Firebox builder Mozilla has confirmed to UK Culture Secretary Nicky Morgan that Britons won't be getting DNS-over-HTTPS (DoH) by default once the feature is included in the next run of browser updates. In a letter to the Secretary of State for Digital, Culture, Media and Sport, Mozilla's global policy veep Alan Davidson said …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Tuesday 24th September 2019 19:06 GMT elDog

I'm sure the russkis or sinos or 'merkans have a nice browser alternative

Firefox is not the only game in town.

The soon-to-be ex-EU brits may now want to jump on some solution from other authoritarian-oriented gummints that have learned how to ingest DNS queries and spit out something more state-pleasing.

Privacy is just fine. Just not for the lower classes.

9 11 Reply
Tuesday 24th September 2019 19:13 GMT Blockchain commentard

Can you run DoH over VPN's so the DNS providers can't track you (easily)?

6 0 Reply
1. Tuesday 24th September 2019 19:22 GMT Ben Tasker
  
  Yes, it's basically just a https request.
  
  You can channel it out via Tor if you don't trust exits to do resolution too (though this might actually serve to weaken your privacy)
  
  3 1 Reply
  1. Thursday 26th September 2019 12:25 GMT Anonymous Coward
    
    People could post their queries in a national newspaper and have the responses printed in the next edition.
    
    7 0 Reply
    1. Thursday 26th September 2019 13:45 GMT adam 40
      
      Do it over SMS
      
      You can do it over SMS - it's free and keeps the ISP's out of the picture, at least.
      
      2 0 Reply
2. Tuesday 24th September 2019 19:40 GMT jarfil
  
  You can run DoH over a VPN... or just plain old DNS over a VPN for a similar effect.
  
  In any case you need to trust someone, be it your ISP (*cough* don't *cough*), your VPN provider (hm, maybe), your DoH endpoint provider (hm), the website, and so on. If you want real privacy though, at some point you'll be better just using Tor, I2P or similar.
  
  4 1 Reply
  1. Tuesday 24th September 2019 20:51 GMT NetBlackOps
    
    Or set up for own DNS system.
    
    9 5 Reply
    1. Tuesday 24th September 2019 23:08 GMT Dazed and Confused
      
      If you setup your own DNS server then the requests between you and the root servers and the servers responsible for the domains you access will still be going over the wire in plain text so the ISP/Government/SnooperCharterWhatEver will still be able to watch what's flowing over port 53.
      
      8 0 Reply
      1. Wednesday 25th September 2019 04:36 GMT Nick Kew
        
        Needle, Haystack. Root servers in multiple jurisdictions. Your own DNS server's logs, on the other hand, will have all your data in one place if it gets seized.
        
        1 0 Reply
        
        Wednesday 25th September 2019 06:57 GMT Kabukiwookie
        
        Which DNS server logs?
        
        9 0 Reply
        
        Wednesday 25th September 2019 09:36 GMT CAPS LOCK
        
        "Which server logs"....
        
        ... "What server logs officer?"
        
        2 0 Reply
        
        Wednesday 25th September 2019 10:10 GMT Anonymous Coward
        
        I've always thought /dev/null was the proper folder for the logs
        
        12 0 Reply
        
        Wednesday 25th September 2019 10:23 GMT Tom Paine
        
        If you're responsible for the security of desktop users, you'll be wanting those logs: absolutely invaluable for after-the-event checks for other users who may have been compromised by the same bit of malware you just found. That being the case, why wouldn't you want the same for your home? (All things being equal, time & money permitting, etc)
        
        2 0 Reply
        
        Wednesday 25th September 2019 09:01 GMT Dazed and Confused
        
        My point was that when you run your own DNS server it needs to resolve queries for which it is not authoritative. So the queries from your DNS server are just as exposed to surveillance as if you run a normal resolver. All the tricks the ISP or GreatFirewallOfYourLand might play on clients works just as well against your server.
        
        The only benefit would be in the caching, where the watchers would only see your query once per TTL rather than every time you refresh the web page.
        
        Normally when you configure your own name server you seed it with the IP addresses of the root name servers. Try pinging some these and you might notice that some are damn suspicious, there ain't no way those packets are going beyond your ISP, this will of course vary with ISP, but I suspect all the big ones are playing games here. So while you might not being keeping request logs (bind doesn't by default) your ISP well might be and they're able to see what you're doing without even needing to go to the trouble of snooping port 53.
        
        5 0 Reply
        
        Wednesday 25th September 2019 10:13 GMT Sir Runcible Spoon
        
        Business opportunity for sale (£0.00)
        
        There is a business opportunity here for someone who can be bothered.
        
        Set up a distributed, cloud based, DoH server system and charge £1/month for access. All the onward lookups will be munged together and just don't track who asked for what.
        
        2 0 Reply
        
        Thursday 26th September 2019 09:48 GMT P. Lee
        
        Re: Business opportunity for sale (£0.00)
        
        You'll be competing with cloudflare and the free 1.1.1.1 mobile app.
        
        VPNs are required for bypassing Australian isp censorship on Apple devices.
        
        1 0 Reply
        
        Wednesday 25th September 2019 12:10 GMT hmv
        
        Not entirely.
        
        Send your DNS queries to an ISP's DNS server (or a DNS service provider's DNS server) and all your queries are in one place. Whilst queries are indeed in plain text (although read about QNAME minimisation), they're going all over the place.
        
        Yes if your ISP is intercepting udp/53 they can grab all your queries. Is there any evidence of this?
        
        And low ping times to the root nameservers isn't evidence of anything other than anycast working as intended.
        
        2 0 Reply
        
        Wednesday 25th September 2019 23:02 GMT Dazed and Confused
        
        > Yes if your ISP is intercepting udp/53 they can grab all your queries. Is there any evidence of this?
        
        Doesn't the snooper charter require the larger ISP to do this? They're required to log where you visit, so I'd always assumed that would mean they log your DNS requests.
        
        > And low ping times to the root nameservers isn't evidence of anything other than anycast working as intended.
        
        Yes, it shows that when you talk to some of the root name servers the anycast is directing you to a "root name server" at your ISP's site, which I presume they own and operate.
        
        2 0 Reply
        
        Thursday 26th September 2019 15:42 GMT Anonymous Coward
        
        I'm not disagreeing with you, but I've never seen evidence of this happening. Are you able to name names?
        
        1 0 Reply
        
        Wednesday 25th September 2019 12:05 GMT hmv
        
        Don't turn query log on then. It isn't the default (it's quite big).
        
        1 0 Reply
Tuesday 24th September 2019 19:41 GMT Paul Crawford

Who to trust?

Is the big question for me. I don't really trust my ISP or government to be honest, but I also distrust the likes of Google and cloudfair far more because I know they are competent at stalking, tracking, and screwing over my privacy. Something I have slightly less worry about with my own local lot, even if they ultimately have more legal power over me.

Currently I use a VPN that offers its own DNS, now I know that is simply pushing my trust to another organisation but at least it is one that has a lot to lose by being caught screwing over my privacy. Unlike practically every US company where the shares go up on the news they are screwing even more personal data out of their ~~customers~~ victims in order to push even more shit advertisement crap our way.

22 3 Reply
1. Wednesday 25th September 2019 04:44 GMT Nick Kew
  
  Re: Who to trust?
  
  Trust?
  
  I have an issue with spiked DNS: anyone using it for censorship without my opting in[1]. I don't have an issue with privacy. I accept that a few people might, but I think for most of us it's a red herring. Maybe even a dead cat that distracts us from more important questions: the use by governments for censorship, such as the IWF in Blighty.
  
  [1] I do opt in for the purposes of my mailserver, by using spamhaus.
  
  2 1 Reply
2. Wednesday 25th September 2019 06:55 GMT big_D
  
  Re: Who to trust?
  
  I use a local DNS server with DNSSec to Quad4 at the moment.
  
  2 0 Reply
Tuesday 24th September 2019 21:06 GMT Bendacious

This doesn't just affect government snoops, it's also employers. My company uses Cisco Umbrella to protect me from gambling and porn and streaming video. When I enabled this in Firefox that 'protection' instantly disappeared. On the downside though, for obvious reasons, this kills internal DNS. Anyone working in support might want to prepare for a few tickets regarding intranet addresses being unreachable.

8 0 Reply
1. Tuesday 24th September 2019 21:12 GMT Ben Tasker
  
  > On the downside though, for obvious reasons, this kills internal DNS.
  
  Check your settings in about:config. It _should_ fall back to your OS configured DNS for queries that fail to resolve over DoH.
  
  It's trr.mode that decides it - you want it to be 2, not 3.
  
  I thought that was the default, but maybe not
  
  5 0 Reply
  1. Tuesday 24th September 2019 22:07 GMT Bendacious
    
    trr.mode 2 is the default and also does not enable DoH in Firefox at the moment. At least that is my experience. If I leave it set it to 2 (by just clicking to enable DoH in the normal settings) and then browse a bit and then check about:networking, all of the trr results are false. When set to 3 the results are all true and I can browse the pirate bay at home or at work. I'm not sure what trr.mode 2 is supposed to do but it doesn't do it for me.
    
    1 0 Reply
  2. Wednesday 25th September 2019 16:25 GMT katrinab
    
    My internal domains will resolve from outside, to the external gateway IP address rather than the internal address, which means it won't route properly if I access from inside the LAN.
    
    1 0 Reply
  3. Thursday 26th September 2019 15:45 GMT Anonymous Coward
    
    >>> Check your settings in about:config. It _should_ fall back to your OS configured DNS for queries that fail to resolve over DoH. <<<
    
    That can still break if the same host name (e.g. www.mycompany.co.uk) resolves to an internal site for internal users. Yucky, but I've seen it!
    
    Do the current DoH implementations allow you to specify "*.mydomain.co.uk" to not use DoH?
    
    1 0 Reply
2. Wednesday 25th September 2019 06:27 GMT Anonymous Coward
  
  This doesn't just affect government snoops, it's also employers.
  
  It’s not even really about government, it’s about parental care, policing, protection of abused children, etc. The government is simply complaining on behalf of those interested in preserving the current capability against some pretty nasty stuff.
  
  As usual with the Internet those pushing a new technology aren’t necessarily doing so with users’ interests in mind. Google and Cloudfare no doubt will welcome the torrent of mineable data they’ll get if the whole world’s domain name lookups comes through their systems. Mozilla are being particularly naive at assuming they know best.
  
  3 9 Reply
3. Wednesday 25th September 2019 06:57 GMT big_D
  
  The biggest issue is that CloudFlare doesn't honour your DNS blacklists. I have around 2.5 million sites blocked (mainly tracking, gambling, porn etc.).
  
  3 0 Reply
  1. Wednesday 25th September 2019 09:15 GMT Anonymous Coward
    
    It's not Cloudflare... it's Firefox that doesn't respect your HOSTS file
    
    (I tried FF's DoH but turned it back off when I noticed those damned e-cig ads I'd blocked popping up again as soon as I strayed anywhere near NSFW territory)
    
    5 0 Reply
    1. Thursday 26th September 2019 10:09 GMT P. Lee
      
      I believe opnsense can add in a port53 to doh gateway if you want to do your LAN.
      
      I'd be curious to know if you could safely open it up to the internet. I might try it on a dmz. TCP stops client spoofing.
      
      1 0 Reply
4. Thursday 26th September 2019 10:00 GMT P. Lee
  
  I was evaluating Cisco Umbrella. It tries to break doh but that only works for known providers it's ip/port blocking.
  
  Any security based on promoting broken, insecure protocols is not something I'd go for.
  
  Combined with nextgen tls which hides the sni and prevents mitm and there's a whole stack of broken corporate security systems.
  
  0 0 Reply
Tuesday 24th September 2019 21:15 GMT mark l 2

If you are worried about privacy by all your DNS going to Cloudflare, Google or someone else you can roll your own DOH server, a low spec VPS should be enough for home users. There are a few tutorial on how to do it if you search online.

7 0 Reply
1. Tuesday 24th September 2019 22:05 GMT alain williams
  
  Own DNS server
  
  I have run my own DNS server at home for a couple of decades. Initially since it made for faster browsing - a local caching name server is much faster than having to push DNS over dial-up. Then I started to name internal machines, etc.
  
  Now: it helps my privacy.
  
  14 0 Reply
  1. Wednesday 25th September 2019 07:40 GMT Anonymous Coward
    
    Re: Own DNS server
    
    Me too. I'll disable DoH when I upgrade to the Firefox that uses it. Not because I particularly distrust Cloudflare (they can't be anywhere near as bad as Google) but because it isn't going to be faster than running a caching server on my router that will serve 99% of my DNS requests more quickly than any external server.
    
    Privacy wise a caching server doesn't buy you much though. You still have to forward somewhere. I figured out the three fastest servers and divide my requests among them, so each would only see a third of the sites I visit. Though for maximum privacy you should send them all to your ISP - since they're going to know what sites you visit regardless trying to hide your DNS requests from them is kind of stupid.
    
    5 0 Reply
    1. Thursday 26th September 2019 11:58 GMT Anonymous Coward
      
      Re: Own DNS server
      
      "[...] since they're going to know what sites you visit regardless trying to hide your DNS requests from them is kind of stupid."
      
      IIRC The ISP will only know the IP addresses to which you connect for web traffic. With large server farms that may be just a common portal address - front-ending many different domain names. The name of the actual domain you want is buried inside the HTTPS data - which is then used to get you to the desired web host instance on a shared server.
      
      2 0 Reply
      1. Thursday 26th September 2019 15:40 GMT Azerty
        
        Re: Own DNS server
        
        Is someone still doing shared hosting?? Yes I know some sites no-one visits from early 2000's but aside from those everyone is doing containers or at least VPS with it's own internet address.
        
        0 1 Reply
        
        Thursday 26th September 2019 15:53 GMT Anonymous Coward
        
        Re: Own DNS server
        
        "shared hosting" is everywhere, due to shortage of IP4 addresses.
        
        I run about 50 small websites (some mine, mostly friends) - They are either all set up on the same machine with a shared web server, or even if in a vps/jail/container, they are behind IP6 only or IP4 privated addresses, with an ip6/ip4 nginx forward proxy sitting on the perimeter.
        
        No way am I paying for individual addresses.
        
        And this is common. Remember, loads of webhosting design companies host sites for multiple clients, and will use the same IP4 address.
        
        Indeed, the push towards SNI shows that multiple-servers-per-ip is here to stay... In the IP4 world, at least.
        
        2 0 Reply
Tuesday 24th September 2019 21:56 GMT Anonymous Coward

Britons won't be getting DNS-over-HTTPS (DoH) by default

well, they might not be getting it by default, but I AM, default or not.

16 1 Reply
Wednesday 25th September 2019 03:45 GMT Yes Me

Shifting what where?

As we previously reported, DoH is all about shifting domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection.
Not quite. It's about shifting domain-name queries from a DNS server that you or your ISP runs to one that some third party advertising site runs, incidentally encrypting the traffic. D'oh!, indeed.

5 1 Reply
1. Wednesday 25th September 2019 08:55 GMT Mike 125
  
  Re: Shifting what where?
  
  >incidentally encrypting the traffic
  
  DoH is about en-route privacy and protection from MITM spoofing, intercepting etc. As many people are commenting, endpoint privacy is no different.
  
  >some third party advertising site runs
  
  But I take your point...
  
  3 0 Reply
  1. Thursday 26th September 2019 15:56 GMT Anonymous Coward
    
    Re: Shifting what where?
    
    Of course, the dns server that the DoH uses is still open to spoofing and intecepting, albeit less personally targeted - my point is, hackers may still be able to cheat the results. Using DoH doesn't make the whole request tamper-proof unless DNSSEC is mandated.
    
    (I realise from your post that you know this - I'm just clarifying it for anyone who isn't sure)
    
    1 0 Reply
Wednesday 25th September 2019 05:39 GMT julian_n

But its for your own good - to protect you from terrorists, drug smugglers, tax evaders and paedophiles.

And the Scottish Food Standards Agency is at the forefront of such fights, hence why they can snoop on, oops - sorry that should be protect, you.

10 1 Reply
1. Wednesday 25th September 2019 10:43 GMT alain williams
  
  Parent up-voted
  
  Julian should really have added a sarcasm image; taken as a straight comment: yes you down-vote.
  
  For the short of memory the reference to the Scottish Food Standards Agency is about what IPA lets them do.
  
  1 0 Reply
  1. Wednesday 25th September 2019 12:36 GMT Yet Another Anonymous coward
    
    Re: Parent up-voted
    
    I always assumed the Scottish Food Standards Agency was a euphemism for some shadowy agency.
    
    I mean they can't really be responsible for the standards of Scottish Food
    
    3 0 Reply
    1. Thursday 26th September 2019 12:03 GMT Anonymous Coward
      
      Re: Parent up-voted
      
      "I mean they can't really be responsible for the standards of Scottish Food"
      
      A Scottish friend went to university in Glasgow. He said he developed scurvy on the typical student diet.
      
      3 0 Reply
Wednesday 25th September 2019 06:54 GMT big_D

Local DNS

At work we have local DNS servers, at home I have a local DNS server. A lot of requests are for local addresses, last time I looked, CloudFlare wasn't registering the addresses on my private network for translation.

Also, my local DNS server blocks around 2.5 million tracking domains. I'm guessing CloudFlare won't honour my blocklist either...

If I'm out and about, DoH would be useful, but at home or in the office, the last thing I want is my browser ignoring my DNS settings...

5 0 Reply
Wednesday 25th September 2019 11:31 GMT Roj Blake

Good For Catching Idiots Only

The argument that it's turned off by default to protect us from paedorists and terrorphiles doesn't really hold much water when one considers that any half-competent ne'er-do-well will just turn it on.

4 0 Reply
1. Wednesday 25th September 2019 12:37 GMT Yet Another Anonymous coward
  
  Re: Good For Catching Idiots Only
  
  But there will be a checkbox saying "I'm not a terrorist, paadophile or remain voter" before you are allowed to turn it on.
  
  5 0 Reply
Wednesday 25th September 2019 14:44 GMT anonynon

Pihole with cloudflared for upstream

If you run your own pihole you can use clooudflared to enable DOH for upstream queries: https://docs.pi-hole.net/guides/dns-over-https/

So you get adblocking, local DNS resolution (Firefox falls back to your local DNS anyway for those worrying) and all external DNS queries are using DOH.

5 minute setup too.

2 0 Reply
1. Thursday 26th September 2019 13:51 GMT adam 40
  
  Sounds great! I'll stick it up my
  
  PiHole...
  
  1 0 Reply
Thursday 26th September 2019 16:53 GMT arctic_haze

Default off in the UK but on in the US

So the solution seems as easy as downloading the en_US binary version (not to mention clicking one box in Options -> General -> Network Settings).

1 0 Reply
Thursday 26th September 2019 18:30 GMT gnarlymarley

Nonetheless, DoH is billed as helping stop third parties (ISPs, government agencies, police forces, any of the random handful of British state organs allowed by law to help themselves to your browsing history, etc) from viewing what you’re viewing – or, in the case of criminals looking to defraud you, hijacking your DNS requests.

Except, there is at least one third party involved in DoH and that will be whomever owns the IP that firefox points their first lookup to. Somebody other than the webhoster will need provide the ability to tie a name to an IP. This function is currently provided by ICANN and others via what is called root name servers.

So, the real quesiton should be, do we trust firefox or google as the "third party" that will track and sell our web browsing history?

1 0 Reply
Friday 27th September 2019 02:39 GMT JCitizen

I thought it was a joke...

When I saw the acronym DoH in the article! - Doh!!

1 0 Reply
Friday 27th September 2019 09:00 GMT Anonymous Coward

A question as you all seem to know about this. If the DNS look-up is secure to, say, somesite.com, the ISP won't know I queried for it. Great. Then my browser makes a connection to somesite.com's IP address... and the ISP is immediately aware of what IP I requested, as it has to route the request. Wouldn't they just reverse look-up the IP and deduce instantly that I was connecting to somesite.com? I struggle to understand why any government has a problem with DNS over HTTPS or similar when they can force the ISPs to record the IPs I visit and then reverse look up what sites they are? I imagine this is why avid users of somesite.com use VPNs and Tor. i.e. this entire thing is essentially fake news as at worst governments make minor changes to how they collect data and their real issue with with VPNs and Tor. Yes?

0 0 Reply
1. Friday 27th September 2019 11:57 GMT Carpet Deal 'em
  
  It's not that simple: somesite.com is very likely to share its IP with anothersite.net and numerous others with a server routing the requests based on the domain name in the packet. Encrypt the domain name and all anybody else sees is somesite.com's hosting provider(you may still be able to get something from the logs, but it's nowhere near as reliable).
  
  1 0 Reply
Friday 27th September 2019 15:21 GMT Lord of Fries

Why not just use Simple DnsCrypt?

Just look at the tittle, I've been using Simple DnsCrypt in my widows boxes for a while so no one sniffs my port 53 traffic, all of it, not just browser related traffic.

Simple DnsCript is just a windows wrapper for dnscrypt-proxy that can be used for linux boxes.

just saying, some problems have simple solutions :-)

I'll get my coat now.

1 0 Reply