|
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. |
Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users..
Outside the US? you can switch on DNS over HTTPS manually.
Firefox > Preferences
Scroll down to Settings
Click the Settings… button
At the bottom, check Enable DNS over HTTPS
Optionally, use the pull-down menu to change the provider
Have you noticed any positive difference during look up requests?
I use Portable Firefox ESR that doesn’t have this option.
One positive point with DoH is that your ISP can’t track your surfing/URLs.
Response times might be slower.
I don’t understand how Mozilla in their commit message can state it’s more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?
This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don’t trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to “work around using one protocol instead of multiple”. If you suffer from DNS poisoning, then pick better resolvers to use.
I don’t see a reason to implement this at this time. https is not meant to be used an an encapsulation protocol, despite people doing so.
Been using DoH since it was introduced in FF here in the UK months ago, and if there is any slowdown, I can’t say i’ve noticed it. One plus is, it’s also far more difficult for your ISP to track your internet site visits.
Nice to get some internet privacy back..(OS dependant) well done Mozilla 🙂
I’ve been using DoH (Cloudfare – IPv6) for well over a year without issue. I’ve not noticed any performance impact.
You can also enable server name identification (SNI) encryption by typing “about:config” in the address bar and locating the setting:
network.security.esni.enabled
You can test your settings and browser security by visiting this Cloudfare test page:
Browsing Experience Security Check
You are not restricted to using Mozilla DoH servers. For example, the Mozilla Cloudfare server is “https://mozilla.cloudflare-dns.com/dns-query”, but you can use this “https://cloudflare-dns.com/dns-querythat”. Some other Doh providers can be found here:
1) Github wiki list (curl documentation)
2) AdGuard Known DNS Providers
3) Privacy Tools – Encrypted Domain Name System (DNS) Resolvers
CleanBrowsing also has 3 public DoH endpoints that provide filtering (family, adult, or security).
Microsoft is planning to include DoH in Windows 10 at some point. Note the Firefox implementation may not be suitable for enterprise use since it ignores whatever settings the admin may have set in the router(s) or at the adapter level.
Some argue that ISPs can still spy on you because they still know the IP address you’re visiting even if using DoH and ESNI. Knowing an IP address, however, isn’t as valuable as it once was since a single IP can map to multiple domains. I’m of the opinion that anything that makes life harder for those that wish to spy on me is a good thing.
“DoH support is already present in all major browsers. Users just have to enable it and configure it.”
By Catalin Cimpanu for Zero Day | February 26, 2020
“Here’s how to enable DoH in each browser, ISPs be d***ed”
One plus is, it’s also far more difficult for your ISP to track your internet site visits
No it’s not, but it limits the tracking to IP addresses rather than URLs. And URL tracking via DNS is only ever the base domain, e.g. http://www.askwoody.com.
Your browser can and probably does track full URLs.
cheers, Paul
FYI. There is a topic on Encrypted DNS (which is bot DoH and DoT) here
https://defensivecomputingchecklist.com/#dohdot
There are two ways to enable this in the Chrome browser, one that is straight forward and one that is not. I document the straightforward one.
FYI: Encrypted DNS is also available system-wide on Android 9 and 10.
If you want to see what DNS servers your browser is using, there are many tester pages listed here
https://routersecurity.org/testdns.php
We need this because DNS server can come from 1 of 4 sources (that I know of).
Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
