Disabling Firefox's automatic switch to DoH

RMerlin

Asuswrt-Merlin dev
Considering all the dinosaurs involved in US politics (who could forget the "The Internet is a series of tubes, and my emails can get stuck in there because of your traffic clogging them"?), be scared whenever politicians get involved in anything related to technology...

Or Zuckerberg's hearing - that was another priceless gem.

The first sign that they once again are completely clueless: Google offers DNS over TLS in Android, not DNS over HTTPS...
 

gattaca

Senior Member
Not being cynical, just trying to understand both sides.

I am sure FF/Chrome/Brave are doing DoH under the guise of privacy. With ABC, it's never really what they say... but what their business model is... (but I digress).

Consider travelers connecting to any wi-fi in coffee shops... (that's a bad idea but another thread). At least with DoH, there's some inkling of not having the "connection provider" snooping on your DNS traffic, but the DoH provider... well there you go!

Or suppose you connect to a coffee shop with malicious intent or that had been compromised and it was redirecting your DNS and other traffic to rogue collection sites... It's a 10x edged sword or see-saw with no easy answer. These moves are trying to help the "general public" who have absolutely NO CLUE about what a DNS is or DoH or TLS or anything else.. they just want the crap to work... Those of us trying to tread the tech waves just happen to care a bit more about these details. go figure..
 

RMerlin

Asuswrt-Merlin dev
These moves are trying to help the "general public" who have absolutely NO CLUE about what a DNS is or DoH or TLS or anything else.. they just want the crap to work...
The main issue there is they are fixing A by breaking B. This is why it must be an opt-in feature, not an opt-out feature, so people will be aware that if B is being broken, it might be because they just accepted to enable a specific feature.

"B" being things like DNS-based parental control, ad blocking, malware detection, CDN optimization, etc... If you set up DNS-based parental control to protect your kids, and their Firefox just updated to a new version that bypasses it BY DEFAULT (and not by user choice), wouldn't that be potentially serious?

Also note that DoH is just a small portion of the privacy puzzle. DoH won't prevent snooping if you access a web site that doesn't support encrypted SNI (and so far, almost none of them do). Instead of snooping at the DNS query, they can just snoop at the HTTP query (currently, TLS only encrypts the data in the connection; the SNI, which contains the website address to which you wish to connect, is generally still sent in the clear).

The only reliable protection there when connecting to a suspicious access point is through a complete VPN.
 

cmkelley

Very Senior Member
Not being cynical, just trying to understand both sides.

I am sure FF/Chrome/Brave are doing DoH under the guise of privacy. With ABC, it's never really what they say... but what their business model is... (but I digress).

Consider travelers connecting to any wi-fi in coffee shops... (that's a bad idea but another thread). At least with DoH, there's some inkling of not having the "connection provider" snooping on your DNS traffic, but the DoH provider... well there you go!

Or suppose you connect to a coffee shop with malicious intent or that had been compromised and it was redirecting your DNS and other traffic to rogue collection sites... It's a 10x edged sword or see-saw with no easy answer. These moves are trying to help the "general public" who have absolutely NO CLUE about what a DNS is or DoH or TLS or anything else.. they just want the crap to work... Those of us trying to tread the tech waves just happen to care a bit more about these details. go figure..
The idea behind DoH is when you are behind a firewall that filters based on DNS resolution. Not some crappy coffee shop, but in a country (e.g. China) where the internet is severely restricted; part of their firewall involves sending all DNS requests to government-approved or run DNS servers that won't return a valid IP if the destination isn't approved by the government. DoH can't be intercepted like regular DNS or DoT because it looks like regular web traffic. The theory is that the only way to block DoH is to blacklist the IP entirely, even if you do figure out that a specific IP is running DoH in addition to a regular webserver. This is where IMHO the theory falls off the rails - I would assume anyone caught running a DoH server in such a country would be subject to prosecution, so that leaves those willing to risk prosecution and sites outside the country. Sure it becomes a game of whack-a-mole for the state, but I don't think they're going to think twice about banning any external IP found to offer DoH no matter how popular it is. DoH is an interesting idea, and I suppose one more arrow in the quiver, but in the end it's still security by obscurity.

The correct way to fix the crappy coffee shop problem is to make VPNs simple and reliable. In the end there obviously is no way to prevent whoever your DNS provider is from finding out what sites you're looking up. That's the nature of the beast.
 

RMerlin

Asuswrt-Merlin dev
Google (for Chromium) has an interesting take on this IMHO. They will only automatically enable it if you are using a resolver that is known to also support DoH. So for example, if you are using 1.1.1.1 as your system resolver (meaning it won't trigger if your system resolver is using your router), then Chrome will "upgrade" to using DoH.

https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/5zDcC8uQrqU/discussion

This sounds more sensible to me than Firefox's approach. Still not totally sold on the idea that browsers start to take over the duties of the resolver. Hopefully they don't also overrule local hosts files in the process.
 

gattaca

Senior Member
Hopefully they don't also overrule local hosts files in the process.
Ultimately, ABC is after the DNS data... don't believe anything they write, say or propose otherwise. Your DNS requests are almost as valuable as every page you click on... oops.. it's a precursor to that.
 

SomeWhereOverTheRainBow

Very Senior Member
In the coming weeks, Mozilla will be enabling DoH by default in Firefox (starting with US-based users). While it can still be manually enabled/disabled, this opt-out behaviour is unacceptable IMHO. For starters, it means that by default, your browser will ignore whatever configuration you have made on your network (if using DNS over TLS at the router level, for example).

Firefox looks for a certain canary domain to disable that automatic feature when using, for example, a parental or ad filter provided by your DNS servers.

For now, you can use that canary domain to prevent that automatic DoH enabling, by creating a /jffs/configs/dnsmasq.conf.add file, with the following entry:

Code:
server=/use-application-dns.net/
Then, restart dnsmasq:

Code:
service restart_dnsmasq

I am currently evaluating how to implement this in the firmware. The initial tentative plan is to have a new switch to enable that "Block Firefox automatic DoH usage", with the following options:

0-Enable killswitch if using DNSPrivacy (the default)
1-Enable killswitch
2-Disable killswitch

The default value would be to enable the killswitch if you use DNSPrivacy (i.e. DNS over TLS), to ensure that browsers won't automatically bypass it.

This is still all being evaluated on my end.
Wouldn't this make a Firefox user more vulnerable to a downgrade attack when this option is used to forcibly downgrade Firefox?
 

ColinTaylor

Part of the Furniture
Wouldn't this make a Firefox user more vulnerable to a downgrade attack when this option is used to forcibly downgrade Firefox?
I'm not sure what you mean by "downgrade attack". You're just making Firefox work the same way as it did before. So I can't see how it's more vulnerable than it previously was.
 

RMerlin

Asuswrt-Merlin dev
Wouldn't this make a Firefox user more vulnerable to a downgrade attack when this option is used to forcibly downgrade Firefox?
The default option will be to disable it only if you have DNS over TLS or DNSFilter enabled - both of which are user-configured, generally for security reasons. Firefox's default behaviour would actually REDUCE your security and privacy in many instances, since it would force all your traffic to a DOH server of THEIR choice, rather than whichever server you personally chose to use. So if you configured DNS over TLS to use a malware blocking server, Firefox would bypass that malware blocking service, which is a step backward.
 

Mutzli

Very Senior Member
I just updated Firefox from 69.0.3 to release 70.0. They have now turned on DoH by default. No problem, I thought, I just have to go into about:config and change network.trr.mode from 3 to 5 (disable) to have DoT active again. To my surprise, when I restarted Firefox I found that the value had been automatically set back from 5 to 3. Is there another setting I'm missing, or does Mozilla now force DoH on us?
 

MDM

Senior Member
I just updated Firefox from 69.0.3 to release 70.0. They have now turned on DoH by default. No problem, I thought, I just have to go into about:config and change network.trr.mode from 3 to 5 (disable) to have DoT active again. To my surprise, when I restarted Firefox I found that the value had been automatically set back from 5 to 3. Is there another setting I'm missing, or does Mozilla now force DoH on us?
I do not like how this sounds... Hope it is just a missed setting to turn off!
 

Mutzli

Very Senior Member
I do not like how this sounds... Hope it is just a missed setting to turn off!
I found the culprit. I signed up for a beta test of Firefox Private Network. If this new feature is active, the settings are automatically changed back to activate DoH. As long as you have FPN off it will not change to DoH, but every time it's turned on the settings are activated for DoH. So as long as you stay away from FPN you should be fine.
 

Netbug

Regular Contributor
OK, I just installed Firefox 69.0.3 (latest version) on my Mac. Enabled DoT on the router, DNS Privacy Protocol: I tried 'Auto' & 'Yes', testing using the preset Quad9 servers. Chrome/Safari both show Quad9 as the DNS servers, which is correct. I opened up Firefox and noticed the setting 'Enable DNS over HTTPS' was unchecked, so before enabling it I checked using ipleak.net/dnsleaktest.com & the ExpressVPN DNS checker; all showed Quad9 servers, great.... I decided to enable DoH in FF and use Cloudflare, and even though, as mentioned above, I have DoT enabled on the router and tried the DNS Privacy Protocol options 'Auto' & 'Yes', Firefox is still managing to use DoH.

Am I missing something? Or am I getting the concept wrong :confused: I thought that with DoT enabled on the router and using 'Auto' or 'Yes', FF would not be able to bypass what's set on the router even with DoH enabled in FF (in this case Quad9 DNS), but it is instead using Cloudflare DoH, bypassing DoT on the router.
 

dave14305

Part of the Furniture
OK, I just installed Firefox 69.0.3 (latest version) on my Mac. Enabled DoT on the router, DNS Privacy Protocol: I tried 'Auto' & 'Yes', testing using the preset Quad9 servers. Chrome/Safari both show Quad9 as the DNS servers, which is correct. I opened up Firefox and noticed the setting 'Enable DNS over HTTPS' was unchecked, so before enabling it I checked using ipleak.net/dnsleaktest.com & the ExpressVPN DNS checker; all showed Quad9 servers, great.... I decided to enable DoH in FF and use Cloudflare, and even though, as mentioned above, I have DoT enabled on the router and tried the DNS Privacy Protocol options 'Auto' & 'Yes', Firefox is still managing to use DoH.

Am I missing something? Or am I getting the concept wrong :confused: I thought that with DoT enabled on the router and using 'Auto' or 'Yes', FF would not be able to bypass what's set on the router (in this case Quad9 DNS), but it is instead using Cloudflare DoH.
The new router setting prevents the automatic enabling of DoH in Firefox, but doesn't prevent manual enabling in the browser.
 

Mutzli

Very Senior Member
OK, I just installed Firefox 69.0.3 (latest version) on my Mac. Enabled DoT on the router, DNS Privacy Protocol: I tried 'Auto' & 'Yes', testing using the preset Quad9 servers. Chrome/Safari both show Quad9 as the DNS servers, which is correct. I opened up Firefox and noticed the setting 'Enable DNS over HTTPS' was unchecked, so before enabling it I checked using ipleak.net/dnsleaktest.com & the ExpressVPN DNS checker; all showed Quad9 servers, great.... I decided to enable DoH in FF and use Cloudflare, and even though, as mentioned above, I have DoT enabled on the router and tried the DNS Privacy Protocol options 'Auto' & 'Yes', Firefox is still managing to use DoH.

Am I missing something? Or am I getting the concept wrong :confused: I thought that with DoT enabled on the router and using 'Auto' or 'Yes', FF would not be able to bypass what's set on the router even with DoH enabled in FF (in this case Quad9 DNS), but it is instead using Cloudflare DoH, bypassing DoT on the router.
That's the problem: DoH will always go direct to resolve your DNS requests without going through your DoT-enabled router, since the router doesn't know that this is a DNS request from your browser; it's categorized as HTTPS. I hope this makes sense.
Btw, the latest version is 70.0, came out today.
 
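The two mechanisms discussed in this thread, the dnsmasq canary entry quoted from RMerlin's post (Firefox queries use-application-dns.net through the system resolver and backs off from DoH if the answer is NXDOMAIN or carries no address records) and Mutzli's point that a DoH lookup is just an HTTPS request the router cannot tell apart from web traffic, can both be seen in raw DNS bytes. The following Python is an added example, not code from the thread or from the Asuswrt-Merlin firmware: it builds the canary query in DNS wire format, shows how that same query would be carried in an RFC 8484 GET URL (the https://dns.example/dns-query endpoint is a placeholder), and classifies constructed sample replies the way the canary check is described, which is an interpretation written here, not Mozilla's code.

```python
import base64
import struct

CANARY = "use-application-dns.net"  # the domain Firefox probes via the system resolver

# DNS constants from RFC 1035
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name):
    """Encode a dotted name as DNS labels: len-byte + label ..., terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0):
    """Standard recursive query: header (RD set, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query, endpoint="https://dns.example/dns-query"):
    """RFC 8484 GET form: the wire query goes base64url-encoded (no padding) in ?dns=.
    On the wire this is an ordinary TLS connection to port 443, which is why a
    router doing DoT on port 853 never sees it."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return the transaction id, RCODE and the record types in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    answer_types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {"id": txid, "rcode": flags & 0x000F, "answer_types": answer_types}


def canary_disables_doh(response):
    """True when the reply is the documented 'do not use DoH' signal:
    NXDOMAIN, or NOERROR with no A/AAAA records. Anything else (a real address,
    SERVFAIL, a timeout) is treated as 'no signal' (assumption made here)."""
    r = parse_response(response)
    if r["rcode"] == RCODE_NXDOMAIN:
        return True
    has_addr = any(t in (QTYPE_A, QTYPE_AAAA) for t in r["answer_types"])
    return r["rcode"] == RCODE_NOERROR and not has_addr


def build_response(query, rcode, answers=()):
    """Constructed reply to `query`: echoes the question, then answers as (type, rdata)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + query[12:] + body


def ask_resolver(server, name=CANARY, timeout=2.0):
    """Live variant (not used by the samples below): send the query over plain UDP/53
    to the router or resolver and return the raw reply for canary_disables_doh()."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=0x1234), (server, 53))
        data, _ = s.recvfrom(512)
    return data


# Constructed sample replies (no network involved).
QUERY = build_query(CANARY, txid=0x1234)
NXDOMAIN_REPLY = build_response(QUERY, RCODE_NXDOMAIN)            # e.g. a dnsmasq server=/domain/ block
EMPTY_REPLY = build_response(QUERY, RCODE_NOERROR)                # NOERROR but no address records
A_REPLY = build_response(QUERY, RCODE_NOERROR, [(QTYPE_A, bytes([192, 0, 2, 10]))])
SERVFAIL_REPLY = build_response(QUERY, RCODE_SERVFAIL)

if __name__ == "__main__":
    print("DoH GET form:", doh_get_url(QUERY))
    for label, reply in [("NXDOMAIN", NXDOMAIN_REPLY), ("empty NOERROR", EMPTY_REPLY),
                         ("A record", A_REPLY), ("SERVFAIL", SERVFAIL_REPLY)]:
        print(f"{label:14s} -> canary disables DoH: {canary_disables_doh(reply)}")
```

To check a real router, call ask_resolver("192.168.1.1") (your router's LAN address) and feed the bytes to canary_disables_doh(); a True result means the dnsmasq entry from the thread is being served. The check only covers Firefox's automatic opt-in: as dave14305 notes above, a user who turns DoH on manually in the browser never consults the canary, and the query then leaves the LAN as HTTPS exactly as doh_get_url() shows.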

Netbug

Regular Contributor
That's the problem: DoH will always go direct to resolve your DNS requests without going through your DoT-enabled router, since the router doesn't know that this is a DNS request from your browser; it's categorized as HTTPS. I hope this makes sense.
Btw the latest version is 67.0, came out today.
Yeah, I understand now, makes total sense. Firefox is showing as 69.0.3 for me in About.

The new router setting prevents the automatic enabling of DoH in Firefox, but doesn't prevent manual enabling in the browser.
Oh right, now I understand why, thanks.

I agree with you all, it's totally unacceptable what they are doing. I expect people to use what is set on the router, and now they can easily bypass that; why Firefox and other companies think this is acceptable is beyond me.

What about people who set kids' devices to something like OpenDNS Family? They can enable DoT in FF and bypass what's set on the router or at ISP level, i.e. parental controls. How is that gonna work now? Seems like there's no solution and nothing can be done :eek:
 

RMerlin

Asuswrt-Merlin dev
I found the culprit. I signed up for a beta test of Firefox Private Network. If this new feature is active, the settings are automatically changed back to activate DoH. As long as you have FPN off it will not change to DoH, but every time it's turned on the settings are activated for DoH. So as long as you stay away from FPN you should be fine.
This is just one of the numerous reasons why I dislike Mozilla's whole approach to this. It's impossible to accurately predict whether you will be using DoH or not; there are far, far too many variables involved. It makes troubleshooting anything DNS-related a major PITA.
 

pattiri

Senior Member
I've installed FF 70 and as I check it still gives the option to enable or disable DoH:

[screenshot attached]
 
