-
Notifications
You must be signed in to change notification settings - Fork 506
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ToDo: DoH section or entries #1027
Comments
I run a private DNS server using AdGuardHome and I've got it set up to accept DNS, DoT, and DoH requests. I've got all my browser profiles set up to use my AdGuardHome instance via DoH. I cannot for the life of me get Firefox to recognize the |
Oh also if you want to enable encrypted SNI, you must have DoH enabled; otherwise the In my opinion this is somewhat well intentioned but ultimately also somewhat annoying. Yes, if you ultimately don't use DoH which site you're visiting is leaked anyways. But someone could be using a local DNS server that accepts regular DNS requests and forwards them over DoH or DoT. |
FWIW: My DoH overrides /*** [SECTION 6750]: DoH ***/
/* 6751: DoH mode ***/
// user_pref("network.trr.mode", 2); // enable TRR (with System fallback)
user_pref("network.trr.mode", 3); // enable TRR (without System fallback)
// user_pref("network.trr.mode", 5); // Disable TRR
/* 6752: DoH resolver
* The second pref is optional for DoH mode 2 and required for mode 3 ***/
user_pref("network.trr.uri", "https://xxxx/dns-query");
user_pref("network.trr.bootstrapAddress", "x.x.x.x");
/* 6753: DoH resolver list
DEFAULT(72): [{ "name": "Cloudflare", "url": "https://mozilla.cloudflare-dns.com/dns-query" }]
DEFAULT(73): "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" },{ \"name\": \"NextDNS\", \"url\": \"https://trr.dns.nextdns.io/\" }]"
***/
// user_pref("network.trr.resolvers", "[{ \"name\": \"<NAME1>\", \"url\": \"https://<URL1>\" }, { \"name\": \"<NAME2>\", \"url\": \"https://<URL2>\" }]");
/* 6754: ***/
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
/* 6755: enable ESNI
* ESNI has nothing to do with DoH, but the implementation in Firefox requires it ***/
user_pref("network.security.esni.enabled", true); I ignored other prefs such as
|
This comment has been minimized.
This comment has been minimized.
Linux Debian testing - Firefox 80.0.1 64bits user_pref("network.trr.mode", 2); I pick my DoH server from : |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
stay on topic please: reminder from the first post: This is not a debate on this state = good, this state = bad |
FYI: seems like 1544233: DoH +hosts file was resolved in FF83 by 1616252 .. so that's good. More parity, possible holes fixed etc |
I would very much like to see a default of disabling DoH in this. I think it is only a matter of time before Mozilla starts to roll this out as default enabled. On our network we block DoH, but we also use a default user.js based upon the Arkenfox and having this set here helps a lot. |
@iio7 that's easy enough ... just set Thanks @rusty-snake @2glops for your configs 👍 ANYONE ELSE .. and I can't stress this enough ... NOW IS THE TIME TO CONTRIBUTE ... links on how DoH, ESNI, bugzillas, what works and what doesn't, known bugs, your configs, anything. It would be cool to get this issue resolved and out of the way. Thanks |
good article/summary: https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 |
note: |
Securing DNS is a good thing, although it can conflict with some anti virus applications that check DNS traffic. The question is more if using the current DoH implementations in internet browsers is the best solution? Personally I don't think it is wise the redirect DNS traffic from internet browsers to just a few DNS providers, it centralises DNS for the internet browsers to just a few DNS providers and that is my main concern. Another issue is that current DoH providers in internet browsers don't always redirect you to the nearest datacenter where you local DNS servers from your providers do(I assume). I noticed that with some social media site I got redirected to another country while that web site had it's own datacenter in my own country. So personally I don't use Firefox' DoH. I do use secure DNS, but I run my own DNSCrypt application and use multiple secure, DNSCrypt, DNSSEC, no logging, no filtering, DNS servers in my own country to load-balance my DNS queries to. |
Are you, and if so when, going to add these new prefs? |
IDK, are they somehow important? |
Well, read your own link. 😛 😄 But, quote:
But I don't know how long that will take, users who already used the pref |
this is not something that is going to happen any time soon, DoH is super low priority and I refuse to do it myself - hence why I nagged you to say why they are important: read OP, why do I have to always do everything, including looking it up and searching for how it is used in DoH and all that - there was an earlier smallish DoH prefs in the user.js about two years ago which in the end I ripped out precisely because I was left holding the bucket, and there were too many bugs/changes - I'm not going back to that
|
BTW: Does anyone know if/how |
DoH, ODoH, xDoH ? For sure, it's time to wait and see : |
I was just a little bit confused why you asked if the new prefs were somewhat important. Because the user.js had the pref And FYI, I did read the OP, I was merely commenting on it because you commented about removing the ESNI pref
If you used ESNI you now want ECH and don't wait till Mozilla makes it default. Although I understand it is a TLS 1.3 extension and web servers have to support it, but that was the case with ESNI also that web servers have to support it.
FYI2, ESNI/ECH have nothing to do with DoH. ESNI/ECH are TLS extensions. It are two different ways to hide which site you are visiting, one is in the DNS traffic and the other is in the TLS traffic.
I noticed this, but because of the 'recent' comments in january I though it was ok to comment and give my thought about DoH. You asked for input, I gave mine. |
Firefox esni implementation required DoH to be enabled. With |
That is done by Mozilla, it has no use of encrypting you SNI while your DNS is not encrypted and still exposing which site you are visiting. |
I could be wrong, so no guarantees. But I would say it are two different things.
|
never had it, doesn't have it now. I only mentioned it was being removed since it was in rusty's overrides |
Than that is a misunderstanding on my side, sorry for that. |
@gitthehubs you seem to be right. Looks like it is inspired by AltSvc but different. (https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-httpssvc-03.html#name-relationship-to-alt-svc). |
https://blog.mozilla.org/en/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/ so after 2+ years .. rollout is so far .. USA .. and Canada about to start .. so glad I ignored all of this for 2 + years |
My main FF (portable with user.js) shows Not sure why I've never seen a prompt or been rolled out to: maybe from the old pref when it was in the user.js, or maybe I had the xpi removed (I don't bother anymore as it forces a full download to update via the app) So sorry all you sucker loser en-US arkenfox users, while I was busy working from early in the morning until late in the evening and making many phone calls and having many meetings, the boat sailed (probably from Florida full of superspreaders) and you were already rolled out .. lulz 🤣 I plan to close this before release 91 (for ESR). I will add the basic rollout pref (inactive), point to the UI, and reference some links. That's it. Just giving you all the heads up in case anyone wants to add anything after 2+ years |
notes to self:
@rusty-snake I don't use DoH because I live in a utopian non-shit non-3rd-world country which values privacy ... do you have any other links or info, like test pages - etc - e.g. https://old.reddit.com/r/privacytoolsIO/comments/cplstn/doh_confirmation_test/ ? |
Actually you can use any dns-leak test like https://browserleaks.com/dns or https://www.dnsleaktest.com/ though the results can be confusing. There are two support pages, not sure if they are relevant. Since firefox remove esni, ... |
My first impression is that it needs it's own section, as there are quite a few prefs - the main one of course is to block the rollout by default (AFAIK there is a notification panel allowing you to cancel, or at least to let you know). I think the rollout has been limited to the USA so far - but at some stage they will flip it for a lot more (not sure how that works - since I assume most arkenfox English users install en-US builds?)
This is not a debate on this state = good, this state = bad. There are pros and cons to both. It's more about what prefs to add, references, and so on. My initial thoughts are the section header can have some references/info on whether or not DoH is for you (pros/cons) as everyone's threat model will differ, and we can dispel some myths or whatever. And then the only active pref is to block the rollout - thus putting the choice in the hands of the end-user, not some rollout. All other prefs are for those who want to setup their DoH config and use it.
After lots of teething issues and shitloads of bugs and changes, I think DoH is finally ready. IANAE on this shit, so help is appreciated, especially from those using it who know the pitfalls and what configs screw things up etc
FYI: DoH + CNAME cloaking is finally fixed in ESR78.4 and FF82
It's things like this bug, and constant new prefs and pref changes and UI changes etc, why I never wanted to have a DoH section/entries and dealing with the inevitable fallout/issues and it's why I removed what we had about a year ago or whenever it was .. but now I think we can look at adding it back in
edit: typos
The text was updated successfully, but these errors were encountered: