Pure Browser: Please add DoH support

DoH, or DNS over HTTPS, is a key feature recently added to firefox since version 68. It should be a must-have for pure browser, for protection against ISPs.

You can probably use a stub resolver in order to have DNS queries resolved however you want.

(That article is talking about DNS over TLS, which may or may not be good enough for you, but it also links to information relevant to doing DNS over HTTPS.)

I know you just want it working in Firefox “out of the box”.

Sure, that blog post gives several reasons why DoH is not as great for privacy as some people maybe think it is, but this claim seems strange: it says “DoH does not encrypt anything that is not also present in plain text”.

That is not true, is it? DoH does encrypt the name of the web page you browse to, which is otherwise present in plain text. That is the thole point, isn’t it? So, if someone is looking at my network traffic locally and simply scanning my traffic looking for certain web page names in plaintext, DoH would prevent them from seeing that. Either I have misunderstood this, or that blog post is wrong in saying “DoH does not encrypt anything that is not also present in plain text”.

It does encrypt the name when you request XYZ.com and encrypts the response that includes the IP for XYZ.com, what it doesn’t encrypt is that the next thing your computer does is try to connect to that IP and that IP is in plain text. With that IP anyone can do a reverse DNS lookup which takes that IP and finds the associated name.

So technically it adds a step to someone snooping on your traffic but a very small step that they’re likely doing anyway as it is more reliable to see where you’re actually connecting instead of the names of websites you might connect to.

You can probably use a stub resolver in order to have DNS queries resolved however you want.

I do prefer a local DNS server as the solution. I am going to deploy it locally on my device. This is actually a better solution than firefox’s DoH. It just requires a bit more effort. I am not going to request DoH feature since I will go this way.

However, lets be realistic. I want to get rid of the DNS server from my ISP, lets say, verison. If you are also a verison user you will know why I prefer Cloudflare.

Cloudflare might want to record all of our queries, but there are just too many. Cloudflare will only get aggregate results. I wont care if I am one of those.

Anyway, I need to either give it to cloudflare or give it to verison, or someone else. There is just no option that “I do not want to tell anyone on which website I am going to visit”.

Now lets talk about the key thing here: protection against DNS pollution. I dont mean verison is doing DNS pollution, it is not. However, I might need to travel to somewhere like, you know, China, where ISPs are so used to the art of polluting. I might be working for an evil corp who want to ban me from visiting certain sites. I might have some naughty friends. This is important since polluted DNS response will affect accessibility and integrity.

See my post above for why you are now actually giving this to cloudflare and Verizon in this example as Verizon still sees the IP you are going to and can do a reverse DNS lookup to see what the name/s is/are associated with that IP.

This scenario however… DoH would likely prevent a MitM attack, provided they can’t do SSL decrypt… which if you’re using a corporate device can be done transparent to the user; and even your own device, if the corporate SSL cert is installed, can be compromised this way on the corporate network.

A Nation State like China would likely also have the resources to accomplish this, though they’re more likely to just block access to any DNS service that doesn’t comply with them when they request information forcing you to either use theirs or one that is compromised.

While this might help in a handful of situations, I think we need to step back and look at the bigger picture to find a better long term solution.

I am from China and I know what they are doing. You are right, DoH is not enough, but it is very useful for people living in China. Chinese gov does not have enough resources to do this “in real time”, there is too much traffic.

Surely you are right. However a compromised device means compromised everything :-).

For some IP addresses, there are 10s, 100s or even 1000s of unrelated domain names associated with the IP address.

Also, what it doesn’t do is encrypt the request (necessarily) that the DoH DNS server makes on your behalf. It is true that that request is anonymised if made at all, and may not be made at all if the request can be answered from the DoH server’s cache.

With the emphasis on the if. Even then, you can protect yourself in some ways.

Also, if the following request for a web page is not itself (fully) encrypted then you are giving a snooper a fair view of your browsing regardless of how secure your DNS is.

That is true. Also, figuring out which IP address is from the desired resource and which is hosting stylesheets, javascript, or pictures, is also less than trivial. Of course, this does require that the SNI in the TLS header is also encrypted (which also relies on the DNS system).

As long as DoH to a pre set server is not the standard config i think it would be a nice feature to have in the tool box for certain use cases. So to me it sound like a reasonable request.

In general i don’t like the centralizisation which comes with DoH. But i think this could be defeated / less of a problem if DoH is optional and it would be possible to configure multiple DoH server which would be used at random. So no single entity has all the information. So i hope that most present dns server will offer DoH an d DoT in the future so it stays the users choise which to use. At the moment the discussion seams to come along with the centralisation and use of cloudflare. Which in my opinion is not that closely connected at the technical level.

As long as one uses one DNS server its kind of centralised in one point any ways. DoH and DoT just prevent the hops in the middle to know what in the request. Same for the reverse IP argument. It’s not really an argument neither for nor against.

DoH provides less security and privacy then often told / wished to do.
DoH wouldn’t be as bad if it would be as widely available as standard DNS.

Looking at the link I provided above, it is not “random” but at least it can be configured to round-robin a set of upstream servers - so no single entity has all the information, as you requested.

In Firefox, the relevant options appear to be in about:config under network.trr
https://wiki.mozilla.org/Trusted_Recursive_Resolver

That wiki page is incomplete, because, in my Firefox, there is also a network.trr.resolvers, which contains some JSON:
[{ "name": "Cloudflare", "url": "https://mozilla.cloudflare-dns.com/dns-query" }]

Better: Install a local caching recursive resolver with DNSSEC support. This is as simple as “apt install unbound”, and then updating resolv.conf to point at 127.0.0.1. This will reject the majority of silently tracked and modified DNS traffic. It wont protect from ISPs that are sniffing port 53 traffic though and/or intercepting and modifying DNS requests that aren’t specifically sent to their own servers. This is a minority though.

If you care about the minority:

Users can be given the option to configure their local caching DNSSEC recursive resolver to optionally forward to a preset list of resolvers (which may or may not support DoH or DoT), or alternatively manually set ones that are not in the preset list. The unbound config to forward all traffic over encrypted DoT to Cloudflare is as simple as:

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-tls-upstream: yes

And Google:

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
    forward-tls-upstream: yes

Your browser should not be using a different DNS resolution path to the rest of your system. It is an idiotic design.

Round-robin is an awful design for maintaining privacy with Internet traffic, and does the opposite of what you’re hoping for. All you do by using round-robin is give a list of all the properties that you visit, to multiple organisations, instead of one. One day you tell one DNS provider that you’re visiting pornhub, the next day you tell a different DNS provider you’re visiting pornhub. And so on, until they all know that you visit pornhub.

This is precisely why the Tor project introduced Entry Guards into the anonymity network.

The same is more or less true with the “random” approach that the post was requesting.

If you make a single or very limited number of visits to a few related sites, there may still be some merit in spreading the requests around (whether round robin or random).

I myself would not use DoH to a surveillance capitalism organisation at all. However in the context of this discussion, people want DoH, so it is a question of how they use it.

Also depends a bit on what you mean by random, if you seed the RNG by the hostname, then it’ll always use the same provider for the same hostname, while distributing the requests so no one server sees everything.

Or a straight hash on the hostname.

There are lots of ways of doing this but any centralisation, such as typically occurs with DoH, does not sit well with me.