Firefox recently introduced DNS over HTTPS (DoH) for "securing" application DNS. I am personally of the opinion that applications should NOT attempt to work around a broken system resolver, as this is a system issue that is out of scope of the application. But I digress. While DoH is a security upgrade in theory and in practice (most of the time) vs normal DNS, Firefox's implementation contains a fatal flaw in the default settings that makes it effectively off unless you explicitly turn it on.

By default DoH in Firefox is "opportunistic". Specifically, if your upstream DNS makes use-application-dns.net explicitly not resolve, Firefox turns DoH off. Yes, DNS is rather insecure and your ISP can do whatever it wants, and that's kind of the problem. Firefox is depending on your system's DNS being secure to ... uh... secure application-level DNS in Firefox. See the problem yet? The real solution here isn't to use Firefox's dangerous-by-design defaults, it's to secure your system's DNS. By securing the system's DNS, ALL of your queries should be safe regardless of what application is in use.
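To see how little it takes to flip that switch, here is an added example (not code from Firefox or from this post) that classifies a raw DNS reply for the canary domain. It assumes Mozilla's documented rule that any non-NOERROR response code, or NOERROR with no A/AAAA records, signals default DoH off; `make_response` only builds constructed sample replies.

```python
import struct

CANARY = "use-application-dns.net"
A, AAAA = 1, 28  # DNS record type codes

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard recursive query with one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, number of A/AAAA records in the answer section)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    addr_records = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in (A, AAAA):
            addr_records += 1
    return flags & 0x000F, addr_records

def canary_disables_doh(msg):
    """True if this reply tells a default-configured Firefox to skip DoH."""
    rcode, addr_records = parse_response(msg)
    return rcode != 0 or addr_records == 0

def make_response(rcode, answers, txid=0x1234):
    """Constructed sample reply; answers is a list of (rtype, rdata)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(CANARY) + struct.pack("!HH", A, 1)
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg
```

Sending `build_query(CANARY, A)` over UDP port 53 to the resolver your system actually uses and passing the reply to `canary_disables_doh` shows which way that network has set the switch.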

The real problem with application-specific DNS is that it makes securing DNS on the entire system impossible. If every application had its own DNS settings, then how do you get every single program to use secure DNS? How can you be sure they won't have the same flaws as Firefox? This fragmentation of DNS settings just makes securing the system's DNS harder, and it's already hard enough as it is. If every application was in charge of securing DNS, then you are responsible for changing the settings on every single one of them. That's worse, not better. In addition, if that wasn't already bad enough, phoning home to a centralized HTTPS server to resolve names kind of feels like your application is malware. If I am not in control of this as a user, then I personally consider this application to be malware. This is the direction that DNS is headed with application-level DNS security. So if you want to change your DNS now, not only do you have systemd-resolved, NetworkManager, /etc/resolv.conf, libnss and whatever other glibc shims for DNS there are, you have... EVERY SINGLE APPLICATION. Sounds lovely, right? Maybe they can add a DBUS API for managing application DNS (this was a bad joke, please don't actually do this, Red Hat).

I want a better DNS, but DoH embedding in each application is the wrong direction; we need MORE decentralization, not less. We need trust-agile authenticated/signed DNS at the system level. This is not an easy problem to solve, and embedded DoH is a lazy webshit-tier solution made by people who think they can still trust the x509 CA cabal (you can't). DPI companies make devices that can perform silent TLS MitM using the intermediate wildcard CAs they purchased from Verisign and friends. This is mostly on corporate networks, but who's to say you're not on one now? (cough cough comcast/nbc). Just use DNSCrypt-Proxy I guess, because at the very least it exploits the Firefox DoH backdoor to turn off Firefox's DoH so it's easier to use (Lokinet does this too).


Posted at by jeff     Tags: firefox, dns, doh, dns over https, use-application-dns.net