So #Mozilla is about to enable DoH by default for all US users:
I'm really happy with the idea behind DoH and the fact that we get properly secured client DNS, but at the same time I consider it a problem when this is all done through one vendor. DNS is one of the few systems that are still distributed right now, for both client resolvers and backend.
Maybe Mozilla just has to make sure that there are more vendors ready to work with #DoH before rolling out defaults?
@sheogorath Doesn't it seem normal for a vendor to try and get an edge over others by implementing a new key feature? Remember when Apple decided to block the Flash plug-in on iOS Safari, and everyone lost their shit? And now we're hard-pressed to find a browser that still runs Flash.
@aeveltstra But this was a vendor-internal decision. What we see here is Mozilla enabling a single vendor to possibly conduct mass surveillance. Happening or not, they are able to do that. Not that they wouldn't be without it, due to a large number of websites being hosted behind Cloudflare, but Mozilla gives an additional push there. Not sure if I should like that.
@sheogorath @aeveltstra IMO this entire idea is terrible. It results in your browser using a different DNS server than the rest of your machine; why would one want that?
It also provides another great centralization of core internet services. But the internet is decentralized by design and with very good reasons.
There are other ideas to encrypt DNS (DoT, DNS over TLS). In my opinion, DNS should not be a concern for a browser.
Yes and no. We have been waiting for encrypted DNS for decades now. Sadly not much happened on the OS side. This is why Mozilla and Google are taking action now on the browser side, as this is where they have the power to do so. If OS vendors had implemented something comparable 5 years ago, I don't think we would have this discussion now.
DoH is more attractive because there are prominent providers of DoH servers, which is of course the only reason why Mozilla would even consider such a move. It's no surprise that Google is offering a DoH service, and the same goes for Cloudflare.
Which distro provides DoT by default? I know Android added DoT support in Android 9.
But for regular Linux distros, I can't think of one that comes with a DoT resolver enabled by default (and at the end of the day, that's what matters).
And looking at the market browsers cover, even with all Linux desktops running DoT there are still Windows and macOS missing, which are huge user bases that seem to have no interest in DoT or similar.
Yes, that's a classic chicken-and-egg problem, just like with DKIM and other ideas which rely on the decentralized internet picking up a good idea. It's the centralization that's both an enabler and a problem.
From a dictatorship perspective DoH is bad news, because it's very hard to detect as it's just another HTTPS connection.
If you are a dictator, you don't want people to use DoH, not the other way around.
I talked about this with some people coming from countries with quite limited/non-free internet (at least compared to me) and they were more welcoming of DoH than being concerned about it.
Censoring regular DNS is trivial, DoH is a lot harder.
I'm not sure what you mean by forcing?
For regular DNS a rewrite of all requests is a trivial iptables rule in a middle box. For DoH every accessible web server that serves HTTPS (DoH doesn't allow plaintext HTTP for DNS in the current browser implementations) can also run a DoH resolver and therefore could maybe provide uncensored DNS.
@sheogorath @schaueho @aeveltstra I admit that technically I don't know how the DNS requests are encapsulated inside the HTTPS, but if a browser can enable DoH, and you said you can choose which DNS server to use, wouldn't it also be possible to force the browser to use a particular DNS server, without allowing the user to change it?
So, if the DoH implementation in Mozilla leads to a wide availability of DoH servers (even if they would in turn point to the currently available major ones), then the problem can go away.
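The question above about how a DNS request ends up inside HTTPS is answered by RFC 8484, and the following is an added worked example (not code posted by anyone in this thread) showing the encapsulation: the ordinary DNS wire format is either base64url-encoded into a `dns=` GET parameter or sent as a POST body with the `application/dns-message` media type, so on the wire it is indistinguishable from any other HTTPS request. The resolver URL `https://doh.example/dns-query` is a placeholder assumed for the example, and the "response" is constructed locally rather than fetched, so the block runs offline.

```python
"""
RFC 8484 DNS-over-HTTPS (DoH) encapsulation, worked through in Python.

A DoH message is the plain DNS wire format (RFC 1035) carried in an HTTPS
request: a GET with the query base64url-encoded (padding stripped) in the
"dns" parameter, or a POST whose body is the raw message with Content-Type
application/dns-message. A middlebox that redirects UDP/53 never sees it.
"""
import base64
import struct

# Placeholder resolver URL: an assumption for this example, not a real service.
DOH_URL = "https://doh.example/dns-query"

DNS_MESSAGE = "application/dns-message"
MAX_POINTER_HOPS = 16  # guard against compression-pointer loops in hostile replies


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a wire-format DNS query. RFC 8484 recommends txid 0 so that
    identical queries yield identical HTTP requests and can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(server_url: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server_url}?dns={encoded}"


def doh_post_request(server_url: str, query: bytes) -> dict:
    """POST form: raw DNS message as body, with the DoH media type."""
    return {
        "method": "POST",
        "url": server_url,
        "headers": {"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE},
        "body": query,
    }


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_response(msg: bytes) -> tuple:
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a DoH response body."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x0F, answers


def build_sample_response(query: bytes) -> bytes:
    """Constructed stand-in for a resolver reply (no network): echoes the
    question and answers with one A record for 192.0.2.1 (TEST-NET-1), using
    a compression pointer (0xC00C) back to the name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print("GET ", doh_get_url(DOH_URL, q))
    print("POST", doh_post_request(DOH_URL, q)["headers"])
    print("parsed:", parse_dns_response(build_sample_response(q)))
```

The pointer-hop limit in `_read_name` is there because a resolver you did not choose (the thread's concern about forced or hijacked servers) can return arbitrary bytes; a naive parser following a self-referencing compression pointer would spin forever. Nothing in the request itself identifies it as DNS beyond the path and media type, which is exactly why blocking DoH means blocking or terminating HTTPS rather than filtering port 53.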
@aeveltstra @sheogorath No. The root DNS servers know nothing about my querying my local DNS service provider. Also, the root servers are not centralized in the sense that they are owned or managed by a single company (cf. https://www.iana.org/domains/root/servers).
Okay, then you have IANA and ICANN. I guess it's fair to call this "centralized", too. And not everybody is happy with this or IANA / ICANN in general either, of course.
@schaueho @aeveltstra @sheogorath
There are alternatives to the current centrally managed DNS root: https://en.m.wikipedia.org/wiki/Alternative_DNS_root
Besides the death rate of these projects, most notably there is a Chinese one aimed at reclaiming sovereignty over that fundamental aspect of Internet architecture.
@aeveltstra @sheogorath The internet as a "bunch of services running atop TCP/IP" had for quite a while developed in a decentralized fashion. Think about email, Usenet, IRC, HTTP -- all decentralized.
I think we've seen a push towards centralized services in the last ten to 15 years, because Google and other similar big players offered a lot of value. I think we have in more recent time started to recognize the downside of this trend. I think it's time for federation again.
@sheogorath Understood. But isn't the point moot? Isn't the entire internet based on the 7 ARPA servers that originally made up its backbone?
@sheogorath TBH, I don't even get the fuss about why a browser would need to do DoH. It usually talks to a local DNS resolver, e.g. in your own router. So if a more secure DNS should be implemented, it would need to be there, not in your browser.
@marix Agreed. But we were waiting for this for around two decades now and it simply didn't happen. That's why Mozilla took action here, which is in general a good thing.
(Don't get me wrong, DoT, DNSCrypt and more exist, it's just implemented almost nowhere)
Encrypted DNS becomes more and more important due to global mass surveillance and censorship, as well as simply security from DNS hijacking "on the last mile".
@sheogorath it might on one hand cause problems, but it might also prove to be a bold move which gets something rolling.
What are your major concerns, that would stand against taking that risk?
@w4tsn Mainly Cloudflare as the currently only public resolver that will be enabled by default. We need more DoH providers on that list. Rolling out DoH with Cloudflare as the default for people around the world (not there yet) provides a very central point to surveil the pages they visit.
This whole situation is especially problematic due to the missing awareness of this ability among most people.
@sheogorath last time I heard, they want to do that.
AFAIK they are still searching for providers for Europe.
Also US-only for now.