#1
Firefox to enable DNS-over-HTTPS by default to US users
https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/ Firefox turns encrypted DNS on by default to thwart snooping ISPs https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/ I never really understood DNS' impact on privacy, where, I hope others can explain why this is a "good thing" for users of the Firefox browser on Windows and what we can do with our "other" web browsers... |
#2
On Wed, 26 Feb 2020 02:40:27 -0000 (UTC), Arlen Holder wrote:
| Firefox to enable DNS-over-HTTPS by default to US users
| https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/
| Firefox turns encrypted DNS on by default to thwart snooping ISPs
| https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/
| I never really understood DNS' impact on privacy, where I hope others can explain why this is a "good thing" for users of the Firefox browser on Windows and what we can do with our "other" web browsers...

The common DNS protocol doesn't encrypt DNS queries, so ISPs can monitor what sites users are trying to resolve (from host name to IP address) in order to connect to a site. This also means that ISPs can block connections to sites based on host names. With DNS over HTTPS, DNS queries are passed through a secure HTTP protocol, where all data are encrypted. ISPs won't be able to know what host names are being queried.
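To make JJ's point concrete, here is an added example (my own code, not from any poster, from Mozilla or from Cloudflare) that builds a DNS query in the standard RFC 1035 wire format, shows what an observer on the path can read from the query and from the reply, and then wraps the same message into the RFC 8484 GET form that DoH uses. The hostname, the resolver name and the returned address are constructed placeholders.

```python
from __future__ import annotations

import base64
import struct

# Constructed sample values (placeholders, not real hosts).
QNAME = "www.example.com"
RESOLVER = "doh.resolver.example"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: each part length-prefixed, terminated by a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """RFC 1035 wire-format query: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1; QDCOUNT=1
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Decode a name at pos, following RFC 1035 compression pointers; returns (name, next pos)."""
    parts, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            if end is None:
                end = pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        parts.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(parts), (end if end is not None else pos)


def observed_qname(packet: bytes) -> str:
    """What an on-path observer reads from a plaintext UDP/53 query: the question name."""
    return read_name(packet, 12)[0]


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echo the question, then one A record pointing back at it."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1; ANCOUNT=1
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def observed_answer(packet: bytes) -> tuple[str, str]:
    """From a plaintext reply the observer recovers both the name asked and the address returned."""
    name, pos = read_name(packet, 12)
    pos += 4                                           # skip QTYPE and QCLASS
    _, pos = read_name(packet, pos)                    # answer owner name (a pointer here)
    rtype, _, _, rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
    pos += 10
    if rtype != 1 or rdlen != 4:
        raise ValueError("sample only handles a single A record")
    return name, ".".join(str(b) for b in packet[pos:pos + 4])


def doh_token(qname: str) -> str:
    """RFC 8484 GET encoding: the wire query, base64url without padding. Transaction ID is 0,
    as the RFC recommends, so identical questions produce identical cacheable URLs."""
    return base64.urlsafe_b64encode(build_query(qname, txid=0)).rstrip(b"=").decode("ascii")


def doh_get_request(qname: str, resolver_host: str) -> str:
    """The HTTP request that carries the query inside TLS; the path sees only a TLS session to
    resolver_host on port 443, not the dns= parameter."""
    return (f"GET /dns-query?dns={doh_token(qname)} HTTP/1.1\r\n"
            f"Host: {resolver_host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def decode_doh_token(token: str) -> str:
    """What only the DoH resolver, as the TLS peer, can recover from that request."""
    padded = token + "=" * (-len(token) % 4)
    return observed_qname(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    query = build_query(QNAME)
    print("plaintext query leaks:", observed_qname(query))
    print("plaintext reply leaks:", observed_answer(build_response(query, "192.0.2.10")))
    print(doh_get_request(QNAME, RESOLVER))
    print("resolver decodes:", decode_doh_token(doh_token(QNAME)))
```

The two halves show the trade JJ describes: on port 53 both the name and the answer are readable by anyone between the client and the resolver, while the DoH request puts the identical bytes inside an HTTPS session, so the only party that can decode the dns= parameter is the resolver the browser chose, which is why the later posts turn to the question of whether that resolver is trusted.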
#3
"JJ" wrote
| With DNS over HTTPS, DNS queries are passed through a secure HTTP protocol -
| where all data are encrypted. ISPs won't be able to know what host names are
| being queried.

Then the question is, do we trust Mozilla? Will Google want that data in exchange for their funding? And do we trust Cloudflare, the DNS server they're using?

I recently set up Unbound, which is a DNS resolver. It's a pain to set up. (OSS, no docs, the typical problems.) But it takes care of DNS over HTTPS. No need to trust Firefox. DNS is a system function that Firefox is offering to take over.

Unbound can also be set up to go to the top: Instead of always going to one DNS server it goes to the servers that hold the lists of servers. So it goes to server A and asks for the address of whatever server handles acme.com, then it goes to that server to get the Acme IP address. (I confess I'm not an expert on this. I don't know the term for the top-level servers.)

DNS over HTTPS is political protection in restricted countries like Iran or Russia or China. But in the US it's still relevant. Many ISPs will set their own servers as DNS. If they don't sell the data now, they may in the future. Net neutrality, so far, is not being supported. There's little support for limiting company spying to the expectations of common decency. And most in Congress don't even understand these issues. Of the ones who do, the majority favor allowing the rich to exploit the system. So it's up to us to enforce privacy to the extent that we can.

(I recently sent a letter to my senators about privacy issues. One is Ed Markey, who's among the most active and literate in terms of online issues. The other is Elizabeth Warren. I sent her a typed letter via postal mail, attempting to outline the growing risks of corporate surveillance, using simple examples like grocery store loyalty cards. I got back a generic response that began, "Thank you for your interest in gun control!"

Meanwhile, Markey is being threatened by a young Kennedy who thinks he deserves a crown for simply being a Kennedy, and Elizabeth Warren wants to be President. What's wrong with this picture? This is not fat cat plutocrats threatening the Web. It's Democrats, lying to us and battling each other!)
#4
On 2020-2-26 10:40, Arlen Holder wrote:
| Firefox to enable DNS-over-HTTPS by default to US users
| https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/
| Firefox turns encrypted DNS on by default to thwart snooping ISPs
| https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/
| I never really understood DNS' impact on privacy, where I hope others can explain why this is a "good thing" for users of the Firefox browser on Windows and what we can do with our "other" web browsers...

Firefox has abandoned XP. Aside from that, enabling DNS-over-HTTPS by default to US users, not Chinese users instead, is rather strange. It makes me think of the time Gtalk enabled encryption in the English version while doing plain-text communication in the Chinese version. What could that be for?

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA
#5
Lu Wei wrote:
| On 2020-2-26 10:40, Arlen Holder wrote:
| | Firefox to enable DNS-over-HTTPS by default to US users
| | https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/
| | Firefox turns encrypted DNS on by default to thwart snooping ISPs
| | https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/
| | I never really understood DNS' impact on privacy, where I hope others can explain why this is a "good thing" for users of the Firefox browser on Windows and what we can do with our "other" web browsers...
|
| Firefox has abandoned XP. Aside from that, enabling DNS-over-HTTPS by default to US users, not Chinese users instead, is rather strange. It makes me think of the time Gtalk enabled encryption in the English version while doing plain-text communication in the Chinese version. What could that be for?

The Great Firewall will block access to the CloudFlare server. The DNS address for the feature should be easy to block. Then the scheme won't work. Turning it on by default would mean the browser "would not work out of the box". This is hardly a desirable result, however well intentioned.

Paul
#6
On Wed, 26 Feb 2020 08:08:51 -0500, Mayayana wrote:
| Then the question is, do we trust Mozilla? Will Google want that data in exchange for their funding? And do we trust Cloudflare, the DNS server they're using?

Personally, I don't trust anything. But it's still better than Google's. And I have to use one, at least.

| I recently set up Unbound, which is a DNS resolver. It's a pain to set up. (OSS, no docs, the typical problems.) But it takes care of DNS over HTTPS. No need to trust Firefox. DNS is a system function that Firefox is offering to take over.

Unbound doesn't seem to support DoH according to its description on its official "About" web page, as well as Wikipedia; or maybe they don't mention it. But it's an encryption-only DNS resolver, so it's a good alternative for DoH. It also supports DNSCrypt, which I'm currently using. Worth a look.
#7
On Wed, 26 Feb 2020 10:45:29 -0500, Paul wrote:
| The Great Firewall will block access to the CloudFlare server.

Ugh. A lot of sites would be broken because of that. That... makes me wonder what it would be like browsing the net behind that Great Firewall. Is there any Chinese proxy I could use?
#8
"JJ" wrote
| Unbound doesn't seem to support DoH according to its description

I had to look that up. Turns out you're not referring to the Philippine Dept. of Health.

https://en.wikipedia.org/wiki/DNS_over_HTTPS

I don't understand their description, but I don't see anything there that seems to make DoH desirable. And they describe it as being generally unsupported at this point. But I'm no expert on this. I'd be happy to be educated.

You may have seen my exchange with Obiwan about Unbound. I had a hard time setting it up until he provided a template conf file. The docs for Unbound are pretty much non-existent for beginners. The config file is poorly designed. It's a typical OSS mess. But since I got it set up it's been flawless. It seems to be very highly regarded in institutional circles where it's used. And I tested with Smart Sniffer to make sure it's working. Yes. It works fine. All DNS is going over port 443, so there's no way to even identify it as a DNS call.

Obiwan was using the top level resolver, which I meant to set up but haven't as yet. With that your requests are at least spread around to different servers. I don't entirely understand it, but it seems to be something like if there were international servers to tell you what your friend's phone company is. So instead of calling Verizon, say, every time you need a number, you'd call a top-level server to find out what company your friend is with. Then the next step would be to call that company's information service. So you're not always calling the same source. Presumably, if you set up a primary DNS server then they end up doing those steps. So it sounds more complex, but is probably cutting out a middleman.

The other nice thing with Unbound is a kind of HOSTS file. On the down side, like the rest of Unbound, it's unnecessarily awkward and convoluted. You can't use regular HOSTS syntax. On the up side, you can use wildcards and block top-level domains. So something like doubleclick.net and doubleclick.com pretty much takes care of doubleclick.
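As an added illustration of the two Unbound features Mayayana describes here and in his earlier post (walking down from the top-level servers to the one that handles acme.com, and the HOSTS-like blocklist that covers a domain and everything under it, which Unbound calls a local-zone), the following simulation is my own code, not Unbound's, run over a constructed set of servers, names and addresses. It also goes one step beyond the post: with minimise=True it applies QNAME minimisation (RFC 7816, a feature Unbound supports), so each server on the way down is asked only for the part of the name it needs, which is what actually limits how much any one of those "spread around" servers learns.

```python
from __future__ import annotations

# Constructed stand-ins for the root, one TLD server and two authoritative servers.
# Hypothetical names and addresses, not real DNS infrastructure.
SERVERS = {
    "root": {"referrals": {"com": "tld.test", "net": "tld.test"}, "records": {}},
    "tld.test": {"referrals": {"acme.com": "ns1.acme.test", "doubleclick.net": "ns.dc.test"}, "records": {}},
    "ns1.acme.test": {"referrals": {}, "records": {"www.acme.com": "192.0.2.5"}},
    "ns.dc.test": {"referrals": {}, "records": {"ad.doubleclick.net": "198.51.100.9"}},
}


def suffixes(name: str) -> list[str]:
    """Suffixes of a name, shortest first: 'www.acme.com' -> ['com', 'acme.com', 'www.acme.com']."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def blocked_by_local_zone(qname: str, local_zones: set[str]) -> bool:
    """local-zone style match: an entry covers the zone itself and every name under it, so
    'doubleclick.net' also blocks 'ad.doubleclick.net', and a bare 'net' blocks the whole TLD."""
    return any(s in local_zones for s in suffixes(qname))


def resolve(qname: str, minimise: bool = False, local_zones: set[str] | None = None) -> dict:
    """Iterative resolution starting at the root, as a full resolver such as Unbound does it.
    Returns the answer plus a trace of (server asked, question that server saw)."""
    trace: list[tuple[str, str]] = []
    if local_zones and blocked_by_local_zone(qname, local_zones):
        # Answered locally: the name never leaves the machine, so no server sees it.
        return {"answer": "NXDOMAIN", "trace": trace}
    server, zone = "root", ""
    labels = qname.split(".")
    while True:
        if minimise:
            # RFC 7816 QNAME minimisation: send only one label below the zone this server serves
            depth = 0 if zone == "" else len(zone.split("."))
            question = ".".join(labels[max(0, len(labels) - depth - 1):])
        else:
            question = qname
        trace.append((server, question))
        data = SERVERS[server]
        if question == qname and qname in data["records"]:
            return {"answer": data["records"][qname], "trace": trace}
        # Follow the referral for the longest suffix this server knows a child zone for.
        cut = next((s for s in reversed(suffixes(qname)) if s in data["referrals"]), None)
        if cut is None or cut == zone:
            return {"answer": "NXDOMAIN", "trace": trace}
        server, zone = data["referrals"][cut], cut


if __name__ == "__main__":
    for kwargs in ({}, {"minimise": True}, {"local_zones": {"doubleclick.net"}}):
        for name in ("www.acme.com", "ad.doubleclick.net"):
            print(name, kwargs, resolve(name, **kwargs))
```

Reading the trace is the point: without minimisation every server on the chain, root included, receives the full hostname, so "spreading requests around" spreads the data as well; with minimisation the root learns only that you wanted something under com, and only the final authoritative server sees the whole name. The blocklist case is the privacy win Mayayana hints at: a name matched by a local zone is answered on the machine and never reaches any server.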
#9
On 2020-2-26 23:45, Paul wrote:
| | Firefox has abandoned XP. Aside from that, enabling DNS-over-HTTPS by default to US users, not Chinese users instead, is rather strange. It makes me think of the time Gtalk enabled encryption in the English version while doing plain-text communication in the Chinese version. What could that be for?
|
| The Great Firewall will block access to the CloudFlare server. The DNS address for the feature should be easy to block. Then the scheme won't work. Turning it on by default would mean the browser "would not work out of the box". This is hardly a desirable result, however well intentioned.

That seems a reasonable point, yet apart from CloudFlare there are quite a lot of DoH servers. I use dnscrypt-proxy to act as a local DoH server, which incorporates a list of hundreds of servers. Even if they were all blocked, Firefox could use normal DNS as a fall-back option (and give out a warning of course).

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA
#10
On 2020-2-27 17:57, JJ wrote:
| On Wed, 26 Feb 2020 10:45:29 -0500, Paul wrote:
| | The Great Firewall will block access to the CloudFlare server.
|
| Ugh. A lot of sites would be broken because of that. That... makes me wonder what it would be like browsing the net behind that Great Firewall. Is there any Chinese proxy I could use?

Slow, broken, frustrating. You won't like that.

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA
#11
In message , Mayayana writes:

| "JJ" wrote
| | Unbound doesn't seem to support DoH according to its description
|
| I had to look that up. Turns out you're not referring to the Philippine Dept. of Health.

It had been mentioned three lines earlier - in text quoted by JJ from, let me see ... ah yes ... (-:

[]

(OK, I'll admit I too wondered, when I saw it in JJ's post. But I found what it referred to, as I've said, in the same post three lines earlier.)

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

You can believe it if it helps you to sleep. - Quoted by Tom Lehrer (on religion, in passing), April 2013.
#12
John,
| However, the _address_ (URL) of the website is sent to the DNS in the clear,

Normally the domain name is also sent in the clear in the first data block of an (attempted) SSL handshake ... Afaik it /can/ be switched off*, but don't ask me how I would do that on my FireFox v52 browser (if anyone knows feel free to tell me).

*but that could create problems when, IIRC, the actual domain is on a shared hosting, or simply behind load-balancers and the like. In other words, it's not only the DNS request that needs to be updated.

Regards,
Rudy Wieser
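Rudy's point, that the domain name also travels in the clear at the start of the TLS handshake, as an added example (my own code, not from anyone in the thread): it builds a minimal ClientHello carrying the server_name (SNI) extension from RFC 6066 and then parses the hostname back out of the raw record, which is exactly what an observer on the path can do whether or not the DNS lookup went over HTTPS. The hostname is a constructed placeholder. Built without the extension, the parser returns None, which is the "switched off" situation his footnote describes: a server hosting several domains then has no name to pick a certificate by.

```python
from __future__ import annotations

import os
import struct

SERVER_NAME_EXT = 0x0000       # server_name extension type, RFC 6066
SUPPORTED_GROUPS_EXT = 0x000A  # an unrelated extension, included so the parser has to skip one


def build_client_hello(hostname: str | None) -> bytes:
    """Constructed TLS 1.2-style ClientHello record. hostname=None leaves the SNI extension out,
    the 'switched off' case from the post."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name         # name_type host_name(0)
        server_name_list = struct.pack(">H", len(entry)) + entry
        extensions += struct.pack(">HH", SERVER_NAME_EXT, len(server_name_list)) + server_name_list
    groups = struct.pack(">HHH", 4, 0x001D, 0x0017)                   # x25519, secp256r1
    extensions += struct.pack(">HH", SUPPORTED_GROUPS_EXT, len(groups)) + groups
    body = (b"\x03\x03" + os.urandom(32)                               # client_version, random
            + b"\x00"                                                  # empty session_id
            + struct.pack(">H", 4) + b"\x13\x01\xC0\x2F"               # two cipher suites
            + b"\x01\x00"                                              # compression: null only
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Read the server_name out of the first TLS record exactly as an on-path observer can:
    nothing in a ClientHello is encrypted. Returns None when the extension is absent."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                             # session_id
    (suites_len,) = struct.unpack(">H", record[pos:pos + 2])
    pos += 2 + suites_len
    pos += 1 + record[pos]                             # compression_methods
    if pos + 2 > len(record):
        return None                                    # no extensions block at all
    (ext_len,) = struct.unpack(">H", record[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == SERVER_NAME_EXT:
            # ServerNameList length (2), name_type (1), name length (2), then the name itself
            (name_len,) = struct.unpack(">H", record[pos + 3:pos + 5])
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")     # constructed placeholder hostname
    print("observer sees SNI:", extract_sni(hello))
    print("without SNI:", extract_sni(build_client_hello(None)))
```

The practical consequence for the thread's question is that encrypting the lookup closes one channel but not the other: a passive observer that can no longer read port 53 traffic can still read the hostname out of the very next packet the browser sends, so DoH on its own narrows what an ISP sees rather than hiding the sites visited.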