What do you think of DNS over HTTPS?

I read this when FF started using DoH, gently written and easy to understand.

How can we fix this with Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH)?

At Mozilla, we feel strongly that we have a responsibility to protect our users and their data. We’ve been working on fixing these vulnerabilities.

We are introducing two new features to fix this — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three threats here:

  1. You could end up using an untrustworthy resolver that tracks your requests, or tampers with responses from DNS servers.
  2. On-path routers can track or tamper in the same way.
  3. DNS servers can track your DNS requests.

the three threats—resolvers, on-path routers, and DNS servers

So how do we fix these?

  1. Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
  2. Protect against on-path eavesdropping and tampering using DNS over HTTPS.
  3. Transmit as little data as possible to protect users from deanonymization.

It doesn’t work like that at all anymore. This was only true in the inital stages of development.

Your client machine will attach to a local server on your own computer or LAN (for now), relay to a local HTTPS DNS server where it will hop off to a HTTPS server (Google, CloudFlare, etc.). That HTTPS DNS space is fully encrypted end-to-end including queries.

The client piece will soon change with platforms and software as well once the protocol is officially approved.

OK, thanks. I did not know that :grinning:

I am all for DOH the problem is that you exchange a de centralised architecture with a centralised one.
In addition to that you move control from your ISP to a large corporation like Google.

Different companies with different goals. Both can and probably will use our data for their purposes.
It would be nice if we could choose which server our browser will use and there are independent organisations that we could choose from as our service providers.

Um, you can? In that there is at least Google, CloudFlare and Quad9. (And probably others.)

Yeah there are more than one options right now. But is this a free form field that you can edit and use a dns provider of your own?

Basically what I am saying is that there is a restriction on how many servers you can use.

DOH is not decentralised but I do not think the existing DNS is either. Both require what is called “root servers” to perform the task of management and downstream records. Transparency was the first topic on this scope which I believe is what you are referring to.

The control part of the arguement is more so the fact that anyone can now manage their own DOH hub whether it is an ISP or another commerical entity.

1 Like

Yeah, exactly my point. For example, with regular DNS, I have my own DNS server (if i want to) and I can choose which upstream DNS servers to use.
If a company or government chooses to filter out/block certain domains, I can use my own DNS system which might not be located in the same country to bypass these restrictions.
I would like to be able to do the same with DOH if possible, and I am not sure if this is currently supported.

This is not at all an issue if you’re using your own DOH architecture. The DoH client does not directly query name servers but the server allows you to define which DNS servers to query for records.

In addition, I know that providers like CloudFlare have been able to run both DOH and DoT simultaneously. CloudFlare also performs their own DNS name server management. This is how they avoid the filtering issue that you described.

According to the DOH standard, you are correct, the protocols it employs is a mismatch of TLS and HTTPS.

If you are highly concerned about the management (or lack) of DOH then you would use DoT (DNS over TLS) for this purpose and the protocols that DoT employs are generally TLS end to end even to name servers.

1 Like

Yes, in Firefox anyway, it is. One presumes if you wanted to run your own DNS provider and provide service over HTTPS you could.

1 Like

I am a bit late to the party but I love the idea of DNS being encrypted. I don’t like the idea of every application having its own DNS configuration/implementation. This will make troubleshooting DNS related issues for more difficult.

The ideal solution is for DoH or DoT or any other encrypted DNS protocol to be handled by the OS (I think Microsoft has mentioned that they are working towards DoH in Windows, and there is no reason why other OSes can’t do the same). This way all applications will use the OS provided DNS configuration/implementation (which is how it currently works) while still providing users the benefits of encrypted DNS.

From an implementation perspective DoT seems far nicer than DoH but it looks like DoH has all the traction, and given the continued push for http optimizations it might make more long term sense.

1 Like

Cheers for this, I have enabled it for my Firefox. I hope Chromium/Chrome will also follow the same path.

At least it is illegal for the ISP to use your DNS or search history for marketing and they are not allowed to sell it on, without your permission (GDPR).

I use DNS over TLS on my DNS server at home and DNSSEC as well. All my devices then go over my DNS server. I have disabled DoH at the firewall and added an internal DoH provider.

1 Like

I have been bypassing my ISP DNS server because it was broken in my case with very poor results. But my comment was related to have the option to control the settings of your apps.

Not everyone is as technical as you to have their setup on their network equipment.
Btw I like your approach :slight_smile:

Yes, I’m a bit of an outlier.

I am into IT security, have done the course for Ethical Hacking and I was a Data Protection Officer at my previous employer. That makes me very sensitive to people abusing my data.

2 Likes

One other thing that is possible is to bring up about:config and search for trr and look for the BootstrapAddress setting. This should bypass using your non DoH DNS to resolve for your DoH provider. In the case of mine, Quad9, I have put in 9.9.9.9.

1 Like

big_D is on my level on a technical scale but that’s because I experiment with newer technologies. I do like nickapos’ approach because this is what everyone else would have to experience to get it working. The biggest obstable again is design or engineering. This is why I’m closely following Microsoft’s developments and I do believe they will get it right so the software developers do not have to do the heavy lifting.

My concern with DNS over HTTPS is that I routinely use a hosts file for testing. I wouldn’t want DNS over HTTPS overriding this.

2 Likes

Are you bypassing your ISP’s DNS server by setting it on your router and/or PC? Are you restricted in any way from using another DNS server? I had that issue with my ISP years ago and gave up for the same reason.