Is Mozilla's new DNS feature really dangerous?

Tomaso
Board Warrior
Posts: 1622
Joined: 2015-07-23, 16:09
Location: Norway

Unread post by Tomaso » 2018-08-05, 21:41

https://www.ghacks.net/2018/08/05/is-mo ... dangerous/
The author of the article identified two core issues with the implementation:
1. That the system is not opt-in but opt-out.
2. That a third-party, in the case of the current implementation Cloudflare, gets access to all DNS requests of all Firefox users (based on 1).

Moonchild
Pale Moon guru
Posts: 35602
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2018-08-06, 06:43

It is no more dangerous than any other implied, opt-out service Firefox users are using that leaves a lot of data in Mozilla's hands.
To be honest I trust CloudFlare more than Mozilla with my data :P

Although I do agree that this feels very walled-garden-esque, ignoring system-set DNS servers by default in favor of "d'Oh!"? The Internet is not the domain of Mozilla and its partners. It should be opt-in because it's ONLY useful in non-standard situations.
Last edited by Moonchild on 2018-08-06, 06:47, edited 1 time in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Unread post by snertev » 2018-08-06, 08:27

Moonchild wrote:It is no more dangerous than any other implied, opt-out service Firefox users are using that leaves a lot of data in Mozilla's hands.
To be honest I trust CloudFlare more than Mozilla with my data :P

Although I do agree that this feels very walled-garden-esque, ignoring system-set DNS servers by default in favor of "d'Oh!"? The Internet is not the domain of Mozilla and its partners. It should be opt-in because it's ONLY useful in non-standard situations.

Indeed, they (Firefox) may force people involuntarily to do illegal stuff in my country by adding this new DNS stuff with the DNS ping stuff and circumventing DNS filtering without knowledge.

Sincerely, it's enough.

I've definitely uninstalled it.

Unread post by Moonchild » 2018-08-06, 08:55

I'm also wondering what it does if you have a recursive DNS server set up on your local machine (being completely independent)... I'm guessing it would prefer d'Oh! in that case as well? -- that's really bad.

And LAN-only corporate traffic won't work with a public DNS either, so it'll break intranets as a whole.
Last edited by Moonchild on 2018-08-06, 08:55, edited 1 time in total.

Unread post by snertev » 2018-08-06, 09:49

Moonchild wrote:I'm also wondering what it does if you have a recursive DNS server set up on your local machine (being completely independent)... I'm guessing it would prefer d'Oh! in that case as well? -- that's really bad.

And LAN-only corporate traffic won't work with a public DNS either, so it'll break intranets as a whole.

I've read that there will be a fallback to the normal DNS server if the D'Oh server cannot be reached. It seems illogical, if the main advertised purpose is security. :thumbdown:

Unread post by Moonchild » 2018-08-06, 16:33

snertev wrote:I've read that there will be a fallback to the normal DNS server if the D'Oh server cannot be reached.

The problem is not that it can't be reached, the problem is that a public DNS server can never know about intranet hosts, and intranet lookups should never be sent outside of the intranet. So it can reach the server but the server won't know of private hosts.

Unread post by Latitude » 2018-08-07, 10:59

A bit off topic here.

Is DOH really a solution to circumvent Internet censorship (by government)?

My government (Indonesia) is so corrupt & hypocritical. They blocked Reddit, Vimeo, Tumblr for pornography. I guess it uses squidGuard.
Last edited by Latitude on 2018-08-07, 11:01, edited 2 times in total.

Unread post by Moonchild » 2018-08-07, 11:01

Latitude wrote:Is DOH really a solution to circumvent Internet censorship (by government)?
No, it isn't. Not by itself.

Unread post by Latitude » 2018-08-07, 11:26

Moonchild wrote:
Latitude wrote:Is DOH really a solution to circumvent Internet censorship (by government)?
No, it isn't. Not by itself.

DNS over TLS?

Unread post by Moonchild » 2018-08-07, 11:31

You really want me to repeat myself, don't you?

Unread post by Tomaso » 2018-08-07, 15:07

How the mighty have fallen!:
https://www.ghacks.net/2018/08/07/firef ... -browsing/
Mozilla launched a new Test Pilot project for Firefox today called Advance that provides article recommendations based on your browsing.
The new experiment is a cooperation between Mozilla and Laserlike.
Laserlike is a startup that built a recommendation platform and the experiment taps into the data to provide recommendations.
It's a sad thing, to see Mozilla go like that.
And all these new spy features are probably just the start of it. :(
Mod Edit: off-Topic.
Last edited by satrow on 2018-08-07, 17:00, edited 3 times in total.
Reason: Off-Topic, PMed.

Sob__
Lunatic
Posts: 251
Joined: 2014-02-17, 01:12
Location: CZ

Unread post by Sob__ » 2018-08-07, 22:09

Latitude wrote:Is DOH really a solution to circumvent Internet censorship (by government)?
No. All these technologies only protect DNS. But if we're talking about web browsing, they do nothing for privacy. HTTP connections contain the hostname (and full URL) in plaintext, so anyone on the way (e.g. ISP) can see it. Even HTTPS connections contain a readable hostname because of SNI (Server Name Indication). So if someone wants to do some filtering, they can; you can't hide what you're doing. At least not so easily. DOH can help only with DNS-based filtering.

DNS-based filtering is commonly used for soft censorship because it's cost-effective. It's not all that great, the main part is that it's really cheap. In its simplest form, it needs hardly any extra resources. A censoring government just forces ISPs to do filtering on their own DNS resolvers. It's no problem for the ISP, because it can be easily implemented and doesn't affect any other traffic. And it's surprisingly effective. Anyone can get around it just by switching to different resolvers, but many non-technical users don't know how to do it, so it does work on them. The next level is hijacking of all DNS traffic from users and forcing it to go to the ISP's resolvers. It's a dick move, but Facebook still works (I mean, if it's not a target of blocking), so not too many will complain. DOH will help you here.

The trouble is, if DOH or similar technology becomes available everywhere by default, DNS-based filtering will stop working even for non-technical users. And guess what, censors won't say "oh well, we tried, there's no point to continue now, let them have uncensored internet". No, they will move to other (worse) forms of filtering. For web browsing, it's very easy to block access to selected hostnames. It's much more resource intensive than a DNS-based solution, but possible. A government that really likes censorship will happily pay for the ISP's costs with its own money. Well, not exactly "own", they will tax you to get it.

DOH can be useful on untrusted networks, where someone serves fake DNS responses for one reason or another. DOH can help here too (if you can trust the DOH server operator). In theory, it shouldn't be necessary, that's what we already have DNSSEC for, to prevent tampering with DNS records. In practice, it's far from widespread, so you can't rely on it for most domains. And worse, nothing in a common system actually cares about it. Web browsers, the OS itself, they couldn't care less about fake responses. Currently it's only the configured resolver that possibly cares about DNSSEC and filters fake responses. But it has to be as close to you as possible, preferably within your own network. Public resolvers such as Google's care about DNSSEC too, but it doesn't help much, because between them and you, anyone (e.g. evil ISP) can still tamper with responses and nothing in your system will notice.

Unread post by roytam1 » 2018-08-08, 04:20

Sob__ wrote:
Latitude wrote:Is DOH really a solution to circumvent Internet censorship (by government)?
No. All these technologies only protect DNS. But if we're talking about web browsing, they do nothing for privacy. HTTP connections contain the hostname (and full URL) in plaintext, so anyone on the way (e.g. ISP) can see it. Even HTTPS connections contain a readable hostname because of SNI (Server Name Indication). So if someone wants to do some filtering, they can; you can't hide what you're doing. At least not so easily. DOH can help only with DNS-based filtering.

DNS-based filtering is commonly used for soft censorship because it's cost-effective. It's not all that great, the main part is that it's really cheap. In its simplest form, it needs hardly any extra resources. A censoring government just forces ISPs to do filtering on their own DNS resolvers. It's no problem for the ISP, because it can be easily implemented and doesn't affect any other traffic. And it's surprisingly effective. Anyone can get around it just by switching to different resolvers, but many non-technical users don't know how to do it, so it does work on them. The next level is hijacking of all DNS traffic from users and forcing it to go to the ISP's resolvers. It's a dick move, but Facebook still works (I mean, if it's not a target of blocking), so not too many will complain. DOH will help you here.

The trouble is, if DOH or similar technology becomes available everywhere by default, DNS-based filtering will stop working even for non-technical users. And guess what, censors won't say "oh well, we tried, there's no point to continue now, let them have uncensored internet". No, they will move to other (worse) forms of filtering. For web browsing, it's very easy to block access to selected hostnames. It's much more resource intensive than a DNS-based solution, but possible. A government that really likes censorship will happily pay for the ISP's costs with its own money. Well, not exactly "own", they will tax you to get it.

DOH can be useful on untrusted networks, where someone serves fake DNS responses for one reason or another. DOH can help here too (if you can trust the DOH server operator). In theory, it shouldn't be necessary, that's what we already have DNSSEC for, to prevent tampering with DNS records. In practice, it's far from widespread, so you can't rely on it for most domains. And worse, nothing in a common system actually cares about it. Web browsers, the OS itself, they couldn't care less about fake responses. Currently it's only the configured resolver that possibly cares about DNSSEC and filters fake responses. But it has to be as close to you as possible, preferably within your own network. Public resolvers such as Google's care about DNSSEC too, but it doesn't help much, because between them and you, anyone (e.g. evil ISP) can still tamper with responses and nothing in your system will notice.

For SNI, people are working on encrypted SNI: https://stackshare.io/news/article/4247 ... rypted-sni

For non-secured HTTP, Google marks them as "non-secured" in Chrome since 68.

Unread post by Moonchild » 2018-08-08, 07:15

I have the distinct feeling that Mozilla is leaning much too heavily to the specific needs for the "TOR Browser".

Encrypted SNI is yet another piecemeal thing that isn't needed in normal situations. Everything that is done here is specifically to eliminate any "leaks" to the local network and trying to make the browser stealth except for an outbound tunnel, if used. It's nonsense for any other workflow.

Once more, none of this is needed or useful if you use a VPN (or any other encapsulation protocol) tunnel to tunnel your way out of what you consider an untrusted local network. Even a web proxy over https will already completely bypass the need for any of these service-based encryptions/cloaking methods.

Also, from a censorship perspective, all these efforts can be thwarted with a few simple firewall/DNS rules (How will the browser connect to the TRR or ESNI server? It will have to look up the trr/esni host first... What will be used for that? The local DNS server. In fact, it will immediately give positive confirmation that you are bypassing/breaking regulations if your browser does this lookup to specialized servers only used for these services...)

Then, note the IETF draft disclaimer, everyone is jumping the gun.
DISCLAIMER: This is very early a work-in-progress design and has not
yet seen significant (or really any) security analysis. It should
not be used as a basis for building production systems.