> Our plan is to select a set of Trusted Recursive Resolvers (TRRs) that we will use for DoH resolution in Firefox. Those resolvers will be required to conform to a specific set of policies that put privacy first.
So can I manually set one myself to my local pi-hole instance? I have already been setting the TRR about:config values (ala [0]), will that remain?
I am wary of Mozilla becoming the arbiter of acceptable DNS providers for me, so I should be able to override it if I want.
It's not a nefarious plan to stop me from doing what I want in a FOSS browser on a PC where I can compile and run what I want. It will be used that way, however, on locked-down devices users pay for but don't actually own.
Then don't buy such a device which clearly doesn't meet your needs. Why should every personal computing device on the planet be tailored to your requirements, at the cost of safety for the majority of other users? Most people don't use PiHole, they use Adblock or uBlock which are not affected by this. It's not as though they are taking away your ability to use adblocking technology.
Macro-level view: The Mozilla Foundation may think that DNS-over-HTTPS is about "safety", but they're unwittingly furthering the agenda of those who would profit from the Internet not being decentralized. A decentralized Internet filled with devices that end users can control, should they choose, is a good thing for society, I'd argue. DNS-over-HTTPS is another piece of technology that can be used to eliminate that. It is not necessary to hand over freedom in exchange for "safety" or "security".
Micro-level view: I'm a sysadmin for my Customers, my family, and some of my friends. Inevitably I will have to deal with these awful devices. So will countless other sysadmins. I'm dreading having to deal with devices that invade my users' privacy, thwart my attempts at detecting bad actors on the network, and that just generally act like the person who paid for them doesn't actually own them.
This is what Mozilla has been doing for a while. They enable advertisers and bad actors to profile you without any sane safeguards to prevent websites from running JavaScript code that is used in a nefarious way. If they were actually focused on protecting users, they would be working with IPFS and building other tools to help hide user identities through a permission-based system. Chrome is just as guilty, but it's not like Mozilla is trying to define new web standards to prevent this type of activity. They may as well be working together.
Don't know why you are getting downvoted when you are completely correct.
There's so much that Mozilla could do structurally, but they are terrified of rocking the boat or disrupting their corporate underwriters.
Just like earlier today, with their anti malicious javascript features[1]; they could look into empowering the users and changing the structure of how js is run in the browser. But that might threaten advertisers, so instead they opted for a clumsly blacklisting solution instead.
If you want an accurate heuristic for predicting Mozilla's behavior, just ask "What would Google want?". It may not be Google in particular that these decisions benefit, but they absolutely benefit those entities that are locking down and siloing the internet.
Regarding your second point, this change will improve privacy for your clients and make it harder for bad actors to take advantage of your network. So what's not to like? Just because your old tooling won't work anymore doesn't mean that this change is a bad thing for clients.
and Only works on Enterprise Networks for devices owned by the enterprise because the Enterprise Installs their own Root Certs on all devices that "tricks" the browsers into believing they are "google.com" not the real google.com
Right, which is exactly how it should be. If you want to perform a purposeful man in the middle attack on your clients, then you SHOULD be required to install your root cert on their workstations. With unencrypted DNS, it just means that you can perform the same attack with NO specific approval by the client workstation. How is that better?
You get an HTTPS error if someone performs a DNS MITM and you’re not set up specifically to trust their certificate. It’s equivalent to performing an HTTPS MITM without the root cert installed.
Yes, it works, by software or devices that cooperate.
With desktop OSes, it is no problem.
With mobiles, traditionally, if you enrolled a custom CA root onto Android device, the user would be nagged ("You network may be monitored").
Malware can go further, and just use it's own root, without any ability to enroll your custom one. I see this as a default with any IoT or embedded devices, so that will make much more difficult to say "no custom CA, no internet access".
I don't understand your point. I'm certainly not solely focused on the unsophisticated ones, but those sorts are important too. And they're much more common as they include ad and other trackers.
If DNS-based access control is not sufficient on it's own, then is it really worth it to block DoH (which could have other significant security and privacy benefits) just to retain the possibility of using it? Why not focus on improving those other, already necessary access control technologies and forget about abusing DNS for this purpose, so we get the best of both worlds?
Because I believe in multilayered security. No one approach to security is sufficient, but combining as many approaches as possible can allow each approach to help cover the weaknesses of the other approaches.
Also, I disagree that denying the lookup of certain domain names is abusing DNS. If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.
Also, I'm not aware of a method that can accomplish the sort of coverage that blocking DNS lookups can. If you have an alternative, I'd be genuinely interested in hearing about it.
> I believe in multilayered security. No one approach to security is sufficient, but combining as many approaches as possible can allow each approach to help cover the weaknesses of the other approaches.
Agreed with you there, I'm not saying that multilayered security is a bad thing.
What I'm saying is that right now, in terms of easy and accessible DNS privacy, we have 0 layers. Don't you think it might be worth sacrificing this one partial, incomplete access control solution in favour of solving that?
> If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.
Without cooperation of the device, that is indistinguishable from that of a bad actor.
You can get what you want by owning the device and requiring it to cooperate (ie with controlled software or a certificate to allow monitoring / blocking).
Then Mozilla should make a crippled "safe" version of their browser that has a hard coded list of trusted servers then.
Because by making this the default, they are helping centralize the internet and greatly benefiting the entrenched powers while putting barriers to entry for the rest of us.
I don't know about you, but in the reality in which I live, privacy of the domain names I visit is a much bigger concern than being able to do access control with a technology that's not even made for access control.
It's not really equivalent. Our DNS servers know every single website we visit, and when we visit them.
There's no way we should take that information and centralise it into the hands of a few big providers. No matter how many pinky promises they make to not look at it.
There is a already a crisis of invasive surveillance, profiling and profiting from stalking users. There is also government surveillance that can't be thwarted with its own panopticon of secret orders, secret courts and secret processes.
Both of the above need to be urgently reined in to retain some sense of accountability and democracy. And these efforts including awareness are predominantly coming from outside the technical community.
When the problem is concentrated global monopolies and power how can centralizing more control be the solution? And yet these seem to be the only solutions from the community.
I replied sub-thread, but adding here to give some more visibility to some of the issues DoH is causing and will cause:
I work at a k12 school and I am involved on many k12 IT communities.
Some schools already removed Firefox from the students computers because it was being used as a "VPN" by some elementary students to access porn - at school. Guess what this VPN was? Just DNS over HTTPS.
There is a fine line between protecting yourself from your ISP and local network operators that NEED to apply some security policies to their traffic. Even Google offers "Safe Search" for schools and libraries that removes porn content.
Unfortunately, on our school network, we also allow BYOD (students with their own laptops and ipads), so we will have to have some strict rules to block DoH, the same way we block proxies and vpns.
The only other option is going to full HTTPS MITM, forcing a root SSL cert to all computers that use our network, which is the last thing that anyone wants to do.
Summary: This may lead to more HTTPS MITM or schools forbidding BYOD AND removing Firefox from their computers.
Don't worry. Soon Chrome will also implement DoH and ESNI, then you actually have to either forbid BYOD or actually start teaching students manners, how browsing porn is not okay in school context. I'm really quite annoyed by the connotation that kids should rather be helicopter-parented (by tech or by people) than actually taught what's okay and what's not.
The very least the new tech provides is that any silent helicopter parenting is becoming more visible and I'm grateful for that. Kids deserve internet privacy just as much as real-life privacy.
> Soon Chrome will also implement DoH and ESNI, then you actually have to either forbid BYOD or actually start teaching students manners...
If you think that this is how it will go, you're very naive. If schools and parents can't block porn anymore, prepare for more legislation that blocks porn by default at the ISP unless you pay some kind of fee - like what the UK has proposed. Also look for a return of "content standards" for sites that want to be kept off the "porn list", like the old broadcast TV content standards.
Thankfully I don't live in the USA where asinine things like that would work. Pretty sure there isn't a single school here try and enforce a web filter other than "Let's agree not to visit pages that are not allowed [OK]". I'm hope I'm not naive, maybe just not super-accustomed to the "tHinK oF tHE ChiLDRen"-narrative for pushing filters (or other things) trough.
> prepare for more legislation that blocks porn by default at the ISP
See you're missing something. If you as the local network operator can't block porn than neither can any intermediate ISP. It's not like they have any more power than you do.
I definitely don't want my six year old to be able to use their school-provided, Internet-connected iPad any way they please, with plenty of privacy.
And yeah the actual solution is "don't fucking give a six year old an Internet-connected device of any sort, obviously, you idiots" but they do, so monitoring and blocking are absolutely necessary.
The original commenter talked about BYOD though, maybe school-given devices are set-up so that they don't let kids do whatever they want.
In the case of BYOD, if you're not okay with your kid having an Internet-connected device and that they're going to use it responsibly then don't give him/her one or only allow it under parental supervision. If we're carefully watching and teaching kids kids when they're handling knives or matches, why not do so with internet connected devices?
If your child is supervised on the internet and doesn't have a tablet, and mine isn't and does, and my child showed your child stuff you disapproved of while in school, would you complain to the school?
Some parents complain about sex ed and vaccination, satisfying the lowest common denominator doesn't really work.
If some kid showed actually NSF-School images, such as nudity, to other kids and it was a first time offense a warning should suffice. If it's a repeated offense then maybe the kid needs psychological help.
Just as a hypothetical scenario, there's the possibility that a kid shows others a picture of for example Michelangelo's David (or similar art piece), do you think that kid should be punished for showing nudity to other kids?
What would removing Firefox accomplish? Why would students not just download one of the bazillion Chrome VPN addons? Or regular VPNs that they can just turn on and off? How is _removing Firefox_ a solution?
What these schools need is to set up sensible group policies. Managing BYOD on a school with kids (as opposed to grown-up people whose jobs are on the line) is simply impossible.
I think the poster was talking about two separate schools. One which doesn't allow BYOD and tackled the problem by removing Firefox, and a second where the poster works at which does allow BYOD and therefore removing Firefox is not an option.
To add to this issue from a personal level: for those who use a Pihole or operate other internal services from within their own home network will now have to change the settings for _every application_ using DoH on that network.
This could become a major hassle if the number of devices and owners become large. There's not even a work around for this because I do not directly manage family members' devices (nor would they want me to).
I really like Firefox for they are the only real option these days. I use it and I encourage all those around me to use it. This change will require me to do a lot more manual work and likely lead to confusion over whether a service is down or not.
How far off are we from DoH being supported by common operating systems, DHCP, etc?
It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.
Honestly, all these apps shouldn't even bother detecting for DoH or not. If people want to use DoH they can set up their own local resolver and configure their network for it (and for folks on Windows, that could even be packaged third-party).
The reason browsers are interested in including DoH is to protect users who don't even know this is a problem, and definitely aren't going to set up their own resolver.
> How far off are we from DoH being supported by common operating systems, DHCP, etc?
To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.
> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.
Yeah. Good luck diagnosing that when something stops working as expected.
> To my knowledge none. Nobody is doing this, because it subverts how DNS is supposed to operate.
Huh? Of course people do this, it's a standard way to do DNS that improves over older DNS wire protocols by offering better security properties. It's unfortunate that we had to involve HTTP in this, but needs must.
For example you can drop in an NSS replacement that uses DoH instead of conventional DNS for all your glibc software, or you can get software from a variety of sources that runs on UDP port 53 of your local machine like a normal DNS relay but uses DoH to someone trustworthy to deliver.
> DNS should be a system-level setting, not an App-level setting.
I would go even further: Any app trying to bypass the system-level network settings (like with DoH) should be considered malicious and possibly malware.
This is what spam-bots used to do back in the days. Now let’s add Firefox to the list.
Having a pihole still doesn't prevent applications from using another resolver - for example dig example.com @8.8.8.8
You'd also need to block all other DNS traffic. And even after that, it's tricky, as applications that are not a browser might be doing this with a hardcoded DoH provider.
There’s a way to redirect any port 53 traffic back to your pihole if you have enough control over the gateway, but I don’t know if it’s worth doing. Breaks a bunch of things you’d normally do to debug whatever.
Been doing this a few years, after seeing lots of apps and devices using 8.8.8.8 despite being given my resolver back via DHCP (so obviously hard-coded into them and they’re ignoring os dns.)
No practical drawbacks so far, although I have found many “open resolvers” online from my home, only to realize it’s the redirection messing things up.
> It would be nice if these apps could detect whether the system is using DoH and only fall back to their own DoH resolver in the case they're using "legacy" DNS.
In which case these applications are either broken or malware.
The application needs to fix that by using DNS supplied by the OS, as everyone should do.
> Unfortunately, on our school network, we also allow BYOD (students with their own laptops and ipads), so we will have to have some strict rules to block DoH, the same way we block proxies and vpns.
How can you block DoH without doing MITM on all outgoing HTTPS? For that matter, how can you block HTTPS based VPNs like OpenVPN?
ETA: I understand you can block IP addresses of DNS resolvers that support DoH. I assumed that to make this work, Mozilla / Google / etc. would serve DoH from the same IPs as some big services, so you wouldn't be able to block DoH without blocking something like Google's homepage.
>How can you block DoH without doing MITM on all outgoing HTTPS? For that matter, how can you block HTTPS based VPNs like OpenVPN?
OpenVPN isn't HTTPS based. It has TLS support, but AFAIK it's implemented as TLS-over-OpenVPN rather than OpenVPN-over-TLS, so it's still very distiquishable from a HTTPS connection. There are workarounds like using TCP mode over stunnel, though.
IP-based and domain-based. We have a long list of domains/IPs used by VPN providers.
Won't prevent someone from setting up its own SSH-based proxy on port 443, but covers things that are accessible and easy to use by young students (talking about elementary school on our case).
Again, we are talking about a school network with young kids (under 12/13).
If DoH is backed by e.g. Google, won't they just end up exposing DoH on the same IP addresses serving www.google.com? Similarly, what if e.g. CloudFlare expose their DoH on all their addresses? This seems like the obvious next step for them.
And Cloudflare already does expose DoH on all addresses, as long as SNI/Host header is one of the vhost hostnames. You can currently make DoH requests to cloudflare-dns.com , the "mozilla" subdomain, one.one.one.one, 1.1.1.1, and 1.0.0.1 (there may be others that i'm not aware of ).
"Again, we are talking about a school network with young kids (under 12/13)"
As school network admin in another life I came to the conclusion that there is no limit to the ingenuity of pupils even at that age. And I'm just thinking that even big hitters like Netflix have problems properly filtering out VPN services and the likes. Anything-as-a-service makes it all the more accessible to anybody even for free.
Try to disable DOH if you can for now while you prepare something more permanent and resilient. Kids viewing pornographic material in school is a lawsuit waiting to happen I think.
Hopefully for BYOD parents will take a bit of the load off. At least tech savvy ones tend to make sure the device is properly "insulated". Plenty of lockdown options out there for this.
This would probably require new equipment (or just an update) but at that point, you could use an SNI whitelist, then drop port 443 traffic that isn't TLS. You could even drop the request when SNI is not present, in the case of encrypted SNI (if the network box has this feature).
Sounds like the bigger problem is that your porn filters can be circumvented with a DNS change. If you're banning DoH, you also need to ban custom hosts files.
DoH is different because it masquerades as HTTPS traffic. You can block DNS traffic sent to servers configured in custom hosts files, but you can't block DoH unless you either have a list of every DoH server in existance, or block all HTTPS traffic.
That's kind of the entire point of DoH. DNS-over-TLS (DoT) provides TLS encryption for DNS traffic, but runs over port 853 so network operators can control where queries go.
> You can block DNS traffic sent to servers configured in custom hosts files
You're thinking of configuring a custom DNS server, which is not related to the hosts file. The hosts file replaces DNS so there would be no network traffic to block.
Theoretically a kid who really wants his porn could manually add the name-to-IP entries for his favorite sites to his local hosts file, completely bypassing any DNS based filtering you might have on the network.
If you want to prevent anything like this you either have strong (centralized) controls on the client side - policies hardening the client to the point where no reasonable exploitation avenue is left (no hosts file, no running portable browser, no changing settings, etc.), or strong controls on the network - proxy and make sure no matter what the client wants it goes only where it's allowed (no VPN, no DNS filter bypass, etc.).
Maybe the occasional brilliant kids will find a way, good for them. But there's a limit to how much "ghetto administration" you can do without expending any resources on it and still have your measures hold after a few weeks of curious students probing at them.
Of course you can lock stuff via enterprise settings so that about:config entries can't be modified by local users, but that takes time to find out and test, while removing the weird non-Chrome browser that's still present mostly for inertia reasons but nowadays only gets used for evil porn is much easier.
Saving time by applying a non-solution 9like removing one browser instead of treating the root cause) is not actually saving anything. You just kick the problem further down the road. Firefox prefs are documented even if not in the most user friendly way [0][1][2][3]. For the most part performing some basic hardening and other useful config on the browser takes less than a day. A person with some IT background shouldn't have too much problems doing it and it's more or less a one time thing.
no, using the nuclear option of removing the browser outright when others work is the smart, efficient option that someone who actually works in IT with limited resources would (and should) use.
this stuff about finding all the right config files during "basic hardening" and having it just work is the stuff of armchair commenters and people who do IT/security on a well funded, sufficiently redundant team. assuming the latter would be the people in charge of school IT is hopelessly naive.
So tell me then, what exactly are you achieving with removing Firefox when the same bypass can easily be achieved with Chrome? Remove Chrome also? Call the well funded security team to configure whatever browser you’ll eventually have to use?
The problem with half assed work is that you still put in some effort but reap none of the rewards. You work to uninstall Firefox from dozens of computers but get exactly 0 results because now you’ll have to configure Chrome. Default installations of both browsers are perfect for home use but woefully inadequate for controlled networks.
And in the end you put in just about as much effort as changing some flags in any one of the dozens of example config files available on the internet and copying it on every machine.
the DNS filtering works on chrome. yes, people can bypass it, but it doesn't even work on firefox, so they remove firefox. this isn't rocket science, and you're being foolishly contrarian instead of trying to understand what the original commenter's actual situation is. this leads me to believe that you are hypothesizing about work you don't do, but feel perfectly qualified to talk about "half assing" things.
> you're being foolishly contrarian instead of trying to understand what the original commenter's actual situation is
Perhaps because he's describing 2 different situations. One where "some schools" are removing Firefox, and one where it's not an option for him because of BYOD. Uninstalling Firefox is exactly the solution he can't apply. So I still maintain that the other schools that fully control the clients could have applied a proper fix faster and cheaper than any uninstall. It's one line in a config file [0], already linked above.
All your replies are gratuitously aggressive and insulting. That's not a good way to contradict my solution that works, is simpler and more future proof than uninstalling browsers with DOH.
Eventually all browsers will have DOH, you can't uninstall them all. And leaving a browser unmanaged and at the mercy of a student is not an option since requiring 2 extra clicks to bypass the filtering isn't a solution. You need some form of management either way.
I already gave you a solution that's better than removing the browser and "cheaper" than having to manage Chrome with GPOs (not a high bar). Insults won't change that.
this is getting really boring and repetitive, but you didn't give a "cheaper" solution, you gave an administratively more expensive solution (change files on machines rather than bulk remove an app which is out of the box functionality for many products IT like this would use), along with moving the goal posts; the goal is "keep my DNS filtering working," not "make sure no one ever gets to the porn site."
of course, you would need to do more in chrome (and windows/osx/ubuntu generally) to stop traffic to a site if a student knows what they're doing. that's not the point. the point is: we have this control in place. we've agreed it's working well enough. people can bypass the control simply by using firefox. to avoid adding overhead, we ditch firefox (for now). it's that simple.
as for future-proofing, that's a luxury. ...and part of why it's a luxury is that some goals ("make all traffic to any porn sites impossible on our school network") just aren't going to be met by budget IT.
re: BYOD, for that i go over to the armchair tech purist side i'm afraid, and just say "well, you allow that, so you need to get over that they can use VPNs and stuff. you're not DOJ or some wealthy corporation with important IP assets and equally 'important' VIP execs that insist on bringing their OSX 10.6 MBP to work. you don't get to have all the cool controls that might allow BYOD. sorry."
You didn't understand OP's comment and realized only after I pointed out that HE is the one with the BYOD problem where uninstall can't fix anything. I'm not the one moving the goalposts. His only option is applied outside of the client, at network level. As for the other schools, the effort they put in today bought them a week or two at most. More than enough time for the students to have "workarounds" in place and access anything they want since as you said the admin has no resources to control what's happening on the machine. But you know, it's unwise to pay too much, but it's worse to pay too little; buy cheap, buy twice; poor man pays twice.
They were better off uninstalling Chrome. Firefox at least can be controlled with a config file and a script to do bulk copy, Chrome wants GPOs and without lockdown you have a ton of extensions in the store to make your DNS filtering redundant. I believe the latter is the better option but if a config file is beyond the possibilities of the school admin I expect their browsers to be fully unmanaged and at the mercy of the user. It can't be both ways.
I appreciate that you finally confirm what I said from the beginning: It is a half assed job (because doing it properly "is a luxury"). Uninstalling just kicks the problem down the road and lets "future you" deal with it a few days or weeks later.
> an app which is out of the box functionality
Begs the question why put in effort to install then uninstall it when there was no need for either. I'm not in their head but one thing's for sure, your explanation relies on conflicting argumentation. We're talking about a hypothetical Schrödinger's admin that at the same time both has and hasn't got the resources to do the work.
firefox messes up their DNS filtering, chrome doesn't. so they remove firefox and enforce chrome. if you see that as a slippery slope, you're imagining it. they probably 1) have a decent app like ninite to remove and install apps, 2) don't have anything but their production environment, 3) don't have a homogenous environment in terms of patching (maybe they do), 4) don't have people to go around and make sure the config changes they push (however they would push them) took, worked, etc. so they block the app. maybe eventually they reinstall it. welcome to IT.
...which reinforces my point about how people actually doing this and people speculating about it tend to respond to issues like this.
> firefox messes up their DNS filtering, chrome doesn't
I take it you assume students are not creative enough to get the exact same result with Chrome? Because it is perfectly possible to do it. Unless of course you take steps to prevent that in Chrome. One way or another you either put in the work or the users will end up doing whatever they please. After configuring the OS doing the same for the browser is a relatively small step.
of course it's possible to do so. but DNS filtering works for most users, and is much easier to centrally manage on a budget (in terms of time / people / money) than browser settings.
i'm belaboring this point now, but people who actually do this stuff know that you can't just throw up a GPO to fiddle with chrome settings and expect everything to work. this culture of "power users" thinking they know the best course of action for every situation in IT (and it's always "that thing i Put In The Work to do when i was tailoring my own system") is really silly.
> know that you can't just throw up a GPO to fiddle with chrome settings
I thought we were talking about how hard it is to fix Firefox. This can be done on a budget - part of an afternoon - since it can be very easily managed with a plain old config file copied to all machines (at least until a couple of versions ago). With this gone you're left with Chrome. How would you make sure no user can use any one of the multiple options to abuse a non-managed Chrome and bypass this? Remember that your target isn't to have a browser that doesn't mess up filtering, it's to prevent students from using any (creative) means to access restricted material. And with Chrome there's one sure way to prevent those creative means. So don't answer, it will be GPOs.
And since your fix for DOH and DNS filtering is to uninstall the browser (!) when Chrome eventually implements it will make for an interesting conversation ;).
as i replied in the comment below, the goal isn't "absolute porn free paradise," it's "keep our current control working." sound shortsighted to you? it is. it's also the easiest thing, and frees everyone up to do other, more important work than impressing people who are aghast that an organization would uninstall 1 of 2 browsers b/c it bypasses some control of theirs.
as for once chrome implements DOH, they'd cross that bridge when they came to it. it's an uphill battle, because really content filtering, of course, should not be done through browser settings (remotely managed or otherwise), nor solely through DNS. if whoever tells IT what to do in that school district is hellbent on it being impossible to browse to pornhub, they'll ultimately need a layer 7 firewall. but again, when you're on the budget, you do fastest / cheapest / most effective.
(and if we return to pure hypothetical, i would argue that dns filtering really is the best way in their case, because anyone who could bypass that--besides just using firefox--will be able to bypass better chrome config, or your firefox config change, etc, since they can just edit host file, etc etc etc)
I don't think there is a good solution. Yes, you own the network and think you should be technologically able to block access to certain websites (which the school has the right to do), but ISPs also "own" the network and would also be able to block access to certain websites if it were possible with DoH+eSNI.
I guess a solution is MDM, but that's still getting students to install something on their device.
Or you can have the local interface and the cellular interface up at the same time, have the default route through the local interface but have a route to your preferred DNS server through cellular. Then the only traffic you have to pay for over cellular is DNS, which is very small.
Kids are clever, if one of their classmates is known to be tech-literate and (s)he's saying the school is snooping on you the amount of shadow IT will rise. Vast majority will install, but also have some other device to bypass.
I was referring to the machines they were preventing the installation of Firefox on.
For BYOD, I don't know what you're gonna do. Many students have smartphones too (some with tethering), and you can't control what they look at on those either. Plus, even if the school could somehow magically lock everything down 100% within the confines of the school building, the students can still get access to whatever at home, or using coffeeshop WiFi, or whatever.
The point is not stopping them downloading this stuff.
The point is stopping them downloading this stuff using schools property or infrastructure. If they download it elsewhere, it is someone others problem then. If someone complains, its someone elses' fault, and the school can fingerpoint.
If they just bring it to the school, they can be disciplined, but no other steps need to be taken.
You can use special paint on the buildings that blocks RF. There are also cell phone jammers. They require a license and approval from the FCC and have legal implications / risks.
This use case wouldn't get approved. It's very hard getting an exception and this doesn't come close to meriting it.
Preventing cell phone calls could have dire consequences in an emergency, and stopping kids from looking at porn doesn't remotely merit taking that risk.
Blocking RF is illegal if it's done with the intent you describe. It's fine if your building gets terrible or no reception but if you purposely design it that way you're not protected.
There are a number of organizations and businesses that block RF. Their legal team review the local statutes and the employees sign acceptance in the AUP onboarding documentation.
To your point, there are certainly countries and jurisdictions that do not permit blocking RF or have strict exceptions.
In the US, local statutes and AUPs don't enter into it. This is federal law. You're right, there have been a number of organizations that have done this -- and enough of them have been fined for it that the number is much smaller than it used to be.
> I replied sub-thread, but adding here to give some more visibility
> to some of the issues DoH is causing and will cause:
>
> I work at a k12 school and I am involved on many k12 IT communities.
>
> Some schools already removed Firefox from the students computers
> because it was being used as a "VPN" by some elementary students
> to access porn - at school. Guess what this VPN was? Just DNS over HTTPS.
Firefox now has enterprise support where the administrator can force all desktops to use certain Firefox settings including enabling/disabling/configuring DoH.
Ultimately we cannot secure content without being able to look at it (encryption is the problem). We need to be able to look at what the kids are looking at if we want to control what information gets to them.
Palo Alto firewalls do decryption on the fly should you want to look at this. It can all be logged with short or long logging.
Worked in your arena for 5 years. Kids are creative and crafty. We had kids getting around the MDM/DNS blocks by changing the DNS/Proxy settings in their iPads. This is not easily overcome with existing MDM solutions AND letting the iPad be usable. BYoD is a whole different animal since you cannot legally "touch" their devices, you have to implement the federally-mandated blocks at the infrastructure level. Kids can use VPNs all day and there is nothing that can be done in reality.
At a previous job, believe it or not, I worked with a client with almost a zero budget who was having massive issues with malware/ads in their public space that offered free computer use. Being the budget was minimal (less and $100 to fix), I deployed two Pi-holes and taught the "admin" how to manage it. Cheap, effective, works. I set the whole thing up to fail back to the network's DNS should the Pi-holes fail. Still running almost two years later.
The Pi-hole can block about any content you would like it to block with almost zero-configuration. Easy to block a single domain or with a new rule set subscription.
Band-aid solution that worked pretty well. Very cheap to implement, widely supported and used by many schools.
Our student's data was still private (no emails or passwords being decrypted) and we did the filtering only based on the domain name. It also didn't require an expensive appliance that would be need if did the filtering based on SNI.
A student who really wants to see "the bad" on the internet isn't scared off by blocking some DNS/VPN/proxy traffic. This is wishful thinking.
The easiest work-around for students who want to show their mates some "cool porn" is to just save it at home. Or connect to the free wifi of <random shop> in reach.
When you allow BYOD you give up the ability to control the client, and you allow the mess of kids bringing their family computers to school, as well as this difference where other kids bring their own much-better computer.
There are plenty of ways to lockdown the ability to change DNS settings on your enterprise computers (you can also lockdown Firefox with the right deployment) and you can block port 53 traffic to outside your network, but you can't block DNS -> HTTPS w/o the interventions cited above.
So, it is bad that Firefox was removed? Are you saying that you think that Firefox needs to be crippled enough that school districts feel comfortable using it?
The fact that it is enabling students (or anyone) to bypass restrictions is a good thing.
Why don't you try looking at this from another point of view. Firefox is a powerful important tool, and I want it to continue to be so, even if it is not ideal for everyone.
Curious, how does your school solve this with students' phones? Have y'all considered requiring mandatory monitoring apps? Or cell phone data jammers and requiring them use y'all's wifi and require a CA cert install?
Reading these comments I'm more and more disgusted really, how is it okay (to even suggest) that personal devices of kids are so invasively monitored?
They deserve their internet privacy just as much as grown ups do even more so actually given their higher trust in others, if schools are scared of internet's dangers then schools should educate, not wrap kids into digital bubble wrap that will disappear when they leave school leaving them tech-illiterate and vulnerable.
It's entirely within the intentions of browser vendors to make blocking of content without consent of a user hard or even impossible.
If the school cannot be bothered to block content properly (ie, only via DNS block) then that is their own fault. The tools exist to block on an IP level.
For all computers the school owns, they SHOULD definitely do HTTPS MitM.
IP level is too coarse grained to block sites hosted on Cloudflare etc which host sites you also wish to allow access to.
SNI filtering is a reasonable middle ground - it has its flaws but nowhere near invasive as full MITM filtering yet achieves most of the filtering objectives of the organisation. Ie it is “good enough”. Sadly ESNI may be the end of usefulness of this approach.
I consider DoH too dangerous to allow on my own network, so here's what I did: if you want to use HTTPS from my network, you need to install my root cert. I then proxy all HTTPS traffic to detect and drop DoH exchanges.
I expect that we'll see this sort of thing more and more.
I’d consider you installing a root onto my device far more dangerous than DoH, because how do I know you’re only dropping DoH, and not actively logging everything? I have to assume you are evil.
As a consequence I would not use your network. This may also be considered success from your point-of-view.
That's totally fair. My network, my rules. You are not required to use my network.
However, I'm not completely heartless. I also run an open WiFi AP that, although limited, is available for guests who aren't comfortable with my security measures. You can't reach the rest of my network through it, but it's there and will get you internet access.
This is perhaps a stupid question without context, but doesn't every kid of the age where this kind of things is an issue carry their own smartphone nowadays? With mobile Internet?
Note that with DoH on Firefox, your intranet domains do not work. Had issues with it before and had to disable DoH just to access our company printer. Also causes issues with DC.
That goes into the argument that DNS (domain name lookup) should be a system and network-level setting, not an App-based setting.
I'm working on our DoH implementation. I'm guessing this is a split-horizon set up with a domain that resolves both internally and externally. If you are willing, we're very interested in these situations and coming up with heuristics to detect and disable DoH proactively. We're also looking into standards changes that could make these configurations more reliably detectable at the application level. I'm selena at mozilla.com.
As a sysadmin who rails against split-horizon DNS (usually around Active Directory implementations where brain-damaged people have named the AD domain the same as a public Internet domain name) I'm already getting a churning feeling in my stomach thinking about how software is going to mishandle this scenario in DNS-over-HTTPS.
It's going to be particularly god-awful for devices that roam between networks where the "internal" DNS is visible and networks where it isn't. Ugh...
My organization does this (AD domain appears to be the same as the public domain name), and I also had problems when I opted into the HTTPS DNS trial. As in, no internal servers resolved.
I had thought that internal networks these days would favor multicast resolution (LLMNR/mDNS), but that doesn't appear to be the case here. Admin work is not my wheelhouse, so I have no idea what standard practice is. What is the recommended setup for AD and name resolution configuration?
For now, we recommend having an enterprise policy for the browser configured. That is the best indication we have that the browser configuration is managed and this kind of issue might occur. We're also open to recommendations from admins on other things that might clue us in that we're in this situation. Finally, we're discussing the possibility of establishing a network standard that signals more strongly that "name shadowing" is occurring... like maybe there's some DNS response that can be configured locally that we can look to proactively and then disable DoH.
> usually around Active Directory implementations where brain-damaged people have named the AD domain the same as a public Internet domain name
I don't like this one either, but often it is inherited from the past from other people and it is not going to change.
On the other hand, split-horizon DNS is going to stay with us, even if the AD domain is a subdomain of the public one. Records in the internal zone are not going to become public anytime soon.
We're working on exceptions support, which would allow specific domains to be looked up via DNS instead of DoH. In that case, mirroring a blackhole list to the exceptions support would result in what you want (I mean, if I understand what you're asking).
So, when the user types in internal.mydomain.com, it gets sent to Cloudflare then they query my public domain server which doesn't have the entry so it falls back to checking the DNS the system has listed. Is Firefox going to cache the IP like the OS does?
* network.trr.mode can be set to 0 (disabled), 1 (race native vs TRR), 2 (TRR first, OS DNS as fallback), 3 (TRR only), 4 (run native and TRR in parallel but use native results, save TRR timings for telemetry), or 5 (off by choice)
* network.trr.uri configures which DoH endpoint is queried
Firefox does maintain a DNS cache, even if you use the native DNS resolver. You can view the cache at about:networking#dns.
If you insist on using a third party resolver for name resolution they will have knowledge of your queries no matter what the protocol. Doing it over tcp and http is not any better, or worse, than doing it over udp. This is something you have to opt in to.
Yes, the difference is that 0 is the default value right now, so if you set it in about:config all Gecko remembers is "it's the default" and stores nothing in user.js; if the default then changes the value changes.
5 is not the default, so if you set it it will get stored in user.js and then even if the default changes the value will remain 5.
> Note that with DoH on Firefox, your intranet domains do not work
That’s part of the plan. From now everything is cloud only, and everyone doing anything differently gets thrown under the bus, with less and less control left for the user.
I hadn't been paying much attention to DNS-over-HTTPS, but I recently listened to a talk that Dr. Paul Vixie (of BIND fame) gave that where DNS-over-HTTPS was discussed:
(full disclosure: I'm affiliated to Cloudflare, but opinions here are my own of course)
Thanks for posting this. I knew Paul is against DoH, but never understood his specific arguments. He has great comment about DoT (dns over TLS) couple of minutes before the linked youtube (I agree with him on that).
Personally I'm not an "owner" of the networks I'm connecting to. My home router is managed by my ISP, I don't run pi-hole. Network at work is managed by yet-someone-else. I often use my mobile carrier (LTE tethering), and often use WiFi at coffee shops.
For all of these cases I would prefer to not expose my DNS traffic. Heck, I'm 100% sure that my dns traffic today is being re-sold! I have couple of unique domain names that I have open in my browser which have unique and non-guessable DNS names, which are crawled by some bots today. Even though I never shared them in any way with anyone! The only way they could be exposed for crawling is by my DNS provider leaking the DNS traffic to some shady third-party.
Many DNS people are opposed DoH, but I think this train has passed. As a user of the internet I really do want encrypt everything these days.
https://tools.ietf.org/html/rfc8404
If my corporate boss, or my ISP can mine less data about the malware I'm running - so be it. For me this is an acceptable cost of measurably improved privacy.
> I have couple of unique domain names that I have open in my browser which have unique and non-guessable DNS names, which are crawled by some bots today. Even though I never shared them in any way with anyone! The only way they could be exposed for crawling is by my DNS provider leaking the DNS traffic to some shady third-party.
Not true.
They may be connecting directly by IP (it's typically not possible to determine if they did just from access logs). The web (or other application) server may also leak the name when connected to.
If you use TLS, which is likely, your domain names would leak through the certificate transparency logs.
...and there are surely more leak vectors than the above, so it's far from certain that the crawlers you see found their target by sniffing your DNS requests.
> The only way they could be exposed for crawling is by my DNS provider leaking the DNS traffic to some shady third-party.
There are a number of other, perhaps more likely, reasons your hostnames have leaked.
Have you got any certificates for any of those names? Then they are in the public CT database which numerous people constantly scan for interesting data.
Are any of your DNS zones enumerable for some reason? Same thing. Any reverse DNS set up? What protocols and public services do you run? Do any expose hostnames in the protocol handshake? Then you are in the public Internet scan datasets.
As soon as you run any kind of SSL on any of your protocols your hostname is in the SNI header.
Host names are visible in a number of ways. It is best to consider them public data. I have seen a number of ISPs from the inside, and none of them has had any interesting in wiretapping their customer's DNS data. I'm not saying it doesn't happen, but it can't be very common. They have much more interesting data available to them should they want to go down that road.
> Personally I'm not an "owner" of the networks I'm connecting to.
But I am the owner of my own network, and DoH reduces my ability to protect it. That is the main (but not only) reason why I strongly object to DoH.
> I think this train has passed.
I suspect the battle has just begun. For example, my response to DoH has been to implement a MITM packet inspection system on my network to regain control over this. This means that DoH will not work from my network. I expect that we're going to see this sort of thing more and more.
What exactly are the threats that you expect blocking DoH to protect you from?
If you are MitMing all encrypted traffic anyway, why not block whatever you want to block when someone actually tries to connect to it, rather than trying to prevent them from learning where it is?
> What exactly are the threats that you expect blocking DoH to protect you from?
I want to maintain the ability to block the resolution of certain domain names.
The threat model is malicious software or websites that want to phone home. This includes reaching out to command-and-control servers, ad tracking servers, data exfiltration points, etc.
> If you are MitMing all encrypted traffic anyway, why not block whatever you want to block when someone actually tries to connect to it
Because most of the malicious actors don't use raw IP addresses as they can change frequently and without notice. They resolve a domain name instead. Blocking the domain name lookup is therefor more effective and less likely to result in blocking the wrong things than working with raw IP addresses.
This is not a replacement for other security measures (including IP-based blocks), but is is, in my opinion, a critical measure in and of itself.
I work at a k12 school and I am involved with many IT admins from other schools.
Some schools already started to block Firefox from being installed because it was being used as a "VPN" by some elementary students to access porn - at school. Guess what this VPN was? Just DNS over HTTPS.
There is a fine line between your ISP and local network operators that NEED to apply some security policies to their traffic. Even Google offers "Safe Search" for schools and libraries that removes porn content.
Unfortunately, on our school network, we also allow BYOD, so we will have to have some strict rules to block DoH, the same way we block proxies and vpns.
Look I sympathize with all the k12 network operators that have to apply all these brain-dead content filtering policies -- I used to be one. But surely you recognize that someone external to my device that can inspect, modify, compromise the security of, or block my connection to any part of the public internet is the enemy right?
You're free to do whatever you like with devices that you own and you're also free to have an acceptable use policy on your network but breaking security and privacy to accomplish it is the exact wrong way to go about it.
In my ideal world school BYOD devices would either not be allowed at or be given a private single-device VLAN with a direct unfiltered connection upstream, and made clear in policy that the school doesn't own, support, or control any aspect of them. No different whatsoever than students using their cellular connection.
I'm mostly like you, except I've seen where DoH (or rather the equivalent DNS control) can go wrong on my local network. I have a NAS, and did not set up the manufacturer's optional global DNS routing (because why the heck should anything on the internet know anything about my NAS). Unfortunately that means my Chromecast doesn't stream files off it properly, because that hard codes to using Google's global DNS servers (8.8.8.8), which isn't going to know about my local hostnames (nas.lan). I've had to change things to use IP addresses instead.
If you don't trust your network why don't you install a DNS stub resolver that tunnels to some external resolver that you trust and then set the OS to use localhost?
Don't push things into applications and make things more difficult for everyone else when you can secure your own computer.
> install a DNS stub resolver that tunnels to some external resolver that you trust.
Because the we're dealing with computers as they actually exist and are configured. And within epsilon every personal computer on the planet is configured to trust DHCP and set their DNS servers to whatever is offered. So we're in a situation where these particular applications also don't really trust the OS to a certain extent.
You have that backwards. It's applications that are less than trustworthy. That's why we try to sandbox them.
As for the DHCP part, if you're on a public network you should only trust it as far as you need it to bootstrap your tunnel over which you can then finally contact a trusted resolver.
OS resolver -> a single thing you need to secure
every app uses its own resolver -> complete mess which makes it harder to ensure privacy of your traffic
Browsers don't trust the OS to provide secure private name resolution. And they really shouldn't when every OS just blindly takes whatever is offered via DHCP.
I absolutely agree that DNS should be a system-level concern rather than app-level. But today, right now, for computers as they are and will continue to be for the foreseeable future this is a huge improvement. Browsers being the app that handles basically all of our sensitive information I think have earned the exception.
I don't think this is the proper approach. Once it's in browsers it will also be in electron applications. And those may update less frequently. Now you have balkanized implementations of custom DNS stub resolvers using different remote endpoints. That makes security updates more difficult, network issues more difficult to debug and so on.
Doing it properly would involve securing the system, once. This could be easily done by installing a DoH stub resolver service and then pointing the system config to localhost.
Your ISP doesn't really need DNS traffic to know things about you, IP addresses alone leak a lot of information, add to that SNI, response sizes, active probing, clear text traffic, etc. and you should realize that the only thing DoH does is letting one extra party to know what you are doing in addition to your ISP. DoH is net negative for privacy. You need at least a VPN to get to net positive, so that your ISP can't get that much data.
If you can't trust your ISP, leaking all of your DNS traffic to another party still doesn't let you trust your ISP, but now you have to trust that other party too, hence net negative. To avoid trusting your ISP you need at least a VPN.
ISPs already don't have a good track record, so I would argue them NXDOMAIN advertising (like Spectrum does by redirecting you to a yahoo search page) won't make someone unsubscribe from their services. But if a service like 1^4, that specifically states they don't track you, lies about it, then that would be a huge issue for all of the customers that pay for the company's other products.
The person who wrote your application stood it up using that CDN though. There are two parties we're concerned about: you and the entity you're communicating with.
You trust your device and the entity, and the entity trusts the infrastructure and services they're using. Everything else is the enemy. So moving the barrier to a CDN which the entity trusts is actually an improvement over intermediate ISPs which neither of you trust.
They may simply not care and only "trust" the CDN in so far as it bypasses local resolvers. I.e. they might be using it for reasons not aligned with my interests and not vet the CDN at all.
Why not run a Pi-hole? You only stand to benefit. Whilst it doesn't address DoH, it does go a long way in preventing the tracking you mention. It also saves on bandwidth. And because it works at the DNS level, you benefit from the calls not even being made. The Pi-hole can be customized with an endless set of rules to block about any ads, beacons, trackers. Couple this with uBlock Origin, Privacy Badger, Decentraleys, Referer Block, and some creative browser settings (about:config) and you are largely safe from prying eyes. JS can be whitelisted, etc. You have nothing to lose.
My setup is similar. Pihole with dnssec and dnscrypt-proxy connected to cloudflare. Didn't see a reason to use the cloudflared package instead of dnscrypt-proxy.
Without a doubt, DNS-over-HTTPS introduces some major concerns from a network operator and security perspective. But I'm also very privacy focused, and am conflicted on the issue.
>[Mozilla] believe that they need to build technology that will accommodate a hostile network operator who is going to replace your DNS with things pointing to their advertising servers or is going to monitor what you do and send it off to some human rights violation team somewhere and so rather than tell you to use VPNs or tell you to use tor they decided to build DNS into the web
Requiring the average Joe to use a VPN service just so they can have some reasonable attempt at privacy isn't really an option, as we have seen. Privacy shouldn't be a luxury reserved only for those who can afford it. What I would really like to see is our lawmakers step up and make modern privacy laws with respect to technology and the data that results of it, but that clearly isn't happening. Unfortunately, DNS-over-HTTPS will very likely be used against the consumer in the long-run. Instead of using a pi-hole with port 53 blocked, I can see many devices will start using DNS-over-HTTPS to bypass those restrictions. Chromecast, rokus, and other devices already have hard-coded DNS addresses built-in, it won't be a very large step for them to switch to DNS-over-HTTPS to bypass my own network policies.
His main argument seems to be that the network operator should have control over DNS requests for safety reasons. Control and monitoring. This is the antithesis of privacy and encryption. I wouldn't be surprised if he was pro http over https either.
Think a corporate network. If I as a sysadmin set our DHCP options to give out our own resolvers, I expect that every machine on the domain to use ours.
DoH breaks that completely; and hence the network operator should have the final say.
As a sysadmin myself, if browsers are overriding the basic model of top down, and it hurts me, because when something is wrong, I cant just look on my machine, I have to check which browser they use... that is the antithesis of the problem, because when DoH doesn't work but normal DNS does, then I'm flat out of options.
This is why I choose not to use Firefox or any of the DoH mainline providers (Cloudflare,) and I go out of my way to make sure users cant do it.
The GP isn't arguing against TLS; he is arguing against random apps ignoring network-wide settings. When such app breaks, he cannot diagnose the problem, he has to diagnose first that the problem is caused by an app that ignores a setting it shouldn't ignore.
It is always the case that an app can break due to something in the app itself. An app may for example link with a different TLS implementation that breaks. Or an app may use the local DNS resolvers but do DNSSEC local validation.
With QUIC (HTTP3) a large part of the network stack will be part of the application. So you lose that visibility as well.
A corp network should set up their own DoH resolver anyway. And/or simply install a cert on their workstations and MITM every TLS connection.
Even better corps should only allow TLS that they can successfully MITM.
It's basic security. If the endpoint/host can do whatever due to lack of firewall/enforcement, then it doesn't really matter what the network operator wants.
> A corp network should set up their own DoH resolver anyway
What good is that is the browser uses their own list?
Literally that's what the article is saying. Firefox will force users to use ones that break the top-down approach on how software works. If I set a DHCP option for DoH, and setup my own DoH resolver, Firefox wont care, they will jsut use their list.
This also opens up possibilities for selling positions on the trusted list, because we've seen that happen before (adblock, or the firefox Mr Robot extension.)
Firefox itself, with plays like this are trying to make a decision about the whole, when they are completely forgetting the corporate side.
Are you going to change the settings manually after each connection in different network? Most people won't. We already have an automation for that, called DHCP, setting up network specific config system-wide... which Mozilla decided to ignore.
On your router, you can configure whatever you want to use for the DNS. You were able to do that for years.
But I want all the devices and apps to use whatever the local network tells them. I don't want to reconfigure the browser every time I connect at home/work/customer place/etc.
P.S. My ISP's DNS doesn't lie. Maybe you should vote with your money and choose better.
> On your router, you can configure whatever you want to use for the DNS. You were able to do that for years.
Sure, if you have a router and know how to configure it. The second requirement excludes the vast majority of non-tech-savvy users, even though they are also harmed by lying or data-collecting DNS resolvers and likely would not consent to them if asked. (The first requirement additionally excludes phones and other devices directly connected to a mobile network; of course, you can generally configure the devices themselves to use a different DNS server, but it may be annoying if you have a lot of them. More convenient if devices already default to the option that protects your privacy, i.e. DoH.)
> P.S. My ISP's DNS doesn't lie. Maybe you should vote with your money and choose better.
Even if it doesn’t lie, does it log requests and sell that data? Are you sure?
Anyway, in many locations including most of the US, there’s no meaningful choice available among wireline ISPs.
The point is that your router is a client of your ISPs network and you're overriding the servers provided by DHCP to your router.
In a crazy world where internally Firefox ran a small IP network for each tab and routed traffic between them for IPC would it suddenly be okay for Firefox to override DNS? Why or why not?
The difference is not in what is being done, but in who is in charge.
If you modify your router settings, it's you. You decided that you are not going to honor ISP suggested defaults, and it is up to you to assess costs/benefits and pick the right choice.
If Firefox overrides your settings, it means someone else does the decision about your tools. If that someone else makes it difficult to automate changing the default (e.g. ignoring DHCP; if you want, you can ignore DHCP at the system level, but this is not a decision an app should take), it means, that this someone else doesn't have good intentions towards you. Someone else decided what's "best" for you.
But right now within epsilon every computer will just blindly take what is given to it by DHCP making the local network operator, who is for almost everyone an untrusted party, the person who decides what's best for you.
I agree that DNS should be a system level concern rather than an app-level concern but in the real world browsers want to protect their users' privacy and the OS they run on doesn't do that. If every app went out and started using app-level DNS then it might get annoying but browsers are particularly privacy and security sensitive.
With this change almost everyone (i.e. people who don't mess with their OS setting and don't know or care what DNS is) are markedly better off.
I am no sysadmin but working closely with some. I have never seen any case where HTTPS-MITM helps. Yes, theoretically it does allow us to scan for malicious content in a secured connection. Brilliant, but that are not the attack vectors they are concerned about.
So what is left is that breaking up TLS just infringes on privacy and allows for tighter control. The security aspect is laughable.
Users are angry that their internet got slower, an it creates an enormous administrative cost, because you need countless exceptions to the rules.
Some of your best friends, eh? The point of MITMing HTTPS in an enterprise setting is not inbound content scanning (though that's pretty useful to), it's to prevent outbound transfer of secrets/HIPAA or PII data/financial data, and it's a regulatory requirement for some industries.
Besides, the point of DoH is to move DNS into the browser, which Google also controls, to prevent pihole-like DNS-based ad blocking. Cloudflare supports it because it allows them to lock down one of the few remaining actual distributed systems powering the internet. These companies are not your friends, and you should think harder about their incentives.
> it's a regulatory requirement for some industries.
It won't be when it's functionally impossible, which seems to be the point.
You do see the light at the end of the tunnel, right? Browsers shipping their own unmodifiable CA stores and disrespecting 3rd-party CAs signatures for public DNS names.
It seems you don't understand that there's Firefox ESR and other browsers too. The law very likely won't change just because consumer-friendly browsers by default are not enterprise-friendly. Big corps provision and manage their machines themselves, they modify the packages' built in configuration (they either create a new install package, or do it after install with scripts, or - if the application supports some kind of "group policy" then they use that).
Cost of compliance is a real thing, and making the workstations secure and compliant with their own policy is their responsibility in those industries. It's not fun, but it's perfectly doable.
Sysadmins should concentrate on managing and securing the devices and not the network. This is advantageous with todays mobile workforce where users expect the same experience at the office, coffee shop or home.
The argument that because encryption can be used for nefarious purposes it should not be offered by DNS providers at all does not add up. ISPs can block, redirect and sell DNS traffic and many are already doing some or all of these.
I’m specifically arguing that dns lookups should not be encrypted. Dns can be descriptive: ntp.example.com sounds like an Ntp server. Oh- this pcap shows an ntp flow afterwards. Probably synchronizing time.
Oh- adnetwork.example.com. Probably serving up ads.
I need to look at every protocol flow and sort by IP?
Who in their right mind blindly trusts all computers like this? If you ever want to troubleshoot your network, your job becomes way more tedious if dns requests are encrypted.
The issue comes from network operators wanting to control DNS from being a middleman in the connection, but there is no way to ensure the people acting as middlemen in the connection are authorized to be in the middle or authorized to change those DNS requests.
If a network operator can change DNS, then the ISP, network hops, or a malicious twin AP can as well.
ISPs also provide "their" DNS rr's. That does not mean you have to use ISPs' DNS RR to access the DNS.
> The DNS belongs to the network.
This is the question - should the network really be able to tell the client what IP corresponds with a DNS name? if no, then there's no good solution to blocking websites where you can't install things on the client's device. Meanwhile, if you say yes, then you must also say yes to ISPs being able to tell the client what IP corresponds to a DNS name. The only solution in an enterprise context is to buy new hardware (or install a software update if Cisco is feeling benevolent) that runs a DoH server. In a school-bocking-porn context, you could ban the biggest offenders via IP (mindgeek sites have a dedicated IP space I think, and you could cron your own DNS lookups for other non-CDN sites) and use SNI whitelist until eSNI is added to iOS.
The main argument should be that the OS controls what DNS is used.
The user of the OS can then set their own DNS. If applications just ignore this and use their own it takes away power from the user. Sure Firefox lets you turn it off, but a lot of people won’t bother.
After seeing every implementation of DoH giving a flying fuck about your actual network settings, I’ve decided it’s a technology I want nothing to do with.
I’ve actually actively blocked DoH for the major providers on my router, by writing some custom iptables rules.
Hopefully there will be a simple to use OpenWrt-package which you can install to do this automatically in the future.
I'll have to correct myself. It seems I gave up on the iptables-approach due to having some correctness errors.
Instead I ended up with these lines in /etc/config/firewall:
config rule
option target 'ACCEPT'
option name 'Allow router to perform DNS'
option family 'ipv4'
option src_ip '192.168.1.1'
option dest_port '53'
option src '*'
option dest '*'
config rule
option src 'lan'
option name 'Disallow Google DNS from LAN'
option family 'ipv4'
option dest_ip '8.8.8.8'
option target 'REJECT'
option dest 'wan'
config rule
option src 'lan'
option name 'Disallow Google DNS from LAN (2)'
option dest 'wan'
option family 'ipv4'
option dest_ip '8.8.4.4'
option target 'REJECT'
config rule
option src 'lan'
option name 'Disallow Cloudflare DOH from LAN'
option dest_ip '1.1.1.1'
option dest_port '443'
option target 'REJECT'
option proto 'tcp'
option family 'ipv4'
option dest 'wan'
config rule
option src 'lan'
option name 'Disallow Cloudflare DOH from LAN (2)'
option proto 'tcp'
option dest 'wan'
option dest_ip '1.0.0.1'
option dest_port '443'
option family 'ipv4'
option target 'REJECT'
config rule
option src 'lan'
option name 'Disallow Cloudflare DOH from LAN (3)'
option dest_ip '104.16.249.249'
option family 'ipv4'
option dest 'wan'
option target 'REJECT'
Pretty much as basic as you'd think.
Router itself acts as a DNS-server via dnsmasq, and is allowed to do anything I decide I want.
On my network I have a pi-hole instance which then forwards queries to the router, so it also intercepts/looks up local LAN names correctly.
All clients on the network are provided the pi-hole as the canonical DNS-server to use via DHCP options.
I’ve begun to think that differences of opinion on the benefits and/or negatives of DoH come from two different perspectives on what DNS is for.
What I perceive from the debate is generally that people who dislike DoH tend to perceive it as a network plane protocol, one that is designed for network operations and nothing more (layer 3/4 if you will).
Whereas people who tend to want privacy and the other features of DoH, perceive it as an application level concern (layer 7). In this context connectivity and discoverability of services is the aim, and knowing that the information for establishing connections to those services is correct is important to the foundations and guarantees of applications being built to utilize DNS.
In the application and services context, you may not even want a single set of recursive resolves or authorities for the system. And the reasons are to help ensure the data is focused on what you need in different contexts.
I believe that the network level concerns over DoH are a little disingenuous, and this is because there are many ways to circumvent DNS, DoH isn’t necessary, you don’t even need DNS to establish layer3/4 connections. Fighting over DoH for security that can’t truly be enforced in DNS, seems misguided.
I want privacy and consider DNS an operational issue. I run my own stub and recursive resolvers in my networks to avoid relying on centralized entities on the system level and don't want random applications to bypass it and funnel even more information to google or cloudflare than they already get anyway. Today it's firefox, tomorrow it's shady phone apps that want to bypass content filters and ping their trackers.
DoH gains me nothing since I already tunnel the traffic to my resolver. What I really want is something like dnscurve.
Securely contacting the authoritative servers from a recursive resolver under my control instead of relying on some big corporation.
Currently DoH or DoT are only used and designed with the goal[0] to secure stub resolver <-> recursive resolver traffic. Someone has to operate that recursive resolver and you have to trust them. So you only shift the problem from having to trust your ISP to having to trust cloudflare/google/etc.
Dnscurve is intended to secure the recursive resolver <-> authoritative traffic, which means you don't have to rely on another party to secure your traffic. I guess dns over dtls could in principle fill the same role, albeit with more overhead.
Maybe I'm misunderstanding something, but aren't you talking about running a stub/recursive resolver with DNSCurve? You could do the same with DoT, or DoH.
It sounds like DNSCurve might be easier to configure and setup from your perspective?
No, the traffic from individual machines to my recursive resolver is already secured or trusted, either because it's a trusted network or going through a tunnel.
What I am missing is a way to secure the traffic from the recursive resolver to all the authoritative name servers in the world, i.e. to achieve end-to-end encryption for lookups.
Yes I am aware that this would require dnscurve support in most authoritative servers around the world and that the rollout would take many years. But DoH provides a false sense of security, to me it's a distraction that just shifts us from ISPs saying "trust us" to google&co doing it.
I think we're coming to DNSSEC + TLS vs. DNSCurve at this point.
I'm not so convinced that the authenticity of the data you're conferring to the DNSCurve network is conferring greater security than DNSSEC and TLS. I'm not arguing one is better than the other, but I kinda see it as a wash.
TLS DNS and DNSCurve perform essentially the same function, so it doesn't make much sense to compare one with DNSSEC and one without. What blurs the line a little is that DNSCurve is explicit about its goal of providing bottom-up DNS security --- in a world with near-universal DNSCurve deployment, the need for DNSSEC would be minimized. But that's in fact true of TLS DNS, as well --- it's just not something the IETF is explicit about.
Both DNSSEC and DNSCurve are basically dead-letter standards at this point; interestingly, the stake through both their hearts is DNS over TLS or HTTPS, but for different reasons: DNSCurve, because DoTLS essentially replaces the entire protocol, and DNSSEC because DoTLS reveals (through its rapid adoption, among other things) how marginal DNSSEC's contribution actually is.
DNS-over-(d)TLS approaches don't aim to secure the traffic between recursive resolvers and authoritative servers[0][1]. Is there any newer work going in that direction?
I can think of 3 main use-cases for DNS blocking on a network level:
1. content policies: blocking porn, censorship, etc (already easily circumvented by changing DNS or using a VPN)
2. preventing malware command and control: blocking domains that malware phones home to (already easily circumvented by including their own resolver, etc)
3. preventing malware infection: blocking domains serving malware (you might lump "ads" in this category too, e.x. Pi-hole)
IMHO the 3rd is the only use-case worth trying to solve with DNS blocking, because the user isn't actively trying to circumvent it.
Applications using their own resolvers do make that difficult to do. It seems like it would be best if operating systems implemented DoH at the system level, including DHCP support, so devices could use the network's DoH resolver which might do malware blocking.
Applications like Firefox could fall back to their own DoH resolver if they had a way to detect the system was not using DoH. This would also encourage network operators to support DoH.
> It seems like it would be best if operating systems implemented DoH at the system level, including DHCP support, so devices could use the network's DoH resolver which might do malware blocking.
3 is reasonable. I think you stated that well, "the user isn't actively trying to circumvent it", though I might expand that to include the application isn't actively trying to circumvent it. For passive mitigation of standard browsing as a means of helping protect yourself, yes, but even there, it won't take long for systems to figure out a way to circumvent that.
Using and embedded resolver or switching to a third-party DNS server, at least within many corporate networks, isn't viable because outbound DNS traffic is allowed only from the "blessed" stub resolvers. That doesn't change scenario 1, however scenarios 2 and 3 are rendered moot.
> I believe that the network level concerns over DoH are a little disingenuous
I disagree. The problem with DoH is that it masquerades DNS lookups as web traffic. Other means of doing DNS lookups, encrypted or not, can be easily determined to be DNS lookups and handled according to the network policies.
By disguising the lookups as web traffic, it means that I can no longer leave web traffic alone. I have to MITM HTTPS now. If they were happening on their own ports, I would have less invasive methods available, such as running my own resolver.
Can you describe the threat model your trying to account for?
The reason I made that statement has to do with the means by which DNS can easily be circumvented and direct encrypted connections used instead. This means using DNS introspection as a means for security doesn't buy you much, DoH just makes that more apparent.
The threat model is anything that is trying to phone home without approval. This includes calling command-and-control servers, trackers for ads, data exfiltrators, etc.
All of these use domain names to set up the communications, for obvious reasons, so being able to thwart those lookups is of great value.
You're right, that all by itself is insufficient, but it's still very important.
"To that end, today we are releasing a list of DOH requirements, available on the Mozilla wiki, that we will use to vet potential resolvers for Firefox. The requirements focus on three areas: 1) limiting data collection and retention from the resolver, 2) ensuring transparency for any data retention that does occur, and 3) limiting any potential use of the resolver to block access or modify content."
I sometimes use a local resolver bound to localhost that blocks ads by pointing to a custom root.
If someone aiming to be on the TRR list sets up a remote resolver that blocks ads (or replaces them with blank images) perhaps using the same technique, it could allow Firefox users to get ad blocking by default, by using DOH.
I wonder if that would violate Mozilla's requirements?
Are ads considered "content"?
There is of course precedent for blocking undesirable content via DNS as a "service".
Third party DNS service, for example the famous one that starts with "O", has been used to block certain content, e,g, at schools.
This was offered as a fee-based service.
If I remember correctly they also offered "free" service which was subject to redirection of NXDOMAIN to paid placement "search" results/ads.
This is talking about requirements for resolvers that will be included by default:
We have implemented DNS over HTTPS [RFC8484] and would like to
deploy it by default for our users. We intend to select a set of
Trusted Recursive Resolvers (TRRs) that we will use for DoH
resolution.
> I wonder if that would violate Mozilla's requirements?
The real question is if you're allowed to use your own resolver that conforms to your requirements if they differ from Mozilla's, even if a bit buried from the default list,
This has negative implications for security. For instance, one reason why DNS resolvers might block or modify requests is to blacklist domains used for malware operation (botnet C&C domains). Other things like DNS sinkholing and poisoning are also frequently used as tools to disrupt malware communication.
In addition, collection and analysis of below-the-recursive DNS traffic is one of the primary ways in which security researchers discover the infrastructure of botnet networks.
Overall DoH is probably a net positive, but I don't see downsides like this being discussed.
DNSCrypt and other solutions typically involve changes to the DNS resolver in the underlying operating system. That's a lot harder to get changed and deployment can take a long time.
DOH can be implemented directly inside of the web browser application, since those browsers are obviously already doing everything over HTTPS. So the browser developers just have to build in a DNS client. From their perspective, I would see that being much simpler. And deployment is as easy as the next browser application update.
DoH has already more adoption than all previous approaches combined. (Note: I don't think DNS-over-QUIC is really any different from DoH. QUIC is just another way of transmitting HTTPS, so you can just do DoH over QUIC.)
(It's been a long time since I've actually set up a DNS server and am pretty fuzzy on some details - so I'm going to state this like a real nooby to hopefully get an ELI5 answer)
If I were to set up my own DoH server, would its queries to upstream (root??) servers (and subsequent recursed servers) be encrypted? (Simpler: does running a DNS server "on-premise", or even in the cloud, actually protect you from anything?)
No, DoH only deals with client to resolver encryption.
Recursive lookups from the resolver to authoritative DNS servers from the root down are not encrypted.
Really what you are doing is switching between telling your ISP all the domains you look up to telling Google/Cloudflare. Except your ISP can still see SNIs so you’re really just telling Google/Cloudflare in addition to your ISP.
What is the justification for an app to resolve domain names differently than the services the operating system provides? I am really curious why this is a thing.
Windows doesn't provide privacy when it comes to DNS queries. It still uses old fashion, plain text DNS. Firefox is trying to protect its users from prying eyes.
Then complain to Microsoft, ship VPN software like Cloud Flare, and quit doing things in the browser that aren't browsing. This attitude that "I can suck functions into the browser" that do not take into account all the scenarios that OS vendors already have to deal with is a pain in the butt.
Glad that they allowed resolvers that filter content based on the user request in there. So good news that Quad9 and CleanBrowsing will be able to make the list.
I have two reason to like DoH: public wifi blocking sites and ISPs blocking sites. I understand that it is "wrong" from the perspective of a network stack, but for my use case that is far from being even a weak issue.
The article talks about Firefox behavior when DoH is enabled. It's not enabled by default. The article doesn't say it's getting enabled by default, or under what conditions it might get enabled by default.
At the very start of the linked article, it says this:
"Over the past few months, we’ve been experimenting with DNS-over-HTTPS (DoH), a protocol which uses encryption to protect DNS requests and responses, with the goal of deploying DoH by default for our users."
“4. The user will be informed that we have enabled use of a TRR and have the opportunity to turn it off at that time, but will not be required to opt-in to get DoH with a TRR.”
Yes, I'm aware. Again, the conditions that need to be met for this to happen are still being determined, including the timeframe and the exact behavior.
So can I manually set one myself to my local pi-hole instance? I have already been setting the TRR about:config values (ala [0]), will that remain?
I am wary of Mozilla becoming the arbiter of acceptable DNS providers for me, so I should be able to override it if I want.
0 - https://blog.stackpath.com/serverless-dns-over-https-at-the-...