1. 25
  1.  

  2. 24

    As far as I can tell, at no point has it been suggested that Firefox’s plans for the future involve moving everything to Cloudflare. AIUI Cloudflare was the testbed, nothing more, and Mozilla has explicitly stated that they’re going to look into having a choice of providers.

    (I’m a bit annoyed by the amount of FUD on this coming from the PowerDNS folks, there’s been a bunch on Twitter too)

    1. 2

      I remember reading the blog posts when this was announced and I felt it really wasn’t clear. Maybe I should go read it again.

      I’m still a little concerned. Will there be a big list in Firefox of name servers, similar to SSL roots? Do the browser vendors then get to decide the list of authorized DNS providers?

      I wonder how viable it would be to add a layer of DNS-over-HTTP root servers? Companies who are serious about privacy could contribute to ICANN to see this happen.

    2. 10

      Finally, Mozilla should survey its users to find out their attitudes towards moving DNS from their current service provider to Cloudflare. To do so, those users must first be well informed about what such a move would mean. Based on the survey results, an honest consent page can be generated that makes sure users know what they are agreeing to.

      Well put!

      The title is a bit misleading though. The most recent blog post actually says the networking team will look for different settings per region.

      1. 6
        1. They want to move DNS to Cloudflare. I’m sure there’s still hot debates happening on mailing lists. This also means the plan isn’t final.
        2. They want to change the default behavior. People who care can opt out. I’d say the majority of their users (non tech savvy) don’t even know what DNS is and would benefit from using Cloudflare over their ISP for DNS (Comcast, ATT, Verizon come to mind – I’d trust Cloudflare over them any day).

        Maybe there have been too many click-baity articles published already saying Firefox is going to be shoving this down our throats. I see this largely as a net gain, if it happens to pass. But that said, there’s no reason to be outraged. If you’re upset, it means you care. And if you care, you can opt out. Easy.

        1. 2

          You’re still replying from an overly US-centric view though.

          (disclaimer: I’m a PowerDNS employee)

          1. 1

            It’s a pretty common issue. Even outside the US.

            (disclaimer: I’m European)

        2. 4

          So there are large parts of this article that I can agree with - I’m all for avoiding a less centralized internet.

          But like, isn’t PowerDNS incentivized to publish this kinda FUD? I think things become a bit more clear looking at this mail to their users, directed at ISPs: https://mailman.powerdns.com/pipermail/pdns-users/2018-August/025500.html. Their customers include ISPs, the entities that’d be hurt by such a move. Even though I agree on many points, I’m not sure I’d trust a company so fiscally motivated to spread doubt about this change, especially given some of the points others have brought up.

          1. 4

            It’s a bit of a tough choice. With the current state of things, most users would see a massive improvement from switching from ISP DNS servers that admit to collecting and selling your data to Cloudflare, who has agreed to protect privacy.

            In the end, you have to trust someone for your DNS. Mozilla could probably host it themselves but they also don’t have the widespread server locations that a CDN company has.

            1. 5

              While I agree that you need to trust someone with your DNS, it shouldn’t be a specific app making that choice for you. A household or even a user with multiple devices benefits from their router caching DNS results for multiple devices; every app on every device doing this independently is foolish. If Mozilla wants to help users then they can run an informational campaign; setting a precedent for apps each using their own DNS and circumventing what users have set for themselves is the worst solution.

              1. 1

                It isn’t ideal that Firefox is doing DNS in-app but it’s the most realistic solution. They could try and get Microsoft, Apple and all Linux distros to change to DNS over HTTPS and maybe in 5 years we might all have it, or they could just do it themselves and we all have it in a few months. Once Firefox has started proving it works really well then OS vendors will start adding it and Firefox can remove their own version, or distros will patch it to use the system DoH.

                1. 6

                  They could try and get microsoft, apple and all linux distros to change to DNS over HTTPS

                  I don’t WANT DNS over HTTPS. I especially don’t want DNS over HTTP/2.0. There’s a lot of value in having protocols that are easy to implement, debug, and understand at a low level, and none of those families of protocols are that.

                  Add TLS, maybe – it’s also a horrendous mess, but since DNSCurve seems to be dead, it may get enough traction. Cloudflare, if they really want, can do protocol sniffing on port 443. But please, let’s not make the house-of-cards protocol stack that is the internet even more complex.

                  1. 8

                    DNS is “easy to implement, debug, and understand”? That’s news to me.

                    1. 5

                      It’s for sure easier than when tunneled over HTTP2 > SSL > TCP, because that’s how DoH works. The payload of the data being transmitted over HTTP is actual binary DNS packets, so all this does is add complexity overhead.

                      I’m not a big fan of DoH because of that and also because this means that by default intranet and development sites won’t be available any more to users and developers, invalidating an age-old concept of having private DNS.

                      So either you now need to deploy customized browser packages, or tweak browsers’ configs via group policy or equivalent functionality (if available), or expose your intranet names to public DNS, which is a security downgrade from the status quo.

                      1. 3

                        It is when you have a decent library to encode/decode DNS packets and UDP is nearly trivial to deal with compared to TCP (much less TLS).

                      2. 0

                        Stacking protocols makes things simpler. Instead of having to understand a massive protocol that sits on its own, you now only have to understand the layer that you are interested in. I haven’t looked into DNS but I can’t imagine it’s too simple. It’s incredibly trivial for me to experiment and develop with applications running on top of HTTP because all of the tools already exist for it and aren’t specific to DoH. You can also share software and libraries so you only need one HTTP library for a lot of protocols instead of them all managing sending data over TCP.

                        1. 6

                          But the thing transmitted over HTTP is binary DNS packets. So when debugging you still need to know how DNS packets are built, but you now also have to deal with HTTP on top. Your HTTP libraries only give you a view into the HTTP part of the protocol stack but not into the DNS part, so when you need to debug that, you’re back to square one but also need your HTTP libraries.

                          1. 6

                            And don’t forget that HTTP/2 is basically a binary version of HTTP, so now you have to do two translation steps! Also, because DoH is basically just the original DNS encoding, it only adds complexity. For instance, the spec itself points out that you have two levels of error handling: One of HTTP errors (let’s say a 502 because the server is overloaded) and one of DNS errors.

                            It makes more sense to just encode DNS over TLS (without the unnecessary HTTP/2 stuff), or to completely ditch the regular DNS spec and use a different wire format based on JSON or XML over HTTP.

                            1. 4

                              And don’t forget that HTTP/2 is basically a binary version of HTTP

                              If only it was that simple. There’s server push, multi-streaming, flow control, and a huge amount of other stuff on top of HTTP/2, which gives it a relatively huge attack surface compared to just using (potentially encrypted) UDP packets.

                              1. 3

                                Yeah, I forgot about all that extra stuff. It’s there (and thus can be exploited), even if it’s not strictly needed for DoH (I really like that acronym for this, BTW :P)
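The point made above, that DoH carries binary DNS packets inside HTTP so a client has to handle HTTP-level and DNS-level errors separately, as an added example that is not code from the thread: it builds an RFC 1035 wire-format query, wraps it as the POST a DoH client would send, and classifies a reply at both levels. The reply bytes are constructed for the example, not captured traffic.

```python
# Added example: DoH = RFC 1035 wire-format DNS messages carried as HTTP bodies (RFC 8484).
import struct

DNS_RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """12-byte header + QNAME labels + QTYPE/QCLASS. RFC 8484 recommends ID 0 so
    identical queries produce identical bodies and are cache-friendly over HTTP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_post_request(query: bytes) -> dict:
    """What a DoH client puts on the wire above TLS: the HTTP part of the stack."""
    return {"method": "POST", "path": "/dns-query",
            "headers": {"content-type": "application/dns-message",
                        "accept": "application/dns-message",
                        "content-length": str(len(query))},
            "body": query}

def parse_header(msg: bytes) -> dict:
    """The DNS part of the stack: the HTTP library never looks inside this."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF, "ancount": an}

def classify_reply(status: int, content_type: str, body: bytes, sent: bytes) -> tuple:
    """Two independent error levels: first the HTTP layer, then the DNS message inside."""
    if status != 200:
        return ("http_error", status)          # e.g. 502 from an overloaded server
    if content_type != "application/dns-message":
        return ("http_error", "unexpected content-type")
    hdr = parse_header(body)
    if hdr["qr"] != 1 or hdr["id"] != parse_header(sent)["id"]:
        return ("dns_error", "reply does not match query")
    if hdr["rcode"] != 0:
        return ("dns_error", DNS_RCODES.get(hdr["rcode"], str(hdr["rcode"])))
    return ("ok", hdr["ancount"])

# Constructed sample reply (not captured): QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), question echoed
QUERY = build_query("example.invalid", qtype=1, qid=0)
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(doh_post_request(QUERY)["headers"])
    print(classify_reply(502, "text/html", b"<h1>Bad Gateway</h1>", QUERY))
    print(classify_reply(200, "application/dns-message", NXDOMAIN_REPLY, QUERY))
```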

                    2. 1

                      it shouldn’t be a specific app making that choice for you

                      I think there is a disconnect here between what security researchers know to be true vs what most people / IT professionals think is true.

                      Security, in this case privacy and data integrity, is best handled with the awareness of the application, not by trying to make it part of the network or infrastructure levels. That mostly doesn’t work.

                      You can’t get any reasonable security guarantees from the vast majority of local network equipment / CPE. To provide any kind of privacy the application is the right security barrier, not your local network or ISP.

                      1. 3

                        I agree that sensible defaults will increase security for the majority of users, and there is something to be said for one’s browser being the single most DNS-hungry app for that same majority.

                        If it’s an option that one can simply override (which appears to be the case), then why not. It will improve things for lots of people, and those who choose to have the same type of security (dnscrypt/dnssec/future DNS improvements) on their host or router can do so.

                        But I can’t help thinking it’s a bit of a duct tape solution to bigger issues with DNS overall as a technology and the privacy concerns that it represents.

                  2. 3

                    Talking monocultures, most of us in the U.S. have 1-3 ISPs available that are all willing to profile, sell, and/or manipulate our data. One was just in the news for throttling firefighters’ communications not long ago. Moving services from any of them to Cloudflare might pose hypothetical risks but will reduce some real ones. Just like with HTTPS. I’d take Cloudflare over the others any day.

                    Of course, one of my old project ideas for Mozilla was to develop their own CDN. They could use it to accelerate Firefox in key areas, esp. on mobile. Opera did that. Focus on quality of service more than costs. As use went up, they’d have more money for servers in more places. Eventually, they might not need Cloudflare. This same division might also have VPSs and dedicated servers that meet the needs of Mozilla and other FOSS projects. No-nonsense offerings.

                    1. 1

                      Talking monocultures, most of us in the U.S. have 1-3 ISPs available that are all willing to profile, sell, and/or manipulate our data. One was just in the news for throttling firefighters’ communications not long ago. Moving services from any of them to Cloudflare might pose hypothetical risks but will reduce some real ones. Just like with HTTPS. I’d take Cloudflare over the others any day.

                      I understand and agree with that bit, but how much of the technical design of the building blocks of the web as we know it should we base on the market landscape of one particular country at one particular point in time? I may be in the wrong here, but I can’t help but see this as a matter of setting precedence.

                      1. 1

                        Remember my comment said I prefer for them to roll their own some way, even if in shared datacenters. It could become a point of trust on top of increasing performance or reducing costs of stuff. They’re not doing that. They want to go with a third-party provider. Cloudflare is the best right now even though there’s a good chance they’ll become evil later on. The alternatives in my country and a lot of countries are evil. You will also probably be able to change the DNS settings on whatever they deploy to use a different provider.

                        I don’t like the move. It will do more good than harm for something like several hundred million people.

                    2. 2

                      As long as the fundamental authoritative protocol remains the same, I don’t really see the problem with connecting to your resolver over HTTPS. Is Cloudflare baked in at the protocol level or just the only current large company with lots of servers willing to back this?

                      1. 7

                        DNS over HTTPS is an IETF draft and Cloudflare is, of course, not baked in.

                        1. 3

                          It’s not even the only company with a public DoH service; Google has one too.