Can PureOS use DOH?

Can PureOS enable DNS over HTTPS? If so, how? If not, why not?

JAA84

This is not currently pre-installed, nor is it a configuration option. DoH was discussed a decent amount here: Pure Browser: Please add DoH support

If you find instructions for adding DoH to Debian or any Debian fork, you can likely use those same instructions for PureOS.

1 Like
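For anyone following the "do it yourself" route above, it helps to see what DoH actually does on the wire before picking a resolver. The example below is added here and is not from this thread or from PureOS: it builds a standard DNS query, encodes it the way RFC 8484 GET requests require (unpadded base64url in a `dns=` parameter), and parses the A records from a response. The resolver URL and the sample response are constructed placeholders; only `resolve_over_doh` needs network access.

```python
import base64
import struct
import urllib.request

DOH_ENDPOINT = "https://doh.example.net/dns-query"  # placeholder, not a real resolver

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 recommends ID 0 for DoH so that
    identical queries give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(endpoint: str, name: str) -> str:
    """RFC 8484 GET form: base64url of the wire query, '=' padding stripped."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{endpoint}?dns={b64}"

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses found in the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_doh(endpoint: str, name: str) -> list:
    """Live lookup (needs network): GET the query and parse the A records."""
    req = urllib.request.Request(doh_get_url(endpoint, name),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

# Constructed response for example.net: flags QR|RD|RA, the echoed question,
# then one A record whose owner name is a pointer (0xC00C) back to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03net\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Whatever sits at `DOH_ENDPOINT` sees every name you look up, which is the centralisation and trust point raised later in this thread.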

There really isn’t any such thing as “if not” in an open source environment. It’s your computer. Enable whatever you want. It is merely a question of whether you do it yourself or you want someone else to do it for you.

There are privacy reasons not to enable any centralised external DNS service and hence it is probably a good call by a distro not to enable it by default. That could change if authoritative name servers start supporting DoH. I recommend that you review the discussion that the previous post links to.

DOH isn’t gonna centralize DNS, alphabet inc./Google will. Mozilla’s approach to DOH is to connect to the nearest server with that capability.

In practice, it depends on the numbers of servers available. Right now there are relatively few servers doing DoH, therefore using DoH makes DNS more centralised.

I agree that the concept of DoH does not in and of itself centralise DNS. If every DNS server in the world, recursive and authoritative, offered DoH then the choice of transport (HTTPS, or TLS, or TCP, or UDP) wouldn’t make any difference at all to centralisation.

This topic is not specifically about Mozilla / PureBrowser / Firefox. The original topic was.

However if you look at the proposition that “Mozilla will connect to the nearest server with that capability” then that could mean that 100% of your DNS requests go to exactly one server, which is fairly centralised. You then have to ask whether you expect the operator of that server to monetise you / record your lookups / surrender a record of your lookups to other parties. Do you trust that operator?

You also have to ask: why is the operator of the server making the service available, if it is a free service?

Let’s say that EFF decided to offer a DoH server. Most people would trust that its motivations are to further privacy. Maybe that’s what you mean by mentioning Google - because most people would believe that Google is going to monetise them.

For grins, has anyone checked what protocols can be used with the authoritative DNS server for puri.sm ?

If you want the protection against ISP snooping that DoH provides, I would strongly recommend just using a full VPN instead. DoH is a DNS-only VPN: your DNS query still goes out to the Internet in plain text once it leaves your DoH provider, but the rest of your web traffic goes through the network that you apparently don’t trust (or otherwise you wouldn’t want to use DoH).

So far I haven’t come across a practical use case or threat model where someone isn’t better served by sending all their traffic over a trusted VPN instead of sending just their DNS data over a DoH “VPN”.

3 Likes

Although it’s not either-or. You can use both - and doing so is not totally silly, in terms of not putting all your eggs in one basket. Would using both be justified for any given user? Who can say.

The combined use of DoH and VPN is one big thing I don’t like about the fact that Mozilla has decided to turn on DoH by default. If you are a VPN user, then you have vetted and decided on a particular provider you trust. The moment you turn on DoH, your DNS traffic now goes through the VPN and to this third party that you may or may not trust and may or may not have vetted.

In my opinion it’s much simpler and safer to maintain trust in a single provider when it comes to semi-private web use. If you want actual anonymity instead of just privacy, then there’s always Tor.

2 Likes

For sure. Enabling it by default without getting informed consent would be a bit doubtful.

I don’t know whether it is enabled by default though.

Edit / Preferences
(General section)
(Network Settings section)
Settings…
Enable DNS over HTTPS (checkbox; not ticked for me)
and
Use Provider (Cloudflare or Custom) (greyed out, of course)

Firefox 70.0.1

I don’t think that I have tweaked this either way. ??

Apparently they started rolling this out in September of 2019: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

2 Likes

I also am a bit doubtful that just enabling it in one browser is the right approach - since then random other lookups will be unprotected (to the extent that someone wants that protection). I would rather it get enabled at the system level (and for me personally I will just enable it at the LAN level when I am ready, and no changes on any individual system will be needed, since I run my own local DNS server - so I definitely don’t want it enabled by default in the browser).

Clearly with the choice of Cloudflare or Cloudflare, unless you want to go “Custom”, this is also a high degree of centralisation, which concerns me.

I understand that these innovations have to start somewhere but …

1 Like