Mozilla Firefox to force its own DNS?

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Mozilla Firefox to force its own DNS?

Post by barbaz »

https://www.theregister.co.uk/2018/03/2 ... y_worries/
This would actually be a disaster for my Internet privacy and security. It would bypass my DNS blacklist, making my browsing LESS secure and LESS private.

Can this be reliably killed with user.js? Or will I no longer be able to run current versions of Firefox even in VMs?

And on a somewhat related note, can dnsmasq be configured to do DNS-over-HTTPS if the upstream DNS server supports it?
*Always* check the changelogs BEFORE updating that important software!
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Mozilla Firefox to force its own DNS?

Post by GµårÐïåñ »

This kind of thing has always backfired, they would be better off partnering with and supporting open initiatives like OpenDNS instead. While COMODO still does their "secure dns", it backfired for them long ago and they stopped making it default, but now just give options for it in their services, which is still bothersome but at least not forced on people - ANYMORE. Although they have a crap load of other shady stuff they do that is annoying in the least and just outright anti-user in the extreme. Why Mozilla wants to follow the likes of Google, Comodo, Microsoft, et al down this path of anti-user behavior is mind-boggling. There are quicker ways of killing a brand and destroying user trust than slowly inching your way to the inevitable like people are too dumb to see it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Mozilla Firefox to force its own DNS?

Post by barbaz »

Thanks GµårÐïåñ for the feedback, but I'm not clear whether you're saying this can't be reliably killed by user.js?
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Mozilla Firefox to force its own DNS?

Post by Giorgio Maone »

This would be controlled through a preference, and is almost surely going to be opt-in: I'm just one among the many who raised concerns in the platform development mailing list.
The whole thread (which originated the article you've linked) is worth reading to put things in context.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Mozilla Firefox to force its own DNS?

Post by GµårÐïåñ »

barbaz wrote: Thanks GµårÐïåñ for the feedback, but I'm not clear whether you're saying this can't be reliably killed by user.js?
More than likely as Giorgio said, it will be controllable by an option/setting and certainly can be as such neutered using a `user.js` file but the fact is that the subset of the population who is going to know, do or modify this will be greatly less than the actual population who will go along with it. Of course if it becomes opt-in like Giorgio said and NEVER enabled by default (which such considerations change all the time with little notice to the users) then it should be safely ignored but we'll have to see how it looks in its final implementation. Also, keep in mind that often settings are changed behind the scenes with embedded plugins which means that it will open up the potential that since it is there as an option it can be modified without interaction or changed to something else altogether by a rogue addon or whatnot. Any time you add an option that can be exploited by simply existing, then you open the userbase up, that's my gripe with it mostly. The concern that Giorgio brings up in his comment in the group is the main reason why I have all recipe and experiments hard killed in my profiles, so if they ever decide to be stupid, as in the Mr Robot incident to name one, then I won't even have to get hit by it to begin with.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Mozilla Firefox to force its own DNS?

Post by barbaz »

Thanks to both of you for the replies, and thanks Giorgio for that link. Sounds like it's not actually using the DNS lookup data at this stage, so its current form likely wouldn't bypass my blacklist.

I think for now I'll just wait until we know more about the final implementation and which prefs will be involved, and in the meantime avoid Nightly just in case.
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Mozilla Firefox to force its own DNS?

Post by kukla »

This is disturbing news. FWIW, ever since ISP privacy protections for U.S. consumers were alarmingly removed last year, I have been using DNSCrypt.eu-nl (Netherlands), via dnscrypt-proxy in my Tomato flashed router for all my DNS lookups (that's the one I know about, but must be other ways to get this up and running.) Mostly fast and stable. Encrypted, non-logging, and keeps out ISP DNS snooping. Definitely in no need of Mozilla's "help" in this area. Could use OpenDNS, but even better DNS servers in Europe, where privacy is generally more respected.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Mozilla Firefox to force its own DNS?

Post by GµårÐïåñ »

That service is hosted by an individual and I am not saying it is bad, but it seems that it has had no activity since 2016 and currently many of its links are 404, just be careful using services unless you can vet them thoroughly. Many VPN services outright say they won't log anything but that is in more cases than not absolutely false.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Mozilla Firefox to force its own DNS?

Post by kukla »

GµårÐïåñ wrote: That service is hosted by an individual and I am not saying it is bad, but it seems that it has had no activity since 2016 and currently many of its links are 404, just be careful using services unless you can vet them thoroughly. Many VPN services outright say they won't log anything but that is in more cases than not absolutely false.
Sure, might not always take "non-logging" at absolute face value, but "hosted by an individual?" "No activity since 2016?" Where are you seeing this? This is what I find:

dnscrypt.eu-nl DNSCrypt.eu Holland Free, non-logged, uncensored. Hosted by RamNode. Netherlands....

https://github.com/dyne/dnscrypt-proxy/ ... olvers.csv

RamNode doesn't quite look like an "individual"

https://www.ramnode.com/about.php

https://clientarea.ramnode.com/announcements.php (latest 1/18)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:59.0) Gecko/20100101 Firefox/59.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Mozilla Firefox to force its own DNS?

Post by GµårÐïåñ »

DNSCrypt.eu = A free DNSSEC enabled, non-logged and uncensored DNSCrypt service by Simon Clausen = Individual
Hosting = RamNode = just a host, you host your site on GoDaddy that doesn't make you GoDaddy = "DNSCrypt.eu is operated by me, Simon Clausen."

You could do some research but again if you are happy with it, then go with it, no need to argue about it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Mozilla Firefox to force its own DNS?

Post by kukla »

Wasn't looking for an argument, just a bit concerned. Thanks for the information, will have to look more into this. Maybe switch to something else, since not sure I want to keep having all my DNS go through this guy.
Mozilla/5.0 (iPad; CPU OS 9_3_5 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13G36 Safari/601.1
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Mozilla Firefox to force its own DNS?

Post by GµårÐïåñ »

I reached out to them and straight from the horse's mouth:

Image
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Mozilla Firefox to force its own DNS?

Post by kukla »

GµårÐïåñ wrote: I reached out to them and straight from the horse's mouth:
First, thanks for looking into this. But can you perhaps provide some context? Can you say what you were asking when you "reached out to them"? And what is he referring to that is "just a bandaid?" If that refers to the current state of DNSCrypt.eu, how is that like a bandaid? Does this mean that running any of the DNSCrypt.eu are not "safe," whatever that would mean? He's saying that the site has been "neglected," but don't really know what the implications of that are for me. If it's only his "site," then what real-world impact would that necessarily have on the DNS resolver itself?

Is it possible to see this conversation? Is it on github, twitter?

If the solution to whatever is "just a bandaid" is to run dnscrypt-proxy v2 or SimpleDNSCrypt, I need to learn more about that, and if it is possible to run either out of the Tomato (Asus) router--the Tomato version (Shibby USB) a few years old by now: 1.28.0000 MIPSR2-132 K26 Max/Linux kernel 2.6.22.19 with Broadcom Wireless Driver 5.110.27.20012.

I could always switch back to OpenDNS, but not all that sure about that either.

As you can see, lots of questions. Plus research (mine) needed.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Mozilla Firefox to force its own DNS?

Post by GµårÐïåñ »

Sure, it's a public conversation, here you go https://twitter.com/GuardianMajor/statu ... 7417079813 have at it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Mozilla Firefox to force its own DNS?

Post by kukla »

I've read through that twitter conversation any number of times, but I'm only more confused. To the extent that I am able, I've tried checking out the references there to simple DNSCrypt and dnscrypt-proxy v2, among other things, which, at least to my uneducated eye, doesn't look like either can be installed in my Asus Tomato router, but which he might be saying are a needed replacement. Not sure of this, but they would seem to be appropriate for a client (Windows), not a router.

What should the takeaway be from the fact that his site, twitter account, and github are being neglected? Does this necessarily mean that the service itself, still working for me, is potentially compromised, unsafe (re. privacy or security) neglected in any way? An imperfect analogy: If someone allows thick weeds to grow on their overgrown front lawn, can one necessarily conclude that the interior of their house is also being neglected, in disrepair?

Still not understanding what the reference to "just a bandaid" is (btw, not seeing that part of the conversation in that twitter link you gave, even while logged in.) Unless I'm missing something, he doesn't appear to go into any detail there--I'm probably not seeing the full conversation. Can you say what you make of that? Does he mean that the version of DNSCrypt.eu which I'm currently using is "just a bandaid?" Or is he saying that fixing the links at his site that give 404s would just be a bandaid? (and wouldn't that mean that fixing those links would have no impact on the DNS service itself, that his site needs more than just those links being updated or removed?)

None of this is meant in the least to be argumentative, only asking for some advice. As you brought it up in the first place, and now that I'm a bit worried, I only want to know whether you think it's a good or bad bet to continue using his DNS resolver.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0