DoH! Mozilla assures UK minister that DNS-over-HTTPS won't be default in Firefox for Britons

Firefox builder Mozilla has confirmed to UK Culture Secretary Nicky Morgan that Britons won't be getting DNS-over-HTTPS (DoH) by default once the feature is included in the next run of browser updates. In a letter to the Secretary of State for Digital, Culture, Media and Sport, Mozilla's global policy veep Alan Davidson said …

  1. elDog

    I'm sure the russkis or sinos or 'merkans have a nice browser alternative

    Firefox is not the only game in town.

    The soon-to-be ex-EU brits may now want to jump on some solution from other authoritarian-oriented gummints that have learned how to ingest DNS queries and spit out something more state-pleasing.

    Privacy is just fine. Just not for the lower classes.

  2. Blockchain commentard Silver badge

    Can you run DoH over VPNs so the DNS providers can't track you (easily)?

    1. Ben Tasker Silver badge

      Yes, it's basically just a https request.

      You can channel it out via Tor if you don't trust exits to do resolution too (though this might actually serve to weaken your privacy)

      1. Anonymous Coward

        People could post their queries in a national newspaper and have the responses printed in the next edition.

        1. adam 40 Bronze badge

          Do it over SMS

          You can do it over SMS - it's free and keeps the ISPs out of the picture, at least.

    2. jarfil

      You can run DoH over a VPN... or just plain old DNS over a VPN for a similar effect.

      In any case you need to trust someone, be it your ISP (*cough* don't *cough*), your VPN provider (hm, maybe), your DoH endpoint provider (hm), the website, and so on. If you want real privacy though, at some point you'll be better just using Tor, I2P or similar.

      1. NetBlackOps

        Or set up your own DNS system.

        1. Dazed and Confused

          If you set up your own DNS server then the requests between you and the root servers and the servers responsible for the domains you access will still be going over the wire in plain text, so the ISP/Government/SnooperCharterWhatEver will still be able to watch what's flowing over port 53.

          1. Nick Kew

            Needle, Haystack. Root servers in multiple jurisdictions. Your own DNS server's logs, on the other hand, will have all your data in one place if it gets seized.

            1. Kabukiwookie Silver badge

              Which DNS server logs?

              1. CAPS LOCK Silver badge

                "Which server logs"....

                ... "What server logs officer?"

              2. Anonymous Coward

                I've always thought /dev/null was the proper folder for the logs

                1. Tom Paine Silver badge

                  If you're responsible for the security of desktop users, you'll be wanting those logs: absolutely invaluable for after-the-event checks for other users who may have been compromised by the same bit of malware you just found. That being the case, why wouldn't you want the same for your home? (All things being equal, time & money permitting, etc)

            2. Dazed and Confused

              My point was that when you run your own DNS server it needs to resolve queries for which it is not authoritative. So the queries from your DNS server are just as exposed to surveillance as if you run a normal resolver. All the tricks the ISP or GreatFirewallOfYourLand might play on clients work just as well against your server.

              The only benefit would be in the caching, where the watchers would only see your query once per TTL rather than every time you refresh the web page.

              Normally when you configure your own name server you seed it with the IP addresses of the root name servers. Try pinging some of these and you might notice that some are damn suspicious; there ain't no way those packets are going beyond your ISP. This will of course vary with ISP, but I suspect all the big ones are playing games here. So while you might not be keeping request logs (bind doesn't by default) your ISP well might be, and they're able to see what you're doing without even needing to go to the trouble of snooping port 53.

              1. Sir Runcible Spoon Silver badge

                Business opportunity for sale (£0.00)

                There is a business opportunity here for someone who can be bothered.

                Set up a distributed, cloud based, DoH server system and charge £1/month for access. All the onward lookups will be munged together and just don't track who asked for what.

                1. P. Lee Silver badge

                  Re: Business opportunity for sale (£0.00)

                  You'll be competing with cloudflare and the free 1.1.1.1 mobile app.

                  VPNs are required for bypassing Australian isp censorship on Apple devices.

              2. hmv Bronze badge

                Not entirely.

                Send your DNS queries to an ISP's DNS server (or a DNS service provider's DNS server) and all your queries are in one place. Whilst queries are indeed in plain text (although read about QNAME minimisation), they're going all over the place.

                Yes if your ISP is intercepting udp/53 they can grab all your queries. Is there any evidence of this?

                And low ping times to the root nameservers isn't evidence of anything other than anycast working as intended.
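The exposure Dazed and Confused describes on the upstream side of a self-hosted recursive resolver, and the QNAME minimisation mitigation hmv points to, as an added example that is not part of the thread: a Python model of which query names each upstream server receives during one resolution. The delegation tree (.uk, co.uk, example.co.uk) is constructed for illustration, and the algorithm is simplified from RFC 7816 / RFC 9156; no packets are sent.

```python
"""
Which upstream servers see which names when you run your own recursive
resolver, with and without QNAME minimisation (RFC 7816 / RFC 9156).
Constructed delegation tree for illustration; no packets are sent.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed delegation tree: zone -> the child zones it delegates to.
# Names below a zone that fall in no delegated child are answered by that zone.
DELEGATIONS: Dict[str, Set[str]] = {
    "": {"uk"},                      # root delegates .uk
    "uk": {"co.uk"},
    "co.uk": {"example.co.uk"},      # hypothetical customer zone
    "example.co.uk": set(),
}


def _labels(name: str) -> List[str]:
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def _child_zone_for(zone: str, qname: str) -> Optional[str]:
    """Return the delegated child of `zone` that `qname` falls under, if any."""
    for child in DELEGATIONS.get(zone, set()):
        if qname == child or qname.endswith("." + child):
            return child
    return None


def resolution_trace(qname: str, minimise: bool) -> List[Tuple[str, str]]:
    """(zone_queried, qname_sent) for each upstream query, walking from the root.

    Non-minimised: the full name goes to every server on the path.
    Minimised: each server is asked only for one label more than the zone it
    serves (simplified from RFC 9156, which also caps the number of rounds).
    """
    labels = _labels(qname)
    full = ".".join(labels)
    zone = ""          # start at the root zone
    disclosed = 0      # trailing labels revealed so far (minimised mode)
    trace: List[Tuple[str, str]] = []
    while True:
        if minimise:
            disclosed = min(max(disclosed + 1, len(_labels(zone)) + 1), len(labels))
            sent = ".".join(labels[-disclosed:])
        else:
            sent = full
        trace.append((zone, sent))
        child = _child_zone_for(zone, sent)
        if child is not None:
            zone = child           # referral: follow the delegation downwards
            continue
        if sent == full:
            return trace           # this server is authoritative for the full name
        # Minimised and the server answered for a shorter name: add a label, same server.


def names_seen_by(zone: str, trace: List[Tuple[str, str]]) -> List[str]:
    """Every query name a given zone's servers received during one resolution."""
    return [sent for z, sent in trace if z == zone]


if __name__ == "__main__":
    name = "secret.www.example.co.uk"
    for mode in (False, True):
        print(f"minimise={mode}")
        for zone, sent in resolution_trace(name, mode):
            print(f"  {zone or '<root>':>16} <- {sent}")
```

Run it and the difference is plain: without minimisation the root and .uk servers both receive the full `secret.www.example.co.uk`; with it the root sees only `uk` and the full name reaches only the servers for example.co.uk. Either way the ISP carrying your port 53 traffic sees every one of those queries in clear, which is the caching-only benefit Dazed and Confused describes.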

                1. Dazed and Confused

                  > Yes if your ISP is intercepting udp/53 they can grab all your queries. Is there any evidence of this?

                  Doesn't the snooper charter require the larger ISPs to do this? They're required to log where you visit, so I'd always assumed that would mean they log your DNS requests.

                  > And low ping times to the root nameservers isn't evidence of anything other than anycast working as intended.

                  Yes, it shows that when you talk to some of the root name servers the anycast is directing you to a "root name server" at your ISP's site, which I presume they own and operate.

                  1. Anonymous Coward

                    I'm not disagreeing with you, but I've never seen evidence of this happening. Are you able to name names?

            3. hmv Bronze badge

              Don't turn query log on then. It isn't the default (it's quite big).

  3. Paul Crawford Silver badge

    Who to trust?

    Is the big question for me. I don't really trust my ISP or government to be honest, but I also distrust the likes of Google and Cloudflare far more because I know they are competent at stalking, tracking, and screwing over my privacy. Something I have slightly less worry about with my own local lot, even if they ultimately have more legal power over me.

    Currently I use a VPN that offers its own DNS, now I know that is simply pushing my trust to another organisation but at least it is one that has a lot to lose by being caught screwing over my privacy. Unlike practically every US company where the shares go up on the news they are screwing even more personal data out of their customers victims in order to push even more shit advertisement crap our way.

    1. Nick Kew

      Re: Who to trust?

      Trust?

      I have an issue with spiked DNS: anyone using it for censorship without my opting in[1]. I don't have an issue with privacy. I accept that a few people might, but I think for most of us it's a red herring. Maybe even a dead cat that distracts us from more important questions: the use by governments for censorship, such as the IWF in Blighty.

      [1] I do opt in for the purposes of my mailserver, by using spamhaus.

    2. big_D Silver badge

      Re: Who to trust?

      I use a local DNS server with DNSSec to Quad4 at the moment.

  4. Bendacious

    This doesn't just affect government snoops, it's also employers. My company uses Cisco Umbrella to protect me from gambling and porn and streaming video. When I enabled this in Firefox that 'protection' instantly disappeared. On the downside though, for obvious reasons, this kills internal DNS. Anyone working in support might want to prepare for a few tickets regarding intranet addresses being unreachable.

    1. Ben Tasker Silver badge

      > On the downside though, for obvious reasons, this kills internal DNS.

      Check your settings in about:config. It _should_ fall back to your OS configured DNS for queries that fail to resolve over DoH.

      It's trr.mode that decides it - you want it to be 2, not 3.

      I thought that was the default, but maybe not

      1. Bendacious

        trr.mode 2 is the default and also does not enable DoH in Firefox at the moment. At least that is my experience. If I leave it set to 2 (by just clicking to enable DoH in the normal settings) and then browse a bit and then check about:networking, all of the trr results are false. When set to 3 the results are all true and I can browse the pirate bay at home or at work. I'm not sure what trr.mode 2 is supposed to do but it doesn't do it for me.

      2. katrinab Silver badge

        My internal domains will resolve from outside, to the external gateway IP address rather than the internal address, which means it won't route properly if I access from inside the LAN.

      3. Anonymous Coward

        >>> Check your settings in about:config. It _should_ fall back to your OS configured DNS for queries that fail to resolve over DoH. <<<

        That can still break if the same host name (e.g. www.mycompany.co.uk) resolves to an internal site for internal users. Yucky, but I've seen it!

        Do the current DoH implementations allow you to specify "*.mydomain.co.uk" to not use DoH?
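Ben Tasker's point earlier in the thread that DoH is "basically just a https request", together with the internal-name fallback and "*.mydomain.co.uk" exclusion question in this sub-thread, as an added example that is not from the thread or from Mozilla's code: Python that builds an RFC 8484 GET request (wire-format DNS query, base64url in the `dns=` parameter, ID 0 as the RFC recommends for cacheability) and applies a Firefox-style exclusion list before deciding whether a name goes to the DoH resolver or the system resolver. Firefox's real prefs for this are network.trr.mode and network.trr.excluded-domains (a listed domain and its subdomains bypass DoH); the resolver URL doh.example.net, the function names and the routing logic here are assumptions for illustration.

```python
"""
RFC 8484 DNS-over-HTTPS GET construction plus a Firefox-style exclusion
list: names on the list never reach the DoH resolver. Constructed example;
nothing is sent on the wire.
"""
import base64
import struct
from typing import List, Optional, Tuple

DOH_URL = "https://doh.example.net/dns-query"   # assumed resolver URL


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query. ID 0 and RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, qtype: int = 1, url: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url with the '=' padding stripped."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{url}?dns={b64.decode('ascii')}"


def from_doh_get_url(url: str) -> bytes:
    """Inverse of doh_get_url: recover the wire message from the dns= parameter."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)            # restore padding before decoding
    return base64.urlsafe_b64decode(b64)


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers not expected in a question")
        labels.append(msg[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def parse_query(msg: bytes) -> Tuple[int, str, int]:
    """(id, qname, qtype) of a wire-format query: what the resolver operator sees."""
    ident, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return ident, qname, qtype


def is_excluded(name: str, excluded: List[str]) -> bool:
    """Exclusion semantics as in network.trr.excluded-domains: the domain and everything beneath it."""
    n = name.lower().rstrip(".")
    for d in excluded:
        d = d.lower().rstrip(".")
        if n == d or n.endswith("." + d):
            return True
    return False


def route(name: str, excluded: List[str]) -> Tuple[str, Optional[str]]:
    """('system', None) for excluded names, else ('doh', request URL). Assumed policy, not Firefox's code."""
    if is_excluded(name, excluded):
        return "system", None
    return "doh", doh_get_url(name)


if __name__ == "__main__":
    internal = ["mycompany.co.uk", "localhost", "local"]
    for host in ("www.theregister.co.uk", "intranet.mycompany.co.uk", "www.mycompany.co.uk"):
        print(host, "->", route(host, internal))
```

Note the split-horizon case raised above (www.mycompany.co.uk resolving to different addresses inside and outside) is exactly why an exclusion list beats relying on fallback: fallback only helps when the DoH lookup fails, not when it succeeds with the wrong answer.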

    2. Anonymous Coward

      > This doesn't just affect government snoops, it's also employers.

      It’s not even really about government, it’s about parental care, policing, protection of abused children, etc. The government is simply complaining on behalf of those interested in preserving the current capability against some pretty nasty stuff.

      As usual with the Internet those pushing a new technology aren’t necessarily doing so with users’ interests in mind. Google and Cloudflare no doubt will welcome the torrent of mineable data they’ll get if the whole world’s domain name lookups come through their systems. Mozilla are being particularly naive in assuming they know best.

    3. big_D Silver badge

      The biggest issue is that CloudFlare doesn't honour your DNS blacklists. I have around 2.5 million sites blocked (mainly tracking, gambling, porn etc.).

      1. Anonymous Coward

        It's not Cloudflare... it's Firefox that doesn't respect your HOSTS file

        (I tried FF's DoH but turned it back off when I noticed those damned e-cig ads I'd blocked popping up again as soon as I strayed anywhere near NSFW territory)

        1. P. Lee Silver badge

          I believe opnsense can add in a port53 to doh gateway if you want to do your LAN.

          I'd be curious to know if you could safely open it up to the internet. I might try it on a dmz. TCP stops client spoofing.

    4. P. Lee Silver badge

      I was evaluating Cisco Umbrella. It tries to break DoH, but that only works for known providers; it's IP/port blocking.

      Any security based on promoting broken, insecure protocols is not something I'd go for.

      Combined with nextgen tls which hides the sni and prevents mitm and there's a whole stack of broken corporate security systems.

  5. mark l 2 Silver badge

    If you are worried about privacy with all your DNS going to Cloudflare, Google or someone else you can roll your own DoH server; a low spec VPS should be enough for home users. There are a few tutorials on how to do it if you search online.

    1. alain williams Silver badge

      Own DNS server

      I have run my own DNS server at home for a couple of decades. Initially since it made for faster browsing - a local caching name server is much faster than having to push DNS over dial-up. Then I started to name internal machines, etc.

      Now: it helps my privacy.

      1. DougS Silver badge

        Re: Own DNS server

        Me too. I'll disable DoH when I upgrade to the Firefox that uses it. Not because I particularly distrust Cloudflare (they can't be anywhere near as bad as Google) but because it isn't going to be faster than running a caching server on my router that will serve 99% of my DNS requests more quickly than any external server.

        Privacy wise a caching server doesn't buy you much though. You still have to forward somewhere. I figured out the three fastest servers and divide my requests among them, so each would only see a third of the sites I visit. Though for maximum privacy you should send them all to your ISP - since they're going to know what sites you visit regardless trying to hide your DNS requests from them is kind of stupid.

        1. Anonymous Coward

          Re: Own DNS server

          "[...] since they're going to know what sites you visit regardless trying to hide your DNS requests from them is kind of stupid."

          IIRC The ISP will only know the IP addresses to which you connect for web traffic. With large server farms that may be just a common portal address - front-ending many different domain names. The name of the actual domain you want is buried inside the HTTPS data - which is then used to get you to the desired web host instance on a shared server.

          1. Azerty

            Re: Own DNS server

            Is someone still doing shared hosting?? Yes I know some sites no-one visits from the early 2000s, but aside from those everyone is doing containers or at least a VPS with its own internet address.

            1. Anonymous Coward

              Re: Own DNS server

              "shared hosting" is everywhere, due to shortage of IP4 addresses.

              I run about 50 small websites (some mine, mostly friends). They are either all set up on the same machine with a shared web server, or even if in a vps/jail/container, they are behind IP6-only or IP4 private addresses, with an ip6/ip4 nginx forward proxy sitting on the perimeter.

              No way am I paying for individual addresses.

              And this is common. Remember, loads of webhosting design companies host sites for multiple clients, and will use the same IP4 address.

              Indeed, the push towards SNI shows that multiple-servers-per-ip is here to stay... In the IP4 world, at least.

  6. Anonymous Coward

    Britons won't be getting DNS-over-HTTPS (DoH) by default

    well, they might not be getting it by default, but I AM, default or not.

  7. Yes Me Silver badge

    Shifting what where?

    > As we previously reported, DoH is all about shifting domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection.

    Not quite. It's about shifting domain-name queries from a DNS server that you or your ISP runs to one that some third party advertising site runs, incidentally encrypting the traffic. D'oh!, indeed.

    1. Mike 125

      Re: Shifting what where?

      >incidentally encrypting the traffic

      DoH is about en-route privacy and protection from MITM spoofing, intercepting etc. As many people are commenting, endpoint privacy is no different.

      >some third party advertising site runs

      But I take your point...

      1. Anonymous Coward

        Re: Shifting what where?

        Of course, the DNS server that the DoH uses is still open to spoofing and intercepting, albeit less personally targeted - my point is, hackers may still be able to cheat the results. Using DoH doesn't make the whole request tamper-proof unless DNSSEC is mandated.

        (I realise from your post that you know this - I'm just clarifying it for anyone who isn't sure)

  8. julian_n

    But its for your own good - to protect you from terrorists, drug smugglers, tax evaders and paedophiles.

    And the Scottish Food Standards Agency is at the forefront of such fights, hence why they can snoop on, oops - sorry that should be protect, you.

    1. alain williams Silver badge

      Parent up-voted

      Julian should really have added a sarcasm image; taken as a straight comment: yes you down-vote.

      For the short of memory the reference to the Scottish Food Standards Agency is about what IPA lets them do.

      1. Yet Another Anonymous coward Silver badge

        Re: Parent up-voted

        I always assumed the Scottish Food Standards Agency was a euphemism for some shadowy agency.

        I mean they can't really be responsible for the standards of Scottish Food

        1. Anonymous Coward

          Re: Parent up-voted

          "I mean they can't really be responsible for the standards of Scottish Food"

          A Scottish friend went to university in Glasgow. He said he developed scurvy on the typical student diet.

  9. big_D Silver badge

    Local DNS

    At work we have local DNS servers, at home I have a local DNS server. A lot of requests are for local addresses, last time I looked, CloudFlare wasn't registering the addresses on my private network for translation.

    Also, my local DNS server blocks around 2.5 million tracking domains. I'm guessing CloudFlare won't honour my blocklist either...

    If I'm out and about, DoH would be useful, but at home or in the office, the last thing I want is my browser ignoring my DNS settings...

  10. Roj Blake Silver badge

    Good For Catching Idiots Only

    The argument that it's turned off by default to protect us from paedorists and terrorphiles doesn't really hold much water when one considers that any half-competent ne'er-do-well will just turn it on.

    1. Yet Another Anonymous coward Silver badge

      Re: Good For Catching Idiots Only

      But there will be a checkbox saying "I'm not a terrorist, paedophile or remain voter" before you are allowed to turn it on.

  11. anonynon

    Pihole with cloudflared for upstream

    If you run your own pihole you can use cloudflared to enable DoH for upstream queries: https://docs.pi-hole.net/guides/dns-over-https/

    So you get adblocking, local DNS resolution (Firefox falls back to your local DNS anyway for those worrying) and all external DNS queries are using DOH.

    5 minute setup too.

    1. adam 40 Bronze badge

      Sounds great! I'll stick it up my

      PiHole...

  12. arctic_haze Silver badge

    Default off in the UK but on in the US

    So the solution seems as easy as downloading the en_US binary version (not to mention clicking one box in Options -> General -> Network Settings).

  13. gnarlymarley Bronze badge

    > Nonetheless, DoH is billed as helping stop third parties (ISPs, government agencies, police forces, any of the random handful of British state organs allowed by law to help themselves to your browsing history, etc) from viewing what you’re viewing – or, in the case of criminals looking to defraud you, hijacking your DNS requests.

    Except, there is at least one third party involved in DoH and that will be whomever owns the IP that firefox points their first lookup to. Somebody other than the webhoster will need to provide the ability to tie a name to an IP. This function is currently provided by ICANN and others via what is called root name servers.

    So, the real question should be, do we trust firefox or google as the "third party" that will track and sell our web browsing history?

  14. JCitizen

    I thought it was a joke...

    When I saw the acronym DoH in the article! - Doh!!

  15. skelly1967

    A question as you all seem to know about this. If the DNS look-up is secure to, say, somesite.com, the ISP won't know I queried for it. Great. Then my browser makes a connection to somesite.com's IP address... and the ISP is immediately aware of what IP I requested, as it has to route the request. Wouldn't they just reverse look-up the IP and deduce instantly that I was connecting to somesite.com? I struggle to understand why any government has a problem with DNS over HTTPS or similar when they can force the ISPs to record the IPs I visit and then reverse look up what sites they are? I imagine this is why avid users of somesite.com use VPNs and Tor. i.e. this entire thing is essentially fake news as at worst governments make minor changes to how they collect data and their real issue is with VPNs and Tor. Yes?

    1. Carpet Deal 'em Bronze badge

      It's not that simple: somesite.com is very likely to share its IP with anothersite.net and numerous others, with a server routing the requests based on the domain name in the packet. Encrypt the domain name and all anybody else sees is somesite.com's hosting provider (you may still be able to get something from the logs, but it's nowhere near as reliable).

  16. Lord of Fries

    Why not just use Simple DnsCrypt?

    Just look at the title. I've been using Simple DnsCrypt on my Windows boxes for a while so no one sniffs my port 53 traffic, all of it, not just browser related traffic.

    Simple DnsCrypt is just a Windows wrapper for dnscrypt-proxy, which can be used on Linux boxes.

    just saying, some problems have simple solutions :-)

    I'll get my coat now.
