will UXP support DNS-over-HTTPS?

Discussions about the development and maturation of the Unified XUL Platform (UXP).
Warning: may contain highly-technical topics.

Moderators: trava90, satrow

roytam1
Fanatic
Posts: 155
Joined: 2015-03-11, 07:01
Location: Hong Kong

will UXP support DNS-over-HTTPS?

Unread post by roytam1 » 2018-03-22, 03:27

upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1434852

This will be good for people suffering DNS poisoning when browsing. And even better if current Pale Moon can support it.
Last edited by roytam1 on 2018-03-22, 09:05, edited 1 time in total.

New Tobin Paradigm
Off-Topic Sheriff
Posts: 5456
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: will UXP support DNS-over-HTTPS?

Unread post by New Tobin Paradigm » 2018-03-22, 03:38

Sounds more like whitelist/blacklisting to me... Moonchild?

- So then, "mono" means one, and "rail" means rail! -
And that concludes our intensive three-week course.
http://binaryoutcast.com/ | http://thereisonlyxul.org/

Moonchild
Pale Moon guru
Posts: 23699
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: will UXP support DNS-over-HTTPS?

Unread post by Moonchild » 2018-03-22, 17:25

There is no such thing as DNS-over-https.
They are entirely different protocols.

EDIT: well, looking over the IETF draft of this new "perform a host name lookup on a remote server over an https connection" mechanism (DOH), I can see this having been born from paranoia and/or the desire for people to try and cover their tracks. I shall henceforth call it "D'oh!" 8-)

I don't understand how Mozilla in their commit message can state it's more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don't trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to "work around using one protocol instead of multiple". If you suffer from DNS poisoning, then pick better resolvers to use.

I don't see a reason to implement this at this time. https is not meant to be used as an encapsulation protocol, despite people doing so.
Last edited by Moonchild on 2018-03-22, 17:54, edited 4 times in total.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
"I'm afraid you have me mistaken for someone who can be shamed by a child." -- Quillspawn

Paleist
Hobby Astronomer
Posts: 20
Joined: 2017-08-23, 09:44

Re: will UXP support DNS-over-HTTPS?

Unread post by Paleist » 2018-07-25, 18:09

Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

Moonchild
Pale Moon guru
Posts: 23699
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: will UXP support DNS-over-HTTPS?

Unread post by Moonchild » 2018-07-26, 03:01

Paleist wrote: Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.
It won't prevent poisoning, because you're still using a resolver which you implicitly trust that is operated by someone else, that can just as easily be subject to poisoning attacks.
Same for spoofing.
Same for hijacking and censorship.
Also, if you do your own lookups instead of deferring, we have all these wonderful mitigation and verification technologies already in place on regular DNS traffic like DNSSEC, DANE, and what not.

And as for tracking? You're centralizing all of browsers' DNS traffic to one server. You want a tracking tap? That central server is a perfect location.

DNS is meant to be a decentralized protocol. Let's keep it that way.

D'Oh! doesn't solve anything except the situation where you're not trusting a local network that enforces its own DNS servers -- as said in that case you'd be better off tunneling out for all of your traffic anyway.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
"I'm afraid you have me mistaken for someone who can be shamed by a child." -- Quillspawn
