DNS over HTTPS (DoH) #3033

Closed
netblue30 opened this issue Nov 8, 2019 · 7 comments
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required

Comments

@netblue30 (Owner)

I wanted to add DoH support by default for all sandboxes, but I ended up using OpenSSL. I don't want to create problems for anybody, so this goes as a separate project at least for now. We can bring it in firejail later.

https://github.com/netblue30/fdns

The proxy runs on port 127.1.1.1, so in firejail you would run:

firejail --dns=127.1.1.1 firefox

DoH functionality is already included in Firefox, and apparently some other browsers will follow (see https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/). We are more interested in things like bittorrent etc.

@glitsj16 (Collaborator) commented Nov 9, 2019

Thanks for another great addition! Realizing this is brand new, I wanted to ask for clarification on what's mentioned here:

$ cat /etc/firejail/globals.local
dns 127.1.1.1
ignore dns

The second line seems odd, as in my understanding ignore dns will undo what the previous line does, defeating its purpose. Or am I misunderstanding this? I ask because I already make extensive use of firejail's dns=127.0.0.1 option, pointing it to a local DNSCrypt client (running on 127.0.0.1), which seems to work as expected. I only use ignore dns in .local overrides for services that have net none.

On another note, I wonder if it makes sense to explicitly inform users on how to opt-out of Firefox's DoH by blocking use-application-dns.net (see this)?

@rusty-snake (Collaborator)

$ cat /etc/firejail/globals.local
dns 127.1.1.1
ignore dns

The second line seems odd, as in my understanding ignore dns will undo what the previous line does, defeating its purpose. Or am I misunderstanding this?

ignore dns will ignore any following (but not previous) parsed dns command.
See my notes in this commit about seccomp, these are the same rules.

On another note, I wonder if it makes sense to explicitly inform users on how to opt-out of Firefox's DoH by blocking use-application-dns.net (see this)?

Or just set about:config?filter=network.trr.mode to 5.

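As an added illustration of the ordering rule described above (a toy model written for this thread, not firejail's own parser: it handles only the dns, net and ignore commands and assumes plain whitespace-separated "command argument" lines, with "#" starting a comment), this shows why "dns 127.1.1.1" followed by "ignore dns" keeps the dns line, while the reverse order drops it:

```python
# Added example, not firejail code: a minimal model of "ignore <cmd>" semantics,
# where an ignore line suppresses only the matching commands parsed AFTER it.

def effective_profile(lines):
    """Return the dns servers and net setting that survive the ignore rules.

    Assumption: only 'dns', 'net' and 'ignore' are modelled; the real parser
    handles many more commands and several profile files.
    """
    ignored = set()                      # commands switched off by an earlier ignore
    result = {"dns": [], "net": None}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        cmd = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if cmd == "ignore":
            ignored.add(arg)             # takes effect for later lines only
            continue
        if cmd in ignored:
            continue                     # silently dropped
        if cmd == "dns":
            result["dns"].append(arg)
        elif cmd == "net":
            result["net"] = arg
    return result


# Constructed sample profiles modelled on the thread.
GLOBALS_LOCAL = ["dns 127.1.1.1", "ignore dns"]            # order from the fdns README: dns kept
REVERSED = ["ignore dns", "dns 127.1.1.1"]                 # ignore first: dns dropped
SERVICE_LOCAL = ["ignore dns", "net none", "dns 127.0.0.1"]  # a net-none service override

if __name__ == "__main__":
    for name, profile in [("globals.local", GLOBALS_LOCAL),
                          ("reversed", REVERSED),
                          ("service.local", SERVICE_LOCAL)]:
        print(name, effective_profile(profile))
```

The first profile keeps 127.1.1.1 because the dns line was already parsed when the ignore arrived; the second drops it; the third shows the net-none case where a later dns line is discarded.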
@glitsj16 (Collaborator) commented Nov 9, 2019

ignore dns wil ignore any following (but not previous) parsed dns command.

@rusty-snake Thanks for clearing that up.

On another note, I wonder if it makes sense to explicitly inform users on how to opt-out of Firefox's DoH...

Indeed, there are several ways to opt-out. The network.trr.mode is a Firefox internal one. I referred to a DNS option. I just wanted to stress that a small entry in the fdns FAQ to inform users on how to opt-out would be nice.

@Nurmagoz

I wanted to add DoH support by default for all sandboxes, but I ended up using OpenSSL. I don't want to create problems for anybody, so this goes as a separate project at least for now. We can bring it in firejail later.

yes it will cause a lot of trouble and I hope it is never implemented by default. This is a privacy-sucking design that routes all your traffic through a CDN:

https://twitter.com/isotopp/status/1170973842954686464

https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

Cloudflare does not block or filter content through the Cloudflare Resolver for Firefox. As part of its agreement with Mozilla, Cloudflare is providing only direct DNS resolution. If Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the Cloudflare resolver for Firefox, Cloudflare would, in consultation with Mozilla, exhaust our legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so.

Yeah, I believe you! ... Only if I'm an idiot.

@laniakea64 (Contributor)

I wanted to add DoH support by default for all sandboxes ... I don't want to create problems for anybody,

Sorry @netblue30 but enabling DoH by default like that will cause problems for people:

  1. I have set up local DNS filtering at the system level, to e.g. block malicious domains and some particularly privacy-invasive domains. Per-program DoH bypasses the system DNS, so it will completely bypass this filtering. And firejail being a sandboxing program, this is even worse because firejail gets used to run the most exposed programs on the system. Bypassing security and privacy measures by default for the most exposed programs is unexpected and unacceptable.

  2. No external DoH server will know about local domain names used for accessing local network resources. Using DoH by default will make such resources inaccessible by domain name, unnecessarily leak local domain names to an external server, and waste bandwidth.

  3. I'm not sure I would be totally comfortable with the idea of my sandboxing program also being a server.

We can bring it in firejail later.

If DoH support does get integrated into firejail, please make it completely opt-in, like --dns= is now, and/or add a build-time switch to completely disable firejail's DoH support at build time. Thanks!

@netblue30 (Owner, Author)

@laniakea64

Sorry @netblue30 but enabling DoH by default like that will cause problems for people:

I had the feeling that would be the case, so it will stay forever as a separate plugin. It does bypass any dns-based security that is set up on the system or on the local network.

Mozilla was supposed to deploy DoH as default this autumn in the browser, but they are getting a lot of pushback from governments, ISPs and enterprise people. So they are cooling down on it. We'll see what they do next. Apparently, Google will make it opt-in in Chromium.

Anyway, as a separate/opt-in project it should be fine. Probably for enterprise users I will have to put a note on the main page of the project saying something like "don't use this on your employer network". I do expect them to start monitoring traffic on their networks.

@TNTBOMBOM

yes it will cause a lot of trouble and I hope it is never implemented by default. This is a privacy-sucking design that routes all your traffic through a CDN:

That's a good point. We just added --server=random where it picks a random server from the list. Currently we have 7 servers there, and the list is growing. The most interesting so far are two small privacy-oriented nonprofit foundations: https://42l.fr and https://appliedprivacy.net.

Thank you all for your input!

@pizzadude (Contributor)

thank you netblue30 for keeping this optional

@glitsj16 glitsj16 added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Jan 20, 2020