1. 29
    1. 27

      I wish they’d at least prompt to turn this on, instead of do it automatically. I don’t really trust cloudflare either, and have a different encrypted dns provider. I’m glad they at least allow you to disable this or change the provider, I just don’t like that out of the box firefox starts sending DNS traffic straight to cloudflare.

      1. 3

        I disabled it when the popup appeared for this reason. What’s the provider you use?

        1. 7

          I run a VPS that provides encrypted DNS. It gets DNS from running unbound querying root DNS servers directly.

          I wish that one day the root DNS servers themselves would support encrypted queries..

      2. 1

        I wish they’d at least prompt to turn this on

        That would be the worst possible choice out of all possible choices I can think of. I would prefer DoH to be off-by-default, but I prefer on-by-default over a prompt.

        For one thing, encrypted DNS is a small, incremental improvement. It’s only really worthwhile because of a bunch of other improvements, like eSNI, tracker blocking, user-agent string size reduction, and all the Private Browsing hardening tricks that Tor has upstreamed. You prompting for all of the tweaks that have some sort of trade-off would just suck.

        Worse than that, though, is that most people would not be able to make an informed decision about a prompt like this. Warning fatigue is a real problem, and Firefox is frankly bad about this already. I wish they’d just turn address bar suggestions on or off by default instead of prompting for it.

    2. 19

      I’ve already configured my own DNS settings, and I resent Firefox overriding that without asking me. Furthermore, I trust my ISP more than I trust Firefox, Mozilla, or CloudFlare.

      This is the type of thing that will eventually make me stop using Firefox (again).

      1. 8

        Do you mind if I ask which ISP you trust more than Mozilla?

        1. 3

          I too already configured my own DoH settings (because I saw the writing on the wall) and I hope Firefox doesn’t overwrite them. I set up my own DoH server at home (yes, I run DNS, but I’ve been doing that for nearly twenty years now).

          1. 4

            Hope you don’t mind me asking, but how does running your own DoH server help? All the underlying DNS queries from it could be mapped to you with very high probability. Or is there some mechanism to tunnel underlying DNS to an upstream to mask that?

            1. 2

              You can just cache entries. So even if you visit some page later the request was already made, so you will leak less information about yourself.

              1. 6

                Isn’t that also true when not using DoH at all?

                1. 1

                  Yup. It’s amusing to see just how many DNS queries a web browser makes.

            2. 2

              It all comes back to me. But given that TLS still leaks the server name (TLS 1.3 fixes that, but it’s not everywhere yet) it’s not that big of an issue with me. I’ve been of the opinion (since 1989 when I first came across the Internet) that anything done on the Internet is public by it’s very nature—even encryption still leaks the IP address you are connecting to [1]. Yes, there’s TOR, but that’s still vulnerable to privacy attacks.

              [1] One the one hand, you have the crowd that decries the every increasing centralization of the Internet. On the other hand you have the crowd that decries the PII that leaks out (like an IP address). It’s like people want decentralization with total privacy. I’ll just say “Good luck with that.”

              1. 2

                Centralization makes it so that one party can see everything and the rest can see near to nothing. Decentralization makes it so that many parties can see some things each, but it takes a lot of effort to see everything.

                A privacy model based on centralizing is doomed from the start, because there’s only a single line of defence. It is easier to hack/bribe/subpoena one very strong party than it is to hack/bribe/subpoena many weaker parties.

    3. 10

      I don’t trust Cloudflare particularly more or less than any other DNS provider. But I don’t like the increased centralization of data.

      …has anyone yet made a “local” DoH provider that goes to Cloudflare over Tor?

      1. 5

        Wouldn’t that present a captcha for every DNS lookup?

    4. 24

      Shame on Mozilla Firefox for bringing a fake solution to a very real problem.

      Selling this as a privacy solution is basically a lie. I hope they fix this fast. It isn’t their place to decide that all of their US users’ traffic now gets sent to CloudFlare.

      Furthermore, the fact that they’re doing this for “US users” means they are tracking their users and determining their location, something they also shouldn’t be doing. What bs.

      1. 1

        While I don’t know one way or another how they determine “US” for this, it doesn’t necessarily mean geoip calculation – the initial Firefox download is generally both language- and region-targeted (this is used to set region-specific default search engines, for example), and a given copy of Firefox can know what language/region it’s built for. So one easy way to turn on for “US users” would be to toggle the DoH setting in an update pushed to everyone on an en-US build.

        1. 3

          I’m living in a country where English is not the primary language, but a lot of users (especially power users) prefer to use an en-US or en-GB build because they are proficient in English and the translations to the local language are awkward and hard to understand sometimes.

          This is rather common for users in Northern and Western Europe.

    5. 27

      A very bad day for privacy and internet freedom everywhere, great victory for the NSA. All your DNS traffic will now go to a single monopoly under US jurisdiction — Cloudflare.

      Here’s a useful comment showing the way to block this malignant traffic from leaving your network:

      Here’s the prior discussions for the issues with DoH in general and with Cloudflare in particular:

      It’s especially ironic that Mozilla is turning it on first in the US of A — literally a country comprised of collection of independent states, now all tracked under a single monopoly DoH provider. The only hope is that someone in the government will eventually wake up and see the issue where a single entity controls so much of consumer and business traffic that AT&T could only dream of; in an ideal world, Cloudflare should be the prime target of the antitrust legislation in the next decade.

      1. 12

        Mozilla advertises ‘privacy’ on literally the second sentence of the Firefox download page

        And yet they continue to depend on proprietary google tracking bits in order to generate a UUID (lol), and now this. Mozilla needs a major change in direction if they’re going to actually provide a product that respects user privacy.

        1. 7

          This feels like the typical response from the geek world where if Firefox only gets 99.99% of things right instead of exactly 100%, they will be portrayed and talked about as if they actually managed 0%.

          The threats involved in using your ISP’s DNS are pretty clear, and pretty clearly are attacks on your privacy. DoH is a significant upgrade over that, and the provider they chose to go with has taken steps to try to make it verifiable that they will not present the same kind of threat as your ISP.

          But because it only gets part of the way to where certain people would like to be, we get threads like this one, where the perfect is not just the enemy of the good, but is actively seeking to hinder and impair the good by any means available.

          1. 3

            The threats involved in using your ISP’s DNS are pretty clear, and pretty clearly are attacks on your privacy.

            The threats involving the world’s largest ad company and the threats involving a leading collector of internet traffic are pretty clear, and clearly are attacks on your privacy. So by your standards, ‘good’ is choosing one bad actor over another bad actor, when ‘good’ should really be avoiding all bad actors. ‘Perfect’ would be something like seemlessly integrating Tor, etc (which no one here is asking for).

            1. 2

              I don’t much like Cloudflare, but Mozilla seems to have used their leverage to enforce terms which are far more favorable to your privacy than anything a widely-available consumer ISP is going to offer. So, again, this seems to be a “they only got to 99.99% of what I want, not 100%”, and from there is being spun as complete failure.

              If you have actual demonstrable proof that Cloudflare is not abiding by those terms, feel free to bring it up.

    6. 9

      This is so great! A huge win. Here’s Schneier being stoked about it https://www.schneier.com/blog/archives/2020/02/firefox_enables.html

    7. 5

      I guess this is a bit off-topic, but here we go:

      This isn’t the first time Mozilla has gone over its users and overrode settings without asking. This makes me uncomfortable, so I’m considering alternatives. Which browser have you been using?

      1. 7

        The problem is that Firefox is the best browser, but the best isn’t good enough.

    8. 4

      Funny thing that the DNS queries are less of the problem, because you could run local cache (I believe that most OSes already does that) and you will become less “trackable”. On the other hand you still send unencrypted information about all your traffic via SNI, so any interested party still can get all data they need.

      So this only increase the amount of things the sysadmins need to remember to configure when they want to properly handle DNS resolution.

      1. 2

        Firefox supports eSNI.

        Having two things that are broken has been the reason why they both stayed broken for so long:

        • There’s no point fixing A, because B is broken.
        • There’s no point fixing B, because A is broken.
        1. 1

          Still, DoH isn’t IMHO a solution as we could use, well, DNS over DTLS or DNS over TLS as well. Why “hide” DNS queries as HTTP ones?

          1. 1

            They are functionally equivalent from user perspective, but from ISP perspective DoT is trivial to block (runs on a dedicated port), which helps keeping users on unencrypted DNS.

            I’m not a big fan of DNS over HTTP/2, but HTTP/2 has a clear migration path to QUIC. DNS over QUIC will be UDP again, but with modern crypto, a few protocol upgrades, and share implementation with HTTP/3.

    9. 4

      On Linux (equivalents exist for other platforms):

      sudo ${EDITOR:-vi} /etc/firefox/syspref.js
      

      Add a line like:

      pref("network.trr.mode", 5, locked);
      

      Per https://wiki.mozilla.org/Trusted_Recursive_Resolver the value 5 is “Off by choice. This is the same as 0 but marks it as done by choice and not done by default.”

      Making it a locked pref keeps you from accidentally turning it on again, but more importantly here, when on a version which hasn’t made the change yet, gives you a visual indication that the change has taken effect and you haven’t edited the wrong thing. You might use locked until you’re happy you’ve made the change in the right place, then remove that keyword if you think you might at least want to explore the feature.

      1. 3

        Why sudo ${EDITOR:-vi}? Just use sudo -e. Your command launches an editor with root privileges, while sudo -e does not, and works in situations where the system is administered competently.

        1. 1

          Thanks, I couldn’t remember the option to do that. I’m usually either editing as myself inside config management checkouts (not editing random files on random machines in prod), or working as root on something locally and needing to read other root-owned files while I’m at it, so running the editor as me doesn’t help.

          Also, this was an illustrative example. My phrasing is readable without a man-page, for folks using systems which use commands other than sudo (eg, op).

    10. 3

      Is there some trustworthy entity to provide DoH until it is more common place at ISPs and others?

      With trustworthy I mean preferably a non-profit, privacy focused, with know-how, fund, resources, etc. I am thinking about maybe Mozilla themselves, the Chaos Computer Club, EFF or something like Let’s Encrypt where institutions come together. In a best case scenario it also wouldn’t be yet another case of centralization in the US.

      This is a list of public providers: https://github.com/curl/curl/wiki/DNS-over-HTTPS

      1. 4

        Is there some trustworthy entity to provide DoH until it is more common place at ISPs and others?

        I really like your question, because it shows the profound issue with the whole idea of DoH.

        If you trust your ISP — and there’s no good reason you should trust the centralised too-big-to-fail NSA-dream Cloudflare more than you’d trust your local ISP subject to the oversight of your local community — then you basically don’t gain much from DoH, because the likelihood that someone can tap into your traffic between your secure WPA2 WiFi at home and your ISP is rather small.

        The alternative, of course, is using a national provider, which will then be capable of tracking your activities across all of your upstreams at home, work and coffee shops, and quietly delivering all said content to the intelligence agencies, through the secret court orders and such.


        I think folks get too tied up with the idea of encrypting everything at all costs, and ignore the long-term opportunity costs associated with all these actions:

        • HTTPS-Everywhere eliminates a whole class of Internet firewalls and malware scanners capable of filtering out ads and malware outside of having to enlist the help of your browser, and ensuring your browser doesn’t do any funky stuff, because now with ubiquitous HTTPS everywhere you can’t easily see what sort of traffic is going out of your network, or which page is making a request to which other page through examining the Referer headers in tcpdump without having to enlist the support of your browser, or which headers and what metadata is being sent back to the mothership.

        • DoH is likewise acting in the same way by leaving you with less choice to filter out and examine your own traffic, especially if DoH is implemented not in the operating system or home router, but on the application layer in your browser. Does this mean that now with a new Firefox, I’ll be back to seeing all those useless GDPR notices from their-party megabyte-sized JavaScript that are blocked in my /etc/hosts, as well as all the experience trackers and megabyte-sized A/B testing scripts from Optimizely that have likewise been blocked in my /etc/hosts as well? What’s so great about that? Why is eliminating my choice to block these things in /etc/hosts is a good thing?

        Keep in mind that even if you’re using both HTTPS-Everywhere and DoH, where all your traffic is encrypted, it’s still possible to figure out that you’ve visited Wikipedia (due to IP address correlations that are impossible to hide without centralising the web behind someone like Cloudflare (gosh, I wonder why they’re pushing for all these things!)) and viewed a page named Censorship in the United States (due to the unique sizing of the content, as well as timing-based attacks, where the timing-based attacks are likewise near-impossible to fully mitigate, if the continued emergence of the various Meltdown upon Meltdown bugs and research is to teach us anything).

        1. 1

          no good reason you should trust […] more than you’d trust your local ISP subject to the oversight of your local community

          How about when “local community” means “relatively authoritarian government”. (Really in any situation the word “community” feels very dishonest here lol)

          I trust any U.S. company way more, because the U.S. does not have power over me.

          HTTPS-Everywhere eliminates a whole class of Internet firewalls and malware scanners

          Yeah, and prevents ISPs from injecting their damn ads and prevents e.g. your employer from reading all the content you see in plaintext.

          Any filtering should happen in the browser because of the end-to-end principle. Any kind of tampering in between the servers and the browser is fundamentally broken and stupid.

    11. 3

      Because many corporations need extensive control Mozilla has created a something called “policy support” which can be implemented using a JSON file called policies.json. This file is a cross-platform compatible file that makes it the preferred method for enterprise environments to control Firefox in different environments. By using the policies.json file you can control a great amount of how Firefox works, including the DNS over HTTPS feature.

      Create the file before you start using Firefox in order to avoid initial data going through Cloudflare.

      Find out where Firefox is installed. On Arch Linux Firefox gets installed in /usr/lib/firefox/. On FreeBSD it gets installed in /usr/local/lib/firefox/. If a subdirectory called distribution doesn’t exist you need to manually create it. Then create the policies.json file in that directory.

      On the README for the policies templates you can find a list of options to control.

      I have created a policies.json that looks like this:

      {
        "policies": {
          "DisableAppUpdate": true,
          "DisableFirefoxAccounts": true,
          "DisableTelemetry": true,
          "DNSOverHTTPS": {
            "Enabled": false,
            "Locked": true        
          },
          "DontCheckDefaultBrowser": true,
          "NetworkPrediction": false,
          "PromptForDownloadLocation": true,
          "SearchEngines": {
            "PreventInstalls": true
          },
          "SearchSuggestEnabled": false
        }
      }
      

      You can view your settings by typing about:policies in the address bar.

      If you want to block Cloudflare and other known companies that supply DoH at good list with both domain names (for DNS blocking) and IP addresses (for firewall blocking) is available at: https://github.com/oneoffdallas/dohservers

      1. 2

        An easier way to do this, if you’re already running your own custom DNS resolver, is to block the canary domain

        I’m figuring that we’re going to have ISPs blocking the canary domain, and the arms race will continue onward, but at least for now that’s how it is.

        1. 2

          I forgot to mention the canary domain.

          I’m blocking the canary domain on my DNS server already, but since we will most likely begin to see fallback options, like systemd did with systemd-resolved, I think it’s good to have a list that we can work on and add domains and IP addresses as they go public.

    12. 2

      I’m not sure if I understand the implications correctly. If I run a local DNS provider, like Pi-hole, then Firefox receives this settings via DHCP. With the change to DoH, Firefox at some random update ignores that setting and resolves via Cloudflare instead. This implies the host-blocking via Pi-hole stops working. Correct?

      1. 3

        Correct. However, Firefox is supposed to lookup a canary domain using the DHCP-provided resolver, and if it does not return any A/AAAA records for this domain, Firefox will not enable DoH by default. This behaviour may change in the future.

    13. 2

      I’ve configured dnscrypt-proxy with DOH [1] to proxy nextdns.io from a DO droplet.

      1: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Local-DoH

    14. 1

      Set your DoH endpoint to “custom” and add https://doh.libredns.gr/dns-query (For more info, https://libredns.gr/) :)

      1. 3

        Thank you @gerikson, @cnst.

        I’ve merged story towcaw in to story h2t3qa, the opposite direction of what you requested gerikson. cnst observed story h2t3qa is the primary source with story towcaw responding to it. The stories were submitted so close in time (1-2 hours) to each other that I’m persuaded by the primary source claim.

      2. 2

        The opposite — the other article has a title that’s very one-sided and misleading, plus, this one is the original source.

    15. 0

      Firefox seems to either be moving really fast these days or simply not communicating well. Anyone know what that’s about? In the Firefox announcement, they say they’ve been working on / considering this for a year, but to me this seems to have come out of nowhere - especially when there was still a large debate around this topic.

      1. 2

        this has been discussed for a long time and even though DoH is a good thing in general, I’d only be OK with they transitioning all users to it if it was a big opt-in dialog.