DNS-over-HTTPS: Privacy and Security Concerns

Discussion in 'privacy technology' started by mood, Sep 7, 2019.

  1. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    254
    Location:
    USA
    Thanks for your reply to my post #72. I was just curious if Beyonder in post #57 might have run into problems in setting up Quad9 in Connection Settings.

    I've been working the network.trr prefs since DoH first showed up in Firefox version I-forget-the-#. Almost two years now, I think; how time flies.

    The screenshots do verify the default mode is 2 (fallback) even though the bootstrap data are made present in network.trr.

    I'd like to see an "Enable bootstrapping" checkbox in the Connection Settings to set mode 3. I'm not holding my breath.
     
    Last edited: Jan 3, 2020
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    @Surt
    FWIW ~
    Getting Started with DoH and Quad9 - 2018-10-05 - Updated July 25, 2019
    https://www.quad9.net/doh-quad9-dns-servers/
    Firefox
    DNS over HTTPS (DoH) is not enabled by default, so you have to type about:config in your browser bar to open up the settings page.

    In Settings, you can modify 3 items related to the Trusted Recursive Resolver (aka network.trr):

    • network.trr.mode
      • trr.mode controls when and how DoH should be used. By default it is set to 0, meaning it is disabled. If you change it, it will enable it.
        • 0 — Off (default). To use operating system resolver.
        • 1 — Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
        • 2 — First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
        • 3 — Only. Only use TRR. Never use the native (after the initial setup).
        • 4 — Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
        • 5 — Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
        We recommend trr.mode of ‘2’ so it will fall back to the default resolver if the connection to the DoH server fails. If you only ever want to use DoH you can set it to 3 – You will be unable to resolve DNS names if your DoH server goes down and you won’t have a back-up using your system resolver.
    • network.trr.uri (this is where you specify the resolver you want to use)
    • network.trr.bootstrapAddress (you can forgo setting this and it will use the native system resolver for the initial query for hxxps://dns.quad9.net/dns-query)
    https://www.quad9.net/wp-content/uploads/2018/10/ff-setting-doh.png

    You can check out the logs by typing about:networking#dns into your browser bar. Look for TRR ‘true’ entries to see what is being looked up via DNS over HTTPS.
    for example: msn.com with uBlock Origin disabled
    png_3604.png
     
    Last edited: Jan 3, 2020
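As an added example (not from the post, Quad9 or Mozilla), here is what Firefox actually sends to the network.trr.uri endpoint: the RFC 8484 GET form, with the wire-format DNS query base64url-encoded into a dns= parameter, plus a parser for the application/dns-message reply. The hostname inside the URI must itself be resolved before any of this can happen, which is the lookup network.trr.bootstrapAddress short-circuits. The response bytes below are constructed, not captured.

```python
# Added example (not Quad9's or Mozilla's code): RFC 8484 DoH request/response handling
# for the network.trr.uri value quoted in the post. Sample response bytes are constructed.
import base64
import struct

DOH_URI = "https://dns.quad9.net/dns-query"  # the network.trr.uri value from the post

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query: header + one question (QCLASS IN).
    RFC 8484 recommends ID 0 so HTTP caches can reuse the response."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def doh_get_url(name: str) -> str:
    """GET form: base64url with padding stripped, as the dns= parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_URI}?dns={b64}"

def _skip_name(msg: bytes, off: int) -> int:
    # Skip a (possibly compressed) name; return the offset just after it.
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln

def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 answers from an application/dns-message response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F != 0:        # RCODE != NOERROR: nothing usable
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed reply: flags 0x8180 (QR, RD, RA), QD=1, AN=1, question echoed back,
# one A record pointing at the question name (0xC00C), TTL 300, address 93.184.216.34.
_Q = build_query("example.com")
SAMPLE_RESPONSE = (_Q[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _Q[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22")
```

Sending `doh_get_url("example.com")` with an `Accept: application/dns-message` header and feeding the body to `parse_a_records` is the whole exchange that about:networking#dns reports as TRR 'true'.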
  3. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    254
    Location:
    USA
    Hmmmm. First time I've seen this and I haven't changed a thing in my setup...

    FirefoxDoHcloudflareDDos.jpg
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,335
    Location:
    Member state of European Union
    It is fine. It may happen whether you are using Cloudflare DNS or not.
     
  5. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    254
    Location:
    USA
    Thanks. I found it interesting and new, not reading about it anywhere else. I thought I'd attempt to begin a discussion on it.

    Had I considered malicious I'd've peppered my post with :eek:
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,613
    Firefox 73 Released [...] New DoH Provider
    February 11, 2020
    https://www.bleepingcomputer.com/ne...ed-with-security-fixes-new-doh-provider-more/
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
  8. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    254
    Location:
    USA
    True, YogaDNS is pretty darn good. Otherwise, with even less effort one can just tweak the preferences in network.trr for one's fav provider.
     
  9. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    790
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,613
    Firefox turns encrypted DNS on by default to thwart snooping ISPs
    US-based Firefox users get encrypted DNS lookups today or within a few weeks
    February 25, 2020

    https://arstechnica.com/information...ed-dns-on-by-default-to-thwart-snooping-isps/
    Mozilla: Firefox continues push to bring DNS over HTTPS by default for US users
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    I have just had a prompt to use DoH in Firefox. I thought this was only rolling out to US users? Could this be because I had my VPN set to the US? I was still being prompted after I turned my VPN off.
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,195
    Location:
    DC Metro Area
    Guessing: Not sure this sounds like "by default."
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,621
    Location:
    Among the gum trees
    I know I can enable it manually in FF settings but this is the first time I've seen the prompt. Maybe they are expanding the rollout?
     
  15. MonarchX

    MonarchX Registered Member

    Joined:
    Apr 27, 2019
    Posts:
    14
    Location:
    Here
    How can DoH be forced/enabled in Chrome and/or Chromium-based browsers?

    Firefox already has the option to force it, but I cannot find it in Chrome or the latest Edge Chromium Canary version.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    I don't believe DoH support is built into Chrome yet, but you can easily implement YogaDNS to get the same result.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    Chrome
    png_5464.png
     
    Last edited: Mar 29, 2020
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    What version of Chrome are you using? I have the latest release - 80.0.3987.149 - and I can't find that feature in the list of experimental flags.
     
  19. MonarchX

    MonarchX Registered Member

    Joined:
    Apr 27, 2019
    Posts:
    14
    Location:
    Here
    I found it in the latest Brave browser version, but not in the latest Edge Chromium version.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    new Edge
    png_5469.png
     
    Last edited: Mar 29, 2020
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    png_5467.png png_5468.png
     
    Last edited: Mar 29, 2020
  23. MonarchX

    MonarchX Registered Member

    Joined:
    Apr 27, 2019
    Posts:
    14
    Location:
    Here
  24. MonarchX

    MonarchX Registered Member

    Joined:
    Apr 27, 2019
    Posts:
    14
    Location:
    Here
    Does it make sense to enable DoH with Chrome and/or Firefox when a VPN with custom DNS is used? My VPN uses its own custom DNS for use in both Network Adapter and TAP Driver settings when connecting via OpenVPN. What about the Encrypted SNI setting? Tor currently has that setting, but it is set to disabled by default.
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    Thanks for the screenshots. The setting comes up in Edge, but not in Google Chrome. It's weird, but not a problem for me as I'm implementing DoH via YogaDNS.
     