
Disabling Firefox's automatic switch to DoH

Discussion in 'Asuswrt-Merlin' started by RMerlin, Sep 10, 2019.

  1. netware5

    netware5 Senior Member

    Joined:
    Mar 9, 2013
    Messages:
    363
    Location:
    Bulgaria
    Yes, I think so. Your browser will just make a DoH request to Cloudflare (or maybe another DoH service in the future) and this request will be tunnelled via the PIA VPN. So definitely the browser will bypass the PIA DNS. Unless, as @ColinTaylor said above, the PIA DNS servers implement the canary test/block.
     
    Last edited by a moderator: Sep 11, 2019
    Vexira likes this.
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    I also strongly disagree with Mozilla's decision, and believe a browser should not mess with a network's established resolving infrastructure. However, I'm reticent about also doing the same thing as them, by automatically bypassing a software's expected behaviour, as some users might actually expect Firefox to indeed automatically use DoH without them having to change anything.

    So while I haven't made a final decision yet, I feel that having a third option that automatically kills that feature when the user has a DNSPrivacy configuration might be an acceptable compromise as a default value, since it would serve to ensure that a user configuration (the DoT servers) would not be bypassed by a browser's automated feature.

    Since the next release is probably months away from now, I have time to let it all simmer a bit, also see how Mozilla will react to the public outcry that is starting to come from the technical crowd.
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    If you use an application, then unless the servers used by that application implement the canary domain, you will be automatically redirected to the DoH servers whenever using Firefox.

    Note that Mozilla only implements this (for now) for US users. I don't know how they check that location, so it's also possible that if they rely on an online public IP test, a VPN endpoint being outside of the US might fool the browser into thinking you are not in the US, and disable the feature. Or the opposite might also happen for non-US users connecting to a US server.

    This is yet another reason why Mozilla's implementation is a really, really bad idea. Lack of predictability will make technical support a nightmare. Implementing an important software feature that may or may not be transparently enabled based on a bunch of opaque (to the end-user) criteria makes it hard to troubleshoot anything tied to a feature that may or may not be enabled by default.

    Bottom line, unless someone studies the details behind Mozilla's implementation, there's no way to know for sure short of testing it.
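The "canary domain" mentioned in the two posts above is Mozilla's use-application-dns.net: before turning DoH on automatically, Firefox resolves that name through the network's normal resolver, and a resolver that answers NXDOMAIN (or SERVFAIL, or NOERROR with no A/AAAA records) is taken as a signal to leave DoH off. The script below is an added example, not code from the thread or from Asuswrt-Merlin. It parses the output of `dig` for the canary name to classify a resolver, and prints the dnsmasq line that makes the router itself answer NXDOMAIN for it. The dig outputs embedded here are constructed so the check runs offline; the `server=/domain/` dnsmasq syntax is assumed to be supported by the router's dnsmasq build.

```shell
#!/bin/sh
# Resolver-side canary check for Firefox's automatic DoH (added example).
# Mozilla's canary name: a resolver that returns NXDOMAIN/SERVFAIL, or NOERROR
# with no answer records, tells Firefox not to enable DoH automatically.

CANARY="use-application-dns.net"

# Classify dig output read from stdin (e.g. `dig @192.168.1.1 $CANARY`).
# Prints: blocked  = resolver signals "do not use DoH"
#         allowed  = resolver returns addresses, Firefox may switch to DoH
#         unknown  = output not recognised (no dig header found)
canary_status() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN|SERVFAIL) echo blocked ;;
        NOERROR)
            if [ "${answers:-0}" -eq 0 ]; then echo blocked; else echo allowed; fi ;;
        *) echo unknown ;;
    esac
}

# dnsmasq fragment for the router: `server=/domain/` with no upstream means
# "never forward, answer from local data only"; with no local record the
# answer is NXDOMAIN.  (Assumed to be honoured by the router's dnsmasq; check
# `dnsmasq --version` if in doubt.)
dnsmasq_canary_line() {
    printf 'server=/%s/\n' "$CANARY"
}

# Constructed dig output: a resolver that does NOT implement the canary
# (192.0.2.0/24 is the documentation range, the addresses are made up).
sample_allowed() {
cat <<'EOF'
; <<>> DiG 9.16.1 <<>> use-application-dns.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
use-application-dns.net. 300 IN A 192.0.2.10
use-application-dns.net. 300 IN A 192.0.2.11
EOF
}

# Constructed dig output: a resolver that implements the canary block.
sample_blocked() {
cat <<'EOF'
; <<>> DiG 9.16.1 <<>> use-application-dns.net
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Live use (needs dig and network): `sh canary.sh live [resolver-ip]`.
if [ "${1:-}" = "live" ]; then
    if [ -n "${2:-}" ]; then dig "@$2" "$CANARY" | canary_status
    else dig "$CANARY" | canary_status; fi
fi
```

Run it against each resolver a client might actually use (the ISP's, the VPN provider's, the router's dnsmasq): the VPN case in the first post is exactly the one where the router's dnsmasq line does nothing, because the query never reaches it.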
     
  4. CriticJay

    CriticJay Regular Contributor

    Joined:
    May 30, 2018
    Messages:
    116
    But we can do that, right? Since they're open-source?
     
  5. bits

    bits Regular Contributor

    Joined:
    Oct 13, 2011
    Messages:
    60
    I think the concern is that you are controlling the user's data.
    You can easily uniquely identify the user, and you are the exact risk that is being removed.

    It is the network that is not controlled by the user that privacy apps are trying to remove.
    No different from VPNs, or even when torrent apps started encrypting or mimicking HTTP.
    You are about to embark on a cat-and-mouse game because you are the "problem" being "fixed".
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    Sure, if you have the time to spend on it, and assuming that the final code is already on their repo. They could change anything between now and the final release.
     
  7. ironclad

    ironclad Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    17
  8. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    450
    Location:
    Australia
    Once it's implemented as opt-out can't we just about:config and disable it?
     
  9. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    450
    Location:
    Australia
    Good idea, I'm certainly confused about this whole DoH thing.

    I use the OpenVPN clients in Merlin to route ALL network traffic over the VPN tunnel and DNS. I want to keep it that way.
     
  10. Kingp1n

    Kingp1n Senior Member

    Joined:
    Feb 27, 2018
    Messages:
    266
    Good thing I don't use Firefox!
     
    Skeptical.me likes this.
  11. MarkRH

    MarkRH Senior Member

    Joined:
    Oct 1, 2015
    Messages:
    229
    Location:
    Oklahoma City, OK
    That or it will still be a check-box option.
     
    heysoundude and Skeptical.me like this.
  12. meistadieb

    meistadieb New Around Here

    Joined:
    Nov 16, 2017
    Messages:
    6
    Skeptical.me likes this.
  13. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    872
    Location:
    gone fishing
    Marin and Skeptical.me like this.
  14. AntonK

    AntonK Senior Member

    Joined:
    Apr 10, 2015
    Messages:
    240
    Not being a real techie, I'd be keen to hear what some of you think of this Firefox Add-on: Firefox Private Network. I'm trying it now, and Cloudflare is showing as my ISP. Does an add-on like this affect the way I'm interacting with my router settings?

    Anton
     
  15. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    Seems to be some sort of proxy service. So probably not directly related to the DoH issue being discussed in this thread. May be best to create a separate thread if you want to discuss it further.
     
  16. hw1380

    hw1380 Occasional Visitor

    Joined:
    May 9, 2016
    Messages:
    42
    I assume that this approach has no effect as long as any VPN client is configured with DNS mode Exclusive?
    Because AFAIK Exclusive mode bypasses dnsmasq.
     
  17. meistadieb

    meistadieb New Around Here

    Joined:
    Nov 16, 2017
    Messages:
    6
    What's your point? I posted the relevant link with additional information.

    They promise to upgrade the protocol if possible and not change the DNS provider, but they still change the technique that is used. DoT and DoH use different ports, which could be relevant (which I can't tell). And in addition, maybe other users want to ask the Chromium project to expand the list with other DNS providers.
     
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    Correct. People should then manually disable DoH support within Firefox.
     
    shelbystripes and Vexira like this.
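When the router-side canary cannot reach the browser (an OpenVPN client in Exclusive DNS mode that bypasses dnsmasq, as asked two posts up, or a laptop that roams off the LAN), the setting has to be made in Firefox itself, as the reply above says. The script below is an added example and not code from the thread: it writes the `network.trr.mode` preference into a profile's `user.js`, emits an enterprise `policies.json` that disables and locks DoH machine-wide, and reads back whatever mode a prefs file currently holds. The profile directory is a parameter; the temp directory used in the test is constructed.

```shell
#!/bin/sh
# Client-side DoH opt-out for Firefox (added example).
#
# network.trr.mode (Firefox's "trusted recursive resolver" pref):
#   0 = not configured: the rollout may still turn DoH on automatically
#   2 = DoH first, fall back to the system resolver
#   3 = DoH only
#   5 = off by explicit user choice; the automatic rollout leaves it alone
TRR_OFF_BY_CHOICE=5

# Append the opt-out pref to <profile>/user.js.  user.js is re-applied at every
# start, so this survives Firefox rewriting prefs.js.
write_user_js() {
    dir=$1
    mkdir -p "$dir"
    printf 'user_pref("network.trr.mode", %s);\n' "$TRR_OFF_BY_CHOICE" >> "$dir/user.js"
}

# Enterprise policy equivalent: DNSOverHTTPS.Enabled=false plus Locked=true
# greys the option out in about:preferences and overrides about:config.
# Goes in distribution/policies.json next to the firefox binary (or the
# platform's policy store).
policies_json() {
cat <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
EOF
}

# Report the last network.trr.mode value in a prefs.js/user.js file
# (empty output = pref absent, i.e. mode 0 behaviour).
trr_mode_of() {
    sed -n 's/^user_pref("network.trr.mode", *\([0-9]*\));.*/\1/p' "$1" | tail -n 1
}

# Is DoH explicitly off in this prefs file?
doh_explicitly_off() {
    [ "$(trr_mode_of "$1")" = "$TRR_OFF_BY_CHOICE" ]
}

# Usage: sh doh-off.sh /path/to/firefox/profile
if [ -n "${1:-}" ]; then
    write_user_js "$1"
    doh_explicitly_off "$1/user.js" && echo "DoH disabled in $1/user.js"
fi
```

The about:config route from the earlier question sets the same pref interactively; the point of `5` rather than `0` is that `0` is the value the automatic rollout is allowed to change, while `5` records a deliberate choice.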
  19. cmkelley

    cmkelley Very Senior Member

    Joined:
    Aug 11, 2015
    Messages:
    890
    Location:
    Greater Los Angeles Area, California, USizicstania
    Point of interest: the OpenBSD folk have disabled DoH by default in their port. It can still be enabled, if desired.