#1
Firefox secure DNS?
https://support.mozilla.org/en-US/kb...dns-over-https
Would you trust this? It seems like it's just randomly ignoring your own DNS server and choosing its own!

Yousuf Khan
#2
Firefox secure DNS?
On 6/2/2020 8:11 AM, Yousuf Khan wrote:
> https://support.mozilla.org/en-US/kb...dns-over-https
>
> Would you trust this? It seems like it's just randomly ignoring your own DNS server and choosing its own!
>
> Yousuf Khan

I'm not sure what you mean by "...your own DNS server...", but there is not much of a way that one can evaluate the "security" of a DNS server anyway. Most users don't change the DNS server that is "chosen" by their ISP, and the relatively few that select a different DNS server aren't likely choosing it on the basis of security.

All that said, Mozilla has to be careful what they provide to their customers like any other business, because the consequences are significant.

-- 
best regards,
Neil
#3
Firefox secure DNS?
"Yousuf Khan" wrote
| https://support.mozilla.org/en-US/kb...dns-over-https
|
| Would you trust this? It seems like it's just randomly ignoring your own
| DNS server and choosing its own!
|

To me it seems like a potential improvement. On the other hand, why let your browser do the DNS calls? Why trust Mozilla, in the pocket of Google? There are other options.

I'm using Unbound. The authors call it a "recursive DNS server". It could also be regarded as a proxy. It runs as a service, taking over DNS queries from Windows, and can be set up with either a default DNS server or a top-down search. I'm not an expert on this, but apparently there's a hierarchy. A DNS server calls "root" servers that return the server handling the IP in question. The server is then queried. Unbound handles all of that and seems to be highly regarded. A plain DNS proxy would query your pre-selected choice of servers.

So Windows doesn't get your web traffic history. Nor does your browser. And Unbound can also be used with a wildcard-supporting HOSTS file. Also, with the DNS being done independently I don't have to update to Mozilla's latest travesty and I can use it on XP.

Downsides: Like so much OSS, Unbound lacks docs and is devilishly tricky to set up. Also, their version of a HOSTS file is inexplicably convoluted. I had to write a VBScript to convert my HOSTS file to the Unbound version. Example:

    127.0.0.1 www.mozilla.com

    local-zone: "mozilla.com" redirect
    local-data: "mozilla.com A 0.0.0.0"

The Unbound version allows me to block all of mozilla.com, not just www, but it's senselessly complicated and not compatible with normal HOSTS.

For a long time I was using Acrylic DNS proxy, which is much easier to set up and works well. It also has a normal HOSTS file that supports wildcards. However, it has limited support for DNS over HTTPS. I don't remember the details offhand, but I seem to remember that it only supports a method that most DNS servers do not support.
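The VBScript converter mentioned in the post above was not shared; as an added example (not code from the thread), here is the same HOSTS-to-Unbound conversion in Python, following the local-zone/local-data shape of the mozilla.com example, run over a constructed sample HOSTS file. Keeping non-sink entries as exact-name local-data and leaving single-label names such as localhost alone are my own choices, not something the post specifies.

```python
import ipaddress

# Addresses a HOSTS file uses as a "sink" for names it wants to block.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def hosts_to_unbound(hosts_text):
    """Convert HOSTS lines to Unbound local-zone/local-data statements.

    Blocked names (sink address) become a redirect zone answering 0.0.0.0,
    which also covers every name below it; a leading "www." is dropped so
    the whole domain is blocked, as in the example above. Real host
    mappings are kept as plain local-data records for the exact name."""
    blocked, mapped = [], []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a HOSTS entry (stray text); skip it
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if "." not in name:
                continue  # single-label names such as "localhost" stay with the OS
            if str(addr) in SINK_ADDRESSES:
                if name.startswith("www."):
                    name = name[4:]
                if name not in blocked:
                    blocked.append(name)
            else:
                rrtype = "AAAA" if addr.version == 6 else "A"
                mapped.append((name, rrtype, str(addr)))
    out = []
    for zone in blocked:
        out.append(f'local-zone: "{zone}" redirect')
        out.append(f'local-data: "{zone} A 0.0.0.0"')
    for name, rrtype, addr in mapped:
        out.append(f'local-data: "{name} {rrtype} {addr}"')
    return "\n".join(out)


# Constructed sample HOSTS file (not the poster's real file).
SAMPLE_HOSTS = """\
# sample entries
127.0.0.1 localhost
127.0.0.1 www.mozilla.com
0.0.0.0 ads.example.net tracker.example.net   # trailing comment
192.0.2.10 printer.home.lan
"""

if __name__ == "__main__":
    print(hosts_to_unbound(SAMPLE_HOSTS))
```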
#4
Firefox secure DNS?
In article , Neil wrote:
> On 6/2/2020 8:11 AM, Yousuf Khan wrote:
>> https://support.mozilla.org/en-US/kb...dns-over-https
>>
>> Would you trust this? It seems like it's just randomly ignoring your own DNS server and choosing its own!
>
> I'm not sure what you mean by "...your own DNS server...", but there is not much of a way that one can evaluate the "security" of a DNS server anyway. Most users don't change the DNS server that is "chosen" by their ISP, and the relatively few that select a different DNS server aren't likely choosing it on the basis of security.

just about everyone who changes dns servers does so for security, mostly because they don't want their isp monitoring and tracking them as well as be stuck using a dns server that is non-compliant and shows ads.

> All that said, Mozilla has to be careful what they provide to their customers like any other business, because the consequences are significant.

no different than any other company.
#5
Firefox secure DNS?
On 02/06/2020 13:11, Yousuf Khan wrote:
> https://support.mozilla.org/en-US/kb...dns-over-https
>
> Would you trust this? It seems like it's just randomly ignoring your own DNS server and choosing its own!

If you look further down that page it does imply that they will try to detect cases where it would be inappropriate to change to a different DNS server. (I think mainly if you use a DNS server that doesn't resolve some malware or adult domains.)

But I'd say it's still a good idea for admins of networks that use such DNS based protection to set network.trr.mode to 5.

-- 
Brian Gregory (in England).
#6
Firefox secure DNS?
On 6/2/2020 8:39 AM, Neil wrote:
> I'm not sure what you mean by "...your own DNS server...", but there is not much of a way that one can evaluate the "security" of a DNS server anyway. Most users don't change the DNS server that is "chosen" by their ISP, and the relatively few that select a different DNS server aren't likely choosing it on the basis of security.

Well, I have changed mine to Google's and the 1.1.1.1 public DNS services a long time ago, already. Plus I'm using a VPN, which does encrypt DNS requests up to the point of the VPN server. Beyond the point of the VPN, I don't really care if it's encrypted or not, as at that point nobody can tell where it's coming from.

> All that said, Mozilla has to be careful what they provide to their customers like any other business, because the consequences are significant.

My worry is that Mozilla will at some point sell these DNS requests to commercial interests, doing exactly the opposite of what they say they are doing.

Yousuf Khan
#7
Firefox secure DNS?
"Yousuf Khan" wrote
| Well, I have changed mine to Google's and the 1.1.1.1 public DNS
| services long time ago, already. Plus I'm using a VPN, which does
| encrypt DNS requests upto the point of VPN server.

I don't know much about VPN, but I wouldn't assume it's also handling DNS. Typically, Windows handles DNS resolution. I'm not sure of details, but I think the program would call something like gethostbyname in the winsock library. Presumably if a 3rd-party program has its own functions it would still respect your choice of DNS server in the network settings, but there's no reason they'd have to, just as Mozilla are now doing. I guess it depends on how you connect to the VPN.
#8
Firefox secure DNS?
Yousuf Khan wrote:
> https://support.mozilla.org/en-US/kb...dns-over-https
>
> Would you trust this? It seems like it's just randomly ignoring your own DNS server and choosing its own!

It doesn't ignore your choice of DNS server (configured as part of your IPv4/IPv6 configuration unless you leave it to use DHCP which then uses whatever DNS server your ISP wants you to use). DoH (DNS over HTTPS) doesn't use your DNS server at all. It uses the one you specify in the config of Firefox.

Have you researched DoH at all? DNS requests are sent in the clear. Anyone, including your ISP, that can intercept your network traffic can see to where you are visiting by interrogating the DNS traffic. Rare few sites use IP addresses for lookup. They use hostnames. Humans like names. Computers demand IP addresses, hence the need for DNS. Some users don't like that their ISP can track their web surfing. Some will use VPNs. Some use Tor. However, both mean you are shifting trust from your ISP to some unknown operator of the entry and exit nodes. With VPNs, the same operator owns both the entry and exit nodes. With Tor, you don't know who is operating the entry and exit nodes, so you can only hope they aren't managed by the same operator. The FBI operates many of their own Tor nodes.

Because DoH works using encryption for the DNS traffic, anyone snooping on your network traffic cannot see to which hostnames you are getting their IP addresses. Of course, anyone snooping on you can still see the subsequent traffic and their IP addresses. Yes, you can use encryption with VPN or Tor, but you're merely moving the trust (or distrust) to yet another entity.

You can specify whosever DoH server you want. You can use the default in Firefox of using Cloudflare (not Mozilla, but a CDN that also operates a DNS service). To use DoH requires both your client and the DNS server support DoH. If you know of some other DoH server you want to use then go ahead and specify that one.

Of course, just like with VPN and Tor, you are trusting someone else with your DNS queries. After all, unless you are planning to be your own ISP and contract with the backbones for Internet traffic or, for this issue, operate your own DNS server, you will always be trusting someone else with your traffic either as to where you go or what it contains.

I already have 3 DNS providers configured for my IPv4 and IPv6 configurations: Cloudflare first, Google second, and my router third (which uses DHCP to have my ISP tell it what DNS server to use). So, configuring Firefox to switch from normal DNS to DoH was an easy choice because I was already using Cloudflare as my primary DNS provider.

There is nothing random about using a DoH server. Either you are using one or you aren't, not some mix of sometimes. Once Firefox is configured to use a DoH server, all DNS requests it issues (like all those resources in the web pages you visit that specify hostnames instead of hardcoding in IP addresses) go to that DNS server, the only one it uses thereafter, except its DNS traffic is encrypted. You obviously already trust a DNS server, whether it is whatever one your ISP gave you via DHCP or the one you configured in your IPv4/v6 configuration. So, why not trust the same DNS providers again with your DNS traffic but use those that can encrypt your DNS traffic? I've experienced no slowdown with the overhead of encryption atop of the DNS traffic.

You can view one person's compilation of DoH servers to see which you want to use. Alas, unlike IPv4/IPv6 configuration where you can specify up to 4 DNS servers in order of priority to overcome routing or server outages, Firefox lets you configure only one DoH server. I've yet to encounter an outage of Cloudflare's DNS servers or getting a route to them with a bad host as a hop from me to them.

https://dnsprivacy.org/wiki/display/...blic+Resolvers

While I am on Google Chrome v83, which is the first version where Google is offering a DoH config option, only some users are getting that option. I'm not yet one of them. In chrome:flags, search on "dns"; I don't yet have the experimental "Secure DNS lookups" option. I tend to shy away from using flags in Chrome, because Google giveth and taketh away. You get to rely on a flag and then it either disappears (that you wanted to use) or becomes a permanent feature (which you may not want).

https://www.howtogeek.com/660088/how...google-chrome/

When Google gets around to adding DNS over HTTPS as a standard user configurable option then I'll configure Chrome to use Cloudflare. I would still like the old feature of specifying multiple DNS servers for recovery in case of outage or unreachability.

DNS over HTTPS isn't just available in Firefox. All the major web browser vendors have it or are planning to have it. See: https://www.zdnet.com/article/dns-ov...sp-opposition/

I can see some companies that censor their employees' traffic, like to where they can connect, won't like DoH. The DNS traffic is encrypted, so the company cannot see the DNS request the user is issuing to the DNS server. However, if companies are throttling their employees' traffic, they should be enforcing their workstations to use the company's DNS server. All other DNS traffic passing across their network to reach an outside DNS server should get blocked. With the DNS request wrapped in an encrypted HTTPS connection, the company can still see to where (by IP address) the traffic is going. If it goes to an outside DNS service (which are well known), they could block it. When employees complain they cannot connect to any sites, the IT folks should push the client's config to use the company's DNS server (which is probably done anyway via domain policies when the user logs into the company's PDC).

Mozilla got nominated as the "2019 villain of the year". See https://www.theregister.com/2020/05/...gle_chrome_83/.

Yeah, that's because those who want to monitor and throttle network traffic, like at companies that want to ensure they don't get compromised by their employees (by reputation or visiting "bad" sites) or otherwise want some oversight over where their employees connect, are bitching because DoH means more work for them (although a simple block-all-DoH would work). If they censor, like using Websense, DoH has no effect. DNS just gives the user the IP address for a site, and Websense can still censor by where the employee intends to connect.

For individuals, DoH adds more privacy. For companies, it's a headache. Are you an IT sysadmin that needs to figure out how to pry on where the employees are connecting (well, actually to where they intend to connect, since the DNS response returns an IP address which is what the web client actually uses to make a connection)?
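To make the "sent in the clear" versus "wrapped in HTTPS" contrast above concrete, here is an added example (not code from the thread): the same DNS wire-format bytes a stub resolver would send unencrypted to UDP port 53 are built and encoded as the dns= parameter of an RFC 8484 GET to Cloudflare's public endpoint, and a constructed response is parsed. The response bytes and the 192.0.2.1 answer are sample data constructed for the example.

```python
import base64
import struct

# Cloudflare's public DoH endpoint, the default provider discussed above.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name, qtype=1, qid=0):
    """Build a DNS wire-format query (RFC 1035); qtype 1 = A record.

    Over plain DNS these exact bytes travel in a UDP datagram to port 53,
    readable by anyone on the path. RFC 8484 recommends ID 0 for DoH GET
    so identical queries produce identical URLs for HTTP caching."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """URL for an RFC 8484 GET: base64url of the query, '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return f"{endpoint}?dns={encoded.decode('ascii')}"


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_a_records(data):
    """Return [(name, ipv4, ttl)] for the A records in a DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _name, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


# Constructed sample response: QR/RD/RA flags, one answer whose owner name
# is a compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The URL produced for www.example.com matches the worked example in RFC 8484 section 4.1.1; on the wire only the TLS connection to the resolver's IP address is visible, which is why the post notes that a company can still block the well-known DoH endpoints by address.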
#9
Firefox secure DNS?
Mayayana wrote:
> "Yousuf Khan" wrote
> | https://support.mozilla.org/en-US/kb...dns-over-https
> |
> | Would you trust this? It seems like it's just randomly ignoring your own
> | DNS server and choosing its own!
> |
> To me it seems like a potential improvement. On the other hand, why let your browser do the DNS calls? Why trust Mozilla, in the pocket of Google?

Mozilla nor Google aren't involved in the DNS traffic unless *you* specify their DNS servers in your IPv4/IPv6 configuration. Even if you don't specify static DNS assignments to the servers you want to use, your ISP with its DHCP server is going to point you at their DNS server, not at one operated by Mozilla or Google.

The DNS request goes direct from web client to DNS server. There is no middleman involved. Mozilla nor Google is getting your DNS traffic. However, since DNS requests are sent in the clear (they are not encrypted), a MITM attack could substitute the DNS response with one from the hacker to send you elsewhere. DoH encrypts the DNS traffic making it very difficult for a MITM attack to substitute (poison) the DNS traffic between you and your choice of DNS server.

Not sure why you thought Mozilla or Google ever got any of your DNS traffic. The client issues the DNS request, connects to the specified DNS server, and the DNS traffic with the response (hostname converted to IP address) comes back to you. The encryption with DoH means your ISP or any hop in the route between you and the DNS server nor a hacker can intercept nor corrode the DNS traffic. Whatever DNS server *you* configure the OS or web client to use will obviously be an entity you are trusting with where you web surf. Seems you were already trusting your ISP with your DNS requests, or whomever you specified for DNS assignment in your IPv4/IPv6 configurations.

DoH just makes your DNS traffic more secure and more private (which is why companies that want to oversee their employees' traffic don't like DoH, but then that is still just DNS and the user still uses an IP address to connect to the other endpoint, so censoring will still work).
#10
Firefox secure DNS?
"VanguardLH" wrote
| Mozilla nor Google aren't involved in the DNS traffic unless *you*
| specify their DNS servers in your IPv4/IPv6 configuration. Even if you
| don't specify static DNS assignments to the servers you want to use,
| your ISP with its DHCP server is going to point you at their DNS server,
| not at one operated by Mozilla or Google.
|

That's what this discussion is all about. Mozilla is introducing DNS over HTTPS for Firefox. In that scenario they pick the DNS server or give you some to choose from. When you type in acme.com, FF will encrypt it and perform the DNS lookup.

The idea of DNS over HTTPS makes sense. It means no entity online can see the sites you go to, since most sites are also encrypted. So your Web traffic is all encrypted. The question that Yousuf Khan has is whether it's a good idea to hand that functionality over to Mozilla. (Or Microsoft Edge, for that matter.)

Personally I block most of the Mozilla domains and remove their URLs from about:config. I think they're altogether too intrusive. But the average person is letting them track in numerous ways.
#11
Firefox secure DNS?
Mayayana wrote:
> That's what this discussion is all about. Mozilla is introducing DNS over HTTPS for Firefox. In that scenario they pick the DNS server or give you some to choose from. When you type in acme.com, FF will encrypt it and perform the DNS lookup.

Actually DoH has been in Firefox for a couple months. As I recall, I enabled it before the Covid pandemic. Firefox's config has the following choices:

    Cloudflare
    NextDNS
    Custom

None of those are operated by Mozilla, especially the custom choice. Having the option to use a DoH server is not Mozilla making you use their server. Your statement "Why trust Mozilla, in the pocket of Google?" infers that Mozilla is somehow involved in the DNS requests from Firefox. Since Mozilla discontinued getting revenue from searches, and since Mozilla still refuses to switch to Google's Blink engine (while Microsoft has), just how is Mozilla in Google's pocket?

> The idea of DNS over HTTPS makes sense. It means no entity online can see the sites you go to, since most sites are also encrypted. So your Web traffic is all encrypted.

Actually no one can see your DNS traffic, which has your end asking for a lookup on a hostname to get back an IP address, but then your client is going to use that IP address to connect somewhere. So, anyone hacking or logging your traffic can still see to where you go (after the DNS request is completed). Encrypting your DNS traffic doesn't hide to where you connect.

> The question that Yousuf Khan has is whether it's a good idea to hand that functionality over to Mozilla.

None of the "functionality" (DNS lookups) is getting handed to Mozilla. Mozilla doesn't get to track any of your DNS requests. Those go to whomever *you* chose as your DoH server. Mozilla is not operating some type of interceding proxy to look at your DNS traffic (unlike Opera that still sends some searches through their own proxy even if you disable that VPN-like function).
#12
Firefox secure DNS?
On 6/2/2020 5:46 PM, Mayayana wrote:
> "Yousuf Khan" wrote
> | Well, I have changed mine to Google's and the 1.1.1.1 public DNS
> | services long time ago, already. Plus I'm using a VPN, which does
> | encrypt DNS requests upto the point of VPN server.
>
> I don't know much about VPN, but I wouldn't assume it's also handling DNS. Typically, Windows handles DNS resolution. I'm not sure of details, but I think the program would call something like gethostbyname in the winsock library. Presumably if a 3rd-party program has its own functions it would still respect your choice of DNS server in the network settings, but there's no reason they'd have to, just as Mozilla are now doing. I guess it depends on how you connect to the VPN.

Once you have a VPN, everything goes through the VPN. The VPN becomes your default router. Just like everything goes through a regular default router, including DNS, a VPN default router will also route DNS calls.

Yousuf Khan
#13
Firefox secure DNS?
On 6/2/2020 4:32 PM, Yousuf Khan wrote:
> On 6/2/2020 8:39 AM, Neil wrote:
>> I'm not sure what you mean by "...your own DNS server...", but there is not much of a way that one can evaluate the "security" of a DNS server anyway. Most users don't change the DNS server that is "chosen" by their ISP, and the relatively few that select a different DNS server aren't likely choosing it on the basis of security.
>
> Well, I have changed mine to Google's and the 1.1.1.1 public DNS services long time ago, already. Plus I'm using a VPN, which does encrypt DNS requests up to the point of the VPN server. Beyond the point of the VPN, I don't really care if it's encrypted or not, as at that point nobody can tell where it's coming from.
>
>> All that said, Mozilla has to be careful what they provide to their customers like any other business, because the consequences are significant.
>
> My worry is that Mozilla will at some point sell these DNS requests to commercial interests, doing exactly the opposite of what they say they are doing.
>
> Yousuf Khan

Your VPN is unrelated to the DNS question you raised because a VPN still uses the same DNS.

There is no way for the end user to know whether a DNS provider will track and sell your usage, but I can't imagine a more likely organization to do such a thing than Google. If you're comfortable with their DNS, don't worry about others! ;-)

-- 
best regards,
Neil
#14
Firefox secure DNS?
In article , Yousuf Khan wrote:
> On 6/2/2020 5:46 PM, Mayayana wrote:
>> I don't know much about VPN, but I wouldn't assume it's also handling DNS. Typically, Windows handles DNS resolution. I'm not sure of details, but I think the program would call something like gethostbyname in the winsock library. Presumably if a 3rd-party program has its own functions it would still respect your choice of DNS server in the network settings, but there's no reason they'd have to, just as Mozilla are now doing. I guess it depends on how you connect to the VPN.
>
> Once you have a VPN, everything goes through the VPN. The VPN becomes your default router. Just like everything goes through a regular default router, including DNS, a VPN default router will also route DNS calls.

not always. dns can sometimes leak, or the vpn can be set up for split tunneling.
#15
Firefox secure DNS?
On 6/3/2020 8:23 AM, nospam wrote:
> In , Yousuf Khan wrote:
>> Once you have a VPN, everything goes through the VPN. The VPN becomes your default router. Just like everything goes through a regular default router, including DNS, a VPN default router will also route DNS calls.
>
> not always. dns can sometimes leak, or the vpn can be set up for split tunneling.

Well, split routing is for internal VPN setups, for example when you use a VPN to access resources at your office from home. External VPNs are just default routers.

As for DNS leaking, I suppose certain ISPs can set up a special private LAN for all of their customers, through which they can access their DNS through a non-routable private IP. The private IP LAN is a special route which can't be rerouted by the VPN default routes. But I've never seen any ISP using a private IP to access their DNS servers; they always provide externally routable IPs for their DNS.

Yousuf Khan