Slashdot Mirror


Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch)

With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.

From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true that when you are somewhere in a network you don't know, i.e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.

But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.

26 of 301 comments

  1. I'd want to know how to disable the behavior by cmaurand · · Score: 5, Insightful

    I run my own local recursive nameservers even on my portable devices. Totally not interested in using anyone's resolvers but my own. I hope they publish instructions on how to bypass the behavior.

    1. Re:I'd want to know how to disable the behavior by Gojira+Shipi-Taro · · Score: 4, Informative

      They did. Well someone did. I believe this came from documentation on the feature when it was in beta:

      https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    2. Re: I'd want to know how to disable the behavior by Anonymous Coward · · Score: 5, Funny

      Will this enable or disable the behavior?

      Yes

    3. Re: I'd want to know how to disable the behavior by fahrbot-bot · · Score: 5, Informative
      From:

      https://blog.nightly.mozilla.o...
      https://wiki.mozilla.org/Trust...

      • 0: Off by default
      • 1: Firefox chooses faster
      • 2: TRR default w/DNS fallback
      • 3: TRR only mode
      • 5: Disabled

      I imagine the setting we're all looking for is: user_pref("network.trr.mode", 5);

      --
      It must have been something you assimilated. . . .
    4. Re:I'd want to know how to disable the behavior by Spamalope · · Score: 4, Interesting

      So when I'm using an internal nameserver that resolves local servers with their local IP address, this thing will force resolve the external address from an external DNS and break local access, won't it? (split brained DNS)

  2. I'm done with Firefox by Anonymous Coward · · Score: 5, Insightful

    Sorry, I'll have to pass on Firefox these days. They are making too many decisions that really should be mine, not theirs. This should be an opt-in if it happens at all. A lot of us use chosen DNS servers, thank you very much Mozilla, but no thanks.

    1. Re:I'm done with Firefox by Billly+Gates · · Score: 3, Interesting

      I suppose you prefer to do your forwarding requests to your ISP DNS who sells your browsing information instead, huh?

      FYI Cloudflare's business model is to help business customers secure their connections. You can read it here which is a plus for grandma. But if you're technical like most of us then I am sure you can disable it.

    2. Re:I'm done with Firefox by sexconker · · Score: 3, Insightful

      Have you ever actually tried to help Mozilla / Firefox? Have you ever filed a bug report or commented on one?

      Every time I have, Mozilla's goons either:

      1 - Report it as a dupe of a related issue that was closed (closed as fixed, closed as won't fix / feature request, or closed as being a dupe of yet some other one).

      2 - Close it as fixed without fixing it. Often, the issues marked as fixed are not actually fixed, or were fixed but have reappeared (what you're trying to report before getting marked as a dupe, see above).

      3 - Close it as won't fix / feature request and lock the comments (see above). These are often issues where people are complaining that FF's latest change or injection of some bullshit no one wants has broken basic functionality and the mods on their bug tracker just stick their fingers in their ears and scream "LALALALALALALALA I CAN'T HEAR YOU" before locking the comments and marking everything as dupes that ultimately trace back to some completely unrelated issue.

      4 - Report it as a dupe of a completely unrelated issue and chastise you for not using the broken and unwieldy search to find issues unrelated to what you're trying to report.

  3. Hipster using wifi in fashion coffee shops... by williamyf · · Score: 4, Insightful

    ... need this feature a lot.

    And since the Firefox developer team has a big subset of that demographic, it is quite clear why this was included.

    All the rest of us, who carefully configured our DNS resolvers (or set up our own DNS servers), get screwed by default. Please tell me how to turn this off in Firefox for Mac/Android...

    All the hipster developers using wifi in starbucks and other hipster coffee shops should be thanking Mozilla right now. All the rest of us, not so much.

    PS: How does this work when one needs to go to a captive web portal in order to authenticate on the Wifi?

    --
    *** Good luck to everyone and have a nice day!
    1. Re:Hipster using wifi in fashion coffee shops... by Greyfox · · Score: 5, Insightful

      I dropped them years ago for their willingness to fuck with standard network behavior. If I put an address in, I want my browser to ask my OS to resolve it. Period. I don't want to search for the thing if it's not found. I don't want someone's re-implemented name service protocol. I certainly don't want some half-assed application written by some half-assed application developer to try to re-invent how networking works, along with all the ways we already figured out that networking could be attacked for the last four decades.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    2. Re:Hipster using wifi in fashion coffee shops... by williamyf · · Score: 4, Interesting

      As I stated on my original post, I use Firefox ESR 60 on a mac. And Firefox on my android (KeyOne).

      At home I use 9.9.9.9, 8.8.8.8 and 208.67.222.222 since I have better things to do than to set up my Synology to be my DNS server.

      But when I travel, I use public wifi whenever I can get it, be that my hotel, the training centers where I teach, or, god forbid, a hipster coffee shop. And many of those need a captive portal to authenticate to the Wifi, and that depends on using the Network's DNS servers. So, I configured an "Automatic" setting on the network locales of my mac to handle those cases.

      So, as a user of Firefox, I am not happy with this. I am capable enough to configure my DNS settings (or, if push comes to shove, set up a DNS from scratch, not even touching my nas).

      So thank you for the inconvenience Mozilla. I hope you guys enjoy the backlash when hipsters start to realize that they cannot connect to the net in their favourite hipster watering spot because they cannot get to the captive portals...

      At least, the guys who use Mozilla in corporate networks will get this asinine setting turned off in group policies... as for the rest of us, a quick google and a trip to about::settings shall suffice

      --
      *** Good luck to everyone and have a nice day!
    3. Re:Hipster using wifi in fashion coffee shops... by nmb3000 · · Score: 4, Informative

      You might consider switching to DNS Watch. Instead of providing Google or Cloudflare all your DNS query data (they have fingers in plenty enough other places in my opinion), DNS Watch favors privacy, security, and anonymity.

      Preferred DNS server: 84.200.69.80
      Alternate DNS server: 84.200.70.40

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    4. Re:Hipster using wifi in fashion coffee shops... by mrbobjoe · · Score: 5, Interesting

      Mozilla employee here, though not involved with this project.

      The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails. For a little more detail see: https://wiki.mozilla.org/Trust...

    5. Re:Hipster using wifi in fashion coffee shops... by ArsenneLupin · · Score: 4, Insightful

      The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails.

      ... which negates any purported security benefit from this "feature". All a malicious access point wanting to send you to phishing sites would need to do would be to block TRR.

    6. Re:Hipster using wifi in fashion coffee shops... by thegarbz · · Score: 3, Interesting

      I hope you guys enjoy the backlash when hipsters start to realize that they cannot connect to the net in their favourite hipster watering spot because they cannot get to the captive portals...

      I take it you don't realise that Firefox detects captive portals and brings up a bar across the top asking you to sign in, and that since Firefox is in control of when and how it makes requests this functionality is not affected?

      May I recommend another slashdot story, the one suggesting we need more people studying liberal arts because the concept of "critical thinking" seems to be lost.

    7. Re:Hipster using wifi in fashion coffee shops... by WaffleMonster · · Score: 5, Interesting

      Mozilla employee here, though not involved with this project.

      Will Mozilla be disclosing its financial relationship with cloudflare and provide a full accounting of funds it receives as a result of this insanity?

    8. Re:Hipster using wifi in fashion coffee shops... by TFlan91 · · Score: 5, Interesting

      Why trust them? A lot of dead links on their website, GitHub, Facebook, their "network", even their other website ideal-hosting.com isn't resolving.

      All I can find is that they are some IT/Media company from Munich, Germany.

    9. Re:Hipster using wifi in fashion coffee shops... by Deathlizard · · Score: 4, Informative

      This is what is currently on the 1.1.1.1 site (which I'm assuming that's what Firefox is using since it's owned by Cloudflare)

      Privacy First: Guaranteed.
      We will never sell your data or use it to target ads. Period.

      We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

      Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.

      Of course, like any other DNS Resolver, you have to trust what they're saying is true, but vs. your ISP DNS (which most Firefox users are using by default) or Google Public DNS, Cloudflare would be a privacy improvement. Not sure if it's better than Quad9 security wise though.

      The biggest issue I have is that the settings aren't exposed by the settings menu and have to be configured using about:config. I would like to see better controls for it and possibly a list of supported DNS providers to choose from, like how I can choose Search engines.

  4. Re:Firefox updates, more stuff to disable by Aighearach · · Score: 4, Informative

    Stop updating.

    Block JavaScript by default. (NoScript)

    Block cross-site scripting by default. (uMatrix)

    Block tracking cookies. (Privacy Badger)

    Block advertising. (uBlock Origin)

    Feature thrash does not solve security problems. If you can't get updates that are separate from new features, you can't trust them to reduce the attack surface.

  5. If people want to use an alternate resolver by bobstreo · · Score: 5, Insightful

    They should be allowed to do so, at the OS level.

    The summary didn't mention if this "feature" was possible to disable.

    I DO NOT want every freaking app to use a different DNS to resolve my queries.

    1. Re:If people want to use an alternate resolver by markdavis · · Score: 5, Informative

      >"The summary didn't mention if this "feature" was possible to disable."

      about:config
      network.trr.mode = 5 to completely disable it

      • 0 Off. To use operating system resolver.
      • 1 Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
      • 2 First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
      • 3 Only. Only use TRR. Never use the native (after the initial setup).
      • 4 Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
      • 5 Off by choice. This is the same as 0 but marks it as done by choice and not done by default.

      https://blog.usejournal.com/ge...
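      To make the mode list above and ArsenneLupin's fallback objection concrete, here is an added model of the six documented network.trr.mode values (example code written for this page, not Mozilla's implementation). The resolver answers, the hostname and the "DoH blocked" switch are all constructed; the point is which modes silently fall back to the network's resolver when DoH is unreachable and which fail closed.

```python
"""Model of Firefox network.trr.mode fallback behaviour (added example, not Mozilla code).

Models the documented modes 0-5 with a constructed DoH (TRR) resolver that can
be marked unreachable, to show which modes fall back to the network's native
resolver (a downgrade) and which fail closed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed answers: the network's native resolver and the DoH resolver give
# different addresses for the same name, modelling a tampered network resolver.
NATIVE_ANSWERS = {"bank.example": "198.51.100.66"}   # constructed, "tampered"
DOH_ANSWERS = {"bank.example": "203.0.113.10"}       # constructed, "genuine"


@dataclass
class Resolution:
    address: Optional[str]
    source: str   # "native", "trr" or "none"


def resolve(name, mode, doh_blocked=False, native_faster=True):
    """Return the answer Firefox would use for the given network.trr.mode value."""
    native = NATIVE_ANSWERS.get(name)
    trr = None if doh_blocked else DOH_ANSWERS.get(name)
    if mode in (0, 5):            # off / off by choice: OS resolver only
        return Resolution(native, "native")
    if mode == 1:                 # race: first answer wins; a blocked TRR never answers
        if trr is None or native_faster:
            return Resolution(native, "native")
        return Resolution(trr, "trr")
    if mode == 2:                 # TRR first, native fallback when TRR fails
        return Resolution(trr, "trr") if trr is not None else Resolution(native, "native")
    if mode == 3:                 # TRR only: no answer when TRR is unreachable
        return Resolution(trr, "trr") if trr is not None else Resolution(None, "none")
    if mode == 4:                 # shadow: TRR queried for measurement, native answer used
        return Resolution(native, "native")
    raise ValueError(f"unknown network.trr.mode {mode}")


def downgrade_possible(mode):
    """True when blocking DoH switches Firefox from the TRR answer to the network's answer."""
    normal = resolve("bank.example", mode).source
    blocked = resolve("bank.example", mode, doh_blocked=True).source
    return normal == "trr" and blocked == "native"


if __name__ == "__main__":
    for m in range(6):
        r = resolve("bank.example", m, doh_blocked=True)
        print(f"mode {m}: DoH blocked -> {r.address} via {r.source}; downgrade={downgrade_possible(m)}")
```

      Only mode 3 refuses to answer when DoH is unreachable; mode 2, the "TRR default w/DNS fallback" the thread expects to ship, quietly returns whatever the network's resolver says.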

  6. Agreed, but 99% of users are clueless. Turn it off by raymorris · · Score: 5, Insightful

    > They are making too many decisions that really should be mine, not theirs. A lot of us use chosen DNS servers

    Like you, I would turn it off. I also recognize that 99.9% of users don't know what DNS is. So that goes to the question of "they [Firefox] are making too many decisions that should be mine, not theirs". I would say the *defaults* should be selected based on what is best for the 99% of users who can't and won't make a choice. Settings should be available for the 0.1% who will use them.

    That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about. That's an entirely separate question.

  7. Re:Agreed, but 99% of users are clueless. Turn it by gravewax · · Score: 4, Insightful

    It doesn't have to be black and white. Take an approach similar to Microsoft's where they show a screen on first use with all the defaults set but the ability to select your own, clueless users get to click next and keep what Mozilla thinks is best while knowledgeable users can make whatever choice that they see fit as they are being informed.

  8. A load of crap. Cloudflare is secure by Billly+Gates · · Score: 4, Insightful

    First off your ISP guarantees they sell your browser history to advertisers and some EVEN INSERT ads into your browsing experience. Cloudflare who is behind 1.1.1.1 guarantees your privacy as well as gives you the lowest latency if you read the agreement at www.1111.com.

    Cloudflare is used for companies that have been hacked for security as well as CDN services. Experia consulted with them after the scandal.

  9. Don't "be done" with software freedom. by jbn-o · · Score: 5, Insightful

    Sorry, I'll have to pass on Firefox these days. They are making too many decisions that really should be mine, not theirs.

    It's a shame you're reaching such a radical decision with no clear indication of how you'll achieve this desired end. The other popular browsers (Edge, Safari, Chrome, or Opera) are proprietary (nonfree software, user-subjugating software). So without more information it seems like you're likely going to choose a browser that will, ironically, give you considerably less control over your browser and you'll end up making a choice to have fewer "decisions that really should be mine not [theirs]". You're overreacting in response to something that is literally a preference change away (as far as we know now). Encrypted DNS lookups could be a very good thing, but pushing users into using a particular DNS server is bad and choosing an organization with a track record for going back on their promises (as Cloudflare is famous for doing) makes this decision worse.

    But regardless of the change or how easy it is to switch the behavior back to using only your preferred DNS server and never informing an unwanted third-party about your browsing, the saving grace of Firefox remains the same: Firefox is licensed such that one can make a free derivative browser (as others have done). We're all allowed to inspect the code, make changes, run the now-trusted version, and help others by distributing a derivative browser. You can't legally do any of that with other popular browsers.

    We make free software better by improving it and using the improved versions, not abandoning free software when it becomes inconvenient or undesirable. The privacy you obviously, and rightly, want to keep depends on software freedom.

  10. Re:Agreed, but 99% of users are clueless. Turn it by AmiMoJo · · Score: 3, Interesting

    That just trains users to blindly click "use recommended settings" all the time. Within about a week of Microsoft rolling that screen out you started seeing malware requesting permissions from the user with "use recommended settings" or "accept (recommended)". Worst of all, having gone with the recommendation the next pop-up from Windows asking them to confirm if they are really really sure also becomes a blind click-through.

    Besides which, I don't see any value in such a screen when the settings menu is two clicks away and power users are going in there anyway.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC