best response I've had to that is 1) they'll retry queries internally if they don't work externally (leaking everything first) 2) people should not have internal only domains, everything to the cloud!
It's likely that the assumption is that in 'enterprise' or large organizations software installation and configuration is managed or that they fall back if they can't (but as the blog post says; DNS over HTTPS is hard to block).
As a single data point, my current and quite large company manages firefox settings. I discovered this when they turned off the search in address bar feature...
If anyone wonders why anyone would do that it might be because the autocomplete in search bar leaks metadata not only about what you search but also about what sites you visit.
It seems many orgs manage to shoot themselves in the foot quite badly with centrally managed browser. In all the environments I've seen, IT have managed to disable auto-update on Chrome or Firefox and break the centrally managed updates for a long time, creating an easy avenue for malware or worse to get in.
To clarify, only in nightly and previously disclosed [0] (results at [1]).
The article is right to be fearful that FF is pondering a default change, but until that is even on the table, I'm not worried. Now if they wanted to make it really really easy for regular users to change from your default ISP DNS to CloudFlare, I'd actually be OK with that, but I'd expect it to be implemented like search engine providers where anyone could just as easily be the DNS provider chosen (ideally without any CloudFlare favoritism). And it would be clear who your DNS provider is maybe via an icon (if there is real estate for it).
I am a bit naive. Who is paying who in this contract? What is either side getting out of it? Why can it not just be a pluggable DNS provider situation and let CloudFlare compete with anyone else for opt-in (including extra privacy features if so desired)? Also curious, why would CloudFlare offer stronger privacy protections for one type of user and not another...what is CloudFlare getting out of the lesser-protected users since it is clear everyone is not given the same treatment?
It will almost certainly be configurable. My point is that you'd have to evaluate the privacy policy of each provider for yourself which is more work than just picking from a drop-down menu. And even if you put in the normal CF endpoint, you would only be covered by the normal CF ToS and not by Firefox's special deal. The "favoritism" has a material impact on privacy.
Surely it can be seen why this comes off as shady. Browser vendor inks deal w/ third party company. Deal includes special provisions company will not otherwise provide users of its service. Browser vendor promises to give preference to third party company. Details of deal, at least to me, are not very transparent.
In general I agree that using other DNS providers besides the ISPs has benefits. But not sure I think it should funnel to a single, preferred company. Nor do I think that they should collect anything at all, reduced compared to their original or not. I think some transparency is deserved here about the contract if/when a regular FF release is shipped encouraging users to use Cloudflare, specifically around the motives of wanting this data. Granted, I am a bit more paranoid than most.
This was a one-off experiment with a really new technology, it makes sense to go with one global provider for that. (If you want to use it already outside that, you can enable it and set a server of your own choice)
If they intended to ship with DoH default-enabled, I'd hope Mozilla would not go with any single provider as a default.
Agreed on all fronts. A single provider for tests makes plenty of sense. Time will tell whether the deal amongst the two companies has legs beyond this test.
What Cloudflare wants is the most people/consumers possible using their DNS. Doing so will make lookups and translations faster for their customers than anyone else as the content is basically on the same network as the DNS lookup. When they go sell Enterprise content delivery services to their big customers they can tout a huge base of users tied to their DNS and sell on the performance enhancement these people will see when accessing Cloudflare customers content. CDN is all about shaving milliseconds off of content delivery and having a huge base of consumers using Cloudflare for DNS differentiates them and provides a measurable performance increase.
According to the tweet linked from the post: "DoH might become enabled by default at some point, which is what has been said. But no-one has specified exactly how or with which operators (yes, plural). Because we don't know. That's not planned yet. And "might" is still "might [not]" as well." (the [not] was not there, but I think this is what Daniel meant). https://twitter.com/bagder/status/1036364374728953858
This seems well-intentioned but incredibly dangerous. There's no promise CF can make that justifies trusting them to receive a stream of every request from every FF browser, with all this trackable metadata.
In particular, I think it would be unsurprising if CF's lines were tapped upstream. CF and Mozilla staff have a history of treating TLS as if it protects all content, rather than as a tool for keeping narrowly defined secrets. I explain further at https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-... .
But since there's already a high risk of ISPs sniffing or even redirecting this traffic, you'd have to show that the risk for the average user is higher with CF.
It funnels all _firefox_ requests through CF, as opposed to all _$ISP_ requests. Which one is worse for the user I find hard to say, but they'd definetely generate two completely different datasets. (for example, CF's set would be international).
At the moment, this is an A/B test to see if DNS over HTTPS can keep up with regular DNS in term of performance in a real-world setting. It’s an opt-in study. That’s about the extend of it.
You can explicitly enable DNS over HTTPs on recent FF versions if you want to, then you need to pick a provider. There are a few available choices out there. There’s a list on the cURL docs IIRC. Due to the standard being finalized right now, the list is understandably quite short, by there’s no particular reason you ISP shouldn’t offer a suitable DNS server in the future.
The big issue with Mozilla, is that they are dependent on outside revenue (which for the most part ultimately comes from advertising). A big chunk of their revenue comes from Google. If CloudFlare were to offer Mozilla a lot of money to use CloudFlare DNS, they would likely do it.
> The big issue with Mozilla, is that they are dependent on outside revenue
While this is technically true it is kind of misleading to single Mozilla out as depending on a certain large sponsor given who owns Chrome (and who owns Edge, IE and possibly less problematic, Safari).
This is just like when Facebook wanted to handle all of your iOS traffic via a VPN app for "secure Internet" reasons. "Trust us, you have nothing to worry about, your traffic is safe with us" and then they were caught analyzing traffic data of all apps other than Messenger or Facebook. Yeah. "Trust"
Onavo has been a critical part of Facebook's recent startup acquisitions, and the data they had was very powerful.
"The tool shaped Facebook's decision to buy WhatsApp and informed its live-video strategy, they say. Facebook used Onavo to build its early-bird tool that tips it off to promising services and that helped Facebook home in on Houseparty."
A friend of mine has a simple static hobby website on his own .net domain. It isn't reachable through CloudFlare DNS. This has been true for over two months. Google DNS can see it, as can my ISP's.
I recently noticed that his self-hosted email is sometimes being flagged as spam because it lacks spf.
Is CloudFlare filtering their DNS results, maybe against a spam blacklist?
Picking a random domain hosted on those nameservers, mdfs.net, it looks like, of the 4 IPs, 2 are down and 1 of the remaining ones doesn't support TCP.
Thanks for having a look. If I understand that correctly the DNS servers are returning IPv6 addresses for themselves, which aren't functioning. So he needs to get his host to stop returning the IPv6 addresses (or to fix IPv6).
Cloudflare's 1.1.1.1 DNS already censors torrent/piracy focused domains, for example rarbg and thepiratebay.
On the other hand, they resolve websites which are considered illegal in my country, which would normally be censored by my ISP (e.g. not approved betting websites).
Given that my ISP currently tracks DNS and blocks whatever they feel like at that level, I actually think this is a good move.
The measure I'm looking at is that of sensible defaults: is this default more sensible for a majority of the user base than the existing default? For anyone outside the rule of GDPR using a regular ISP, this option is far better. The joint privacy policy Mozilla + Cloudflare is much better than a regular ISP.
And given that we all go and change the DNS of every computer we and our extended families own to 8.8.8.8, 8.8.4.4 or 1.1.1.1, I don't see why we'd think Mozilla doing it by default is a bad thing.
53 comments
[ 2.9 ms ] story [ 112 ms ] threadDon't know what the iOS stance on this is.
[1] - https://support.mozilla.org/en-US/kb/customizing-firefox-usi...
Clarifying that this is just an A/B test and there are no plans to continue using CloudFlare for all users.
The article is right to be fearful that FF is pondering a default change, but until that is even on the table, I'm not worried. Now if they wanted to make it really really easy for regular users to change from your default ISP DNS to CloudFlare, I'd actually be OK with that, but I'd expect it to be implemented like search engine providers where anyone could just as easily be the DNS provider chosen (ideally without any CloudFlare favoritism). And it would be clear who your DNS provider is maybe via an icon (if there is real estate for it).
0 - https://blog.nightly.mozilla.org/2018/06/01/improving-dns-pr...
1 - https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-...
In general I agree that using other DNS providers besides the ISPs has benefits. But not sure I think it should funnel to a single, preferred company. Nor do I think that they should collect anything at all, reduced compared to their original or not. I think some transparency is deserved here about the contract if/when a regular FF release is shipped encouraging users to use Cloudflare, specifically around the motives of wanting this data. Granted, I am a bit more paranoid than most.
If they intended to ship with DoH default-enabled, I'd hope Mozilla would not go with any single provider as a default.
In particular, I think it would be unsurprising if CF's lines were tapped upstream. CF and Mozilla staff have a history of treating TLS as if it protects all content, rather than as a tool for keeping narrowly defined secrets. I explain further at https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-... .
You can explicitly enable DNS over HTTPs on recent FF versions if you want to, then you need to pick a provider. There are a few available choices out there. There’s a list on the cURL docs IIRC. Due to the standard being finalized right now, the list is understandably quite short, by there’s no particular reason you ISP shouldn’t offer a suitable DNS server in the future.
Like many of the things the Mozilla Corporation has been doing these last years.
While this is technically true it is kind of misleading to single Mozilla out as depending on a certain large sponsor given who owns Chrome (and who owns Edge, IE and possibly less problematic, Safari).
Source?
"The tool shaped Facebook's decision to buy WhatsApp and informed its live-video strategy, they say. Facebook used Onavo to build its early-bird tool that tips it off to promising services and that helped Facebook home in on Houseparty."
https://www.engadget.com/2017/08/13/facebook-knew-about-snap...
https://www.foxbusiness.com/features/the-new-copycats-how-fa...
I recently noticed that his self-hosted email is sometimes being flagged as spam because it lacks spf.
Is CloudFlare filtering their DNS results, maybe against a spam blacklist?
Picking a random domain hosted on those nameservers, mdfs.net, it looks like, of the 4 IPs, 2 are down and 1 of the remaining ones doesn't support TCP.
http://dnsviz.net/d/mdfs.net/W48OcQ/dnssec/ https://ednscomp.isc.org/ednscomp/4040283963
1.1.1.1 is less tolerant than some resolvers of that level of breakage.
https://community.cloudflare.com/t/ipv6-timeouts-appear-to-b...
I'm not sure nothing else is wrong, but the IPv6 issue is likely why 1.1.1.1 is having trouble resolving it.
On the other hand, they resolve websites which are considered illegal in my country, which would normally be censored by my ISP (e.g. not approved betting websites).
[1] https://www.reddit.com/r/Piracy/comments/8aa0ba/cloudflare_d...
The measure I'm looking at is that of sensible defaults: is this default more sensible for a majority of the user base than the existing default? For anyone outside the rule of GDPR using a regular ISP, this option is far better. The joint privacy policy Mozilla + Cloudflare is much better than a regular ISP.
And given that we all go and change the DNS of every computer we and our extended families own to 8.8.8.8, 8.8.4.4 or 1.1.1.1, I don't see why we'd think Mozilla doing it by default is a bad thing.
WAKE UP.
When is enough enough? We've seen what happens to these companies in Google and Facebook. They have to be stopped.