
How to Enable DNS-over-HTTPS in Firefox

269 points| smacktoward | 6 years ago |zdnet.com | reply

197 comments

[+] dimkr1|6 years ago|reply
Or, you can use https://github.com/dimkr/nss-tls - everything that uses gethostbyname(), addrinfo(), etc', including Firefox with network.trr.mode set to DNS, will use DoH
[+] krispbyte|6 years ago|reply
Why is this supported at the application level instead of the OS? So other tools like ping or nslookup can use it too.
[+] detaro|6 years ago|reply
Because applications can't ship OS level support, but want to experiment with it and add it now. That doesn't mean OS-level support can't be a thing, but it's a different level (waiting until the OS vendor gets around to it, or users explicitly installing and setting up tools for it)
[+] the_angry_angel|6 years ago|reply
This is my beef with (my understanding maybe incomplete, in which case I apologise) the implementation.

Internal DNS, split brain DNS aren’t catered for without disabling support? I don’t want my internal names leaking to the internet, nor necessarily are they the same for external resolvers. Now yes the latter is a hack, but it’s one widely used still today.

The idea is laudable. But it feels hostile. I can disable support, but for how long?

[+] 3xblah|6 years ago|reply
Here is an example of how one can use DOH "like ping or nslookup". This example uses HTTP POST and cloudflare-dns. Maybe check out "stubby" for "OS-level" DOH. Currently I think it only does DOT but future plans are for DOH.

  test $# = 1 || exec echo usage: $0 query

  # requirements: sed, wc, xxd, openssl, ldns, drill
  # reference: https://tools.ietf.org/html/rfc8484#section-4.1

  # size of the wire-format query in bytes (wc -c rather than -m: Content-Length counts bytes, not characters)
  a=$(drill -q /dev/stdout $1 | sed '1,2d;s/;.*//;s/ //g' | xxd -p -r | wc -c)

  # Hand-built HTTP/1.1 POST (the Accept header is "*/*") followed by the raw query;
  # 3s/..../0001/ rewrites the first four hex digits on line 3 of drill's dump.
  # The request goes over TLS via openssl s_client; the last line of its output is
  # the DNS answer, which drill turns back into readable text.
  (printf "POST /dns-query HTTP/1.1\r\nHost: cloudflare-dns.com\r\nAccept: */*\r\nContent-Type: application/dns-message\r\nConnection: close\r\nContent-Length: $a\r\n\r\n";
   drill -q /dev/stdout $1 | sed '1,2d;s/;.*//;s/ //g;3s/..../0001/' | xxd -p -r) |
  openssl s_client -no_tls1 -no_tls1_1 -no_ssl2 -no_ssl3 -ign_eof -no_ticket -host cloudflare-dns.com -port 443 -servername 1.1.1.1 |
  sed -n '$p' | xxd -p | drill -i /dev/stdin | sed '/^;; Data: \\#/d'
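Added example, not code from the thread or from any project mentioned in it: a Python version of what the shell pipeline above assembles by hand, the RFC 8484 POST with a wire-format DNS message, plus the response parser so the decoding side can be exercised on a constructed sample without touching the network. The resolver name cloudflare-dns.com and the /dns-query path come from the comment above; every function name, the sample answer (example.com at 192.0.2.1, a documentation address) and the choice to send the RFC's `Accept: application/dns-message` rather than `*/*` are this example's own.

```python
import http.client
import struct

DOH_HOST = "cloudflare-dns.com"   # resolver used by the shell pipeline above
DOH_PATH = "/dns-query"
CONTENT_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """12-byte header plus one IN question. RFC 8484 s.4.1 says the ID
    SHOULD be 0 so identical queries produce identical, cacheable bodies."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_http_post(msg: bytes) -> bytes:
    """The raw HTTP/1.1 request the shell example assembles with printf."""
    head = (
        f"POST {DOH_PATH} HTTP/1.1\r\n"
        f"Host: {DOH_HOST}\r\n"
        f"Accept: {CONTENT_TYPE}\r\n"
        f"Content-Type: {CONTENT_TYPE}\r\n"
        "Connection: close\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return head.encode("ascii") + msg


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                       # resume after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes):
    """Return (rcode, [(name, type, ttl, value), ...]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


def send_query(msg: bytes) -> bytes:
    """Network path (not exercised offline): POST the message and insist on a
    200 with the right Content-Type before handing the body to the parser."""
    conn = http.client.HTTPSConnection(DOH_HOST, 443, timeout=5)
    conn.request("POST", DOH_PATH, body=msg,
                 headers={"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE})
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200 or resp.getheader("Content-Type") != CONTENT_TYPE:
        raise RuntimeError(f"unexpected reply: {resp.status} {resp.getheader('Content-Type')}")
    return body


# Constructed sample answer (not captured from any server): example.com A 192.0.2.1
# (192.0.2.0/24 is a documentation range), with the owner name compressed to a pointer.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
```

`parse_response(send_query(build_query("example.com")))` is the live equivalent of the pipeline; the status and Content-Type check in `send_query` is the one thing the openssl/sed version cannot do, since it blindly takes the last line of whatever came back.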
[+] dimkr1|6 years ago|reply
Because the OS (getaddrinfo(), gethostbyname(), etc') doesn't implement DoH; it implements a /etc/hosts parser and a DNS (over UDP) client.

I wrote a glibc plugin that implements a caching DoH client for glibc, which can replace the DNS client or fall back to it - https://github.com/dimkr/nss-tls.

[+] snek|6 years ago|reply
This article got the trr.mode key slightly wrong

0 - Default (will be one of the below options, right now it happens to be 5)

1 - Race regular DNS and DoH, use whichever one responds first

2 - Try DoH, use regular DNS if DoH fails

3 - Use DoH, regular DNS is disabled entirely

4 - unused

5 - DoH is fully disabled, always use regular DNS

[+] the_pwner224|6 years ago|reply
I recall reading on a Mozilla blog that 0 is 'default'; right now TRR is disabled but eventually it will be enabled by default. If you want to disable it you should explicitly set it to 5, so that a future update does not enable it.
[+] stevekemp|6 years ago|reply
I enabled DNS over HTTPs in the recent past, and was very happy with it. Until I came to test a staging-version of a website and discovered that updating `/etc/hosts` to change the IP of the given name no longer worked.

It took me an embarrassingly long time to realise I was still visiting the production site.

[+] ShinTakuya|6 years ago|reply
Using the hosts file to visit a staging environment is a gross practice anyway. Just make the domain configurable in your code and either put the IP directly or make some subdomain (or better yet, separate domain) redirect to it.
[+] plg|6 years ago|reply
My Pi-hole is set up to do encrypted DNS. Advantage: every device on my home network automatically benefits from this.
[+] xjay|6 years ago|reply
That is, until software on any of these devices starts running its DNS queries through DoH directly, circumventing any DNS filtering at the perimeter.

This is what browsers, like Firefox, are likely to do as it stands today.

[+] noncoml|6 years ago|reply
So instead of getting spied, blocked, tampered, etc. by your ISP you are getting spied by Cloudflare? We didn’t solve the problem, just shifted it..
[+] kodachi|6 years ago|reply
I was thinking for a while to do more networking security at home, from basic stuff like a guest's wifi, to white-listing content and ports. How much time did it take you to set up Pi-hole to your liking?
[+] ignoramous|6 years ago|reply
Opera comes with a free VPN (which does collect as much data as it can), and I think, Firefox is primed to move in that direction, as well. Given how they already have a partnership for DoH, they might extend it for Warp, which might be great if they do it in a privacy-oriented way and do right by their users. Esp, as more and more govts censor the Internet and ISPs turn into trackers the need for Firefox to be the thorn in the neck of powers-that-be is ever more important.
[+] theturtletalks|6 years ago|reply
If Firefox included a built-in VPN, they could increase their market share substantially. As long as they keep privacy a priority, they can give Chrome solid competition.
[+] aasasd|6 years ago|reply
FF is planning to add a paid VPN as a partnership. It will be a non-free, paid feature―possibly in a separate paid version of the browser (not sure if they really plan to make a whole separate FF).

It was in the news about a week ago.

[+] floatingatoll|6 years ago|reply
I hesitate to rain on a positive parade, but..

Keep in mind when enabling features ahead of widespread release in software, that obvious and/or non-obvious things are more likely to break when you do so than if you wait until it’s enabled for you.

This goes double for users on the Release channel of software rather than the Beta/Nightly/Canary/Whatever channel, since it takes weeks or months to fix problems.

I’m not saying “don’t”, but I am saying “be prepared to encounter self-inflicted issues”. The tendency is to blame the issues and the frustration of tracking down their cause on the software developer. Keep notes about what you enable, so you can try disabling it and see if that fixes it. Report bugs you find, and don’t panic if they’re known and/or unsolved.

[+] o-__-o|6 years ago|reply
such as expecting an application (not OS) based DNS resolver to react to /etc/hosts changes...
[+] SimeVidas|6 years ago|reply
PSA Firefox Nightly is very stable (with occasional breakage on some websites). It has the latest features, including a convenient checkbox for DoH:

https://i.imgur.com/NhifLq5.png

[+] blitmap|6 years ago|reply
I don't know how I've improved the situation going from Chrome to Firefox and then to Firefox Nightly:

I wish Mozilla put efforts toward preserving settings and not reinstalling search providers one has purposefully removed. I understand that by using Nightly I cannot expect what a general user expects, but this problem exists in all browsers. I consider it user-hostile behavior that more emphasis isn't taken to preserve settings. Oh a new update? Clearly you want us to sync everything instead of just the few things you selected. Let's revert it all to defaults.

I also understand how settings are stored (the backend format) might change between minor or major versions. Sometimes factory defaults need to be reinstated - but it should be very fucking clear (with a notification) that the user should go review settings that have changed/reverted. And this cannot be a banner that shows every time an update applies. Give the user some transparency.

On Chrome when I ask it to preserve my previous session it preserves just that session's browsing history. This history is forgotten if I make a point to close all tabs and end the session. On Firefox I must save all history to be able to 'restore the current session'. Wish we had more control over this.

You can't disable Firefox from checking for updates (I wish this could be left to package managers on some systems). I understand but I don't want to be nagged. You can make Firefox ask you, but it will check nonetheless.

Why the fuck would I want "Recommend features as I browse?" or "Recommend extensions as I browse?" I hate being advertised to.

"Warn you about unwanted and uncommon software" - who is making this determination? Who is Firefox talking to about what I download?

I wish I could sync settings, open tabs, addresses, history, etc - to a simple archive on close or periodically. No online service to sync against with another account I have to worry about.

Sucks that in hotels Firefox determines if there's a captive portal in effect by querying a Mozilla-hosted site (detectportal.firefox.com).

Blah.

[+] foleac|6 years ago|reply
For me this option is already available in the latest stable version of Firefox (67.0.4). I found it in "connection settings".
[+] johnklos|6 years ago|reply
I wonder how long it'll be before Firefox comes with it enabled by default. It seems that they're going to do it regardless of the loss of control implications to end users.
[+] userbinator|6 years ago|reply
It seems that they're going to do it regardless of the loss of control implications to end users.

That seems to be a common trend these days --- ignore what they want, claim that it's "for their safety/security/privacy/whatever", and gradually remove options for configurability.

In particular, this sort of "overstepping the boundaries" is unfortunately getting more popular, and IMHO it's rather disturbing that browsers have gone in this direction; software should follow the system defaults/configuration whatever they are. Yes, the platform could be compromised or otherwise not to your liking. That's not your problem, Mozilla!

(I run everything on my network through a filtering proxy. These attempts to subvert it are definitely not welcome.)

[+] LogicX|6 years ago|reply
FWIW, there's a standard being developed to allow network admins to maintain control over DNS on their networks, even after this is enabled.
[+] mlrhazi|6 years ago|reply
I saw somewhere that this can be enabled in Chrome from chrome://flags/, but I can't seem to find it in mine, v75 on Mac. Was it removed from recent versions?
[+] judge2020|6 years ago|reply
A chromium project called Bromite exposes this flag[0], but I don't think it's ever been available on Desktop versions of Chrome (probably due to the likelihood of Schools, Enterprises, etc. getting mad if a user uses it to circumvent DNS blocks).

As per a comment by Eric [unknown surname] at Microsoft here[1], you can enable it on desktop chrome by adding the following to your chrome launch options:

    --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"
This can easily be done persistently via Windows, but I'm not sure what it would take on Mac. The official Chromium guide for starting with launch options[2] only recommends opening terminal every time, which would mean it can't easily be run on each launch with the shortcut/dock icon.

0: https://github.com/bromite/bromite/wiki/Enabling-DNS-over-HT...

1: https://crbug.com/799753#c8

2: https://www.chromium.org/developers/how-tos/run-chromium-wit...

[+] needle0|6 years ago|reply
Is there any way to enable DoH by default but exclude certain domains that are managed by a local DNS server? (eg. intranet domains?)
[+] bzbarsky|6 years ago|reply
In Firefox? Yes. Set the "network.trr.excluded-domains" pref in about:config to a comma-separated list of the things you want to exclude.
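The excluded-domains idea in the reply above, as an added example (not Firefox code and not from the thread): a check that sends a name matching an excluded entry, or any subdomain of one, to the local resolver and everything else to DoH. Only the pref name comes from the comment; the matching rules, including treating dotless single-label names as local, are this example's own assumptions, so consult Firefox's documentation for the pref's exact semantics.

```python
def parse_excluded(pref_value: str) -> list:
    """Turn a comma-separated pref value into normalised suffixes
    (lower-cased, surrounding whitespace and trailing dot removed)."""
    return [e.strip().lower().rstrip(".") for e in pref_value.split(",") if e.strip()]


def is_excluded(hostname: str, excluded: list) -> bool:
    """True if hostname equals an entry or is a subdomain of it. The match is
    made on label boundaries so that 'corp.example' does not capture
    'notcorp.example', which a plain endswith() would do."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in excluded)


def choose_resolver(hostname: str, excluded: list) -> str:
    """'local' for excluded names and for dotless intranet short names,
    'doh' for everything else (the single-label rule is this example's
    own policy, not a documented Firefox behaviour)."""
    if "." not in hostname.rstrip(".") or is_excluded(hostname, excluded):
        return "local"
    return "doh"
```

With an excluded list of `corp.example, lab.internal.`, `wiki.corp.example` and the bare `printer` stay on the local resolver while `notcorp.example` and `www.example.com` go out over DoH; the trailing-dot and case handling is what keeps a split-horizon zone from leaking just because a name was typed slightly differently.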
[+] rmdoss|6 years ago|reply
Not from my experience. That's why I had to disable DoH locally.
[+] ChuckMcM|6 years ago|reply
Set up your own DoH server that uses your DNS server as a proxy.
[+] josteink|6 years ago|reply
A heroic, but misguided effort.

DNS should be provided by the OS, and not reimplemented in every application running on top of it.

[+] jbverschoor|6 years ago|reply
While true, the OS will contain less and less functionality. Which is funny because on one hand we want to have less dependencies, and on the other hand we have microservices for everything.

Developers going the sysop direction of services; sysops going the developer way of statically linking.

[+] philo23|6 years ago|reply
After that ISP award thing came out it finally convinced me to look into DoH and give it a go. So I ended up setting up a Pi Hole this weekend running a local DoH-to-DNS proxy and then changing the DNS settings on my router to point to the Pi Hole. This also means my hosts file continues to work if I need it, and all* the programs running on my PC are transparently going through DoH without them being any the wiser.

The setup was a little bit fiddly to get going, but I'm now super happy with it. As a sidenote, it was interesting to see how effective uBlock Origin already was because I thought the Pi Hole's blacklists weren't working at first!

*I imagine I'm not catching every single one of the DNS lookups on my network, but I bet it's now a large percentage of them.

[+] redder2|6 years ago|reply
TLTR: Question: To what do I set network.trr.bootstrapAddress for https://doh.appliedprivacy.net/query?

I am confused. The guide tells me to set:

network.trr.uri

But Foundation for Applied Privacy sounds nice and I want to force DNS over HTTPS. The site specifically tells me to use the Firefox setting page https://appliedprivacy.net/services/dns/ but that sets network.trr.custom_uri not network.trr.uri so what's the difference? And it also tells me that I have to set the network.trr.bootstrapAddress but does not tell you to what in case I missed something.

[+] m-p-3|6 years ago|reply
I tried to do it on Firefox Mobile (Android) through about:config but it didn't seem to work. Any idea why, without using an app like Intra?
[+] wst_|6 years ago|reply
Using stable Firefox 67.0.4 64-bit and this is right there on the options page in General/Network settings. Truth be told, it will set network.trr.mode to 2, which falls back to normal DNS if anything is wrong, but nonetheless it's there.
[+] beezle|6 years ago|reply
I understand how DOH can help prevent DNS spoofing, but I really don't understand the privacy claims. Are not outbound connections, http or https, known by the ISP? Or is the assumption that the world is all behind a proxy like Cloudflare?
[+] tus88|6 years ago|reply
Could something like Pi-hole intercept all DNS and send it over a VPN or something, while providing a local DNS cache? Seems unnecessary to wait for all software to support it natively.

Edit: Apparently they already thought of this and it's a feature!

[+] DavideNL|6 years ago|reply
I think it's kind of strange that they are planning to enable DOH by default;

Your ISP can see all connections/ip addresses you connect to regardless of whether you use your ISP's DNS servers or not. So, in the end by using DOH in Firefox (= Cloudflare's DNS by default) you're just sharing your internet history with yet another third party.

This may be beneficial for some people where ISPs mess with DNS resolving, but for many other people it's actually a regression in privacy (especially if you live in a country that has higher privacy standards/laws than the US.)

[+] ziegeer|6 years ago|reply
An IP address is not always as telling as the DNS name of what you're connecting to. E.g. I may be connecting to a CDN like CloudFlare for content over HTTPS and my ISP will have no idea what I'm doing. But if I used the DNS name that refers to that content it would likely be more obvious in many cases.
[+] DanBC|6 years ago|reply
> This may be beneficial for some people where ISPs mess with DNS resolving

This includes most people in the UK.