Internal DNS, split brain DNS aren’t catered for without disabling support? I don’t want my internal names leaking to the internet, nor necessarily are they the same for external resolvers. Now yes the latter is a hack, but it’s one widely used still today.

The idea is laudable. But it feels hostile. I can disable support, but for how long?

A fair number of resolvers support DoH and dnscrypt-proxy also supports DoT. It's fairly feature rich, you can configure a hosts file and then some.

[0] https://github.com/jedisct1/dnscrypt-proxy

I will do the occasional tests with network.trr.mode to 3 (only use DNSoverHTTP) but I seem to have issues resolving github. I haven't looked that far into it.

EDIT: there do exist solutions to run locally.

I know it’s lazy and I should’ve done more work. But, burn out

The positives certainly outweigh the negatives of inconveniencing some IT admins who, as you correctly point out, are implementing a dirty hack anyway.

You completely missed the point of the parent, which is to NOT let internal hostnames out of the network.

The positives certainly outweigh the negatives of inconveniencing some IT admins who, as you correctly point out, are implementing a dirty hack anyway.

This is a perfect example of the irritating attitude I see from people pushing hostile features like this. Everyone wants their network to operate the way they want, and yet you think you know better than the actual owners of those networks.

Corporate networks are a small percentage of network traffic and their use cases are less important in the grand scheme of the internet.

DNS over HTTPS is a solution because network owners can't be trusted. Either by blocking or by taking their DNS logs and selling it to advertiser's.

DNS is unencrypted and a security risk. For the user. It's an old technology that needs to be updated.

DNS over TLS/HTTPS allows the browser to get a trusted record of IP which is a public register.

The bypass here is looking up what the corresponding IP address for a hostname is.

DNS based blocking isn't as effective as IP blocking.

You can feed a DNS based list of IPs you want to block into a firewall and have the exact same behaviour.

Both Firefox and Chrome have the ability to set enterprise user settings that can force certain configurations.

So you should have the ability to disable it if you want in your network.

If you're worried about the security of your network don't allow devices that you don't trust into it and restrict internet access properly.

What's more anyone can configure a custom DNS resolver on their device when connecting to a network.

> Originally these names were stored in and provided by a hosts file but today most such names are part of the hierarchical Domain Name System (DNS).

[0] https://en.wikipedia.org/wiki/NetBIOS#NetBIOS_name

There are whole isps and even countries (including the UK shortly) which mess with DNS requests. Helping the millions of users who are in that situation, and don't even know what D Sits, seems like a net good. As you say, experts can choose to disable it.

As long as they can. The problem with these ideas is that it can get increasingly difficult to work around them. How many hoops you have to jump through to pcap your own software on your own machines now that certificate pinning is becoming popular? What when someone will have the bright idea of implementing certificate pinning for DoH inside browsers, "because security"?

(I could live with the choice between having to somehow acquire Chrome Enterprise Edition vs. switching to Firefox, to have a browser I can control. I'm worried now that Firefox might be turning into Chrome, though.)

If you're implying the porn filter, no, the porn filter has been shelved 'indefinitely' because a) it's against EU law, b) it was May's personal project (she pushed heavily for it when she was Home Secretary, and it became a thing under her PM-ship).

5 means explicitly disabled. 0 (default) is whatever is considered default for now.

  1. about:config
  2. network.trr.mode = 5

If the Mozilla Foundation see this as an issue they should instead be developing a separate solution to provide this system wide. If you must bundle it with Firefox and offer to install it at browser installation or upgrade time. Don't install it by default and certainly don't enable it without user permission.

  test $# = 1|| exec echo usage: $0 query

  # requirements: sed, wc, xxd, openssl, ldns, drill
  # reference: https://tools.ietf.org/html/rfc8484#section-4.1

  a=$(drill -q /dev/stdout $1 |sed '1,2d;s/;.*//;s/ //g'|xxd -p -r|wc -m);

I wrote a glibc plugin that implements a caching DoH client for glibc, which can replace the DNS client or fall back to it - https://github.com/dimkr/nss-tls.

Not to mention that DNS over HTTP is one of the class of features where you might want to override sysadmin policy as a user.

I don’t buy that argument at all.

Why should we special case policies of one internet-protocol over all the others?

Also: implementing/marketing DoH as a way to bypass enterprise control and policies is a surefure way to find it permanently blocked at firewall level in said enterprises.

Ie your attempt at subverting control won’t gain you anything but deserved distrust.

I think you missed the nss-tls README and think nss-tls is not at the "OS level".

For the users, 99% of whom live in the self-updating browser these days, this is much better than waiting for an OS patch that they may or may not know how to install.

Nearly all applications use the standard library, i.e. getaddrinfo(3) or the old gethostbyname(3) or something that wraps them. Which itself uses the services configured in /etc/nsswitch.conf, one of which is DNS which will in turn query the DNS server(s) configured in /etc/resolv.conf.

You can also have other services configured in nsswitch.conf like "mdns" (multicast DNS for names of devices on the LAN) and "files" for /etc/hosts, or any other name resolution system. The general result is that you can change the settings for the whole system and even add completely new name resolution services (like, for example, DoH) and have substantially everything automatically use them.

https://linux.die.net/man/3/gethostbyaddr

It is one of the worst thing that can happen if this functionality moves into the application layer.

1: https://jrl.ninja/etc/2/strace-go-1.12.3.txt

src for above: https://jrl.ninja/etc/2/getaddrinfo.go.txt

0 - Default (will be one of the below options, right now it happens to be 5)

1 - Race regular DNS and DoH, use whichever one responds first

2 - Try DoH, use regular DNS if DoH fails

3 - Use DoH, regular DNS is disabled entirely

4 - unused

5 - DoH is fully disabled, always use regular DNS

It took me an embarassingly long time to realise I was still visiting the production site.

https://bugzilla.mozilla.org/show_bug.cgi?id=1453207

There's really nothing special about /etc/hosts and I think people treat it as something far more mythical and fundamental than it actually is. On just about every *NIX system it's just the file that is parsed by one of the default modules that distros install for the hosts service.

If you're not libc you shouldn't be reading /etc/hosts yourself and only accessing it via gethostname() and the like. But the whole point of application level DNS is to not do this.

If I were to remove the files module from my NSS config I would be very surprised that Firefox was resolving names from it.

You also can't parse /etc/nsswitch.conf to see if the files module is used because there's nothing special about that name -- my module blorp could read /etc/hosts and my files module could be pulling names from Redis.

As a coder, I completely understand mozilla's and your sentiment, but still, I am sure it's not the right direction to take.

There's better ways than using /etc/hosts. I run DNSCrypt and Unbound on my router: https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

then I simply point my DNS at my router IP. All DNS lookups are then done over DNSCrypt and over the VPN regardless of software, platform, or application. If I want to block a site I simply add it to filter.conf, ie https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

    local-zone: "example.com" redirect
    local-data: "example.com A 0.0.0.1"

It would be nice if Mozilla would stop breaking my shit and stop dishonoring my settings. This dread GNOME disease of knowing better than the user needs to stop.

This is "better" because it's following the spirit of domain separation. In fact, if Mozilla's application based resolver started mucking with /etc/hosts it would, in fact, be breaking your shit.

Calm down.

FFox has no need to be 'mucking' (which I understand to mean to 'write to') with hosts: it needs to read it and parse it. Failure to do so will always generate an endless stream of "hosts file isn't being honoured" style bug reports. I think you would agree with me that the FFox maintainers & dev's have got better things to do than to answer WONTFIX on the same fault again and again.

And thus, we arrive at the crux of the issue, as stated in my original post. It is not the job of everyday applications to be making decisions about name resolution.

>In fact, if Mozilla's application based resolver started mucking with /etc/hosts

Mozilla's application doesn't even need to know about /etc/hosts. It needs to ask the system name resolution interface to resolve a name for it, and then run with what it is given, rather than Mozilla deciding that their baby is too important to use that interface and then proceed to implement one on their own.

Don't turn DoH in FF on if you don't like it (or turn it off).

You're acting like mozilla is deciding this for you without giving you a say. They're not. They're offering you something you don't even have to accept - because they care about your privacy online and they're not happy about little governments dabbling in the censorship game either.

I'm pretty sure the TOR browser is using its own name resolution too - as a privacy feature. This isn't very different.

I'd like it if there were less of those.

Despite me agreeing with your need for hosts to work, your suggestion here wont. As the others have mentioned the hosts integration is down way down deep in the code (libc and kernell.dll as far as I know) and is basically an automated part of getting the address of a name, which does a proper DNS lookup automatically (if not found in hosts), meaning DoH wont get a chance.

This means that FFox will need to independantly look up and parse the hosts file as part of it's DoH lookup, basically mimicking what libc is doing on 'nix boxes. It's what the other GPs are mentioning as a no-go/non-starter, whereas I suggest it's not hard to parse a text file.

OTOH, in the real world, almost all websites that I've got to migrate are somewhat hardcoded for one domain (I've got this side project were I do websites hosting, good recurring money, little work).

Going for /etc/hosts is the only pragmatic choice here.

But one of the things that I'm testing is that SSL, HST-pinning, etc, is working. So I could fuck around with adding "--header" arguments to curl, etc. But really I want to test in a browser and if the name doesn't match I'll have issues.

Keep - things - separated - isolated - small

This is what browsers, like Firefox, are likely to do as it stands today.

Once OS vendors include support, your pihole can run a DoH server locally and all apps in your network use that DoH server.

Once there is a decent set of public/commercial DoH servers available, devs can simply follow the browsers' example: Directly embed a DoH client into the application and supply a hardwired list of URLs and certificates. To my knowledge, you cannot block that with pihole.

At least, if I were an app developer with financial interest in users not blocking my ads and trackers, this would seem like an obvious thing to do.

After all, glibc already did the hard work, why do it again?

(Oh and Applications with Ads were already able to do this, no need for firefox to do anything at all, it's just too complicated to be worth it)

> it's just too complicated to be worth it

That's the point. It's complicated and costly today if you have to design your own protocol, run your own DNS proxy and be the target of outrage if someone finds out.

It won't be if DoH normalizes application-specific DNS servers and provides an ecosystem with infrastructure and tooling for it.

I never take privacy statements on a website seriously. A company can say one thing and do another. HN crowd knows this better than anyone.

Even I keep logs for 7 days before selecting for permanent storage, they are saints.

Or you take 15 minutes and set up unbound.

For encrypted DNS setup I used this guide which worked: https://scotthelme.co.uk/securing-dns-across-all-of-my-devic...

https://docs.pi-hole.net/guides/unbound/#setting-up-pi-hole-...

It's going to be monetized out the ass, because bandwidth costs money.

(I trust a vpn to not be my isp or someone at the next table at a coffee place with WiFi. I trust paid vpn providers to provide decent performance. I’m not as worried about data mining)

This whole DNS over HTTP disaster makes it pretty clear to me as an end user that it's not though. I wouldn't trust a free VPN further than I can throw it, no matter who offered.

True. We've got DoT, which is a very viable alternative. Supported at OS level by Android. And there's DnsCrypt with clients on all major platforms.

> I wouldn't trust a free VPN further than I can throw it, no matter who offered.

Valid point.

Though, the present situation is that one pays the ISPs and yet they traffic shape, surveil, censor their users. I fear, after a point, VPNs might be the only way to access censor-free Internet across the globe.

Short of hosting their own, which consumers will not do, I don't see a scenario where VPN providers end up in a position that's more trustful than your average (Western world) ISP is today tbh.

Don't get me wrong, VPNs e.g. for access control or untrusted networks are great use cases in my book. I just don't like the snake-oil vibe surrounding VPNs that make it out to be a great way to secure everyday networking for consumers.

Please correct me if I'm wrong here, it looks like a weird approach to fix a protocol on a lower OSI level. Instead of fixing DNS&DNSSEC privacy a few key players bypass and replace it with their own solution, with Firefox pushing it onto users. My major gripes there are the added complexity and an aversion to wrap our whole networking stack into HTTPS instead of addressing the underlying problems. I realize that's more philosophical than technical grievances though, sorry for the wording.

I'm suggesting that the way Tarsnap organises its billing might be a good way for customers who buy VPNs to be sure that their browsing info is not actually the product the company offering the VPN is selling.

As for the application to VPN, I can't see much of a difference to other trustworthy businesses to be honest, I think I missed something there - are you referring to the prepaid aspect?

What they are not doing is offering the service for free or some flat rate and then finding non-obvious exploitative ways to monetise their user base.

Tarsnap is just a boring utility that you pay for what you use. VPNs should be like that.

methinks you're talking out of your butthole right now. I run a VPN service. I can get away with about 100 users per dedicated host. That gives me an average CPU of $0.80. If I went with tier-1 datacenters, my cost would triple. Public cloud DCs bring my costs up ~25%.

These numbers shrink with scale (e.g. buying dedicated bandwidth, bringing your own bandwidth, colo and increase server density, etc). Also mozilla has $69m in cash as of 2016, without counting assets and investments. They are okay to host few thousand more servers.. https://assets.mozilla.net/annualreport/2016/2016_Mozilla_Au...

Whether or not you think my anus is more capable than you estimating the cost, for an organisation that relies on soft revenue, this is serious money.

https://blog.cloudflare.com/1111-warp-better-vpn/

But privacy is the main concern and I would only use it if their were assurances that the VPN would not log nor sell user data.

Mozilla does get a lot of money to keep Google as the default search engine on Firefox so using a built-in VPN to draw more users may get Google to pay them more.

It was in the news about a week ago.

Keep in mind when enabling features ahead of widespread release in software, that obvious and/or non-obvious things are more likely to break when you do so than if you wait until it’s enabled for you.

This goes double for users on the Release channel of software rather than the Beta/Nightly/Canary/Whatever channel, since it takes weeks or months to fix problems.

I’m not saying “don’t”, but I am saying “be prepared to encounter self-inflicted issues”. The tendency is to blame the issues and the frustration of tracking down their cause on the software developer. Keep notes about what you enable, so you can try disabling it and see if that fixes it. Report bugs you find, and don’t panic if they’re known and/or unsolved.

https://i.imgur.com/NhifLq5.png

I wish Mozilla put efforts toward preserving settings and not reinstalling search providers one has purposefully removed. I understand that by using Nightly I cannot expect what a general user expects, but this problem exists in all browsers. I consider it user-hostile behavior that more emphasis isn't taken to preserve settings. Oh a new update? Clearly you want us to sync everything instead of just the few things you selected. Let's revert it all to defaults.

I also understand how settings are stored (the backend format) might change between minor or major versions. Sometimes factory defaults need to be reinstated - but it should be very fucking clear (with a notification) that the user should go review settings that have changed/reverted. And this cannot be a banner that shows every time an update applies. Give the user some transparency.

On Chrome when I ask it to preserve my previous session it preserves just that session's browsing history. This history is forgotten if I make a point to close all tabs and end the session. On Firefox I must save all history be to 'restore the current session'. Wish we had more control over this.

You can't disable Firefox from checking for updates (I wish this could be left to package managers on some systems). I understand but I don't want to be nagged. You can make Firefox ask you, but it will check nonetheless.

Why the fuck would I want "Recommmend features as I browse?" or "Recommend extensions as I browse?" I hate being advertised to.

"Warn you about unwanted and uncommon software" - who is making this determination? Who is Firefox talking to about what I download?

I wish I could sync settings, open tabs, addresses, history, etc - to an simple archive on close or periodically. No online service to sync against with another account I have to worry about.

Sucks that in hotels Firefox determines if there's a captive portal in effect by querying a Mozilla-hosted site (detectportal.firefox.com).

Blah.

But all browsers do this.

"Windows performs a series of network tests. The destination site of these tests is msftncsi.com,"

https://docs.microsoft.com/en-us/windows-hardware/drivers/mo...

"Shill, the connection manager for Chromium OS, attempts to detect services that are within a captive portal whenever a service transitions to the ready state. This determination of being in a captive portal or being online is done by attempting to retrieve the webpage http://clients3.google.com/generate_204. This well known URL is known to return an empty page with an HTTP status 204. If for any reason the web page is not returned, or an HTTP response other than 204 is received, then shill marks the service as being in the portal state."

https://www.chromium.org/chromium-os/chromiumos-design-docs/...

You typically can... not sure about your platform, but I use policies.json on Windows to disable update checks.

What do you mean by that? I have mine set to never remember history, and I often force-kill FF as a way to save a session. When I start it up again it prompts to restore the previous session.

> You can't disable Firefox from checking for updates (I wish this could be left to package managers on some systems).

Firefox's updater is disabled on Arch Linux and iirc also Ubuntu/Fedora/etc. The 'About' window says that it has been disabled by the system administrator. Presumably this is either an about:config setting (good) or a compile-time flag (sad).

> Why the fuck would I want "Recommmend features as I browse?" or "Recommend extensions as I browse?" I hate being advertised to.

These aren't ads; you can't pay to have your extension shown to users. Recommending features is done by the browser on your computer; iirc the addons recommendations are also computed locally based on anonymized data (don't quote me on that though).

I at least find the feature suggestions to have been helpful. Many normal people won't know about reader mode, and FF on Android also tells you that bookmarking a page will save it for offline use, which I would not have otherwise known.

> "Warn you about unwanted and uncommon software" - who is making this determination? Who is Firefox talking to about what I download?

Google is used; if a file seems suspicious only then are details sent to google to give the final word. I wish they were more upfront about that.

But FF is targeted at normal people, and this does help them not get malware. Advanced users like us can easily disable it. That doesn't excuse the lack of transparency though.

> Sucks that in hotels Firefox determines if there's a captive portal in effect by querying a Mozilla-hosted site (detectportal.firefox.com).

How else do you propose they do this? And better to have Mozilla host it than someone else. On Android you are forced to use Google's NTP servers, and I have no doubt their captive portal detection is also google-hosted. I'd bet the detection URL is exposed in an about:config flag on FF.

> I wish I could sync settings, open tabs, addresses, history, etc - to an simple archive on close or periodically. No online service to sync against with another account I have to worry about.

For what its worth, Firefox Sync is e2e encrypted with your password. If you log out of sync on all your devices and forget your password, the synced data is gone forever. To log back in you will have to reset the password, and since none of your devices are logged in (they act as backups for the data), it is gone forever.

I don't know if firefox clones your profile or creates a blank one when you switch channels, though.

That seems to be a common trend these days --- ignore what they want, claim that it's "for their safety/security/privacy/whatever", and gradually remove options for configurability.

In particular, this sort of "overstepping the boundaries" is unfortunately getting more popular, and IMHO it's rather disturbing that browsers have gone in this direction; software should follow the system defaults/configuration whatever they are. Yes, the platform coud be compromised or otherwise not to your liking. That's not your problem, Mozilla!

(I run everything on my network through a filtering proxy. These attempts to subvert it are definitely not welcome.)

It so happens that many of the people who post on this site actively administrate at least a home network for which they are also end users. But even in that rarified group, how many people don't connect their computers to untrusted Wi-Fi networks, regularly or at least occasionally? I'd guess it's a pretty low fraction. And among Firefox users in general, the fraction that has meaningful input over the configuration of any network they connect to is surely negligible. (Owning a router doesn't count if you don't know how to configure it.)

If you're really an end user, then you'll always have the ability to change Firefox's settings to turn off DoH, or point it at whatever server you want. It's only if you're trying to monitor someone else's connections that you're out of luck.

But will you, even in a year or five from now? And in the broader discussion of DoH-in-browsers, will the same be true about Chrome?

(I believe the answers are "maybe" and "not likely", respectively.)

Is this like a DHCP option or RADIUS attribute to supply DoH IP/Hostname?

As per a comment by Eric [unknown surname] at Microsoft here[1], you can enable it on desktop chrome by adding the following to your chrome launch options:

    --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST

0: https://github.com/bromite/bromite/wiki/Enabling-DNS-over-HT...

1: https://crbug.com/799753#c8

2: https://www.chromium.org/developers/how-tos/run-chromium-wit...

DNS should be provided by the OS, and not reimplemented in every application running on top of it.

Developers going the sysop direction of services Sysops going the developer way of statically linking

That’s a bold claim, and I see no data to back it up.

If anything, OSes only tend to get bigger with time.

The setup was a little bit fiddly to get going, but I'm now super happy with it. As a sidenote, it was interesting to see how effective uBlock Origin already was because I thought the Pi Hole's blacklists weren't working at first!

*I imagine I'm not catching every single one of the DNS lookups on my network, but I bet it's now a large percentage of them.

I am confused. The guide tell me to set:

network.trr.uri

But Foundation for Applied Privacy sounds nice and I want to force DNS over HTTPS. The site specifically tells me to use the the Firfeox setting page https://appliedprivacy.net/services/dns/ but that sets network.trr.custom_uri not network.trr.uri so whats the diffrence? And it also tells that I have to set the network.trr.bootstrapAddress but does not tell you to what in case I missed something.

Edit: Apparently they already thought of this and it's a feature!

The next step will be to deploy the TLS 1.3 Encrypted Server Name Indicator (ESNI)[1].

[1]: https://tools.ietf.org/html/draft-ietf-tls-esni-03

Thinking this is a step backwards is pretty naive.

This includes most people in the UK.

Fixed that for you.

ISPs are a crapshoot the world over apart from very few countries. Almost all block or mess with torrent sites.

Off the back of a trip overseas, the "free wifi" is also a mess with DNS hijacking for no other reason than to feed you a cookie / limit access for essentially no good reason. Breaking that shitshow when chrome eventually follows suit will be a nice change for users.

They can’t do the same for HTTPS.

At this point there is no way big tech corporations can get involved in censorship circumvention, but they can and are in censorship both to satisfy all the governments and for their own benefit.