Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Firefox Encryption Mozilla Privacy Security

Firefox Will Soon Encrypt DNS Requests By Default (engadget.com) 147

This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring.

Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology.

Users will be given the option to opt-out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic."

"We feel confident that enabling DNS-over-HTTPS by default is the right next step."
This discussion has been archived. No new comments can be posted.

Firefox Will Soon Encrypt DNS Requests By Default

Comments Filter:
  • how does it work? (Score:5, Interesting)

    by fred6666 ( 4718031 ) on Sunday September 08, 2019 @09:37AM (#59170896)

    Will it still use my DNS server or not?

    • Re:how does it work? (Score:4, Informative)

      by Sumguy2436 ( 6186944 ) on Sunday September 08, 2019 @09:44AM (#59170906)
      As I understand it Mozilla uses Cloudflare's DNS for DNS-over-HTTPS (https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/).

      Between Mozilla and Cloudflare I guess we can expect a few sites "accidentally" not getting resolved.
    • Re:how does it work? (Score:5, Informative)

      by FaxeTheCat ( 1394763 ) on Sunday September 08, 2019 @09:46AM (#59170914)
      No. The problem is that this bypasses your DNS server, so you lose control over DNS.
      To prevent this,you can block access to the DNS over HTTPS servers in your firewall (there are not really many), forcing the browser to use your DNS servers.
      • And what happens when you want to use the DNS server of your VPN provider?

        If the OpenVPN client bypasses the OS's DNS settings, what happens when the browser wants to bypass the OpenVPN bypass? Who wins?
        • The browser does not bypass the local DNS servers. It uses a different protocol for resolution. So whatever DNS servers the OS uses, as long as you permit Firefox to use DoH (DNS over HTTPS), Firefox will use DoH, ignoring the OS DNS settings.
          • Re:how does it work? (Score:5, Informative)

            by caseih ( 160668 ) on Sunday September 08, 2019 @10:41AM (#59171058)

            Not sure what you mean. Firefox absolutely bypasses your local DNS servers when DNS over HTTPs is enabled. You can set up your own DNS over HTTPS server and manually configure Firefox to use it, but by default it will use cloudfare's DNS servers.

            None of this is not automatic in any of the senses that DHCP and normal DNS are. DHCP does not currently provide clients with DoH addresses to use, so the OS is not aware of DoH at all. I'm sure DHCP servers could add support for this like how it was done for netbios stuff. At that point one would expect Firefox to honor the OS-wide DoH setting. But it seems like Firefox wants to go its own way on this.

            • Re:how does it work? (Score:4, Informative)

              by FaxeTheCat ( 1394763 ) on Sunday September 08, 2019 @11:36AM (#59171228)
              I guess I fell in a semanticst trap... For all practical purposes it is a bypass.

              The probem is that appliacations now seem to have their own DoH settings (as there are not OS wide DoH settings available). The problem with HTTPS is that organizations wanting to enforce the use of certain DNS and or DoH servers lose the ability to do this due to the use of HTTPS.
              So to get control over DoH, organizations must block all known DoH servers to ensure that the company's own DNS servers are used.
              • by nyet ( 19118 )

                Exactly. The whole point to DNS is it's an application independent standard. DoH is going to force DNS administrators too keep track of *every single* application vendor's special DoH sauce. Unbelievable that some people here think this is wonderful.

                Mozilla's own idiocy is unsurprising, though. This is par for the course for them.

          • The browser does not bypass the local DNS servers. It uses a different protocol for resolution. So whatever DNS servers the OS uses, as long as you permit Firefox to use DoH (DNS over HTTPS), Firefox will use DoH, ignoring the OS DNS settings.

            douÂâbleÂâspeak

            "language used to deceive usually through concealment or misrepresentation of truth"

        • by hawk ( 1151 )

          >And what happens when you want to use the DNS server of your VPN provider?

          Inconceivable!

          I have cox . . . *no-one* uses those unless they don't know how to avoid them ,. . . :)

          hawk

      • by fahrbot-bot ( 874524 ) on Sunday September 08, 2019 @01:41PM (#59171536)

        No. The problem is that this bypasses your DNS server, so you lose control over DNS.

        In addition, now your browser will be using one source for DNS and your system and other applications will be using a different one. Even though this *shouldn't* make any difference, it's not really ideal as now you could get two different behaviors.

        Remember: A person with one watch knows the time, a person with two is never sure.

      • It's just their default. I'm sure there will be a place for you to say that you'd rather continue to allow your DNS traffic to be monitored or are sophisticated enough to have set one up that acts fully internally.

        And for those who are worrying about work environments and parental controls implemented via DNS, RTFA.

        At a high level, our plan is to:

        • Respect user choice for opt-in parental controls and disable DoH if we detect them;
        • Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration; and
        • Fall back to operating system defaults for DNS when split horizon configuration or other DNS issues cause lookup failures.
        • by nyet ( 19118 )

          The same FA that explains that they reserve the right to completely screw it up if they detect "abuse"? That FA?

    • by AHuxley ( 892839 )
      Your nation's police and ISP will not see as much as it did in the past for free over years of ISP logging.
      Unless in a 5 eye nation where the NSA and GCHQ will collect it all :)
  • Private DNS setting on mobile: 1dot1dot1dot1.cloudflare-dns.com

  • by La Gris ( 531858 ) <<lea.gris> <at> <noiraude.net>> on Sunday September 08, 2019 @09:45AM (#59170910) Homepage

    Any reason that one could have more trust in Firefox's HTTPS DNS resolvers who can collect, alter hijack DNS response as much as any ISP's or Google's own DNS resolvers?

    Why is it an opt-out and not a default off option.

    I run my own DNS resolvers and cache that talks to the root DNS and my own internal network resolver for names to my LAN hosts.

    I just don't like that 3rd-parties decide on my own good without getting my prior explicit and informed consent.

    • Firefox is at least open about it. Not all applications are.
      • That's about as comforting as a thug telling me that he's gonna mug me.

        • The thug is telling you that you can opt out of being mugged, you just have to say so.
          • I'm just going to not step in the giant pothole the first time, hey?

            The thug announced it ahead of time so I can ensure that there aren't any left over instances of his weapon around.

          • Unless they're actively informing you during the 'mugging' (since when has that ever happened and even if it had, most ppl click straight through) then all the thug has done is put out a press release that most victims won't read or hear about.
          • The thug is telling you that you can opt out of being mugged, you just have to say so.

            From "The Daily Show" (and other sources): Did this dude just opt out of an armed robbery? [facebook.com]

          • It's more like a pickpocket putting up a posting on his blog that if anyone doesn't want to be pickpocketed, all they have to do is opt out by sending him a picture of themselves. However, the opt-out is only valid for the set of clothes that you wear in the picture; if you don't want to be pickpocketed in your other set of clothes, you need to opt those out, too. You're very likely to forget this a few months down the line when you get a new set of clothes. Also, this was all just posted on his blog, so yo
      • Firefox is at least open about it. Not all applications are.

        At least Hitler was open about genocide. Not all despotic regimes are.

    • Re: (Score:2, Interesting)

      by guruevi ( 827432 )

      99% of the Internet has no clue what DNS even is, let alone set up their own resolvers.

      Even if you set up your own resolvers, if you don't keep up with it, you should consider that they may be compromised.

      There is a real need to make sure everything goes over VPN for consumers, sure us high tech people may have our own solution but the number of hijacked cell phone poles and openWiFi AP is just too great. You should consider even your own Internet connection to be compromised at this point if you have any I

      • "Even if you set up your own resolvers, if you don't keep up with it, you should consider that they may be compromised."

        You sir, are an absolute idiot!

      • Even if you set up your own resolvers, if you don't keep up with it, you should consider that they may be compromised.

        Good grief. Anything and everything "may be compromised". This communicates nothing.

        Secondly so what? Assume your networks naming system is compromised. Like the underlying network identifiers resolved are themselves trustworthy so what difference does it really make from a security perspective?

        There is a real need to make sure everything goes over VPN for consumers

        Pure nonsense. VPNs are an answer to nothing.

        All VPNs do is push the same set of problems further out while creating additional opportunities for compromise.

        sure us high tech people may have our own solution but the number of hijacked cell phone poles and openWiFi AP is just too great.

        This is what end to end security is for. VPNs are NOT

        • Actually that is incorrect. The Internet is a completely trusted and trustworthy interconnection of networks that accomplishes exactly what it was designed to do in the manner in which is was designed (and built) to do.

          Your problem is likely that you are assuming design goals and processes that are not in evidence and were never intended -- that you are conflating your "wishes and desires" with what actually exists -- and that you are then assigning "trust" and evaluating "trustworthiness" based on your "w

    • by AmiMoJo ( 196126 ) on Sunday September 08, 2019 @10:48AM (#59171078) Homepage Journal

      By default most people use their ISPs DNS servers. ISPs are generally neutral evil alignment, and in many countries are required by law to log DNS requests and hand them over on demand. They also get hit by lawsuits demanding that they corrupt their DNS databases to block access to certain sites.

      So for most people this is a massive privacy upgrade. Even if Mozilla was evil, they are likely far less evil than your ISP and also in less of a position to abuse the collected data.

      You can of course opt out or use your own preferred DNS servers, as always.

      • by La Gris ( 531858 ) <<lea.gris> <at> <noiraude.net>> on Sunday September 08, 2019 @11:41AM (#59171240) Homepage

        What you call a massive privacy upgrade over exposing once DNS requests to own country's laws, is more or like trading it for that of the Mozilla's foundation's own country laws.

        What I see instead, is a war between third-parties, over who will be first in the pipeline to collect data, while making it harder for the other third-parties down the line to do so.

        I think it is a bad move from the Mozilla foundation, with creepy red flags that they are fighting to be "The Internet", because Google is fighting to be "The Internet", because FaceBook, Microsoft and every other IT industry minions tried before.

      • By default most people use their ISPs DNS servers. ISPs are generally neutral evil alignment, and in many countries are required by law to log DNS requests and hand them over on demand. They also get hit by lawsuits demanding that they corrupt their DNS databases to block access to certain sites.

        The idea local ISPs are more evil than large scale centralization of everyone's browsing history is backwards.

        Centralization creates an aggregation of power which reinforces corruption. Having everyone's D.N.S in one place is more valuable to leverage than a decentralized model where ISPs of varying degrees of integrity may well keep and leverage the information yet with greatly diminished benefit as a result of lacking economy of scale.

        If you as an ISP go to Facebook and try and sell D.N.S history of your

      • Obviously you know nothing of which you speak.

        First of all, Mozilla does not operate the DNS-over-HTTPS endpoints.

        Those are run by a company called CloudFlare. CloudFlare is an American company. Currently these endpoints are located in the United States of America and are subject to control by CloudFlare and the United States government (and access by their spooks).

        These endpoints are not currently AnyCast, however they may be in the future. That means that the endpoints and the actual servers will, in a

    • Re: (Score:3, Interesting)

      Any reason that one could have more trust in Firefox's HTTPS DNS resolvers who can collect, alter hijack DNS response as much as any ISP's or Google's own DNS resolvers?

      They're laying the foundations necessary to give themselves the power to censor your internet access. The freedom afforded to individuals by the Internet really burns the hide of people whose entire political philosophy is opposed to individual freedom. You, as a lowly citizen, are not qualified to decide what you will read, what videos you will watch, or what pictures you will view. Oh no. You need wise overlords to screen that content and filter out anything that your little mind can't handle, for your ow

      • Actually it isn't about censorship, but that they think they can make money off selling your browsing habits. People like money. Mozilla isn't giving away software for fun.

      • "They're laying the foundations necessary to give themselves the power to censor your internet access. The freedom afforded to individuals by the Internet really burns the hide of people whose entire political philosophy is opposed to individual freedom. You, as a lowly citizen, are not qualified to decide what you will read, what videos you will watch, or what pictures you will view. Oh no. You need wise overlords to screen that content and filter out anything that your little mind can't handle, for your o

    • by tk77 ( 1774336 ) on Sunday September 08, 2019 @11:28AM (#59171206)

      I run my own DNS resolvers and cache that talks to the root DNS and my own internal network resolver for names to my LAN hosts.

      I just don't like that 3rd-parties decide on my own good without getting my prior explicit and informed consent.

      I'm concerned about this as well so decided to dig through Mozilla's documentation. If i'm reading this right:

      https://support.mozilla.org/en... [mozilla.org]

      A canary domain, "use-application-dns.net", can be configured in the DNS server to return NXDOMAIN, and this will trigger Firefox to not use DoH.

      • by nyet ( 19118 )

        Mod parent up, thanks.

        • Fascinating ... if you look up that domain and whence it resolves you will see that it is a vast conspiracy by CloudFlare, Google, GitHub and Microsoft.

          All the more reason not to use it.

      • by vrt3 ( 62368 )

        Thanks, that's really helpful.

        For those who use dnsmasq, add this to /etc/dnsmasq/dnsmasq.conf:

        # Force use-application-dns.net to NXDOMAIN in order to disable Firefox's DNS
        # over HTTPS
        address=/use-application-dns.net/

        • On Ubiquiti routers use the following to set the dnsmasq option:

          set service dns forwarding options address=/use-application-dns.net/

          probably the same for Vyatta but I don't know for sure ...

  • Lots of fun for people using VPNs, which many do when working remotely. I hope the opt-out is well documented and works
  • by FaxeTheCat ( 1394763 ) on Sunday September 08, 2019 @09:51AM (#59170928)
    As many point out, this is bad for those wanting to control their DNS.

    An exampel is that many enterprises have control over what they want the users to access (one reason is to be able to quickly block malicious sites).
    The only way to do this is to block access to the DNS over HTTPS servers in firewalls or (ironically) on DNS.
  • How to turn it off (Score:5, Informative)

    by Anonymous Coward on Sunday September 08, 2019 @10:14AM (#59171000)
    about:config

    Change network.trr.mode to 5 (means never to use the DoH service)

    I also changed network.trr.uri from whatever url they had for it before to https://127.0.0.1/ [127.0.0.1]

    Documented here: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/ [mozilla.org]
  • A couple of my customer organizations are using Cisco Umbrella for blocking DNS requests to phishing and other dangerous domains. The idea is to provide lightweight security framework without having to snoop into end-user traffic too deeply.

    We have already notified them that DNS-over-HTTPS is going to cause a headache for them. Looks like the headaches are about to start. Sure, Firefox is open about it, but what about the next application down the line?

    I guess we'll just block the list of public DNS-over-HT

  • Mozilla Payday? (Score:3, Interesting)

    by OcCbXntZLeOg ( 6195574 ) on Sunday September 08, 2019 @10:53AM (#59171100)
    I wonder how much Mozilla is getting paid by Cloudfare for the browsing data of millions of unsuspecting users. How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?
    • How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

      Well that's a lot of hyperbole. If you know enough to have a manual DNS configuration then you can check the relevant boxes to stop Firefox from using DoH. For everyone else, it's a good increase in privacy.

    • I wonder how much Mozilla is getting paid by Cloudfare for the browsing data of millions of unsuspecting users. How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

      Excellent timing for Cloudfare's IPO...

  • I updated to Firefox 69 yesterday. Out of curiosity, I browsed to the settings page, and I already see that it has a "DNS over HTTPS" setting already appears there. And it is turned off.

    Does this mean that, at some point in the next month, the good Firefox folks will helpfully turn it on for me?

    • Yes. Every setting that you set in a fashion that is contrary to the "approved" setting is subject to be change at any time and without notice to you.

      Get used to it.

      • by nyet ( 19118 )

        Yep. They'll find a bug in the complex option processing, and instead of fixing it, they'll just disable the option. They're that idiotic.

    • by nyet ( 19118 )

      Not only will they turn it on for you, the option will no longer even exist.

  • by ugen ( 93902 ) on Sunday September 08, 2019 @11:21AM (#59171188)

    This might mess up DNS based load balancing / region selection, where results returned by DNS lookup depend on the source of DNS request. I don't know how prevalent this is now vs. other kinds, but it's a tool and a useful tool at that.

    Of course with many users pointing at 8.8.8.8 anyway, I don't know if that's a significant issue.

  • by PrimaryConsult ( 1546585 ) on Sunday September 08, 2019 @11:35AM (#59171226)

    Firefox and Chrome seem to be playing a game of "hold my beer" of annoying decisions "for our own good". Chrome takes away https://www/ [www] from the address bar, so I switch to Firefox. Now Firefox is overriding the system DNS server. I really don't want to go back to Chrome but I also don't want to have to look at the status of a checkbox every time Firefox updates. I am a lazy fuck and use the encrypted 'cloud' password store that both Chrome and Firefox offer, so going for Edge or more niche browsers isn't really an option.

    • Brave.

      They haven't cocked it up so badly you can't disable the intrusive bits, yet.

      You'll have to switch again in a year, but that's been true since web browsers began.

    • Well, with Edge you do not have to worry about checking the settings. There are no use settable parts inside!

    • 1: Chrome takes away "https://www/" from the address bar, ...
      2: Now Firefox is overriding the system DNS server.

      (1) Disable the following flags in Chrome to get this back:

      omnibox-ui-hide-steady-state-url-trivial-subdomains
      omnibox-ui-hide-steady-state-url-path-query-and-ref

      (2) Set the following "about:config" item in Firefox to disable this:

      Name: "network.trr.mode"
      Value: 5

      [See this post [slashdot.org] for more documentation on this Firefox setting.]

      • Thanks for both, that's made both browsers usable again!

        Burying the ability to revert workflow-breaking changes like this in cryptic config settings is reminding me a lot of gconf-editor...

  • ...Users will be given the option to opt-out, explains Mozilla's official announcement...

    Good. But it really should be opt-in, not opt-out.

  • I see that the following config value uses a host name for the Trusted Recursive Resolver (TRR) URI.
    How is Firefox going to resolve that ... regular DNS or something hard-coded? Either seems problematic.

    Name: "network.trr.uri"
    Value: "https://mozilla.cloudflare-dns.com/dns-query"

  • by WaffleMonster ( 969671 ) on Sunday September 08, 2019 @06:06PM (#59172174)

    Mozilla is a bunch of two faced liars.

    LIE: We care about your privacy not profits.

    REALITY: Firefox browser is constantly calling home for a patently absurd number of reasons that can't be stopped without an equally absurd amount of effort.

    LIE: End user will benefit by Cloudflare hijacking everyone's DNS.

    REALITY: Bypassing local DNS policy endangers end users in multiple ways:

    1. Non Internet names will now be leaked to Cloudflare
    2. DNS based filters installed on network to protect end users will be bypassed
    3. Cloudflare will have aggregated access all users browsing history

    I would add this is very interesting timing given Cloudflare is as we speak actively in late stage process of becoming a publically traded corporation.

    No information is being kept from eavesdroppers they couldn't get by inspecting IP header, SNI or cert ident. The idea local DNS operators are not trustworthy while large centralized providers are saints is obviously not a serious concept. It's all doublespeak designed to make people feel good about being fucked over by yet another corporate power play.

    • REALITY: Firefox browser is constantly calling home for a patently absurd number of reasons that can't be stopped without an equally absurd amount of effort.

      It really does phone home a ridiculous amount, but you can block most of it just by blocking DNS resolution for *.(mozilla|firefox).(com|net|org).

      ...wait.

To err is human, to moo bovine.

Working...