
Disabling Firefox's automatic switch to DoH

Discussion in 'Asuswrt-Merlin' started by RMerlin, Sep 10, 2019.

  1. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    Considering all the dinosaurs involved in US politics (who could forget the "The Internet is a series of tubes, and my emails can get stuck in there because of your traffic clogging them"?), be scared whenever politicians get involved in anything related to technology...

    Or Zuckerberg's hearing - that was another priceless gem.

    The first sign that they once again are completely clueless: Google offers DNS over TLS in Android, not DNS over HTTPS...
     
  2. gattaca

    gattaca Regular Contributor

    Joined:
    Feb 18, 2012
    Messages:
    186
    Not being cynical, just trying to understand both sides.

    I am sure FF/Chrome/Brave are doing DoH under the guise of privacy. With ABC, it's never really what they say... but what their business model is... (but I digress).

    Consider travelers connecting to any wi-fi in coffee shops... (that's a bad idea but another thread). At least with DoH, there's some inkling of not having the "connection provider" snooping on your DNS traffic but the DOH provider... well there you go!

    Or suppose you connect to a coffee shop with malicious intent or that had been compromised and it was redirecting your DNS and other traffic to rogue collection sites... It's a 10x edged sword or see-saw with no easy answer. These moves are trying to help the "general public" who have absolutely NO CLUE about what a DNS is or DoH or TLS or anything else.. they just want the crap to work... Those of us trying to tread the tech waves just happen to care a bit more about these details. Go figure..
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    The main issue there is they are fixing A by breaking B. This is why it must be an opt-in feature, not an opt-out feature, so people will be aware that if B is being broken, it might be because they just accepted to enable a specific feature.

    "B" being things like DNS-based parental control, ad blocking, malware detection, CDN optimization, etc... If you set up DNS-based parental control to protect your kids, and their Firefox just updated to a new version that bypasses it BY DEFAULT (and not by user choice), wouldn't that be potentially serious?

    Also note that DoH is just a small portion of the privacy puzzle. DoH won't prevent snooping if you access a web site that doesn't support encrypted SNI (and so far, almost none of them do). Instead of snooping at the DNS query, they can just snoop at the HTTP query (currently, TLS only encrypts the data in the connection; the SNI, which contains the website address to which you wish to connect, is generally still sent in the clear).

    The only reliable protection there when connecting to a suspicious access point is through a complete VPN.
     
  4. cmkelley

    cmkelley Very Senior Member

    Joined:
    Aug 11, 2015
    Messages:
    1,027
    Location:
    Greater Los Angeles Area, California, USizicstania
    The idea behind DoH is when you are behind a firewall that filters based on DNS resolution. Not some crappy coffee shop, but in a country (e.g. China) where the internet is severely restricted; part of their firewall involves sending all DNS requests to government-approved or run DNS servers that won't return a valid IP if the destination isn't approved by the government. DoH can't be intercepted like regular DNS or DoT because it looks like regular web traffic. The theory is that the only way to block DoH is to blacklist the IP entirely, even if you do figure out that a specific IP is running DoH in addition to a regular webserver. This is where IMHO the theory falls off the rails - I would assume anyone caught running a DoH server in such a country would be subject to prosecution, so that leaves those willing to risk prosecution and sites outside the country. Sure it becomes a game of whack-a-mole for the state, but I don't think they're going to think twice about banning any external IP found to offer DoH no matter how popular it is. DoH is an interesting idea, and I suppose one more arrow in the quiver, but in the end it's still security by obscurity.

    The correct way to fix the crappy coffee shop problem is to make VPNs simple and reliable. In the end there obviously is no way to prevent whoever your DNS provider is from finding out what sites you're looking up. That's the nature of the beast.
     
    gattaca likes this.
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    Google (for Chromium) has an interesting take on this IMHO. They will only automatically enable it if you are using a resolver that is known to also support DoH. So for example, if you are using 1.1.1.1 as your system resolver (meaning it won't trigger if your system resolver is using your router), then Chrome will "upgrade" to using DoH.

    https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/5zDcC8uQrqU/discussion

    This sounds more sensible to me than Firefox's approach. Still not totally sold on the idea that browsers start to take over the duties of the resolver. Hopefully they don't also overrule local host files in the process.
     
    QuikSilver, gattaca and cmkelley like this.
  6. Gar

    Gar Senior Member

    Joined:
    Aug 26, 2018
    Messages:
    465
    Location:
    US
  7. gattaca

    gattaca Regular Contributor

    Joined:
    Feb 18, 2012
    Messages:
    186
    Ultimately, ABC is after the DNS data... don't believe anything they write, say or propose otherwise. Your DNS requests are almost as valuable as every page you click on... oops.. it's a precursor to that.
     
  8. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Very Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    531
    Wouldn't this make a Firefox user become more vulnerable to a downgrade attack when this option is used to forcibly downgrade Firefox?
     
  9. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,340
    Location:
    UK
    I'm not sure what you mean by "downgrade attack". You're just making Firefox work the same way as it did before. So I can't see how it's more vulnerable than it previously was.
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    The default option will be to disable it only if you have DNS over TLS or DNSFilter enabled - both of which are user-configured, generally for security reasons. Firefox's default behaviour would actually REDUCE your security and privacy in many instances, since it would force all your traffic to a DoH server of THEIR choice, rather than whichever server you personally chose to use. So if you configured DNS over TLS to use a malware blocking server, Firefox would bypass that malware blocking service, which is a step backward.
     
    QuikSilver, MDM, skeal and 2 others like this.
  11. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    388
    I just updated Firefox from 69.03 to release 70.0. They did now turn on DoH by default. No problem I thought, I just have to go into about:config and change network.trr.mode from 3 to 5 (disable) to have DoT active again. To my surprise, when I restarted Firefox I found that the value had been automatically set back from 5 to 3. Is there another setting I'm missing or does Mozilla now force DoH on us?
     
  12. MDM

    MDM Regular Contributor

    Joined:
    Dec 19, 2018
    Messages:
    180
    Location:
    Belgrade, Serbia
    I do not like how this sounds... Hope it is just a missed setting to turn off!
     
  13. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    388
    I found the culprit. I signed up for a beta test of Firefox Private Network. If this new feature is active the settings are automatically changed back to activate DoH. As long as you have FPN off it will not change to DoH, but every time it's turned on the settings are activated for DoH. So as long as you stay away from FPN you should be fine.
     
    Kingp1n, jsbeddow and L&LD like this.
  14. Netbug

    Netbug Regular Contributor

    Joined:
    Nov 21, 2014
    Messages:
    163
    OK, I just installed Firefox 69.0.3 (latest version) on my Mac. Enabled DoT on the router, DNS Privacy Protocol I tried 'Auto' & 'Yes', testing using the preset Quad9 servers. Chrome/Safari both show Quad9 as DNS servers, which is correct. I opened up Firefox and noticed the setting 'Enable DNS over HTTPS' was unchecked, so before enabling I checked using ipleak.net/dnsleaktest.com & the ExpressVPN DNS checker; all showed Quad9 servers, great.... I decided to enable DoH in FF and use Cloudflare, and even though as mentioned above I have DoT enabled on the router and tried DNS Privacy Protocol options 'Auto' & 'Yes', Firefox is still managing to use DoH.

    Am I missing something? Or getting the concept wrong :confused: I thought that by enabling DoT on the router and using 'Auto' or 'Yes', FF would not be able to bypass what is set on the router even with DoH enabled in FF, in this case Quad9 DNS, but it is instead using Cloudflare DoH, bypassing DoT on the router.
     
    Last edited: Oct 21, 2019
  15. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,865
    Location:
    USA
    The new router setting prevents the automatic enabling of DoH in Firefox, but doesn't prevent manual enabling in the browser.
     
    Netbug likes this.
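    As an added example (not code from this thread or from the Asuswrt-Merlin project): Firefox decides whether to switch to DoH automatically by resolving Mozilla's canary domain use-application-dns.net through the network's own resolver; an NXDOMAIN answer, or NOERROR with no A/AAAA records, is the network's opt-out signal and stops the automatic switch. This Python script sends that query to a resolver and applies the rule, so you can verify from a client that the router answers the way it should; the router address 192.168.1.1 is an assumption, and the script says nothing about DoH a user turns on manually in the browser, which is exactly the gap dave14305 describes.

```python
import socket
import struct

# Mozilla's canary domain. A resolver that answers its A/AAAA queries with
# NXDOMAIN, or NOERROR with an empty answer section, tells Firefox not to
# auto-enable DoH on this network. Any other answer is treated as "no opt-out".
CANARY = "use-application-dns.net"
NOERROR, NXDOMAIN = 0, 3


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query with RD=1; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def parse_response(resp: bytes) -> tuple:
    """Return (RCODE, ANCOUNT) from the 12-byte DNS response header."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0x000F, ancount


def canary_blocks_auto_doh(rcode: int, ancount: int) -> bool:
    """Apply Firefox's published rule to a canary answer."""
    return rcode == NXDOMAIN or (rcode == NOERROR and ancount == 0)


def check_resolver(resolver_ip: str, timeout: float = 2.0) -> bool:
    """Query resolver_ip over UDP/53 for the canary and report whether it opts out."""
    query = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        resp, _addr = sock.recvfrom(512)
    rcode, ancount = parse_response(resp)
    return canary_blocks_auto_doh(rcode, ancount)


if __name__ == "__main__":
    import sys
    # Assumed router/resolver address; pass another IP as the first argument.
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    state = "opts out" if check_resolver(ip) else "does NOT opt out"
    print(f"{ip}: canary says this network {state} of automatic DoH")
```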
  16. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    388
    That's the problem, DoH will always go direct to resolve your DNS requests without going through your DoT enabled router since the router doesn't know that this is a DNS request from your browser, it's categorized as HTTPS. I hope this makes sense.
    Btw the latest version is 70.0, came out today.
     
    Netbug likes this.
  17. Netbug

    Netbug Regular Contributor

    Joined:
    Nov 21, 2014
    Messages:
    163
    Yeah, I understand now, makes total sense. Firefox is showing as 69.0.3 for me in About.

    Oh right, now I understand why, thanks.

    I agree with you all, totally unacceptable what they are doing. I expect people to use what is set on the router; now they can easily bypass that. Why Firefox and other companies think this is acceptable is beyond me.

    What about people who set kids' devices to something like OpenDNS Family? They can enable DoT in FF and bypass what is set on the router or set at ISP level, i.e. parental controls. How is that gonna work now? Seems like no solution and nothing can be done :eek:
     
    Last edited: Oct 21, 2019
  18. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    This is just one of the numerous reasons why I dislike Mozilla's whole approach to this. It's impossible to accurately predict whether you will be using DoH or not, there are far, far too many variables involved. It makes troubleshooting anything DNS-related a major PITA.
     
  19. pattiri

    pattiri Senior Member

    Joined:
    Dec 27, 2016
    Messages:
    263
    Location:
    Istanbul, Turkey
    I've installed FF 70 and as I check, it still gives the option to enable or disable DoH;

    Screenshot_2.jpg
     
  20. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    They are not taking the manual option away. Also, the automatic enabling is only for the US.
     
    gfondeur likes this.