OpenBSD will disable DoH in Firefox by default
The new DNS over HTTPS setting which Mozilla will roll out in Firefox will be disabled by default on OpenBSD:
https://marc.info/?l=openbsd-ports&m...5437630591&w=2
Code:
#OpenBSD has disabled #DoH by default in our #Firefox packages. This is active in -current, and will be in our 6.6 -release. From @otto 's commit message: """Disable DoH by default. While encrypting DNS might be a good thing, sending all DNS traffic to Cloudflare by default is not a good idea. Applications should respect OS configured settings."""
What are the consequences for us, users of Firefox and OpenBSD? And I found this on Wikipedia:
You will enjoy a safer Internet this way.
Paul Vixie gave a nice talk about DNS (including DoH) at vBSDcon this year; worth watching when the video emerges.
Quote:
Does it mean DoT is easier to intercept/attack using MitM than DoH? What about DoT with a pinset (Stubby)?
Firefox exposes two ways of controlling DoH for IT departments, so they can turn it off for their users:
1. policies.json file
2. using Group Policy (Windows only)
Regular users on their private devices can, as always, disable it in about:config.
__________________
Signature: Furthermore, I consider that systemd must be destroyed. Based on Latin oratorical phrase
I forgot some things about these DoT/DoH/DNS matters and did some recollection of them. My thought is that silent opportunistic DoT is useless. There should be an alert, or at least some indicator for GUI users, that DoT might be intercepted when the certificate is not validated against a pinset.
I understand that IT departments running corporate networks should be able to log or even sometimes block DNS requests, but it must not undermine the privacy of users who use the Internet in their homes. I don't like some decisions Mozilla has made over the last few years, but experimenting with DoH isn't one of them.
__________________
Last edited by e1-531g; 14th September 2019 at 07:55 PM. Reason: Added last sentence
As a reaction to Mozilla's actions, some ISPs have begun to experiment with DoH and DoT.
https://www.ispreview.co.uk/index.ph...h-and-dot.html
It would be nice to have a standard that would allow DHCP (or something similar) to announce not just insecure DNS servers but also secure DoH/DoT ones, and to make it mandatory for DoH/DoT-enabled ISP-provided DNS servers to implement DNSSEC.
Added: News from July: Mozilla: No plans to enable DNS-over-HTTPS by default in the UK
__________________
Last edited by e1-531g; 19th September 2019 at 04:53 PM. Reason: Added old news
Quote:
2. When I download the Firefox installer for Windows, I choose the installer with the language used in my country. There are many installers because there is more than one language in the world... Also, the OS specifies the language to programs by environment variables.
3. A lot of work and other resources are needed to set up and operate an open DNS server. For example, it must be resistant against DDoS attacks.
__________________
Thank you for replying!
Quote:
There are also different modes in which the DoH client works in Firefox; network.trr.mode specifies that. For example, value 2 means "Use TRR first, and only if the name resolve fails use the native resolver as a fallback." It wouldn't bork all users if Mozilla set 2 as the default.
__________________
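An added example, not code from this thread or from Mozilla, covering the two knobs mentioned above: the policies.json mechanism that IT departments can use to switch DoH off, and the network.trr.mode preference whose value 2 is quoted in the post. The script parses prefs.js/user.js-style lines from a Firefox profile, reports what the TRR settings mean, and builds the policies.json fragment that disables and locks DoH. The sample preference lines are constructed; the resolver URL is a placeholder. Only mode 2 appears in the thread, so the meanings of the other network.trr.mode values are an assumption drawn from Mozilla's TRR documentation, as is the exact DNSOverHTTPS policy schema.

```python
"""Audit a Firefox profile for DoH (TRR) settings and emit a lock-down policy.

Added example; not the thread's or Mozilla's code. Pref-line format and
policy keys follow Mozilla's documented conventions (assumption).
"""
import json
import re

# Meanings of network.trr.mode. Only value 2 is quoted in the thread; the
# rest are an assumption based on Mozilla's TRR documentation.
TRR_MODES = {
    0: "off (default; native OS resolver only)",
    1: "race TRR and native resolver (deprecated)",
    2: "TRR first, native resolver as fallback",
    3: "TRR only, no native fallback",
    5: "off by explicit user choice",
}

# Matches lines such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js lines (not from a real profile).
SAMPLE_PREFS = """\
// Constructed sample, placeholder resolver URL
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
user_pref("browser.startup.homepage", "about:blank");
"""


def parse_prefs(text):
    """Parse Firefox pref lines into a dict; values are JSON-decoded
    (ints, booleans and double-quoted strings are all valid JSON)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a pref call
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unparseable values verbatim
    return prefs


def doh_status(prefs):
    """Summarize the effective DoH configuration from parsed prefs.

    An absent network.trr.mode is treated as 0 (Firefox's default at the
    time of the thread; assumption)."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "mode": mode,
        "description": TRR_MODES.get(mode, "unknown mode %r" % (mode,)),
        "resolver": prefs.get("network.trr.uri", ""),
        # Modes 2 and 3 send queries to the DoH resolver before (or instead
        # of) the OS-configured one, which is the behaviour the commit
        # message objects to.
        "bypasses_os_resolver": mode in (2, 3),
        "no_native_fallback": mode == 3,
    }


def disable_doh_policy():
    """policies.json content for a managed install: DoH off and locked so
    about:config cannot re-enable it (policy key names are an assumption)."""
    return {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}


if __name__ == "__main__":
    status = doh_status(parse_prefs(SAMPLE_PREFS))
    for key, value in status.items():
        print("%-22s %s" % (key + ":", value))
    print(json.dumps(disable_doh_policy(), indent=2))
```

Write the dict from disable_doh_policy() to a policies.json in the distribution directory of a managed Firefox install to apply it; on a personal profile, the same parser run over prefs.js is a quick way to confirm whether a build has DoH on before trusting the resolver it points at.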
To pass the time until the video of the Paul Vixie talk surfaces, here's another take on the subject:
https://www.youtube.com/watch?v=pjin3nv8jAo
NLNOG 2019 - DNS over HTTPS considerations - Bert Hubert
DNS over HTTPS (and all its friends & relations) (2019)
@ibara Is this the video you talked about?
Meanwhile: Microsoft Jumps on the DoH Train – Company to Introduce Encrypted DNS
__________________
Thus far DoH in Firefox has been pretty valuable for me in helping me bypass my Indonesian ISP's block of sites like Reddit and Netflix (that they're blocked is all kinds of stupid in the first place, but it is what it is).
I too dislike that DoH doesn't integrate well with /etc/resolv.conf and the like, and that it's a browser thing rather than a system thing. Hopefully that's a temporary situation which will be resolved once DoH gets wider adoption.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Quote:
Does anyone have an explanation why Quad9 DoT is slower than DoH? I know it is not the case when it comes to Google's and Cloudflare's DoH vs DoT performance.
__________________
DNS-based ad-blockers are pretty rare; it's not what the overwhelming majority of people use. The reason that Firefox and Chrome implement it in-browser is that that's easy and comparatively quick, whereas updating people's system resolvers is a long and hard process that will take many years.
__________________
They are not that rare in the Android world.
Quote:
I still haven't come to final conclusions yet on DoH vs DoT.
__________________
Tags: doh, firefox, openbsd