Improving DNS security and privacy and upcoming firefox/waterfox changes

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 15 Jun 2019 21:31

trr mode 5 didn't work for my firefox. only zero (disable mode) works. I'm using debian's build so I'm not sure if this behaviour is the same across all builds. the funny thing is that the default setting is zero. however, I need to set trr mode to something else then reset it to make it work

Arjen Balfoort
Site Admin
Posts: 9282
Joined: 26 Jan 2013 19:36
Location: Netherlands
Contact:

Re: Firefox/waterfox and DoH - what default to choose?

Postby Arjen Balfoort » 21 Jun 2019 08:05

Is there something I need to change in the configuration?


SolydXK needs you!
Development | Testing | Translations

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 21 Jun 2019 09:19

currently, no. it seems most of us like to leave the configuration to the user. though, since neither DoT nor DoH runs OOTB in our system, when we decide to turn on DNS encryption, we'll need to decide which provider will be used

ilu
Posts: 2493
Joined: 09 Oct 2013 12:45

Re: Firefox/waterfox and DoH - what default to choose?

Postby ilu » 22 Jun 2019 15:36

Not at the moment, this is something that needs to be discussed, because Firefox will change their configuration in the (near?) future and then we'll need to know what to do.

We've had an extensive discussion locally and the common opinion is that

1. The proposed change to use cloudflare is a move to centralize DNS lookup and thus centralize control over the DNS system which everybody thinks is a very bad thing.

2. The average user will not gain much privacy-wise. Someone will always see their requests and someone will always be able to censor. Whether it's better to use a local provider, a random other provider or one of the big international players very much depends on the user's situation. Presetting a privacy-conscious provider who is not an international player will also screw up services depending on geolocation. People who really need safety have to use tor anyway.

3. DoH or DoT do not improve security, DNSSec does. Installing dnssec-trigger (which uses unbound) was recommended, see https://wiki.debian.org/DNSSEC#How_to_b ... rom_DNSSEC. If I understand correctly, all DNS queries that are cached locally by unbound will not get sent to any DNS provider again (which would improve privacy, to some extent).

So, conclusion was:
  • Disable DoH (by setting trr mode to 5 - I will try this on nightly, kurotsugi) and leave everything to the user
  • install dnssec-trigger
Has anybody ever used dnssec-trigger/unbound?

Arjen Balfoort
Site Admin
Posts: 9282
Joined: 26 Jan 2013 19:36
Location: Netherlands
Contact:

Re: Firefox/waterfox and DoH - what default to choose?

Postby Arjen Balfoort » 22 Jun 2019 18:50

Ok, clear.

Do you want me to install dnssec-trigger by default, then?



ilu
Posts: 2493
Joined: 09 Oct 2013 12:45

Re: Firefox/waterfox and DoH - what default to choose?

Postby ilu » 23 Jun 2019 00:31

I'll test it next week on my laptop to see how it behaves in different wireless networks.

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 23 Jun 2019 00:41

your tendency to jump to conclusions made me a lil bit worried... like... how come dnssec-trigger comes as a conclusion when it's not even mentioned once? that aside, neither dnssec-trigger, unbound nor bind9 works with dnscrypt. isn't it already implemented in dnscrypt?

we still have 2 years to discuss this issue. let's take it slow and easy :3

ilu
Posts: 2493
Joined: 09 Oct 2013 12:45

Re: Firefox/waterfox and DoH - what default to choose?

Postby ilu » 23 Jun 2019 16:50

kurotsugi wrote:
23 Jun 2019 00:41
your tendency to jump to conclusions made me a lil bit worried... like... how come dnssec-trigger comes as a conclusion when it's not even mentioned once? that aside, neither dnssec-trigger, unbound nor bind9 works with dnscrypt. isn't it already implemented in dnscrypt?
I did not jump to any conclusions. Those two points were the conclusion of that discussion I had ("... conclusion was" - not "is"). I actually asked for experiences you or others might already have.

dnssec-trigger is implementing DNSSEC locally for all providers that support it, and since DNSSEC is a standard the support will grow. DNSSEC is a good idea completely independent from DoH or DoT. It actually improves security, which DoH and DoT do not, at least not directly. There is no downside to using it as long as it works without disrupting the user, and that's what needs testing.

The problem with dnscrypt is that it only works if both endpoints configure it - which they mostly don't. And it will never become a standard. So the gain is limited.

kurotsugi
Posts: 2228
Joined: 09 Jan 2014 00:17

Re: Improving DNS security and privacy and upcoming firefox/waterfox changes

Postby kurotsugi » 23 Jun 2019 21:46

dnssec only validates the dns query to ensure the response comes from a valid source. that's the only thing it does. everyone else can still see your dns query and snoop on everything between your system and the dns server. dnssec only protects you when someone specifically attacks you. in a normal situation there's no difference from the old system.

you can imagine your dns communication as a mail service. dnssec validates the mail so that no one can send a fake mail. however, without encryption you're sending your letter in a transparent envelope. everyone between your system and the server can see the content.

that's, I believe, the reason why the current main concern about dns is how to protect the query. that's why dns encryption comes first. dnssec, eSNI, and other technologies come as complementary later. when someone tells you that dnssec is independent it means that it grows independently (i.e. it's not tied to either DoH or DoT, so you can choose whatever encryption method) but still, you need to encrypt the content of your dns query to get the benefit of dnssec

on the technical side, dnssec is immature. it's newer than DoT/H so it's mostly only implemented on the server side. lots of things will break if you use dnssec now. that's why it's not as widely used as DoT/DoH. as for dnscrypt, it enables dnssec by default so you only need to pick a server with dnssec. dnscrypt's security implementation might not become a standard as you've said, but dnscrypt can be used as a DoT/H client.

I know it might be confusing. there are currently three dns encryption methods: DoT and DoH, which are gaining a lot of traction now, and dnscrypt, which is not widely used. however, the _dnscrypt client_ (dnscrypt-proxy, which we discussed in this thread) supports all of these technologies. I think you mixed up our discussion with something else so that you forgot that we were using dnscrypt only as a DoT/H client.

AFAIK dnscrypt is the easiest way to enable both dns encryption (DoT/H) and dns validation (dnssec). I don't know if stubby or other native DoT/H clients use dnssec (cloudflare's client also enables it, along with eSNI, but it's not available for debian and you seem to hate it). if you want DoT/H along with dnssec OOTB, dnscrypt is the only way. bind9 and unbound can be configured to work along with dnscrypt or other DoT/H clients but it requires some modifications.

the disadvantages? my only concern about dnscrypt is that it doesn't support eSNI yet. but that would be another topic for discussion :3
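To make the "transparent envelope" point above concrete, here is an added illustration that is not part of this thread or of any of the projects it names (dnscrypt-proxy, unbound, dnssec-trigger). It builds a classic UDP/53 DNS query with the standard library only, once with and once without the EDNS0 "DO" (DNSSEC OK) flag, and then parses it the way a passive on-path observer would: the queried name is readable either way, and asking for DNSSEC changes nothing about that. It also shows why the thread's point about encryption matters even for validation: the AD bit a validating resolver sets in its reply is just a plaintext flag, so a stub that trusts it needs either local validation (unbound/dnssec-trigger, as discussed above) or an authenticated transport (DoT/DoH). All packet bytes are constructed inline; the function names and the 0x1234 transaction id are my own choices.

```python
"""Added illustration (not from the thread): what a passive on-path observer
can read from a plain UDP/53 DNS query, with and without the DNSSEC DO flag.
Standard library only; all packets are constructed inline."""
import struct

QTYPE_A = 1
QCLASS_IN = 1
TYPE_OPT = 41        # EDNS0 pseudo-RR that carries the DO (DNSSEC OK) bit
EDNS_DO = 0x8000     # high bit of the OPT record's 32-bit "TTL" field
FLAG_QR = 0x8000     # message is a response
FLAG_RD = 0x0100     # recursion desired
FLAG_AD = 0x0020     # "authenticated data", set by a validating resolver


def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Read an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, dnssec_ok=True, txid=0x1234):
    """Plain DNS query for <name>/A. With dnssec_ok, an EDNS0 OPT record with
    the DO bit is appended: that is all a stub does to request DNSSEC data."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    packet = header + question
    if dnssec_ok:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, RDLEN 0
        packet += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return packet


def observer_view(packet):
    """Everything anyone between stub and resolver can read from the UDP
    payload. The name is plaintext whether or not DNSSEC was requested."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    qname, offset = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    dnssec_ok = False
    if arcount and packet[offset] == 0:          # OPT RR always has the root name
        rtype, _cls, ttl, _rdlen = struct.unpack("!HHIH", packet[offset + 1:offset + 11])
        dnssec_ok = rtype == TYPE_OPT and bool(ttl & EDNS_DO)
    return {"txid": txid, "qname": qname, "qtype": qtype, "dnssec_ok": dnssec_ok}


def build_response(query, authenticated=True, rcode=0):
    """Minimal reply: echo the question section, set QR, and optionally the
    AD bit with which a validating resolver reports a DNSSEC-verified answer."""
    txid = struct.unpack("!H", query[:2])[0]
    _name, offset = decode_name(query, 12)
    question = query[12:offset + 4]
    flags = FLAG_QR | FLAG_RD | (FLAG_AD if authenticated else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def resolver_claims_validation(response):
    """True if the AD bit is set. Over plain UDP/53 this is an unprotected
    plaintext flag, so it is only meaningful when the resolver is reached over
    an authenticated channel (DoT/DoH) or validation is done locally."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_AD)


if __name__ == "__main__":
    for do in (True, False):
        q = build_query("example.com", dnssec_ok=do)
        print("DO requested:", do, "->", observer_view(q))
    r = build_response(build_query("example.com"))
    print("resolver sets AD:", resolver_claims_validation(r))
```

Running the block prints the observer's view twice; in both cases `qname` is `example.com`, and only the `dnssec_ok` field differs. That is the whole of kurotsugi's point: DNSSEC adds an integrity flag to the same transparent envelope, and it takes DoT/DoH (or, as ilu suggests, a local validator) to close the envelope.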

