will UXP support DNS-over-HTTPS?

Discussions about the development and maturation of the platform code (UXP).
Warning: may contain highly-technical topics.

Moderators: trava90, athenian200

roytam1

will UXP support DNS-over-HTTPS?

Post by roytam1 » 2018-03-22, 03:27

upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1434852

This will be good for people suffering DNS poisoning when browsing. And even better if current Pale Moon can support it.
Last edited by roytam1 on 2018-03-22, 09:05, edited 1 time in total.

New Tobin Paradigm

Re: will UXP support DNS-over-HTTPS?

Post by New Tobin Paradigm » 2018-03-22, 03:38

Sounds more like whitelist/blacklisting to me.. Moonchild?

Moonchild
Pale Moon guru

Re: will UXP support DNS-over-HTTPS?

Post by Moonchild » 2018-03-22, 17:25

There is no such thing as DNS-over-https.
They are entirely different protocols.

EDIT: well, looking over the IETF draft of this new "perform a host name lookup on a remote server over an https connection" mechanism (DOH), I can see this having been born from paranoia and/or the desire for people to try and cover their tracks. I shall henceforth call it "D'oh!" 8-)

I don't understand how Mozilla in their commit message can state it's more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don't trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to "work around using one protocol instead of multiple". If you suffer from DNS poisoning, then pick better resolvers to use.

I don't see a reason to implement this at this time. https is not meant to be used as an encapsulation protocol, despite people doing so.
Last edited by Moonchild on 2018-03-22, 17:54, edited 4 times in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Paleist

Re: will UXP support DNS-over-HTTPS?

Post by Paleist » 2018-07-25, 18:09

Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

Moonchild
Pale Moon guru

Re: will UXP support DNS-over-HTTPS?

Post by Moonchild » 2018-07-26, 03:01

Paleist wrote:
> Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

It won't prevent poisoning, because you're still using a resolver which you implicitly trust that is operated by someone else, that can just as easily be subject to poisoning attacks.
Same for spoofing.
Same for hijacking and censorship.
Also, if you do your own lookups instead of deferring, we have all these wonderful mitigation and verification technologies already in place on regular DNS traffic like DNSSEC, DANE, and what not.

And as for tracking? You're centralizing all of browsers' DNS traffic to one server. You want a tracking tap? That central server is a perfect location.

DNS is meant to be a decentralized protocol. Let's keep it that way.

D'Oh! doesn't solve anything except the situation where you're not trusting a local network that enforces its own DNS servers -- as said in that case you'd be better off tunneling out for all of your traffic anyway.
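The mechanism the thread is arguing about, shown as an added example that is not part of the original posts and not Pale Moon or UXP code: under RFC 8484 a DoH client builds an ordinary RFC 1035 wire-format DNS message, base64url-encodes it into the `dns` query parameter of an HTTPS GET (or POSTs it with the `application/dns-message` media type), and gets the same wire-format message back. The code below builds such a query, produces the GET URL, decodes the parameter the way a server would, and parses a response. The resolver URL, the `example.com` lookup and the response bytes (with the documentation address 192.0.2.1) are constructed for the example. Note the AD flag in the parsed response: it is only the resolver's claim that it performed DNSSEC validation, which is the trust point Moonchild's reply is making; the client cannot verify it from the DoH exchange alone.

```python
import base64
import struct

TYPE_A = 1                                 # RFC 1035 record type
DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 section 6
FLAG_RD, FLAG_AD = 0x0100, 0x0020          # recursion desired, authentic data


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Build a wire-format query. ID is 0 as RFC 8484 section 4.1 recommends
    (cache-friendly); AD asks the resolver to report DNSSEC-validated data."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 section 6: base64url without '=' padding in the 'dns' parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={param}"


def decode_doh_param(param: str) -> bytes:
    """Server side of the same encoding: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question, and decode the answer section."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": ident, "rcode": flags & 0xF,
              "ad": bool(flags & FLAG_AD),  # resolver's validation claim only
              "answers": []}
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        result["answers"].append((name, rtype, ttl, rdata))
    return result


# Constructed sample response: QR|RD|RA set, AD clear (no validation claimed),
# one A record for example.com pointing at a documentation-range address.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    query = build_query("example.com")
    print(doh_get_url("https://resolver.example/dns-query", query))  # placeholder host
    print(parse_response(SAMPLE_RESPONSE))
```

The same bytes that `build_query` produces would go over UDP port 53 in classic DNS; DoH changes only the transport, not the message or who answers it. An `ad` of `False` in the parsed result is the client's only visible signal that the resolver did not (or could not) validate the answer.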
