How Firefox could support automatically using local DNS over HTTPS servers

March 16, 2020

On the surface, one of the challenges for Firefox automatically using different DNS over HTTPS servers is that Firefox considers your ISP to be a threat. This means that Firefox doesn't want to just use your local DNS over HTTPS server any more than it wants to just use your normal local DNS server. Firefox's use of DNS over HTTPS is explicitly to avoid surveillance from various parties, including the local network, so to do this it needs to go straight to a trusted (public) DNS over HTTPS server.

But there is a leak in this security model, in the form of Firefox's canary domain for disabling its automatic DNS over HTTPS. Any local network can already tell Firefox to disable DNS over HTTPS, defeating this anti-snooping measure. This is necessary because Firefox can't reliably detect when DNS over HTTPS to a public DNS server won't work properly for the local network, so networks with special name resolution setups need some way to signal this to Firefox.

(As a practical matter, Firefox not supporting a way to disable its automatic DNS over HTTPS to public DNS servers would result in a certain amount of the remaining Firefox users dropping it, because it didn't work reliably in their network. So Mozilla's hand is forced on this, even though it allows ISPs to step in and snoop on people again.)

Since Firefox already supports disabling automatic DNS over HTTPS entirely through a network doing magic tricks with the canary domain, it could also support a way of using the canary domain to signal that Firefox should use a local DNS over HTTPS server. This is no worse than turning off DoH entirely (in both cases your DNS queries are going to the network operator), and has some advantages such as potentially enabling encrypted SNI.

(Firefox's threat model might say that it can't enable ESNI with an untrusted local DNS over HTTPS server that was picked up automatically.)


Comments on this page:

By Andrew Campling at 2020-03-16 06:25:22:

Chris, whilst the situation may vary in other markets, European ISPs are prevented by GDPR from monetising the DNS data of their customers. The protections for those using US cloud DNS providers are potentially weaker - FISA 702 leaves the data of non-US citizens open to warrantless access by US law enforcement agencies.

You should also consider the increasing use of DoH by applications that do not notify users, seek their permission nor allow configuration, as well as by malware.

Written on 16 March 2020.

Last modified: Mon Mar 16 00:53:28 2020