Firefox Will Soon Encrypt DNS Requests By Default

This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring.

Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology.
Users will be given the option to opt-out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic."

"We feel confident that enabling DNS-over-HTTPS by default is the right next step."

how does it work?

[fred6666]

Will it still use my DNS server or not?

Re:how does it work?

[Sumguy2436]

As I understand it Mozilla uses Cloudflare's DNS for DNS-over-HTTPS (https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/).

Between Mozilla and Cloudflare I guess we can expect a few sites "accidentally" not getting resolved.

Re:how does it work?

[PrimaryConsult]

I use pihole, so I'm more concerned with things resolving that shouldn't. Cloudflare is nice and all but I like the blocklists.

Re:

[Chewbacon]

Ditto. I trust my DNS (Pihole/Adblock) more than Mozilla's nanny method.

Re:how does it work?

[nyet]

There are literally dozens of 15 year old bugs in bugzilla.. but to a mozilla dev, apparently adding features that not only nobody wants, but will also break infrastructure is the right move.

Re:how does it work?

[overnight_failure]

A slight tangent, but if you like the sound of the cloudflare DoH then you can configure pihole to use it upstream [pi-hole.net].

Re:

[PrimaryConsult]

Thanks for the info! I use quad 9 (there's something unsettling about cloudflare) but I have found instructions for them [quad9.net] as well. After preliminary research I believe I still have to use cloudflared, just will have to point it it to quad9's DNS server.

Re:

[nyet]

https://support.mozilla.org/en... [mozilla.org]

Set up RPZ to return NXDOMAIN for the "use-application-dns.net" canary.

Yes it sucks. Mozilla will likely even remove that eventually. If only they cared about fixing bugs more and adding useless, faddish, internet breaking features.

Re:

[greenwow]

It's correct to put accidentally in quotes since Cloudfare has censored sites in the past.

Re:how does it work?

[FaxeTheCat]

No. The problem is that this bypasses your DNS server, so you lose control over DNS.
To prevent this,you can block access to the DNS over HTTPS servers in your firewall (there are not really many), forcing the browser to use your DNS servers.

Re:

[infolation]

And what happens when you want to use the DNS server of your VPN provider?

If the OpenVPN client bypasses the OS's DNS settings, what happens when the browser wants to bypass the OpenVPN bypass? Who wins?

Re:

[FaxeTheCat]

The browser does not bypass the local DNS servers. It uses a different protocol for resolution. So whatever DNS servers the OS uses, as long as you permit Firefox to use DoH (DNS over HTTPS), Firefox will use DoH, ignoring the OS DNS settings.

Re:how does it work?

[caseih]

Not sure what you mean. Firefox absolutely bypasses your local DNS servers when DNS over HTTPs is enabled. You can set up your own DNS over HTTPS server and manually configure Firefox to use it, but by default it will use cloudfare's DNS servers.

None of this is not automatic in any of the senses that DHCP and normal DNS are. DHCP does not currently provide clients with DoH addresses to use, so the OS is not aware of DoH at all. I'm sure DHCP servers could add support for this like how it was done for netbios stuff. At that point one would expect Firefox to honor the OS-wide DoH setting. But it seems like Firefox wants to go its own way on this.

Re:how does it work?

[FaxeTheCat]

I guess I fell in a semanticst trap... For all practical purposes it is a bypass.

The probem is that appliacations now seem to have their own DoH settings (as there are not OS wide DoH settings available). The problem with HTTPS is that organizations wanting to enforce the use of certain DNS and or DoH servers lose the ability to do this due to the use of HTTPS.
So to get control over DoH, organizations must block all known DoH servers to ensure that the company's own DNS servers are used.

Re:

[nyet]

Exactly. The whole point to DNS is it's an application independent standard. DoH is going to force DNS administrators too keep track of *every single* application vendor's special DoH sauce. Unbelievable that some people here think this is wonderful.

Mozilla's own idiocy is unsurprising, though. This is par for the course for them.

Re:

[WaffleMonster]

The browser does not bypass the local DNS servers. It uses a different protocol for resolution. So whatever DNS servers the OS uses, as long as you permit Firefox to use DoH (DNS over HTTPS), Firefox will use DoH, ignoring the OS DNS settings.

douÂâbleÂâspeak

"language used to deceive usually through concealment or misrepresentation of truth"

Re:

[Aighearach]

No, technical detail.

You don't gain anything by mixing hyperbole with technical details.

Re:

[hawk]

>And what happens when you want to use the DNS server of your VPN provider?

Inconceivable!

I have cox . . . *no-one* uses those unless they don't know how to avoid them ,. . . :)

hawk

Re:how does it work?

[fahrbot-bot]

No. The problem is that this bypasses your DNS server, so you lose control over DNS.

In addition, now your browser will be using one source for DNS and your system and other applications will be using a different one. Even though this *shouldn't* make any difference, it's not really ideal as now you could get two different behaviors.

Remember: A person with one watch knows the time, a person with two is never sure.

Re:

[RhettLivingston]

It's just their default. I'm sure there will be a place for you to say that you'd rather continue to allow your DNS traffic to be monitored or are sophisticated enough to have set one up that acts fully internally.

And for those who are worrying about work environments and parental controls implemented via DNS, RTFA.

At a high level, our plan is to:

• Respect user choice for opt-in parental controls and disable DoH if we detect them;
• Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration; and
• Fall back to operating system defaults for DNS when split horizon configuration or other DNS issues cause lookup failures.

Re:

[nyet]

The same FA that explains that they reserve the right to completely screw it up if they detect "abuse"? That FA?

That's DNS over TLS, not over HTTPS

[raymorris]

Android and some others support DNS over TLS, a more lightweight, technically sound protocol that uses port 853.

Firefox is implementing DNS over HTTPS, a heavier, slower, generally crappier protocol that nobody but Firefox and Cloudflare use. They run it on port 443.

Re:That's DNS over TLS, not over HTTPS

[Junta]

What, you mean to say there are ways to not use HTTP as the underlying protocol for every possilbe little thing? That is blasphemy. Everyone knows the OSI 1-layer model (http is the only layer, get over it)

Re: That's DNS over TLS, not over HTTPS

[Zero__Kelvin]

It would still be a 7 layer model. Quiz: From what layer does firefox operate its network request? Also all TCP/IP uses layers 1-3. Furthermore DNS still uses the same layers for HTTP and HTTPS. This doesn't change the ISO model at all. But hey ... you sounded like you knew you what you were talking about to someone for a bit so I guess that was a short lived win for you.

You seem to have missed their point

[raymorris]

DNS runs just fine over UDP or TCP. Over TCP, it's trivially easy to pipe it through TLS. DNS needs to run on top of layer 4. It always has run on top of layer 4.

Instead of running it on top of layer 4, Firefox is pointlessly running it on top of http, adding three extra unneeded layers. Which seems to be popular these days - put http under everything. Next up, they'll introduce TCP over HTTP.

Re:

[Zero__Kelvin]

I am not understanding how you think that is different from what I said except that I did mislabel at TCP/IP as 1-3 not 4-3 as I haven't needed to look closely at this for a while and remembered the exact layers wrong there (maybe that was your Point?) but for those following along here is the list of what protocols fit where in the ISO model [wikipedia.org]. If it did bypass layer 4 that would be one less layer, not 3 more, however DNS is layer 7 along with Firefox or any other application and HTTP(S). You have Firefox/Ot

Re:

[raymorris]

The point is, HTTP and everything that goes with it is unnessary for DNS.

This is another example of needing a transport (TCP or UDP) and using HTTP instead. DNS can and does ride on top of layer 4. A DNS packet request is directly packaged in a UDP packet. They have have it riding on top of layer 7 instead.

And not just any layer 7 protocol, but the most bloated one in existence. Http includes layer 5 functions (authentication, resume), layer 6 (accept headers, content type), and layer 7. None of which i

Re:

[swillden]

The real problem here is that the OSI model was created by a committee in the abstract, and is not rooted in actual network practice. Almost all arguments about how real protocols map onto the OSI stack are caused by the fact that they really don't.

Re:

[Aighearach]

That was embarrassing. Why do websites have to go all awkward like that, this isn't television.

Re:

[AHuxley]

Your nation's police and ISP will not see as much as it did in the past for free over years of ISP logging.
Unless in a 5 eye nation where the NSA and GCHQ will collect it all :)

Oreo setting.

[Ostracus]

Private DNS setting on mobile: 1dot1dot1dot1.cloudflare-dns.com

Why should I trust Firefox's resolvers?

[La Gris]

Any reason that one could have more trust in Firefox's HTTPS DNS resolvers who can collect, alter hijack DNS response as much as any ISP's or Google's own DNS resolvers?

Why is it an opt-out and not a default off option.

I run my own DNS resolvers and cache that talks to the root DNS and my own internal network resolver for names to my LAN hosts.

I just don't like that 3rd-parties decide on my own good without getting my prior explicit and informed consent.

Re:

[FaxeTheCat]

Firefox is at least open about it. Not all applications are.

Re:

[Opportunist]

That's about as comforting as a thug telling me that he's gonna mug me.

Re:

[fibonacci8]

The thug is telling you that you can opt out of being mugged, you just have to say so.

Re:

[weilawei]

I'm just going to not step in the giant pothole the first time, hey?

The thug announced it ahead of time so I can ensure that there aren't any left over instances of his weapon around.

Re:

[overnight_failure]

Unless they're actively informing you during the 'mugging' (since when has that ever happened and even if it had, most ppl click straight through) then all the thug has done is put out a press release that most victims won't read or hear about.

Re:

[fahrbot-bot]

The thug is telling you that you can opt out of being mugged, you just have to say so.

From "The Daily Show" (and other sources): Did this dude just opt out of an armed robbery? [facebook.com]

Re:

[twocows]

It's more like a pickpocket putting up a posting on his blog that if anyone doesn't want to be pickpocketed, all they have to do is opt out by sending him a picture of themselves. However, the opt-out is only valid for the set of clothes that you wear in the picture; if you don't want to be pickpocketed in your other set of clothes, you need to opt those out, too. You're very likely to forget this a few months down the line when you get a new set of clothes. Also, this was all just posted on his blog, so yo

Re:

[WaffleMonster]

Firefox is at least open about it. Not all applications are.

At least Hitler was open about genocide. Not all despotic regimes are.

Re:

[guruevi]

99% of the Internet has no clue what DNS even is, let alone set up their own resolvers.

Even if you set up your own resolvers, if you don't keep up with it, you should consider that they may be compromised.

There is a real need to make sure everything goes over VPN for consumers, sure us high tech people may have our own solution but the number of hijacked cell phone poles and openWiFi AP is just too great. You should consider even your own Internet connection to be compromised at this point if you have any I

Re:

[Retired ICS]

"Even if you set up your own resolvers, if you don't keep up with it, you should consider that they may be compromised."

You sir, are an absolute idiot!

Re:

[guruevi]

Please elaborate. Calling people idiots while you have no clue what you're talking about is dumb.

Re:

[nyet]

Why on earth would I not pay attention to my own resolvers if I don't trust anyone else's?

Re:

[Retired ICS]

And so how are "they may be compromised"?

Re:

[WaffleMonster]

Even if you set up your own resolvers, if you don't keep up with it, you should consider that they may be compromised.

Good grief. Anything and everything "may be compromised". This communicates nothing.

Secondly so what? Assume your networks naming system is compromised. Like the underlying network identifiers resolved are themselves trustworthy so what difference does it really make from a security perspective?

There is a real need to make sure everything goes over VPN for consumers

Pure nonsense. VPNs are an answer to nothing.

All VPNs do is push the same set of problems further out while creating additional opportunities for compromise.

sure us high tech people may have our own solution but the number of hijacked cell phone poles and openWiFi AP is just too great.

This is what end to end security is for. VPNs are NOT

Re:

[Retired ICS]

Actually that is incorrect. The Internet is a completely trusted and trustworthy interconnection of networks that accomplishes exactly what it was designed to do in the manner in which is was designed (and built) to do.

Your problem is likely that you are assuming design goals and processes that are not in evidence and were never intended -- that you are conflating your "wishes and desires" with what actually exists -- and that you are then assigning "trust" and evaluating "trustworthiness" based on your "w

Re:Why should I trust Firefox's resolvers?

[AmiMoJo]

By default most people use their ISPs DNS servers. ISPs are generally neutral evil alignment, and in many countries are required by law to log DNS requests and hand them over on demand. They also get hit by lawsuits demanding that they corrupt their DNS databases to block access to certain sites.

So for most people this is a massive privacy upgrade. Even if Mozilla was evil, they are likely far less evil than your ISP and also in less of a position to abuse the collected data.

You can of course opt out or use your own preferred DNS servers, as always.

Re:Why should I trust Firefox's resolvers?

[La Gris]

What you call a massive privacy upgrade over exposing once DNS requests to own country's laws, is more or like trading it for that of the Mozilla's foundation's own country laws.

What I see instead, is a war between third-parties, over who will be first in the pipeline to collect data, while making it harder for the other third-parties down the line to do so.

I think it is a bad move from the Mozilla foundation, with creepy red flags that they are fighting to be "The Internet", because Google is fighting to be "The Internet", because FaceBook, Microsoft and every other IT industry minions tried before.

Re:

[nyet]

Ridiculously short sighted and ignorant sentiment.

Re:

[WaffleMonster]

, but if we read their privacy policy for their DNS server they claim that they never save logs to disk.

There is no privacy policy. There is only a FAQ.

There is no language in any public statement indicating data would not be saved to disk.

and delete any logged data in less than 24 hours.

They explicitly state data is permanently stored including:

Total number of requests processed by each Cloudflare co-location facility
Aggregate list of all domain names requested
Samples of domain names queried along with the times of such queries

Along with standard boilerplate allowances for law enforcement requests for "any tangible thing".

Currently there is zero evidence that Cloudflare sells that data to anyone. On the other hand ISPs are quite open about selling your data to the lowest bidder. In fact they tried to label Mozilla this year's "internet villain" for introducing DoH.

We know for a fact they will at t

Re:

[nyet]

Couldn't agree more with your analysis. In particular, the decreased decentralization AND simultaneous increase in attack surface.

It is unconscionable that Mozilla refuses to listen to both the community and those with clearly a better understanding of both the technology and the risks associated with this idiotic "feature".

Re:

[WaffleMonster]

By default most people use their ISPs DNS servers. ISPs are generally neutral evil alignment, and in many countries are required by law to log DNS requests and hand them over on demand. They also get hit by lawsuits demanding that they corrupt their DNS databases to block access to certain sites.

The idea local ISPs are more evil than large scale centralization of everyone's browsing history is backwards.

Centralization creates an aggregation of power which reinforces corruption. Having everyone's D.N.S in one place is more valuable to leverage than a decentralized model where ISPs of varying degrees of integrity may well keep and leverage the information yet with greatly diminished benefit as a result of lacking economy of scale.

If you as an ISP go to Facebook and try and sell D.N.S history of your

Re:

[Retired ICS]

Obviously you know nothing of which you speak.

First of all, Mozilla does not operate the DNS-over-HTTPS endpoints.

Those are run by a company called CloudFlare. CloudFlare is an American company. Currently these endpoints are located in the United States of America and are subject to control by CloudFlare and the United States government (and access by their spooks).

These endpoints are not currently AnyCast, however they may be in the future. That means that the endpoints and the actual servers will, in a

Re:

[OcCbXntZLeOg]

Any reason that one could have more trust in Firefox's HTTPS DNS resolvers who can collect, alter hijack DNS response as much as any ISP's or Google's own DNS resolvers?

They're laying the foundations necessary to give themselves the power to censor your internet access. The freedom afforded to individuals by the Internet really burns the hide of people whose entire political philosophy is opposed to individual freedom. You, as a lowly citizen, are not qualified to decide what you will read, what videos you will watch, or what pictures you will view. Oh no. You need wise overlords to screen that content and filter out anything that your little mind can't handle, for your ow

Re:

[110010001000]

Actually it isn't about censorship, but that they think they can make money off selling your browsing habits. People like money. Mozilla isn't giving away software for fun.

Re:

[Retired ICS]

"They're laying the foundations necessary to give themselves the power to censor your internet access. The freedom afforded to individuals by the Internet really burns the hide of people whose entire political philosophy is opposed to individual freedom. You, as a lowly citizen, are not qualified to decide what you will read, what videos you will watch, or what pictures you will view. Oh no. You need wise overlords to screen that content and filter out anything that your little mind can't handle, for your o

Re: Why should I trust Firefox's resolvers?

[dknj]

I guess you've been triggered by the mention of using Cloudflare's DNS because they don't want to be associated with neo-nazi mass murderers.

Iâ(TM)ll bite, troll. The Cloudflare CEO backtracked on his word within 12 hours because his precious IPO was at risk. The problem here is the same problem with communism, it sounds great on paper, the first and maybe even second generation goes great for everyone, but then leadership changes. And they no longer see it the same way as the founders did. Now what do you do?

In this case, Cloudflare would have all of your data for XX years. What if Cloudflare goes public? Or leadership changes like it

Re:

[twocows]

The Cloudflare CEO backtracked on his word within 12 hours because his precious IPO was at risk.

Do you have a source for this? I have not heard about it.

Re:Why should I trust Firefox's resolvers?

[tk77]

I run my own DNS resolvers and cache that talks to the root DNS and my own internal network resolver for names to my LAN hosts.

I just don't like that 3rd-parties decide on my own good without getting my prior explicit and informed consent.

I'm concerned about this as well so decided to dig through Mozilla's documentation. If i'm reading this right:

https://support.mozilla.org/en... [mozilla.org]

A canary domain, "use-application-dns.net", can be configured in the DNS server to return NXDOMAIN, and this will trigger Firefox to not use DoH.

Re:

[nyet]

Mod parent up, thanks.

Re:

[Retired ICS]

Fascinating ... if you look up that domain and whence it resolves you will see that it is a vast conspiracy by CloudFlare, Google, GitHub and Microsoft.

All the more reason not to use it.

Re:

[vrt3]

Thanks, that's really helpful.

For those who use dnsmasq, add this to /etc/dnsmasq/dnsmasq.conf:

# Force use-application-dns.net to NXDOMAIN in order to disable Firefox's DNS
# over HTTPS
address=/use-application-dns.net/

Re:

[Retired ICS]

On Ubiquiti routers use the following to set the dnsmasq option:

set service dns forwarding options address=/use-application-dns.net/

probably the same for Vyatta but I don't know for sure ...

Re:

[nyet]

The point is this centralizes things even further. At least if it is by ISP, every single ISP has to be compromised (intentionally internally or externally maliciously).

And what with the corporate MITM going on, TLS is completely useless anyway.

Re:

[Retired ICS]

Try any ISP? Trust your nations police who will collect it all in some nations?

I don't trust anyone thank you very much. What does that have to do with the price of tea in China?

Have it pass into a nation like the USA with freedom of speech and freedom after speech.
vs any nation who demands every approved ISP keep longs for years?

I do not know what planet you are from but on the planet I am living on the USA is quite the opposite of what you have described. The USA does not have "freedom of speech" nor does it have "freedom after speech". It is the most corrupt hellhole bastion of corruption on the planet.

Nations that want to ban web pages when the gov/big telcos say?

I do not care what anyone else wants. They can get over it. They will get what I decide they can have and they will say thank-y

VPNs anyone ?

[jmccue]

Lots of fun for people using VPNs, which many do when working remotely. I hope the opt-out is well documented and works

Problems for those wanting to control their DNS.

[FaxeTheCat]

As many point out, this is bad for those wanting to control their DNS.

An exampel is that many enterprises have control over what they want the users to access (one reason is to be able to quickly block malicious sites).
The only way to do this is to block access to the DNS over HTTPS servers in firewalls or (ironically) on DNS.

enterprises also have local only dns for some site

[Joe_Dragon]

enterprises also have local only dns for some sites that are not part of any pub dns

Re:Problems for those wanting to control their DNS

[tk77]

It looks like you can disable DoH for your network by returning NXDOMAIN for a specific canary domain ("use-application-dns.net"):

https://support.mozilla.org/en... [mozilla.org]

I've added this on my servers using binds reverse policy zone and adding an empty cname record for the canary domain.

Re:

[phantomfive]

The only way to do this is to block access to the DNS over HTTPS servers in firewalls or (ironically) on DNS.

If you are a corporation and have access to the software installed on the computers, you can require that every browser have a certificate installed so you can read the traffic. This is also something you can do if you are a powerful government.

Re:

[FaxeTheCat]

That is correct.
However, the most widely used DoH servers are known, and the DoH client must look them up using traditional DNS, so blocking (most of) them is relatively simple.

Re:

[OcCbXntZLeOg]

https://github.com/bambenek/bl... [github.com]

Re:

[FaxeTheCat]

At least some of them are already in our RPZ. Thanks for the link!

The servers

[raymorris]

I believe GP said "block access to the DNS over HTTPS servers". It's trivially easy to block all access to the major DoH servers. You don't even have to distinguish between DoH and any other https if you block those servers.

If you did want to distinguish, even just the size of the request and response is a pretty darn good indicator. Starting there, you can then come up with more and more cover ways.

Re:

[FaxeTheCat]

So how are the clients going to find the DoH server if it has an arbitrary IP? Using DNS? We already blocked the DNS name.

Re:

[scdeimos]

It's not. By default, Firefox will be using CloudFare's DNS-over-HTTPS implementation. You can block that quite simply with deny host 1.1.1.1 port tcp/443.

How to turn it off

[Anonymous Coward]

about:config

Change network.trr.mode to 5 (means never to use the DoH service)

I also changed network.trr.uri from whatever url they had for it before to https://127.0.0.1/ [127.0.0.1]

Documented here: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/ [mozilla.org]

Re:How to turn it off

[fahrbot-bot]

about:config

Change "network.trr.mode" to 5 (means never to use the DoH service)
I also changed network.trr.uri from whatever url they had for it before to https://127.0.0.1/ [127.0.0.1]
Documented here: Improving DNS Privacy in Firefox [mozilla.org]

Addition documentation: Trusted Recursive Resolver [mozilla.org]

[This all assumes that Mozilla doesn't change or remove the config settings willy-nilly, as they often do.]

From my "user.js" file:

// Control DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR).
// https://blog.nightly.mozilla.o... [mozilla.org]
// https://wiki.mozilla.org/Trust... [mozilla.org]
// 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
// 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.
user_pref("network.trr.mode", 0);

I imagine I'll have to change the value from "0" to "5" in the near future...

Cisco Umbrella and others

[Zarhan]

A couple of my customer organizations are using Cisco Umbrella for blocking DNS requests to phishing and other dangerous domains. The idea is to provide lightweight security framework without having to snoop into end-user traffic too deeply.

We have already notified them that DNS-over-HTTPS is going to cause a headache for them. Looks like the headaches are about to start. Sure, Firefox is open about it, but what about the next application down the line?

I guess we'll just block the list of public DNS-over-HT

Mozilla Payday?

[OcCbXntZLeOg]

I wonder how much Mozilla is getting paid by Cloudfare for the browsing data of millions of unsuspecting users. How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

Re:

[serviscope_minor]

How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

Well that's a lot of hyperbole. If you know enough to have a manual DNS configuration then you can check the relevant boxes to stop Firefox from using DoH. For everyone else, it's a good increase in privacy.

Re:

[WaffleMonster]

I wonder how much Mozilla is getting paid by Cloudfare for the browsing data of millions of unsuspecting users. How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

Excellent timing for Cloudfare's IPO...

Forcible opt-in

[mrsam]

I updated to Firefox 69 yesterday. Out of curiosity, I browsed to the settings page, and I already see that it has a "DNS over HTTPS" setting already appears there. And it is turned off.

Does this mean that, at some point in the next month, the good Firefox folks will helpfully turn it on for me?

Re:

[Retired ICS]

Yes. Every setting that you set in a fashion that is contrary to the "approved" setting is subject to be change at any time and without notice to you.

Get used to it.

Re:

[nyet]

Yep. They'll find a bug in the complex option processing, and instead of fixing it, they'll just disable the option. They're that idiotic.

Re:

[nyet]

Not only will they turn it on for you, the option will no longer even exist.

Will mess up DNS based load balancing

[ugen]

This might mess up DNS based load balancing / region selection, where results returned by DNS lookup depend on the source of DNS request. I don't know how prevalent this is now vs. other kinds, but it's a tool and a useful tool at that.

Of course with many users pointing at 8.8.8.8 anyway, I don't know if that's a significant issue.

Firefox and Chrome sure are getting authoritarian

[PrimaryConsult]

Firefox and Chrome seem to be playing a game of "hold my beer" of annoying decisions "for our own good". Chrome takes away https://www/ [www] from the address bar, so I switch to Firefox. Now Firefox is overriding the system DNS server. I really don't want to go back to Chrome but I also don't want to have to look at the status of a checkbox every time Firefox updates. I am a lazy fuck and use the encrypted 'cloud' password store that both Chrome and Firefox offer, so going for Edge or more niche browsers isn't really an option.

Re:

[weilawei]

Brave.

They haven't cocked it up so badly you can't disable the intrusive bits, yet.

You'll have to switch again in a year, but that's been true since web browsers began.

Re:

[Retired ICS]

Well, with Edge you do not have to worry about checking the settings. There are no use settable parts inside!

Re:

[fahrbot-bot]

1: Chrome takes away "https://www/" from the address bar, ...
2: Now Firefox is overriding the system DNS server.

(1) Disable the following flags in Chrome to get this back:

omnibox-ui-hide-steady-state-url-trivial-subdomains
omnibox-ui-hide-steady-state-url-path-query-and-ref

(2) Set the following "about:config" item in Firefox to disable this:

Name: "network.trr.mode"
Value: 5

[See this post [slashdot.org] for more documentation on this Firefox setting.]

Re:

[PrimaryConsult]

Thanks for both, that's made both browsers usable again!

Burying the ability to revert workflow-breaking changes like this in cryptic config settings is reminding me a lot of gconf-editor...

Opt-out

[QuietLagoon]

...Users will be given the option to opt-out, explains Mozilla's official announcement...

Good. But it really should be opt-in, not opt-out.

Umm ...

[fahrbot-bot]

I see that the following config value uses a host name for the Trusted Recursive Resolver (TRR) URI.
How is Firefox going to resolve that ... regular DNS or something hard-coded? Either seems problematic.

Name: "network.trr.uri"
Value: "https://mozilla.cloudflare-dns.com/dns-query"

F***u***c**k Mozilla

[WaffleMonster]

Mozilla is a bunch of two faced liars.

LIE: We care about your privacy not profits.

REALITY: Firefox browser is constantly calling home for a patently absurd number of reasons that can't be stopped without an equally absurd amount of effort.

LIE: End user will benefit by Cloudflare hijacking everyone's DNS.

REALITY: Bypassing local DNS policy endangers end users in multiple ways:

1. Non Internet names will now be leaked to Cloudflare
2. DNS based filters installed on network to protect end users will be bypassed
3. Cloudflare will have aggregated access all users browsing history

I would add this is very interesting timing given Cloudflare is as we speak actively in late stage process of becoming a publically traded corporation.

No information is being kept from eavesdroppers they couldn't get by inspecting IP header, SNI or cert ident. The idea local DNS operators are not trustworthy while large centralized providers are saints is obviously not a serious concept. It's all doublespeak designed to make people feel good about being fucked over by yet another corporate power play.

Re:

[Dagger2]

REALITY: Firefox browser is constantly calling home for a patently absurd number of reasons that can't be stopped without an equally absurd amount of effort.

It really does phone home a ridiculous amount, but you can block most of it just by blocking DNS resolution for *.(mozilla|firefox).(com|net|org).

...wait.

Re:

[serviscope_minor]

Yeah, same here. My in-house DNS server blocked it (thankfully.) I set up a block list based on blacklisted site information from mvps.org and pgl.yoyo.org This is exactly the kind of thing that would get through (against my express wishes and configuration) with this new DoH service. No thank you.

So you're an advanced user. That's great, continue to be an advanced user and check the little checkbox to make firefox use the system DNS. And from the DoH wikipedia page:

The Internet Watch Foundation and the Int

Re:

[Retired ICS]

Hear Hear! But how will the proles know what is going on since their web browser won't work to be able to read the story?

That is the problem with the internet off switch. Before you can post that video on twit-twat that will save the world, you have to reboot the internet.

Re:

[nyet]

> Mozilla is open about it, the tell you how to disable it (just three clicks: Menu, Settings, DNS over HTTPS). Don't be lazy.

I guarantee Mozilla will remove this option entirely the instant a bug is filed due to the complexity of the disable options.

And when they do, the ability to disable DoH will vanish.