Mozilla’s New DNS Resolution Is “Dangerous”

Megalith

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,000
Mozilla is introducing a feature called Trusted Recursive Resolver (TRR) to Firefox, which is meant to enable security, but some believe it does just the opposite. TRR changes how DNS requests are routed: instead of requests going through your ISP (or other designated) server, they will be transported over HTTPS and resolved by Cloudflare. While the encryption of DNS is commendable, outfits such as ungleich are not happy about Mozilla sharing queries with a third-party service by default.

Cloudflare publicly commits to a "pro-user privacy policy" and the deletion of all personally identifiable data after 24 hours, but you never know where your data ends up at the end of the day. What you can do is, you can configure your Firefox not to use this feature. However, it is configured to use the Cloudflare resolver as default. It’s up to you to decide, who you want to trust your data with. My local ISP seems more trustworthy to me than a big US-based corporate which acts under the guise of a selfless privacy rights defender.
 
I've been using Cloudflare since I saw Linus's video on how much faster it is over the ISP version. Plus I found out that my ISP does indeed watch where I go on my browser. So I think FireFox has the right idea. Plus, what's the worst thing that could happen, someone else has info on where you go on the web? ISP's have incentives to use the DNS information against you, while also selling your data. Cloudflare will probably sell your data, but won't use it to slow down YouTube or flag you for something you downloaded.

 
If it was given as an opt-in option I could see this being far less of an issue. The problem is that everyone that is dealing software nowadays is forcing things/settings....

One company does it then the rest start to follow as the masses really don't care. Thank goodness for people that pay attention and inform the rest of us about stuff like this. I prefer Firefox.... I use Firefox because I can adjust it to the way I want it ... supposedly without all the snooping the other browsers are doing. At least now I know and have disabled this "feature" as I use my own DNS servers that I trust.

It's all about preference. Go ahead... tout the new feature but make it an opt in.... not a semi-hidden opt out.
 
This is great , didn't wait for the next patch and modified current firefox. I had to buy a new router to get rid of using dns server from the isp.. what a difference in speed.. wow (i could change my computer of course but cellphone always defaults to the router, and the isp router is no editable)
 
One more reason not to use Firefox. It's been going downhill sine version 3 anyway.
 
So... what? Firefox is doing built in DNSCRYPT with cloudflare built into the browser? Thats what it sounds like to me at least.
 
Megalith said:
Cloudflare publicly commits to a "pro-user privacy policy" and the deletion of all personally identifiable data after 24 hours, but you never know where your data ends up at the end of the day.
Click to expand...
AKA zero privacy concerns.

I'm also sure I would notice 10 ms or whatever speed difference from OpenDNS. It sounds massive! :meh:
 
Yeah, this is going to mean FireFox will get removed from corporate. I don't think Mozilla truly thought this through. It has been hard enough getting FireFox approved in corporate spaces, now it will just blanket rejected.

What fucking moron thought forcing DNS resolution like this was acceptable?
 
This looks like a good way for a state actor to track everything. Who will the highest bidder be?
 
I'm going to switch when I get home.
It's either
a) I continue to let my ISP make money off me
b) use Google's DNS and let them continue to make money off of me
c) use these guys who say they aren't doing it for the money, and, they're faster.

I'll go with speed and the lesser of the 3 evils.
 
I'm dumb but if I'm using a VPN (app, not at the router level) does the VPN handle my DNS?
 
Actually, cloudflare is good on DNS resolutions, sure you think 10ms or so difference is negligibl, though it would be based on what you access (some sites do access multiple urls - CDNs), Though I think I understand Mozilla's stand on implementing this (they just want to make sure that traffic is indeed legit most of the time), it is okay that it is default, but have a wizard at least at first start explaining the feature to the user and if the user really wants to turn it off, then let them turn it off at first start. Depending on the Corporate/Enterprise policies, this may indeed raise eyebrows as well (not much i'm guessing).
 
DukenukemX said:
I've been using Cloudflare since I saw Linus's video on how much faster it is over the ISP version. Plus I found out that my ISP does indeed watch where I go on my browser. So I think FireFox has the right idea. Plus, what's the worst thing that could happen, someone else has info on where you go on the web? ISP's have incentives to use the DNS information against you, while also selling your data. Cloudflare will probably sell your data, but won't use it to slow down YouTube or flag you for something you downloaded.
Click to expand...

scojer said:
I'm going to switch when I get home.
It's either
a) I continue to let my ISP make money off me
b) use Google's DNS and let them continue to make money off of me
c) use these guys who say they aren't doing it for the money, and, they're faster.

I'll go with speed and the lesser of the 3 evils.
Click to expand...

ISP's and Google don't have to use your DNS queries to see where you're going. All the ISP needs is the IP address your packets are being sent to or received from, and all Google needs is the IP address hitting the websites using their ads/analytics services. Oh and Facebook is doing it too. So this does nothing to stop either of them from harvesting your usage data. All you're doing is giving yet another party access to that data.
 
Been using Cloudflare for a while. No issues. They are all as bad as one another.
 
ryan_975 said:
ISP's and Google don't have to use your DNS queries to see where you're going. All the ISP needs is the IP address your packets are being sent to or received from, and all Google needs is the IP address hitting the websites using their ads/analytics services. Oh and Facebook is doing it too. So this does nothing to stop either of them from harvesting your usage data. All you're doing is giving yet another party access to that data.
Click to expand...

Well, at least it's a little faster.
 
ryan_975 said:
ISP's and Google don't have to use your DNS queries to see where you're going. All the ISP needs is the IP address your packets are being sent to or received from, and all Google needs is the IP address hitting the websites using their ads/analytics services. Oh and Facebook is doing it too. So this does nothing to stop either of them from harvesting your usage data. All you're doing is giving yet another party access to that data.
Click to expand...

It's a lot of work to remain anon on the web, in the end it's probably easier to just reduce the amount of advertising with a few browser plugins and a decent host file.
 
BloodyIron said:
Yeah, this is going to mean FireFox will get removed from corporate. I don't think Mozilla truly thought this through. It has been hard enough getting FireFox approved in corporate spaces, now it will just blanket rejected.

What fucking moron thought forcing DNS resolution like this was acceptable?
Click to expand...
How would it not be acceptable to them to simply alter the config to disable it? I can't imagine it's that hard to alter that single config line in a vanilla install then clone the settings to other systems. Or are you saying just having it as a possibility of an employee turning back on would freak out the average company?
 
DedEmbryonicCe11 said:
How would it not be acceptable to them to simply alter the config to disable it? I can't imagine it's that hard to alter that single config line in a vanilla install then clone the settings to other systems. Or are you saying just having it as a possibility of an employee turning back on would freak out the average company?
Click to expand...
They could just not enable it in their ESR release, and that can be locked down/updates bloked easily. Not seeing this as a problem for corporate.

That said, will need to keep an eye out for this in future ESR versions.
 
My local ISP seems more trustworthy to me than a big US-based corporate which acts under the guise of a selfless privacy rights defender.
Click to expand...

I don't get the logic of people being outraged by setting encrypted Cloudflare DNS as default. The way I see it there are two options:

1. Use the ISP's that lobbied for the right to sell your browsing data
(https://www.theverge.com/2017/3/28/15080436/us-house-votes-to-let-isps-share-web-browsing-history).

2. Use a third party like Cloudflare that promises not to keep/share your data. Or if you trust Google or Cisco (OpenDNS) instead you can use those.

I would much rather the default be set to someone that promises not to keep/sell your data rather than someone who is openly looking to sell the data. ATT for example is more than 100x bigger than Cloudflare and as recently as 2016 was selling targeted ads against DNS querys (their Internet Preferences program that you could pay extra to remove). Doesn't make sense to me why anyone would trust the ISP's who were openly selling DNS data until prevented by net neutrality rules they just lobbied so hard to overturn. The accusation that Cloudflare is untrustworthy because it is acting under the "guise of a selfless privacy rights defender" seems silly.

For me at least, I would go with the guy that promises not to sell your data rather than the one that you know is already doing that. Even if it turns out Cloudflare is untrustworthy as you fear, you wouldn't be worse off than with your ISP.
 
Well, I might have missed a detail, but it looks like it was not optional. If there is a setting, well, that's my bad on missing that.

But, you do raise a valid point, it turning back on by mistake can be a security concern too.

I just don't see this flying in corporate, since most that allow FireFox don't even have GPOs setup too manage it (I suspect), or equivalent Configuration Management.

DedEmbryonicCe11 said:
How would it not be acceptable to them to simply alter the config to disable it? I can't imagine it's that hard to alter that single config line in a vanilla install then clone the settings to other systems. Or are you saying just having it as a possibility of an employee turning back on would freak out the average company?
Click to expand...
 
GreenOrbs said:
I don't get the logic of people being outraged by setting encrypted Cloudflare DNS as default. The way I see it there are two options:

1. Use the ISP's that lobbied for the right to sell your browsing data
(https://www.theverge.com/2017/3/28/15080436/us-house-votes-to-let-isps-share-web-browsing-history).

2. Use a third party like Cloudflare that promises not to keep/share your data. Or if you trust Google or Cisco (OpenDNS) instead you can use those.

I would much rather the default be set to someone that promises not to keep/sell your data rather than someone who is openly looking to sell the data. ATT for example is more than 100x bigger than Cloudflare and as recently as 2016 was selling targeted ads against DNS querys (their Internet Preferences program that you could pay extra to remove). Doesn't make sense to me why anyone would trust the ISP's who were openly selling DNS data until prevented by net neutrality rules they just lobbied so hard to overturn. The accusation that Cloudflare is untrustworthy because it is acting under the "guise of a selfless privacy rights defender" seems silly.

For me at least, I would go with the guy that promises not to sell your data rather than the one that you know is already doing that. Even if it turns out Cloudflare is untrustworthy as you fear, you wouldn't be worse off than with your ISP.
Click to expand...
Not everyone has to deal with USA's ISPs. Also, they already have your surfing data. No need to let yet another company log it.
 
Meeho said:
Not everyone has to deal with USA's ISPs. Also, they already have your surfing data. No need to let yet another company log it.
Click to expand...

Fair enough. My perspective is as a US resident. I wish we had trusted ISPs here but sadly we don't in most places.

That said, DNS logs are a lot easier to datamine and monetize. ATT here in the US was specifically using those to sell ads up until 2016. It takes a lot more effort to analyse network traffic.
 
For those that missed it because the original article was updated it's just
Code: 
Set network.trr.mode = 5 to completely disable it
In about:config
 
scojer said:
I'm going to switch when I get home.
It's either
a) I continue to let my ISP make money off me
b) use Google's DNS and let them continue to make money off of me
c) use these guys who say they aren't doing it for the money, and, they're faster.

I'll go with speed and the lesser of the 3 evils.
Click to expand...
They aren't "guys". Corporations are not people. They are an economic device invented to, as Ambrose Bierce put it, provide individual profit without individual responsibility. They're designed to shield people from the consequences of amoral behavior.

It is the height of naiveté to believe anything a corporation says when it comes to morality. Google, for instance, went from its "Don't be evil" propaganda pitch to hiring a core member of staff (Schmidt) who thought that that was the stupidest corporate slogan he had ever heard. He didn't say that on the basis of reality, though. He said it on the basis of him not having any idea what evil is, beyond something that's in the Bible.

Unfortunately for us, the corporation is evil by definition. It exists to:

1) Make profit by selling things for more than they're worth (aka scam/con). Marketing sells people emotional dreams not reality, btw.

2) Funnel a disproportionate share of resources (money, basically) to the rich social class, serving, like law, as a protection mechanism for their privileged status and lifestyle.

3) Shield said class from liability/consequences.

Free speech is often used as misnomer, as if there aren't consequences for actions. However, the corporation is designed to do just that.
 
Last edited:
SIS said:
They aren't "guys". Corporations are not people. They are an economic device invented to, as Ambrose Bierce put it, provide individual profit without individual responsibility. They're designed to shield people from the consequences of amoral behavior.

It is the height of naiveté to believe anything a corporation says when it comes to morality. Google, for instance, went from its "Don't be evil" propaganda pitch to hiring a core member of staff (Schmidt) who thought that that was the stupidest corporate slogan he had ever heard. He didn't say that on the basis of reality, though. He said it on the basis of him not having any idea what evil is, beyond something that's in the Bible.

Unfortunately for us, the corporation is evil by definition. It exists to:

1) Make profit by selling things for more than they're worth (aka scam/con). Marketing sells people emotional dreams not reality, btw.

2) Funnel a disproportionate share of resources (money, basically) to the rich social class, serving, like law, as a protection mechanism for their privileged status and lifestyle.

3) Shield said class from liability/consequences.

Free speech is often used as misnomer, as if there aren't consequences for actions. However, the corporation is designed to do just that.
Click to expand...

I know corporations aren't people, it is a figure of speech.
I used it as guys refers to collection of people who formed the business that is offering the product.
 
scojer said:
I know corporations aren't people, it is a figure of speech.
I used it as guys refers to collection of people who formed the business that is offering the product.
Click to expand...
It's a trap.
 
So block out all intranet and company sites by not using your company dns server anymore. Sounds like a nice feature. Will make sure to have all my employees uninstall this right away and move to a browser that is usable.
 
scojer said:
I know corporations aren't people, it is a figure of speech.
I used it as guys refers to collection of people who formed the business that is offering the product.
Click to expand...

The sad thing is that corporations are legally people according to current law in the US (https://en.wikipedia.org/wiki/Corporate_personhood). According to the latest US Supreme court nominee, ISPs must be allowed to censor the internet since corporations are people and they have the same 1st amendment rights as people. From one of his rulings:

"Therefore, under the Supreme Court's precedents applying the First Amendment, the net neutrality rule violates the First Amendment.... Internet service providers may not necessarily generate much content of their own, but they may decide what content they will transmit"
Click to expand...

https://arstechnica.com/tech-policy...legal-according-to-trumps-supreme-court-pick/
 
Look. Ignore enterprise, looking at home use here.

Use the ISP? Yeah, no way, I ditched ISP DNS years ago and will not look back. It sucks, cause it's slow, and it sucks, because ISPs suck.

Use Google? Yeah, no way, I ditched Google DNS years ago and will not look back. Google is evil.

Use OpenDNS? Yeah, I did. For years. Then Cisco bought them, so now they are a corporation too. "Open"? Not so sure anymore. Also, lately, it kinda of sucks, been getting DNS errors when browsing.

Use CloudFlare? Ok, I made the switch today. Noticeable speed upgrade. They claim they purge my personally identifiable info after 24 hours? Who else is doing that? I'm good with it.
 
I would really like to see some benchmarks of these reported speed increases. I find it odd that people notice a couple of dozen ms saved at best when pages take seconds to load.
 
Meeho said:
I would really like to see some benchmarks of these reported speed increases. I find it odd that people notice a couple of dozen ms saved at best when pages take seconds to load.
Click to expand...
From isp to cloudfare ( non encrypted) the difference is noticeable... I think what you see as "one" page actually requires many DNS queries, and it adds up... When i switched the pages just start loading nearly instant with cloudfare. I do doubt from google to open dns to cloudfare anything is too noticeable.
 
Ok doesn’t hurt me. Cloudflare is doing great for me today. If pages are taking seconds to load maybe you need to get a better DNS.
 
You must log in or register to reply here.
Back
Top