On 4/12/20, Reco wrote:
> On Sun, Apr 12, 2020 at 12:35:44PM +0200, to...@tuxteam.de wrote:
>> On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
>> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
>> > > That's why I cringe at the idea that browsers want to start doing
>> > > name resolution over HTTPS.
>> >
>> > This simple one line of dnsmasq configuration will disable this
>> > problematic feature for good for Firefox (basically it creates a bogus
>> > NXDOMAIN response for this particular site):
>> >
>> > local=/use-application-dns.net/
>>
>> I don't quite understand [1] how the dnsmasq config has a say on
>> whether the browser resolves things over HTTP (it won't ask the
>> resolver in the first place, would it?), but thanks for the pointer
>> anyway.
>>
>> Cheers
>> [1] That's not a rhetorical flourish, it's genuine. I know too
>> little about DNS-over-HTTP to be of any use at this point.
>
> The questionable idea behind DOH is that the browser makers do not trust
> your local resolver.
Mozilla claims it's a privacy issue:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https

  Benefits
  DoH improves privacy by hiding domain name lookups from someone lurking
  on public WiFi, your ISP, or anyone else on your local network. DoH,
  when enabled, ensures that your ISP cannot collect and sell personal
  information related to your browsing behavior.

Although I suspect "cannot" should be changed to "has a slightly harder
time to".

> As usual, main arguments here are:
>
> 1) One can use a local resolver with the ability *not* to resolve
> certain DNS queries, which refer to the sites which just happen to
> contain advertisements, fingerprinting, tracking, cryptomining etc.
> Since both major browser makers (Google and Mozilla) happen to rely
> on revenue generated by advertising *and* users' browsing habits this
> obviously cannot be tolerated.

Wasn't there a fairly recent kerfuffle about an upcoming change to
Chrome that would break things like the uMatrix addon?

hrmm... ok, found it
https://bugs.chromium.org/p/chromium/issues/detail?id=896897&desc=2#c23

  If this (quite limited) declarativeNetRequest API ends up being the
  only way content blockers can accomplish their duty, this essentially
  means that two content blockers I have maintained for years, uBlock
  Origin ("uBO") and uMatrix, can no longer exist.

If Firefox wasn't a viable alternative to Chrome, what are the chances
that change would have been implemented?

> 2) ISPs can intercept DNS queries, and modify them at their leisure.
> Usually considered a first step to censorship, implemented in this
> particular form in certain European countries.

Along with: ISPs can monitor DNS queries and sell the info.
https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data

  Ellen Canale, director of corporate communications at Mozilla, wrote
  in an email, "This is part of a pretty aggressive campaign we've seen
  from the ISPs to protect their control over DNS traffic and the
  tracking opportunities it provides them."

> 3) Bad guys and gals can hijack DNS too, with the usual hilarious results.

And the bad guys and gals can use DOH to "hide" their traffic and
circumvent things like pihole. I just did a quick search and couldn't
find anything for smart TVs using DOH. Probably because my search
skillz sux :(

> With the advent of HTTPS all this may be seen as moot points (if you're
> redirected elsewhere the certificate validation should fail), but
> nevertheless DOH is forced upon the collective throat of Firefox users
> as we speak (and Chrome users are likely to follow them Soon™).
> Currently a Firefox user is supposed to trust Cloudflare to do DNS
> queries for them, and HTTPS is used for this purpose because Security™.

For some values of "security", DOH _is_ more secure. How many people use
a DNSSEC-validating resolver? At least Cloudflare resolvers have DNSSEC
enabled. ^shrug^ there are lots of trade-offs to be made in this area.

I'm certainly not a fan of DOH and I do my best to block it on my
network. I just think there are some privacy/security arguments for DOH
that you're minimizing.

Regards,
Lee
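As an added example that is not part of any message in this thread, here is what the `local=/use-application-dns.net/` line quoted above actually does from the browser's side. Firefox decides whether to turn its DoH default off by resolving the canary name use-application-dns.net through the ordinary system resolver; per Mozilla's canary-domain documentation, either an NXDOMAIN reply (what Reco's dnsmasq line produces) or a NOERROR reply with no A/AAAA records makes Firefox stay on the local resolver. The script builds that query in DNS wire format, parses a reply, and applies the rule to two replies constructed inline: one from an unfiltered resolver and one from dnsmasq with the canary marked local. The `query_resolver` helper, which sends the same query to a real resolver (127.0.0.1 assumed), is there for checking your own network and is not exercised by the inline samples.

```python
"""Check a DNS reply for use-application-dns.net the way Firefox's
canary heuristic does: NXDOMAIN, or NOERROR with no A/AAAA answers,
means Firefox will not enable DoH on its own.  The replies below are
constructed in this file; nothing here contacts the network unless
query_resolver() is called explicitly."""
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1
HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length out of range")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) with a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_reply(query: bytes, rcode: int, addresses=()) -> bytes:
    """Constructed reply for the sample runs: echoes the question, sets
    QR/RD/RA plus the given rcode, and appends one A record per IPv4
    address using a compression pointer (0xC00C) back to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[HEADER_LEN:]
    flags = 0x8180 | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4) + rdata
    return header + question + answers


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_reply(msg: bytes) -> dict:
    """Return rcode and how many A/AAAA records sit in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    off = HEADER_LEN
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # qtype + qclass
    addr_records = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in (TYPE_A, TYPE_AAAA):
            addr_records += 1
    return {"id": txid, "rcode": flags & 0x0F, "answers": an,
            "addr_records": addr_records}


def canary_disables_doh(reply: bytes) -> bool:
    """Mozilla's rule: NXDOMAIN, or NOERROR carrying no A/AAAA, disables DoH."""
    info = parse_reply(reply)
    if info["rcode"] == RCODE_NXDOMAIN:
        return True
    return info["rcode"] == RCODE_NOERROR and info["addr_records"] == 0


def query_resolver(server: str = "127.0.0.1", port: int = 53,
                   timeout: float = 2.0) -> bytes:
    """Send the canary query to a real resolver over UDP (assumed address;
    only for checking your own network, not used by the samples below)."""
    import socket
    q = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, port))
        reply, _ = sock.recvfrom(512)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return reply


QUERY = build_query(CANARY)
# Constructed: an unfiltered resolver answers with an address (DoH stays on).
REPLY_UNFILTERED = build_reply(QUERY, RCODE_NOERROR, ["192.0.2.1"])
# Constructed: dnsmasq with local=/use-application-dns.net/ answers NXDOMAIN.
REPLY_DNSMASQ = build_reply(QUERY, RCODE_NXDOMAIN)

if __name__ == "__main__":
    for label, reply in (("unfiltered", REPLY_UNFILTERED), ("dnsmasq", REPLY_DNSMASQ)):
        print(label, parse_reply(reply), "disables DoH:", canary_disables_doh(reply))
```

The point for the thread's earlier question ("it won't ask the resolver in the first place, would it?") is that Firefox asks the system resolver exactly once, for this one name, before deciding; the dnsmasq line only has to win that single lookup. Note the same rule also treats an empty NOERROR answer as "disable", so a resolver that filters by returning no records rather than NXDOMAIN works too.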