Turn off DoH, Firefox

This is painful to read. Masses off unfounded FUD - the article deliberately buries that it&#x27;s trivial to change your DoH provider if you&#x27;re silly enough to believe that CF is actively logging DoH requests and selling them (CF is involved with serving vast swathes of the internet anyway - if they wanted to go down this route they have <i>far</i> more lucrative avenues open than selling DNS requests by IP).<p>If instead what you worry about is the government spying on your traffic then complaining about DoH is even <i>more</i> silly - DNS requests are routinely intercepted and monitored by ISPs in many countries, with the information available to the security services, who have very few restrictions on what they are allowed to do with this data. This is especially true in the country the author appears to be based (Germany).<p>DoH is vital to protect users around the world from censorship and worse. Enabling it by default is a <i>good</i> thing - protecting users from abuse shouldn&#x27;t only be opt-in. There has to be SOME default chosen, and the default needs to be a site large and well run enough to a) handle the load, and b) be in the firefox HSTS preload list. There aren&#x27;t a lot of good DoH providers that fit these criteria - CF is one of the few.

It&#x27;s very disturbing to see the overreach that Mozilla has resorted to and the &quot;privacy&quot; argument (it was &quot;security&quot; before that...) being used to justify essentially ignoring system configuration. My ISP has more accountability than a company in another country.<p><i>The correct way would be to standardise DoH and DoT and add support into it into automatic address configurations and operating systems.</i><p>Exactly. If Mozilla wants to, it&#x27;s more than welcome to reach into the VPN area with its own products, but I don&#x27;t believe this functionality should be part of a browser. They&#x27;re already reaching into the VPN area[1], should they also investigate bypassing Chinese censorship with their own &quot;firewall-busting&quot; obfuscating VPN? That&#x27;s not something most users want nor need in their browsers, and such functionality is really a cat-and-mouse game that I think is best left to smaller and less-well-known entities.<p>It&#x27;s unfortunate that browsers are already beyond &quot;neutral&quot;, when IMHO the only thing they should do is fetch exactly the page URL that was entered and display it.<p>Edit: yes, apparently people disagree and want Mozilla to control what the Internet (and every user, ignoring his&#x2F;her default configuration) does. This is really <i>really</i> disturbing.<p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20927832" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20927832</a>

Of course, I&#x27;d rather trust unecncrypted plaintext DNS queries that go to my ISP and government!<p>If you don&#x27;t like CF just switch to different provider <a href="https:&#x2F;&#x2F;github.com&#x2F;curl&#x2F;curl&#x2F;wiki&#x2F;DNS-over-HTTPS" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;curl&#x2F;curl&#x2F;wiki&#x2F;DNS-over-HTTPS</a>

This is a gross over-simplification. Cloudflare is required by contract to respect your privacy, which is much stronger than even the privacy laws have here in the EU since it addresses everyone, not just the EU population:<p><a href="https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;1.1.1.1&#x2F;commitment-to-privacy&#x2F;privacy-policy&#x2F;firefox&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developers.cloudflare.com&#x2F;1.1.1.1&#x2F;commitment-to-priv...</a><p>The people fighting for the status quo probably know how to run their own resolver, even with DoH or DTLS. But Mozilla&#x27;s conundrum is how to protect <i>everyone</i> &#x27;s privacy (and to a certain extent, security). DoH, despite all its flaws, attempts to do that by piggy-backing on already working infrastructure, so it seems like a good fit to move everyone to DoH. But then, they&#x27;re the chicken-and-egg problem. How do you make sure people deploy local DoH resolvers if no browser enforces the move to DoH ? How do you make sure those resolvers are truthful, or even respect local law (having both is often impossible).<p>So, you need to compromise. I&#x27;d have preferred to have temporary non-profit third party entity handle this à-la-Letsencrypt, but Mozilla deemed its contract with Cloudflare sufficient to provide enough guaranties. Ideally, name resolution should be done closer to the user instead of being centralized like that. But by arguing instead of experimenting we just keep the status quo. Time will tell if this was a bad decision. But it&#x27;s not as clear cut as this blog post says it is.

&gt; The correct way would be to standardise DoH and DoT and add support into it into automatic address configurations and operating systems. Not in applications!<p>You&#x27;re right. But so are Mozilla.<p>Here we are 30 years into the web, and we&#x27;re still using plain old DNS. DNS over TLS should have caught on, but it didn&#x27;t. Apple and Microsoft had years to ensure it&#x27;s implemented as standard, but they didn&#x27;t.<p>The points this article makes - about DHCP options, about multiple providers, are very valid.<p>But they&#x27;re also just talking shops.<p>The biggest problems here seems to be 1) DHCP can&#x27;t give internal DOH servers. When I&#x27;m at home I want it landing on my own DOH server, but when I&#x27;m away I want to use a different one. 2) Internal DNS resolving falls to bits

As someone who has donated to Mozilla over the years and used Firefox as much as possible, this makes me very unlikely to donate in the future.<p>People say that it&#x27;s trivial to change. It&#x27;s trivial to change for us who are technically minded. It&#x27;s far from obvious and will not be changed by non-technical users.<p>This will only increase the massive amount of data that Cloudflare gets about people&#x27;s online behavior. I am always very skeptical of centralization and of having a company get this much information. Remember google&#x27;s Don&#x27;t be evil? I&#x27;m extremely uncomfortable with such a massive centralization of data.<p>People might say that the status co is not great because DNS is sent to the ISP. I&#x27;d argue the status co is better because it&#x27;s far less centralized. And, at least for Europeans, I trust European legislation better than US legislations.<p>I can understand the argument that some countries have mass surveillance and it&#x27;s a net positive for users in those countries since it will protect them. But in that case, I feel that the default should be randomized from a list of provider, not only one company. I also would be much less concerned by this if it was an option on first startup with a clear explanation (even though users tend to not read and blindly click accept, it&#x27;s at least more of an informed consent)<p>And anyway, that purpose of preventing mass surveillance and blocking in those countries where it would actually be useful seems to be moot because of: &gt; Additionally, Mozilla is also working with ISPs to make sure users won&#x27;t use DoH as a way to bypass legally-set blocklists.<p>&gt; The organization said it&#x27;s been asking ISPs and providers of network-based parental control solutions to add a &quot;canary domain&quot; to their blocklists. When Firefox will detect that this canary domain is blocked, it will disable DoH to prevent the feature to be used as a filter-bypassing solution.<p>So, if isp in countries with censorship can use a canary website to prevent users from bypassing &quot;legally-set blocklists&quot;. What is the point again of enabling this?

There are two points:<p>1. centralization of all dns lookups is worrisome<p>2. Dns should not be handled by applications. It should be handled by the operating system.<p>I see a lot of people conflating the two in the comments.

It seems like this change by Firefox would bypass a pi-hole. Am I understanding it correctly?

I had no idea this was going to be the default. It&#x27;s massively wrong. I use a Pihole DNS server, which means after a lot of debugging I&#x27;d have discovered Firefox had unilaterally decided to <i>stop abiding by internet protocols</i>. It&#x27;s always one step forward and two back with these Moz guys. I guess that&#x27;s better than every step back like Chrome, but jeez Moz, get a clue.

This misses the forest for the trees. In the UK ISPs are already legally mandated to log your web requests and provide them to the government. Those who live under free regimes should not deny those of us who live under oppressive governments the right to privacy of our communications. The fact that cloudflare is a US entity and thus not subject to UK law is the whole point.

&gt; It is clear what Mozilla needs to do: Mozilla can and should revert the change and allow users to easily opt-in.<p>I think it should be on by default. In my country encrypted DNS makes it more difficult for the government to track what people watch and to block sites.<p>&gt; And to select or enter the DoH provider instead of defaulting to Cloudflare.<p>You can enter any DNS server address in Firefox.<p>While I agree, that it is bad to concentrate all the world&#x27;s DNS queries in the hands of an entity under US jurisdiction, not encrypting DNS is much worse currently. So Cloudflare and US government are the lesser evil for me.<p>Also, if there were volunteers running free DoH servers then Mozilla could choose one of them randomly instead of sending all queries to USA.

What they should do is offer several alternatives when enabling DoH (Cloudflare isn&#x27;t the only DoH provider out there), and anto-detect if your ISP or local network supports it at the enterprise level.<p>At least you can change the provider in about:config. I don&#x27;t remember if you can do it through the settings page.

The only thing that annoys me slightly about this, is that I currently have a couple of pi-holes running at home (one for us, and one for the kids) and I have the Mikrotik setup to redirect any request for DNS to the correct pi (So even if they change the DNS on the device it still hits the pi)<p>This is going to make that a pain - especially if they introduce it in the mobile version?

It&#x27;s worth noting that CloudFlare has already proven itself to not be a neutral party - they have proven willing to take sites offline for both legal and social pressure reasons.<p>This will greatly impact the internet&#x27;s ability to route around censorship as if it were damage.

The Internet was a great distributed system with reasonable separation of concerns.<p>Now we are content that applications do their own name resolution and said resolution is centralised on a very few (non-altruistic) hands (CloudFlare&#x2F;Google).<p>Add amp to this. Sprinkle it with the views of people who run their own mail server and consider where this leaves us.<p>I am not that naive and think we can keep ourselves in 1995. But I do think we give up on too many of the good parts all to freely.

Disagree. Most users haven’t chosen their DNS server, so replacing one unchosen DNS server with another makes no practical difference. And DoH means that people snooping on your network can no longer spy on you.<p>Cloudflare has committed themselves to not track users via DNS requests, and only log what’s strictly necessary.<p>And if you distrust Cloudflare, you have a much bigger problem. Half the Internet routes through Cloudflare these days. If they wanted to spy on you, they have (potentially clear-text) access to a good chunk of your HTTPS traffic.<p>And as many others have pointed out, it’s a much better recommendation to have people change the DoH server to something else.

Living in Russia, I, for one, welcome DoH and ESNI. I know I trust Cloudflare more than my government and ISP (The same ISP that routinely spoofs requests to inject ad pages&#x2F;reminders to pay for service, nevermind all the blocked sites).

How will this affect using Firefox on an intranet, where there are often services and websites on a local-only DNS server? Will Firefox be unable to reach those sites by default?

Wow, thats awful that they&#x27;re sending all user DNS requests to cloudflare without informed consent.<p>Is this also potentially a violation of federal wiretap law?<p>My ISP being able to monitor where I connect is not great, but being exposed to my ISP <i>and</i> cloudflare monitoring it is not better-- and is also very unexpected.<p>There are also at least somewhat clear standards of privacy expected from ISPs, it&#x27;s entirely unclear to me what duty of care cloudflare has towards users of this service or what position they&#x27;d be in to resist further compromise of user data (through either legal or illegal means).

Does anyone knows why does mozilla think this is a good idea? Between each user sharing dns queries with their isps and everyone sharing dns queries with cloudflare it appears that it&#x27;s obviously more secure the first approach even if none of them is really that great.

One thing that concerns me greatly is debugging network problems.<p>Up until now, you could use dig, nslookup and other tools to see how your computers resolves to help you figure stuff out.<p>Now what do you do?<p>also what happens when firefox uses this cloudflare, some other X application will start using Z, and the third Y.<p>Also I work, and used to work for many small shops (under 50 people) in different industries. Its standard practice to have internal domains, sometimes even having different things on the same domain (ie mail.comany.co is diffrenet server form inside and outside the network).<p>If you don&#x27;t have AD (increasingly common here with apple and linux laptops being the 95% of users), you will have to go to each user on every device that has firefox and help him fix the settings.<p>I would say just block it at firewall level, but it&#x27;s not trivial, without breaking sites that use cloudflare.

If the single DoH &#x27;server&#x27; is the issue, wouldn&#x27;t having a list of several &#x27;servers&#x27; around the globe (hopefully in places where there isn&#x27;t any form of censorship and preferably though non-commercial institutions) that the browser selects randomly solve this?

I think this is a horrible idea and applications should respect the OS DNS configuration. I have already configured the instance of dnsmasq on my router at home to return NXDOMAIN for the canary domain.<p>That being said I am a little confused by those that are concerned because this change would mean their DNS queries will be sent to a US company and they don&#x27;t trust US companies. Firefox is developed and distributed by a US corporation and is just a susceptible to being forced to follow US government directives as Cloudflare.

Also, do keep in mind that by using DoH, you&#x27;re also rendering anything like Pi-Hole useless. The solution of course being to use DoH from the Pi-Hole device [0], picking your own provider and disabling it on Firefox. Only step you need to change is the part where upstream providers are given and use your own instead of Cloudflare&#x27;s default.<p>[0] <a href="https:&#x2F;&#x2F;docs.pi-hole.net&#x2F;guides&#x2F;dns-over-https&#x2F;" rel="nofollow">https:&#x2F;&#x2F;docs.pi-hole.net&#x2F;guides&#x2F;dns-over-https&#x2F;</a>

I simply don&#x27;t like DoH because I use a DNS provider that I have chosen - OpenDNS - specifically because they log my DNS queries <i>and let me see that log</i>. I don&#x27;t mind DNS lookups from my network being logged, as long as the provider does accurate, uncensored DNS lookups. It&#x27;s helped me find domains to block such as tracking domains used by IoT devices that I can&#x27;t configure myself.<p>I have my router directing all DNS traffic to OpenDNS so these devices can&#x27;t pick their own servers, any outbound requests on port 53 will be redirected. If they start using DoH&#x2F;DoT, I can&#x27;t do that so easily. I&#x27;d have to start monitoring outbound traffic and do hostname resolution on the IPs.<p>I think the privacy argument for DoH in the browser is fairly weak, since doing a DNS lookup is not really an indication of, well, anything really. No matter what domain it was, there&#x27;s no indication that the user intended to visit a website or use a service on that domain, it could be as simple as a lookup to load an embedded image in a spam email. The only good usage of it is to prevent censorship via DNS.

Idk folks, the entire debate seems to be out of proportion. 1) If you do not agree with Mozilla’s actions - do not user their browser. I mean Mozilla isn’t forcing anyone to use Firefox. As a company they are free to design their product as they see fit. As an individual you are free to either use their product or not. 2) If you disagree and still chose to use Firefox - just because you are reading this means you have the knowledge to disable DoH. 3) If Mozilla remove the option to disable DoH over CF and you don’t like it - use another browser. 4) If you are concerned for other people’s data going to CF (specifically people who are not as well informed, people who don’t know what DoH or even DNS is) - very noble indeed, but unfortunately options are limited here. Encourage people to do some research and to decide for themselves whether or not they are as passionate about it.<p>The main point I am making is just as we want to be free in choosing whether or not to use DoH over CF, Mozilla is as free to design their own product.

I was never a conspiracy buff but the hordes of shills here who think it&#x27;s a good idea to send the whole worlds browsing habits to the US a country with practically no protection of data lets this seem like a long prepared operation.<p>The Chinese had to hack BGP to get that kind of data for a limited time.

As a sysadmin and a user i dont see any problems with DoH, i can easily set a DNS entry[0] so that FF respects my company configuration. And as a user I&#x27;ve been using DoH for months, just not from cloudflare but from CZ NIC because the latency was slightly better. You can easily set your custom DoH provider with 2 clicks in the Options menu. Also for most users I see benefits, because most of them don&#x27;t use VPNs on free wifis.<p>edit: I also think OS maintainers are the main problem here, none of this would&#x27;ve happened if they supported DoT or DoH themselves.<p>[0] <a href="https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;configuring-networks-disable-dns-over-https" rel="nofollow">https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;configuring-networks-di...</a>

I think it&#x27;s good Firefox are leading the way on DoH.<p>The ability to chose which DNS provider you query will be next on the feature list for Firefox I imagine.<p>Cloudflare have the same mindset to do something about the vulnerability of DNS to snooping (see their 1.1.1.1 app). Two companies with the same mindset. I&#x27;m hoping others follow them.<p>The article itself sounds paranoid and divides those that would rather trust private companies (with good intentions) against those that would rather trust their ISP&#x2F;Government (also with good intentions).

With Mozilla pushing their users around, it&#x27;s inevitable that a FF fork with Moz&#x27;s shenigans disabled will become mainstream. What&#x27;s the current state of eg Seamonkey?

We are having zero problems with the current decentralized DNS architecture.<p>Evidently, Mozilla plays the role of a Google&#x27;s darling once again. Those financial &quot;donations&quot; have some interesting effects, aren&#x27;t they? Aside from an official &quot;Google Search Bar in Firefox&quot; line.<p>What&#x27;s even more interesting is that Hacker News moderator deranked the topic.<p>Probably all the actors represent the same mafia ring, as they painfully in need to defend those interests to stay commercially relevant in changing world (hello IPFS).

Maybe I&#x27;m missing something, but the &quot;I think just me and you was safer&quot; image feels a little misleading. There already was a third party - your ISP&#x2F;DNS provider.

In other news, bots have now started using DoH (one via Google&#x27;s DoH service):<p>* <a href="https:&#x2F;&#x2F;www.proofpoint.com&#x2F;us&#x2F;threat-insight&#x2F;post&#x2F;psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module" rel="nofollow">https:&#x2F;&#x2F;www.proofpoint.com&#x2F;us&#x2F;threat-insight&#x2F;post&#x2F;psixbot-no...</a><p>* <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20934680" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20934680</a>

I don&#x27;t know about you guys but in Turkey if you query wikipedia.org from 8.8.8.8 it doesn&#x27;t return results.<p>However if you use DoH you can access Wikipedia.<p>Thank you whoever contributed to DoH!

The stated problem is that there are few providers, as for the offending party - Firefox, it&#x27;s they&#x27;ve defaulted to a company based in the US or a 14 Eyes member.<p>It doesn&#x27;t feel right to address the issue by blaming the DoH, or Firefox, as they are not defaulting to the prime evil - Google.<p>I believe the better suggestion here to say is to set up own DoH servers, urge related parties to opensource their own implementation if there&#x27;s none.

The government already has your DNS queries. So the whole point of the argument is moot.<p>The ISPs, and anyone they share the data with, also already have the DNS queries, so the argument is wrong.<p>But also, if you do want just one government to have the data, do you prefer that data to go to your local country, which may be speech-oppressing regimes like Syria, Saudi Arabia, UK, Ukraine, or Iran?<p>I fail to see how this is in any way a step backwards.

List of FF &quot;integrations&quot; grows. There is also HIBP one. We need a clean from 3rd parties version, like ungoogled-chromium project.

Pretty hilarious that this entire article is negated by contractual agreements spelled out in Firefox&#x27;s FAQ in DoH<p><a href="https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;firefox-dns-over-https" rel="nofollow">https:&#x2F;&#x2F;support.mozilla.org&#x2F;en-US&#x2F;kb&#x2F;firefox-dns-over-https</a>

I don&#x27;t understand the DoH protocol entirely. I thought the entire point of it was to pass encrypted requests to CloudFlare. Can anyone confirm how this works? I thought this was the entire point of DoH, adding encryption to requests and directing it away from the plaintext DNS requests.

For those who are uneasy to use CF DoH, here&#x27;s a list of alternative DoH Resolvers<p><a href="https:&#x2F;&#x2F;github.com&#x2F;curl&#x2F;curl&#x2F;wiki&#x2F;DNS-over-HTTPS#publicly-available-servers" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;curl&#x2F;curl&#x2F;wiki&#x2F;DNS-over-HTTPS#publicly-av...</a>

I had to turn it off, not because I&#x27;m opposed to the idea, far from it, I&#x27;d love to use DoH, but because cloudflare&#x27;s spat with archive.is renders the whole thing useless if you ever need to browse archive.is stored copies of pages.

<i>As somebody who&#x27;s been working for internet security over 20 years, we strongly believe that applications should not choose the DNS server. The operating system is designed to manage DNS and network settings for all applications.</i><p>This is nonsense.

Not convincing. I live in Russia, explain why I wouldn&#x27;t want this turned on?

The result will be simple: FF market share in corporate environments will drop. If sysadmins have to jump through hoops simply to get the thing to respect corporate DNS settings, then it won&#x27;t be used.

In places like India, blocking is often done at the DNS level. Cloudflare and Firefox are big reasons I can get around stupid overbroad government blocking of whatever they think is anti-national or porn.

It&#x27;s weird how large companies can make decisions like this (re-routing all DNS requests to the US) on their own, without local&#x2F;EU government stepping in to prevent it...

DoH and DoT are very interested technologies, disabling them &#x27;cause Cloudflare is ... strange.<p>From another side, DoH&#x2F;DoT prevents ISPs&#x2F;government from DNS modifying&#x2F;rerouting.

I strongly support DoH as it prevents government snooping on the public. It’s really unhelpful that people like this attack Firefox over this issue.<p>Stand strong Firefox against this.

I think dns (and many other &quot;trivial&quot; to implement sensitive services) should be a gov service. Preferably the eu and idealy made usable for anyone.

OpenBSD folks removed it, and they are always right about security, as they were with disabling Intel hyperthreading.

How decisions are made in Mozilla? By whom? Is there public discussion beforehand?

privacy aside , how about internal hosted zones and stuff that isn&#x27;t resolvable by TLDS or CCTLDS?

My understanding is that the DNS query goes to the closest of the more than 180 Cloudflare servers, not specifically to the US servers. Complete FUD.

&gt; It means people outside the US can now be fully tracked by US government<p>How?

Firefox, wth.<p>Cloudflare is not the internet.

I hope to see a solution from Mozilla, is it known why they choose DoH with Cloudflare? It seems a bit strange from a company always focused on OSS.

I think this article would benefit from not shoehorning politics into the issue. Couldn&#x27;t take this seriously after the irrelevant slight at Trump.

&gt; DoH means that Firefox will concentrate all DNS traffic on Cloudflare, and they send traffic from all their users to one entity.<p>Why does DoH necessarily mean that Cloudflare will be handling the traffic? The article barrels right to that conclusion without explaining why.