will UXP support DNS-over-HTTPS?

Discussions about the development and maturation of the Unified XUL Platform (UXP).
Warning: may contain highly-technical topics.


roytam1
Fanatic
Posts: 130
Joined: Wed, 11 Mar 2015, 07:01
Location: Hong Kong

will UXP support DNS-over-HTTPS?

Post by roytam1 » Thu, 22 Mar 2018, 03:27

upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1434852

This will be good for people suffering DNS poisoning when browsing. And even better if current Pale Moon can support it.
Last edited by roytam1 on Thu, 22 Mar 2018, 09:05, edited 1 time in total.

New Tobin Paradigm
Knows the dark side
Posts: 4430
Joined: Tue, 09 Oct 2012, 19:37

Re: will UXP support DNS-over-HTTPS?

Post by New Tobin Paradigm » Thu, 22 Mar 2018, 03:38

Sounds more like whitelist/blacklisting to me... Moonchild?


Moonchild
Pale Moon guru
Posts: 21665
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: will UXP support DNS-over-HTTPS?

Post by Moonchild » Thu, 22 Mar 2018, 17:25

There is no such thing as DNS-over-https.
They are entirely different protocols.

EDIT: well, looking over the IETF draft of this new "perform a host name lookup on a remote server over an https connection" mechanism (DOH), I can see this having been born from paranoia and/or the desire for people to try and cover their tracks. I shall henceforth call it "D'oh!" 8-)

I don't understand how Mozilla in their commit message can state it's more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don't trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to "work around using one protocol instead of multiple". If you suffer from DNS poisoning, then pick better resolvers to use.

I don't see a reason to implement this at this time. https is not meant to be used as an encapsulation protocol, despite people doing so.
Last edited by Moonchild on Thu, 22 Mar 2018, 17:54, edited 4 times in total.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
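To make concrete what the post above calls a "perform a host name lookup on a remote server over an https connection" mechanism, here is an added, self-contained example that is not part of this thread, the UXP project or Mozilla's patch. It builds a standard RFC 1035 wire-format DNS query, shows the two ways the IETF draft (later RFC 8484) carries that unchanged message over HTTPS (a GET with the message base64url-encoded in the `dns` parameter, or a POST with body type `application/dns-message`), and parses a constructed wire-format answer of the kind the resolver returns in the HTTP response body. The endpoint `https://doh.example/dns-query` is a placeholder, and no network traffic is sent; the point it demonstrates is the one made in the thread: the DNS message itself is identical to what would go over UDP, only the transport (and the single resolver seeing all queries) changes.

```python
import base64
import struct

# Placeholder endpoint (assumption for this example; not a real resolver).
DOH_HOST = "doh.example"
DOH_PATH = "/dns-query"
DOH_ENDPOINT = f"https://{DOH_HOST}{DOH_PATH}"


def encode_qname(name: str) -> bytes:
    """Encode a host name as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one question (type A by default).
    RFC 8484 suggests transaction id 0 so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET form: base64url encoding without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_post_request(query: bytes, host: str = DOH_HOST, path: str = DOH_PATH) -> bytes:
    """The HTTP/1.1 request bytes a client would write inside the TLS session."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 §4.1.4); returns (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 2 bytes, 14-bit offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question, collect A records from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed sample response body (not captured from any real resolver):
# QR=1 RD=1 RA=1, one question, one A record pointing at the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(doh_post_request(q).decode("latin-1"))
    print(parse_response(SAMPLE_RESPONSE))
```

The same `parse_response` would parse a UDP reply byte-for-byte, which is why the thread frames DoH as an encapsulation question rather than a new resolution protocol: what the HTTPS wrapper changes is who can read and who can alter the exchange on the path, not the content or the trust placed in the resolver.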

Paleist
Moongazer
Posts: 8
Joined: Wed, 23 Aug 2017, 09:44

Re: will UXP support DNS-over-HTTPS?

Post by Paleist » Wed, 25 Jul 2018, 18:09

Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

Moonchild
Pale Moon guru
Posts: 21665
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E

Re: will UXP support DNS-over-HTTPS?

Post by Moonchild » Thu, 26 Jul 2018, 03:01

Paleist wrote: Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

It won't prevent poisoning, because you're still using a resolver which you implicitly trust that is operated by someone else, that can just as easily be subject to poisoning attacks.
Same for spoofing.
Same for hijacking and censorship.
Also, if you do your own lookups instead of deferring, we have all these wonderful mitigation and verification technologies already in place on regular DNS traffic like DNSSEC, DANE, and what not.

And as for tracking? You're centralizing all of browsers' DNS traffic to one server. You want a tracking tap? That central server is a perfect location.

DNS is meant to be a decentralized protocol. Let's keep it that way.

D'Oh! doesn't solve anything except the situation where you're not trusting a local network that enforces its own DNS servers -- as said in that case you'd be better off tunneling out for all of your traffic anyway.