Opting out of Firefox's DNS-over-HTTPS by blocking use-application-dns.net #1051
Comments
|
Hi @ndrwy Thanks for the notification :=) This is actually potential a huge privacy issue as it is written that Firefox by default will route all your DNS traffic to an external source beyond your control and without your accept and knowledge, and who is the external DNS hosting company and what will they do with all the data they collect. Since nothing is free I'll bet they are going to sell the data to bad companies like Google, Facebook etc. The other potentional privacy bomb in this is Mozilla haven't written anything about who the external provider is or going to be. But personally I guess it would be the bad host traffic collector Cloudflare
|
I agree completely. I've been using DoT which Moz's telemetry can't detect easily i.e. every test shows that I "might be at risk" but verified with wireshark that all requests on all my networks are using it effectively. Thanks for the screen shot... this is currently under Preferences -> Network Settings ... Settings button. Now I know where to watch for this abomination. 😸 (EDIT: Seems to be about:config?filter=network.trr.mode , about:config?filter=network.trr.uri , and about:config?filter=network.trr.custom_uri ) What's interesting on Android 9 is their "Private DNS" option in "Automatic" mode did zilch and always chose my cellulars DNS... thought that was an interesting find while I was traveling (corrected it too). I'll admit that DoT isn't perfect since one of the WiFi hubs I was on actually had a residential login with 1.1.1.1 (usually cloudflare) which made me switch to quad9.net. At least it detected that it was not the real 1.1.1.1 |
|
Chrome is starting to "experiment" with DoH, as well. If you're still not sure why this is a scary thing, check out this Bluecat presentation, particularly the last few bits that really drive things home around the 21-minute mark. I've ranted countless times about this before, but I really liked the concise wording and the numbers here that help put things into perspective. https://www.bluecatnetworks.com/blog/the-future-of-dns-privacy-dot-doh/
|
|
The probable potential for abuse is massive in a market based system. As always the end-point resolver always knows everything. Privacy in both corporate and home users also deals with the realm of security as well... albeit there are a lot of others ways to expose someones identity and practices besides DNS. With an opt out like the UK has with the GDPR that just serves to point a finger to those requesting removals imho. It involves actively querying any provider, whether known or not known, to delete that information. Most people are quite lazy when it comes to that, again imho. How many times should one have to do that?... daily?, hourly?, etc. I understand the need for encryption but it has inherent failures for security/privacy. Privacy is a component of security in my book although I'm probably in the minority. There's no easy solution to the dilemma of providing security by having privacy inclusive. |
|
Hi @Martii I Agree with most of your post, but to make it clean from my point of view. Encryption is REQUIRED for privacy, but to whom to trust the data shall ALWAYS be the endusers choice, and not some ugly preset stuff you have to opt-out of, all privacy related even merely shall always be a opt-in. And the "easy way to implant privacy": This leaves the privacy issue between the end-user and the domain holder. (Specifically used the word holder as it could have been hijacked from the owner) |
|
Well, kind of like how Facebook took care of the breach of contract by simply calling Cambridge Analytica and telling them to delete their Facebook data, which they then promptly stated they did but in actuality didn't, just telling someone not to do something may mean something legally but in reality it doesn't mean anything if there's a profit to be made that's worth the risk. Large corporations break the law every day and are happy to pay the chump change fines that go along with it because the profit they make from breaking the law is orders of magnitude greater than what they pay out in legal fees and fines. For privacy and security to have true meaning, the protocols must be reworked to incorporate modern best practices on the most fundamental levels and never falling back to someone's word and a handshake. This might include incorporating peer-to-peer technologies, blockchain technologies, and other distributed decentralized technologies that can come with a level of trust, security, privacy, and everything else expected of modern technology. Perhaps in 10 years all of that will be proven ineffective, but we should at least strive to progress with what we have instead of just making small twists to a relic technology known to be full of holes simply because each mutation brings about new opportunities for profit. The truth of the matter is that Silicon Valley was once a diverse and tolerant landscape, but over the years business and enterprise drove out diversity and tolerance. We shouldn't be letting ourselves be guided by the misguided, fools to follow a fool. Wielding capitalism irresponsibly to a level of extremism may work out short term for a privileged few, but if anything is known it's certainly the impending doom should this continue unchecked. |
To this you'll have to add a way better encryption.... I can recall an almost 20 years old article describing how a IT student in the east had broken a standard 256bit encryption in less than 30 seconds back then.. (Remember it was a time where a pocket watch had more power than a PC) But yes where money are to made they are. Like the new GDPR is written to protect the big suckers like Google and Facebook again competitive smaller businesses, a cost of running against the GDPR is 250.000€.... which is nothing to them, but the sure death of small competitors.... |
|
If you're up for some more light reading, our very own resident expert Paul Vixie tweeted directly at Cloudflare's Head of Research, Nick Sullivan, in regards to DoT versus DoH almost a year ago in a series of tweets, so don't forget to scroll down and click through all of his replies: |
|
Hi Tiger , thx for the link... Paul Vixie is to be my BFF of the week 🔐 And Here i was about to think I had paranoia 😀 |
|
A little info: I've been testing this domain record The results seems to inactivate the DoT, but it won't grey out the option for setting it, which I would have expected.. |
|
@StevenBlack, I'd like to make a second motion to delete all of @infinitewaveparticle's comments and block him/her/them from further access. |
|
@ScriptTiger comment deleted. Thanks for the heads-up. |
|
@StevenBlack Isn't this issue now solved with the latest list updates + Pi-hole v4.4? |
Found an interesting link: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
DoH will be enabled by default end of this month: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
So in short, including
use-application-dns.netin a blocklist will not enable DoH in Firefox browsers.(I created this ticket just to bring this to attention and discuss if needed, I'm not seeking any particular action; feel free to close any time)
I noticed Pi-Hole is blocking this domain by default: pi-hole/pi-hole@525ec8c
For my home network I think I will be blocking this domain as well, mainly to ensure ads/nasty stuff continue to be blocked for my parents.
The text was updated successfully, but these errors were encountered: