@Gargron tldr:

With the current default settings, DoH will ask Cloudflare where your websites are, and Cloudflare is now a single point of failure (or tracking). And because this rollout affects everyone, including grannies, Cloudflare will potentially become responsible for internet reliability to a large fraction of Firefox users.


@Gargron I think it wouldn't be so bad, if it were opt-in instead and you'd be giving consent. I'd use DoH if on public WiFi but to be honest I'd use VPN in the first place before DoH. 😋

@Gargron I mean, without DoH or DoT or other form of encryption, everyone on the line can see your DNS requests, and manipulate them. Keep that in mind, too.

@Gargron It's more secure and private on one hand, but less private on the other hand. Feels like a mixed bag.

@sindastra @Gargron Mozilla has recently made a deal with Cloudflare to provide a free VPN.

@Gargron I like how most of those articles ignore the reason for Mozilla to take this step:

No OS (that I know of) went for secure DNS resolution within the past 20 years. There was a need and various potential standards for it. All ignored by OS vendors. Now browser vendors solve this problem and everyone is like "Trust us and respect our insecure OS defaults".

Now, OS vendors, move! Then they might get rid of it again, but the chances get less every day!

@sheogorath Using Cloudflare for all requests is still a bad move

@Gargron Fully agreed.

But I don't think the answer should be "Turn off DoH", the answer should be "Hey, I offer DoH as well! Allow people to use my service!"

But it's not happening 🤷

@sheogorath @Gargron Yeah, rotating through a list of public DoH servers would eliminate most of the concerns (even for the "granny scenario").
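As an added illustration of the "rotate through a list of public DoH servers" idea (this is example code, not from any poster or from Firefox): an RFC 8484 GET-form query builder plus a resolver-failover loop. The resolver list is a constructed sample, `http_send` needs network access, and the encoding of `www.example.com` reproduces the worked example in RFC 8484 section 4.1.1.

```python
import base64
import random
import struct
import urllib.request

# Constructed sample of RFC 8484 endpoints (assumption: illustrative only, not an endorsement)
DOH_RESOLVERS = [
    "https://cloudflare-dns.com/dns-query",
    "https://dns.quad9.net/dns-query",
    "https://dns.google/dns-query",
]

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035) with ID 0, as RFC 8484 suggests for HTTP cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE A by default, QCLASS IN

def doh_get_url(endpoint: str, wire: bytes) -> str:
    """GET form of RFC 8484: base64url with padding stripped, in the `dns` query parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def http_send(url: str, timeout: float = 3.0) -> bytes:
    """Real transport (needs network): fetch the DNS answer as application/dns-message."""
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def resolve_with_failover(name, resolvers, send=http_send, rng=random):
    """Spread queries over several resolvers; fall back when one is blocked or down.
    Returns (endpoint used, raw DNS answer bytes)."""
    wire = build_dns_query(name)
    order = list(resolvers)
    rng.shuffle(order)  # no single operator sees every query, and no single outage stops resolution
    failures = []
    for endpoint in order:
        try:
            return endpoint, send(doh_get_url(endpoint, wire))
        except OSError as exc:  # urllib.error.URLError and ConnectionError are both OSError subclasses
            failures.append((endpoint, repr(exc)))
    raise RuntimeError(f"every resolver failed: {failures}")

if __name__ == "__main__":
    used, answer = resolve_with_failover("www.example.com", DOH_RESOLVERS)
    print(used, len(answer), "bytes")
```

The transport does not validate the answer; a real client would still check the response ID, the RCODE and (ideally) DNSSEC before trusting what any of these resolvers returns.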

@Gargron @sheogorath

Using Cloudflare f̶o̶r̶ ̶a̶l̶l̶ ̶r̶e̶q̶u̶e̶s̶t̶s̶ is s̶t̶i̶l̶l̶ a bad move

@Gargron I'm really glad to see reasonable replies in this thread. No one going extreme or making drama. 😊 If my toot right here is drama, then apologies. 😄

@Gargron Initially it sounds like a good thing, until you realise the tracking capabilities...

@Gargron Mozilla should tell the user something like: "Look, we're encrypting your DNS requests. Click here to change your settings." And the user should change Cloudflare e.g. to SecureDNS

@Gargron
DoH is somewhat helpful for millions of users in China because the Great Firewall of China has been using DNS poisoning to block numerous sites (including MOST websites that you guys use daily, such as Google, Facebook, Twitter etc) for years. However, setting Cloudflare as default is not a good idea because GFC simply blocks the IP addresses of Cloudflare DoH resolver.

@Gargron
However, because DNS leaks are a common problem at the OS level (even those who don't understand what a DNS leak is will search for a solution when they cannot access those sites), we (Chinese people who live in mainland China) sometimes enable this DoH option in Firefox when we are using a proxy or VPN.

@Gargron
I'm using the phrase "somewhat helpful" because recently the GFC has been using some advanced techniques, including "SNI reset", to block a bunch of sites. So even if someone manually sets up the correct IP addresses in the hosts file, it does not help without a fully functional proxy solution.

@Gargron
FYI a self-hosted DoH service for those who have to use DoH to bypass censorship:
fly.io/docs/getting-started/dn
