
Disabling Firefox's automatic switch to DoH

Discussion in 'Asuswrt-Merlin' started by RMerlin, Sep 10, 2019.

  1. Kingp1n

    Kingp1n Senior Member

    Joined:
    Feb 27, 2018
    Messages:
    370
    Would the fix be to stop using Firefox?
     
    #TY likes this.
  2. MDM

    MDM Regular Contributor

    Joined:
    Dec 19, 2018
    Messages:
    180
    Location:
    Belgrade, Serbia
    No, just be sure it is disabled (anyway others will follow sooner or later...).
     
    gfondeur and Kingp1n like this.
  3. Netbug

    Netbug Regular Contributor

    Joined:
    Nov 21, 2014
    Messages:
    163
    As MDM suggested, you can disable the setting. The issue for many, I think, is those with children who have their kids' devices set to, for example, OpenDNS Family to protect them from adult content, gambling, etc. They could easily change to custom and enter the DNS of an unfiltered DNS server and bypass the DNS set at router level, as DoH is done over HTTPS.

    Mutzli describes it well.
     
    Kingp1n likes this.
  4. AntonK

    AntonK Senior Member

    Joined:
    Apr 10, 2015
    Messages:
    274
    I've installed version 70 and the "Enable DNS over HTTPS" setting remains unchecked.
     
  5. MarkRH

    MarkRH Senior Member

    Joined:
    Oct 1, 2015
    Messages:
    238
    Location:
    Oklahoma City, OK
    Updated to 70 Release, 71 Beta, and 72 Nightly. (Yes, I have all three installed with their own profiles).

    Anyway, updating via the internal updater, none of them enabled DoH. Network Settings are still set to No Proxy and nothing else checked there. So, my guess is the automatic enabling happens with a fresh install. Launching 70 using a clean profile also does not enable DoH. Perhaps I'm not in the pool of auto-enabled users yet. More info: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
     
    AntonK likes this.
  6. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    388
    The problem is if you have Firefox Private Network activated, (info over here: https://private-network.firefox.com/ ), it will always switch your Firefox settings to use DoH. I haven't found a way to manually configure the settings. You can go into about:config and make changes to the network.trr settings. But the next time Firefox Private Network is turned on the settings go right back to DoH. I know this is probably needed to have Firefox Private Network work, but it would be nice to have it go back to the old settings once it's turned off.
     
    AntonK likes this.
  7. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    376
    A new feature, maybe, to handle software restriction policies? Or maybe it can be done with the firewall?
    If this is used to bypass the router's DNS & parental control and so on...
     
    Last edited: Oct 23, 2019
  8. MDM

    MDM Regular Contributor

    Joined:
    Dec 19, 2018
    Messages:
    180
    Location:
    Belgrade, Serbia
    It has absolutely nothing to do with software and/or firewall.
    It is only browser related and cannot be controlled (which is the issue), since it is basically just HTTPS traffic.
     
    Netbug likes this.
  9. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    376
    I know my question was off-topic since it's about the DoH problem with Firefox.
    I don't use Firefox myself, but I guess it can be used/installed on my network (kids' devices) to bypass parental control.
    Guess I could block Firefox and more if needed on every device, but I was hoping I could do it on the router.
     
    Last edited: Oct 23, 2019
  10. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,865
    Location:
    USA
    I think there's an opportunity to hijack the DNS names used for TLS verification of the DoH connection to break DoH locally, and to use DNSFilter to ensure the bootstrapping queries go to the router.

    This is written for BIND, but I think the same ideas can be applied to dnsmasq.
    https://github.com/bambenek/block-doh
     
    Zastoff likes this.
  11. bits

    bits Regular Contributor

    Joined:
    Oct 13, 2011
    Messages:
    78
    Firefox has supported users turning on DNS over HTTPS for about 18 months now. If you want it off, turn it off, but if that is all you did the user could just turn it back on. Just like 18 months ago.

    Chrome now supports DNS over HTTPS and the user can just turn it on like in Firefox. There is zero difference between Chrome's and Firefox's abilities to allow the user to bypass a DNS filter with ease.

    If you have concerns about what settings an app has on a local machine like Chrome or Firefox, you need an admin/parental app to control that.

    Children bypassing a DNS filter is not at all the concern here. Chrome and Firefox readily let a normal user bypass that; fix = control the machine.

    The complaint in this thread is about Firefox enabling the setting by default, pushing user data towards a Firefox nominated server.


    RMerlin sees this as a privacy concern as many users may not understand their data is centralised for Firefox.
    Firefox claim they will not use or sell user data but RMerlin still has concerns, maybe they lie or get hacked or change their mind without notice.

    I see it as the lesser evil, I trust Firefox but definitely do not trust the random networks like wifi hot spots people connect to.
    I also definitely do not trust the other users that also know the WiFi networks password that can see and log all my traffic.
    People are severely underestimating how compromised almost all users are right now when using standard DNS.

    Either the common user is definitely screwed as things are right now with standard DNS, or maybe they get screwed with Firefox's DNS over HTTPS.

    PS: always remember any savvy user can set Firefox to any server of their choice. Firefox isn't enforcing that you use their servers; they are just pushing users to not be using standard DNS. Browsers are slowly killing off HTTP with the exact same intent.
    Simple/majority of users will likely stick with Firefox's initial server offer. But I'm sure Norton will point Firefox to their server when installed, same with every other "antivirus" and browser helper app.
     
    Last edited: Oct 23, 2019
  12. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    376
    Would be an awesome option :)
     
    L&LD likes this.
  13. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,865
    Location:
    USA
    I added these entries to my diversion blacklist. It broke the Firefox DoH when manually enabled.
    Code:
    192.168.1.2 mozilla.cloudflare-dns.com # Block DoH
    192.168.1.2 dns.google # Block DoH
    192.168.1.2 cloudflare-dns.com # Block DoH
    192.168.1.2 dns9.quad9.net # Block DoH
    192.168.1.2 dns10.quad9.net # Block DoH
    192.168.1.2 doh.cleanbrowsing.org # Block DoH
    192.168.1.2 dns.dnsoverhttps.net # Block DoH
    192.168.1.2 doh.crypto.sx # Block DoH
    192.168.1.2 doh.powerdns.org # Block DoH
    192.168.1.2 doh-jp.blahdns.com # Block DoH
    192.168.1.2 dns.dns-over-https.com # Block DoH
    192.168.1.2 doh.securedns.eu # Block DoH
    192.168.1.2 dns.rubyfish.cn # Block DoH
    192.168.1.2 doh.dnswarden.com # Block DoH
    192.168.1.2 doh.captnemo.in # Block DoH
    192.168.1.2 doh.tiar.app # Block DoH
    
     
    L&LD and Zastoff like this.
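An added example (my own code, not dave14305's list or anything shipped with Diversion) that parses a blacklist in the hosts-style format posted above, emits the equivalent dnsmasq `address=` lines (which, unlike hosts entries, also cover subdomains of each name), and scans dnsmasq query-log lines for clients that tried to resolve a blocked DoH hostname, i.e. a DoH bootstrap attempt. The sample blacklist, the sinkhole address, the log lines and the hostnames `doh.example.invalid` / `www.snbforums.com` are constructed, and the log shape assumes dnsmasq's `log-queries` output.

```python
import re
from ipaddress import ip_address
# Constructed sample in the hosts-style format posted above (sinkhole IP, hostname, comment).
BLACKLIST = """\
192.168.1.2 mozilla.cloudflare-dns.com # Block DoH
192.168.1.2 dns.google # Block DoH
192.168.1.2 dns9.quad9.net # Block DoH
# comment-only and malformed lines must be skipped, not turned into rules
not-an-ip doh.example.invalid
"""
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)

def parse_blacklist(text):
    """Return (sinkhole_ip, hostname) pairs, dropping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip the trailing '# Block DoH' comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not HOSTNAME_RE.match(parts[1]):
            continue
        try:
            ip_address(parts[0])  # reject anything that is not a valid sinkhole address
        except ValueError:
            continue
        entries.append((parts[0], parts[1].lower()))
    return entries

def to_dnsmasq_address(entries):
    """Hosts entries match the exact name only; dnsmasq 'address=/name/ip' also covers subdomains."""
    return [f"address=/{name}/{ip}" for ip, name in entries]

# Constructed lines in the shape of dnsmasq's log-queries output (assumed format).
LOG = """\
Oct 23 10:00:01 dnsmasq[123]: query[A] mozilla.cloudflare-dns.com from 192.168.1.50
Oct 23 10:00:02 dnsmasq[123]: query[A] www.snbforums.com from 192.168.1.50
Oct 23 10:00:03 dnsmasq[123]: query[AAAA] dns.google from 192.168.1.77
"""
QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")

def doh_bootstrap_attempts(log_text, entries):
    """Map client IP -> blocked DoH hostnames it tried to resolve (a DoH bootstrap attempt)."""
    blocked = {name for _, name in entries}
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(1).lower() in blocked:
            hits.setdefault(m.group(2), set()).add(m.group(1).lower())
    return hits
```

A client that keeps appearing in `doh_bootstrap_attempts` after the sinkhole is in place is one whose browser is still trying to switch to DoH, which is the case worth looking at on the device itself.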
  14. bits

    bits Regular Contributor

    Joined:
    Oct 13, 2011
    Messages:
    78
    The first Google link I clicked listing public DoH servers has about 20 more domains from Cisco, Comcast, etc.
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    To be clear, my privacy concern isn't about Mozilla or Cloudflare's potential use of the data (I'd say I generally trust these two companies not to do anything nefarious with user data), but about the fact that all of this data is aggregated to a single point. If someone ever managed to compromise that one single server address, you can imagine the sheer volume of data they would gain access to.

    However, my primary issue with all of this is the fact that it's automatically enabled, which will bypass any security measure that you, the end-user/network admin, might have in place. Case in point: if you decided to implement a network-wide DNS-over-TLS setup, or use a DNS-based parental filter to protect your kids, then Firefox might transparently, without you even knowing it, bypass those security measures you have put in place, putting your kids at risk of being exposed to inappropriate content.

    While I'm not a fan of the DoH protocol itself (in part because of how easily it can bypass your self-implemented security measures, or your configured network management rules), my biggest beef here is that Firefox will 1) automatically, 2) if it feels like it (i.e. if in the US, but not if in another country) enable it. It makes any troubleshooting a pain, because a technician will have to guess whether you are using a public DNS server, or the DoH-selected DNS server. The address you might get by using nslookup might not necessarily be the same as used by Firefox. It's a tech support nightmare. In this regard, I like Chrome's approach, where what they do is just bump the protocol from regular DNS queries to DoH if you are currently using a DNS server known to support it. For example, if your network uses Quad9, then it will switch to DoH, still through Quad9. It will have no drawback, besides maybe a slight slowdown in resolution speed.

    In an ideal world...:

    1) Client operating systems would support DNS-over-TLS at their resolver level, with user-configurable servers, not hardcoded ones
    2) Domain owners would secure their zone through DNSSEC
    3) DoH would just go away and die

    Technologies like DoH are just poorly engineered workarounds, and their supporters fail to point out the side-effects caused by their implementation of the technology.
     
    skeal, Gar, octopus and 1 other person like this.
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,864
    Location:
    Canada
    Norton DNS was discontinued in November 2018.
     
  17. Makaveli

    Makaveli Very Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    578
    Location:
    Canada
    I just upgraded to 70

    And I see this

    [screenshot]

    Now is it 5 to disable or 3 to disable?
     
  18. AntonK

    AntonK Senior Member

    Joined:
    Apr 10, 2015
    Messages:
    274
    My FF installation has never shown the DNS over HTTPS setting checked to on. Are you saying that even though it's not checked, it STILL is on under the hood?
     
  19. cmkelley

    cmkelley Very Senior Member

    Joined:
    Aug 11, 2015
    Messages:
    1,027
    Location:
    Greater Los Angeles Area, California, USizicstania
    Are you in the U.S.? I believe it's (currently) only automatically enabled if it thinks you're in the U.S.
     
    AntonK likes this.
  20. MarkRH

    MarkRH Senior Member

    Joined:
    Oct 1, 2015
    Messages:
    238
    Location:
    Oklahoma City, OK
    If I turn DoH on then network.trr.mode gets set to 2. With it off, the value is 0. The network.trr.max-fails value does not change. It stays 5. Don't need to go into about:config to change it. Just go to Options -> General -> Network Settings button and look for the checkbox at the bottom. Screenshot: https://i.imgur.com/CA35fAr.png

    Interesting. I turned it on and Imgur would not load.