Firefox turns on DNS encryption

I guess I can see keeping logs when you first start a service, or turn it on when things start going sideways, but once things work and seem to keep working, if privacy is paramount, they should turn them off.

The analysis is a dynamic and (log-)rolling process, due to changing conditions. Keeping logs for 12 or 24 hours is standard practice even in privacy-sensitive situations.

4 Likes

Normally I’d say this is good. But it bypasses Pi-Hole.

That is a valid tradeoff, but things that have been working for years sometimes fail. Having logs at the time of failure that span the transition from “working” to “not working” can help you do a root cause failure analysis, and even if you aren’t looking for a root cause they are frequently useful in just finding out how to fix it Right Now. If you don’t need to see that transition to diagnose things enough to fix them you still likely need to see some logs to figure out the current state, so to get a mere 10 minutes of context having no logs needs a 10 minute delay.

I think 24 hours is already a decent tradeoff.

…but very much because it is a tradeoff there are valid arguments to pick other numbers (an hour, 48 hours, 10 minutes…).

Plus if some governmental force decides to make them start turning over logs I expect the same force might be able to mandate that they start keeping logs even if they hadn’t been doing so before.

5 Likes

As long as Jen keeps being very careful with the internet in the picture we are ok

1 Like

I’m sticking with UUCP bang paths.

5 Likes

Um what?

Select either Cloudflare (Firefox’s default provider) or Custom, which lets you use another provider like Quad9 or Google Public DNS.

It’s an open standard, go run your own!

https://tools.ietf.org/html/rfc8484

5 Likes

We keep logs for 72 hours for Boing Boing for diagnostic purposes, and that’s it. Without those we would have never figured out how we were hacked a few weeks back, so I can confirm they are vital if you run any sort of service that could potentially be a target, and that 72 hours is a useful retention period.

9 Likes

I didn’t even read the post, I just love the choice of illustration photo :joy:

6 Likes

This seems to be the best option outside manually turning it off on every instance. Further research required.

https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson

1 Like
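A concrete form of what the linked support page describes, as an added example rather than anything quoted from the thread or from Mozilla’s page: a `policies.json` that disables DoH in Firefox and locks the setting so users cannot re-enable it from the preferences UI. The file goes in the `distribution` directory of the Firefox installation; the `DNSOverHTTPS` policy also accepts `ProviderURL` if the goal is to force your own resolver rather than turn DoH off.

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
```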

Yeah, I need to switch to Firefox. I just need to move all of my favorites. And I’m lazy.

If anyone needs any proof that DoH is bullsh*t, take it from one of the experts on DNS:


The talk is a little lengthy and technical, but the slide at about 33 min summarizes the main problems with DoH very nicely.

4 Likes

There’s no reason you couldn’t have your local network continue to use standard DNS to resolve via your pi-hole, then have the pi use DoH to resolve addresses. That way you’d keep all the benefits of pi-holing the scammy sites, while externally hiding all lookups from your network

1 Like

If you hand your traffic over to CF you don’t even get data for logging anymore. They’ll “do it for you” and maybe let you peek if you ask (and pay). If the consolidation of server logs is not mass surveillance, what else is? Now guess why Google and FB are already standing in line to “help” with DNS over HTTPS.
The whole thing might be some sort of improvement if you’re in the US - it might, but actually you are just gaining a way to choose who’s going to spy on you. Everywhere else, where it is illegal for ISPs to sell their subscribers’ DNS data, it is a massive privacy leak.

2 Likes

That’s what I do. Pi-hole is using DoH and DNSSEC. Because of the “smartTV”, I’m averaging over 41% of queries blocked. It’s closer to 20-30% for other systems. But not all devices stay on this network.

Laptops and phones benefit from browser DoH when outside the home. But browser DoH will bypass the Pi-Hole when at home. Turning it on and off gets tedious.

1 Like
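One way around the on/off tedium described above, as an added note and config fragment that is not from the thread: Firefox checks a canary name, `use-application-dns.net`, before enabling DoH by default, and if the network’s resolver answers NXDOMAIN it stays on plain DNS for that network, so laptops and phones use the Pi-hole at home and fall back to browser DoH elsewhere. The check only applies to DoH that Firefox turned on by itself, not to DoH the user enabled explicitly. Recent Pi-hole releases answer this canary on their own; for any dnsmasq-based resolver the generic way is a drop-in file like the one below (the file path is an assumption).

```conf
# /etc/dnsmasq.d/99-doh-canary.conf (path is an assumption)
# Never forward the Firefox DoH canary upstream; dnsmasq answers NXDOMAIN
# for it, which tells Firefox on this network not to enable DoH by default.
server=/use-application-dns.net/
```

After restarting the resolver, `dig @<pi-hole address> use-application-dns.net` should return `status: NXDOMAIN`; if it returns an address, the record is still being forwarded upstream.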

Does this help? From the Mozilla support page:
In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users’ queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

3 Likes

I don’t get the hate. So you’re OK with Google collecting it, because they run 8.8.8.8 anyway, and you don’t worry about them cross referencing your DNS lookups with everything else about your web-browsing via google-analytics? How about AT&T, who watches it as it passes through their network to Google’s servers? What about AT&T’s secret backbone network rooms, operated by your favorite TLA? Or how about Comcast/Verizon/CenturyLink/etc. who provide ISP services to your favorite coffee shop, and would never replace a “DNS name not found” response with the address of an ad-laden server delivering a “gee, sorry, we couldn’t resolve voingvoing.net, but click here for some fine links to our sponsors” page? What about the coffee shop’s router/firewall, where they’ve checked the boxes for “malware detection” and “parental supervision”, sending duplicates of all your DNS requests to Trend Micro and/or some net-nanny company? For that matter, what about the coffee shop owner, who’s enough of a nerd to run a bro sensor just to creep on his clients? And that’s all assuming you’ve connected to the actual coffee shop’s WiFi, and you aren’t being proxied by some WiFi Pineapple hidden in some hacker’s backpack. Regardless, I’ve got good news for you because right now all of them sniff your DNS requests. That’s right, that evil Cloudflare won’t get to consolidate all of your requests, no sir. Nothing could possibly go wrong when your secrets are safely spread across a dozen hands.

The cure may not seem like the best idea today, but any fix must start with replacing the old, insecure protocols. Until hardened DNS requests become ubiquitous, your browsing habits are on display to a wide variety of people who have no business watching your business.

Even if you don’t trust them today, Cloudflare won’t remain the only DoH provider for long. And once a GDPR compliant service exists, you can hook to them, if you don’t trust any US providers (which is why everyone is longing for a German DoH resolver.)

4 Likes

Thanks for that.
Went in knowing the bare minimum about DNS, left knowing “fuck DoH” haha.

Exactly.

I trust my ISP DNS services slightly more than Cloudflare’s offering.

A bad move on Firefox’s side, though one that maybe, just maaaaybe, wakes up people to one of the biggest flaws of the current www system.

edit:
Though it might be preferable on mobile, which often uses the almighty Google for everything (8.8.8.8).

I have been running public and private DNS, SMTP, NTP and whatnot servers for 15 years. Thank you. And please keep your “Um what”s to yourself. Not everyone’s living under a rock.