
Opting out of Firefox's DNS-over-HTTPS by blocking use-application-dns.net #1051

Closed
ndrwy opened this issue Sep 17, 2019 · 13 comments


@ndrwy

ndrwy commented Sep 17, 2019

Found an interesting link: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Network administrators may configure their networks as follows to signal that their local DNS resolver implemented special features that make the network unsuitable for DoH:

DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with either: a response code other than NOERROR, such as NXDOMAIN (non-existent domain) or SERVFAIL; or respond with NOERROR, but return no A or AAAA records.

DoH will be enabled by default end of this month: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

So in short, including use-application-dns.net in a blocklist will not enable DoH in Firefox browsers.

(I created this ticket just to bring this to attention and discuss if needed, I'm not seeking any particular action; feel free to close any time)

I noticed Pi-Hole is blocking this domain by default: pi-hole/pi-hole@525ec8c

For my home network I think I will be blocking this domain as well, mainly to ensure ads/nasty stuff continue to be blocked for my parents.
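To make the quoted rule concrete, here is an added example (not code from this thread, Pi-hole or Mozilla) that applies Mozilla's canary test to raw DNS wire-format responses. The responses are constructed inline, and a hosts-file style answer of 0.0.0.0 is included to show that, under the quoted rule, a NOERROR reply that still carries an A record does not switch DoH off; only a non-NOERROR rcode or an empty NOERROR answer does.

```python
import struct

CANARY = "use-application-dns.net"
TYPE_A, TYPE_AAAA, RCODE_NOERROR, RCODE_NXDOMAIN = 1, 28, 0, 3


def _read_name(msg, off):
    """Return (name, offset after the name), following RFC 1035 pointers."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def canary_disables_doh(response):
    """True if this response to the canary A/AAAA query satisfies Mozilla's rule."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x0F != RCODE_NOERROR:              # NXDOMAIN, SERVFAIL, ...
        return True
    off = 12
    for _ in range(qdcount):                        # skip the question section
        _, off = _read_name(response, off)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = _read_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        if rtype in (TYPE_A, TYPE_AAAA):            # an address answer keeps DoH on
            return False
    return True                                     # NOERROR but no A/AAAA records


def build_canary_response(rcode, a_records=()):
    """Constructed test data: a minimal response to 'use-application-dns.net A'."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in CANARY.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg = header + qname + struct.pack("!HH", TYPE_A, 1)
    for addr in a_records:                          # owner name is a pointer to the question
        rdata = bytes(int(octet) for octet in addr.split("."))
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 60, len(rdata)) + rdata
    return msg
```

Feeding a real reply captured from your resolver into canary_disables_doh() tells you whether Firefox would treat your network as opting out.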

@spirillen
Contributor

spirillen commented Sep 18, 2019

Hi @ndrwy Thanks for the notification :=)

This is actually potentially a huge privacy issue, as it is written that Firefox by default will route all your DNS traffic to an external source beyond your control and without your consent and knowledge. And who is the external DNS hosting company, and what will they do with all the data they collect? Since nothing is free, I'll bet they are going to sell the data to bad companies like Google, Facebook etc.

The other potential privacy bomb in this is that Mozilla hasn't written anything about who the external provider is or is going to be. But personally I guess it would be the bad host traffic collector Cloudflare.

[screenshot: FireFox_DOH]

@Martii

Martii commented Sep 19, 2019

@spirillen

... potential a huge privacy issue ...

I agree completely. I've been using DoT, which Moz's telemetry can't detect easily, i.e. every test shows that I "might be at risk", but I verified with Wireshark that all requests on all my networks are using it effectively.

Thanks for the screenshot... this is currently under Preferences -> Network Settings ... Settings button. Now I know where to watch for this abomination. 😸 (EDIT: Seems to be about:config?filter=network.trr.mode , about:config?filter=network.trr.uri , and about:config?filter=network.trr.custom_uri )

What's interesting on Android 9 is their "Private DNS" option in "Automatic" mode did zilch and always chose my cellular's DNS... thought that was an interesting find while I was traveling (corrected it too). I'll admit that DoT isn't perfect, since one of the WiFi hubs I was on actually had a residential login with 1.1.1.1 (usually Cloudflare), which made me switch to quad9.net. At least it detected that it was not the real 1.1.1.1.

@ScriptTiger
Contributor

Chrome is starting to "experiment" with DoH, as well. If you're still not sure why this is a scary thing, check out this Bluecat presentation, particularly the last few bits that really drive things home around the 21-minute mark. I've ranted countless times about this before, but I really liked the concise wording and the numbers here that help put things into perspective.

https://www.bluecatnetworks.com/blog/the-future-of-dns-privacy-dot-doh/

So same point though, how can I use DNS over HTTPS if I want DNS privacy? Is it vastly more accessible? If I wanted to go change the plumbing of my DNS subsystems and my operating system, it's equally as inaccessible. It's something that you don't expect users to ever do. However, the browser vendors are adding direct support for DoH in their browsers. Some of the browser vendors already ignore the operating system's stub resolver, but now they're adding direct support for DNS over HTTPS such that a user may have no idea that they're using it. Mozilla may or may already in a recent data started optimistically searching for reachable DoH recursive resolvers and then enabling them by default. Their initial go to market partner is CloudFlare with this, with CloudOne they have an under 5% market share, but the second they do that, then the 5% of users that use Firefox would be using DoH, whether they knew it or not. That's sort of scary, it's not that big of a market share, but it's something they can easily do. More scary is Google. Google provides a DNS over HTTPS service. Chrome has a 63% market share. Here's a quote from APNIC, which I think is pretty good:

"If a browser chooses to use DoH as their default, then there's little that the platform and the network can do to prevent it. If the browser has installed DoH support, then control over DNS name resolution function has passed from the user to the browser provider, and rather than being an esoteric function enabled by a handful of users," the way we would do DoT or muck with the operating system, "It becomes a mainstream service potentially by billions of users."

Tomorrow, Google can drive like their 63% market share of browsers out there and drive all of that DNS traffic to them. That's a sort of scary thing when you start thinking what's in it for them, but also what's in it for the DNS in general? Which tends to want to be decentralized. But that's pretty scary, especially since users don't know, and the users that don't know also don't care. They want a good internet experience. They really, most users, aren't even thinking about this from a privacy standpoint at all.

@Martii

Martii commented Sep 22, 2019

The probable potential for abuse is massive in a market-based system. As always, the end-point resolver always knows everything. Privacy for both corporate and home users also deals with the realm of security as well... albeit there are a lot of other ways to expose someone's identity and practices besides DNS. With an opt-out like the UK has with the GDPR, that just serves to point a finger at those requesting removals imho. It involves actively querying any provider, whether known or not known, to delete that information. Most people are quite lazy when it comes to that, again imho. How many times should one have to do that?... daily?, hourly?, etc. I understand the need for encryption, but it has inherent failures for security/privacy. Privacy is a component of security in my book, although I'm probably in the minority.

There's no easy solution to the dilemma of providing security by having privacy inclusive.

@spirillen
Contributor

Hi @Martii

I agree with most of your post, but to make it clear from my point of view:

Encryption is REQUIRED for privacy, but whom to trust with the data shall ALWAYS be the end user's choice, and not some ugly preset stuff you have to opt out of; everything privacy related, even merely, shall always be an opt-in.

And the "easy way to implement privacy":
We all need our own DNS recursor which by default queries the root servers over TLS.
Next, generate an RFC that says the root servers are not permitted to do any query logging on the second domain level.

This leaves the privacy issue between the end-user and the domain holder. (Specifically used the word holder as it could have been hijacked from the owner)

@ScriptTiger
Contributor

Well, kind of like how Facebook took care of the breach of contract by simply calling Cambridge Analytica and telling them to delete their Facebook data, which they then promptly stated they did but in actuality didn't: just telling someone not to do something may mean something legally, but in reality it doesn't mean anything if there's a profit to be made that's worth the risk. Large corporations break the law every day and are happy to pay the chump-change fines that go along with it, because the profit they make from breaking the law is orders of magnitude greater than what they pay out in legal fees and fines.

For privacy and security to have true meaning, the protocols must be reworked to incorporate modern best practices on the most fundamental levels and never falling back to someone's word and a handshake. This might include incorporating peer-to-peer technologies, blockchain technologies, and other distributed decentralized technologies that can come with a level of trust, security, privacy, and everything else expected of modern technology. Perhaps in 10 years all of that will be proven ineffective, but we should at least strive to progress with what we have instead of just making small twists to a relic technology known to be full of holes simply because each mutation brings about new opportunities for profit.

The truth of the matter is that Silicon Valley was once a diverse and tolerant landscape, but over the years business and enterprise drove out diversity and tolerance. We shouldn't be letting ourselves be guided by the misguided, fools to follow a fool. Wielding capitalism irresponsibly to a level of extremism may work out short term for a privileged few, but if anything is known it's certainly the impending doom should this continue unchecked.

@spirillen
Contributor

For privacy and security to have true meaning, the protocols must be reworked to incorporate modern best practices on the most fundamental levels and never falling back to someone's word and a handshake. This might include incorporating peer-to-peer technologies, blockchain technologies, and other distributed decentralized technologies that can come with a level of trust, security, privacy, and everything else expected of modern technology. Perhaps in 10 years all of that will be proven ineffective, but we should at least strive to progress with what we have instead of just making small twists to a relic technology known to be full of holes simply because each mutation brings about new opportunities for profit.

To this you'll have to add way better encryption.... I can recall an almost 20-year-old article describing how an IT student in the east had broken a standard 256-bit encryption in less than 30 seconds back then.. (Remember it was a time when a pocket watch had more power than a PC)

But yes, where money is to be made, it is. Like the new GDPR is written to protect the big suckers like Google and Facebook against competitive smaller businesses: a cost of running against the GDPR is 250.000€.... which is nothing to them, but the sure death of small competitors....

@ScriptTiger
Contributor

If you're up for some more light reading, our very own resident expert Paul Vixie tweeted directly at Cloudflare's Head of Research, Nick Sullivan, in regards to DoT versus DoH almost a year ago in a series of tweets, so don't forget to scroll down and click through all of his replies:

https://twitter.com/paulvixie/status/1053765281917661184

@spirillen
Contributor

Hi Tiger, thx for the link... Paul Vixie is to be my BFF of the week 🔐 And here I was about to think I had paranoia 😀

@spirillen
Contributor

A little info:

I've been testing this domain record use-application-dns.net as NXDOMAIN.

The results seem to inactivate the DoT, but it won't grey out the option for setting it, which I would have expected..

@ScriptTiger
Contributor

ScriptTiger commented Jan 31, 2020

@StevenBlack, I'd like to make a second motion to delete all of @infinitewaveparticle's comments and block him/her/them from further access.

Repository owner deleted a comment from infinitewaveparticle Feb 1, 2020
@StevenBlack
Owner

@ScriptTiger comment deleted. Thanks for the heads-up.

@XhmikosR
Contributor

@StevenBlack Isn't this issue now solved with the latest list updates + Pi-hole v4.4?
