A Windows XP help forum. PCbanter


Firefox secure DNS?
  #1  
Old June 2nd 20, 01:11 PM posted to alt.windows7.general,alt.comp.os.windows-10
Yousuf Khan[_2_]

https://support.mozilla.org/en-US/kb...dns-over-https

Would you trust this? It seems like it's just randomly ignoring your own
DNS server and choosing its own!

Yousuf Khan
  #2  
Old June 2nd 20, 01:39 PM posted to alt.windows7.general,alt.comp.os.windows-10
Neil

On 6/2/2020 8:11 AM, Yousuf Khan wrote:
> https://support.mozilla.org/en-US/kb...dns-over-https
>
> Would you trust this? It seems like it's just randomly ignoring your own
> DNS server and choosing its own!
>
>     Yousuf Khan


I'm not sure what you mean by "...your own DNS server...", but there is
not much of a way that one can evaluate the "security" of a DNS server
anyway. Most users don't change the DNS server that is "chosen" by their
ISP, and the relatively few that select a different DNS server aren't
likely choosing it on the basis of security.

All that said, Mozilla has to be careful what they provide to their
customers like any other business, because the consequences are significant.

--
best regards,

Neil
  #3  
Old June 2nd 20, 01:43 PM posted to alt.windows7.general,alt.comp.os.windows-10
Mayayana

"Yousuf Khan" wrote

| https://support.mozilla.org/en-US/kb...dns-over-https
|
| Would you trust this? It seems like it's just randomly ignoring your own
| DNS server and choosing its own!
|

To me it seems like a potential improvement. On the
other hand, why let your browser do the DNS calls?
Why trust Mozilla, in the pocket of Google? There are
other options. I'm using Unbound. The authors call it
a "recursive DNS server". It could also be regarded as
a proxy. It runs as a service, taking over DNS queries
from Windows, and can be set up with either a default
DNS server or a top-down search. I'm not an expert
on this, but apparently there's a hierarchy. A DNS server
calls "root" servers that return the server handling
the IP in question. The server is then queried. Unbound
handles all of that and seems to be highly regarded. A
plain DNS proxy would query your pre-selected choice of
servers.

So Windows doesn't get your web traffic history. Nor
does your browser. And Unbound can also be used with
a wildcard-supporting HOSTS file. Also, with the DNS
being done independently I don't have to update to
Mozilla's latest travesty and I can use it on XP.

Downsides: Like so much OSS, Unbound lacks docs and
is devilishly tricky to set up. Also, their version of a
HOSTS file is inexplicably convoluted. I had to write a
VBScript to convert my HOSTS file to the Unbound version.
Example:

127.0.0.1 www.mozilla.com

local-zone: "mozilla.com" redirect
local-data: "mozilla.com A 0.0.0.0"

The Unbound version allows me to block all of mozilla.com,
not just www, but it's senselessly complicated and not
compatible with normal HOSTS.

For a long time I was using Acrylic DNS proxy, which is much
easier to set up and works well. It also has a normal HOSTS
file that supports wildcards. However, it has limited support
for DNS over HTTPS. I don't remember the details offhand, but
I seem to remember that it only supports a method that most
DNS servers do not support.
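The HOSTS-to-Unbound conversion described above, worked in Python as an added example (not the VBScript from the post and not Unbound's own code). It turns HOSTS block entries into the local-zone/local-data pairs shown, and can optionally emit the use-application-dns.net canary zone that Firefox checks before enabling DoH by default; the sample HOSTS content and the always_nxdomain zone type are assumptions of this example.

```python
"""Convert a classic HOSTS blocklist into Unbound local-zone / local-data lines.

Constructed example for this thread, not Mayayana's VBScript. It assumes
Unbound's documented local-zone types 'redirect' (answer the zone and every
name below it from local-data) and 'always_nxdomain' (return NXDOMAIN for
the zone and everything below it).
"""
import ipaddress

# Addresses a HOSTS blocklist conventionally uses to mean "block this name".
BLOCK_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

# Loopback names found at the top of most HOSTS files; never treat as blocks.
SKIP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
              "ip6-localhost", "ip6-loopback"}

# Firefox's canary domain: an NXDOMAIN answer for this name tells Firefox to
# leave its default DoH rollout off behind that resolver (an explicit user
# choice of network.trr.mode is not overridden by the canary).
FIREFOX_CANARY = "use-application-dns.net"


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, so not a HOSTS entry
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host not in SKIP_NAMES:
                yield ip, host


def hosts_to_unbound(text, sink="0.0.0.0", strip_www=True, disable_doh_canary=False):
    """Return Unbound config lines equivalent to a HOSTS file.

    Block entries become a 'redirect' zone plus local-data, which also covers
    every subdomain (the thread's mozilla.com example); with strip_www a
    leading 'www.' is dropped so the whole domain is blocked. Other entries
    become plain static local-data records.
    """
    lines, seen = [], set()
    for ip, host in parse_hosts(text):
        if ip in BLOCK_SINKS:
            zone = host[4:] if strip_www and host.startswith("www.") else host
            if zone in seen:
                continue  # blocklists often list both www. and the bare name
            seen.add(zone)
            lines.append(f'local-zone: "{zone}" redirect')
            lines.append(f'local-data: "{zone} A {sink}"')
        else:
            rtype = "AAAA" if ":" in ip else "A"
            lines.append(f'local-data: "{host} {rtype} {ip}"')
    if disable_doh_canary:
        lines.append(f'local-zone: "{FIREFOX_CANARY}" always_nxdomain')
    return lines


# Constructed sample HOSTS content, not a real blocklist.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1   localhost
127.0.0.1   www.mozilla.com
0.0.0.0     mozilla.com      # same zone as above
192.0.2.10  intranet.example.test
2001:db8::5 v6.example.test
"""

if __name__ == "__main__":
    print("\n".join(hosts_to_unbound(SAMPLE_HOSTS, disable_doh_canary=True)))
```

The canary line only affects Firefox installs still on the default DoH setting; a user who set network.trr.mode to 2 or 3 by hand keeps DoH on.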



  #4  
Old June 2nd 20, 02:15 PM posted to alt.windows7.general,alt.comp.os.windows-10
nospam

In article , Neil
wrote:

> On 6/2/2020 8:11 AM, Yousuf Khan wrote:
>> https://support.mozilla.org/en-US/kb...dns-over-https
>>
>> Would you trust this? It seems like it's just randomly ignoring your own
>> DNS server and choosing its own!
>
>
> I'm not sure what you mean by "...your own DNS server...", but there is
> not much of a way that one can evaluate the "security" of a DNS server
> anyway. Most users don't change the DNS server that is "chosen" by their
> ISP, and the relatively few that select a different DNS server aren't
> likely choosing it on the basis of security.


just about everyone who changes dns servers does so for security,
mostly because they don't want their isp monitoring and tracking them
as well as be stuck using a dns server that is non-compliant and shows
ads.

> All that said, Mozilla has to be careful what they provide to their
> customers like any other business, because the consequences are significant.


no different than any other company.
  #5  
Old June 2nd 20, 03:32 PM posted to alt.windows7.general,alt.comp.os.windows-10
Brian Gregory[_2_]

On 02/06/2020 13:11, Yousuf Khan wrote:
> https://support.mozilla.org/en-US/kb...dns-over-https
>
> Would you trust this? It seems like it's just randomly ignoring your own
> DNS server and choosing its own!



If you look further down that page it does imply that they will try to
detect cases where it would be inappropriate to change to a different
DNS server. (I think mainly if you use a DNS server that doesn't resolve
some malware or adult domains).

But I'd say it's still a good idea for admins of networks that use such
DNS based protection to set network.trr.mode to 5.

--
Brian Gregory (in England).
  #6  
Old June 2nd 20, 09:32 PM posted to alt.windows7.general,alt.comp.os.windows-10
Yousuf Khan[_2_]

On 6/2/2020 8:39 AM, Neil wrote:
> I'm not sure what you mean by "...your own DNS server...", but there is
> not much of a way that one can evaluate the "security" of a DNS server
> anyway. Most users don't change the DNS server that is "chosen" by their
> ISP, and the relatively few that select a different DNS server aren't
> likely choosing it on the basis of security.


Well, I have changed mine to Google's and the 1.1.1.1 public DNS
services a long time ago, already. Plus I'm using a VPN, which does
encrypt DNS requests up to the point of the VPN server. Beyond the point of
the VPN, I don't really care if it's encrypted or not, as at that point
nobody can tell where it's coming from.

> All that said, Mozilla has to be careful what they provide to their
> customers like any other business, because the consequences are
> significant.


My worry is that Mozilla will at some point sell these DNS requests to
commercial interests, doing exactly the opposite of what they say they
are doing.

Yousuf Khan
  #7  
Old June 2nd 20, 10:46 PM posted to alt.windows7.general,alt.comp.os.windows-10
Mayayana

"Yousuf Khan" wrote

| Well, I have changed mine to Google's and the 1.1.1.1 public DNS
| services a long time ago, already. Plus I'm using a VPN, which does
| encrypt DNS requests up to the point of the VPN server.

I don't know much about VPN, but I wouldn't assume
it's also handling DNS. Typically, Windows handles DNS
resolution. I'm not sure of details, but I think the program
would call something like gethostbyname in the winsock
library. Presumably if a 3rd-party program has its own
functions it would still respect your choice of DNS server
in the network settings, but there's no reason they'd have
to, just as Mozilla are now doing.

I guess it depends on how you connect to the VPN.


  #8  
Old June 2nd 20, 11:02 PM posted to alt.windows7.general,alt.comp.os.windows-10
VanguardLH[_2_]

Yousuf Khan wrote:

> https://support.mozilla.org/en-US/kb...dns-over-https
>
> Would you trust this? It seems like it's just randomly ignoring your own
> DNS server and choosing its own!


It doesn't ignore your choice of DNS server (configured as part of your
IPv4/IPv6 configuration unless you leave it to use DHCP which then uses
whatever DNS server your ISP wants you to use). DoH (DNS over HTTPS)
doesn't use your DNS server at all. It uses the one you specify in the
config of Firefox.

Have you researched DoH at all? DNS requests are sent in the clear.
Anyone, including your ISP, that can intercept your network traffic can
see to where you are visiting by interrogating the DNS traffic. Rare
few sites use IP addresses for lookup. They use hostnames. Humans like
names. Computers demand IP addresses hence the need for DNS.

Some users don't like that their ISP can track their web surfing. Some will
use VPNs. Some use Tor. However, both mean you are shifting trust
from your ISP to some unknown operator of the entry and exit nodes.
With VPNs, the same operator owns both the entry and exit nodes. With
Tor, you don't know who is operating the entry and exit nodes, so you
can only hope they aren't managed by the same operator. The FBI
operates many of their own Tor nodes.

Because DoH works using encryption for the DNS traffic, anyone snooping
on your network traffic cannot see to which hostnames you are getting
their IP addresses. Of course, anyone snooping on you can still see the
subsequent traffic and their IP addresses. Yes, you can use encryption
with VPN or Tor, but you're merely moving the trust (or distrust) to yet
another entity.

You can specify whosever DoH server you want. You can use the default
in Firefox of using Cloudflare (not Mozilla, but a CDN that also
operates a DNS service). To use DoH requires both your client and the
DNS server support DoH. If you know of some other DoH server you want
to use then go ahead and specify that one. Of course, just like with
VPN and Tor, you are trusting someone else with your DNS queries. After
all, unless you are planning to be your own ISP and contract with the
backbones for Internet traffic or, for this issue, operate your own DNS
server, you will always be trusting someone else with your traffic
either as to where you go or what it contains.

I already have 3 DNS providers configured for my IPv4 and IPv6
configurations: Cloudflare first, Google second, and my router third
(which uses DHCP to have my ISP tell it what DNS server to use). So,
configuring Firefox to switch from normal DNS to DoH was an easy choice
because I was already using Cloudflare as my primary DNS provider.

There is nothing random about using a DoH server. Either you are using
one or you aren't, not some mix of sometimes. Once Firefox is
configured to use a DoH server, for all DNS requests it issues (like all
those resources in the web pages you visit that specify hostnames
instead of hardcoding in IP addresses), that's the only DNS server it
uses thereafter, except its DNS traffic is encrypted. You obviously
already trust a DNS server whether it is whatever one your ISP gave you
via DHCP or the one you configured in your IPv4/v6 configuration. So,
why not trust the same DNS providers again with your DNS traffic but use
those that can encrypt your DNS traffic?

I've experienced no slowdown with the overhead of encryption atop the
DNS traffic. You can view one person's compilation of DoH servers to
see which you want to use. Alas, unlike IPv4/IPv6 configuration where
you can specify up to 4 DNS servers in order of priority to overcome
routing or server outages, Firefox lets you configure only one DoH
server. I've yet to encounter an outage of Cloudflare's DNS servers or
getting a route to them with a bad host as a hop from me to them.

https://dnsprivacy.org/wiki/display/...blic+Resolvers

While I am on Google Chrome v83 which is the first version where Google
is offering a DoH config option, only some users are getting that
option. I'm not yet one of them. In chrome:flags, search on "dns", I
don't yet have the experimental "Secure DNS lookups" option. I tend to
shy away from using flags in Chrome, because Google giveth and taketh
away. You get to rely on a flag and then it either disappears (that you
wanted to use) or becomes a permanent feature (which you may not want).

https://www.howtogeek.com/660088/how...google-chrome/

When Google gets around to adding DNS over HTTPS as a standard user
configurable option then I'll configure Chrome to use Cloudflare. I
would still like the old feature of specifying multiple DNS servers for
recovery in case of outage or unreachability.

DNS over HTTPS isn't just available in Firefox. All the major web
browser vendors have it or are planning to have it. See:

https://www.zdnet.com/article/dns-ov...sp-opposition/

I can see some companies that censor their employees' traffic, like to
where they can connect, won't like DoH. The DNS traffic is encrypted,
so the company cannot see the DNS request the user is issuing to the DNS
server. However, if companies are throttling their employees' traffic,
they should be enforcing their workstations to use the company's DNS
server. All other DNS traffic passing across their network to reach an
outside DNS server should get blocked. With the DNS request wrapped
in an encrypted HTTPS connection, the company can still see to where (by IP
address) the traffic is going. If it goes to an outside DNS service
(which are well known), they could block it. When employees complain
they cannot connect to any sites, the IT folks should push the client's
config to use the company's DNS server (which is probably done anyway
via domain policies when the user logs into the company's PDC).

Mozilla got nominated as the "2019 villain of the year". See
https://www.theregister.com/2020/05/...gle_chrome_83/. Yeah, that's
because those who want to monitor and throttle network traffic, like at
companies that want to ensure they don't get compromised by their
employees (by reputation or visiting "bad" sites) or otherwise want some
oversight over where their employees connect, are bitching because DoH
means more work for them (although a simple block-all-DoH would work).
If they censor, like using Websense, DoH has no effect. DNS just gives
the user the IP address for a site, and Websense can still censor by
where the employee intends to connect.

For individuals, DoH adds more privacy. For companies, it's a headache.
Are you an IT sysadmin that needs to figure out how to pry on where the
employees are connecting (well, actually to where they intend to connect
since the DNS response returns an IP address which is what the web
client actually uses to make a connection)?
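The network-side check described above (plain DNS only to the company resolver, and HTTPS to well-known public resolver addresses treated as probable DoH), as an added example written for this thread rather than any product's detection logic. The flow-log format, the internal resolver address 10.0.0.53 and the sample log lines are constructed; the public resolver addresses are Cloudflare's and Google's documented ones.

```python
"""Flag workstation flows that bypass the corporate resolver.

Constructed example for this thread, not any product's detection logic.
Assumes a simplified flow-log format "src dst dport proto" and a site-chosen
list of well-known public resolver addresses.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed internal resolver address; replace with the site's own.
CORPORATE_RESOLVERS = {"10.0.0.53"}

# Public resolvers named in the thread (Cloudflare 1.1.1.1, Google 8.8.8.8)
# plus their documented secondary addresses. DoH to these goes over TCP/443,
# so the looked-up hostname is hidden but the resolver's IP address is not.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}


def parse_flows(text):
    """Parse 'src dst dport proto' lines into Flow records, skipping junk."""
    flows = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        flows.append(Flow(fields[0], fields[1], int(fields[2]), fields[3].lower()))
    return flows


def classify(flow):
    """Return a finding label for one flow, or None if it looks legitimate.

    Plain DNS (port 53) is only allowed to the corporate resolver. For DoH the
    payload is encrypted, so the only usable signal at the network layer is an
    HTTPS connection to a known public resolver address; DoH to an unlisted
    resolver is indistinguishable from ordinary web traffic with this check,
    which is why the thread's advice to push the browser setting still applies.
    """
    if flow.dport == 53 and flow.dst not in CORPORATE_RESOLVERS:
        return "plain-dns-to-external-resolver"
    if flow.dport == 443 and flow.dst in KNOWN_PUBLIC_RESOLVERS:
        return "probable-doh-to-public-resolver"
    return None


def findings(text):
    """Return [(src, dst, label)] for every flagged flow in a log."""
    out = []
    for flow in parse_flows(text):
        label = classify(flow)
        if label:
            out.append((flow.src, flow.dst, label))
    return out


# Constructed sample log: 10.0.1.20 behaves, 10.0.1.21 bypasses the resolver.
SAMPLE_LOG = """\
10.0.1.20 10.0.0.53 53 udp
10.0.1.20 192.0.2.80 443 tcp
10.0.1.21 8.8.8.8 53 udp
10.0.1.21 1.1.1.1 443 tcp
garbage line
"""

if __name__ == "__main__":
    for src, dst, label in findings(SAMPLE_LOG):
        print(f"{src} -> {dst}: {label}")
```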

  #9  
Old June 2nd 20, 11:11 PM posted to alt.windows7.general,alt.comp.os.windows-10
VanguardLH[_2_]

Mayayana wrote:

> "Yousuf Khan" wrote
>
> | https://support.mozilla.org/en-US/kb...dns-over-https
> |
> | Would you trust this? It seems like it's just randomly ignoring your own
> | DNS server and choosing its own!
> |
>
> To me it seems like a potential improvement. On the
> other hand, why let your browser do the DNS calls?
> Why trust Mozilla, in the pocket of Google?


Neither Mozilla nor Google is involved in the DNS traffic unless *you*
specify their DNS servers in your IPv4/IPv6 configuration. Even if you
don't specify static DNS assignments to the servers you want to use,
your ISP with its DHCP server is going to point you at their DNS server,
not at one operated by Mozilla or Google.

The DNS request goes direct from web client to DNS server. There is no
middleman involved. Neither Mozilla nor Google is getting your DNS traffic.
However, since DNS requests are sent in the clear (they are not
encrypted), a MITM attack could substitute the DNS response with one
from the hacker to send you elsewhere. DoH encrypts the DNS traffic,
making it very difficult for a MITM attack to substitute (poison) the
DNS traffic between you and your choice of DNS server.

Not sure why you thought Mozilla or Google ever got any of your DNS
traffic. The client issues the DNS request, connects to the specified
DNS server, and the DNS traffic with the response (hostname converted to
IP address) comes back to you. The encryption with DoH means that neither your
ISP, nor any hop in the route between you and the DNS server, nor a hacker can
intercept or corrupt the DNS traffic.

Whatever DNS server *you* configure the OS or web client to use will
obviously be an entity you are trusting with where you web surf. Seems
you were already trusting your ISP with your DNS requests, or whomever
you specified for DNS assignment in your IPv4/IPv6 configurations. DoH
just makes your DNS traffic more secure and more private (which is why
companies that want to oversee their employees' traffic don't like DoH,
but then that is still just DNS and the user still uses an IP address to
connect to the other endpoint, so censoring will still work).
  #10  
Old June 3rd 20, 01:25 AM posted to alt.windows7.general,alt.comp.os.windows-10
Mayayana

"VanguardLH" wrote

| Mozilla nor Google aren't involved in the DNS traffic unless *you*
| specify their DNS servers in your IPv4/IPv6 configuration. Even if you
| don't specify static DNS assignments to the servers you want to use,
| your ISP with its DHCP server is going to point you at their DNS server,
| not at one operated by Mozilla or Google.
|

That's what this discussion is all about. Mozilla
is introducing DNS over HTTPS for Firefox. In that
scenario they pick the DNS server or give you some
to choose from. When you type in acme.com, FF will
encrypt it and perform the DNS lookup.

The idea of DNS over HTTPS makes sense. It means
no entity online can see the sites you go to, since
most sites are also encrypted. So your Web traffic
is all encrypted.

The question that Yousuf Khan
has is whether it's a good idea to hand that
functionality over to Mozilla. (Or Microsoft Edge,
for that matter.) Personally I block most
of the Mozilla domains and remove their URLs from
about:config. I think they're altogether too
intrusive. But the average person is letting them
track in numerous ways.


  #11  
Old June 3rd 20, 01:54 AM posted to alt.windows7.general,alt.comp.os.windows-10
VanguardLH[_2_]

Mayayana wrote:

> That's what this discussion is all about. Mozilla is introducing DNS
> over HTTPS for Firefox. In that scenario they pick the DNS server or
> give you some to choose from. When you type in acme.com, FF will
> encrypt it and perform the DNS lookup.


Actually DoH has been in Firefox for a couple months. As I recall, I
enabled it before the Covid pandemic. Firefox's config has the
following choices:

Cloudflare
NextDNS
Custom

None of those are operated by Mozilla, especially the custom choice.
Having the option to use a DoH server is not Mozilla making you use
their server. Your statement "Why trust Mozilla, in the pocket of
Google?" infers that Mozilla is somehow involved in the DNS requests
from Firefox.

Since Mozilla discontinued getting revenue from searches, and since
Mozilla still refuses to switch to Google's Blink engine (while
Microsoft has), just how is Mozilla in Google's pocket?

> The idea of DNS over HTTPS makes sense. It means no entity online can
> see the sites you go to, since most sites are also encrypted. So your
> Web traffic is all encrypted.


Actually no one can see your DNS traffic which has your end asking for a
lookup on a hostname to get back an IP address, but then your client is
going to use that IP address to connect somewhere. So, anyone hacking
or logging your traffic can still see to where you go (after the DNS
request is completed). Encrypting your DNS traffic doesn't hide to
where you connect.

> The question that Yousuf Khan has is whether it's a good idea to hand
> that functionality over to Mozilla.


None of the "functionality" (DNS lookups) is getting handed to Mozilla.
Mozilla doesn't get to track any of your DNS requests. Those go to
whomever *you* chose as your DoH server. Mozilla is not operating some
type of interceding proxy to look at your DNS traffic (unlike Opera that
still sends some searches through their own proxy even if you disable
that VPN-like function).
  #12  
Old June 3rd 20, 06:30 AM posted to alt.windows7.general,alt.comp.os.windows-10
Yousuf Khan[_2_]

On 6/2/2020 5:46 PM, Mayayana wrote:
> "Yousuf Khan" wrote
>
> | Well, I have changed mine to Google's and the 1.1.1.1 public DNS
> | services a long time ago, already. Plus I'm using a VPN, which does
> | encrypt DNS requests up to the point of the VPN server.
>
> I don't know much about VPN, but I wouldn't assume
> it's also handling DNS. Typically, Windows handles DNS
> resolution. I'm not sure of details, but I think the program
> would call something like gethostbyname in the winsock
> library. Presumably if a 3rd-party program has its own
> functions it would still respect your choice of DNS server
> in the network settings, but there's no reason they'd have
> to, just as Mozilla are now doing.
>
> I guess it depends on how you connect to the VPN.


Once you have a VPN, everything goes through the VPN. The VPN becomes
your default router. Just like everything goes through a regular default
router, including DNS, a VPN default router will also route DNS calls.

Yousuf Khan
  #13  
Old June 3rd 20, 11:53 AM posted to alt.windows7.general,alt.comp.os.windows-10
Neil

On 6/2/2020 4:32 PM, Yousuf Khan wrote:
> On 6/2/2020 8:39 AM, Neil wrote:
>> I'm not sure what you mean by "...your own DNS server...", but there
>> is not much of a way that one can evaluate the "security" of a DNS
>> server anyway. Most users don't change the DNS server that is "chosen"
>> by their ISP, and the relatively few that select a different DNS
>> server aren't likely choosing it on the basis of security.
>
>
> Well, I have changed mine to Google's and the 1.1.1.1 public DNS
> services a long time ago, already. Plus I'm using a VPN, which does
> encrypt DNS requests up to the point of the VPN server. Beyond the point of
> the VPN, I don't really care if it's encrypted or not, as at that point
> nobody can tell where it's coming from.
>
>> All that said, Mozilla has to be careful what they provide to their
>> customers like any other business, because the consequences are
>> significant.
>
>
> My worry is that Mozilla will at some point sell these DNS requests to
> commercial interests, doing exactly the opposite of what they say they
> are doing.
>
>     Yousuf Khan


Your VPN is unrelated to the DNS question you raised because a VPN still
uses the same DNS.

There is no way for the end user to know whether a DNS provider will
track and sell your usage, but I can't imagine a more likely
organization to do such a thing than Google. If you're comfortable with
their DNS, don't worry about others! ;-)

--
best regards,

Neil
  #14  
Old June 3rd 20, 01:23 PM posted to alt.windows7.general,alt.comp.os.windows-10
nospam

In article , Yousuf Khan
wrote:

> On 6/2/2020 5:46 PM, Mayayana wrote:
>> I don't know much about VPN, but I wouldn't assume
>> it's also handling DNS. Typically, Windows handles DNS
>> resolution. I'm not sure of details, but I think the program
>> would call something like gethostbyname in the winsock
>> library. Presumably if a 3rd-party program has its own
>> functions it would still respect your choice of DNS server
>> in the network settings, but there's no reason they'd have
>> to, just as Mozilla are now doing.
>>
>> I guess it depends on how you connect to the VPN.
>
>
> Once you have a VPN, everything goes through the VPN. The VPN becomes
> your default router. Just like everything goes through a regular default
> router, including DNS, a VPN default router will also route DNS calls.


not always. dns can sometimes leak, or the vpn can be set up for split
tunneling.
  #15  
Old June 3rd 20, 05:35 PM posted to alt.windows7.general,alt.comp.os.windows-10
Yousuf Khan[_2_]

On 6/3/2020 8:23 AM, nospam wrote:
> In , Yousuf Khan
> wrote:
>> Once you have a VPN, everything goes through the VPN. The VPN becomes
>> your default router. Just like everything goes through a regular default
>> router, including DNS, a VPN default router will also route DNS calls.
>
> not always. dns can sometimes leak, or the vpn can be set up for split
> tunneling.


Well, split routing is for internal VPN setups, for example when you use
a VPN to access resources at your office from home. External VPNs are
just default routers.

As for DNS leaking, I suppose certain ISPs can set up a special private
LAN for all of their customers, through which they can access their DNS
through a non-routable private IP. The private IP LAN is a special
route which can't be rerouted by the VPN default routes. But I've never
seen any ISP using a private IP to access their DNS servers; they always
provide externally routable IPs for their DNS.

Yousuf Khan