Your thoughts on DNS-over-HTTPS as default

So apparently DoH is on its way to becoming a default setting in Firefox. Google is also following along. My concerns with this:

  • software (potentially malware) will be able to easily bypass network-level DNS filters and monitoring. This is an issue with DoH in general and not only related to browsers.

  • setting Cloudflare (or any other service, for that matter) as the default DNS for every browser instance is a step toward centralization, with huge privacy-related drawbacks. Configuring your own DoH-compatible DNS server is apparently not so easy.

I also use network-level dns filtering to block ads and trackers across all my devices.
What are your thoughts on this?

1 Like

Also Pi-hole has no plans for blocking DoH.

Home users can disable it if they use Pi-Hole, no problem.

Network admins, ISPs, and governments can disable it too, at least for now.

Ultimately I believe this is a good thing, and I strongly believe all network traffic should be encrypted. I would like to see more DNS providers offering DoH/DoT connections before it is made the default, and that choice should be easily configurable to the end-user: i.e. you should be able to go into your browser settings and select a DoH provider, rather than fiddle with about:config. I personally would also prefer DoT to DoH, but people are fairly divided on that subject.

2 Likes
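To make the "network admins can disable it" point concrete, here is an added example (written for this thread, not code from Pi-hole, Mozilla or any poster). It classifies outbound flow records from a home or corporate egress point into plain DNS to the sanctioned resolver, plain DNS that bypasses it, DNS-over-TLS (port 853) and likely DNS-over-HTTPS (TLS to a known public DoH endpoint). The resolver address 192.168.1.2, the flow records and the non-resolver IPs are constructed; the DoH host and IP lists are illustrative, not exhaustive. Port 53 and 853 traffic can be enforced with a firewall rule; DoH on 443 can only be spotted by destination, so that part is a heuristic that misses resolvers not on the list and cannot see a DoH server hosted behind a shared CDN address.

```python
"""Spot DNS that bypasses the network resolver (Pi-hole or similar)."""
from collections import Counter
from dataclasses import dataclass

# Assumed network: the Pi-hole at 192.168.1.2 is the only resolver clients
# should talk to (constructed address for this example).
SANCTIONED_RESOLVERS = {"192.168.1.2"}

# Illustrative, not exhaustive: public resolvers that answer DoH on the same
# hostnames/IPs they use for classic DNS.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    sni: str = ""   # TLS server_name, if the logger records it


def classify(flow: Flow) -> str:
    """One label per flow; only port 53/853 results are enforceable, 443 is a guess."""
    if flow.dport == 53:
        return "dns-sanctioned" if flow.dst in SANCTIONED_RESOLVERS else "dns-bypass"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot"
    if flow.dport == 443 and flow.proto == "tcp":
        if flow.sni.lower().rstrip(".") in KNOWN_DOH_HOSTS or flow.dst in KNOWN_DOH_IPS:
            return "doh-likely"
    return "other"


def report(flows):
    """Counts per class plus, per source host, which bypass kinds were seen."""
    counts = Counter()
    suspects = {}
    for flow in flows:
        label = classify(flow)
        counts[label] += 1
        if label in ("dns-bypass", "dot", "doh-likely"):
            suspects.setdefault(flow.src, set()).add(label)
    return counts, suspects


# Constructed sample flows (not real logs); non-resolver IPs are TEST-NET addresses.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.2", 53, "udp"),                 # normal: via the Pi-hole
    Flow("192.168.1.20", "198.51.100.7", 443, "tcp", "example.com"),  # ordinary HTTPS
    Flow("192.168.1.31", "8.8.8.8", 53, "udp"),                     # hard-coded resolver, skips the Pi-hole
    Flow("192.168.1.31", "1.1.1.1", 853, "tcp"),                    # DNS-over-TLS
    Flow("192.168.1.42", "203.0.113.10", 443, "tcp", "mozilla.cloudflare-dns.com"),  # browser DoH, SNI seen
    Flow("192.168.1.42", "1.1.1.1", 443, "tcp"),                    # DoH with no SNI logged, caught by IP
]

if __name__ == "__main__":
    counts, suspects = report(SAMPLE_FLOWS)
    print(dict(counts))
    for host, kinds in sorted(suspects.items()):
        print(f"{host}: {', '.join(sorted(kinds))}")
```

Running it lists 192.168.1.31 (plain DNS bypass plus DoT) and 192.168.1.42 (DoH) as hosts to look at. In practice the "dns-bypass" and "dot" classes are what a router can simply reject; the "doh-likely" class is what this thread is worried about, and the list-based check is the best a network-level filter can do without inspecting inside TLS.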

My concern is more with applications which will have DoH/DoT on by default, and will not permit me to disable it. I may not be able to block ads/trackers at all on some devices (very uncool).

My other main issue with this technology is centralization. Assuming at the moment Chrome uses system proxy settings for DNS, hardcoding Google’s DNS as default means Google will spy on half the world’s DNS requests. Yes, we will be able to change the provider, but practically speaking >99% will not.

I genuinely do not understand why this technology is considered better than what we already have. ISPs will not be able to spy on users, but tbh Google is not any better. Am I missing something here?

I genuinely do not understand why this technology is considered better than what we already have. ISPs will not be able to spy on users, but tbh Google is not any better. Am I missing something here?

To put it simply, from a security standpoint, it allows your DNS requests (I’m talking about classic IPv4/IPv6 ones) to not be intercepted by either a man-in-the-middle attack (like me being on the same public Wi-Fi as you) or your ISP (that’s technically a MitM attack too). With that, either monitoring which DNS requests you make or manipulating your DNS requests (a phishing attack for a MitM on your Wi-Fi, or censorship at your ISP, to talk only about those) can be done.
Making DNS requests over HTTPS (and not HTTP; it can be done, but it has the same issues I’ve talked about) or via TLS (another protocol whose details I personally don’t really know) resolves those issues.
Now, of course, your worries about hard-coded DNS queries are true (that’s already the case on Android systems, for example).
However, if you block, for example, Google connections:
“Oh no, this application that I’m gonna use has hard-coded the Google DoH in it!”
Application proceeds to connect to Google DNS → your DNS → X their hard-coded Google DNS.
The application can’t contact the designated DNS because it has been blocked by your DNS.

Problem solved, if your system itself completely redirects ALL traffic to the DNS of YOUR choice, or even if your router uses ONLY the DNS you have specified (apart from possible leak exploits that would be abused by those bad people, of course).

In the case of an unpatched Android, for example, it works like this:

“Oh no, this application that I’m gonna use has hard-coded the Google DoH in it!”

Application proceeds to connect to Google DNS → (your DNS is skipped) → their hard-coded Google DNS.
The application can contact the designated DNS because it has been excepted by your system, which manages DNS calls, despite being set up by the user to use their own DNS.
“AH-AH, I’M THE BAD APP, AND I’VE SENT THE MODEL OF YOUR EMULAT… wait, what?”
Well, jokes aside, that’s basically it.
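The mechanics described in the reply above, as an added example that is not part of the original post or any project's code: the message inside a DoH request is the ordinary DNS wire format that would otherwise travel in a UDP packet to port 53; DoH only wraps it in an HTTPS request (RFC 8484), and it is the TLS around it that hides the name from a Wi-Fi neighbour or the ISP. The resolver URL used is Mozilla's Cloudflare endpoint; the response body is constructed locally (example.com pointing at the TEST-NET address 192.0.2.1), so nothing is sent over the network.

```python
"""DNS-over-HTTPS (RFC 8484): build the GET request, parse the reply."""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a classic DNS query message (RFC 1035 wire format).

    RFC 8484 recommends transaction ID 0 so identical GET requests are
    cacheable; classic UDP DNS would use a random ID instead.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, message: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded message, padding stripped, in ?dns=."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_dns_param(dns_param: str) -> bytes:
    """Inverse of doh_get_url (what the server does): restore padding, decode."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_a_records(msg: bytes) -> list:
    """Parse a DNS response (the application/dns-message body) into A records."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


# Constructed sample response body (not captured from a real resolver):
# example.com A 192.0.2.1, TTL 3600, answer name compressed to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    query = build_query("example.com")
    # These same 29 bytes would be the UDP payload of a classic port-53 query.
    print(doh_get_url("https://mozilla.cloudflare-dns.com/dns-query", query))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The point to take from it: a Pi-hole or ISP resolver sees the 29-byte query in clear on port 53, while the DoH version is just another HTTPS request to the resolver's hostname; the name being looked up is only visible to the DoH provider, which is exactly the centralization worry raised earlier in the thread.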

The problem is simple!

1. How to turn off DoH in Firefox:

To turn DoH off in your Firefox, go to Settings -> Network Settings and untick the “Enable DNS over HTTPS” checkbox.

Alternatively, go to about:config in the address bar, search for network.trr.mode and set it to 5.

2. Use a VPN service that provides an encrypted DNS service.

Well, you can also configure Firefox with your own DoH provider settings instead of disabling it.
For ProtonVPN, they don’t seem to provide any DoH DNS.

On free servers it’s 10.8.0.1, on paid TCP it’s 10.7.7.1 and on paid UDP it’s 10.8.8.1.

So, I suppose they just encrypt DNS likewise. In that case, if you are using a VPN which doesn’t provide any DoH, it’s better to disable it.
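The two choices above (turn it off, or point Firefox at a resolver you trust) come down to one preference, network.trr.mode, plus the resolver URL. As an added example, not code from Mozilla or from anyone in this thread, the block below models which resolver actually answers a lookup under each mode (Mozilla's documented meanings: 0 off by default but subject to Mozilla's rollout, 2 DoH with fallback, 3 DoH only, 5 off by user choice; the old "race" mode 1 is left out) and emits the user.js lines for a single profile and the DNSOverHTTPS policies.json entry for a managed install. Returning NXDOMAIN for use-application-dns.net from the network resolver is what tells the rollout to leave DoH off, which is the hook a Pi-hole or corporate resolver uses. The resolver doh.example.net / 192.0.2.53 is an assumed placeholder.

```python
"""Firefox TRR (DNS-over-HTTPS) modes: which resolver answers, and the config lines."""
import json

OFF_DEFAULT, DOH_FIRST, DOH_ONLY, OFF_USER = 0, 2, 3, 5
CANARY_DOMAIN = "use-application-dns.net"  # NXDOMAIN here keeps the rollout off


def resolver_used(mode: int, doh_reachable: bool, rollout_enabled: bool = False,
                  canary_nxdomain: bool = False) -> str:
    """Return "doh", "native" or "fail" for one lookup under the given settings."""
    if mode == OFF_DEFAULT:
        # The canary only influences the automatic rollout; a mode 2 or 3 set
        # explicitly by the user is not affected by it.
        mode = DOH_FIRST if (rollout_enabled and not canary_nxdomain) else OFF_USER
    if mode == OFF_USER:
        return "native"
    if mode == DOH_FIRST:
        return "doh" if doh_reachable else "native"
    if mode == DOH_ONLY:
        return "doh" if doh_reachable else "fail"   # no fallback: outage breaks resolution
    raise ValueError(f"unsupported network.trr.mode {mode}")


def user_js(mode: int, doh_url: str = None, bootstrap_ip: str = None) -> str:
    """user.js lines for one profile, e.g. your own resolver instead of the bundled one."""
    lines = [f'user_pref("network.trr.mode", {mode});']
    if doh_url:
        lines.append(f'user_pref("network.trr.uri", "{doh_url}");')
    if bootstrap_ip:
        # IP of the DoH host, so Firefox need not ask the native resolver for it
        lines.append(f'user_pref("network.trr.bootstrapAddress", "{bootstrap_ip}");')
    return "\n".join(lines)


def policies(enabled: bool, provider_url: str = None, locked: bool = True) -> dict:
    """policies.json content (DNSOverHTTPS policy) for a managed/corporate install."""
    policy = {"Enabled": enabled, "Locked": locked}
    if provider_url:
        policy["ProviderURL"] = provider_url
    return {"policies": {"DNSOverHTTPS": policy}}


if __name__ == "__main__":
    # Assumed placeholder: a self-hosted DoH resolver at doh.example.net / 192.0.2.53
    print(user_js(DOH_ONLY, "https://doh.example.net/dns-query", "192.0.2.53"))
    print(json.dumps(policies(False), indent=2))  # corporate: off, and locked
    print(resolver_used(DOH_ONLY, doh_reachable=False))  # "fail": DoH-only has no fallback
```

Mode 3 is the one to pick if the goal is "never leak to the OS resolver", at the cost that a DoH outage breaks browsing; mode 2 keeps working but quietly falls back to whatever the network hands out, which is worth knowing when the VPN-only DNS setup above is the reason for turning DoH off in the first place.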

When it comes to the division:

the divided should heed your keyword - that of “choice”.

Big ‘right on’ Jonah!

Thanks for all the replies! Just a small clarification: my question was rather less about the technical side of DoH/DoT for a single user, and more about the general (possible) downsides of the technology, like possibly weaker network security in home or corporate environments and global-scale centralization of DNS services. I consider these topics important, and sadly I don’t see much discussion about them.

I did just give you the solutions for home and corporate networks to disable DoH by default in my other reply, so clearly Mozilla is considering these use-cases in their deployment.

However I fundamentally disagree with the idea that adding encryption to certain protocols is anything but a benefit for the general end-user.

I think malware has previously been able to do that already; however, it would have needed to invent its own version of DoH before there was an RFC, or ship a Tor instance, which some have done.

This is something I think DoT did better. I hope https://tools.ietf.org/id/draft-livingood-doh-implementation-risks-issues-03.html#Centralization will result in anything.

1 Like