Firefox Extends Privacy and Security of Canadian Internet Users With By-default DNS-over-HTTPS Rollout in Canada (mozilla.org) 108
In a few weeks, Firefox will start the by-default rollout of DNS over HTTPS (or DoH for short) to its Canadian users in partnership with local DoH provider CIRA, the Canadian Internet Registration Authority. From a report: DoH will first become a default for 1% of Canadian Firefox users on July 20 and will gradually reach 100% of Canadian Firefox users in late September 2021 -- thereby further increasing their security and privacy online. This follows the by-default rollout of DoH to US users in February 2020. As part of the rollout, CIRA joins Mozilla's Trusted Recursive Resolver (TRR) Program and becomes the first internet registration authority and the first Canadian organization to provide Canadian Firefox users with private and secure encrypted Domain Name System (DNS) services.
I'm not clear on how DNS over HTTPS helps privacy (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: I'm not clear on how DNS over HTTPS helps priv (Score:4, Informative)
If your DNS queries are in the hands of somebody other than who your traffic is being routed through (whether that is your ISP or a VPN provider) then there's a lot less that they can glean about your usage habits.
The traffic carrier just sees IP addresses and mostly encrypted traffic (unless you frequent non-tls protected sites and don't use extensions like HTTPS everywhere) which is basically useless given the way CDNs share IP addresses among multiple sites.
The DNS provider just sees which sites you request an IP address for, but they don't know anything like how long you visited the site, whether it was just to fetch a single resource or several, etc. For example, they can't likely tell whether you went to Facebook, or you just visited another site that has a stupid like button on it that you just ignored. So on its own, not terribly useful, though the info that can be gleaned is so minimal that it's not likely to be worth anything to marketers unless they could somehow tie a physical address to your IP address.
However, if you combine the two, you can glean a fair bit of info that marketers will like, encrypted or not. For example, are you spending a lot of time at Zillow? If so, realtors and lenders would gladly pay to know who you are. ISPs can also tie this to your billing address. They can and do monetize this in some countries. This is why they generally hate the idea of web browsers including DoH by default.
Re: (Score:3)
Re: (Score:2)
The ISP that cares enough to track you can easily implement a DoH request for every new IP you wish to visit. If the response generates a successful request they can then block that IP and your browser will revert to their provided DNS. If you don't trust your ISP use a VPN to a trusted network.
DoH just monetizes DNS for a select few.
Re: (Score:2)
DoH just monetizes DNS for a select few.
You lost me here.
Re: (Score:2)
Thanks for that. I will configure my Pihole box to block the canary domain use-application-dns.net. I do not want DNS-over-HTTPS forced on me.
Re: (Score:3)
Oh, look at that! Pi-Hole already does that.
# Prevent Firefox from automatically switching over to DNS-over-HTTPS
# This follows https://support.mozilla.org/en... [mozilla.org]
# (sourced 7th September 2019)
add_dnsmasq_setting "server=/use-application-dns.net/"
Re: (Score:2)
An ISP going that route had better be sure that's what their paying customers want. Did you ask your paying customers what they want?
No. Because if you did, it would be opt-in.
Fuck you, and fuck Firefox.
Re:I'm not clear on how DNS over HTTPS helps priva (Score:5, Informative)
Re: (Score:3, Insightful)
You just admitted that the only real protection mozilla offers is that which mozilla's lawyers can make stick. The HTTP/S wrapped around DNS is merely an excuse to stick more HTTP/S everywhere (like it's XML), and only shuffles the problem around. It also takes more power away from the end-user, who typically relied on the recursors offered by his ISP.
So from the benevolence of your ISP, whom you are paying so they are selling you out, to the benevolence of mozilla and its friends, whom you are not paying (
Re: (Score:2)
Re: (Score:1)
Math as interpreted by people with "programmer" restrictions on their driver's licence. Heartbleed, anyone? Moreover, it takes away the assurances that DNSsec might give you (as broken as that is). And the only real protection you have against MITM is... that the SSL certificate issuers don't give the wrong kind of certificate to the wrong kind of people. As discerned by those same issuing companies. According to their own criteria, not even state law.
I have a hard time discerning whether your attempts at r
Re: (Score:2)
I have a hard time discerning whether your attempts at reassurance are wilfully disingenious or misguided. I'm going to go with Hanlon's razor. You still think DoH is a good idea, after all.
I do. I don't think its a perfect solution, but it's a good one that adds privacy and security improvements that will prevent real, documented abuses, and can be made functional on today's internet with reasonable tradeoffs.
PKI problems are a separate mess, which obviously impact DoH but more importantly everything else. There have been a lot of improvements there, too, over the past few years in policy and enforcement. For example, CAs are now required to publish certs in auditable CT logs, and errors a
Re: (Score:2)
Re: (Score:2)
Did they make that promise in a legal agreement with another company?
Ultimately for a free market to work someone has to hold companies to account for the claims and promises they make. We have a long history that shows a fair number of people are happy to rip customers off with whatever false promises they can get away with. If you're unhappy that companies are getting away with fraud you should demand that your representatives fix that.
Re: (Score:1)
So, Firefox is going to hijack my DNS and force me to use what *THEY* want rather than what *I* want.
This is just more of the same old bullshit. "In order to be free you must allow us to be in complete control".
Re: (Score:2)
They are not forcing anything. It can be turned off.
Re: (Score:1)
And the DNS request is made on the server you select in your router or IP settings, nothing to do with Firefox.
Re: (Score:2)
AFAIK, that is not true. about:config does contain settings for which server to use for DoH. And the whole point is to circumvent the DNS server e.g. the ISP's router set for you. So what you are saying would make zero sense against that.
Re:I'm not clear on how DNS over HTTPS helps priva (Score:4, Insightful)
Re: (Score:3)
> It should be opt-in, not opt-out.
Just ask the user on upgrade. There are too many pros and cons to pick a default.
Re: (Score:3)
Re: (Score:3)
Opt-out on such things is LITERALLY A CRIME in the EU.
Maybe, but we are talking about Canada.
Re: (Score:2)
Opt in is required for tracking.
DoH is not necessarily tracking.
Using your ISP's DNS server is not necessarily not tracking.
Re: (Score:1)
It's likely tracking in both cases, and we're being opted into tracking by american big tech instead of canadian medium/small tech tracking.
I for one would rather my data be harvested locally rather than feeding the data beasts to the south
Re: (Score:2)
Mozilla is small tech: fewer than 800 employees, compared to Google's 100,000 employees and 120,000 contractors (per a 2019 NYT article, probably more now) and similar sizes for other tech giants. And although our HQ is in America, 1/4 to 1/3 of our employees are based in Canada, including the executive director of the non-profit Mozilla Foundation that o
Re: (Score:3)
Re: (Score:2)
It appears that you can turn it on or off. And you can enter your preferred DoH provider. According to this: https://cleanbrowsing.org/guides/configure-dns-over-https-doh-firefox/ [cleanbrowsing.org] Although I am going to hold out for the dirtybrowsing.org option.
Re:I'm not clear on how DNS over HTTPS helps priva (Score:5, Informative)
If you are on a public hotspot, hotel or whatever, it means nobody between you and the DNS server will be able to sniff your DNS requests.
At home, or on a network you trust, the benefit is less clear. It depends if you trust Cloudflare/NextDNS/CIRA more or less than your ISP. You are free to select your own DoH provider.
If you do not trust your ISP, it make sense to encrypt as much stuff as possible, including DNS requests.
Re: (Score:2)
Not only sniff. The thing with DNS is that anyone can HIJACK it. Just redirect te request at router level, and boom - you're served a different website, unlesss the domain owner used HSTS.
Re: (Score:3)
I have a pi-hole that uses DoH for its upstream server. If Firefox were to talk to the DoH server directly, it would circumvent my pi-hole blocking.
Re: (Score:2)
if you can configure your own pi-hole surely you can configure firefox as well to use your DNS server.
Re: (Score:2)
Recent (>= ~2019) versions of Pi-Hole block the canary domain used by Firefox, thereby disabling Firefox's use of DoH.
Re: (Score:2)
If you are in a public hot spot that monetizes DNS then DoH will be blocked. You are the product. They can just test the IP you request for DoH and if they have a successful response they just block it.
Re: (Score:2)
If you are in a public hot spot that monetizes DNS then DoH will be blocked.
Maybe at some point, but the point is currently, we do not know if they are doing that, and if they do, DoH is a simple thing to enable and is worth it.
The other option is to use a full VPN, which is usually not free, not reliable, or not trusable, except if you run your own.
They can just test the IP you request for DoH and if they have a successful response they just block it.
Then I hope Google, Facebook, and other majors send a successful response. Good luck blocking half the Internet.
Re: (Score:2)
I'm unclear how DNS over HTTPS will help. Someone always gets the DNS request, and it must be read and serviced. This just means that the people running the servers at CIRA have access to that information, doesn't it?
It means you get to choose who sees your DNS requests instead of every router owner along the way.
Re: (Score:2)
Every router owner?
It's called DNS over TLS.
Going over HTTPS is batshit insane, and can only come from people who come up with bad wheel reinventions like WebSockets and entire OSes running as applications inside other OSes, aka "modern" browsers.
Why not go all the way, and do DNS over JSON over HTTPS over TCP over IP over webSockets over HTTPS over TCP over actual sockets? Maybe with JSLinux somewhere in-between. And put our pants on our hats and toot a funnel while jumping like we're in the house that sen
Re: (Score:3, Interesting)
Re: (Score:2)
The right way to do this - along with everything else like certificate checking, etc, is to delegate it to a separate application.
Firefox, the browser (all browsers), should have none of this, possibly not even HTTPS.
It should then talk to a "proxy" on the local box (this can be bundled with firefox and started by default)
That way there is a single place to configure all of these security settings and changing browser doesn't change how things are configured.
The "proxy" on the local box can then potentially
Re: (Score:2)
The problem with everything jumping on "use HTTPS because it's harder to block" is that all the bad stuff out there is doing the same thing.
If knowing who on your network was talking to what was designed into the system from the start then many of these apps that steal credentials would be found very quickly.
Re: (Score:3)
I'm unclear how DNS over HTTPS will help. Someone always gets the DNS request, and it must be read and serviced. This just means that the people running the servers at CIRA have access to that information, doesn't it?
Maybe Firefox (et al) need to implement a round-robin / random DNS query scheme that works with the user's DoH or regular DNS option selection. The browser can switch between a list of DNS servers so each only gets a part of your history...
Re: (Score:2)
Someone always gets every piece of information whenever you do anything. That doesn't automatically mean you trust *everyone* equally.
Alice trusts Bob, but not Eve.
Re: (Score:2)
Exactly. WTF is wrong with DNSSEC?
Re:I'm not clear on how DNS over HTTPS helps priva (Score:5, Informative)
Exactly. WTF is wrong with DNSSEC?
Nothing, but it addresses different aspects of DNS security than DoH.
From DNS Security: Threat Modeling DNSSEC, DoT, and DoH [netmeister.org]:
But DNSSEC doesn't protect against all of the threats noted above. Specifically, DNSSEC only addresses the question of data integrity and authenticity, but does not in any way concern itself with the aspects of confidentiality.
Presumably, the DoH servers could implement DNSSEC ...
I'm not supporting DoH, just commenting. I'm actually not in favor of my browser using a different DNS source than my OS -- you know, the old "Someone with one watch knows the time, someone with two is never sure" thing ...
Re: (Score:2)
My bad. I get it. DNSSEC is vulnerable to metadata attacks, since it's clearly a DNS request, while DoH appears to be innocent HTTPS traffic.
I thought, however that DNSSEC was encrypted, and so "they" can tell that you're DNS'ing, but not what you're DNS'ing.
Re: (Score:2)
DNSSEC is not about encryption.
DNSSEC is about digitally signing DNS records so that you can detect if they have been tampered with by the owner of whatever DNS server you are talking to.
Re: (Score:2)
Yes, and once I understood that, it made sense.
Someone needs to make DNSSS (DNSSEC over SSL).
Re: (Score:1)
And yes, I know DNS is UDP, so use DTLS instead.
Re: (Score:2)
Re: (Score:2)
It helps only in that man-in-the-middle monitoring becomes more difficult. It makes a wealth of data available to the managers of the DNS servers, who are very likely to harvest and sell that data.
Re: I'm not clear on how DNS over HTTPS helps priv (Score:1)
Re: (Score:2)
The overwhelming majority of people don't even know what DNS is, let alone "run" it. If you "run" your own DNS server then it's trivial to disable Firefox's use of DoH
Your American ISP can't be trusted: several have been caught abusing it. Up to now we've only enabled DoH for users in America. We've now added Canada. People in Europe seem to trust their ISPs a lot more and I haven't heard of any plans to enable it by default there.
I have no idea what the ne
fallacy of asserting the consequent (Score:2)
One could make many arguments why what Firefox is doing is less secure and potentially opening person to privacy breaches or single point of failure.
Let me handle my own damn DNS my way, I don't need a goodie-goodie company trying to cram their ignorant worldview and way of doing something down my throat.
Re: (Score:2)
Let me handle my own damn DNS my way
And what makes you think you can't do that with Firefox?
Not everybody likes the default option. You can still use your OS DNS server if you want.
Re: (Score:2)
One could make many arguments why what Firefox is doing is less secure and potentially opening person to privacy breaches or single point of failure.
Such as...?
Me? I know my way around a router configuration and I can't think of any.
Re: (Score:2)
Re: (Score:2)
this is a forced single provider of DNS. Single point of failure, single point of privacy breaching.
Re: (Score:2)
this is a forced single provider of DNS. Single point of failure, single point of privacy breaching.
Weird. My Firefox right now lets me choose a DNS provider in the settings.
(yes, mainstream Firefox already has this feature...you just need to configure it)
Re: (Score:2, Informative)
One could make many arguments why what Firefox is doing is less secure and potentially opening person to privacy breaches or single point of failure.
By offering the user the ability to use DNS over HTTPS in a completely optional way?
Let me handle my own damn DNS my way
You do you man. You have that power. Firefox is here for you with ample configuration options to do whatever you want. Don't want DoH, happy with your ISP harvesting every DNS request and selling it to anyone with a credit card, don't use it. Just don't spoil positive developments for the rest of us.
Re: (Score:2)
wrong, it's by default, and hard to charge for most, and might not even be a choice in future, depending on mood of Mozilla.
You're shilling for a bad thing that we don't want.
Re: (Score:2)
wrong, it's by default, and hard to charge for most
If you want to compare the nefarious world around you then "default and hard to charge [sic] for most" is to use your ISP's DNS resolver, and your ISPs if you are in the USA has flat out sold your data wholesale without at least anonymising it. They have admitted it multiple times.
I'll take my "wrong" over whatever you think is "right", as clearly "wrong" is better for privacy for most. Your entire post is predicated on "handling DNS your own way" so if someone is unable to manage the default here then the
Re: (Score:2)
Let me handle my own damn DNS my way, I don't need a goodie-goodie company trying to cram their ignorant worldview and way of doing something down my throat.
The problem though is you're not smart enough to configure your own DNS so firefox has to do it for you. If you were smart enough you'd know some of the many ways to configure it so firefox uses it.
Re: (Score:2)
You seem to be confused, I'm talking both about the annoyance firefox makes for expert like me and the risks for the common person. Dumb asses like you that just take it in the ass from Mozilla are the problem.
Re: (Score:2)
You seem to be confused, I'm talking both about the annoyance firefox makes for expert like me and the risks for the common person.
Did you fail to read your own post or something? You said:
Let me handle my own damn DNS my way,
They do. You can set it to always use the system resolver or Firefox's DOH resolver. You can easily make it default to DoH, but use the system resolver on your home network.
They do let you handle it your own way. So what you are complaining about literally does not exist. So I can only
So one (1) DNS provider will serve everyone? (Score:1)
-Don't put all your eggs in one basket, etc.
Re: (Score:2)
Wasn't DNS designed to be distributed?
Um, yes, many people have a copy of the DNS data, it's distributed.
OTOH you have to put a specific DNS server IP address in your IP settings. You always use the exact same address that's configured there. If that server goes down you're screwed.
(OK, normally you put a backup server address, too, but if both of them go down then you'll have no DNS)
Re: (Score:2)
Wasn't DNS designed to be distributed?
What about this isn't distributed? DoH works no differently than DNS in the way it's distributed. It has primary servers, and fallback servers, and if the servers don't have the information you requested they pass it up the chain. Heck the action is even more configurable and more distributed (look up Trusted Recursive Resolvers).
This is worse than
Let me stop you right there. Since you don't seem to understand how DoH works you have no basis for declaring it worse or better than anything. Do some research before your next co
Not Cool. (Score:2, Insightful)
That's actually bad news.
It doesn't increase privacy. What it does increase is dependency on a single entity.
They're redirecting queries to their partners while bypassing the local DNS configuration.
Mozilla centralizes the net. Not cool.
Re: (Score:2)
-This won't end well.
Re: (Score:3)
What it does increase is dependency on a single entity.
It does nothing of the sort. You're 100% allowed to set whatever server you want as your DoH resolver or you can disable it altogether. Or hell run your own DoH server. This is Slashdot. Linux that motherf***er, and prove to us you deserve to not have your geek card revoked after your post.
Use the OS-provided resolver. (Score:3)
Re: (Score:1)
as its only way to communicate with the world if it keeps second-guessing my OS setup.
Or just disable DoH if you're so hell bent on using your OS's resolver. The option is right there, no need to go all stupid with rage. The Windows 10 fast ring has support for OS level DoH. As does Linux via various clients.
You have the power. You have more options than ever. Instead of complaining, RTFM and embrace all the additional options you have at your fingertips.
Re: (Score:1)
The usual progression is:
1) add it to the browser but disable it,
2) create an UI option to enable it but leave it disabled by default,
3) switch it from default-off to default-on,
4) remove the UI option but leave the about:config option,
5) remove the choice altogether.
We are now at stage 3. I am well aware that I can still turn that usurpation of DNS resolution off, but it won't stay that way. And besides that, it sets a bad precedent. I absolutely do not want every "app" to come with its own DNS resol
Re: (Score:1)
Exactly. This will be a security nightmare for big organizations.
Every damn browser will circumvent their DNS.
Oh wait, Firefox already committed suicide!
Nevermind
Re: (Score:2)
Corporations will be running their own DNS server (usually) and can easily have that server return the valid canary domain record which will cause Firefox to disable DoH.
Oh and people running a pihole or other similar thing could also implement the canary domain and turn off DoH across all the machines on that network.
Re: (Score:2)
You can simply disable the feature if you're that upset about it.
As an alternative, you can set the DNS over HTTPS provider to 127.0.0.1 in about:preferences if it isn't too much of a problem for you.
Just another nail in Mozilla's/Firefox's (Score:2)
Re: (Score:2)
Selling the DNS data
I know. Everything went downhill when Linux went closed source and BSD implemented systemd. https://wiki.mozilla.org/Secur...
Be sane: Run your own DNS server. (Score:1)
It's quite easy on Linux. /etc/resolv.conf.
Install bind,
don't set it to forwarding or anything other than resolving things itself, which I think is the default,
set it so only localhost can access it (may be the default too),
enable the init script,
set your DHCP client to ignore any DNS servers it is given,
and put "nameserver 127.0.0.1" and nothing else into
If you run systemd, you need to switch to GNU first, of course.
Disable Remote Configuration (Score:3)
Of course, one can always (and should by default) disable remote configuration capabilities if you do not want "just any unwashed miscreant" changing your configuration without permission. There is an option in Firefox to disable "remote configuration" diddling, and it works quite well.
Data mining by telcos (Score:4, Insightful)
Judging from the comments, quite a few of you are skeptical about the usefulness. I have a different perspective based on my work experience.
I used to work for a large telco in the APAC region (100s millions of users in multiple countries) where I was part of the team that developed a system to mine as much data as possible from users: location data (triangulation), call records, web data. From this data individual profiles were created which were then (only) sold in an aggregated/anonymized way (things might have changed of course). The tools we developed were licensed to telcos all over the world.
Analyzing DNS requests was definitely part of the arsenal of tools used for HTTPS requests (other techniques are connecting to the server and analyzing the certificate presented).
In my opinion, Firefox's DNS over HTTPS will at least partially help against this type of unwarranted snooping by telcos.
Re: (Score:2)
I don't care if they snoop on me. Granted, I'm a security person; I have always known how insecure the internet is.
I take no special precautions to protect my privacy, because quite frankly, almost nothing I do online requires privacy. I do require *security*, _sometimes_, such as for completing financial transactions or submitting sensitive information (tax records, etc). But for 99% of what I do? I don't care who sees it or who's making money off it. The only risk there is to me is of potentially getting
Re: (Score:2)
almost nothing I do online requires privacy.
Until someone runs a fishing expedition that implicates you in a crime that you didn't commit. A hostile law enforcement agency can more easily establish guilt by association if you don't use basic privacy measures. Or an insurer can buy your interests, deem you a risk based on those interests, and give you a quote that's high enough to be considered a "go away" quote.
Re: (Score:2)
It's useless for the purpose of hiding DNS queries from unscrupulous ISPs.
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Is this a tech forum? Google also provides countless how-tos for the complete clueless. How hard would it be for you?
The true benefit for DoH has nothing to do with protecting the user. The true benefit is monetizing DNS requests.
Isn’t this going to break a lot of sh.. (Score:2)
I have a script on my pi-hole resolving random hosts to different DNS servers all day long. I block dns queries to hard-coded servers on my IoT vlan, and manage them on all other vlans. I like my system better than any of the other alternatives, and I imagine there are less paranoid reasons to keep from using dns-over-https.
Re: (Score:2)
It will only break shit for people who are ignorant. You can disable it for your whole network.
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
The same way that any ISP can. This is just a means to monetize DNS.
Re: (Score:2)
Following your link and supporting documents you come across this gem:
Re: (Score:2)
If your pi-hole is recent (newer than ~2019) it already blocks the canary domain and disables DoH on Firefox.
"Extending Privacy and Security" (Score:2)
by making it easier to capture and circumvent in a single place.
Yes, your ISP may be making money off of your traffic. But at least they aren't turning it into a vendor lock-in device for the whole Internet.
DNS over HTTPS lowers web performance, breaks compatibility with existing services (like CDNs), doesn't support private DNS records, doesn't do end-to-end integrity checking (ala DNSSEC), increases the likelihood of failure, and provides a much larger target for attackers to sniff or compromise the recor
Re: (Score:3)