1. 21

  2. 6

    It’s nice to see such tonally reasonable discussion of the DoH situation. I find myself in a similar situation: appreciating Mozilla’s efforts to improve privacy and security, but forced to disable the feature (in my case due to split-horizon DNS).

    I would particularly highlight these comments:

    The discussion around Firefox’s deployment of DoH has been remarkably bad-tempered. Part of the problem is that Firefox is removing a security mechanism without providing a replacement. Network providers and enterprises block malware and phishing on their DNS servers, and home users use software like Pi-Hole or custom hosts files to block malware and ads. Firefox’s DoH implementation will stop these blocks from working.


    To be honest, the DNS isn’t a particularly good place to implement a security policy. […]

    It would be better if your computer came with software that made it easy to subscribe to block lists, inspect them, edit them, and remove them if they are more annoying than useful. And if it were easy for network providers to publish block lists and make you aware of them. Then your anti-phishing / anti-malware / anti-spam protections would not depend on where you get your DNS from.

    Like lots of network-level controls, DNS seems like an attractive control mechanism to the network provider, but it’s not well suited for that purpose because it lacks a way to communicate with the user in terms the user can understand (short of a captive portal, a hack that is less and less functional as HTTPS and HSTS spread. It seems like we need, at minimum, the DNS equivalent of HTTP’s 451 status code. The article’s suggestion of a network-local policy distribution mechanism seems like a direction worth exploring.