Mozilla rolls out DNS over HTTPS for users in the US: on by default
Firefox users in the United States will have the web browser's DNS over HTTPS feature enabled by default in the coming weeks. Starting today, Mozilla is rolling out the feature to users in the United States and making it available to users worldwide. The core difference is that DNS over HTTPS will be enabled for US users of the browser, while it will default to off for everyone else.
DNS over HTTPS is currently being tested or introduced in major desktop browsers and operating systems. Microsoft plans to integrate the feature natively into Windows 10, and companies like Google or Opera Software have started to test it in their web browsers.
It encrypts DNS traffic so that eavesdroppers on the network can no longer use the lookups to determine which websites a user visits, and so that malicious actors can no longer manipulate those lookups in transit.
We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.
Mozilla revealed plans in 2019 to roll out DNS over HTTPS to users in the US that same year. The rollout was delayed, but Mozilla is finally ready to start it.
Firefox users who want to change the DNS over HTTPS configuration in the web browser may consult our DNS over HTTPS guide for Firefox to do so.
If you just want a quick on/off guide, here it is:
- Load about:preferences#general in the web browser's address bar.
- Scroll down to Network Settings and activate the Settings button to open the network configuration.
- Scroll down on the page and check the "Enable DNS over HTTPS" option on it.
- Select one of the trusted providers -- Cloudflare or NextDNS -- or select Custom to use another provider; in that case, have the provider's DoH URL ready, as you need to supply it.
- Click OK to complete the process.
Mozilla notes that it "explores enabling DoH in other regions" and that it is "working to add more providers as trusted resolvers" to the program.
Closing Words
DNS over HTTPS improves user privacy and security while using the Firefox web browser; that is a good thing. Mozilla launches the feature with two trusted providers -- Cloudflare and NextDNS -- and an option to add a custom provider as well if that is preferred.
While the introduction of the feature has been rocky (Mozilla was criticized for selecting Cloudflare as the sole provider in the beginning and for a Shield study), it is now at a point where users may select different providers right from the Settings.
Now You: What is your take on the rollout?
Big thumbs down to Mozilla.
My country uses DNS based blocking for stuff like gambling which is now easy to bypass for the few who need it. If everyone starts doing it they will switch to something harder.
Martin, I think you want to research this one better: DNS-over-HTTPS causes more problems than it solves -> https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
DNS-over-TLS is the way to go…
Entered this yesterday but I guess it never went through…
AnonGuy..Thanks, Go to the head of the class, Gold Star for you! That worked essentially, I get the login request (user/pword) but I have to fill it in (and remember it) manually as password manager automatically saves with https:// in front while bookmark saves as http:// both then with IP, not a big deal, biggest problem now is …do I wanna send all my secrets to Cloudflare ??? Thanks again.
DireWolf,
Try entering the IP address of the router interface in the address bar rather than the URL. On NetGear routers it’s usually either 192.168.1.1 or 192.168.0.1
countryfish…Thanks, nice try, but no go for me, perhaps I’m not permitting something within my router's config (not browser’s) that you are, I’m pretty tight on what I permit, I do believe it’s possible just haven’t found the right combination…bet your router's not a Netgear or else it’s a pretty new one,
Thanks for trying
This is a bit concerning about cloudflare: https://shkspr.mobi/blog/2019/11/can-you-trust-cloudflare-with-your-personal-data/
Direwolf,
Maybe a setting set unintentionally and interfering with that? I have no problem navigating to my routers http login page with the following settings;
network.security.esni.enabled true
network.trr.bootstrapAddress 1.1.1.1
network.trr.mode 3
network.trr.request_timeout_ms 3500
network.trr.wait-for-portal true
-and for a user.js file;
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.bootstrapAddress", "1.1.1.1");
user_pref("network.trr.mode", 3);
user_pref("network.trr.request_timeout_ms", 3500);
user_pref("network.trr.wait-for-portal", true);
You may find this useful: https://wiki.mozilla.org/Trusted_Recursive_Resolver.
Gives an explanation of each relevant setting.
Some more research indicates that it seems the “network.trr.wait-for-portal” preference I mentioned above would appear to not be an optimal setting at true, but rather, the opposite, i.e left at false (the default). Issue seems to be related to wireless privacy/security, particularly in public areas.
How does this affect the DNS server that ExpressVPN and NordVPN provide to their customers?
Either way, with network.trr.mode set to 0 or 5 and DoH enabled I can’t connect to the Netgear router login…stupid Netgear still uses http
Very Important – Must Enable ESNI with DoH or it’s largely pointless for hiding URLs from shifty ISPs. SNI transmits URLs in clear text.
https://en.wikipedia.org/wiki/Server_Name_Indication
Hey …if…If I disable it…
“disable it:
network.trr.mode 5 in about:config”
Doesn’t that disable DNS over HTTPS, not just my problem? I’m asking if there’s a way to USE DNS over HTTPS and still be able to log into a Netgear router which uses an http page? Thanks
Centralized DNS over HTTPS is harmful for users and society. And that added up with the fact that the provider is Cloudflare, makes Mozilla even more untrustworthy. #StopMozilla #SmashFirefox
https://labs.ripe.net/Members/bert_hubert/centralised-doh-is-bad-for-privacy-in-2019-and-beyond
https://git.openprivacy.ca/you/stop_cloudflare
What’s in it for CloudFare or the other third parties handling this traffic? What deal did Mozilla do with these companies that made it attractive to handle this traffic for DNS? Reading further into this from some experts who say it does little of what it implies to improve privacy.
That’s what I’d like to know, follow the money.
@ So criticizing MozCo is trolling, OK…..
I don’t trust Cloudflare as far as I can spit. And that’s literally the truth. I will be disabling this feature. Period.
Mozilla selected Cloudflare for their 2018 DOH study because it agreed to Mozilla’s terms of respecting users’ privacy (read it here: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/). As the feature is now “on” for only USA users I personally don’t see any problem in that. It improves security for 90% of average Firefox users in the USA. The other 10% will know how to change it.
They should never activate it for people of other countries though.
” Mozilla’s terms of respecting users privacy”
Ha ha ha ha, good one, LOL ! :)
I can no longer login to my Netgear router setup page after enabling DNS over HTTPS???
Disabled DNS over HTTPS and now I can access my NetGear router again.
Just disable it:
network.trr.mode 5 in about:config
source: https://www.ghacks.net/2019/09/07/mozilla-plans-to-roll-out-dns-over-https-to-us-users-in-late-september-2019/
..at the bottom of the article.
It’s panic marketing, your isp can still see what domains you connect to, it weakens ad blocking, bypasses vpn etc. People need to stop blindly doing what companies tell them :( sorry
After enabling DNS over https I can no longer login to my netgear router setup page
Users: You have control.
Mozilla: I have control.
https://www.youtube.com/watch?v=ns-osHeGKy0
I use Chrome beta with experimental flag set to use DoH in conjunction with Quad9 DNS. Looks like a good idea to me, but I do not pretend to understand this stuff….
I’m just a beginner when it comes to computer privacy. Can anyone explain, what is the point of using DNS over HTTPS, if you are not using a VPN?
Finally, it’s happening. :)
The general roll out of DNS-over-HTTPS has begun!
Firefox is the best browser.
DNS-over-HTTPS is BASED.
Don’t forget to enable ESNI, then check your Firefox browser at the Cloudflare ESNI Checker. Here’s the link: https://www.cloudflare.com/ssl/encrypted-sni/
If you don’t know how to enable ESNI in Firefox, read about how to do it here: https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/
Why are you not using DNS-over-HTTPS + ESNI anon???
I wonder why a conservative individual like notanonFUD is such a fanboy of Mozilla, which is an ultra-SJW organization: https://foundation.mozilla.org/en/campaigns/youtube-regrets/
@Samanto Hermes, I’m moderate, but of course, to leftists & communists, I would seem to be conservative.
I support the Firefox browser.
I support the technology behind Firefox.
I don’t support Mozilla playing politics. I want Mozilla to be politically agnostic (as Martin has proclaimed he is), & concentrate on making the best browser currently available, better.
I don’t agree with Mozilla banning Dissenter, I support free speech & freedom.
@notanon
> I want Mozilla to be politically agnostic (as Martin has proclaimed he is), & concentrate on making the best browser currently available, better.
In how far does Mozilla contribute to the development of Ungoogled Chromium?
Sorry, I couldn’t resist.
https://foundation.mozilla.org/en/campaigns/youtube-regrets/
“But YouTube’s recommendations are now full of videos about […] anti-American propaganda.”
There we go, Mozilla drops the mask, they want “anti-American propaganda” censored. As assimilated with alien flying saucers or flat earth conspiracy theories. This one has nothing to do with fighting racism, with social justice or with leftism, quite the contrary. They are becoming a shameless tool of US imperialism. I said before that this is where their campaign against “fake news” and “conspiracy theories”, that they made jointly with their government friends, would lead us. This went slowly enough to be undetected. Disgusting.
Mozilla centralizing the world’s private data into the hands of big US companies like Google and Cloudflare makes even more sense now, it’s not just about surveillance capitalism influences on them, there’s politics involved. But not leftist politics here. The empire must prevail.
Omg, that page 👌😂 ahahahah
@notanonFUD
> The general roll out of DNS-over-HTTPS has begun!
LOL, yes:
https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/
> Firefox is the best browser.
Advertisement detected.
Should I use DNS over HTTPS if I use a vpn that provides dns ?
Absolutely not, DoH will bypass your VPN, your hosts blocks, network filters, pihole, company sysadmin protections..
see for yourself: ipleak.net
The negatives of DoH vastly outweigh any positives. Your isp can still see the domains visited with DoH as has been said countless times. What this does is capture browser data from users and companies across a diverse range of networks and providers and puts that data in one place. The majority of DoH providers are hostile to privacy, inc: google, cloudflare, cisco, quad9, + some unknowns.
people need to look past the marketing and actually weigh up the effects to see the actual intent.
In what way do you feel that Quad9 is hostile to privacy? Improving user security and privacy is, literally, its only purpose, so if it’s failing at that, there’s no reason for it to exist.
I think yes if you are using the VPN for your daily browsing too (mixing them is a very, very bad idea though).
Seems like an overall good thing and prevents entities like your ISP from snooping in on your internet usage. I’m sure someone will point out some negatives but it looks as though most browsers will at least offer it as a opt in if not on by default.
@JohnIL.
Is it ok for cloudflare to snoop on your internet usage? Your comment makes no sense.
This functionality is an “option”..if you want it then turn it on and if not then leave it.
Why would i trust cloudflare over my own chosen DNS provider more?
The web has survived perfectly fine without this function so why the sudden urge for it now?
HTTPS was never designed to improve privacy. In fact, HTTPS connections reliably identify the source of the request — not to mention that DNS over HTTPS does not even provide end-to-end encryption. And Cloudflare shares all the data with APNIC; and with all U.S. government agencies if requested. The latter applies to any other U.S. company.
Also, browser vendors forcing HTTPS everywhere is harmful for privacy, leading server administrators to handing over sensitive information to CDNs: https://forum.palemoon.org/viewtopic.php?f=26&t=8913
“In fact, HTTPS connections reliably identify the source of the request”
I suppose that you mean because of TLS session identifiers, that can link later HTTPS connections as coming from the same source as before. This is a real anti-privacy shame in the name of “speed”. Of course Firefox adopted those identifiers long ago.
And it’s funny that Cloudflare is involved in both the DNS data grab and the MITM CDN data grab. Let’s centralize everything “https” at a big US company for them to view in clear text, and also possibly censor. Victory.
What Is DNS Over HTTPS, and Does It Make Mozilla an “Internet Villain?”
This helped simplify that matter for me.
https://www.maketecheasier.com/dns-over-https/
I’d like to see an advanced setting wherein the user can checkbox bootstraping. As of now, one must continue to configure network.trr.bootstrapAddress.
A brief warning (and maybe a “more info” link) would accompany the setting’s dialogue.
DNS over HTTPS is a convoluted way of communication. Moreover, if you don’t want to look at it with a purist eye that sees a weird retrograde jump for DNS to ping outside over HTTPS, the providers surely have some under-the-bench partnership with our so-long fabled “privacy 1st!” Mozilla CORP
A feat that may still be useful to some, but IMHO, a personal setup involving how to use DNS is a better choice, privacy-wise.
5 gold coins to pass this bridge, Adventurers.
Would it be recommended to disable this when using a VPN?
In order to only utilize the VPN providers DNS?
Better privacy?
@Bobs Yruncle
Yes, disable DoH if you use a VPN, also disable WebRTC, that’s 2 things quietly sitting in the browser now weakening your use of VPN.
If you do not:
Your DNS queries will be redirected to cloudflare, outside of your VPN, Cloudflare AND your isp will get your data. It’s bogus protection.
Your hosts file for ad blocking will be bypassed
Other countermeasures will be bypassed such as pihole, other network filtering
to disable:
network.trr.mode 5
to check:
ipleak.net
well since it’s baked into the browser now, it’s a soft request, and can be turned back on or used for telemetry or whatever at some point, who knows.
Read here: https://www.ghacks.net/2020/02/25/study-finds-brave-to-be-the-most-private-browser/
Firefox has a unique ID per installation, regardless of mozillians claiming otherwise. Mozilla has that ID, most likely shares it with CloudFlare too. Consider other browsers while using a VPN (Ungoogled/Chromium, PaleMoon, Brave). You’ve got plenty of superior alternatives to choose from.
I think it’s better to rely on whatever your VPN provides, since you’re supposed to trust them; otherwise why pay them?
Check your VPN recommendations – or its users – as many have leaks with non-standard setups.
OFF TOPIC: I think I have fallen in love with Yuliya…
@John, don’t forget that most other users around the world won’t ever switch it on or even be aware of it. For example, in the UK, the government has exerted all the pressure it can muster to coerce Mozilla to leave it switched off. One reason for this, apart from their general very authoritarian stance on pretty much everything, is that it would affect their age verification plans, along with VPN, and they’ve already stalled many times on such plans.
This is a big subject, with pros and cons on both sides, but ultimately, stopping the “abuse” of the ancient and very open DNS system has to change.
You can always keep it switched off, or use a different browser. I think there are more positives than negatives.
@Sophie: “You can always keep it switched off, or use a different browser.”
Doing so does not mitigate the problem. Regardless of the browser settings (or even regardless of whether or not a browser is used at all), applications and web sites can engage in DoH lookups directly, without involving the browser’s support for DoH at all.
@Sophie, the UK didn’t like what Mozilla was offering in dns over https because it hurts their entire site blocking regime. In those countries where website blocking is active, doh or dns crypt (not in Firefox) works beautifully to evade those blocks.
@Sophie, I believe the UK doesn’t want DNS-over-HTTPS, because it will stop it from SPYING on its own citizens.
The UK loves to prosecute people for violating their “hate speech” (translation, anti-free speech) laws that imprison anyone who criticizes their coddling of terrorists from Muslim countries, mocks Sadiq Khan for his hypocrisy, etc.
Thankfully, the UK became a nation again, by leaving the ultimate dictatorship, the European Union.
Maybe the citizens of the UK take back their freedom.
We, in America, are rooting for you.
It’s not up to the browser to do this, but to the OS !!
Mozilla tries to shill this as a move towards privacy, while it is a move away from privacy:
https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/
Read it. Understand it. And this alone…
> Microsoft plans to integrate the feature natively into Windows 10, and companies like Google or Opera Software have started to test it in their web browsers.
…should already make it clear that this will do nothing to improve user privacy. Look at the company names alone and tell me that this will improve privacy.
there is news each day about mozilla, who’s got paid, and nothing about ublock origin’s new permissions
If you mean the “IP and DNS access” in the new Version 1.25.0 read this:
https://github.com/uBlockOrigin/uBlock-issues/issues/780
I didn’t actually read the article, but you can be sure I’m going to say something about how Mozilla can’t be trusted. And don’t call me a troll.
It may be a mistake to own up to this publicly, but FYI, the first post in this chain was by me. A bit of satire, lampooning what I see as some common themes in Yuliya’s comments on Mozilla stories. I thought it was obvious enough that there wouldn’t be any actual mistaken identity, but it appears I was mistaken.
@Martin, the new site owners are still censoring “some” of my posts from the comments.
You promised no changes when you sold the site, but your new overlords obviously believe otherwise.
This is NOT a safe space, it’s a tech site.
When Yuliya says he’s NOT a TROLL, but posts nonsense against Firefox, while NOT reading the article … HE IS THE DEFINITION OF A TROLL.
All my posts have a 12 hour lag, & then the posts that the site owner’s censors don’t like are never posted at all.
Whereas, stupid & ridiculous shill posts are NEVER deleted. Go to Reddit & see how they mock the comment section here.
When @Martin owned the site, my posts were delayed for half a day, but they posted them afterwards. My ENTIRE post was never discarded.
The moderation of the comments on this site is why it sucks.
The new owners suck.
And the moderation sucks.
@notanonFUD
> Whereas, stupid & ridiculous shill posts are NEVER deleted.
You are contradicting yourself. If that were true, you wouldn’t complain about posts of yours supposedly not appearing. If Martin really published any shill posts, yours would be first in line.
> Go to Reddit & see how they mock the comment section here.
And by “Reddit” you specifically meant r/firefox, the fanboy snake pit that you crawled out from.
> The moderation of the comments on this site is why it sucks. The new owner suck. And the moderation sucks.
If you think so, then why don’t you leave? Any good reason other than having to shill Firefox here?
@Iron Heart
“If you think so, then why don’t you leave? Any good reason other than having to shill Firefox here?”.
Why don’t you leave ? Ghacks comments section would be a better place without you. Other posters would be able to have reasonable discussions and exchange ideas / tips about the articles without you calling them Shills and Firefox fanboys.
How can you talk about other posters being shills, when ALL that you post is to denigrate Firefox users while “bigging up” what, in your mind, are the best browsers, Brave and Ungoogled Chrome. You are a shill for them.
I do not know what Firefox did to upset you and Yuliya but both of you NEVER stop trolling and flaming other posters.
Here’s an example from your comment above aimed at “notanon” :
“And by “Reddit” you specifically meant r/firefox, the fanboy snake pit that you crawled out from.”
You even added FUD to notanon’s posting name !!!!
For God’s sake, give it a rest and grow up !!!! Your posts are becoming tedious with your anti Firefox rhetoric.
NB If you reply please do not use the phrase “ad hominem”. You do so regularly but wrongly.
Browse the ‘Net to find out what it really means.
@T J
> Why don’t you leave ? Ghacks comments section would be a better place without you.
Freedom of opinion, I guess.
> Other posters would be able to have reasonable discussions and exchange ideas / tips about the articles without you calling them Shills and Firefox fanboys.
Judging by the quality of some posts here, I take your vision with a grain of salt. And maybe you haven’t noticed: I don’t call all people Firefox shills and / or fanboys here. Just those who behave as such verbally, particularly those who try to present Mozilla and Firefox as something they are obviously not.
> How you can talk about being other posters being shills, when ALL that you post is to denigrate Firefox users while “bigging up” what, in your mind are the best browsers Brave and Ungoogled Chrome. You are a shill for them.
It might have escaped your attention: In all of my posts, I maintain a degree of fairness towards Firefox. I have never said that it can’t be tweaked into something worthwhile, even into a privacy-respecting browser. Emphasis on “tweaked”, because its default settings suck. That’s why multiple user.js versions out there exist, that advise users on which settings need to be changed. And here lies my gripe with Mozilla: They advertise Firefox as privacy-respecting, but out of the box it is clearly not. They are anything but genuine, and users who don’t know much about Firefox continue to perpetrate the narrative. I also criticize Mozilla for being overall hypocrites, claiming to fight against Google while being funded by them (fake competition).
And honestly, the bar Mozilla Firefox sets for privacy is very low, it doesn’t exactly require me “bigging up” Brave or Ungoogled Chromium to jump over a bar so low. They are better out of the box, period. “Out of the box settings” is what most users use. Without knowing how to extensively tweak it, Firefox shouldn’t be recommended to anyone, and even then Mozilla must be shunned for falsely advertising Firefox as something it is not.
What I do is not shilling. Brave and Ungoogled Chromium are actually true to the statements their makers utter about them, while “shilling” is what the Firefox fanboys do here, they are trying to make Firefox look like something it is not (just like Mozilla does, they are just parroting their statements).
> I do not know what Firefox did to upset you and Yuliya but both of you NEVER stop trolling and flaming other posters.
Another thing that might have escaped your attention: When I say that Brave is better than Firefox out of the box in terms of privacy, the sea gets much rougher here. That is to say, do not pretend that the grass is much greener on the other side. I get flamed and trolled here as well, I just don’t whine about it as much. I also wish that the climate here would improve, but I don’t see it happening, because the FF fanboys strongly dislike it when I point at Mozilla’s (and by extension: their) extraordinary hypocrisy. Are the browsers I recommend perfect? Nope. But they are at least not falsely advertising themselves and do not betray user trust.
> You even added FUD to notanon’s posting name !!!!
Yes, and for good reason. He continues to perpetrate the lie that Brave (and other Chromium-based browsers with built-in adblockers) will be severely affected by Google crippling the webRequest API. I have explained to him countless times that this is not the case, and also cited my sources (the browser devs themselves), to no avail. He wants to –> shill
> For God’s sake, give it a rest and grow up !!!!
Once he drops the FUD and actually behaves like a grown up, he will lose his well-earned title and I will treat him like an adult. But not before, sorry. He gets the responses that his level of writing have earned him over a long period of time.
> Your posts are becoming tedious with your anti Firefox rhetoric.
If you think that I will stop calling out obvious Mozillian hypocrisy, you will be sorely disappointed. Whether you like it or not is not my concern. I maintain a degree of fairness towards Firefox, but if you want me to write nice things about it or to shut up entirely, Mozilla would have to change.
> NB If you reply please do not use the phrase “ad hominem”. You do so regularly but wrongly. Browse the ‘Net to find out what it really means.
You don’t hide being what is commonly called “butthurt” very well. But no, I won’t offend the language police as I didn’t intend to use it here anyway.
Just stay polite please. Comment moderation is done as quickly as possible but it is still a manual process and may be delayed because of that.
@Martin, thanks for the reply.
When you owned this site, comments were never entirely removed.
It’s not moderation if the entire post is deleted, it’s censorship.
Especially when I’m posting facts, I don’t really care if people’s feelings are hurt by comments. If you don’t want to be flamed, don’t post stupid comments.
As I mentioned above, a tech site shouldn’t be moderated like Twitter & Facebook, where comments are moderated to create “safe spaces” for snowflakes, who post nonsense & then are surprised when their nonsense is destroyed in the comments.
Moderation by the new owners sucks.
If I wanted to be moderated by snowflakes, who want to create “safe spaces”, I would be visiting Ars Technica.
I understand your position but would like to ask you to just stay polite even if it may be difficult to avoid moderation.
There’s a lot of flaming, trolling and emotive baiting here saying very little of merit,
Yuliya states his case however, you all may not like facts, but you need to deal with them instead of trolling.
It’s a bit worrying that proponents and quite likely.. employees of a browser feel the need to go so low as to impersonate, flame and troll instead of putting right the browser itself. Says something :/
@ if
I have pasted one of Yuliya’s posts below.
You will find it in Martin’s article about the Brave browser on 25/02/2020.
“Noooo, my fellow mozillians, what are we going to do now? The Chromium Master Race humiliates us once more! Nooooo!!!!!!!11111eleven
Our browser cannot lose to them, we’re the privatest, the strongest, the diversest and speediest in the world!!
Oof, mu heartrate went through the skyroof!!.. or windshield.. or rooftop.. i don’t remember the exact idiom right now, that’s how tense i am upon reading these sad news :(”
Yuliya posted the above in order to take the p*ss out of Firefox users. Who is the Troll and or Flamer ? :(
Respectfully, you just came across an article about Mozilla and said you didn’t read the article, but that we can be sure that if you did read the article you would have wound up saying something about how in your view Mozilla can’t be trusted.
That’s almost the definition of a troll. You’ve basically just admitted that no matter what the content of any article posted about Mozilla or Firefox is, you’ll be there bashing them for whatever is covered in the article. If the article was about Mozilla giving money to a charity to benefit orphans and children, it sounds like you’d jump in to bash Mozilla for it.
Give it a rest already.
Respectfully, that is not me ;) DoH in and of itself is rubbish, accomplishes nothing and gets in your way, regardless of browser. I think I’ve made this clear enough in the past.
In this case CloudFlare is the only winner. Hoarding all US mozillians data. Enjoy, I guess. . .
@ Yuliya
“Respectfully, that is not me”
Respectfully, I do not believe you.
But I use 1.1.1.1 already instead of the evil 8.8.8.8 https://en.wikipedia.org/wiki/1.1.1.1#Privacy_Policy.
Not to mention my $22000 of Cloudflare stock I bought during the IPO. Please use Cloudflare so I can get rich. :)
@Yuliya
“In this case CloudFlare is the only winner”
So all others lose?
Hmm.
That seems like a rather extreme perspective. Perhaps you’re an irrational extremist of some sort?
Well, at least you’re allowing us to “enjoy”, I guess. . .
Calling you a troll would be unfair to trolls. At least they are creative and sometimes even entertaining. You don’t have that.
“I didn’t actually read the article”
I knew that when I saw your name.
Is there something like Mozilla Derangement Syndrome — a Firefox version of Trump Derangement Version?
Orange Fox bad! Lives rent-free on my mind!
“And don’t call me a troll.”
Sounds insecure, yet it’s accurate. Trolls are immature people with too much time — who are occasionally funny and entertaining. Some of them are paid, so at least they have an income. I mean the normal trolls, not the anti-Russian rhetoric.
@Addy T.
Regardless to what a so-called troll is or isn’t, what’s clearly the worst to me are the ego-driven know-it-all lairs. Next to that are the paranoid crazies, and below that are the lazy/needy idiots. Mix that all together and you have “social”.
Oops. . lairs = liars
@ Yuliya
Maybe not a troll, but an anti-Mozilla fundamentalist for sure, I may not like them much anymore, but that doesn’t prevent me from remaining intellectually honest, not like you obviously.
@ Yuliya
“I didn’t actually read the article”
If your statement is correct why did you waste your time posting a response ??
Nothing better to do…..??
@Gary
Why isn’t it obvious?
“Orange Fox bad!
I do not read news! Totally not a troll… Respect my well-informed take plz!”
@Gary D
maybe it wasn’t the real “Yuliya”…………………
I believe that DoH is a rather serious mistake.
It does improve security in one area, but at the cost of reducing security in other areas. Since the goals of DoH can be accomplished in ways that don’t bring a security hit with it, this is an unnecessary security tradeoff and weakens security for everybody.
What are the alternatives? Honestly, while DoH is good, I would rather have DNS over TLS, as this is the wrong layer. But, that requires OS support anyways (like Android, which supports DNS over TLS) and it reuses the same HTTPS code, so it makes sense. There is also DNSCrypt, but it can still leak a lot of information unlike DoH or DoT.
Are there any other alternatives?
“Are there any other alternatives?”
The right alternative is to use encrypted DNS the way many including the EFF advised it, and the way Google or Microsoft are considering doing it for now: without overriding the operating system one, and the default action if the user does nothing should only be to upgrade the existing DNS provider to an encrypted version of the same if available. Otherwise the gate is opened for every software to choose its own DNS provider without asking or informing the user, and why not monetization then, with a market of DNS providers ready to pay software developers to be the chosen one to spy on queries.
Mozilla could not ignore that even if they were above suspicion of being evil themselves (and they’ve done enough dirty moves already not to be trusted as having only the best intents), this practice of hijacking the system DNS would be followed by evil others once they’ve helped make it an acceptable norm.
And if Google or a smaller shady software company had experimented with that sort of DNS hijacking first, we would have had a bigger chance to kill it in the egg with backlash. This is why Mozilla came to their rescue. Mozilla can’t be evil, right?
@John Fenderson, explain yourself.
DoH is manifestly better for security.
DNS was broken & DoH fixes it.
The vast majority of users don’t tweak anything in their browsers, so a general rollout (starting in America) is fantastic.
@notanon:
My problem with it is that it makes it impossible for me to monitor or control DNS lookups without engaging in extreme measures. This provides a method for marketers and other spies to evade attempts to block the spying.
Additionally, the problem is that mainstream DNS providers are beginning to support it. That means that I can just do something like block all access to DoH providers without causing too much unwanted breakage.
The problems with DoH have nothing to do with any particular implementation, but that the mechanism exists as a standard at all. That this is true means that I have been forced to install a MITM proxy to intercept and examine all HTTPS connections in my LAN so that I can filter DoH queries and drop unauthorized ones. I feel that Mozilla has thrown me under the bus a bit with this effort.
Further, DoH is unnecessary — Mozilla pushed it because it was convenient. The proper thing to do would have been to work on the already existing standards for encrypted DNS lookups — those don’t bring the security problems that DoH does.
@John Fenderson,
DNS is broken: it’s unencrypted, & anyone between you & the site you’re looking to reach can see where you’re going (spy on you), alter your traffic using a MITM attack (hack you), & you won’t realize it’s happening to you until there are consequences like:
(1) someone steals your banking credentials & goes on a “shopping spree” on your dime
(2) your insurance increases after your insurance company buys data that shows you’re a high-risk customer
(3) the police arrest you & confiscate your computer, because some pedo “hacker” decided to use your computer as their “cloud storage” for underage images/videos.
This is why Firefox (& Chrome) are moving to DNS-over-HTTPS, to prevent your browser’s DNS lookups from being spied on, hacked, etc.
If you don’t care about getting arrested, having your money stolen, paying more for insurance, etc., then by all means, do whatever you like.
But if you know the dangers & still deny it, then don’t cry when you’re a victim.
Notanon… That’s madness…
(1) Not a DNS issue, but router/browser/OS vulnerabilities and/or misconfigured/compromised bank websites. https://www.bleepingcomputer.com/news/security/ncsc-issues-alert-about-active-dns-hijacking-attacks/
(2) Not a DNS issue, but browsers tracking vulnerabilities and no international laws against massive data gathering/sharing/commerce.
(3) Not a DNS issue, but browser/OS vulnerabilities and/or bad surfing habits.
“This is why Firefox (& Chrome) are moving to DNS-over-HTTPS, to prevent your browser’s DNS lookups from being spied on, hacked, etc.”
Mozz-Clouflare-Google what?! False.
spyFox and spyChrome probably want DoH mainly to circumvent “user choice” against web offenders, and not only that: since 3rd-party internet protections are bypassed, users are forced to enable spygoogle safecensorship to prevent visiting compromised websites.
https://www.welivesecurity.com/2020/02/19/what-dns-encryption-means-enterprise-threat-hunters/
“For SOC teams, the negative effect of DoH is that it blindsides them to malware communication that can more easily masquerade as normal HTTPS traffic in the network…Proofpoint researchers found a new sextortion module update of the PsiXBot malware that uses Google’s DoH service to fetch C&C IP addresses, which allows attackers to hide the DNS query behind HTTPS.”
DoH is safe?
https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/
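The MITM-proxy filtering John Fenderson describes above and the SOC blind spot in the quoted article both come down to recognising RFC 8484 traffic once TLS has been terminated. As an added example (not from the article or any commenter), the Python below scans constructed proxy log lines for DoH indicators and recovers the queried name from a GET request’s base64url `dns` parameter; the log format, hosts and addresses are assumptions.

```python
import base64
# Constructed sample proxy log; assumed format "client method url content-type" ("-" = none).
SAMPLE_LOG = """\
10.0.0.7 GET https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE -
10.0.0.7 POST https://resolver.example.org/dns-query application/dns-message
10.0.0.9 GET https://www.example.com/index.html text/html
"""

def b64url_decode(s):
    """RFC 8484 GET requests strip base64url '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def qname_from_wire(msg):
    """Return the first question name of a DNS wire-format query, or None."""
    # Reject short messages, responses (QR bit set) and queries with QDCOUNT 0.
    if len(msg) < 12 or msg[2] & 0x80 or int.from_bytes(msg[4:6], "big") == 0:
        return None
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:                                   # root label ends the name
            return ".".join(labels) or None
        if length & 0xC0 or pos + 1 + length > len(msg):  # no pointers in QNAME; stay in bounds
            return None
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def classify_doh(line):
    """Flag one log line as DoH if it carries any RFC 8484 indicator."""
    client, method, url, ctype = line.split()
    path = url.split("://", 1)[-1].partition("/")[2]      # everything after the host
    indicators, query_name = [], None
    if path.startswith("dns-query"):                      # the RFC's example URI template
        indicators.append("path")
    if ctype == "application/dns-message":                # the DoH media type
        indicators.append("content-type")
    if method == "GET" and "dns=" in path:                # wire-format query in the URL
        encoded = path.split("dns=", 1)[1].split("&", 1)[0]
        try:
            query_name = qname_from_wire(b64url_decode(encoded))
        except ValueError:                                # not valid base64url
            pass
        if query_name:
            indicators.append("dns-param")
    return {"client": client, "is_doh": bool(indicators),
            "indicators": indicators, "query_name": query_name}

def scan_log(log):
    return [r for r in (classify_doh(l) for l in log.splitlines() if l.strip()) if r["is_doh"]]
```

POST bodies are not visible in a request-line log, so for POST the media type is the only indicator; a proxy that records bodies could feed them to `qname_from_wire` directly.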
> That means that I can just do something
This should have been “That means that I can’t just do something”
It might be helpful if you told us what you’re referring to re “reducing security in other areas”. You may be right or wrong — but you’re just making a bald statement, so I have no idea what you mean.
In what areas does it reduce security?
Agree completely. Overriding system-level DNS settings by default and sending all DNS queries to a US company does not increase privacy.
If the goal is to “prevent data collection by third parties on the network that ties your computer to websites you visit”, then why are they achieving that by sending your data to a third party?
This should not be a default, but an option people can use if they have need to.
@JF,
Why, what is wrong with FF’s implementation?
@scoobydoo
I am not aware of anything wrong with FF’s implementation. The problem I have is with the entire mechanism.
Excellent!
Not all will agree, some users don’t like encrypted DNS for reasons that I appreciate, but in my view, this is a must. All around the world, freedom of speech and encrypted comms are seriously under threat.