His main argument seems to be that the network operator should have control over DNS requests for safety reasons. Control and monitoring. This is the antithesis of privacy and encryption. I wouldn't be surprised if he was pro http over https either.
Think a corporate network. If I as a sysadmin set our DHCP options to give out our own resolvers, I expect that every machine on the domain to use ours.
DoH breaks that completely; and hence the network operator should have the final say.
As a sysadmin myself, if browsers are overriding the basic model of top down, and it hurts me, because when something is wrong, I cant just look on my machine, I have to check which browser they use... that is the antithesis of the problem, because when DoH doesn't work but normal DNS does, then I'm flat out of options.
This is why I choose not to use Firefox or any of the DoH mainline providers (Cloudflare,) and I go out of my way to make sure users cant do it.
The GP isn't arguing against TLS; he is arguing against random apps ignoring network-wide settings. When such app breaks, he cannot diagnose the problem, he has to diagnose first that the problem is caused by an app that ignores a setting it shouldn't ignore.
It is always the case that an app can break due to something in the app itself. An app may for example link with a different TLS implementation that breaks. Or an app may use the local DNS resolvers but do DNSSEC local validation.
With QUIC (HTTP3) a large part of the network stack will be part of the application. So you lose that visibility as well.
A corp network should set up their own DoH resolver anyway. And/or simply install a cert on their workstations and MITM every TLS connection.
Even better corps should only allow TLS that they can successfully MITM.
It's basic security. If the endpoint/host can do whatever due to lack of firewall/enforcement, then it doesn't really matter what the network operator wants.
> A corp network should set up their own DoH resolver anyway
What good is that is the browser uses their own list?
Literally that's what the article is saying. Firefox will force users to use ones that break the top-down approach on how software works. If I set a DHCP option for DoH, and setup my own DoH resolver, Firefox wont care, they will jsut use their list.
This also opens up possibilities for selling positions on the trusted list, because we've seen that happen before (adblock, or the firefox Mr Robot extension.)
Firefox itself, with plays like this are trying to make a decision about the whole, when they are completely forgetting the corporate side.
Are you going to change the settings manually after each connection in different network? Most people won't. We already have an automation for that, called DHCP, setting up network specific config system-wide... which Mozilla decided to ignore.
On your router, you can configure whatever you want to use for the DNS. You were able to do that for years.
But I want all the devices and apps to use whatever the local network tells them. I don't want to reconfigure the browser every time I connect at home/work/customer place/etc.
P.S. My ISP's DNS doesn't lie. Maybe you should vote with your money and choose better.
> On your router, you can configure whatever you want to use for the DNS. You were able to do that for years.
Sure, if you have a router and know how to configure it. The second requirement excludes the vast majority of non-tech-savvy users, even though they are also harmed by lying or data-collecting DNS resolvers and likely would not consent to them if asked. (The first requirement additionally excludes phones and other devices directly connected to a mobile network; of course, you can generally configure the devices themselves to use a different DNS server, but it may be annoying if you have a lot of them. More convenient if devices already default to the option that protects your privacy, i.e. DoH.)
> P.S. My ISP's DNS doesn't lie. Maybe you should vote with your money and choose better.
Even if it doesn’t lie, does it log requests and sell that data? Are you sure?
Anyway, in many locations including most of the US, there’s no meaningful choice available among wireline ISPs.
The point is that your router is a client of your ISPs network and you're overriding the servers provided by DHCP to your router.
In a crazy world where internally Firefox ran a small IP network for each tab and routed traffic between them for IPC would it suddenly be okay for Firefox to override DNS? Why or why not?
The difference is not in what is being done, but in who is in charge.
If you modify your router settings, it's you. You decided that you are not going to honor ISP suggested defaults, and it is up to you to assess costs/benefits and pick the right choice.
If Firefox overrides your settings, it means someone else does the decision about your tools. If that someone else makes it difficult to automate changing the default (e.g. ignoring DHCP; if you want, you can ignore DHCP at the system level, but this is not a decision an app should take), it means, that this someone else doesn't have good intentions towards you. Someone else decided what's "best" for you.
But right now within epsilon every computer will just blindly take what is given to it by DHCP making the local network operator, who is for almost everyone an untrusted party, the person who decides what's best for you.
I agree that DNS should be a system level concern rather than an app-level concern but in the real world browsers want to protect their users' privacy and the OS they run on doesn't do that. If every app went out and started using app-level DNS then it might get annoying but browsers are particularly privacy and security sensitive.
With this change almost everyone (i.e. people who don't mess with their OS setting and don't know or care what DNS is) are markedly better off.
I am no sysadmin but working closely with some. I have never seen any case where HTTPS-MITM helps. Yes, theoretically it does allow us to scan for malicious content in a secured connection. Brilliant, but that are not the attack vectors they are concerned about.
So what is left is that breaking up TLS just infringes on privacy and allows for tighter control. The security aspect is laughable.
Users are angry that their internet got slower, an it creates an enormous administrative cost, because you need countless exceptions to the rules.
Some of your best friends, eh? The point of MITMing HTTPS in an enterprise setting is not inbound content scanning (though that's pretty useful to), it's to prevent outbound transfer of secrets/HIPAA or PII data/financial data, and it's a regulatory requirement for some industries.
Besides, the point of DoH is to move DNS into the browser, which Google also controls, to prevent pihole-like DNS-based ad blocking. Cloudflare supports it because it allows them to lock down one of the few remaining actual distributed systems powering the internet. These companies are not your friends, and you should think harder about their incentives.
> it's a regulatory requirement for some industries.
It won't be when it's functionally impossible, which seems to be the point.
You do see the light at the end of the tunnel, right? Browsers shipping their own unmodifiable CA stores and disrespecting 3rd-party CAs signatures for public DNS names.
It seems you don't understand that there's Firefox ESR and other browsers too. The law very likely won't change just because consumer-friendly browsers by default are not enterprise-friendly. Big corps provision and manage their machines themselves, they modify the packages' built in configuration (they either create a new install package, or do it after install with scripts, or - if the application supports some kind of "group policy" then they use that).
Cost of compliance is a real thing, and making the workstations secure and compliant with their own policy is their responsibility in those industries. It's not fun, but it's perfectly doable.
Sysadmins should concentrate on managing and securing the devices and not the network. This is advantageous with todays mobile workforce where users expect the same experience at the office, coffee shop or home.
The argument that because encryption can be used for nefarious purposes it should not be offered by DNS providers at all does not add up. ISPs can block, redirect and sell DNS traffic and many are already doing some or all of these.
I’m specifically arguing that dns lookups should not be encrypted. Dns can be descriptive: ntp.example.com sounds like an Ntp server. Oh- this pcap shows an ntp flow afterwards. Probably synchronizing time.
Oh- adnetwork.example.com. Probably serving up ads.
I need to look at every protocol flow and sort by IP?
Who in their right mind blindly trusts all computers like this? If you ever want to troubleshoot your network, your job becomes way more tedious if dns requests are encrypted.
The issue comes from network operators wanting to control DNS from being a middleman in the connection, but there is no way to ensure the people acting as middlemen in the connection are authorized to be in the middle or authorized to change those DNS requests.
If a network operator can change DNS, then the ISP, network hops, or a malicious twin AP can as well.
ISPs also provide "their" DNS rr's. That does not mean you have to use ISPs' DNS RR to access the DNS.
> The DNS belongs to the network.
This is the question - should the network really be able to tell the client what IP corresponds with a DNS name? if no, then there's no good solution to blocking websites where you can't install things on the client's device. Meanwhile, if you say yes, then you must also say yes to ISPs being able to tell the client what IP corresponds to a DNS name. The only solution in an enterprise context is to buy new hardware (or install a software update if Cisco is feeling benevolent) that runs a DoH server. In a school-bocking-porn context, you could ban the biggest offenders via IP (mindgeek sites have a dedicated IP space I think, and you could cron your own DNS lookups for other non-CDN sites) and use SNI whitelist until eSNI is added to iOS.
The main argument should be that the OS controls what DNS is used.
The user of the OS can then set their own DNS. If applications just ignore this and use their own it takes away power from the user. Sure Firefox lets you turn it off, but a lot of people won’t bother.
