Disabling Firefox's automatic switch to DoH

[netware5]

What happens if you have some VPN service activated?

I use PIA (Private Internet Access) Client Application with Windows 10. I haven't configured my router to connect to PIA.

When I go to PIA Client App Settings - Network - Network Preferences - Name Servers, and choose for example "PIA DNS", will the DoH of Firefox (or Brave or Chrome or whatever in the future) bypass the PIA DNS as well?

Yes, I think. Your browser will just make DoH request to the Cloudflare (or maybe other DoH service in future) and this request will be tunnelled via the PIA VPN. So definitely the browser will bypass the PIA DNS. Unless, as @ColinTaylor said above, the PIA DNS servers implement the canary test/block.

 

[RMerlin]

Why not make it an always-on feature? Shouldn't be a reason to configure this; if you're on a network like mine, you should be forced to do what my router says you're going to do. I'm not sure why web browsers think they have the right to manipulate traffic, especially in the case of Google... now ALL your traffic can belong to them if you use Chrome and you can be profiled further. This isn't an increase in security, it's an attack on privacy (at least the way I see it). Not that this point is neither here nor there, but the pi-hole guys aren't even going to give the option; if you're on my network, your DNS traffic does what I say it does: https://github.com/pi-hole/pi-hole/pull/2915

I also strongly disagree with Mozilla's decision, and believe a browser should not mess up with a network's established resolving infrastructure. However I'm reticent at also doing the same thing as them, by automatically bypassing a software's expected behaviour, as some users might actually expect Firefox to indeed automatically use DoH without them having to change anything.

So while I haven't made a final decision yet, I feel that having a third option that automatically kills that feature when the user has a DNSPrivacy configuration might be an acceptable compromise as a default value, since it would serve to ensure that a user configuration (the DoT servers) would not be bypassed by a browser's automated feature.

Since the next release is probably months away from now, I have time to let it all simmer a bit, also see how Mozilla will react to the public outcry that is starting to come from the technical crowd.

 

[RMerlin]

What happens if you have some VPN service activated?

If you use an application, then unless the servers used by that application implement the canary domain, you will be automatically redirected to the DOH servers whenever using Firefox.

Note that Mozilla only implements this (for now) for US users. I don't know how they check that location, so it's also possible that if they rely on an online public IP test, a VPN endpoint being outside of the US might fool the browser into thinking you are not in the US, and disable the feature. Or the opposite might also happen for non-US users connecting to a US server.

This is yet another reason why Mozilla's implementation is a really, really bad idea. Lack of predictability will make technical support a nightmare. Implementing an important software feature that may or may not be transparently enabled based on a bunch of opaque (to the end-user) criteria makes it hard to troubleshoot anything tied to a feature that may or may not be enabled by default.

Bottom line, unless someone studies the details behind Mozilla's implementation, there's no way to know for sure short of testing it.

 

[CriticJay]

Bottom line, unless someone studies the details behind Mozilla's implementation, there's no way to know for sure short of testing it.

But we can do that, right? Since they're open-source?

 

[bits]

This isn't an increase in security, it's an attack on privacy (at least the way I see it).

I think the concern is that you are controlling the users data.
You can easily uniquely identify the user and you are the exact risk that is being removed.

It is the network that is not controlled by the user that privacy apps are trying to remove.
No different to VPN or even when torrent apps started encrypted or mimicking http.
You are about to embark on a cat and mouse game because you are the "problem" being "fixed"

 

[RMerlin]

But we can do that, right? Since they're open-source?

Sure, if you have the time to spend on it, and assuming that the final code is already on their repo. They could change anything between now and the final release.

 

[ironclad]

Mozilla always has users' best interests at heart.

https://en.wikipedia.org/wiki/Mozilla_Corporation#Google

 

[Skeptical.me]

So far in 69 release, 70 beta, and 71 Nightly, DoH has remained unchecked in the Network Settings panel.

Once it's implemented as opt-out can't we just about:config and disable it?

 

[Skeptical.me]

I also have the same question.

BTW I think that due to the recent significant changes in DNS "world" in last years it is a time now to create a sticky post about different options to implement secure DNS in AsusWRT Merlin. The recent Firefox and Chrome move to DoH just demonstrate the need of such guidance. I am sure that many forum users will appreciate the guidance regarding PROS and CONS of different secure DNS options, how to implement them in home network and how to circumvent these, which are enforced by browser vendors like DoH, if the user wish so.

Now searching the forum shows many posts related to that issue. But bringing them in one single sticky post would be very helpful.

Good idea, I'm certainly confused about this whole DoH thing.

I use the OpenVPN clients in Merlin to route ALL network traffic over the VPN tunnel and DNS. I want to keep it that way.

 

[Kingp1n]

Good thing I don't use Firefox!

 

[MarkRH]

Once it's implemented as opt-out can't we just about:config and disable it?

That or it will still be a check-box option.

 

[meistadieb]

This is not only relevant for Firefox. Chrome is also approaching to implement DOH: https://www.chromium.org/developers/dns-over-https

 

[AndreiV]

This is not only relevant for Firefox. Chrome is also approaching to implement DOH: https://www.chromium.org/developers/dns-over-https

It pays to read the entire thread :

https://www.snbforums.com/threads/disabling-firefoxs-automatic-switch-to-doh.58910/#post-515014

 

[AntonK]

Not being a real techie, I'd be keen to hear what some of you think of this Firefox Add-on: Firefox Private Network. I'm trying it now, and Cloudflare is showing as my ISP. Does an add-on like this affect the way I'm interacting with my router settings?

Anton

 

[ColinTaylor]

Not being a real techie, I'd be keen to hear what some of you think of this Firefox Add-on: Firefox Private Network. I'm trying it now, and Cloudflare is showing as my ISP. Does an add-on like this affect the way I'm interacting with my router settings?

Seems to be some sort of proxy service. So probably not directly related to the DoH issue being discussed in this thread. May be best to create a separate thread if you want to discuss it further.

 

[hw1380]

Firefox looks for a certain canary domain to disable that automatic feature when using, for example, a parental or ad filter provided by your DNS servers.

For now, you can use that canary domain to prevent that automatic DoH enabling, by creating a /jffs/configs/dnsmasq.conf.add file, with the following entry:

server=/use-application-dns.net/

Then, restart dnsmasq:

service restart_dnsmasq

I am currently evaluating how to implement this in the firmware. The initial tentative plan is to have a new switch to enable that "Block Firefox automatic DoH usage", with the following options:

0-Enable killswitch if using DNSPrivacy (the default)
1-Enable killswitch
2-Diasble killswitch

The default value would be to enable the killswitch if you use DNSPrivacy (i.e. DNS over TLS), to ensure that browsers won't automatically bypass it.

This is still all being evaluated on my end.

I assume that this approach has no effect as long as any VPN client is configured with DNS mode Exclusive?
Because AFAIK Exclusive mode bypasses dnsmasq.

 

[meistadieb]

It pays to read the entire thread :

https://www.snbforums.com/threads/disabling-firefoxs-automatic-switch-to-doh.58910/#post-515014

What's your point? I posted the relevant link with additional information.

They promise to upgrade the protocol if possible and don't change the dns provider but they still change the technic which is used. DoT and DoH use different ports which could be relevant (which I can't tell). And in addition maybe other users want to ask the chromium project to expand the list with other DNS providers.

 

[RMerlin]

I assume that this approach has no effect as long as any VPN client is configured with DNS mode Exclusive?
Because AFAIK Exclusive mode bypasses dnsmasq.

Correct. People should then manually disable DoH support within Firefox.

 

[cmkelley]

Point of interest: the OpenBSD folk have disabled DoH by default in their port. It can still be enabled, if desired.

 

[Gar]

https://www.tomshardware.com/news/us-congress-dns-https-anticompetitive,40509.html