Firefox DNS-over-HTTPS

  • Firefox by default directs DoH queries to DNS servers that are operated by a "trusted partner".

    That's what I don't want - Firefox offering services.

    Once you have a centralized server, with a huge number of minor queries passing through it, the operators get uppity. They start thinking they have editorial authority. Someone will decide that the DNS server should censor something. Child porn is the usual excuse, and then, after a while, you can't see sites that mention Tiananmen Square or Ukraine any more.

    I'm quite happy with Sonic's classic DNS server. It just answers DNS queries and forwards requests to the appropriate upstream DNS server as required.

  • If you're on current macOS/Windows/Linux/Android/iOS/ChromeOS you probably just want to configure DoH or DoT at the operating system level so it is done system wide. The other half reading this probably want a "how to force disable" guide instead of a "how to" guide. The automatically rolled out browser specific method described in this article is really directed at users that don't know this is even a choice and probably wouldn't have an opinion one way or the other if they did.

    Somewhat unrelated, but Firefox also supports SOCKS proxying independent of the OS config. Combine this with ssh -D and you can effectively VPN your Firefox traffic out any box you can ssh to, including the DNS requests. This has been useful for me both as a troubleshooting tool and as a simple internet VPN.

  • This is objectively a terrible decision. Technologically, politically, culturally. We had a very good design in DNS, and people are throwing it away because they're terrified about the potential that their ISP might use their data. Never mind that Netflix already does it to them when they watch TV, Target does it to them when they buy condoms at the store, Google does it with their mail and search results, ESPN does it to them when they play fantasy football, and Starbucks does it to them when they buy their venti mocha frap. But because Comcast might also know what they do in their private life, we should ditch one of the internet's most important protocols, and give all our data to Cloudflare, a central TCP-based US-owned DNS resolver.

    Nobody in the world needs DNS over HTTPS. If you actually need to hide your DNS requests, you have bigger problems that you need a real VPN for. This is a unilateral political decision by the people who have the most power over browsers because they have an emotional obsession with privacy, even if it makes technology in general worse.

  • I think encrypted DNS as a default is a good thing and swapping (with a notification to let you know what they did, why, and an easy button to revert the setting) in an update would be great.

    > We completed our rollout of DoH by default to all United States Firefox desktop users in 2019

    Why did this setting change for me today mid-session? Did someone malicious use this functionality to change my settings outside of the context of an update? I don't want anyone to be able to remotely change my privacy settings. Knowing this feature exists makes me extremely uncomfortable and has broken my trust in my browser.

  • I went to the effort of setting up a pihole, and pointing all the devices on my network to it.

    When I saw this notification for the first time yesterday I was a bit annoyed - do I now have to think about every application ignoring OS level settings and using its own?

  • I see a lot of people who do not like this. And that is totally fair. I do not want or need this either, I have my own resolver on my pi-hole and why the f would I want FF to mess with that.

    However, for 'normal' users, this is actually an important and big improvement imo. You cannot expect everyone to understand how it all works and how to run a DNS server. If you can, you might not be the target audience for such features.

    That being said, I'd prefer my FF without all the 'services' and bullshit. I tried Librefox, but couldn't get it to run. Gave up after 30s. Guess I'm not the target audience for that and I'll deal with disabling mozilla's spam ;)

  • One problem I've found when trying to switch to an alternative DNS provider is that e.g. different parts of Akamai's CDN servers have different peering arrangements with ISPs, and Akamai uses DNS for directing you to a server that is well-connected to your current ISP.

    So when using an alternative DNS server, download speeds for anything hosted by Akamai would always slow to a crawl in the evening because I got directed to the wrong set of Akamai servers.

  • I just got this automatic up/down/side-grade. DNS to be handled by a partner service provider, so they get all my data instead of my ISP getting it? Doesn't seem like an improvement. I think I will turn this off.

  • If you're a dev who uses curl / requests / HTTP libraries, just browser-level DoH isn't enough for ISP privacy or govt censorship evasion.

    On Ubuntu 18, I installed "dnss" at the OS-level to send all DNS requests as DoH. Currently, it just forwards them to CloudFlare's DoH URL. But I can also install it as a DoH proxy on my remote server if I want to move away from CloudFlare.

    It works fine and is easily installed without any builds or PPAs. The only problem with it is that I had to disable systemd-resolved first to reserve port 53 for dnss.
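The OS-level forwarder the comment above describes (dnss) is not reproduced here, but this added example, which is not dnss's code and not from the original page, shows what such a stub does: it accepts plain UDP DNS on a local port and relays each message unchanged to a DoH resolver using the RFC 8484 wire format (`application/dns-message`), answering SERVFAIL if the relay fails so clients do not hang. The DoH URL and the listen port are placeholders (assumptions), and binding port 53 requires root and a free port, which is exactly why systemd-resolved's stub listener had to be stopped first.

```python
"""Minimal DNS-over-HTTPS forwarding stub (added example, not dnss).

Plain UDP DNS in on a local port; each message relayed unchanged to a
DoH resolver as RFC 8484 application/dns-message; the DoH reply is the
raw DNS answer, so it is sent back to the client as-is.
"""
import base64
import socket
import sys
import urllib.request

DOH_URL = "https://dns.example/dns-query"   # assumption: replace with your resolver's DoH endpoint
CONTENT_TYPE = "application/dns-message"


def doh_get_url(base_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: the DNS message, base64url without padding, in ?dns=."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def doh_post(url: str, wire: bytes, timeout: float = 5.0) -> bytes:
    """RFC 8484 POST form: raw DNS message as body, raw DNS answer as response body."""
    req = urllib.request.Request(
        url, data=wire, method="POST",
        headers={"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get_content_type() != CONTENT_TYPE:
            raise ValueError(f"unexpected content type {resp.headers.get_content_type()}")
        return resp.read()


def servfail(query: bytes) -> bytes:
    """SERVFAIL reply for a query we could not relay: same ID and sections, flags rewritten."""
    if len(query) < 12:
        return b""
    flags = 0x8182  # QR=1, RD=1, RA=1, RCODE=2 (SERVFAIL)
    return query[:2] + flags.to_bytes(2, "big") + query[4:]


def serve(listen_host: str = "127.0.0.1", listen_port: int = 5353, doh_url: str = DOH_URL) -> None:
    """UDP front end. Port 53 needs root and must be free (stop systemd-resolved's stub first)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((listen_host, listen_port))
    except OSError as e:
        sys.exit(f"cannot bind {listen_host}:{listen_port}: {e} (another resolver already listening?)")
    while True:
        query, client = sock.recvfrom(4096)
        try:
            reply = doh_post(doh_url, query)   # the client's transaction ID is echoed by the resolver
        except Exception as e:                 # HTTP/TLS/network failure: tell the client, don't hang it
            print(f"relay failed for {client}: {e}", file=sys.stderr)
            reply = servfail(query)
        if reply:
            sock.sendto(reply, client)


if __name__ == "__main__":
    serve(listen_port=int(sys.argv[1]) if len(sys.argv) > 1 else 5353)
```

Run it on a high port first (`python3 doh_stub.py 5353`, then `dig @127.0.0.1 -p 5353 example.com`) and only move it to port 53 once the relay works; the GET form is included because it is the one that lets a DoH resolver cache answers, which is also why RFC 8484 recommends a transaction ID of 0 for GET.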

  • It is amusing that in Europe, there is this big GDPR drama playing out about websites embedding resources from US companies. Like Google Fonts, Tweets and Facebook like buttons.

    Yet the browser sends each and every website the user visits to a US company.

    All in all, I tend to think that it is a net positive.

    Downside: Now one US company gets all my DNS queries. But can they stitch them together? I tend to think they can't easily. And will hopefully not keep enough logs to do so later.

    Upside: My ISP and the cafes and hotels I visit do not get the info which websites I visit.

    The protection could be made even stronger if the browser would send 5 DNS requests for every IP it needs. So if you visit news.ycombinator.com it additionally sends 4 random hostnames to cloudflare.

  • I use pihole configured with nextdns DoH as primary upstream server and cloudflare as backup. So all devices connected to the network end up using DoH. Works very well.

    In addition, if you configure tailscale on your mobile devices, they can still use your pihole+nextdns/cloudflare even when roaming over 4g.

  • I have a Pihole set up as my DNS resolver on my home network. My understanding is that this blocks ads at the DNS level. So if I or anyone in my family enabled DoH, this would defeat the Pihole services? Can someone confirm this?

  • DoH creates a precedent where parents are not able to easily control the internet access for their kids. It is fairly easy to set up the router these days and block porn, gambling, malware, social media. Not to mention the OS level config on devices to use a particular DNS server.

    Now, we (parents) need some remote management OSS (like in the corporate world). I want to ensure the config of the laptops, tablets, phones does not use DoH but only the DNS of the PiHole.

    DoH is great but I feel the pain.

  • The point of DNS-over-HTTPS is to protect users from censorship and surveillance by their network operators. Does anyone have any reason to try to block it on their networks (not just wanting to turn it off on their own devices), other than that they're network operators who want to be able to censor and surveil traffic from other people's computers?

  • I wonder when the DNS root servers are going to adopt DoT or DoH, or something that isn't plaintext.

  • How hard can it be for Firefox to embed its own recursive resolver that talks only to the root servers? If you are really concerned about privacy that’s the only way to go. Other than that it makes little sense to me to trust one company over another.

  • Funny, I reported a bug to Mozilla about their NextDNS offering being mis-configured, and it leaked DNS queries. I turned it on by going to Preferences > General > Network Setting and then fired up Wireshark, and all the queries were sent in the clear, even with NextDNS set to 'Enabled'. They seem to have fixed it. Lesson here: sniff your network traffic and don't blindly trust that DoH is configured properly.

  • Forget Cloudflare and Google DNS, and use an independent and private resolver. Both uncensoreddns.org and mullvad.net offer DoH and DoT.

  • Does anyone know how well modern DoH infrastructure works with geographically specific results? E.g., google.com on any "real" DNS points me to a google proxy on a nearby ISP, usually mine -- netflix also has local ISP boxes.

    Don't see how this can work unless Cloudflare/NextDNS is all knowing about the world DNS infrastructure.

  • "Are parental controls enabled?"

    I wonder how it does that. Will the browser be making DNS requests for playboy every so often?

  • ... and the DNS-over-HTTPS providers that come with Firefox / Chrome censor DNS as they like, very obvious now due to our east friends' news sites being blocked

    that being said, I use this at my work machine so that the local IT agent cannot access the DNS resolver cache

  • buried lede:

    > We began our rollout by default to Russia and Ukraine Firefox desktop users in March 2022.

  • I donate $10 a month to the Mozilla foundation, and I see this as: Good, not perfect.

  • I had problems accessing RT from Romania because our ISPs blocked it (something that is uncommon in this country). I chose a DNS server from the Firefox config page and managed to get it. Really great feature.

  • I am surprised Mozilla is pushing for DoH. I was expecting Google to lead the front since most of their revenue comes from ads and the DNS-level ad blockers are easily defeated by DoH.

  • How does this work with pi-hole? Or it basically doesn't because it bypasses any blocking of the malicious you're performing like that?

  • I prefer to avoid Mozilla as much as Google. I use DoT (which I think is a better alternative than DoH) against uncensoreddns.org and Quad9.

  • Is it possible to configure this to use the same cloudflared redirection I am using for my pi hole?

  • What is the latest on use of http cookies in DoH?

  • DNS over HTTPS is a trojan horse to allow application developers to subvert the system administrator's DNS policy. Specifically, so that companies like Google, Microsoft, Amazon can ensure that you cannot prevent ads being displayed in their little black boxes (hardware or software).

    This is dangerous, anti-user, and should be avoided at all costs.

    DNS over TLS is the correct and appropriate solution here.

    You can ensure your (Firefox) browser does not use DNS over HTTPS by configuring a canary domain: https://support.mozilla.org/en-US/kb/canary-domain-use-appli... but let's be clear here, nobody besides Firefox is going to respect user choice about using DoH.
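The canary-domain mechanism in the last comment is what answers the Pi-hole questions further up ("does DoH defeat my Pi-hole?") and it is also the thing a Wireshark check like the one reported earlier would verify. The following added example is not Mozilla's code and not from the original page; it implements Mozilla's published rule for the canary (Firefox asks the system resolver for use-application-dns.net and leaves DoH off if the reply is NXDOMAIN or SERVFAIL, or is NOERROR with no A/AAAA record), probes a resolver of your choice to see whether its current answer satisfies that rule, and extracts the names from captured plaintext port-53 queries so a leak is visible. How you make your resolver return NXDOMAIN for the canary is resolver-specific (on Pi-hole, blocking the domain); the sample replies below are constructed, not captured, and the resolver address is an assumption.

```python
"""Firefox DoH canary check and plaintext-DNS leak listing (added example)."""
from __future__ import annotations
import socket
import struct

CANARY = "use-application-dns.net"
RCODE_SERVFAIL, RCODE_NXDOMAIN = 2, 3
TYPE_A, TYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Standard recursive query: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, jumped, end = [], False, 0
    for _ in range(128):                      # bounds the pointer chase: a looping message cannot hang us
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Header rcode, question name and (name, type, rdata) for each answer record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                              # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "qname": qname, "answers": answers}


def canary_disables_doh(response: bytes) -> bool:
    """Mozilla's rule: NXDOMAIN, SERVFAIL, or a reply without any A/AAAA answer means 'keep DoH off'."""
    r = parse_response(response)
    if r["rcode"] in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return True
    return not any(t in (TYPE_A, TYPE_AAAA) for _, t, _ in r["answers"])


def probe_canary(resolver: str, port: int = 53, timeout: float = 3.0) -> bool:
    """Ask `resolver` (e.g. your Pi-hole) for the canary over plain UDP and apply the rule."""
    q = build_query(CANARY, TYPE_A, txid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, port))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction ID mismatch")
    return canary_disables_doh(resp)


def leaked_names(udp53_payloads: list[bytes]) -> list[str]:
    """Names asked in plaintext queries (QR=0) seen on port 53: a non-empty list means DoH is not in use."""
    return [read_name(p, 12)[0] for p in udp53_payloads if len(p) >= 12 and not (p[2] & 0x80)]


# Constructed sample replies to build_query(CANARY); not captured from any real resolver.
Q = build_query(CANARY)
NXDOMAIN = Q[:2] + b"\x81\x83" + Q[4:]                  # QR=1 RD=1 RA=1 RCODE=3, question echoed
EMPTY_NOERROR = Q[:2] + b"\x81\x80" + Q[4:]             # NOERROR but zero answer records
A_RECORD = (Q[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + Q[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption: resolver address
    verdict = probe_canary(resolver)
    print(f"{resolver}: canary {'blocks' if verdict else 'does NOT block'} Firefox DoH")
```

Run `python3 canary_check.py 192.168.1.2` against the resolver your DHCP hands out; a "does NOT block" verdict means Firefox profiles on that network may switch to DoH and bypass the Pi-hole, and a non-empty `leaked_names` over payloads you captured on UDP 53 is the programmatic form of the Wireshark observation above.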