
"Enable DNS over HTTPS" and selecting a provider doesn't seem to have any effect


Rav

Jun 3, 2020, 3:51:06 PM
to mozilla-sup...@lists.mozilla.org
Using Firefox 77.0.1 under Windows 10 Professional. Under General >
Network Settings, I have "Enable DNS over HTTPS" turned on, and have set
the provider to NextDNS. However, even after restarting the browser, if
I go to any number of websites which check which DNS resolver I'm using,
it still says I'm using my internet provider's DNS (Comcast, in my case).
For example, at my.nextdns.io/64ee1d/setup, it says "This device is
not using NextDNS. This device is currently using COMCAST-7922 as DNS
resolver." And www.whatsmydnsserver.com/ also says I'm using Comcast's
DNS Server. Am I misunderstanding something? Thanks.

Millwood

Jun 3, 2020, 4:28:22 PM
to mozilla-sup...@lists.mozilla.org
I think you are misunderstanding. DNS over HTTPS support in Firefox
causes Firefox to use the interface directly rather than your computer's
DNS services. But your computer still uses the normal services, as will
any program that tests your computer's connection.

I also believe (to be verified) that Firefox falls back on the normal
service if the DNS over HTTPS request fails.

😉 Good Guy 😉

Jun 3, 2020, 5:31:44 PM
to mozilla-sup...@lists.mozilla.org
On 03/06/2020 21:28, Millwood wrote:
> On 6/3/2020 3:50 PM, Rav wrote:
>> Using Firefox 77.0.1 under Windows 10 Professional. Under General > Network Settings, I have "Enable DNS over HTTPS" turned on, and have set the provider to NextDNS. However, even after restarting the browser, if I go to any number of websites which check which DNS resolver I'm using, it still says I'm using my internet provider's DNS (Comcast, in my case). For example, at my.nextdns.io/64ee1d/setup, it says "This device is not using NextDNS. This device is currently using COMCAST-7922 as DNS resolver." And www.whatsmydnsserver.com/ also says I'm using Comcast's DNS Server. Am I misunderstanding something? Thanks.
>
> I think you are misunderstanding. DNS over HTTPS support in Firefox causes Firefox to use the interface directly rather than your computer's DNS services. But your computer still uses the normal services, as will any program that tests your computer's connection.


So what is the point of enabling DoH in Firefox?  Why not just use Cloudflare (1.1.1.1) or NextDNS in your router?  I believe Google also has this facility/feature.

I still don't see the benefit of this in FF.  FF should concentrate on providing a robust browser that people can use and get work done quickly.




--
With over 1.2 billion devices now running Windows 10, customer satisfaction is higher than any previous version of windows.

WaltS48

Jun 3, 2020, 5:48:55 PM
to mozilla-sup...@lists.mozilla.org

Jeff Barnett

Jun 3, 2020, 6:57:31 PM
to mozilla-sup...@lists.mozilla.org
The benefits, according to the article: "DoH improves privacy by hiding
domain name lookups from someone lurking on public WiFi, your ISP, or
anyone else on your local network. DoH, when enabled, ensures that your
ISP cannot collect and sell personal information related to your
browsing behavior." Since my COMCAST ISP uses their computers to do DNS
for me, they sure as hell know where I'm browsing. So it seems to enhance
privacy, etc., I would need to use HTTPS and find a more trusted party to
be my DNS. Do I have that right?
--
Jeff Barnett



Millwood

Jun 3, 2020, 8:57:53 PM
to mozilla-sup...@lists.mozilla.org
DNS over HTTPS is private from everyone EXCEPT the DNS provider. So yes,
you have to trust the DNS over HTTPS provider.

Regular DNS is not encrypted so anyone seeing your traffic, which
certainly includes your ISP, can snoop on it.

WaltS48

Jun 3, 2020, 9:32:41 PM
to mozilla-sup...@lists.mozilla.org
You go to Options > General > Network Settings heading.
Click "Settings"
Select "Enable DNS over HTTPS".
Then select a provider in the "Use Provider" drop-down menu.
Cloudflare is the default.

--
OS: Ubuntu Linux 18.04LTS - Gnome Desktop
https://www.thunderbird.net/en-US/get-involved/
https://give.thunderbird.net/en-US/

BillH

Jun 3, 2020, 10:58:24 PM
to mozilla-sup...@lists.mozilla.org
From the articles I have been reading, this really doesn't stop the ISP
from seeing what sites you are visiting.

To quote one article:

"DOH DOESN'T ACTUALLY PREVENT ISPS USER TRACKING
One of the main points that DoH supporters have been blabbing about in
the past year is that DoH prevents ISPs from tracking users' DNS
requests, and hence prevents them from tracking users' web traffic habits.

Yes. DoH prevents the ISP from viewing a user's DNS requests.

However, DNS is not the only protocol involved in web browsing. There
are still countless other data points that ISPs could track to know
where a user is going. Anyone saying that DoH prevents ISPs from
tracking users is either lying or doesn't understand how web traffic works.

If a user is accessing a website loaded via HTTP, using DoH is
pointless, as the ISP will still know what URL the user is accessing by
simply looking at the plaintext HTTP requests.

But this is also true even if users are accessing HTTPS websites. The
ISPs will know to what site the user is connecting because the HTTPS
protocol isn't perfect, and some parts of the HTTPS connection are not
encrypted.

Experts say that ISPs won't be inconvenienced by DoH, at all, because
they can easily look at these HTTPS portions that are not encrypted --
such as SNI fields and OCSP connections.

DoH encrypts precisely zero data that is not already present in
unencrypted form. As it stands, using DoH only provides *additional*
leaks of data. SNI, IP addresses, OCSP and remaining HTTP connections
still provide the rest. It is fake privacy in 2019.

— Bert Hubert 🇪🇺 (@PowerDNS_Bert) September 22, 2019
Furthermore, ISPs know everything about everyone's traffic anyway. By
design, they can see to what IP address the user is connecting when
accessing a website.

This IP address can't be hidden. Knowing the final IP destination
reveals to what website a user is connecting, even if everything about
his traffic is encrypted. Research published this August showed that a
third-party can identify with 95% accuracy to which websites users were
connecting just by looking at IP addresses.

Any claims that DoH prevents ISPs from tracking users are disingenuous
and misleading, experts argue. DoH merely inconveniences ISPs by
blinding them to one vector, but they still have plenty of others."

This is from:

https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/#:~:text=DoH%20doesn't%20actually%20prevent%20ISPs%20user%20tracking,-One%20of%20the&text=DoH%20prevents%20the%20ISP%20from,protocol%20involved%20in%20web%20browsing.&text=DoH%20encrypts%20precisely%20zero%20data,*additional*%20leaks%20of%20data.

This is just one article that talks about this. It is one of many. I
wouldn't count on DoH hiding your browsing. If you want to do that you
should probably use a VPN.

Bill

--
If you want to send me an email, you must remove "NOSPAM" from my email
address before replying.

Jeff Barnett

Jun 4, 2020, 12:53:06 AM
to mozilla-sup...@lists.mozilla.org
So I got it right???
--
Jeff Barnett


Andrei Z.

Jun 4, 2020, 12:53:06 AM
to mozilla-sup...@lists.mozilla.org
NextDNS was overloaded.

Trusted Recursive Resolver - MozillaWiki
DNS-over-HTTPS Settings in Firefox
https://wiki.mozilla.org/Trusted_Recursive_Resolver#DNS-over-HTTPS_Settings_in_Firefox
"2 - First. Use TRR first, and only if the name resolve fails use the
native resolver as a fallback."

Firefox 77.0.1, ...
https://www.mozilla.org/en-US/firefox/77.0.1/releasenotes/
"Disabled automatic selection of DNS over HTTPS providers during a test
to enable wider deployment in a more controlled way (bug 1642723)"

Bug 1642723 Pref-off automatic TRR-selection by default e.g. so it can
be controlled by Normandy
https://bugzilla.mozilla.org/show_bug.cgi?id=1642723
"We need to be able to roll this out gradually so that we don't overload
any providers. Even the dry-run involves up to 10 requests per client
which can be very significant when the entire release population updates."

WaltS48

Jun 4, 2020, 8:18:29 AM
to mozilla-sup...@lists.mozilla.org
If you are in the USA.

Rav

Jun 4, 2020, 8:50:07 AM
to mozilla-sup...@lists.mozilla.org
It says "Disabled /automatic/ selection ...." I enabled it manually.

Rav

Jun 4, 2020, 8:53:20 AM
to mozilla-sup...@lists.mozilla.org
I appreciate your response but I still don't understand. When you say
"use the interface directly," which interface -- something on my local
machine, or something out on the internet? And if by "still uses the
normal services" you mean (in my case) Comcast, what is the point of
being able to select a different provider if it doesn't end up being
used? Thanks.

Andrei Z.

Jun 4, 2020, 9:35:16 AM
to mozilla-sup...@lists.mozilla.org
It can be controlled via Normandy

Firefox_Normandy_PreferenceRollout - MozillaWiki
https://wiki.mozilla.org/Firefox/Normandy/PreferenceRollout

I prefer to disable Normandy: app.normandy.enabled set to false

Andrei Z.

Jun 4, 2020, 10:24:42 AM
to mozilla-sup...@lists.mozilla.org
Firefox 77.0.1 will be released today to fix one issue - gHacks Tech News

https://www.ghacks.net/2020/06/03/firefox-77-0-1-will-be-released-today-to-fix-one-issue/

Millwood

Jun 4, 2020, 10:34:51 AM
to mozilla-sup...@lists.mozilla.org
First - other posters have pointed out that tracking can be done without
DNS snooping.

Now for some technical stuff.

Programs running on your computer use services provided by the operating
system, so they don't have to re-implement everything from scratch, so
things work uniformly, and so dangerous things can be controlled. One
such service provides DNS lookups. The program passes a name to the
service, and the service returns the IP address or an error (this is an
oversimplification but gets the point across). The operating system is
configured to use a particular set of DNS servers to implement this
service. In Windows, if you type

ipconfig /all

in a command window you will see, among other things, the DNS servers
being used. It is possible to configure your machine to use particular
servers, but normally your machine gets that information from your router.

Firefox DNS over HTTPS does not use the operating system service, but
rather requests DNS information directly, via HTTPS, from the server
configured.

Andrei Z.

Jun 26, 2020, 6:43:42 AM
to mozilla-sup...@lists.mozilla.org
Andrei Z. wrote:

<snip>

> NextDNS was overloaded.

"Comcast’s Xfinity Internet Service Joins Firefox’s Trusted Recursive
Resolver Program"

https://blog.mozilla.org/blog/2020/06/25/comcasts-xfinity-internet-service-joins-firefoxs-trusted-recursive-resolver-program/

<snip>

Andrei Z.

Jun 27, 2020, 12:53:20 AM
to mozilla-sup...@lists.mozilla.org
Comcast is the first ISP that joins Firefox's Trusted Recursive Resolver
Program - gHacks Tech News
https://www.ghacks.net/2020/06/26/comcast-is-the-first-isp-that-joins-firefoxs-trusted-recursive-resolver-program/

More details on Comcast as a Trusted Recursive Resolver - The Mozilla Blog
https://blog.mozilla.org/blog/2020/06/26/more-details-on-comcast-as-a-trusted-recursive-resolver/