  • Firefox began the rollout of encrypted DNS over HTTPS (DoH)

    Posted by Alex5723 on the AskWoody Lounge


      • #2171099 Reply
        Alex5723
        AskWoody Plus

        Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.

        Firefox continues push to bring DNS over HTTPS by default for US users

        Outside the US? You can switch on DNS over HTTPS manually.

        Firefox > Preferences
        Scroll down to Settings
        Click the Settings… button
        At the bottom, check Enable DNS over HTTPS
        Optionally, use the pull-down menu to change the provider

        2 users thanked author for this post.
      • #2171359 Reply
        anonymous
        Guest

        Have you noticed any positive difference during look up requests?

      • #2171412 Reply
        Alex5723
        AskWoody Plus

        Have you noticed any positive difference during look up requests?

        I use Portable Firefox ESR that doesn’t have this option.
        One positive point with DoH is that your ISP can’t track your surfing/URLs.

        • #2171452 Reply
          Paul T
          AskWoody MVP

          They can still track by IP.
          URL tracking is always limited in an HTTPS session because you only need one DNS lookup to go to a site and then it’s internal references. And the DNS results are cached locally so one DNS lookup may be accessed many times without the ISP knowing, apart from IP address.

          cheers, Paul

      • #2171645 Reply
        Charlie
        AskWoody Plus

        If I’m reading things correctly then DoH is a good thing. I’m wondering if this is the reason I see a lot of things happening at the bottom left of my FF browser. To give you a for instance: I click on my Askwoody bookmark and nothing comes up in the address bar, but down at the bottom left I see “Looking for Askwoody” followed by “Handshaking with Gravitar” and other things that flash by too quickly to read. By now Askwoody is in the address bar.

        All this takes somewhere around 8 to 10 seconds and then the webpage comes up. I’m not sure if DoH is responsible for this, but I never saw it prior to about 3 to 4 weeks ago. Has anyone else noticed this or have any comments?

        Win 7 Still Alive, x64, Intel i3-2120 3.3GHz, Linux Mint 19.1

        • #2171666 Reply
          satrow
          AskWoody MVP

          Response times might be slower.

          I don’t understand how Mozilla in their commit message can state it’s more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

          This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don’t trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to “work around using one protocol instead of multiple”. If you suffer from DNS poisoning, then pick better resolvers to use.

          I don’t see a reason to implement this at this time. https is not meant to be used as an encapsulation protocol, despite people doing so.

          1 user thanked author for this post.
      • #2171651 Reply
        Microfix
        Da Boss

        Been using DoH since it was introduced in FF here in the UK months ago, and if there is any slowdown, I can’t say I’ve noticed it. One plus is, it’s also far more difficult for your ISP to track your internet site visits.
        Nice to get some internet privacy back (OS dependent). Well done Mozilla 🙂

        Win7 Pro x86/x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 |
        1 user thanked author for this post.
      • #2171699 Reply
        Ascaris
        AskWoody_MVP

        I’ve been using DNS over HTTPS for a while (in Linux), thinking probably over a year on my Swift laptop, not just in the browser, but for all DNS resolution. I haven’t noticed any latency change. I don’t see how it would be any faster than standard DNS, but the increase in time to transmit the extra overhead can’t be much.


        Group "L" (KDE Neon User Edition 5.18.3).

      • #2171725 Reply
        Carl
        AskWoody Plus

        I’ve been using DoH (Cloudflare – IPv6) for well over a year without issue. I’ve not noticed any performance impact.

        You can also enable server name identification (SNI) encryption by typing “about:config” in the address bar and locating the setting:

        network.security.esni.enabled

        You can test your settings and browser security by visiting this Cloudflare test page:
        Browsing Experience Security Check

        You are not restricted to using Mozilla DoH servers. For example, the Mozilla Cloudflare server is “https://mozilla.cloudflare-dns.com/dns-query”, but you can use this: “https://cloudflare-dns.com/dns-query”. Some other DoH providers can be found here:

        1) Github wiki list (curl documentation)
        2) AdGuard Known DNS Providers
        3) Privacy Tools – Encrypted Domain Name System (DNS) Resolvers

        CleanBrowsing also has 3 public DoH endpoints that provide filtering (family, adult, or security).

        Microsoft is planning to include DoH in Windows 10 at some point. Note the Firefox implementation may not be suitable for enterprise use since it ignores whatever settings the admin may have set in the router(s) or at the adapter level.

        Some argue that ISPs can still spy on you because they still know the IP address you’re visiting even if using DoH and ESNI. Knowing an IP address, however, isn’t as valuable as it once was since a single IP can map to multiple domains. I’m of the opinion that anything that makes life harder for those that wish to spy on me is a good thing.

        1 user thanked author for this post.
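        What Firefox actually sends to one of those provider URLs, as an added example that is not from this thread or from Mozilla: it builds the RFC 8484 GET request for the cloudflare-dns.com endpoint quoted above (a wire-format DNS query, base64url-encoded into the `dns=` parameter) and parses a constructed wire-format answer, including the name-compression pointers real resolvers use. The endpoint URL is from the post; example.com, 192.0.2.1 and the TTL are constructed sample values.

```python
import base64
import struct
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # endpoint named in the thread

def build_query(name, qtype=1):
    """Wire-format DNS query: header (ID 0, RD set), one question, no answers."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: query base64url-encoded, padding stripped, in ?dns=."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{endpoint}?dns={dns}"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_answers(msg):
    """[(name, ttl, ipv4)] from a wire-format response; raise on an error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off, answers = 12, []
    for _ in range(qd):                           # skip the echoed question(s)
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers

# Constructed sample answer (not a real capture): example.com -> 192.0.2.1, TTL 300
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

        A live lookup is the same URL fetched with an `Accept: application/dns-message` header; the response body is the wire-format message `parse_a_answers` expects.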
      • #2171853 Reply
        Lars220
        AskWoody Lounger

        “DoH support is already present in all major browsers. Users just have to enable it and configure it.”

        By Catalin Cimpanu for Zero Day | February 26, 2020

        “Here’s how to enable DoH in each browser, ISPs be d***ed”

        https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/

      • #2171882 Reply
        Paul T
        AskWoody MVP

        One plus is, it’s also far more difficult for your ISP to track your internet site visits

        No it’s not, but it limits the tracking to IP addresses rather than URLs. And URL tracking via DNS is only ever the base domain, e.g. http://www.askwoody.com.

        Your browser can and probably does track full URLs.

        cheers, Paul
