Mozilla Firefox

Discussion in 'other software & services' started by Hadron, Aug 27, 2016.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,887
    Location:
    Canada
    Maybe there should be a separate thread on how DNS works, rather than the back-and-forth taking place here?
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I wouldn't personally call it a back and forth. Well, I guess the forth would be the people discussing a great new feature that Firefox is providing that improves security and privacy (DNS over HTTPS). The rest isn't a "back", more like some arms waving in the air by people trying to look smart whilst contradicting themselves.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    The statement 'improves security and privacy' is bogus. Where is the measurable test case that shows this improvement?
    How does it improve it other than forward your queries to a cloud provider? For that matter, use VPN.
    Mrk
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,048
    Location:
    USA
    There's interesting information here about how encrypting DNS queries can improve security.

    https://dnscurve.org/espionage.html
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    745
But some VPN client implementations have been shown to be inferior and leak DNS requests in the clear. In those cases the damage would have been mitigated by having used encrypted DNS. Even in the worst possible case, that your VPN client crashes (and presuming that it has no kill switch functionality whatsoever), your box's DNS queries at least would still be encrypted (small comfort if your other traffic is normally otherwise unencrypted, but still...).

    DOH (or DOT or any other DNS encryption tech) does not make VPN irrelevant and vice versa.
It's an additional layer of defense. The only thing is the trust issue that each has to solve on his/her own (that is: do you trust XYZ or should you set up your own server?).

    But even with both VPN and/or DOH/DOT etc... the last mile problem is not solved.
    That is, the DNS stuff all the way to root is still not encrypted but maybe someday...
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    How does that improve security?
    Mrk
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,201
    Location:
    Member state of European Union
Attacker p0wns your router and can redirect DNS traffic to a server controlled by the attacker. Then you can try connecting to a trusted site, but end up on a site serving you malware or impersonating that site.

Serving bad IPs for Mozilla's servers probably also allows crippling the self-update functionality.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    You lost me there. Attacker pwns your router? Wow, slow down, this is not a movie. Real-life not fiction.
    Mrk
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,201
    Location:
    Member state of European Union
    It happened in the past. Examples [1][2].
Risk of infection is significant for those using routers with outdated firmware, but a lot of people have devices that are no longer supported by the vendor and are not even aware they should put them in the trash and buy a new one.
     
  10. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    745
That's what I really hate about commercial off-the-shelf routers. Their lifetime is poor and support often even poorer. And you never know what might be lurking in the firmware when buying a router from, let's say, China ....

And some routers you can't even flash with alternative firmware like DD-WRT, Tomato or OpenWRT because the hardware is not supported or the hardware is older than Moses and gets no new updates.

Better build your own router from a Raspberry Pi or some other credit card sized minicomputer.
1) You always know what's running inside it and can update it indefinitely, 2) it has a superior lifetime versus commercial ones, and 3) the hardware specs are often way higher than even the most top-notch commercial router.

Many times you don't even need buggy firmware to get in....
It's surprising how many devices are out there wide open with the default login :eek:
Like this piece of junk in the USA with default username/password... ...just a little change to that Primary DNS field and it's game over....


    Some inside stuff ...

    Floyd and Tawney must be really happy to know that their sysadmin is not lazy ****

Yeah, I could upgrade your firmware (and change the password too) but I'm not getting paid so...ask your lazy sysadmin!

     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    So why not fix the router problem and not invent a whole new era of bypass security like dns over https?
Moreover, as I've always claimed, security news is alarming and disproportionate.

    That still doesn't explain how it improves security.
    It merely shows (in a few isolated cases) how you could potentially be "less insecure" if you are pwned (which is game over).
    How is this going to benefit hundreds of millions of Firefox users?
    Where is the test methodology that shows the security improvement - how do you measure it, over what time, what's the experiment?

    Mrk
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    102,033
    Location:
    Texas
    Mozilla Taps Former Google Exec as it Rethinks Privacy
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,048
    Location:
    USA
    With DoH DNS queries are encrypted. Without DoH DNS queries occur "in the clear" where they can be intercepted/read by others. How does encrypting DNS queries not improve security/privacy?
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    You cannot intercept traffic on a switched network easily.
    Where are the thousands or millions of cases of this ever happening?

Moreover, how does this actually improve security?
    Where's the measurement of improvement?
    Where's the percentage of change of anything - apart from blanket statements?

    And how does it not improve security - without a measurable scenario, it's a meaningless claim.

    You can also say that wearing a kevlar vest improves security - which again, without context, is meaningless.

    Mrk
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,048
    Location:
    USA
    Do you feel that SSL/HTTPS in general improves security? It seems to me MITM attacks are rare when compared with the vast number of web transactions, but we still want to protect against them, don't you think?
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    Improves security in what way - there is not one security vector.

    It is helpful in that if you do activity on a network that you do not trust - your credentials will be encrypted and not readable. So if someone has access to a router where your traffic passes (ALL of your traffic, because packets may go different ways), they could decipher the message. This means primarily first-hop traffic, e.g. coffee shop router, because after that, the message may be fragmented over multiple networks or routers.

    But that's it - that does not guarantee anything else. You can still get scammed against a nice https site. Or whatever.

    DNS is not designed to be personal - and it carries no personal information. There's no reason to encrypt it.

    If the server is secure (i.e. does what it's supposed to), your queries are irrelevant.

    Forwarding traffic to a third-party dns is working around a non-issue. What guarantees that the third-party dns server isn't compromised? Encryption means nothing, because the traffic will be decrypted at the end point anyway.

    There's also the bigger conceptual issue - why would you trust Mozilla or CloudFlare to be your traffic gatekeepers? Or any company for that matter?

    When you sign up for an isp - they have a contractual obligation to YOU, as a person. They are most likely regulated.
    When you use a browser, no website/server out there has a contractual obligation to YOU, as a person.

    Mrk
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
That's not true. As @Victek already said, there can be MITM attacks which could redirect you to, e.g., phishing sites, particularly if you're using a public WiFi.
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,201
    Location:
    Member state of European Union
    Mozilla is not a router manufacturer. They are not in business of fixing vulnerable, proprietary router firmware.

    We're not assuming endpoint personal computer is pwned, just some device between DNS server and client.
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    It is true what I said - DNS does NOT contain personal info.
    MITM has NOTHING to do with it.

    Also 'there can be attacks' is a nonsense statement, it's like the popular scaremongering statement in news saying: millions are at risk. You could also die in a tsunami, so what.

    Mrk
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
    Mozilla is also not a DNS company.

    And I agree, the security issue needs to be fixed by router manufacturers - not your BROWSER.

    Why do you assume that particular case? Why not assume that the entire stack is compromised? Why stop at some random device? Why not go for a random keylogger? Should we also use a browser-provided specially encrypted keyboard? Why not assume there's a camera behind your back? Or whatever random scenario you feel like using.

    Arguing the logic of a change based on one possible scenario out of millions is like saying we need to wear chain mail because sharks could attack someone off the coast of Australia.

    DNS over HTTPS is argued as a security improvement, I see no actual quantifiable theory to test that.
    The security improvement includes encryption as the argument - DNS is entirely non-personal.
    The would-be improvement is based on security claims that may or may not be relevant.

    Your browser is not a legal entity with any contracts with you - your isp is. This has nothing to do with Mozilla per se, all your software has that as-is warranty, which means they have no legal responsibility. Your isp does - and it has a contract with you in your name.

    This is perhaps something that security folks like - go ahead use it - but don't sell it as something important or valuable or even applicable just because you like it. Encryption is completely irrelevant. DNS security has nothing to do with your browser. And you cannot fix hardware or remote server issues with a browser.

    Mrk
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Well, I was referring to your second sentence: "There's no reason to encrypt it".

    Following this logic - which fits with what you wrote here - means that for most vulnerabilities and security weaknesses in the past there would not have been any necessity to fix them. The majority of them were found by security researchers but were not de facto exploited in the wild. But many of them would probably have been exploited at a later time by evil hackers if they had not been fixed.

    So at the time when they were fixed there were no "thousands or millions of cases of this ever happening" and no exact "measurement of improvement". Does this mean for you that they shouldn't have been fixed because of irrelevance?
     
    Last edited: Sep 6, 2018
  22. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    745
    Uh...DNS has a thing called Extension Mechanisms for DNS (EDNS0).
    That can be used to pass any information that the DNS provider (like your ISP if you really want to use their server or any 3rd party server) likes.

    Like your network card MAC address (this is why I spoof all my NIC's MACs always) and exact IP address.

    From: https://www.ietf.org/archive/id/draft-tale-dnsop-edns0-clientid-01.txt
"similar EDNS option is already being used on the public Internet in two different implementations. One is between the [dnsmasq] resolver on the client side and Nominum's [Vantio_CacheServe] upstream. It uses EDNS option code 65073 from the "Reserved for Local/Experimental Use" range to pass the client's Media Access Control (MAC) address. The other implementation is for Cisco's [Umbrella], aka OpenDNS, which encodes the client's MAC address and complete IP address. It uses option codes 26946 and 20292, respectively, from the middle of the "Unassigned" range."

That's why: 1) Don't use ISP DNS, ever. 2) Encrypt your DNS queries so that even if the upstream server uses EDNS0 (note DNSSEC support needs EDNS0!) for something fishy, at least your ISP or anyone between you and upstream can't pick it up (damage mitigation).


No, the ISP's only obligation is to the government and its regulations. If the government says "jump!" they ask "how high?". Like happened in Turkey and like happens every day in Thailand where the ISP strips STARTTLS from e-mail connections....
Or like happens every day in China and Russia.
Never use ISP DNS. Always use either your own server or, if that's not possible for some reason, some reputable 3rd party server.
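The draft Stefan quotes names three EDNS0 option codes that carry a client's MAC or IP address. As an added example (not from the thread or the draft), this Python snippet parses the OPT pseudo-RR of a DNS message and flags those three codes, so you can check a capture of your own resolver traffic for them; the sample message, its MAC and its IP are constructed here for the demonstration.

```python
import struct

# Option codes from draft-tale-dnsop-edns0-clientid-01; assumption: only these are flagged.
CLIENT_ID_OPTIONS = {
    65073: "client MAC address (dnsmasq -> Nominum CacheServe, local/experimental range)",
    26946: "client MAC address (Cisco Umbrella / OpenDNS)",
    20292: "client IP address (Cisco Umbrella / OpenDNS)",
}

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def edns0_options(msg):
    """Return [(code, data), ...] for every option in the OPT pseudo-RR of a DNS message."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    options = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != 41:  # 41 = OPT (RFC 6891); other RR types carry no EDNS options
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # each option: 2-byte code, 2-byte length, data
            code, olen = struct.unpack_from("!HH", rdata, pos)
            options.append((code, rdata[pos + 4:pos + 4 + olen]))
            pos += 4 + olen
    return options

def client_id_findings(msg):
    return {code: CLIENT_ID_OPTIONS[code] for code, _ in edns0_options(msg) if code in CLIENT_ID_OPTIONS}

def sample_query():
    # Constructed message: "example.com A" plus an OPT RR carrying options 26946 and 20292.
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional RR
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # type A, class IN
    opts = struct.pack("!HH", 26946, 6) + bytes.fromhex("0a1b2c3d4e5f")  # made-up MAC
    opts += struct.pack("!HH", 20292, 4) + bytes([192, 0, 2, 10])  # made-up IPv4 (TEST-NET-1)
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opts)) + opts  # root name, UDP size 4096
    return header + question + opt_rr
```

Feed `edns0_options()` the payload of a DNS packet captured between your resolver and its upstream; an empty `client_id_findings()` result means none of the three documented client-ID options were present in that message.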
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,837
Stefan, I don't buy into that. My isp already has my ip and mac address, so what.
Second, you can extend things, but then the client actually has to send that information.
Third, the isp has obligations. But if you want to argue politics, that's a separate topic.

summerheat, regarding security vulnerabilities, they are overrated. Should they be fixed, why not. But from there to END of THE WORDL ZOMG!!! PATCH NOW!1 well that's a bit of a leap of faith. The beauty about security is that it's inherently unprovable - if you ask someone, do you want to protect your children from cyber threats, what do you expect the person to answer. Or if you say, would you like your data stolen? Or hax0rs are attacking the country.

    Are there legitimate cyber threats? Yes.
    Is most of the security drama overblown? Yes.
    Those two are not mutually exclusive.

    Mrk
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Tell that, e.g., all those hospitals, power stations etc. which have been attacked by ransomware. I'm not sure if they would agree.

    The problem with security issues is that nobody can reliably tell beforehand how relevant/critical/widespread they are or might become - there have been many examples in the past. That's why an anticipatory approach is always preferable.
     
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,201
    Location:
    Member state of European Union
I agree with that completely. Pro-actively securing OSes, browsers, and multi-layer defense are preferable to a reactionary approach - fixing vulnerabilities just after a massive malware outbreak.
     