The author of the article identified two core issues with the implementation:
1. That the system is not opt-in but opt-out.
2. That a third-party, in the case of the current implementation Cloudflare, gets access to all DNS requests of all Firefox users (based on 1).
Is Mozilla's new DNS feature really dangerous?
https://www.ghacks.net/2018/08/05/is-mo ... dangerous/
Re: Is Mozilla's new DNS feature really dangerous?
It is no more dangerous than any other implied, opt-out service Firefox users are using that leave a lot of data in Mozilla's hands.
To be honest I trust CloudFlare more than Mozilla with my data.
Although I do agree that this feels very walled-garden-esque, ignoring system-set DNS servers by default in favor of "d'Oh!" ? The Internet is not the domain of Mozilla and its partners. It should be opt-in because it's ONLY useful in non-standard situations.
Last edited by Moonchild on 2018-08-06, 06:47, edited 1 time in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Is Mozilla's new DNS feature really dangerous?
Moonchild wrote:
> It is no more dangerous than any other implied, opt-out service Firefox users are using that leave a lot of data in Mozilla's hands.
> To be honest I trust CloudFlare more than Mozilla with my data.
> Although I do agree that this feels very walled-garden-esque, ignoring system-set DNS servers by default in favor of "d'Oh!" ? The Internet is not the domain of Mozilla and its partners. It should be opt-in because it's ONLY useful in non-standard situations.
Indeed, they (Firefox) may force people involuntarily to do illegal stuff in my country by adding this new DNS stuff with the DNS ping stuff and circumventing DNS filtering without knowledge.
Sincerely, it's enough.
I've definitely uninstalled it.
Re: Is Mozilla's new DNS feature really dangerous?
I'm also wondering what it does if you have a recursive DNS server set up on your local machine (being completely independent)... I'm guessing it would prefer d'Oh! in that case as well? -- that's really bad.
And LAN-only corporate traffic won't work with a public DNS either, so it'll break intranets as a whole.
Last edited by Moonchild on 2018-08-06, 08:55, edited 1 time in total.
Re: Is Mozilla's new DNS feature really dangerous?
Moonchild wrote:
> I'm also wondering what it does if you have a recursive DNS server set up on your local machine (being completely independent)... I'm guessing it would prefer d'Oh! in that case as well? -- that's really bad.
> And LAN-only corporate traffic won't work with a public DNS either, so it'll break intranets as a whole.
I've read that there will be a fallback to the normal DNS server if D'Oh server cannot be reached. It seems illogical, if the main advertised purpose is security.
Re: Is Mozilla's new DNS feature really dangerous?
snertev wrote:
> I've read that there will be a fallback to the normal DNS server if D'Oh server cannot be reached.
The problem is not that it can't be reached, the problem is that a public DNS server can never know about intranet hosts, and intranet lookups should never be sent outside of the intranet. So it can reach the server but the server won't know of private hosts.
Re: Is Mozilla's new DNS feature really dangerous?
A bit off topic here.
Is DOH really a solution to circumvent Internet censorship (by government)?
My government (Indonesia) is so corrupt & hypocritical. They blocked Reddit, Vimeo, Tumblr for pornography. I guess it uses squidGuard.
Last edited by Latitude on 2018-08-07, 11:01, edited 2 times in total.
Re: Is Mozilla's new DNS feature really dangerous?
Latitude wrote:
> Is DOH really a solution to circumvent Internet censorship (by government)?
No, it isn't. Not by itself.
Re: Is Mozilla's new DNS feature really dangerous?
Moonchild wrote:
> Latitude wrote:
> > Is DOH really a solution to circumvent Internet censorship (by government)?
> No, it isn't. Not by itself.
DNS over TLS?
Re: Is Mozilla's new DNS feature really dangerous?
You really want me to repeat myself, don't you?
Re: Is Mozilla's new DNS feature really dangerous?
Last edited by satrow on 2018-08-07, 17:00, edited 3 times in total.
Reason: Off-Topic, PMed.
Re: Is Mozilla's new DNS feature really dangerous?
Latitude wrote:
> Is DOH really a solution to circumvent Internet censorship (by government)?
No. All these technologies only protect DNS. But if we're talking about web browsing, they do nothing for privacy. Http connections contain hostname (and full URL) in plaintext, so anyone on the way (e.g. ISP) can see it. Even https connections contain readable hostname because of SNI (Server Name Indication). So if someone wants to do some filtering, they can, you can't hide what you're doing. At least not so easily. DOH can help only with DNS-based filtering.
DNS-based filtering is commonly used for soft censorship because it's cost-effective. It's not all that great, the main part is that it's really cheap. In simplest form, it needs hardly any extra resources. Censoring government just forces ISPs to do filtering on their own DNS resolvers. It's no problem for ISP, because it can be easily implemented and doesn't affect any other traffic. And it's surprisingly effective. Anyone can get around it just by switching to different resolvers, but many non-technical users don't know how to do it, so it does work on them. Next level is hijacking of all DNS traffic from users and forcing it to go to ISP's resolvers. It's a dick move, but Facebook still works (I mean, if it's not target of blocking), so not too many will complain. DOH will help you here.
The trouble is, if DOH or similar technology becomes available everywhere by default, DNS-based filtering will stop working even for non-technical users. And guess what, censors won't say "oh well, we tried, there's no point to continue now, let them have uncensored internet". No, they will move to other (worse) forms of filtering. For web browsing, it's very easy to block access to selected hostnames. It's much more resource intensive than DNS-based solution, but possible. A government that really likes censorship will happily pay for ISP's costs with own money. Well, not exactly "own", they will tax you to get it.
DOH can be useful on untrusted networks, where someone serves fake DNS responses for one reason or another. DOH can help here too (if you can trust DOH server operator). In theory, it shouldn't be necessary, that's what we already have DNSSEC for, to prevent tampering with DNS records. In practice, it's far from widespread, so you can't rely on it for most domains. And worse, nothing in common system actually cares about it. Web browsers, the OS itself, they couldn't care less about fake responses. Currently it's only configured resolver that possibly cares about DNSSEC and filters fake responses. But it has to be as close to you as possible, preferably within your own network. Public resolvers such as Google's care about DNSSEC too, but it doesn't help much, because between them and you, anyone (e.g. evil ISP) can still tamper with responses and nothing in your system will notice.
Re: Is Mozilla's new DNS feature really dangerous?
Sob__ wrote:
> Latitude wrote:
> > Is DOH really a solution to circumvent Internet censorship (by government)?
> No. All these technologies only protect DNS. But if we're talking about web browsing, they do nothing for privacy. Http connections contain hostname (and full URL) in plaintext, so anyone on the way (e.g. ISP) can see it. Even https connections contain readable hostname because of SNI (Server Name Indication). So if someone wants to do some filtering, they can, you can't hide what you're doing. At least not so easily. DOH can help only with DNS-based filtering.
> DNS-based filtering is commonly used for soft censorship because it's cost-effective. It's not all that great, the main part is that it's really cheap. In simplest form, it needs hardly any extra resources. Censoring government just forces ISPs to do filtering on their own DNS resolvers. It's no problem for ISP, because it can be easily implemented and doesn't affect any other traffic. And it's surprisingly effective. Anyone can get around it just by switching to different resolvers, but many non-technical users don't know how to do it, so it does work on them. Next level is hijacking of all DNS traffic from users and forcing it to go to ISP's resolvers. It's a dick move, but Facebook still works (I mean, if it's not target of blocking), so not too many will complain. DOH will help you here.
> The trouble is, if DOH or similar technology becomes available everywhere by default, DNS-based filtering will stop working even for non-technical users. And guess what, censors won't say "oh well, we tried, there's no point to continue now, let them have uncensored internet". No, they will move to other (worse) forms of filtering. For web browsing, it's very easy to block access to selected hostnames. It's much more resource intensive than DNS-based solution, but possible. A government that really likes censorship will happily pay for ISP's costs with own money. Well, not exactly "own", they will tax you to get it.
> DOH can be useful on untrusted networks, where someone serves fake DNS responses for one reason or another. DOH can help here too (if you can trust DOH server operator). In theory, it shouldn't be necessary, that's what we already have DNSSEC for, to prevent tampering with DNS records. In practice, it's far from widespread, so you can't rely on it for most domains. And worse, nothing in common system actually cares about it. Web browsers, the OS itself, they couldn't care less about fake responses. Currently it's only configured resolver that possibly cares about DNSSEC and filters fake responses. But it has to be as close to you as possible, preferably within your own network. Public resolvers such as Google's care about DNSSEC too, but it doesn't help much, because between them and you, anyone (e.g. evil ISP) can still tamper with responses and nothing in your system will notice.
For SNI, people are working on encrypted SNI: https://stackshare.io/news/article/4247 ... rypted-sni
For non-secured HTTP, Google marks them as "non-secured" in Chrome since 68.
Re: Is Mozilla's new DNS feature really dangerous?
I have the distinct feeling that Mozilla is leaning much too heavily to the specific needs for the "TOR Browser".
Encrypted SNI is yet another piecemeal thing that isn't needed in normal situations. Everything that is done here is specifically to eliminate any "leaks" to the local network and trying to make the browser stealth except for an outbound tunnel, if used. It's nonsense for any other workflow.
Once more, none of this is needed or useful if you use a VPN (or any other encapsulation protocol) tunnel to tunnel your way out of what you consider an untrusted local network. Even a web proxy over https will already completely bypass the need for any of these service-based encryptions/cloaking methods.
Also, from a censorship perspective, all these efforts can be thwarted with a few simple firewall/DNS rules (How will the browser connect to the TRR or ESNI server? It will have to look up the trr/esni host first... What will be used for that? The local DNS server. In fact, it will immediately give positive confirmation that you are bypassing/breaking regulations if your browser does this lookup to specialized servers only used for these services...)
Then, note the IETF draft disclaimer, everyone is jumping the gun.
DISCLAIMER: This is very early a work-in-progress design and has not
yet seen significant (or really any) security analysis. It should
not be used as a basis for building production systems.