Firefox: Leave My DNS Alone
markalanrichards.comMozilla jumped the gun on this, all they really needed to do was announce their DoH application program _before_ they started turning it on by default.
As it stands, Mozilla has a Trusted Recursive Resolver Policy[0], which CloudFlare abides by, but lots of other resolvers (such as Quad9) are not allowed to be added to the FF config.
I'd reached out to Mozilla months back asking for the application process (when they announced the TRR policy). I've been running a DoH resolver from within Indian jurisdiction (for legal research) - but without Mozilla having a process - it is just me using it.
[0]: https://wiki.mozilla.org/Security/DOH-resolver-policy [1]: https://captnemo.in/doh/
Paul Vixie gave just gave a talk at vBSDCon about DNS-over-HTTPS where he outlines some the problems he seems at it. Hopefully the video will be up shortly, but in the meantime some slides:
Agreed. Mostly regarding the part that DNS should be solved at the OS level. Encrypted DNS is a good idea, HTTPS seems like a questionable encryption layer, but it will serve. However, apps should not take DNS into their own hands.
DNS is part of a systems configuration. By setting it, you choose, and can change, your views of the internet. If all of a sudden, that view becomes inconsistent across apps, that is confusing. Moreover, if an application gives an unexpected view of the world (e.g. missing local domains, local redirects, or local blocks) that can have negative impact.
If we screw this up in our haste to secure DNS, we'll be stuck with another legacy half-solution our internet infrastructure. This is essentially taking on global technical debt to get secured DNS requests just a bit faster.
For us Russians, it's a very welcome feature. Our government illegally does mass-scale censorship/blocking of websites, making the Internet almost unusable without commercial VPN, and it looks like soon commercial VPN services would be blocked too. This DoH feature might help to combat the problem without complex measures.
I, for one, rejoice that the United States government has outsourced the squashing of unpopular, dissenting opinions to private industry.
Having search engines and social media sites implement our censorship affords American citizens more room to do victory laps about our Constitution.
It would be nice if Firefox also had DNS-over-TLS support.
I'm not against encrypted DNS, and can see where DoH can be handy for a lot of the general public, but as someone in IT, having to jump through hoops to keep our internal split-horizon DNS workings is annoying.
I don't have a problem with DNS-over-TLS, I don't know enough about it... but I'm afraid I want DNS from Firefox's perspective to be plaintext, transparent and easy for me to check and even change. Like the filesystem is.
Not just for me, easy for Privacy International to audit when verifying apps tracking, easy for OpSec on my work laptop and easy for my firewall tooling to intercept and manage.
I want the OS's network stack to transparently proxy that plaintext request to an encrypted one: which may well be DoH or DNS over TLS, just like filesystem drivers proxy plaintext file requests over encrypted hard disks.
Whether this is by a plain text request over loopback, using the existing plain text DNS protocol or a more efficient OS api I'll happily leave evolution to resolve: but for now the plaintext protocol might be the fastest thing to proxy.