53 comments

[ 2.9 ms ] story [ 112 ms ] thread
Have Mozilla figured out how they are going to handle corp users enabling this and not breaking corporate DNS?
best response I've had to that is 1) they'll retry queries internally if they don't work externally (leaking everything first) 2) people should not have internal only domains, everything to the cloud!
That seems very leaky to me. It would be a shame if we had to block CF's DNS IP's.
I would rather CF (or any other company) not get a list of all our internal domain names.
It's likely that the assumption is that in 'enterprise' or large organizations software installation and configuration is managed or that they fall back if they can't (but as the blog post says; DNS over HTTPS is hard to block).
With BYOD that is less and less likely to be true..
And Android P is already gearing up to DNS over HTTPS as well with Android itself going with DNS over TLS.

Don't know what the iOS stance on this is.

I've not seen many orgs manage FF settings. Typically AD policies apply to MSIE/Edge. Has this changed?
As a single data point, my current and quite large company manages firefox settings. I discovered this when they turned off the search in address bar feature...
If anyone wonders why anyone would do that it might be because the autocomplete in search bar leaks metadata not only about what you search but also about what sites you visit.
It seems many orgs manage to shoot themselves in the foot quite badly with centrally managed browser. In all the environments I've seen, IT have managed to disable auto-update on Chrome or Firefox and break the centrally managed updates for a long time, creating an easy avenue for malware or worse to get in.
An update is that on Reddit a Firefox employee has responded on my crosspost to reddit: https://www.reddit.com/r/firefox/comments/9cx8hk/on_firefox_...

Clarifying that this is just an A/B test and there are no plans to continue using CloudFlare for all users.

To clarify, only in nightly and previously disclosed [0] (results at [1]).

The article is right to be fearful that FF is pondering a default change, but until that is even on the table, I'm not worried. Now if they wanted to make it really really easy for regular users to change from your default ISP DNS to CloudFlare, I'd actually be OK with that, but I'd expect it to be implemented like search engine providers where anyone could just as easily be the DNS provider chosen (ideally without any CloudFlare favoritism). And it would be clear who your DNS provider is maybe via an icon (if there is real estate for it).

0 - https://blog.nightly.mozilla.org/2018/06/01/improving-dns-pr...

1 - https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-...

They have a contract with CloudFlare with stronger privacy protections for FF users. This goes beyond the normal CloudFlare privacy policy. https://developers.cloudflare.com/1.1.1.1/commitment-to-priv... They're not just picking providers at random.
I am a bit naive. Who is paying who in this contract? What is either side getting out of it? Why can it not just be a pluggable DNS provider situation and let CloudFlare compete with anyone else for opt-in (including extra privacy features if so desired)? Also curious, why would CloudFlare offer stronger privacy protections for one type of user and not another...what is CloudFlare getting out of the lesser-protected users since it is clear everyone is not given the same treatment?
It will almost certainly be configurable. My point is that you'd have to evaluate the privacy policy of each provider for yourself which is more work than just picking from a drop-down menu. And even if you put in the normal CF endpoint, you would only be covered by the normal CF ToS and not by Firefox's special deal. The "favoritism" has a material impact on privacy.
Surely it can be seen why this comes off as shady. Browser vendor inks deal w/ third party company. Deal includes special provisions company will not otherwise provide users of its service. Browser vendor promises to give preference to third party company. Details of deal, at least to me, are not very transparent.

In general I agree that using other DNS providers besides the ISPs has benefits. But not sure I think it should funnel to a single, preferred company. Nor do I think that they should collect anything at all, reduced compared to their original or not. I think some transparency is deserved here about the contract if/when a regular FF release is shipped encouraging users to use Cloudflare, specifically around the motives of wanting this data. Granted, I am a bit more paranoid than most.

This was a one-off experiment with a really new technology, it makes sense to go with one global provider for that. (If you want to use it already outside that, you can enable it and set a server of your own choice)

If they intended to ship with DoH default-enabled, I'd hope Mozilla would not go with any single provider as a default.

Agreed on all fronts. A single provider for tests makes plenty of sense. Time will tell whether the deal amongst the two companies has legs beyond this test.
What Cloudflare wants is the most people/consumers possible using their DNS. Doing so will make lookups and translations faster for their customers than anyone else as the content is basically on the same network as the DNS lookup. When they go sell Enterprise content delivery services to their big customers they can tout a huge base of users tied to their DNS and sell on the performance enhancement these people will see when accessing Cloudflare customers content. CDN is all about shaving milliseconds off of content delivery and having a huge base of consumers using Cloudflare for DNS differentiates them and provides a measurable performance increase.
CF is an american company. They are subject to NSLs. Why should anything they say be trusted?
According to the tweet linked from the post: "DoH might become enabled by default at some point, which is what has been said. But no-one has specified exactly how or with which operators (yes, plural). Because we don't know. That's not planned yet. And "might" is still "might [not]" as well." (the [not] was not there, but I think this is what Daniel meant). https://twitter.com/bagder/status/1036364374728953858
This seems well-intentioned but incredibly dangerous. There's no promise CF can make that justifies trusting them to receive a stream of every request from every FF browser, with all this trackable metadata.

In particular, I think it would be unsurprising if CF's lines were tapped upstream. CF and Mozilla staff have a history of treating TLS as if it protects all content, rather than as a tool for keeping narrowly defined secrets. I explain further at https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-... .

Does Google do this with their own DNS service in Chrome...or would this open the door for them to do so? I don't like the implications.
But since there's already a high risk of ISPs sniffing or even redirecting this traffic, you'd have to show that the risk for the average user is higher with CF.
It funnels all _firefox_ requests through CF, as opposed to all _$ISP_ requests. Which one is worse for the user I find hard to say, but they'd definetely generate two completely different datasets. (for example, CF's set would be international).
At the moment, this is an A/B test to see if DNS over HTTPS can keep up with regular DNS in term of performance in a real-world setting. It’s an opt-in study. That’s about the extend of it.

You can explicitly enable DNS over HTTPs on recent FF versions if you want to, then you need to pick a provider. There are a few available choices out there. There’s a list on the cURL docs IIRC. Due to the standard being finalized right now, the list is understandably quite short, by there’s no particular reason you ISP shouldn’t offer a suitable DNS server in the future.

>This seems well-intentioned but incredibly dangerous.

Like many of the things the Mozilla Corporation has been doing these last years.

The big issue with Mozilla, is that they are dependent on outside revenue (which for the most part ultimately comes from advertising). A big chunk of their revenue comes from Google. If CloudFlare were to offer Mozilla a lot of money to use CloudFlare DNS, they would likely do it.
> The big issue with Mozilla, is that they are dependent on outside revenue

While this is technically true it is kind of misleading to single Mozilla out as depending on a certain large sponsor given who owns Chrome (and who owns Edge, IE and possibly less problematic, Safari).

This is just like when Facebook wanted to handle all of your iOS traffic via a VPN app for "secure Internet" reasons. "Trust us, you have nothing to worry about, your traffic is safe with us" and then they were caught analyzing traffic data of all apps other than Messenger or Facebook. Yeah. "Trust"
> they were caught analyzing traffic data of all apps

Source?

Onavo has been a critical part of Facebook's recent startup acquisitions, and the data they had was very powerful.

"The tool shaped Facebook's decision to buy WhatsApp and informed its live-video strategy, they say. Facebook used Onavo to build its early-bird tool that tips it off to promising services and that helped Facebook home in on Houseparty."

https://www.engadget.com/2017/08/13/facebook-knew-about-snap...

https://www.foxbusiness.com/features/the-new-copycats-how-fa...

In this case they do actually have a contract in place. So there could be real penalties if they violate the privacy agreement.
A friend of mine has a simple static hobby website on his own .net domain. It isn't reachable through CloudFlare DNS. This has been true for over two months. Google DNS can see it, as can my ISP's.

I recently noticed that his self-hosted email is sometimes being flagged as spam because it lacks spf.

Is CloudFlare filtering their DNS results, maybe against a spam blacklist?

Perhaps his DNS servers just wont talk to 1.1.1.1 for $reasons?
Can you share the domain name so we can investigate?
I can't share the domain name but its DNS servers are:

  ns3.cisws.nl
  ns6.cis-websolutions.nl
Sharing the domain is usually critical.

Picking a random domain hosted on those nameservers, mdfs.net, it looks like, of the 4 IPs, 2 are down and 1 of the remaining ones doesn't support TCP.

http://dnsviz.net/d/mdfs.net/W48OcQ/dnssec/ https://ednscomp.isc.org/ednscomp/4040283963

1.1.1.1 is less tolerant than some resolvers of that level of breakage.

https://community.cloudflare.com/t/ipv6-timeouts-appear-to-b...

Thanks for having a look. If I understand that correctly the DNS servers are returning IPv6 addresses for themselves, which aren't functioning. So he needs to get his host to stop returning the IPv6 addresses (or to fix IPv6).
Yup. And also one of the IPv4 IPs isn't doing TCP.

I'm not sure nothing else is wrong, but the IPv6 issue is likely why 1.1.1.1 is having trouble resolving it.

That title is a hell of a lot misleading considering this is for an early A/B test and there are no plans to enable this for all users.
Is there any easy way to change/update the DNS lookup server? I do not trust Cloudflare or Google or anyone for that matter.
Cloudflare's 1.1.1.1 DNS already censors torrent/piracy focused domains, for example rarbg and thepiratebay.

On the other hand, they resolve websites which are considered illegal in my country, which would normally be censored by my ISP (e.g. not approved betting websites).

That's a load of crap. Actually it's a bucket of crap.
(comment deleted)
Given that my ISP currently tracks DNS and blocks whatever they feel like at that level, I actually think this is a good move.

The measure I'm looking at is that of sensible defaults: is this default more sensible for a majority of the user base than the existing default? For anyone outside the rule of GDPR using a regular ISP, this option is far better. The joint privacy policy Mozilla + Cloudflare is much better than a regular ISP.

And given that we all go and change the DNS of every computer we and our extended families own to 8.8.8.8, 8.8.4.4 or 1.1.1.1, I don't see why we'd think Mozilla doing it by default is a bad thing.

Cloudflare is too big and to much of an activist culture to be a stewardif such traffic as it has now let alone firefox's chuck of traffic.
Cloudflare wants to control the entire internet.

WAKE UP.

When is enough enough? We've seen what happens to these companies in Google and Facebook. They have to be stopped.