DaemonForums  

DaemonForums > DaemonForums.org > News
News regarding BSD and related.
#1
10th September 2019
fvgit (Spikes in tights)
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 207
OpenBSD will disable DoH in Firefox by default

The new DNS over HTTPS setting which Mozilla will roll out on Firefox will be disabled by default on OpenBSD:

https://marc.info/?l=openbsd-ports&m...5437630591&w=2

Code:
#OpenBSD has disabled #DoH by default in our #Firefox packages.  This is active in -current, and will be in our 6.6 -release.

From @otto's commit message:

"""Disable DoH by default.  While encrypting DNS might be a good thing, sending all DNS traffic to Cloudflare by default is not a good idea.
Applications should respect OS configured settings."""
https://bsd.network/interact/102767562311572315
#2
11th September 2019
ripe (Shell Scout)
Join Date: Feb 2013
Location: Occitanie, France
Posts: 103

What are the consequences for us, users of Firefox and OpenBSD? And I found this on Wikipedia:
Quote:
Criticism

The Internet Watch Foundation and the Internet Service Providers Association (ISPA)—a trade association representing UK ISPs, criticised Google and Mozilla for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. Mozilla responded to allegations by the latter (who nominated Mozilla as an "internet villain"), arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure".[23][24] On 9 July 2019, the ISPA withdrew Mozilla's "Internet Villain Nomination and Category."[25]
#3
13th September 2019
ibara (Real-life IT professor)
Join Date: Jan 2014
Posts: 717

You will enjoy a safer Internet this way.
Paul Vixie gave a nice talk about DNS (including DoH) at vBSDcon this year; worth watching when the video emerges.
#4
13th September 2019
ripe (Shell Scout)
Join Date: Feb 2013
Location: Occitanie, France
Posts: 103

Ok thanks
#5
14th September 2019
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

Quote:
Originally Posted by ibara View Post
You will enjoy a safer Internet this way.
Paul Vixie gave a nice talk about DNS (including DoH) at vBSDcon this year; worth watching when the video emerges.
I have found this tweet: https://twitter.com/paulvixie/status...86628832382977
Does it mean DoT is easier to intercept/attack using MitM than DoH? What about DoT with a pinset (Stubby)?

Firefox exposes two ways of controlling DoH for IT departments, so they can turn it off for their users:
1. policies.json file
2. using Group Policy (Windows only)

Regular users on their private devices can, as always, disable it by about:config.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
#6
14th September 2019
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

I had forgotten some things about these DoT/DoH/DNS matters and did some recollecting. My thought is that silent opportunistic DoT is useless. There should be an alert, or at least some indicator for GUI users, that DoT might be intercepted when the certificate is not validated against a pinset.
I understand that IT departments running corporate networks should be able to log or even sometimes block DNS requests, but it must not undermine the privacy of users who use the Internet at home.

I don't like some decisions Mozilla has made over the last few years, but experimenting with DoH isn't one of them.

Last edited by e1-531g; 14th September 2019 at 07:55 PM. Reason: Added last sentence
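An added example (not code from the thread or from Stubby's own documentation) of the pinset check the two posts above refer to, i.e. DoT with a pinset as Stubby does it. It computes the pin Stubby expects in a tls_pubkey_pinset entry, which is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), emits the matching upstream stanza, and performs the comparison a pinning client makes. The certificate it hashes is a throwaway self-signed one generated on the spot (constructed input), and 192.0.2.1 / dot.example are placeholder values; none of them belong to a real resolver, so the printed pin must not be copied into a real configuration.

```shell
#!/bin/sh
# Added example: not from the forum thread, from Stubby or from any resolver operator.
# Computes and checks SPKI pins of the form Stubby's tls_pubkey_pinset uses.
# Requires the openssl(1) command (LibreSSL or OpenSSL).

# spki_pin CERT.pem -> prints the 44-character base64 SHA-256 of the cert's
# DER SubjectPublicKeyInfo. This is the value HPKP and Stubby pin on: the key,
# not the certificate, so a renewed cert with the same key keeps the same pin.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl enc -base64
}

# stubby_upstream ADDRESS AUTH_NAME PIN -> prints a Stubby upstream entry that
# requires both a matching hostname (tls_auth_name) and a matching key (pinset).
# Leaving both out gives the opportunistic profile: any key is accepted.
stubby_upstream() {
    cat <<EOF
upstream_recursive_servers:
  - address_data: $1
    tls_auth_name: "$2"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: $3
EOF
}

# pin_matches CERT.pem EXPECTED_PIN -> exit 0 if the cert's key hashes to the pin.
# This is the check that defeats a MITM: a different key fails here even if the
# attacker presents a certificate for the right name that a public CA would sign.
pin_matches() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# make_test_cert DIR CN -> generates a throwaway self-signed cert (constructed
# input for the demo, not a real resolver's certificate) and prints its path.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
    echo "$1/$2.pem"
}

# Demo: PIN_DEMO=1 sh pinset.sh prints a stanza for the throwaway certificate.
if [ "${PIN_DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    cert=$(make_test_cert "$d" dot.example)
    pin=$(spki_pin "$cert")
    stubby_upstream 192.0.2.1 dot.example "$pin"
    rm -rf "$d"
fi
```

Against a real DoT server you would obtain the chain with openssl s_client -connect HOST:853 and pin the key of the leaf or of an intermediate the operator has committed to keeping stable; a pin on a key the operator rotates without notice turns into a self-inflicted outage, which is the operational cost of the "alert when not validated against a pinset" behaviour the post asks for.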
#7
19th September 2019
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

As a reaction to Mozilla's actions, some ISPs have begun to experiment with DoH and DoT.
https://www.ispreview.co.uk/index.ph...h-and-dot.html

It would be nice to have a standard that would allow DHCP (or something similar) to announce not just insecure DNS servers but also secure DoH/DoT ones, and to make it mandatory for DoH/DoT-enabled ISP-provided DNS servers to implement DNSSEC.

Added:
News from July: Mozilla: No plans to enable DNS-over-HTTPS by default in the UK

Last edited by e1-531g; 19th September 2019 at 04:53 PM. Reason: Added old news
#8
19th September 2019
IdOp (Too dumb for a smartphone)
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 882

I'm sort of confused and/or puzzled by some things:

1) How does encrypting DNS traffic inhibit website traffic filtering? Once someone has done the DNS lookup, by whatever means, they are then going to go to the website in question directly, and that can be blocked, etc. If they're using a VPN tunnel, then no, but by the same token the DNS request would be hidden from the ISP too.

2) How can Mozilla disable DoH in the UK? If you download Firefox you get the same tarball everywhere, don't you?

3) Why doesn't Mozilla just set up a reliable DNScrypt-proxy server and publicize it? Is it because it's too difficult for most users to enable the use of this on their computers?
#9
19th September 2019
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

Quote:
Originally Posted by IdOp View Post
I'm sort of confused and/or puzzled by some things:

1) How does encrypting DNS traffic inhibit website traffic filtering? Once someone has done the DNS lookup, by whatever means, they are then going to go to the website in question directly, and that can be blocked, etc. If they're using a VPN tunnel, then no, but by the same token the DNS request would be hidden from the ISP too.

2) How can Mozilla disable DoH in the UK? If you download Firefox you get the same tarball everywhere, don't you?

3) Why doesn't Mozilla just set up a reliable DNScrypt-proxy server and publicize it? Is it because it's too difficult for most users to enable the use of this on their computers?
1. Without DNS blocking you may block by IP, but it lowers the granularity of filtering. An HTTP service on one server may serve webpages for many domains owned by different people and companies. DNS blocking is good enough for blocking content for most users.
2. When I download the Firefox installer for Windows I choose the installer with the language used in my country. There are many installers because there is more than one language in the world... Also, the OS specifies the language to programs by environment variables.
3. A lot of work and other resources are needed to set up and operate an open DNS server. For example it must be resistant against DDoS attacks.
19th September 2019
IdOp (Too dumb for a smartphone)
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 882

Thank you for replying!

Quote:
Originally Posted by e1-531g View Post
1. Without DNS blocking you may block by IP, but it lowers the granularity of filtering. An HTTP service on one server may serve webpages for many domains owned by different people and companies.
Good point, I hadn't thought of that.

Quote:
2. When I download the Firefox installer for Windows I choose the installer with the language used in my country. There are many installers because there is more than one language in the world... Also, the OS specifies the language to programs by environment variables.
True, but the association between language and country is far from reliable, and users can choose any language they want as well. So it seems a very imprecise way to enable or disable something in one country, and a way that's usually easy to circumvent.

Quote:
3. A lot of work and other resources is needed to setup and operate open DNS server. For example it must be resistant against DDoS attacks.
Also a good point. But, isn't it likely that the bad guys will soon find a way to volley their DDoS attacks at Mozilla's DoH servers? It would be a "single" point of failure and if that happens won't all firefox users (i.e., the ones using the built-in DoH) be borked?
19th September 2019
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

Quote:
Originally Posted by IdOp View Post
Also a good point. But, isn't it likely that the bad guys will soon find a way to volley their DDoS attacks at Mozilla's DoH servers? It would be a "single" point of failure and if that happens won't all firefox users (i.e., the ones using the built-in DoH) be borked?
Mozilla partnered with Cloudflare, because CF specializes in defense against DDoS attacks and other attacks. Cloudflare has staff working 24/7 to keep their infrastructure working despite constant DDoS attacks.
There are also different modes for how the DoH client works in Firefox. network.trr.mode specifies that. For example value 2 means "Use TRR first, and only if the name resolve fails use the native resolver as a fallback.". It wouldn't bork all users if Mozilla set 2 as the default.
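An added example (not code from the thread, from Mozilla or from the OpenBSD port) tying together the two Firefox controls the thread mentions: the policies.json file that IT departments use (post #5) and the per-profile network.trr.mode preference (the post above). It writes a policy that disables and locks DoH, writes the pref into a profile's user.js, and reads the effective mode back. The path /usr/local/lib/firefox/distribution is an assumption about where the OpenBSD package puts Firefox's distribution directory; confirm it with pkg_info -L firefox before deploying.

```shell
#!/bin/sh
# Added example: not code from the thread, Mozilla or the OpenBSD port.
# Two ways to control DoH in Firefox: the enterprise policy file (site-wide,
# lockable) and the per-profile network.trr.mode preference.
# Assumption (not from the thread): on OpenBSD the package's distribution
# directory is /usr/local/lib/firefox/distribution; verify with pkg_info -L firefox.
FIREFOX_DIST=${FIREFOX_DIST:-/usr/local/lib/firefox/distribution}

# write_doh_policy DIST_DIR -> writes DIST_DIR/policies.json and prints its path.
# Enabled=false turns TRR off; Locked=true greys the setting out in the
# preferences UI so a user cannot turn it back on.
write_doh_policy() {
    mkdir -p "$1"
    cat > "$1/policies.json" <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
EOF
    echo "$1/policies.json"
}

# policy_disables_doh FILE -> exit 0 only if the policy both disables and locks DoH.
policy_disables_doh() {
    grep -q '"Enabled": *false' "$1" && grep -q '"Locked": *true' "$1"
}

# write_trr_mode PROFILE_DIR MODE -> appends the pref to PROFILE_DIR/user.js.
# network.trr.mode values as Mozilla documents them:
#   0 = off (the browser default)   2 = TRR first, native resolver on failure
#   3 = TRR only, no fallback       5 = off by explicit user choice
write_trr_mode() {
    mkdir -p "$1"
    printf 'user_pref("network.trr.mode", %s);\n' "$2" >> "$1/user.js"
    echo "$1/user.js"
}

# trr_mode_from_prefs FILE -> prints the last network.trr.mode set in a
# user.js/prefs.js, or 0 when the pref is absent (Firefox's default).
trr_mode_from_prefs() {
    mode=$(sed -n 's/^user_pref("network\.trr\.mode", *\([0-9][0-9]*\));.*/\1/p' "$1" 2>/dev/null | tail -n 1)
    echo "${mode:-0}"
}

# describe_trr_mode N -> human-readable meaning of a mode value.
describe_trr_mode() {
    case $1 in
        0) echo "off (default)" ;;
        2) echo "TRR first, native fallback on failure" ;;
        3) echo "TRR only" ;;
        5) echo "off by user choice" ;;
        *) echo "other/unknown" ;;
    esac
}

# demo: stage both files under a temporary tree and report what they set.
demo() {
    tmp=$(mktemp -d)
    policy=$(write_doh_policy "$tmp/distribution")
    prefs=$(write_trr_mode "$tmp/profile" 5)
    policy_disables_doh "$policy" && echo "policy locks DoH off: $policy"
    m=$(trr_mode_from_prefs "$prefs")
    echo "profile trr mode: $m ($(describe_trr_mode "$m"))"
    rm -rf "$tmp"
}

# DOH_DEMO=1 sh doh-control.sh runs the demo; to deploy for real, call
# write_doh_policy "$FIREFOX_DIST" as root instead.
if [ "${DOH_DEMO:-}" = 1 ]; then demo; fi
```

The policy file is the right tool when you manage the machines: it applies to every profile and survives the user poking at about:config. The user.js pref is what a single user on a private machine sets, and mode 5 rather than 0 records that the choice was deliberate, so a later Firefox rollout that flips the default does not silently re-enable TRR.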
19th September 2019
IdOp (Too dumb for a smartphone)
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 882

Quote:
Originally Posted by e1-531g View Post
Mozilla partnered with Cloudflare, because CF specializes in defense against DDoS attacks and other attacks. Cloudflare has staff working 24/7 to keep their infrastructure working despite constant DDoS attacks.
There are also different modes for how the DoH client works in Firefox. network.trr.mode specifies that. For example value 2 means "Use TRR first, and only if the name resolve fails use the native resolver as a fallback.". It wouldn't bork all users if Mozilla set 2 as the default.
Thanks for the further good insights. One question is, would CloudFlare provide all the same advantages for a DNScrypt-proxy service?
20th September 2019
Sensucht94 (Real Name: Paolo Vincenzo Olivo; Fdisk Soldier)
Join Date: Oct 2017
Location: Rome
Posts: 69

I love this thread, it's full of interesting highlights, thank you guys for the heads up
__________________
Be the change you want to see in the World
20th September 2019
fvgit (Spikes in tights)
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 207

To pass the time until the video of the Paul Vixie talk surfaces here's another take on the subject:
https://www.youtube.com/watch?v=pjin3nv8jAo
NLNOG 2019 - DNS over HTTPS considerations - Bert Hubert
2 Weeks Ago
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

DNS over HTTPS (and all its friends & relations) (2019)
@ibara Is this the video you talked about?

Meanwhile:
Microsoft Jumps on the DoH Train – Company to Introduce Encrypted DNS
Quote:
“We are making plans to adopt DNS over HTTPS (or DoH) in the Windows DNS client”, Microsoft said on Sunday. “As a platform, Windows Core Networking seeks to enable users to use whatever protocols they need, so we’re open to having other options such as DNS over TLS (DoT) in the future. For now, we’re prioritizing DoH support as the most likely to provide immediate value to everyone.”

The company did not specify when the service will be available.
Maybe after that ISPs are going to offer DoH or DoT resolvers?
2 Weeks Ago
Carpetsmoker (Real Name: Martin; Tcpdump Spy)
Join Date: Apr 2008
Location: Indonesia
Posts: 2,208

Thus far DoH in Firefox has been pretty valuable for me in helping me bypass my Indonesian ISP’s block of sites like Reddit and Netflix (that they're blocked is all kinds of stupid in the first place, but it is what it is).

I too dislike that DoH doesn't integrate well with /etc/resolv.conf and the like, and that it's a browser thing rather than a system thing. Hopefully that's a temporary situation which will be resolved once DoH gets wider adoption.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
1 Week Ago
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

Quote:
Originally Posted by Carpetsmoker View Post
I too dislike that DoH doesn't integrate well with /etc/resolv.conf and the like, and that it's a browser thing rather than a system thing. Hopefully that's a temporary situation which will be resolved once DoH gets wider adoption.
DoH is meant to bypass not only your ISP's blacklists, but also your own OS settings. It is a feature, not a bug. It is especially valuable for mobile in-app tracking & advertising, because it may circumvent DNS-based system-wide ad-blockers.

Does anyone have any explanation why Quad9 DoT is slower than DoH? I know it is not the case when it comes to Google's and Cloudflare's DoH vs DoT performance.
3 Days Ago
Carpetsmoker (Real Name: Martin; Tcpdump Spy)
Join Date: Apr 2008
Location: Indonesia
Posts: 2,208

Quote:
Originally Posted by e1-531g View Post
DoH is meant to bypass not only your ISP's blacklists, but also your own OS settings. It is a feature, not a bug. It is especially valuable for mobile in-app tracking & advertising, because it may circumvent DNS-based system-wide ad-blockers.
DNS-based ad-blockers are pretty rare; it's not what the overwhelming majority of people use. The reason that Firefox and Chrome implement it in-browser is because that's easy and comparatively quick, whereas updating people's system resolvers is a long and hard process that will take many years.
3 Days Ago
e1-531g (ISO Quartermaster)
Join Date: Mar 2014
Posts: 508

Quote:
Originally Posted by Carpetsmoker View Post
DNS-based ad-blockers are pretty rare;
They are not that rare in Android world.

Quote:
Originally Posted by Carpetsmoker View Post
The reason that Firefox and Chome implement it in-browser is because that's easy and comparatively quick, whereas updating people's system resolvers is a long and hard process that will take many years.
One step further, there is a concept called resolverless DNS. It wouldn't make sense to create resolverless DNS for system-wide usage.

I still haven't come to final conclusions yet on DoH vs DoT.
Tags: doh, firefox, openbsd
