For anyone else hyperventilating at the testing of the new standard recommendation:

You might like to hear about options to still use DoH, and no, it is not about to introduce a Single Point of Failure. It's testing a new standard via one of the early-adopting DNS providers.

Anyways, here's a list of alternative DoH end-points! github.com/curl/curl/wiki/DNS-

@david_ross @Digitalcourage Would the two of you mind talking about and eventually discussing that issue? Could be helpful. 😉 With all the dispute going around right now, ending (worst of all) in recommendations to immediately stop using Firefox (in favor of what??), there's a load of damage likely to be caused in communicating privacy-sensitive browser choices to end users... 😐

* please do use some caution!

That list does include some seemingly random projects. Be sure to check their privacy policies etc. before making any rash decision surrounding your personal privacy and security. Use the same level of historical critique as one might throw at a large provider such as Cloudflare.

Implementing the tech ≠ a guaranteed safe user choice. 😉

@david_ross I don't know about 'hyperventilating', however, it is good to be aware of what options/alternatives might become/are available, so one, at least, has choices. I'm grateful a discourse is taking place here. Thank you for your input/information. 👍

@itdm5j21 considering it's in response to a FUD article calling it all "dangerous" that's since been corrected and yet still been providing me @'s over 24 hours later - I feel it's appropriately 👋 dramatically 👋 worded.

Firefox was literally founded on providing users autonomy and there is zero sign of that vision changing.

@david_ross I've read toots, almost 'reactionary' too: others I've found helpful; yours one of them.
As a progressive trial with limited resources (DoH servers), maybe there's over-reaction. People are super sensitive now. Given recent disclosures, concerns need to be accepted as legit.
I'm not questioning the mission statement and not dumping; simply watching how the trial goes. You, though, put further information up here: I'm glad you did, as on balance I'm better informed. Thank you. 😎

@itdm5j21 OMG thanks! I'm actually rather floored by that. Really appreciate the feedback!

@david_ross Cloudflare seems to have the only endpoint that is available as a Tor Hidden Service, no? Do you know of any others of those?

Kinda wanted to set that up, but was worried about depending only on one DNS service.

@ted You know that's an angle I have not explored as yet. Though I do often use , and , so it's one thing about I too would like to know eventually. I can't imagine Tor would want to touch it until it's stable.

Hashtagged for reach.

@david_ross I was thinking more about setting up a small DNS cache box (probably a RaspPi) on my network that would use it. Then everything on my network would have secure DNS.

Reality is that even if Firefox and CuRL support secure DNS, that's a small portion of the DNS requests coming from my network. Need to handle all the IoT, Electron Apps, etc. as well.

@ted I did this on my laptop to implement OpenNIC into `netctl` and then at least ATTEMPT to get it all working in LXC, to implement a dev container model for greater settings & data isolation. Took me so long!! Sounds like a PiHole? Best of luck with testing it though.

@david_ross that's interesting, I had only thought about PiHole as an Ad Blocker. Really is about the same thing. Thanks!

@ted Troy Hunt also trusts all his Have I Been Pwned backend to Cloudflare. 24 hours later I'm rather drained of the topic. Nothing that a big burger won't fix 😜

7 endpoints is not what I call widely developed. And I have no trust in ANY of those endpoints.
Moreover, by making the change only through about:config Mozilla is indeed giving the private data of 90% of its users to the US govt.

@R1Rail because it is a draft standard. It's not even complete!

Use Nightly? It's an alpha version of Firefox. A tiny proportion of total users use it because they like testing things.

Mozilla ALWAYS puts its tests behind a pref.

Nightly features don't always hit the stable release. If it were to, there would be an announcement. That release would hit October 23.

Anyone can start a DoH. Even you. Your ISP. Most wait until such things are stable. Mozilla is testing in a suitably careful manner.

@david_ross I understood it would be in Firefox 62 (see github.com/curl/curl/wiki/DNS-). Far too early for a wide deployment.
I would have called it an option if it were off by default, but no, it's on. And the standard interface to Firefox options does not allow disabling it. You must go to some cumbersome interface with a very cryptic name and no reference to all the options (developer.mozilla.org/en-US/do is very small indeed).

@david_ross And the mere fact of having a centralized default shows that the Mozilla Foundation cannot be trusted on all subjects.

@R1Rail Alpha tests start somewhere! They started these tests in May (!!); there were 3 DNS providers testing DoH:

Google, Cloudflare, CleanBrowsing (which blocks adult content).

Have you taken the time to read Mozilla's articles?? "But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them." hacks.mozilla.org/2018/05/a-ca

@david_ross And if I do not want to use ANY of the existing DoH servers?
I do not trust any of them. I want to use my own DNS, and HTTPS does not provide me anything except the obligation of using untested and thus buggy software.

But we agree on one point: DoH is not a mature technology, and that's why making it compulsory is a failure. And making it compulsory to use one of very few providers is a danger.

Alpha tests belong to specialized software, not end-user software. And if DoH was so good, why limit it to the browser?
DoH may be good in some cases, not in all of them.
And since Mozilla's article speaks of trust, trust is NEVER given. Why should I trust Cloudflare? A company which puts tracking cookies on all connections it manages (far too many)?

@david_ross In the projected scenario, DNS requests go over HTTPS to a centralized point, which then does a standard unencrypted request. It may work when your LOCAL network is less trustworthy than Cloudflare. I have no trust AT ALL in ANY big company which centralizes the internet. Much less than in my local network. So for me DoH is LESS secure than standard DNS, and this move to DoH is a move to LESS secure networking.

Having a choice between Google, Cloudflare or Facebook is very BAD news.
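What a DoH query actually carries, as an added example that is not part of the thread: it builds the RFC 8484 GET and POST forms of a query offline, then decodes the GET URL back into the name the resolver receives, which is the point the post above makes (the endpoint, not the path, is what sees every lookup). The endpoint URL is a hypothetical placeholder.

```python
"""Added example (not from the thread): RFC 8484 DNS-over-HTTPS query
encoding, and what the resolver endpoint can read out of it."""
import base64
import struct

# Hypothetical resolver endpoint, not a real service.
DOH_ENDPOINT = "https://doh.example/dns-query"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query: ID 0 (RFC 8484 recommends it for
    HTTP cache friendliness), RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the wire message goes in ?dns= as base64url without padding."""
    raw = build_dns_query(name, qtype)
    b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_post_request(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> dict:
    """POST form: raw wire message as the body with the DoH media type."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": build_dns_query(name, qtype),
    }


def question_from_url(url: str) -> tuple[str, int]:
    """Decode the queried name and type back out of a DoH GET URL. TLS hides
    this from the network path; the resolver operator (and its logs) still
    sees exactly this, so trust in the endpoint is the whole question."""
    b64 = url.split("?dns=", 1)[1]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    assert struct.unpack("!H", raw[4:6])[0] == 1, "expected one question"
    pos, labels = 12, []
    while raw[pos]:  # length-prefixed labels until the 0 terminator
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", raw[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype
```

The `www.example.com` A query encodes to the same `dns=` value shown in RFC 8484's own GET example, so the output can be checked against the spec.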

@david_ross So as summary the sentence I find very Dangerous is the one you cite
"Users can configure Firefox to use whichever DoH-supporting recursive resolver they want."
Which makes DoH compulsory. And it is BAD.

@david_ross I wonder. Has the IETF considered letting clients look up domain names known to a resolver using hash prefixes?

Because I think, no matter how poor DNS is in regards to privacy, if there's to be an upgrade, those who care about it want to not have to trust the resolver so much.

@david_ross Lots of good comments & concerns on the LWN article still remain unresolved: lwn.net/Articles/756262/

"The quest to over-re-engineer every protocol to run on top of HTTPS, be centralised, be slower and aid in surveillance continues."

@downey I am a volunteer. I have no intention of stepping into every dumpster fire conversation that exists on the web.

