And how the hell is split-horizon DNS supposed to work if resolve.conf is ignored?
This may be "fine" for (some) home users, but most organizations have a whole bunch of internal-only records. And even a lot of residences have things like printers and such that live under .local: how is the browser supposed to connect to those?
Who the fsck is Mozilla that they get to dictate policy in my IT organization about how DNS "should" work?
This attitude always amazes me. You have obviously mastered a set of system administration skills over several years, and you are comfortable with a particular way of doing things. When somebody points out a weakness with the status quo and tries to offer something better, though, you react with hostility.
Why do you think that is? I understand that their solution is not perfect (nothing ever starts out that way), but the amount of aggression in your comment suggests that something deeper is going on. Do you feel threatened?
I suspect it's fear of change. As people realize that plain-text DNS is a gaping security hole, they are going to start demanding encryption. This means you, the administrator, will have to learn more skills and do more work to keep things running. Things like `.local:` printers may break, and you may have to upgrade your internal DNS servers to RFC8484 so you can keep your split-horizon stuff working. Security is never free.
Or not. None of this is mandatory, and you can just switch it off (and Mozilla will automatically switch it off if they detect an environment like yours, as it says in TFA). The threat isn't Mozilla "deciding policy" for you (they aren't), the threat is that they are calling the industry out for running old & vulnerable DNS standards, and we all know deep inside that they are right.
I think the underlying issue is absolutely a power struggle.
Until recently, the general understanding was that each network operator was responsible for the clients inside their network - and therefore also had the ability to set the network's configuration.
In 99.99% of the cases, this included access to nonlocal sites on other, public network's, aka "the web", but this was nowhere technically required. Browsers and other DNS-consuming apps were perfectly capable of working within other networks. What a DNS name resolved to was technically a property of the network.
By now, this model is shifted towards the Web as a platform with browsers and DNS as clear parts of it - a platform that is incidentally pay-to-play and centrally controlled by the US because at the very least you need recurring payments for your domain and you need to give companies and institutions located in the US control over your machine.
This shift has been going on for a long time, but I believe HTTPS-everywhere and DoH have served to make this unignorably obvious because those bring the concept of the web platform into the technology stack itself.
To make the tired old car analogy again: In the vast majority of cases, you will drive your car on the public road network and nowhere else. However your car is technically capable of driving off-road or performing highly questionable maneuvers in your backyard because the car itself doesn't have any concept of "public roads", "private roads" or "non-roads". DoH would be adding a device that turns off the engine as soon as you're not on a public road. What exactly constitutes as a "public road" is determined by the car manufacturer.
I do agree that in the long run it might be better for ensuring that "the web" is the same no matter from where you visit, but I think it's definitely more than a simple technical change.
I also think all the heuristics, opt-outs and special rules for corporate network's don't cut it, because they relegate the current default case to an uncommon special case - and developers have a habit of ignoring uncommon special cases. I wouldn't be surprised if we see a lot of non-browser apps and devices in the future that use DoH by default and that an administrator would have to reconfigure by hand for each single installation - or that are simply hardwired to some set of DoH servers without any way to configure them at all.
Wow, I had not considered the deeper power shifts from this perspective.
The root the problem, I suppose, lies with public-key cryptography. We all know encryption is a good thing (unless you want to broadcast private information to the world), but encryption is useless unless you know who you are talking to. When someone comes to you in a ski mask and says, "It's me, your best friend", you probably want to see their face before you tell them any secrets - they could be anybody.
Online, though, how do we know who anybody is? The current answer, for better or worse, is TLS with pay-to-play domain registration and certificate authorities. Decentralized, peer-to-peer systems like PGP have never been easy for consumers to use. You can "off-road" encrypted DNS by running your own DoH server & installing self-signed certificates on your client devices, but that's not an easy option.
"My LAN is my castle" may work for some cases, but most of us conduct business with people all over the world, thanks to the internet. This is the primary use-case for most networks & computer systems.
I'm afraid individuals will continue losing the power struggle as long as decentralized identity systems remain obscure. We need something that's as easy and compelling to use as our current centralized systems. It needs to be something consumers can use it to secure their every-day communications, as easy as visiting an HTTPS web site or chatting with a friend on Facebook. I just don't know how we get from here to there.
> ... but encryption is useless unless you know who you are talking to.
False. Opportunistic encryption is useful even if you don't know the other person's identity. This is because it helps prevent wholesale surveillance and "tapping glass":
For the majority of the website I go to on a casual basis, I don't really care who is behind running them. Certainly I want that for my banks and webmail, but not so much for some random weblog that has an article comparing Rust and C.
I'm all for Let's Encrypt, and pushed for it to be introduced at work (both for internal and external sites), but we could have gotten encryption in more places, a lot sooner if connections over plaint-HTTP (tcp/80) could have been upgraded automatically to encryption:
There would have been no lock icon in web browsers, but it would have scrambled a lot of bits. Yes, MITM would still have been possible, but MITM is a targeted attack that takes way more resources than simply vacuuming up everything that goes across the wire.
The insistence of providing identity, IMHO, delayed the securing (or at least 'confidentializing') of communications by many years. LE/ACME is getting us there, but we could have had a lot more encrypted traffic already but for the desire for the little lock icon.
Sorry, I don't understand why this is. Can you not just set up your own DoH server, or use your ISP's (perhaps automatically via DHCP)? How is that different from what happens now, except the traffic is now encrypted?
To my knowledge, one of the defining characteristics of DoH is that it's not configured by the network.
There is a default setting managed by Mozilla which the vast majority of users are expected to use (currently Cloudflare's resolver). You can choose to disable DoH or set your own resolver - however that has to be done manually for every installation of Firefox.
Mozilla is offering a way for networks to signal "don't use DoH here" as described in this article, but Mozilla is intending this to be used for certain specific scenarios only (parental controls and corporate networks) and reserves the right to ignore the signal if it is misused.
To my knowledge, there is no "DoH" entry in DHCP, where a network could specify a local DoH resolver. All articles I've read about it also very much treat it like an application-level protocol, as opposed to the old mechanism where resolution was done centrally by the OS. If this approach is continued, then every application would have to decide for itself which resolver it uses.
The network administrator shouldn’t be able to change any setting at all on client devices. That’s the point! If you can just direct clients to a malicious DoH server then the project has largely failed.
The device administrator should be the one making the choice about what resolvers to use.
I agree: the device administrator should be in charge. Essentially, I see this conversation as having spun into an awkward regime where there is an implicit and entirely incorrect assumption here that the options are 1) the network configures the DNS setup and 2) individual apps configure their DNS setup; what happened to 3) the owner of the computer (the device administrator) configures their DNS setup?
The status quo implementation has been that the operating system handled DNS, which actually did put the power in the hands of the device administrator: I don't think I have ever seen a device that wasn't clearly owned under some crazy MDM scheme where you couldn't choose your own DNS servers. Sure: recently, it happened to have a default to trust the network... but that was just a convenience, and is a "new phenomenon" brought on by DHCP being widely deployed. All of the software wasn't designed with that as an assumption.
So, if I want DoH, why am I not just setting up a custom resolver on my computer, that all of my apps use, including Firefox? The "power struggle" alluded to up-thread is actually much deeper: it is using network operators as an excuse to take power away from users, by moving what used to be an operating system feature into individual applications in a world where DRM via code signature is being deployed to lock users into curated application domains to prevent them from modifying that software to do what they want.
(That said, I mean... the way Firefox implemented this totally still gives the network administrator control, due to the opt-out provision? So in some sense a lot of this conversation is useless... for now.)
Network administrators don't have power over device administrators, so the premise is a bit false. Device administrators are the network administrators on their own devices.
> Network administrators don't have power over device administrators ...
They (possibly) do when they're both under the same Director of IT.
Security is everyone's responsibility in an organization, and the folks in Helpdesk (ideally) want to prevent intrusions just as much as the NetOps folks.
> The device administrator should be the one making the choice about what resolvers to use.
No, the device owner should be the one. Which could the company/organization that bought the device in the first place, in which case that is delegated to the IT team.
And if the IT team does not want DoH, it is the IT team that gets the final word.
Mozilla has been nice enough to give options to disable that, and that can easily be done with GPOs on Windows, but not all the world is Windows, and if you have a large Mac or Linux use base that uses Firefox, how will disabling DoH be automated there?
And just because Mozilla has been nice enough, does not mean that other developers will be.
Right? Because the core issue is that browser vendors (and eventually probably OS vendors) do not trust the local network operator. There will be GPO’s and Jamf profiles, and Ansible playbooks to configure this setting for the swarm of machines you ‘own’ but you are simply not a trusted party to any person that connects to your Wi-Fi access point.
> I do agree that in the long run it might be better for ensuring that "the web" is the same no matter from where you visit, but I think it's definitely more than a simple technical change.
Tell that to the health and financial regulatory regimes that us some of have to work under to ensure people's privacy is respected. I work in health care, and we have data-at-rest and -in-motion encryption and firewalls and application-level ACLs & permissions all over the place in our internal network.
Not being able to resolve internal-only systems, which have absolutely no need/business being in external DNS, because of a change in behaviour in client software is just dumb.
People complain about the stupidity of (e.g.) power plant controls being directly connected to the Internet, or not being air gapped from the folks in Accounting, but then we seem to have developers writing software that will not work very well in these isolated/island networks.
I'm all for the general end-to-end principal (that IPv6 may help bring back) with protection being done by stateful firewalls, but there are all sorts of use cases for private, isolated networks that are behind NAT/NPT gateways that are given ULA addresses.
It's amazing that you have such strong opinions about an article you didn't even bother to read.
First, they detect split horizon situations and explain how.
Second, if you as an admin want to force disable DoH across the network, they've provided a DNS-based way to do so.
Third, if this really bothers you, Mozilla provides GPO templates (and JSON based methods for other OSes) to configure all of these settings at an application level.
Maybe focus that outrage energy on reading the article before posting?
Mozilla may be kind enough to have those settings, but that doesn't mean other software will do the same thing.
It's nice that Mozilla may allow setting other DNS servers for DoH, and perhaps will eventually use OS-level settings, but what happens when some dumb ass developer does not?
Perhaps if they implemented DNS-over-TLS (DoT) instead/as well, then we could have encrypted DNS that is still monitorable.
I'm waiting for the day when malware will start using DoH and use Cloudflare as the DNS server. As someone who works in IT, will I have to block CF to prevent that possibility? How many bots have been taken down over the years because their C&C domains were taken over?
The silly assumption being made here is that "DoH" = "talk HTTPS to Cloudflare". I want DoH, but I need private domains. I would like to talk DoH to a thing I control.
This may be "fine" for (some) home users, but most organizations have a whole bunch of internal-only records. And even a lot of residences have things like printers and such that live under .local: how is the browser supposed to connect to those?
Who the fsck is Mozilla that they get to dictate policy in my IT organization about how DNS "should" work?