Firefox Will Soon Encrypt DNS Requests By Default – Slashdot

八月 5, 2019 - MorningStar


Firefox Will Soon Encrypt DNS Requests By Default (engadget.com) 108

Posted by EditorDavid from the DNS-over-HTTPS dept.
This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring.

Not every request will use HTTPS. Mozilla is relying on a “fallback” method that will revert to your operating system’s default DNS if there’s either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will “revisit” its approach if attackers use a canary domain to disable the technology.
Users will be given the option to opt-out, explains Mozilla’s official announcement. “After many experiments, we’ve demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic.”

“We feel confident that enabling DNS-over-HTTPS by default is the right next step.”


  • how does it work? (Score:5, Interesting)

    by fred6666 ( 4718031 ) writes: on Sunday September 08, 2019 @09:37AM (#59170896)

    Will it still use my DNS server or not?

    • Re: (Score:3, Informative)

      by Sumguy2436 ( 6186944 ) writes:

      As I understand it Mozilla uses Cloudflare’s DNS for DNS-over-HTTPS (https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/).

      Between Mozilla and Cloudflare I guess we can expect a few sites “accidentally” not getting resolved.

    • by FaxeTheCat ( 1394763 ) writes: on Sunday September 08, 2019 @09:46AM (#59170914)

      No. The problem is that this bypasses your DNS server, so you lose control over DNS.
      To prevent this, you can block access to the DNS over HTTPS servers in your firewall (there are not really many), forcing the browser to use your DNS servers.

      • And what happens when you want to use the DNS server of your VPN provider?

        If the OpenVPN client bypasses the OS’s DNS settings, what happens when the browser wants to bypass the OpenVPN bypass? Who wins?

        • The browser does not bypass the local DNS servers. It uses a different protocol for resolution. So whatever DNS servers the OS uses, as long as you permit Firefox to use DoH (DNS over HTTPS), Firefox will use DoH, ignoring the OS DNS settings.

          • by caseih ( 160668 ) writes: on Sunday September 08, 2019 @10:41AM (#59171058)

            Not sure what you mean. Firefox absolutely bypasses your local DNS servers when DNS over HTTPS is enabled. You can set up your own DNS over HTTPS server and manually configure Firefox to use it, but by default it will use Cloudflare’s DNS servers.

            None of this is automatic in any of the senses that DHCP and normal DNS are. DHCP does not currently provide clients with DoH addresses to use, so the OS is not aware of DoH at all. I’m sure DHCP servers could add support for this like how it was done for netbios stuff. At that point one would expect Firefox to honor the OS-wide DoH setting. But it seems like Firefox wants to go its own way on this.

            • Re: (Score:2, Interesting)

              At that point one would expect Firefox to honor the OS-wide DoH setting. But it seems like Firefox wants to go its own way on this.

              Mozilla is accomplishing two goals here: 1) They’re probably making a ton of money from Cloudflare for handing over access to the browsing habits of millions of people, and 2) they’re laying the ground work for Silicon Valley to wrest control of DNS from end users. Why would they care? Because Silicon Valley has made it very clear that their intention is to manipulate the outcome of the 2020 American Presidential election. Under the guise of policing “hate speech” they do everything in their power to margina

              • I came here expecting to see more outrage like this and am surprised to see very little. Who could possibly believe a centralized internet is a good idea? I 100% agree with everything you said.

              • How tight is your tinfoil hat?

            • by FaxeTheCat ( 1394763 ) writes: on Sunday September 08, 2019 @11:36AM (#59171228)

              I guess I fell in a semantics trap… For all practical purposes it is a bypass.

              The problem is that applications now seem to have their own DoH settings (as there are no OS-wide DoH settings available). The problem with HTTPS is that organizations wanting to enforce the use of certain DNS and/or DoH servers lose the ability to do this due to the use of HTTPS.
              So to get control over DoH, organizations must block all known DoH servers to ensure that the company’s own DNS servers are used.

          • The browser does not bypass the local DNS servers. It uses a different protocol for resolution. So whatever DNS servers the OS uses, as long as you permit Firefox to use DoH (DNS over HTTPS), Firefox will use DoH, ignoring the OS DNS settings.

            doublespeak

            “language used to deceive usually through concealment or misrepresentation of truth”

        • by hawk ( 1151 ) writes:

          >And what happens when you want to use the DNS server of your VPN provider?

          Inconceivable!

          I have cox . . . *no-one* uses those unless they don’t know how to avoid them . . . 🙂

          hawk

      • Just drop all outgoing traffic to tcp port 853 and be done with it. No need to maintain a list of DNSoTLS servers.

      • by fahrbot-bot ( 874524 ) writes: on Sunday September 08, 2019 @01:41PM (#59171536)

        No. The problem is that this bypasses your DNS server, so you lose control over DNS.

        In addition, now your browser will be using one source for DNS and your system and other applications will be using a different one. Even though this *shouldn’t* make any difference, it’s not really ideal as now you could get two different behaviors.

        Remember: A person with one watch knows the time, a person with two is never sure.

    • Your nation’s police and ISP will not see as much as it did in the past for free over years of ISP logging.
      Unless in a 5 eye nation where the NSA and GCHQ will collect it all 🙂

  • Private DNS setting on mobile: 1dot1dot1dot1.cloudflare-dns.com

  • by La Gris ( 531858 ) writes: <lea@gris.noiraude@net> on Sunday September 08, 2019 @09:45AM (#59170910) Homepage

    Any reason that one could have more trust in Firefox’s HTTPS DNS resolvers, who can collect, alter or hijack DNS responses as much as any ISP’s or Google’s own DNS resolvers?

    Why is it an opt-out and not a default off option.

    I run my own DNS resolvers and cache that talks to the root DNS and my own internal network resolver for names to my LAN hosts.

    I just don’t like that 3rd-parties decide on my own good without getting my prior explicit and informed consent.

    • Firefox is at least open about it. Not all applications are.

      • That’s about as comforting as a thug telling me that he’s gonna mug me.

        • The thug is telling you that you can opt out of being mugged, you just have to say so.

          • I’m just going to not step in the giant pothole the first time, hey?

            The thug announced it ahead of time so I can ensure that there aren’t any left over instances of his weapon around.

          • Unless they’re actively informing you during the ‘mugging’ (since when has that ever happened and even if it had, most ppl click straight through) then all the thug has done is put out a press release that most victims won’t read or hear about.

          • The thug is telling you that you can opt out of being mugged, you just have to say so.

            From “The Daily Show” (and other sources): Did this dude just opt out of an armed robbery? [facebook.com]

      • Firefox is at least open about it. Not all applications are.

        At least Hitler was open about genocide. Not all despotic regimes are.

    • Re: (Score:2, Interesting)

      by guruevi ( 827432 ) writes:

      99% of the Internet has no clue what DNS even is, let alone set up their own resolvers.

      Even if you set up your own resolvers, if you don’t keep up with it, you should consider that they may be compromised.

      There is a real need to make sure everything goes over VPN for consumers, sure us high tech people may have our own solution but the number of hijacked cell phone poles and openWiFi AP is just too great. You should consider even your own Internet connection to be compromised at this point if you have any I

      • “Even if you set up your own resolvers, if you don’t keep up with it, you should consider that they may be compromised.”

        You sir, are an absolute idiot!

      • Even if you set up your own resolvers, if you don’t keep up with it, you should consider that they may be compromised.

        Good grief. Anything and everything “may be compromised”. This communicates nothing.

        Secondly so what? Assume your networks naming system is compromised. Like the underlying network identifiers resolved are themselves trustworthy so what difference does it really make from a security perspective?

        There is a real need to make sure everything goes over VPN for consumers

        Pure nonsense. VPNs are an answer to nothing.

        All VPNs do is push the same set of problems further out while creating additional opportunities for compromise.

        sure us high tech people may have our own solution but the number of hijacked cell phone poles and openWiFi AP is just too great.

        This is what end to end security is for. VPNs are NOT

        • Actually that is incorrect. The Internet is a completely trusted and trustworthy interconnection of networks that accomplishes exactly what it was designed to do in the manner in which is was designed (and built) to do.

          Your problem is likely that you are assuming design goals and processes that are not in evidence and were never intended — that you are conflating your “wishes and desires” with what actually exists — and that you are then assigning “trust” and evaluating “trustworthiness” based on your “w

    • by AmiMoJo ( 196126 ) writes: on Sunday September 08, 2019 @10:48AM (#59171078) Homepage Journal

      By default most people use their ISPs DNS servers. ISPs are generally neutral evil alignment, and in many countries are required by law to log DNS requests and hand them over on demand. They also get hit by lawsuits demanding that they corrupt their DNS databases to block access to certain sites.

      So for most people this is a massive privacy upgrade. Even if Mozilla was evil, they are likely far less evil than your ISP and also in less of a position to abuse the collected data.

      You can of course opt out or use your own preferred DNS servers, as always.

      • by La Gris ( 531858 ) writes: <lea@gris.noiraude@net> on Sunday September 08, 2019 @11:41AM (#59171240) Homepage

        What you call a massive privacy upgrade over exposing one’s DNS requests to one’s own country’s laws is more or less trading it for that of the Mozilla foundation’s own country’s laws.

        What I see instead, is a war between third-parties, over who will be first in the pipeline to collect data, while making it harder for the other third-parties down the line to do so.

        I think it is a bad move from the Mozilla foundation, with creepy red flags that they are fighting to be “The Internet”, because Google is fighting to be “The Internet”, because FaceBook, Microsoft and every other IT industry minions tried before.

        • Mozilla is using Cloudflare’s DNS servers. Obviously CloudFlare is literally Hitler because they booted off 8chan, but if we read their privacy policy for their DNS server they claim that they never save logs to disk and delete any logged data in less than 24 hours.

          Of course they may be lying, but it does mean that the actual DNS servers are located all around the world in different jurisdictions and at least, since Cloudflare has an extensive CDN.

          Currently there is zero evidence that Cloudflare sells that

          • by nyet ( 19118 ) writes:

            Ridiculously short sighted and ignorant sentiment.

          • , but if we read their privacy policy for their DNS server they claim that they never save logs to disk.

            There is no privacy policy. There is only a FAQ.

            There is no language in any public statement indicating data would not be saved to disk.

            and delete any logged data in less than 24 hours.

            They explicitly state data is permanently stored including:

            Total number of requests processed by each Cloudflare co-location facility
            Aggregate list of all domain names requested
            Samples of domain names queried along with the times of such queries

            Along with standard boilerplate allowances for law enforcement requests for “any tangible thing”.

            Currently there is zero evidence that Cloudflare sells that data to anyone. On the other hand ISPs are quite open about selling your data to the lowest bidder. In fact they tried to label Mozilla this year’s “internet villain” for introducing DoH.

            We know for a fact they will at t

      • By default most people use their ISPs DNS servers. ISPs are generally neutral evil alignment, and in many countries are required by law to log DNS requests and hand them over on demand. They also get hit by lawsuits demanding that they corrupt their DNS databases to block access to certain sites.

        The idea local ISPs are more evil than large scale centralization of everyone’s browsing history is backwards.

        Centralization creates an aggregation of power which reinforces corruption. Having everyone’s D.N.S in one place is more valuable to leverage than a decentralized model where ISPs of varying degrees of integrity may well keep and leverage the information yet with greatly diminished benefit as a result of lacking economy of scale.

        If you as an ISP go to Facebook and try and sell D.N.S history of your

      • Obviously you know nothing of which you speak.

        First of all, Mozilla does not operate the DNS-over-HTTPS endpoints.

        Those are run by a company called CloudFlare. CloudFlare is an American company. Currently these endpoints are located in the United States of America and are subject to control by CloudFlare and the United States government (and access by their spooks).

        These endpoints are not currently AnyCast, however they may be in the future. That means that the endpoints and the actual servers will, in a

    • Try any ISP? Trust your nations police who will collect it all in some nations?
      Have it pass into a nation like the USA with freedom of speech and freedom after speech.
      vs any nation who demands every approved ISP keep logs for years?
      Nations that want to ban web pages when the gov/big telcos say?
      Firefox might just get past all that nations level collection, filtering.
      Everyone can use the internet as if from the USA.
      Kind of like a VPN over what every ISP can log.

      • Try any ISP? Trust your nations police who will collect it all in some nations?

        I don’t trust anyone thank you very much. What does that have to do with the price of tea in China?

        Have it pass into a nation like the USA with freedom of speech and freedom after speech.
        vs any nation who demands every approved ISP keep logs for years?

        I do not know what planet you are from but on the planet I am living on the USA is quite the opposite of what you have described. The USA does not have “freedom of speech” nor does it have “freedom after speech”. It is the most corrupt hellhole bastion of corruption on the planet.

        Nations that want to ban web pages when the gov/big telcos say?

        I do not care what anyone else wants. They can get over it. They will get what I decide they can have and they will say thank-y

    • Re: (Score:3, Insightful)

      Any reason that one could have more trust in Firefox’s HTTPS DNS resolvers who can collect, alter hijack DNS response as much as any ISP’s or Google’s own DNS resolvers?

      They’re laying the foundations necessary to give themselves the power to censor your internet access. The freedom afforded to individuals by the Internet really burns the hide of people whose entire political philosophy is opposed to individual freedom. You, as a lowly citizen, are not qualified to decide what you will read, what videos you will watch, or what pictures you will view. Oh no. You need wise overlords to screen that content and filter out anything that your little mind can’t handle, for your ow

      • Actually it isn’t about censorship, but that they think they can make money off selling your browsing habits. People like money. Mozilla isn’t giving away software for fun.

      • “They’re laying the foundations necessary to give themselves the power to censor your internet access. The freedom afforded to individuals by the Internet really burns the hide of people whose entire political philosophy is opposed to individual freedom. You, as a lowly citizen, are not qualified to decide what you will read, what videos you will watch, or what pictures you will view. Oh no. You need wise overlords to screen that content and filter out anything that your little mind can’t handle, for your o

        • I guess you’ve been triggered by the mention of using Cloudflare’s DNS because they don’t want to be associated with neo-nazi mass murderers.

          I’ll bite, troll. The Cloudflare CEO backtracked on his word within 12 hours because his precious IPO was at risk. The problem here is the same problem with communism, it sounds great on paper, the first and maybe even second generation goes great for everyone, but then leadership changes. And they no longer see it the same way as the founders did. Now what do you do?

          In this case, Cloudflare would have all of your data for XX years. What if Cloudflare goes public? Or leadership changes like it

    • by tk77 ( 1774336 ) writes: on Sunday September 08, 2019 @11:28AM (#59171206)

      I run my own DNS resolvers and cache that talks to the root DNS and my own internal network resolver for names to my LAN hosts.

      I just don’t like that 3rd-parties decide on my own good without getting my prior explicit and informed consent.

      I’m concerned about this as well so decided to dig through Mozilla’s documentation. If i’m reading this right:

      https://support.mozilla.org/en… [mozilla.org]

      A canary domain, “use-application-dns.net”, can be configured in the DNS server to return NXDOMAIN, and this will trigger Firefox to not use DoH.

      • by nyet ( 19118 ) writes:

        Mod parent up, thanks.

        • Fascinating … if you look up that domain and whence it resolves you will see that it is a vast conspiracy by CloudFlare, Google, GitHub and Microsoft.

          All the more reason not to use it.

      • by vrt3 ( 62368 ) writes:

        Thanks, that’s really helpful.

        For those who use dnsmasq, add this to /etc/dnsmasq/dnsmasq.conf:

        # Force use-application-dns.net to NXDOMAIN in order to disable Firefox's DNS
        # over HTTPS
        address=/use-application-dns.net/

        • On Ubiquiti routers use the following to set the dnsmasq option:

          set service dns forwarding options address=/use-application-dns.net/

          probably the same for Vyatta but I don’t know for sure

      • by nyet ( 19118 ) writes:

        The point is this centralizes things even further. At least if it is by ISP, every single ISP has to be compromised (intentionally internally or externally maliciously).

        And what with the corporate MITM going on, TLS is completely useless anyway.

  • Lots of fun for people using VPNs, which many do when working remotely. I hope the opt-out is well documented and works

  • by FaxeTheCat ( 1394763 ) writes: on Sunday September 08, 2019 @09:51AM (#59170928)

    As many point out, this is bad for those wanting to control their DNS.

    An example is that many enterprises have control over what they want the users to access (one reason is to be able to quickly block malicious sites).
    The only way to do this is to block access to the DNS over HTTPS servers in firewalls or (ironically) on DNS.

    • enterprises also have local only dns for some sites that are not part of any pub dns

    • The only way to do this is to block access to the DNS over HTTPS servers in firewalls

      It’s impossible to distinguish DNS over HTTPS from regular HTTPS traffic.

      • That is correct.
        However, the most widely used DoH servers are known, and the DoH client must look them up using traditional DNS, so blocking (most of) them is relatively simple.

      • I believe GP said “block access to the DNS over HTTPS servers”. It’s trivially easy to block all access to the major DoH servers. You don’t even have to distinguish between DoH and any other https if you block those servers.

        If you did want to distinguish, even just the size of the request and response is a pretty darn good indicator. Starting there, you can then come up with more and more cover ways.

        • You don’t even have to distinguish between DoH and any other https if you block those servers.

          People aren’t stupid, though. If I want to run an unblockable DoH server, I just host it on Amazon AWS and set up a cron job to restart my server instance every couple of hours to get a new IP in the AWS IP space. Now the only way you’re every going to block access to my DoH server is to block the entire Amazon IP space from your network. Have fun with that.

          • So how are the clients going to find the DoH server if it has an arbitrary IP? Using DNS? We already blocked the DNS name.

      • It’s not. By default, Firefox will be using Cloudflare’s DNS-over-HTTPS implementation. You can block that quite simply with deny host 1.1.1.1 port tcp/443.

    • by tk77 ( 1774336 ) writes: on Sunday September 08, 2019 @12:24PM (#59171386)

      It looks like you can disable DoH for your network by returning NXDOMAIN for a specific canary domain (“use-application-dns.net”):

      https://support.mozilla.org/en… [mozilla.org]

      I’ve added this on my servers using binds reverse policy zone and adding an empty cname record for the canary domain.
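As an added illustration (my own code, not from this thread, Mozilla or Cloudflare), here is the canary check tk77 describes and that vrt3’s dnsmasq line produces: a client queries use-application-dns.net over plain DNS and treats an NXDOMAIN reply as “do not enable DoH”. The resolver replies are constructed in the script (no network), and the transaction-ID check and the sample address 192.0.2.10 are my assumptions, not anything the thread states.

```python
"""Decide whether the use-application-dns.net canary says "disable DoH".

Constructed example: a DNS query for the canary domain is built, then two
hand-built resolver replies (NXDOMAIN from a filtering resolver, NOERROR with
an A record from an unfiltered one) are parsed and the decision is applied.
"""
import struct

CANARY = "use-application-dns.net"
QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str = CANARY, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive query (flags 0x0100 = RD set) for name/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at msg[off:], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and answer RRs of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def canary_disables_doh(query: bytes, response: bytes) -> bool:
    """True when the resolver answers the canary query with NXDOMAIN.

    A reply whose transaction ID does not match the query is rejected rather
    than trusted (my assumption; a sane client should do this anyway).
    """
    qid = struct.unpack("!H", query[:2])[0]
    parsed = parse_response(response)
    if parsed["id"] != qid:
        raise ValueError("transaction ID mismatch; ignoring response")
    return parsed["rcode"] == RCODE_NXDOMAIN


def make_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Constructed resolver reply: echoes the question, sets RCODE, adds A records."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    rrs = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C = pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + rrs


# Constructed sample exchange: one query, two different resolvers' replies.
QUERY = build_query(0x1234)
NXDOMAIN_REPLY = make_response(QUERY, RCODE_NXDOMAIN)          # e.g. the dnsmasq address=/.../ rule
NOERROR_REPLY = make_response(QUERY, 0, a_records=["192.0.2.10"])  # placeholder TEST-NET address

if __name__ == "__main__":
    print("filtering resolver  -> disable DoH:", canary_disables_doh(QUERY, NXDOMAIN_REPLY))
    print("unfiltered resolver -> disable DoH:", canary_disables_doh(QUERY, NOERROR_REPLY))
```

Pointing the script at a live resolver (send QUERY over UDP port 53 and feed the reply to canary_disables_doh) is a quick way to verify that a dnsmasq or BIND canary rule actually produces NXDOMAIN before relying on it.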

    • The only way to do this is to block access to the DNS over HTTPS servers in firewalls or (ironically) on DNS.

      If you are a corporation and have access to the software installed on the computers, you can require that every browser have a certificate installed so you can read the traffic. This is also something you can do if you are a powerful government.

  • by Anonymous Coward writes: on Sunday September 08, 2019 @10:14AM (#59171000)

    about:config

    Change network.trr.mode to 5 (means never to use the DoH service)

    I also changed network.trr.uri from whatever url they had for it before to https://127.0.0.1/ [127.0.0.1]

    Documented here: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/ [mozilla.org]

  • A couple of my customer organizations are using Cisco Umbrella for blocking DNS requests to phishing and other dangerous domains. The idea is to provide lightweight security framework without having to snoop into end-user traffic too deeply.

    We have already notified them that DNS-over-HTTPS is going to cause a headache for them. Looks like the headaches are about to start. Sure, Firefox is open about it, but what about the next application down the line?

    I guess we’ll just block the list of public DNS-over-HT

    • I guess we’ll just block the list of public DNS-over-HTTPS resolvers.

      Good luck with that, since many of them are Docker images run on shared hosting in the same IP blocks as major CDNs. For example, Amazon AWS, Microsoft Azure, etc.

    • My organization uses Cisco Umbrella to block access to Gmail and such like. Firefox’s ability to configure an alternative DNS vs what’s set in the OS is a big win for me.

  • Mozilla Payday? (Score:3, Interesting)

    by OcCbXntZLeOg ( 6195574 ) writes: on Sunday September 08, 2019 @10:53AM (#59171100)

    I wonder how much Mozilla is getting paid by Cloudflare for the browsing data of millions of unsuspecting users. How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

    • How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

      Well that’s a lot of hyperbole. If you know enough to have a manual DNS configuration then you can check the relevant boxes to stop Firefox from using DoH. For everyone else, it’s a good increase in privacy.

    • vs a nation: with their telco, IPS, police, gov, mil in on every ISP log?

    • I wonder how much Mozilla is getting paid by Cloudflare for the browsing data of millions of unsuspecting users. How many people have their own DNS configuration specifically to avoid services that invade your privacy, only to have Mozilla hard-code DNS leaks into their browser?

      Excellent timing for Cloudflare’s IPO…

  • I updated to Firefox 69 yesterday. Out of curiosity, I browsed to the settings page, and I see that a “DNS over HTTPS” setting already appears there. And it is turned off.

    Does this mean that, at some point in the next month, the good Firefox folks will helpfully turn it on for me?

    • Yes. Every setting that you set in a fashion that is contrary to the “approved” setting is subject to be change at any time and without notice to you.

      Get used to it.

      • by nyet ( 19118 ) writes:

        Yep. They’ll find a bug in the complex option processing, and instead of fixing it, they’ll just disable the option. They’re that idiotic.

    • by nyet ( 19118 ) writes:

      Not only will they turn it on for you, the option will no longer even exist.

  • by ugen ( 93902 ) writes: on Sunday September 08, 2019 @11:21AM (#59171188)

    This might mess up DNS based load balancing / region selection, where results returned by DNS lookup depend on the source of DNS request. I don’t know how prevalent this is now vs. other kinds, but it’s a tool and a useful tool at that.

    Of course with many users pointing at 8.8.8.8 anyway, I don’t know if that’s a significant issue.

  • by PrimaryConsult ( 1546585 ) writes: on Sunday September 08, 2019 @11:35AM (#59171226)

    Firefox and Chrome seem to be playing a game of “hold my beer” of annoying decisions “for our own good”. Chrome takes away https://www/ [www] from the address bar, so I switch to Firefox. Now Firefox is overriding the system DNS server. I really don’t want to go back to Chrome but I also don’t want to have to look at the status of a checkbox every time Firefox updates. I am a lazy fuck and use the encrypted ‘cloud’ password store that both Chrome and Firefox offer, so going for Edge or more niche browsers isn’t really an option.

    • Brave.

      They haven’t cocked it up so badly you can’t disable the intrusive bits, yet.

      You’ll have to switch again in a year, but that’s been true since web browsers began.

    • Well, with Edge you do not have to worry about checking the settings. There are no user-settable parts inside!

    • 1: Chrome takes away “https://www/” from the address bar,
      2: Now Firefox is overriding the system DNS server.

      (1) Disable the following flags in Chrome to get this back:

      omnibox-ui-hide-steady-state-url-trivial-subdomains
      omnibox-ui-hide-steady-state-url-path-query-and-ref

      (2) Set the following “about:config” item in Firefox to disable this:

      Name: “network.trr.mode”
      Value: 5

      [See this post [slashdot.org] for more documentation on this Firefox setting.]

  • …Users will be given the option to opt-out, explains Mozilla’s official announcement…

    Good. But it really should be opt-in, not opt-out.

  • I see that the following config value uses a host name for the Trusted Recursive Resolver (TRR) URI.
    How is Firefox going to resolve that … regular DNS or something hard-coded? Either seems problematic.

    Name: “network.trr.uri”
    Value: “https://mozilla.cloudflare-dns.com/dns-query”

  • Pihole Ditto FF is not our old friend

  • by WaffleMonster ( 969671 ) writes: on Sunday September 08, 2019 @06:06PM (#59172174)

    Mozilla is a bunch of two faced liars.

    LIE: We care about your privacy not profits.

    REALITY: Firefox browser is constantly calling home for a patently absurd number of reasons that can’t be stopped without an equally absurd amount of effort.

    LIE: End user will benefit by Cloudflare hijacking everyone’s DNS.

    REALITY: Bypassing local DNS policy endangers end users in multiple ways:

    1. Non Internet names will now be leaked to Cloudflare
    2. DNS based filters installed on network to protect end users will be bypassed
    3. Cloudflare will have aggregated access to all users’ browsing history

    I would add this is very interesting timing given Cloudflare is as we speak actively in the late stage process of becoming a publicly traded corporation.

    No information is being kept from eavesdroppers they couldn’t get by inspecting IP header, SNI or cert ident. The idea local DNS operators are not trustworthy while large centralized providers are saints is obviously not a serious concept. It’s all doublespeak designed to make people feel good about being fucked over by yet another corporate power play.

    • REALITY: Firefox browser is constantly calling home for a patently absurd number of reasons that can’t be stopped without an equally absurd amount of effort.

      It really does phone home a ridiculous amount, but you can block most of it just by blocking DNS resolution for *.(mozilla|firefox).(com|net|org).

      …wait.

    • by Anonymous Coward writes:

      Yeah, same here. My in-house DNS server blocked it (thankfully.) I set up a block list based on blacklisted site information from mvps.org and pgl.yoyo.org This is exactly the kind of thing that would get through (against my express wishes and configuration) with this new DoH service. No thank you.

      • Yeah, same here. My in-house DNS server blocked it (thankfully.) I set up a block list based on blacklisted site information from mvps.org and pgl.yoyo.org This is exactly the kind of thing that would get through (against my express wishes and configuration) with this new DoH service. No thank you.

        So you’re an advanced user. That’s great, continue to be an advanced user and check the little checkbox to make firefox use the system DNS. And from the DoH wikipedia page:

        The Internet Watch Foundation and the Int

    • Hear Hear! But how will the proles know what is going on since their web browser won’t work to be able to read the story?

      That is the problem with the internet off switch. Before you can post that video on twit-twat that will save the world, you have to reboot the internet.
