Why does Firefox want me to use Cloudflare as my DNS server, is Firefox
being paid for this

AT&T is my DNS server, and today I ran in to a problem when searching
with DuckDuckgo, and got the message to check with Cloudflare to find
out what the problem is.

I had to go into settings change my DNS server back to AT&T.

Johnny <johnny@invalid.net> wrote:

> Why does Firefox want me to use Cloudflare as my DNS server, is Firefox
> being paid for this
>
> AT&T is my DNS server, and today I ran in to a problem when searching
> with DuckDuckgo, and got the message to check with Cloudflare to find
> out what the problem is.
>
> I had to go into settings change my DNS server back to AT&T.

If you know the settings, you can specify which DoH (DNS over HTTPS)
service to use. Do you know settings for other?

DNS server settings inside of Firefox have no effect over the DNS
servers specified in the OS' DNS settings. Other web clients will use
the IPv4 and IPv6 DNS settings defined in the OS.

When in Firefox, what did you select for "Enable secure DNS using"? The
"Default protection" is new, and has Firefox decide if and when to use a
DoH (but it doesn't say which). Who it picks probably relates to where
you are as to which DoHs are available in that region.

"Increased protection" has you pick which DoH to use. 2 are
pre-defined: Cloudflare, and NextDNS. Pick Custom if you know the
settings to enter. However, according to the description, this level
only uses the specified DoH if the one Firefox picked isn't working.
"Max protection" always uses the one you specify. "Off" obviously means
you don't use DoH inside of Firefox. That means all DNS requests (port
53) are sent in the clear (no encryption, anyone can see to where you
connect, including your ISP).

I set it to Max. It used to be on or off, and I select On, and selected
Cloudflare. I want to know which DoH is getting used. I choose
Cloudflare as I did some reading about their DoH. I don't what string
to enter under Custom to pick one that isn't pre-defined in Firefox.
Since the point of DNS is to send a hostname and get back an IP address,
I expect the string would have to specify the IP address of whichever
other DoH you want to use. There are many DoHs providers available.

Cloudflare
NextDNS
Google
Quad9
AdGuard

Some argue DoT (DNS over TLS) is a better protocol, but there were
delays in protocol and implementation, so Mozilla and Google went with
DoH for now.

No, there's no recompense to Mozilla for using a particular DoH. It's
more like Cloudflare was one of the leaders, stabilize it, and Mozilla
was content with Cloudflare's performance.

If you set DoH in Firefox to off, Firefox uses whatever DNS servers you
configured for the DNS server(s) specified for IPv4 and Ipv6 in the OS
settings.

What was the error you saw? Some sites incorporate flood and [D]DOS
filtering where you might see their site protection notify you that
they're checking you to see if you are a malicious source. Cloudflare
has their own site protection services that a lot of sites use.

On 24/10/2023 23:56, VanguardLH wrote:
> Some argue DoT (DNS over TLS) is a better protocol, but there were
> delays in protocol and implementation, so Mozilla and Google went with
> DoH for now.

My personal preference is DNSCrypt rather than either DoH or DoT.
It's encrypted and it's no slower than unencrypted DNS.
But annoyingly only OpenDNS and almost nobody else implement it.

--
Brian Gregory (in England).

On 24/10/2023 23:56, VanguardLH wrote:
> I set it to Max. It used to be on or off, and I select On, and selected
> Cloudflare. I want to know which DoH is getting used. I choose
> Cloudflare as I did some reading about their DoH. I don't what string
> to enter under Custom to pick one that isn't pre-defined in Firefox.
> Since the point of DNS is to send a hostname and get back an IP address,
> I expect the string would have to specify the IP address of whichever
> other DoH you want to use.

My guess is the information on the strings for Cloudflare is somewhere
in here:
https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/

--
Brian Gregory (in England).

Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:

> VanguardLH wrote:
>
>> Some argue DoT (DNS over TLS) is a better protocol, but there were
>> delays in protocol and implementation, so Mozilla and Google went with
>> DoH for now.
>
> My personal preference is DNSCrypt rather than either DoH or DoT.
> It's encrypted and it's no slower than unencrypted DNS.
> But annoyingly only OpenDNS and almost nobody else implement it.

As I recall, DoT (DNS over TLS) and DoH (DNS over HTTPS) were designed
to replace DNSCrypt. They used encryption over TLS or HTTPS instead of
a proprietary DNScrypt protocol.

DNScrypt is easier and faster to setup at a server. No need to
establish a new connection for each DNS query. Traffic is encrypted
from end-user to DNScrypt server, but not necessarily between DNScrypt
server to DNS server (some DNScrypt servers operate as a relay to a DNS
server). I don't recall Firefox has native DNScrypt support nor Chrome.
Are you using a DNScrypt proxy?

With your example, OpenDNS is both a DNScrypt and DNS provider. Alas,
little support elsewhere, because DNScrypt uses its own protocol. It
does not work atop of or over TLS or HTTPS. Both endpoints (client and
server) would have to support DNScrypt. For example, Yandex has their
DNScrypt server to their DNS server that works with their Yandex web
browser.

https://www.opendns.com/about/innovations/dnscrypt/
Section 4.

There's a list of DNScrypt servers at:

https://dnscrypt.info/public-servers/

Peculiarly OpenDNS is not listed. OpenDNS was, as I recall, the first
major DNS provider (acquired by Cisco) that embraced DNScrypt. Sorry, I
have no info on how reliable or reachable are all those DNScrypt
servers, but the list indicates if they are just a proxy to another DNS
server which means DNS traffic from the DNScrypt server to the DNS
server may not be secure. The proxy could just be converting DNScrypt
to DNS-in-the-clear to the DNS server.

DoT is slower and more difficult to setup. Using TLS means the traffic
is encrypts from user-end to DNS server. Uses port 853 which makes it
easy to spot and control DNS traffic in a corporate network. Censor
filtering can block or monitor port 853. Supports most/all servers.

DoH uses port 443 which is the same as for HTTPS. Blocking or
interfering with port 443 traffic means doing the same for other HTTPS
connections. The vast majority of HTTPS have you connect on port 443.
DoH traffic is mixed in with all other HTTPS traffic. To anyone
inspecting your web traffic, the DoH requests over port 443 look like
other HTTPS traffic. However, your ISP can see to where you make
connections, so they can see you are connecting to, say, Cloudflare a
lot. A web page may have many off-domain resources, and each requires a
DNS lookup. Something called Oblivious DoH (ODoH) is being proposed.

https://research.cloudflare.com/projects/network-privacy/odns/

Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:

> VanguardLH wrote:
>
>> I set it to Max. It used to be on or off, and I select On, and selected
>> Cloudflare. I want to know which DoH is getting used. I choose
>> Cloudflare as I did some reading about their DoH. I don't what string
>> to enter under Custom to pick one that isn't pre-defined in Firefox.
>> Since the point of DNS is to send a hostname and get back an IP address,
>> I expect the string would have to specify the IP address of whichever
>> other DoH you want to use.
>
> My guess is the information on the strings for Cloudflare is somewhere
> in here:
> https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/

Yeah, saw that article. A bit too short to use a reference, though. My
guess, and only a guess, is you specify the IP address of the DoH server
along with perhaps a port number, like 1.1.1.1:443 for Cloudflare. I've
not tested what string syntax is supported, and didn't find anyone, even
Mozilla, describing what to specify for the Custom selection.

You get articles like:

https://support.mozilla.org/en-US/kb/firefox-dns-over-https

which tell you how to use what Mozilla pre-defined in Firefox.

https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS

Tells you what IP address to use for their DoH front-end server to their
DNS server. Yet it seems very strange that OpenDNS says to use a
hostname, like:

https://doh.opendns.com/dns-query (standard, no filtering)
https://doh.familyshield.opendns.com/dns-query (blocks adult content)

Yet that would require a DNS lookup on those hostnames to get the IP
addresses for those hosts. People like names. Computers demand
numbers. I would think the proper syntax would be (for OpenDNS):

https://2620:119:fc::2/dns-query (IPv6) ---.__ standard (no filtering)
https://146.112.41.2/dns-query (IPv4) ---'
or
https://2620:119:fc::3/dns-query (IPv6) ---.__ block adult content
https://146.112.41.3/dns-query (IPv4) ---'

Using hostnames means an in-the-clear DNS query to get their IP
addresses before the actual request that is HTTPS encrypted. Their
example to configure Chrome uses IP addresses, so why would they be
promoting in-the-clear DNS hostname lookups in Firefox?

If enabling DoH in Chrome is still enabled using an experimental flag, I
wouldn't use DoH in Chrome. Google has a well-known history of removing
support for flags, or not moving a removed experimental flag into the
normal configure options. It just disappears. The above article is
only 7 months old, so I doubt Google has yet to incorporate the
experimental flag as a released version setting.

By the way, after changing Firefox's DoH setting from Default (Firefox
chooses) or Increased to Max (always use) I find lookups are much
faster. There were times when connecting to many HTTP pages at once
that the TLS handshaking (status bar) was taking too long. Switching to
Max takes away decision-making by Firefox. I'd manually enter the URL
into each new tab, did so for 6 tabs, and still have to wait to connect
to the web server. With Max, I can't complete entering the URL in the
next tab before the prior tab begins to populate. Could be Mozilla
fixed stalls during multiple and concurrent TLS handshaking sessions,
and me changing to Max really didn't affect time-to-start-loading a web
page at many sites.

Am 24.10.23 um 23:01 schrieb Johnny:
>
> Why does Firefox want me to use Cloudflare as my DNS server, is Firefox
> being paid for this
>
>
> AT&T is my DNS server, and today I ran in to a problem when searching
> with DuckDuckgo, and got the message to check with Cloudflare to find
> out what the problem is.
>
> I had to go into settings change my DNS server back to AT&T.

What exactly is your problem? If AT&T is not able to resove the request
it is a help. Cloudflare is at least as trustworthy as AT&T.

You can even use a DOHS-server in FF alongside your AT&T-server.

--
Gutta cavat lapidem (Ovid)

Am 25.10.23 um 00:56 schrieb VanguardLH:
> Johnny <johnny@invalid.net> wrote:
>
>> Why does Firefox want me to use Cloudflare as my DNS server, is Firefox
>> being paid for this
>>
>> AT&T is my DNS server, and today I ran in to a problem when searching
>> with DuckDuckgo, and got the message to check with Cloudflare to find
>> out what the problem is.
>>
>> I had to go into settings change my DNS server back to AT&T.
>
> If you know the settings, you can specify which DoH (DNS over HTTPS)
> service to use. Do you know settings for other?
>
> DNS server settings inside of Firefox have no effect over the DNS
> servers specified in the OS' DNS settings. Other web clients will use
> the IPv4 and IPv6 DNS settings defined in the OS.
>
> When in Firefox, what did you select for "Enable secure DNS using"? The
> "Default protection" is new, and has Firefox decide if and when to use a
> DoH (but it doesn't say which). Who it picks probably relates to where
> you are as to which DoHs are available in that region.
>
> "Increased protection" has you pick which DoH to use. 2 are
> pre-defined: Cloudflare, and NextDNS. Pick Custom if you know the
> settings to enter. However, according to the description, this level
> only uses the specified DoH if the one Firefox picked isn't working.
> "Max protection" always uses the one you specify. "Off" obviously means
> you don't use DoH inside of Firefox. That means all DNS requests (port
> 53) are sent in the clear (no encryption, anyone can see to where you
> connect, including your ISP).
>
> I set it to Max. It used to be on or off, and I select On, and selected
> Cloudflare. I want to know which DoH is getting used. I choose
> Cloudflare as I did some reading about their DoH. I don't what string
> to enter under Custom to pick one that isn't pre-defined in Firefox.
> Since the point of DNS is to send a hostname and get back an IP address,
> I expect the string would have to specify the IP address of whichever
> other DoH you want to use. There are many DoHs providers available.
>
> Cloudflare
> NextDNS
> Google
> Quad9
> AdGuard

Never trust an American DNS. Even if it is a DOHS.

And once more a short remark/question and an endless answer.

> Some argue DoT (DNS over TLS) is a better protocol, but there were
> delays in protocol and implementation, so Mozilla and Google went with
> DoH for now.
>
> No, there's no recompense to Mozilla for using a particular DoH. It's
> more like Cloudflare was one of the leaders, stabilize it, and Mozilla
> was content with Cloudflare's performance.
>
> If you set DoH in Firefox to off, Firefox uses whatever DNS servers you
> configured for the DNS server(s) specified for IPv4 and Ipv6 in the OS
> settings.
>
> What was the error you saw? Some sites incorporate flood and [D]DOS
> filtering where you might see their site protection notify you that
> they're checking you to see if you are a malicious source. Cloudflare
> has their own site protection services that a lot of sites use.

--
Gutta cavat lapidem (Ovid)

On 10/25/2023 4:54 AM, Jörg Lorenz wrote:

>
> Never trust an American DNS. Even if it is a DOHS.
>

Please explain why you said that.

On Wed, 25 Oct 2023 10:49:30 +0200
Jörg Lorenz <hugybear@gmx.net> wrote:

> Am 24.10.23 um 23:01 schrieb Johnny:
> >
> > Why does Firefox want me to use Cloudflare as my DNS server, is
> > Firefox being paid for this
> >
> >
> > AT&T is my DNS server, and today I ran in to a problem when
> > searching with DuckDuckgo, and got the message to check with
> > Cloudflare to find out what the problem is.
> >
> > I had to go into settings change my DNS server back to AT&T.
>
> What exactly is your problem? If AT&T is not able to resove the
> request it is a help. Cloudflare is at least as trustworthy as AT&T.
>
> You can even use a DOHS-server in FF alongside your AT&T-server.

My question was why? When Firefox is first installed Cloudflare is the
default DNS server. Why?

On 10/24/23 16:01, Johnny wrote:
>
> Why does Firefox want me to use Cloudflare as my DNS server, is Firefox
> being paid for this
>
>
> AT&T is my DNS server, and today I ran in to a problem when searching
> with DuckDuckgo, and got the message to check with Cloudflare to find
> out what the problem is.
>
> I had to go into settings change my DNS server back to AT&T.
>

DNS over HTTPS is kind of a ridiculous idea in the first place. For one,
DNS is not HyperText, so why would you use the HyperText Transfer
Protocol for it? (Don't bother answering, I know it's just to get around
lazy admins who block everything except ports 80 and 443--but that
doesn't make it right.)

Everything about the DNS over HTTPS rollout has been a mess. It should
NOT be on an application-by-application basis to ignore my computers'
DNS settings. If I want DNS over HTTPS, I will configure my systems to
use it. Firefox should not decide on its own to ignore my hosts file,
and it should not decide that it knows better than the DNS server I set
up. It certainly doesn't when it comes to my local network!

On 25.10.23 14:33, Retirednoguilt wrote:
> On 10/25/2023 4:54 AM, Jörg Lorenz wrote:
>
>>
>> Never trust an American DNS. Even if it is a DOHS.
>>
>
> Please explain why you said that.

You remember the year 2013 when Mr. E. Snowden uncovered the unlawful
and clandestine activities of a couple of four letter organisations in
the US and in particular of the NSA? They never stopped.

For the European Union the US is still an area in which data protection
and privacy is totally inadequate. The European High Court already
dismissed 2 treaties concerning the storage of data of European
individuals or companies with the US as not acceptable.

https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield

--
Gutta cavat lapidem (Ovid)

On 25.10.23 14:48, Johnny wrote:
> On Wed, 25 Oct 2023 10:49:30 +0200
> Jörg Lorenz <hugybear@gmx.net> wrote:
>
>> Am 24.10.23 um 23:01 schrieb Johnny:
>>>
>>> Why does Firefox want me to use Cloudflare as my DNS server, is
>>> Firefox being paid for this
>>>
>>>
>>> AT&T is my DNS server, and today I ran in to a problem when
>>> searching with DuckDuckgo, and got the message to check with
>>> Cloudflare to find out what the problem is.
>>>
>>> I had to go into settings change my DNS server back to AT&T.
>>
>> What exactly is your problem? If AT&T is not able to resove the
>> request it is a help. Cloudflare is at least as trustworthy as AT&T.
>>
>> You can even use a DOHS-server in FF alongside your AT&T-server.
>
> My question was why? When Firefox is first installed Cloudflare is the
> default DNS server. Why?

Because it is the fastest with the highest redundancy in the US?
I have never seen this behaviour. Sorry.

--
Gutta cavat lapidem (Ovid)

Am 25.10.23 um 16:04 schrieb rdh:
> DNS over HTTPS is kind of a ridiculous idea in the first place.

Again you try to Troll!
It is the best invention to protect the privacy of users. There is no
need that the internet service provider also knows *everything* users do.

--
Ave! Morituri te salutant!

Am 25.10.23 um 16:04 schrieb rdh:
> Firefox should not decide on its own to ignore my hosts file, and it
> should not decide that it knows better than the DNS server I set up.

Firefox never does that on his own. The user must take this decision.
And you are free to set up your DNS-server for other applications at
your OS-level.

To disperse DNS requests encrypted can be a very efficient and effective
way to avoid hidden privacy intrusions.

--
Ave! Morituri te salutant!

On Wed, 25 Oct 2023 18:50:56 +0200
Jörg Lorenz <hugybear@gmx.net> wrote:

> Am 25.10.23 um 16:04 schrieb rdh:
> > Firefox should not decide on its own to ignore my hosts file, and
> > it should not decide that it knows better than the DNS server I set
> > up.
>
> Firefox never does that on his own. The user must take this decision.
> And you are free to set up your DNS-server for other applications at
> your OS-level.
>
> To disperse DNS requests encrypted can be a very efficient and
> effective way to avoid hidden privacy intrusions.
>
>

The first time a did a new install of MX Linux and Firefox, Cloudflare
was the default DNS server. I found this out by accident, and changed
to AT&T.

I just noticed the privacy protection settings have completely changed.
There are several options now available.

On 10/25/2023 10:50 AM, Jörg Lorenz wrote:
> On 25.10.23 14:33, Retirednoguilt wrote:
>> On 10/25/2023 4:54 AM, Jörg Lorenz wrote:
>>
>>>
>>> Never trust an American DNS. Even if it is a DOHS.
>>>
>>
>> Please explain why you said that.
>
> You remember the year 2013 when Mr. E. Snowden uncovered the unlawful
> and clandestine activities of a couple of four letter organisations in
> the US and in particular of the NSA? They never stopped.
>
> For the European Union the US is still an area in which data protection
> and privacy is totally inadequate. The European High Court already
> dismissed 2 treaties concerning the storage of data of European
> individuals or companies with the US as not acceptable.
>
> https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield
>

Thanks for the reply. As a U.S. citizen by birth, I should be outraged
that the state of U.S. privacy is inadequate compared with many of our
closest allies. But in fact, I couldn't care less, given that the
mission of the federal law enforcement and intelligence agencies,
bureaus, etc. is to identify and interrupt domestic and/or foreign
criminal activities that violate our laws and/or constitute threats
against our country, and then prosecute the alleged criminal activity.

If they want to spy on me, I suspect that they will quickly realize that
I am a fully law-abiding citizen and they will move on to other people.
I don't engage in any illegal much less shameful behavior. I don't care
if the "government" knows my medical history, on-line shopping habits,
or reads my e-mail. I hope they enjoy seeing the travel photographs
I've occasionally posted on-line. However, I strongly prefer that they
didn't waste my taxpayer's dollars doing so and instead engaged in
activity consistent with their mission.

Of course, I would feel entirely differently if their mission was to
harass me or worse for my political or religious philosophy or if I had
a legal but atypical lifestyle or written things they happen to
disapprove of etc. However, I don't live in any of the countries where
the government routinely behaves that way. I wouldn't have voluntarily
spent 30 years on active duty in our military if I thought our
government engaged in those practices.

On 25/10/2023 03:01, VanguardLH wrote:
> Tells you what IP address to use for their DoH front-end server to their
> DNS server. Yet it seems very strange that OpenDNS says to use a
> hostname, like:
>
> https://doh.opendns.com/dns-query (standard, no filtering)
> https://doh.familyshield.opendns.com/dns-query (blocks adult content)
>
> Yet that would require a DNS lookup on those hostnames to get the IP
> addresses for those hosts. People like names. Computers demand
> numbers. I would think the proper syntax would be (for OpenDNS):
>
> https://2620:119:fc::2/dns-query (IPv6) ---.__ standard (no filtering)
> https://146.112.41.2/dns-query (IPv4) ---'
> or
> https://2620:119:fc::3/dns-query (IPv6) ---.__ block adult content
> https://146.112.41.3/dns-query (IPv4) ---'
>
> Using hostnames means an in-the-clear DNS query to get their IP
> addresses before the actual request that is HTTPS encrypted. Their
> example to configure Chrome uses IP addresses, so why would they be
> promoting in-the-clear DNS hostname lookups in Firefox?

The HTTPS protocol ensures that you are really connected to the DoH
server you think you should be connected to, just as HTTPS ensures you
really are connected to the HTTPS website you want. But that normally
only happens if you use the name rather than the IP address.

It's simpler with DNSCrypt because the server has a secret private key
and you tell the client to use the corresponding public key it can only
talk to the genuine server.

--
Brian Gregory (in England).

rdh <rdh@tilde.institute> wrote:

> On 10/24/23 16:01, Johnny wrote:
>>
>> Why does Firefox want me to use Cloudflare as my DNS server, is Firefox
>> being paid for this
>>
>> AT&T is my DNS server, and today I ran in to a problem when searching
>> with DuckDuckgo, and got the message to check with Cloudflare to find
>> out what the problem is.
>>
>> I had to go into settings change my DNS server back to AT&T.
>>
>
> DNS over HTTPS is kind of a ridiculous idea in the first place. For one,
> DNS is not HyperText, so why would you use the HyperText Transfer
> Protocol for it? (Don't bother answering, I know it's just to get around
> lazy admins who block everything except ports 80 and 443--but that
> doesn't make it right.)
>
> Everything about the DNS over HTTPS rollout has been a mess. It should
> NOT be on an application-by-application basis to ignore my computers'
> DNS settings. If I want DNS over HTTPS, I will configure my systems to
> use it. Firefox should not decide on its own to ignore my hosts file,
> and it should not decide that it knows better than the DNS server I set
> up. It certainly doesn't when it comes to my local network!

So, what's your problem? If you don't want an application to implement
its own DoH, just turn it off. Then the OS settings get used. Voila!

On 26/10/2023 00:05, VanguardLH wrote:
> rdh <rdh@tilde.institute> wrote:
>> Everything about the DNS over HTTPS rollout has been a mess. It should
>> NOT be on an application-by-application basis to ignore my computers'
>> DNS settings. If I want DNS over HTTPS, I will configure my systems to
>> use it. Firefox should not decide on its own to ignore my hosts file,
>> and it should not decide that it knows better than the DNS server I set
>> up. It certainly doesn't when it comes to my local network!
>
> So, what's your problem? If you don't want an application to implement
> its own DoH, just turn it off. Then the OS settings get used. Voila!

What if you are running a school network or a guest network at a library
or hospital and you want to make 100% sure nobody can resolve the
addresses of known porn, malware, racist hate, academic fraud and/or
fake news sites?

DoH has basically made it virtually impossible to do.

The closest you can do is to try and laboriously maintain list of known
DoH resolvers and block all TCP and UDP connections to them. And even if
you somehow manage to keep the list 100% up to date it can cause users
problems since a few DoH servers use CDNs and may share IP address(es)
with some of the normal websites that use the same CDN.

--
Brian Gregory (in England).

Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
> On 26/10/2023 00:05, VanguardLH wrote:
>> rdh <rdh@tilde.institute> wrote:
>>> Everything about the DNS over HTTPS rollout has been a mess. It should
>>> NOT be on an application-by-application basis to ignore my computers'
>>> DNS settings. If I want DNS over HTTPS, I will configure my systems to
>>> use it. Firefox should not decide on its own to ignore my hosts file,
>>> and it should not decide that it knows better than the DNS server I set
>>> up. It certainly doesn't when it comes to my local network!
>>
>> So, what's your problem? If you don't want an application to implement
>> its own DoH, just turn it off. Then the OS settings get used. Voila!
>
> What if you are running a school network or a guest network at a library
> or hospital and you want to make 100% sure nobody can resolve the
> addresses of known porn, malware, racist hate, academic fraud and/or
> fake news sites?
>
> DoH has basically made it virtually impossible to do.
>
> The closest you can do is to try and laboriously maintain list of known
> DoH resolvers and block all TCP and UDP connections to them. And even if
> you somehow manage to keep the list 100% up to date it can cause users
> problems since a few DoH servers use CDNs and may share IP address(es)
> with some of the normal websites that use the same CDN.

To be fair, it is possible to "lock" the DNS-over-HTTPS
configuration with a setting in the policies file, so a school etc.
would be able to do that:
https://mozilla.github.io/policy-templates/#dnsoverhttps

My problem with DNS over HTTPS is Mozilla enabling it by default so
that people send all their DNS activity to Cloudflare, who could
then spy on that info which would previously only have been seen by
your ISP (if their DNS server was in use before). Your ISP gets to
see the IP addresses you end up connecting to anyway, so they get
at least half the story either way, using Cloudflare is just an
extra information leak, and for me a leak into another country (the
USA) where the privacy rights of foreigners are no obstacle at all
to their government spy agencies.

OK so you can fix the leak by disabling DoH after they punch the
hole by default, but that's the wrong approach. Especially for
users who may not have heard about the change in the first place.

--
__ __
#_ < |\| |< _#

Am 26.10.23 um 01:05 schrieb VanguardLH:
> rdh <rdh@tilde.institute> wrote:
>> DNS over HTTPS is kind of a ridiculous idea in the first place. For one,
>> DNS is not HyperText, so why would you use the HyperText Transfer
>> Protocol for it? (Don't bother answering, I know it's just to get around
>> lazy admins who block everything except ports 80 and 443--but that
>> doesn't make it right.)
>>
>> Everything about the DNS over HTTPS rollout has been a mess. It should
>> NOT be on an application-by-application basis to ignore my computers'
>> DNS settings. If I want DNS over HTTPS, I will configure my systems to
>> use it. Firefox should not decide on its own to ignore my hosts file,
>> and it should not decide that it knows better than the DNS server I set
>> up. It certainly doesn't when it comes to my local network!
>
> So, what's your problem? If you don't want an application to implement
> its own DoH, just turn it off. Then the OS settings get used. Voila!

+1

--
Gutta cavat lapidem (Ovid)

Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:

> On 26/10/2023 00:05, VanguardLH wrote:
>> rdh <rdh@tilde.institute> wrote:
>>> Everything about the DNS over HTTPS rollout has been a mess. It should
>>> NOT be on an application-by-application basis to ignore my computers'
>>> DNS settings. If I want DNS over HTTPS, I will configure my systems to
>>> use it. Firefox should not decide on its own to ignore my hosts file,
>>> and it should not decide that it knows better than the DNS server I set
>>> up. It certainly doesn't when it comes to my local network!
>>
>> So, what's your problem? If you don't want an application to implement
>> its own DoH, just turn it off. Then the OS settings get used. Voila!
>
> What if you are running a school network or a guest network at a
> library or hospital and you want to make 100% sure nobody can resolve
> the addresses of known porn, malware, racist hate, academic fraud
> and/or fake news sites?

Those places allow using VPN to hide to where the workstation is
connecting? There are already blacklists of VPN entry and exit nodes to
allow blocking those.

Despite hiding the hostname the client wants to resolve to an IP address
to actually do a connection, the IP address of the target is still
known. If censorware is employed to block by hostname, it certainly can
block by IP address, too. Using a DoH service does not hide the IP
address to which you connect. Hiding the DNS lookup does not hide the
connection to the IP address retrieved from the DoH server.

Computer Nerd Kev <not@telling.you.invalid> wrote:

> Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
>> On 26/10/2023 00:05, VanguardLH wrote:
>>> rdh <rdh@tilde.institute> wrote:
>>>> Everything about the DNS over HTTPS rollout has been a mess. It should
>>>> NOT be on an application-by-application basis to ignore my computers'
>>>> DNS settings. If I want DNS over HTTPS, I will configure my systems to
>>>> use it. Firefox should not decide on its own to ignore my hosts file,
>>>> and it should not decide that it knows better than the DNS server I set
>>>> up. It certainly doesn't when it comes to my local network!
>>>
>>> So, what's your problem? If you don't want an application to implement
>>> its own DoH, just turn it off. Then the OS settings get used. Voila!
>>
>> What if you are running a school network or a guest network at a library
>> or hospital and you want to make 100% sure nobody can resolve the
>> addresses of known porn, malware, racist hate, academic fraud and/or
>> fake news sites?
>>
>> DoH has basically made it virtually impossible to do.
>>
>> The closest you can do is to try and laboriously maintain list of known
>> DoH resolvers and block all TCP and UDP connections to them. And even if
>> you somehow manage to keep the list 100% up to date it can cause users
>> problems since a few DoH servers use CDNs and may share IP address(es)
>> with some of the normal websites that use the same CDN.
>
> To be fair, it is possible to "lock" the DNS-over-HTTPS
> configuration with a setting in the policies file, so a school etc.
> would be able to do that:
> https://mozilla.github.io/policy-templates/#dnsoverhttps
>
> My problem with DNS over HTTPS is Mozilla enabling it by default so
> that people send all their DNS activity to Cloudflare, who could
> then spy on that info which would previously only have been seen by
> your ISP (if their DNS server was in use before). Your ISP gets to
> see the IP addresses you end up connecting to anyway, so they get
> at least half the story either way, using Cloudflare is just an
> extra information leak, and for me a leak into another country (the
> USA) where the privacy rights of foreigners are no obstacle at all
> to their government spy agencies.
>
> OK so you can fix the leak by disabling DoH after they punch the
> hole by default, but that's the wrong approach. Especially for
> users who may not have heard about the change in the first place.

Hence my mention of the upcoming Oblivious DNS vver HTTPS (ODoH).
Obviously *any* DNS server you use will know the lookup you requested.
Not trusting Cloudflare means you don't trust your ISP's DNS server,
OpenDNS, or any other DNS provider. They must all be evil.

Am 25.10.23 um 19:56 schrieb Retirednoguilt:
> Thanks for the reply. As a U.S. citizen by birth, I should be outraged
> that the state of U.S. privacy is inadequate compared with many of our
> closest allies. But in fact, I couldn't care less, given that the
> mission of the federal law enforcement and intelligence agencies,
> bureaus, etc. is to identify and interrupt domestic and/or foreign
> criminal activities that violate our laws and/or constitute threats
> against our country, and then prosecute the alleged criminal activity.

You have - like most Anglo-Saxons - a quite different concept of privacy
and data protection.

The criminal and unlawful activity starts at the beginning and not at
the end. As the Romans already said: *Ex iniuria ius non oritur*.

(=Ex injuria jus non oritur is a principle of international law. The
phrase implies that "illegal acts do not create law".)

--
Ave! Morituri te salutant!