Firefox turns on DNS encryption

Originally published at: https://boingboing.net/2020/02/25/firefox-turns-on-dns-encryptio.html

…

This limits one method of collecting data about what people do online

No. This limits the corporations collecting data about what people do online to excactly one: Clowdflare who will now be able to track all you are doing.
Everybody’s browsing history collected in one single place. Great idea. What could possibly go wrong?

Yeah, I was wondering the same. So instead of your data being siphoned by multiple actors it’s all funneling into one place. The Wired piece acknowledging this fact but, does not make me feel like this actually solves anything. Bad actors will find a way.

From the explainer that’s linked in the blog post (but not in the excerpt here):

Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected.

Well, if it’s okay with “The Hawk”…

There are workarounds. My router forwards all traditional DNS queries and round-robins DNS-over-TLS between google, cloudflare, quad9. So everything at home uses DoT.

DNS-over-TLS/DNS-over-HTTPS is great but until everyone supports it, you’ll have to use one of the few servers that do, and they’ll see your activity. Of course, once you have support down to the ISP level, don’t be surprised if 8.8.8.8, 1.1.1.1, and 9.9.9.9 become inaccessible, forcing you back to ISP-monitored servers.

My workplace keeps turning DoH (and “always use private browsing”, and a whole bunch of other stuff) off every time they update Firefox. I’ve saved my settings as a user.js and when they reset it, I just drop that in my profile dir and everything is back on.

On a related note, I’ve discovered they block Cloudflare’s 1.1.1.1, but they can’t block Google DNS at 8.8.8.8 because things unexpectedly break if they do. Seems a lot of stuff is hard-coded to check 8.8.8.8 to determine if it is online.

I feel tempted to bet on when they’ll present some weasle-worded statement declaring that they’ll sell “certain, anonymized or partially anonymized” data to “our partners”. My guess is three months max. I also remind you that certain agencies will simply take the data they want and prohibit everyone involved to tell a word about it.

It’s Cloudflare. One of the biggest site availability and CDN providers around. If they really wanted to perform mass-surveillance of not only what domains are being resolved, but what HTTPS-protected content is being served from them, they’re already in the perfect place to do it. They don’t need to snoop their DNS server when they are serving the actual websites.

From what I’ve observed over the past years, Cloudflare thus far has been one of the handful of responsible actors in the Internet infrastructure space. They seem to understand that the company’s current business model can be profitable and continue to grow without partnering with third-party companies in the way the advertising/engagement model companies have.

Whether or not they continue on that course is not guaranteed, especially since they’ve now gone public. It would be nice to see other players offering DNS encryption.

No guarantees, of course. But Cloudflare seems to want to position themselves as a privacy-friendly provider, and as CoyoteDen points out, they’re already huge. I’d like to think they want to keep what good will they have in that arena.

And while the vast majority of users won’t change defaults, it is an option to use a custom DoT DNS over HTTPS provider.

Edit: Apparently DNS over HTTPS and DNS over TLS are not the same.

Why do they need to keep it for more than a few seconds? Why log it at all?

The only thing “personally identifiable” about a DoH query would be client IP and the actual query, same as cleartext DNS. Being an anti-DDoS service, I’d imagine cloudflare wants to know if someone is either trying to DDoS them, or use their DNS as part of a DDoS.

Logs are important in the short term for system management and troubleshooting. When things go sideways, a network/system admin needs to be able to see what happened in the immediate past.

I am well aware who Clowdflare are and I definitively don’t trust them. And why should I use a custom DNS over HTTPS provider when I already can chose from truckloads of DNS(S) providers - or simply run my own DNS.

It’s Cloudflare. One of the biggest site availability and CDN providers around.

Exactly. That’s the problem. They don’t want to do mass-surveillance, they already do - or why do you think anyone would provide CDN services for free?

They don’t do CDN entirely for free, at least as far as the video and audio streaming product goes. The original CDN for lightweight stuff like pages and images doesn’t cost them any significant amount to provide, and came about mainly as a side benefit and supportive element of the anti-DDOS and performance- and availability enhancement services that are currently their main sources of revenue.

Again, that doesn’t mean they’ll never do mass surveillance (although the NSA can probably grab it anyhow) or that they’ll never sell data to third parties, but for the moment their business model allows them to do without both.

You mean this cloudflare?

CDNs base their business on a BGP hack called anycast that allows them centralized control of spoofing IP addresses to be geographically closer for less latency.

Is it truly more secure to put all your eggs in one basket and hand them complete control over all DNS resolution as well?

I do mean that Cloudflare. I agree with Tor’s assessment that that 94% figure is based on the flawed methodology they describe, and that some allowance has to be made by Cloudflare for the many Tor IP addresses that aren’t used by spammers and black-hats. The only way that’s going to happen if Cloudflare’s customers start complaining to them that they’re losing traffic from legitimate Tor users trying to visit their sites.

As noted very clearly above, I’d also like to see other vendors offering encrypted DNS resolution. It looks like Google/Alphabet is poised to get in on that action, for its own reasons.