DNS over HTTPS

StuartR
Administrator
Posts: 11446
Joined: 16 Jan 2010, 15:49
Location: London, Europe

DNS over HTTPS

Post by StuartR »

Firefox has the ability to do DNS lookups using HTTPS, which provides additional privacy by hiding your DNS lookups from your ISP so they don't know what web sites you are looking up.

This will be enabled by default in most countries. If you're in the UK then you may want to manually enable this, as the government is worried that it will stop them spying on your web browsing!

Mozilla: No plans to enable DNS-over-HTTPS by default in the UK
StuartR
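
Added example (editor's code, not from any post in this thread) of what a DoH lookup looks like on the wire: the DNS query is the ordinary RFC 1035 message, just carried inside an HTTPS request as RFC 8484 describes, so the ISP only sees a TLS connection to the resolver. The resolver URL https://doh.example/dns-query and the answer bytes are made up for the example.

```python
import base64
import struct

# Hypothetical resolver endpoint, standing in for whatever network.trr.uri points at.
RESOLVER_URI = "https://doh.example/dns-query"
QTYPE_A = 1


def build_query(name, qtype=QTYPE_A):
    """Serialise a standard DNS query message (RFC 1035 wire format).

    RFC 8484 recommends ID 0 so identical queries produce identical bytes,
    which lets HTTP caches in front of the resolver work."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qd, an, ns, ar
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # qtype, qclass IN


def doh_get_url(name, resolver_uri=RESOLVER_URI, qtype=QTYPE_A):
    """The DoH GET form: base64url (no padding) of the DNS message in ?dns=."""
    wire = build_query(name, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_uri}?dns={encoded}"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            hops += 1
            if hops > 10:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, [(name, ttl, ipv4)]) for the A records in a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x000F, answers


# Constructed response, as a resolver would return it in an HTTP 200 body with
# Content-Type: application/dns-message (the address is a documentation-range one).
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

RFC 8484 allows both the GET form shown and a POST with the same bytes as the request body; either way the content is the plain DNS message, and only the HTTPS wrapper keeps it from the ISP.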


stuck
UraniumLounger
Posts: 6585
Joined: 25 Jan 2010, 09:09
Location: up North (but it's not that grim)

Re: DNS over HTTPS

Post by stuck »

Thanks Stuart.

Couple of follow up questions, any recommendation(s) on:
1) Which DoH server to use? The default 'Cloudflare' one or an alternative from this list:
https://github.com/curl/curl/wiki/DNS-o ... le-servers

2) What's the 'best' way to make this change, the simple method, using the Settings dialog or the more involved method of manually editing FF's config file:
https://www.zdnet.com/article/how-to-en ... n-firefox/

Ken

StuartR
Administrator
Posts: 11446
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: DNS over HTTPS

Post by StuartR »

Ken,

1. I just used the default Cloudfare server. I suspect this all depends on how much you are worried about privacy and who you trust.
2. The settings option didn't exist on my system, so I used about:config to set network.trr.mode to 2, no other changes needed
StuartR


stuck
UraniumLounger
Posts: 6585
Joined: 25 Jan 2010, 09:09
Location: up North (but it's not that grim)

Re: DNS over HTTPS

Post by stuck »

Thanks again, I'll try this out when I get home this evening, can't poke around with my settings here at work.

Ken

stuck
UraniumLounger
Posts: 6585
Joined: 25 Jan 2010, 09:09
Location: up North (but it's not that grim)

Re: DNS over HTTPS

Post by stuck »

I was able to turn on DoH via the Options dialog. I then checked the config file, network.trr.mode was set to 2 and network.trr.uri was pointing to the default Cloudflare server.

Now I'll wait and see what happens in the coming days. Not that anything I do on the Internet is worth hiding from my ISP.

Ken
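
Added check (editor's code, not from any post in this thread): parse the network.trr.* lines out of a copied prefs.js or user.js excerpt and say what the value actually means, in particular that mode 2, the value Ken found, falls back to the system resolver without telling you. The excerpt and the resolver URL are constructed; network.trr.bootstrapAddress is a real Firefox pref mentioned as a caveat.

```python
import re

# Meaning of network.trr.mode (0, 2, 3 and 5 are the values that matter today;
# 1 and 4 were experimental modes in early builds).
TRR_MODES = {
    0: "off (default): every lookup goes to the system resolver, normally the ISP's",
    2: "DoH first, silent fallback to the system resolver when the DoH lookup fails",
    3: "DoH only: no fallback, a failed DoH lookup fails the connection",
    5: "off by user choice",
}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse user_pref("name", value); lines from prefs.js / user.js into a dict."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def assess_trr(text):
    """Report the effective DoH mode, the resolver URL and the caveats that apply."""
    prefs = parse_prefs(text)
    mode = prefs.get("network.trr.mode", 0)
    uri = prefs.get("network.trr.uri", "")
    findings = [TRR_MODES.get(mode, f"unknown mode {mode}")]
    if mode in (2, 3):
        if not uri.startswith("https://"):
            findings.append("network.trr.uri is not an https:// URL; DoH cannot work")
        if prefs.get("network.trr.bootstrapAddress") is None:
            findings.append("no network.trr.bootstrapAddress: the resolver's own hostname "
                            "is looked up through the system resolver before DoH starts")
    return {"mode": mode, "uri": uri, "findings": findings}


# Constructed prefs.js excerpt of the kind Ken looked at (resolver URL is hypothetical).
SAMPLE_PREFS = """
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for finding in assess_trr(SAMPLE_PREFS)["findings"]:
        print(finding)
```

Mode 2 is the right choice if you want browsing to keep working on networks where the DoH resolver is blocked; mode 3 is the right choice if you would rather have a lookup fail than leak to the ISP's resolver.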

StuartR
Administrator
Posts: 11446
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: DNS over HTTPS

Post by StuartR »

I'm pretty boring too Ken, but I prefer to make it difficult for the trackers to see everything I do.
StuartR


PaulB
BronzeLounger
Posts: 1504
Joined: 26 Jan 2010, 20:28
Location: Ottawa ON

Re: DNS over HTTPS

Post by PaulB »

I already use Cloudflare 1.1.1.1 and 1.0.0.1 as my DNS Servers. Would it still benefit me to implement DoH? BTW, this has nothing to do with Homer Simpson, does it? :innocent:
Last edited by PaulB on 09 Jul 2019, 02:37, edited 1 time in total.
Regards,
Paul



BobH
UraniumLounger
Posts: 8257
Joined: 13 Feb 2010, 01:27
Location: Temple - Deep in the Heart of Texas

Re: DNS over HTTPS

Post by BobH »

I'm in the US but discovered that my Firefox did not have DoH enabled. I used Tools > Options > General > Network Settings > Settings, enabled it and chose to use the Cloudfare default.

Does this mean that Firefox is bypassing my ISP's DNS server? Should I go through the process of choosing a DNS service other than the one at my ISP? I guess I'm not clear on what Cloudfare does. Does it become my DNS server now that I've enabled DoH?

Again, thanks for bringing this to my attention, Stuart. I'm a respectable older fellow who likes to preserve as much privacy as he can . . . which seems to be damned little any more.
Bob's yer Uncle!
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 7 >HPE 64-bit, MS Office 2016

Argus
GoldLounger
Posts: 2970
Joined: 24 Jan 2010, 19:07

Re: DNS over HTTPS

Post by Argus »

PaulB wrote:I already use Cloudflare 1.1.1.1 and 1.0.0.1 as my DNS Servers. Would it still benefit me to implement DoH?
You can always try, Paul. You are already trusting Cloudflare, :smile: and this is supposed to add some privacy (and security, even if man-in-the-middle is rare), so you can compare the performance with previous experience. (There could perhaps be some increased performance here)
PaulB wrote:BTW, this has nothing to do with Homer Simpson, does it? :innocent:
:grin: :doh: :bingo: I hope it won't end there.

This is used by different clients running on an OS, such as Firefox, and will only work if there's support for that, such as in recent versions (and being enabled), and with the servers that are available at the moment (as in the list on the page Ken linked to), other software will use whatever is configured via router etc. such as an ISP's DNS servers. Then as mentioned somewhere, the software won't tell you if it falls back to using regular DNS. I guess that one could see this "per-application approach" as something good, at least now, that one can override a general setting. (Guess it is also possible to have a local DoH server for everything.) One could perhaps also compare different use cases, someone using a laptop, moving about and connecting to lots of different networks (using different DNS servers), or if using the same all the time. Anyhow, I've not tested it yet.

(And it's not all about hiding something from the typical DNS provider, the ISP, anyone (well, routers on the path) along the route to the DNS server, and back, can see.)

(And as mentioned below, an ISP can still figure out which sites we are visiting since the Server Name Indication, which is part of the initial request to set up an encrypted connection, TLS handshaking, isn't encrypted.)

A quite good explanation (in this case from Mozilla, when they first introduced some tests, it later arrived in Fx 62, I think): A cartoon intro to DNS over HTTPS

For those that want to dig deeper into other Trusted Recursive Resolver-entries (trr) in Firefox (let's say, supplementary studies :grin:):
Inside Firefox’s DOH engine
Byelingual    When you speak two languages but start losing vocabulary in both of them.

StuartR
Administrator
Posts: 11446
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: DNS over HTTPS

Post by StuartR »

BobH wrote:Does this mean that Firefox is bypassing my ISP's DNS server?
Yes, it does, but only for web sites that you access using Firefox. Your ISP's DNS server will still be used for other stuff.
BobH wrote:Should I go through the process of choosing a DNS service other than the one at my ISP? I guess I'm not clear on what Cloudfare does. Does it become my DNS server now that I've enable DoH?
I would choose a DNS service that is not your ISP. Cloudfare doesn't know who you are, but they know what web sites you are visiting. Your ISP does know who you are, but with this they don't know what you're doing.
Argus wrote:this is supposed to add some privacy (and security, even if man-in-the-middle is rare)
In this specific case, man-in-the-middle is VERY common. Most ISPs record what web sites you access and store the information for a long time. In some countries they are required to do this by law.
StuartR


stuck
UraniumLounger
Posts: 6585
Joined: 25 Jan 2010, 09:09
Location: up North (but it's not that grim)

Re: DNS over HTTPS

Post by stuck »

:stop: Pedant Alert!

It's Cloudflare, with a 'l', not Cloudfare, without a 'l' :grin:

Ken

Argus
GoldLounger
Posts: 2970
Joined: 24 Jan 2010, 19:07

Re: DNS over HTTPS

Post by Argus »

StuartR wrote:
Argus wrote:this is supposed to add some privacy (and security, even if man-in-the-middle is rare)
In this specific case, man-in-the-middle is VERY common. Most ISPs record what web sites you access and store the information for a long time. In some countries they are required to do this by law.
That's true, Stuart. We have that discussion here as well. :smile: (What with IPRED, intellectual property rights directive, pirate bay etc. Here we had the Data Retention Act, in 2012 I think, forcing ISPs to store traffic data for 6 months, then some stopped, the case with Tele2 went all the way to European Court of Justice, some 2.5 years ago, which found that the (Swedish) law was in violation of articles about privacy and protection of personal data (in the charter of fundamental rights in EU). Now a revised law is proposed, some ISP has said they are going to take it to court again. (I have heard about DRIPA and IPA in the UK.) I was going to mention that I've heard that it's also rather common to sell info about user statistics in some parts of the world.

But I didn't see them (ISPs), or that, as a typical man-in-the-middle (attack), such as spoofing etc. i.e. a security problem, rather a privacy ditto; but since it can mitigate both problems, the merrier. (And it's true that clear text queries aren't only a privacy problem, they can also be a security problem.)

I agree and think that increased privacy and security in DNS is a really good thing, and there are some "cool" other aspects in DoH such as Server Push. (And what is a challenge to some might be a benefit to others, i.e. for example DNS queries "hiding" in HTTPS traffic.)

Here is a video that discusses this a little bit: DNSSEC, DNS over TLS and DNS over HTTPS (and the SNI leaks mentioned above).
UTmessan 2019 - The good, bad and ugly of DoH and DoT [UTmessan is a conference and exhibition for the IT industry in Iceland.]
Byelingual    When you speak two languages but start losing vocabulary in both of them.

BobH
UraniumLounger
Posts: 8257
Joined: 13 Feb 2010, 01:27
Location: Temple - Deep in the Heart of Texas

Re: DNS over HTTPS

Post by BobH »

For those like me who need a primer on how the HTTPS protocol works, this web page gives a good explanation without too much techno-speak.

:cheers: :chocciebar: :thankyou:
Bob's yer Uncle!
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 7 >HPE 64-bit, MS Office 2016

BobH
UraniumLounger
Posts: 8257
Joined: 13 Feb 2010, 01:27
Location: Temple - Deep in the Heart of Texas

Re: DNS over HTTPS

Post by BobH »

OK, I'm ready to search for a DNS server that is not at my ISP. I've done some searching and found info on how to find the fastest DNS server using a benchmark app; and I've found a list of the most secure DNS servers, but before choosing one I'd like to ask the opinion and experience had from you folks.

:cheers: :chocciebar: :thankyou:
Bob's yer Uncle!
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 7 >HPE 64-bit, MS Office 2016

HansV
Administrator
Posts: 71516
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: DNS over HTTPS

Post by HansV »

The Cloudflare DNS servers at IP addresses 1.1.1.1 and 1.0.0.1 are good choices, as are the Google DNS servers at IP addresses 8.8.8.8 and 8.8.4.4.

In the past, I liked the OpenDNS servers, but they have become rather slow, at least from this side of the pond.
Regards,
Hans

BobH
UraniumLounger
Posts: 8257
Joined: 13 Feb 2010, 01:27
Location: Temple - Deep in the Heart of Texas

Re: DNS over HTTPS

Post by BobH »

Thanks, Hans!

I've set Firefox to use DoH and Cloudflare. Does that mean that I'm automatically using one of the Cloudflare DNS servers you mentioned?

I'm a bit confused by Stuart's statement ...
Yes, it does, but only for web sites that you access using Firefox. Your ISP's DNS server will still be used for other stuff.
What other stuff might my ISP use their DNS server for if I use only Firefox and Thunderbird to access it? Are there other ways that I use my ISP that I'm not aware of?
Bob's yer Uncle!
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 7 >HPE 64-bit, MS Office 2016

HansV
Administrator
Posts: 71516
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: DNS over HTTPS

Post by HansV »

If you use another browser, such as IE or Chrome, it'll use the DNS set in Windows, which defaults to your ISP's DNS.
Windows Update will also use the DNS set in Windows.
Regards,
Hans

StuartR
Administrator
Posts: 11446
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: DNS over HTTPS

Post by StuartR »

You probably access the internet with many things that are not web browsers too. Examples might be products that check for license information, email clients, the Windows Time service checking the time, Windows Update, etc.
StuartR


BobH
UraniumLounger
Posts: 8257
Joined: 13 Feb 2010, 01:27
Location: Temple - Deep in the Heart of Texas

Re: DNS over HTTPS

Post by BobH »

Thanks, Hans and Stuart!!!

It's time to set a new DNS. First a search to find out how to do that.

:cheers: :chocciebar: :thankyou:
Bob's yer Uncle!
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 7 >HPE 64-bit, MS Office 2016

Argus
GoldLounger
Posts: 2970
Joined: 24 Jan 2010, 19:07

Re: DNS over HTTPS

Post by Argus »

As Stuart said, there can be many things using the Internet; and as I mentioned above it is a per-application approach. (A topic for another thread could be how many are using the default time server, NTP server.)

You know what Bob, speaking of HTTPS in general, if accessing the Lounge via HTTPS, and looking at a thread with a post from you one will notice an icon change in the address bar; in for example Firefox it will say something like "Parts of this page are not secure (such as images)". :grin: :hairout: It's the weathersticker from wunderground in your signature. :smile:

This mixed content, i.e. some components on the web page using HTTPS and some HTTP, could of course be anything, such as JavaScript etc. We see it quite frequently when we browse the web, not much one can do. This warning from browsers is of course good, we don't want to see mixed content on pages at, say, a bank site or similar since in worst case user data could be at risk. But now browsers (at least Fx) are blocking mixed active content (even if the padlock icon is green there can be some).

In this case it's a grey padlock with an orange triangle that is there for information: that Firefox is not blocking insecure passive content, such as images. No problem, this is what Mozilla says about this case: "Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site."

In this case it was simple to identify which content might be using HTTP, in other cases one can use the Developer Tools in Firefox (press F12, Network tab).
Byelingual    When you speak two languages but start losing vocabulary in both of them.
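
Added check (editor's code, not from any post in this thread): a small scanner that does offline what the F12 Network tab shows, listing which sub-resources of an https page are fetched over plain http and whether they are active (scripts, frames, stylesheets) or passive (images, media), following the distinction Argus describes. The HTML, the page URL and the resource URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which (tag, attribute) pairs load sub-resources, split the way browsers split them:
# active content can run code or restyle the page, passive content is display only.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, attr, url as written)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <link> is active only when it pulls in a stylesheet
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.resources.append(("link", "href", a["href"]))
        for t, attr in ACTIVE | PASSIVE:
            if tag == t and a.get(attr):
                self.resources.append((tag, attr, a[attr]))


def find_mixed_content(page_url, html):
    """List sub-resources an https page fetches over plain http, tagged active/passive."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.resources:
        absolute = urljoin(page_url, raw)  # relative and scheme-relative (//) URLs inherit https
        if urlsplit(absolute).scheme == "http":
            kind = "active" if (tag, attr) in ACTIVE or tag == "link" else "passive"
            findings.append({"tag": tag, "url": absolute, "kind": kind})
    return findings


# Constructed page: one http image (like a weather sticker in a signature),
# one http script, one http stylesheet, plus two resources that are fine.
SAMPLE_HTML = """
<html><body>
<p>Signature</p>
<img src="http://weather.example/sticker.png" alt="weather">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<img src="//static.example/logo.png">
<link rel="stylesheet" href="http://cdn.example/site.css">
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content("https://forum.example/viewtopic.php", SAMPLE_HTML):
        print(f["kind"], f["tag"], f["url"])
```

The passive hit is the case Argus describes (a warning icon, page still usable); the active hits are what a browser blocks outright, because a script or stylesheet fetched over http can be replaced by anyone on the path and then read the page's content.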