within a European ISP's network and instead encrypt it and send it off to a nearly unregulated entity in a foreign country.
Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
These are much stronger guarantees than my ISP's.
Your ISP has access to more detailed data on you than DNS queries. Also CF servers are typically located in the same jurisdiction as your government and send unencrypted DNS queries from there. Now instead of dealing with every ISP your government has to deal with just one company in one location, no need to even ask that company anything, just come in and setup mirroring point, very convenient for the government, not very good for you.
Even with DoH, my ISP already sees all of my network traffic. My DNS queries will effectively be anonymized by their recursive name servers.
I believe the GP comment was referring to government surveillance. This is a thing in Europe and GDPR won't protect you from it.
Also, good news for you: Since you live in Europe, the announced switch to DoH with Cloudflare as the default for Firefox users in the US won't affect you.
The people fighting for the status quo probably know how to run their own resolver, even with DoH or DTLS. But Mozilla's conundrum is how to protect everyone's privacy (and to a certain extent, security). DoH, despite all its flaws, attempts to do that by piggy-backing on already working infrastructure, so it seems like a good fit to move everyone to DoH. But then there's the chicken-and-egg problem. How do you make sure people deploy local DoH resolvers if no browser enforces the move to DoH? How do you make sure those resolvers are truthful, or even respect local law (having both is often impossible)?
So, you need to compromise. I'd have preferred to have a temporary non-profit third party entity handle this à la Letsencrypt, but Mozilla deemed its contract with Cloudflare sufficient to provide enough guarantees. Ideally, name resolution should be done closer to the user instead of being centralized like that. But by arguing instead of experimenting we just keep the status quo. Time will tell if this was a bad decision. But it's not as clear cut as this blog post says it is.
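What "piggy-backing on already working infrastructure" means on the wire, as an added example not taken from the thread: RFC 8484 carries an ordinary DNS wire-format message over HTTPS, either base64url-encoded in a GET ?dns= parameter or as a POST body with Content-Type application/dns-message, so the resolver is just another HTTPS endpoint behind the same CDN front doors. The Python below builds such a query, forms the GET URL, and parses a response; the response bytes are constructed here (192.0.2.1 is an RFC 5737 documentation address) so the whole thing runs offline, and the resolver URL is only used to format a string.

```python
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A):
    """Build a single-question DNS query. RFC 8484 suggests ID 0 so that
    identical queries produce identical HTTP requests (better caching)."""
    flags = 0x0100  # RD set, everything else clear
    header = struct.pack(">HHHHHH", 0, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: base64url, padding stripped, in the dns= parameter.
    The POST form sends the same bytes as the request body with
    Content-Type: application/dns-message instead."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver_url, encoded)


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Parse the header and answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _name, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


# Constructed response to build_query("example.com"): NOERROR, one A record
# with TTL 300 pointing at 192.0.2.1 (documentation address, not a real host).
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"      # id 0, QR|RD|RA, 1 q, 1 ans
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"          # question: example.com A IN
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x01\x2c"  # name ptr, A IN, TTL 300
    + b"\x00\x04" + b"\xc0\x00\x02\x01"                        # rdlength 4, 192.0.2.1
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://mozilla.cloudflare-dns.com/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

Because the query and answer are just DNS packets inside an HTTPS body, an operator who can already terminate or inspect HTTPS for the resolver (the resolver itself, or anyone it sends the upstream query to in the clear) sees exactly what a plain-DNS snooper would; only the path between the browser and the resolver gains confidentiality.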
> Mozilla's conundrum is how to protect everyone 's privacy
And exactly how does this protect user's privacy? Instead of the user's ISP being able to see where the user connects now both cloudflare AND the user's ISP (via seeing the connection itself) can tell.
Re: privacy: by not having lying DNS or no NXDOMAIN, there is also less tracking (say, fingerprinting in ad web pages).
And in the ISP's case, you're assuming they already do DPI, otherwise they now see IPs, which might not mean much in the CDN case. But if they do DPI, it will be resolved once ESNI starts being deployed.
What if ISPs block requests with eSNI for all users, in order to be able to remain compliant with legal intercept legislation (e.g. warrant for suspected child porn investigation)?
There are conflicting desires with trade-offs, and all Mozilla is doing here is escalating the war, rather than trying to reach agreement with the rest of the industry on how to satisfy two different requirements.
Switching from a technical measure of privacy (no data being shared) to hope isn't the right way to go.
> But if they do DPI, it will be resolved once ESNI starts being deployed.
This underestimates DPI vendors. eSNI can't stop them, they will just move to exploit side channel information (traffic patterns) to identify which websites you are visiting. People need to remember that the DPI industry has been fighting with obfuscation for years; it's a war where Cloudflare and Mozilla are complete newbies.
How often do corporations take other corporations to court over contract disputes? I think it's pretty often.
You're right. But so are Mozilla.
Here we are 30 years into the web, and we're still using plain old DNS. DNS over TLS should have caught on, but it didn't. Apple and Microsoft had years to ensure it's implemented as standard, but they didn't.
The points this article makes - about DHCP options, about multiple providers, are very valid.
But they're also just talking shops.
The biggest problems here seem to be
1) DHCP can't give internal DOH servers. When I'm at home I want it landing on my own DOH server, but when I'm away I want to use a different one.
2) Internal DNS resolving falls to bits
Anyone who wants to can configure their dhcp client to ignore it, or use a different service, you could even have applications doing that too, but this would allow a network operator to tell people where the recommended resource is.
Likewise if you want to change your DNS provider yourself you would have a single location on your machine to do it for the entire OS, rather than having to change 50 different applications.
This is what I would like to see as a default (and included in routers). In fact, it's what I already do myself.
I think (as others here have said) that the privacy concerns the article raises are mostly FUD. But I do agree with the article when it says handling DNS at the application level is kind of a terrible idea (even though it might seem justified in this case). If the end result is that every application has its own built in network stack, that's going to be terrible for security, usability, and make it much harder to debug third-party apps.
So enable DoT instead.
People say that it's trivial to change. It's trivial to change for us who are technically minded. It's far from obvious and will not be changed by non-technical users.
This will only increase the massive amount of data that Cloudflare gets about people's online behavior. I am always very skeptical of centralization and of having a company get this much information. Remember google's Don't be evil? I'm extremely uncomfortable with such a massive centralization of data.
People might say that the status quo is not great because DNS is sent to the ISP. I'd argue the status quo is better because it's far less centralized. And, at least for Europeans, I trust European legislation better than US legislation.
I can understand the argument that some countries have mass surveillance and it's a net positive for users in those countries since it will protect them. But in that case, I feel that the default should be randomized from a list of providers, not only one company. I also would be much less concerned by this if it was an option on first startup with a clear explanation (even though users tend to not read and blindly click accept, it's at least more of an informed consent).
And anyway, that purpose of preventing mass surveillance and blocking in those countries where it would actually be useful seems to be moot because of:
> Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.
So, if ISPs in countries with censorship can use a canary website to prevent users from bypassing "legally-set blocklists", what is the point again of enabling this?
No, it explicitly won't.
> The resolver must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.
> Transparency Report. There must be a transparency report published at least yearly that documents the policy for how the party operating the resolver will handle law enforcement requests for user data and that documents the types and number of requests received and answered, except to the extent such disclosure is prohibited by law.
> The party operating the resolver should not by default block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates.
This doesn't really matter if you live in the US, but most of us don't.
1. centralization of all dns lookups is worrisome
2. Dns should not be handled by applications. It should be handled by the operating system.
I see a lot of people conflating the two in the comments.
I disagree. It has become common for the OS to handle DNS globally. This can provide nice cache efficiency/centralized configuration benefits. But it is also much less flexible and unlike e.g. the OS's Certificate Authority Registry there's no update/revocation benefits.
DNS over HTTPS being configurable in the browser gives us more flexibility. For example you want to AdBlock but not risk breaking OS Updates, you want to split-tunnel a VPN connection then pick which resolver for the browser, or you even want to use a different non-"internet"/non-ICANN network only in a single browser/instance you now can. That's powerful.
DNS by the OS is common in 2019. But saying it "should" without explanation isn't a strong argument except towards the status quo.
PS - If you think of a web browser like an "app ecosystem" this line of thinking makes a heck of a lot of sense. The OS is just a host for a sub-"OS" ecosystem. There's a reason browsers already have their own configuration for e.g. web cams, microphones, sound/mute, language, 3D acceleration, and security that already end-run around what the OS is trying to dictate.
I agree with #1 but why it should be managed by the OS?
If you are currently using a private DNS server with internal domains and don't know about the changes Firefox is going to make, Firefox will resolve your domains incorrectly, while all your tools like nslookup and dig will show correct information.
And then when you do figure it out, you will have to go to every single user and help them fix their Firefox setup (because most such small businesses don't have their own AD).
I first thought about blocking it at the company's firewall level, but that's tricky, because you don't want to break everything else that uses Cloudflare.
Example: say you use the hosts file to block porn and other shady sites for your kid; all they have to do is use Chrome.
A bug that I cannot reproduce. Chrome follows my HOSTS file fine on Windows 10. But even if it didn't it would still be off-topic.