Improving DNS security and privacy and upcoming firefox/waterfox changes


Postby ilu » 12 Jun 2019 13:46

Since Firefox is soon going to enable DoH (DNS over HTTPS) with cloudflare as default we need to decide which defaults we implement. Of course everybody can always change about:config settings to her liking, just the default needs to be discussed.

If I have to trust anybody with DNS resolution - and I have to - I would prefer trusting my local provider and my local authorities over some US company like mitm attacker cloudflare. We all know about US gag orders. But this might be totally different for people in non-EC countries. And somebody might know about a more trustworthy DoH service. So, opinions?

Edit: Corrected the wording since I confused DNSSEC with DoH. Sorry about that.


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby nuts2u » 12 Jun 2019 15:03

Another reason you should be using a vpn.


Liberalism is the art of standing on your head,
then telling everyone around you that they're upside-down.


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby ilu » 12 Jun 2019 19:16

Edit: Please discuss valid about:config settings only.


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby nuts2u » 12 Jun 2019 23:02

Vpn is off topic?
You were concerned about dns resolution, I stated that is why you should be using a vpn (which have their own dns servers) and NO they are not all in the USA. The vpn I used is based in Panama so the US has no jurisdiction in Panama, and the provider keeps zero logs which means they do not log any of your dns queries...so no matter which country their dns server is located in they keep NO LOGS.....which would solve your dns privacy concerns.

You want to trust your local provider who most likely is keeping a log of your dns queries...per your government laws.....go right ahead.....but don't say you have concerns about dns privacy then



Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby ilu » 12 Jun 2019 23:42

So you trust your vpn provider. That's ok. But this is the "testing zone". I started a discussion about a TECHNICAL DEFAULT SETTING in firefox and waterfox which might not be relevant for anybody using a vpn. "Use vpn" is not a valid entry in about:config. I have edited my previous post.


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby kurotsugi » 13 Jun 2019 00:40

the technology seems good to me, at least on paper. that's it. regardless of the technology you'll still need to "trust" something. it could be either your vpn provider or your dns server. it might be better to put "trust" out of the discussion and only discuss objectively what we know about the technology.

in layman's terms, dnssec adds security on top of the current dns. it protects us from attacks like dns cache poisoning. IMO it's good for us without any significant negative side. I'm not even sure if there's any of it. that being said, dnssec doesn't protect us from a "bad" dns server. the key point would be which dns server you would choose.

using a local resolver, vpn, or your provider might sound good for most of us but I highly doubt it will work on a global scale. on a global scale we'll need a trustworthy global dns server. sadly there isn't much choice for us. it's either cloudflare, google, or opendns.

on paper...cloudflare beats them all. hence the reason for the mozilla guys picking it for their conf setting


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby nuts2u » 13 Jun 2019 00:50

I get your point, what I do not understand is why anyone who is concerned with dns privacy would want to fiddle around with their browser, trying to have it use a separate dns resolver, and yet leave their entire system using their local provider's dns server.....does not make sense to me......but whatever makes your boat float

I use WaterFox and Flashpeak Slimjet.



Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby ilu » 13 Jun 2019 01:46

@nuts2u: most of our users don't use vpn and will never do. The default setting should be the best for most of our users. My boat floating is not relevant.

I have to correct my wording because DNSSEC is done on the server side, the term I should have used is DoH (DNS over HTTPS). But we are talking about the same thing.

Pro:
- national censorship via DNS blocking will become impossible
- no more collecting DNS lookup data at the local service provider
- no more DNS lookup interception
Con:
- censorship via DNS blocking will become possible for the DoH provider
- concentrating DNS lookup data at the DoH provider
- DNS based forensic investigation (f.e. of botnets) becomes practically impossible for all nations except US
- DNS resolve is transferred from the system level to the application level
- no more blocking anything via host files or pihole

I'm trying to understand whether any of these points would be different with DoT.

There's a fourth possibility: keep the setting disabled, which means we keep the present situation without DoH. That might be better for countries with strong and working privacy protection but worse for others. Actually asking the user would be best but probably not possible. Firefox will probably not expose the setting in the interface.
Hopefully we might see more DoH providers in the near future.


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby kurotsugi » 13 Jun 2019 06:52

no more blocking anything via host files or pihole
I don't understand why DoH could interfere with the hosts file blocking mechanism. AFAIK the browser checks that file first before anything else. did I miss something here?
perhaps you were reading that DoH makes blocking impossible. I believe that it means that nothing could stop us from visiting any site we want. however, since we control how our system connects to the internet, we still have the ability to block the sites from communicating with us. perhaps I missed something but this is how I understand it. please kindly correct me if I'm wrong
concentrating DNS lookup data at the DoH provider
I see no difference aside from implementing some encryption into DNS communication so the lookup data should be the same. I think you mean that the data is more concentrated on the DNS provider. however, the amount of the data should be the same. the difference would be that the local provider no longer could see the content of your communication between you and your dns. however, regardless of whether we have DoH or not, the local provider will send the packet to the designated dns. I believe it means better privacy for us
DNS based forensic investigation (f.e. of botnets) becomes impossible
in my case and if I understand correctly, that you want better privacy, it should be an advantage for us
DNS resolve is transferred from the system level to the application level
I don't even understand whatever it means :lol:

please consider me a total noob in this matter. it's not that I want to argue with you but rather because I don't know much about this issue. what I know is that DoH or DoT encrypts the communication between our device and the dns server. and that's it. everything else is _and AFAIK should be_ the same. the benefit is that it should be hard for a 3rd party to know what sites we visit. however, both us and the dns server still know about it. DoH, DoT and DNSSEC secure the communication between us and the dns server but the privacy issue related to the dns server is still there.


Re: Firefox/waterfox and DNSSEC - what default to choose?

Postby ilu » 13 Jun 2019 13:58

I was just collecting arguments. This collection has absolutely nothing to do with my personal opinion or any opinion at all. To be honest I feel torn about it. I see both sides. And I'm really hoping more DoH providers will enter the game.
yes, no more blocking anything via host files or pihole
DoH means that firefox sends the DNS request with the encrypted https-header. No way for the OS or anything outside the browser to interfere. Firefox never read the hosts file, only the OS resolver does and the OS will be out of the picture. See here for example https://www.reddit.com/r/firefox/commen ... y_firefox/
DNS resolve is transferred from the system level to the application level
Up to now the OS did the resolving, protected by the necessary permissions. With the change this will be done by firefox, which runs in the userspace. We'll see a whole new type of attacks against the browser. And we have to rely on the browser security mechanism.
concentrating DNS lookup data at the ISP vs. concentrating data at the DoH provider
The DNS data is collected at the DNS inquiry endpoint which is either the ISP (many local units) or the remote DoH provider (centralized worldwide). Which version enhances privacy depends on several factors which are probably different for different people from different areas. Some countries might punish you for using cloudflare/google, others might do exactly the opposite, depending on the position of the surveiller.
Cloudflare is already a very powerful player in the market because they are the endpoint of a high share of the worldwide SSL-connections because they act as a man-in-the-middle for all their clients (which covers, I don't know, 30%? 50%? of the internet traffic - it's hard to get numbers).
censorship via DNS blocking will become centralized too
Actually, I have to correct myself, as long as there are only 3 DoH providers (all US) this is not true. Those 3 decide whether anything gets blocked.
Surveillance issues get also centralized
Certain agencies will not just stop doing their work. They will have only 3 endpoints to retrieve all their worldwide metadata, without having to tap into underwater cables or to ask other governments. Since cloudflare's already powerful mitm position, it's the perfect target for a gag order. google is too for obvious reasons.
DNS based forensic investigation (f.e. of botnets) becomes impossible for most countries
Even if privacy is highly valued, criminal intent still exists and needs to be prosecuted. With the proposed change future forensic investigation will worldwide depend on the cooperation of practically only 2 US DoH providers.
kurotsugi wrote:everything else is _and AFAIK should be_ same
Well that's not the case. The security mechanism will change from the OS to the browser. Is that wise? And the whole power system will change towards cloudflare and google. Even if they don't act with malicious intent is it wise to give such a powerful position to just 2 companies that are already powerful? cloudflare and google will become single points of failure and that is never wise in IT.

Edit: AFAIK opendns is cisco and I won't even discuss their service since that company is totally discredited by all their security f..ups in the router business.


Re: Firefox/waterfox and DoH - what default to choose?

Postby ilu » 13 Jun 2019 14:27

I just found this list: https://github.com/curl/curl/wiki/DNS-o ... le-servers
If DoH is not centralized and there's a choice of providers and we pick one from that choice instead of the firefox default, half the arguments against DoH go away.
Con arguments that remain are:
- DNS based forensic investigation (f.e. of botnets) becomes practically impossible (that's bad but nothing we can change)
- DNS resolve is transferred from the system level to the less secure application level (we can only hope that browsers are up to it)
- no more blocking anything via host files or pihole (but as long as we have uBlock origin, we are probably good)

So, does anybody feel up to testing some of the alternative DoH providers? Please share your testing results if you do.

(Info about the conf details: https://daniel.haxx.se/blog/2018/06/03/ ... oh-engine/)


Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 13 Jun 2019 21:57

someone actually already busted DoH :lol:
there are three things, the address, the sign/certificate, and the content of the message. both the address and the sign are in plain text so anyone actually could easily start from there. decrypting the packet is also possible. though, I never heard that someone actually already did it. perhaps because they shouldn't :lol:

that would make the problem into one. the dns resolve mechanism is transferred to app level. we lose the control but it does not necessarily make it less secure. on a browser we still could use extensions to partially control it so it's not a big issue...at least for me


Re: Firefox/waterfox and DoH - what default to choose?

Postby bin » 14 Jun 2019 05:08

DNS over HTTPS sounds like a good idea

At a gut level I feel that transferring something as important as name resolution to a browser application is just wrong.

What bothers me is just how resilient it is likely to be and also, given the recent certificate issue that borked FF extensions, is this going to be one more point of failure relying on another certificate for DNS?


Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 14 Jun 2019 06:22

AFAIK with DoH the security lies more on the site owner rather than either the browser or the dns server. this "certificate" stuff should not be confused with the earlier firefox issue. some people actually prefer DoT instead of DoH since it retains all the control that we have. mozilla's decision to make DoH the default might be annoying but it doesn't make our system less secure. ilu said that the app level is less secure but I believe it's not. the local resolver by default didn't use any encryption so it's more vulnerable to attacks.

the browser is not _and should not_ resolve the address by itself. what firefox did is forcing us to use cloudflare as the default resolver. it's annoying but it's not less secure by any means.

btw, it seems that the issue is on firefox. it's not a DoH issue. I'm using encrypted dns and both epiphany and chrome respect my hosts file. it seems that firefox opted to ignore my hosts file and won't fix it


Re: Firefox/waterfox and DoH - what default to choose?

Postby bin » 14 Jun 2019 07:57

kurotsugi wrote:
14 Jun 2019 06:22
the browser is not _and should not_ resolve the address by itself. what firefox did is forcing us to use cloudflare as the default resolver. it's annoying but it's not less secure by any means.
Yes - you are right, what I was thinking was more along the lines of: if firefox forces resolution via cloudflare, how easy could it be for that to be hi-jacked or just changed depending on how it is implemented? Surely it would not be available in a :config??

I do get that it should impact on the issue of mitm - but is there a price to pay for that?

I guess to answer the original question - set the browser to maximum security by default and provide the tools and information for users to make a choice. If that max security is ambiguous then I for one have no idea what is the best solution - we're having enough trouble with Brexit as it is :)


Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 14 Jun 2019 08:37

it is available on about:config. well...at least for now :lol:
network.trr.mode=0 will disable firefox DoH and it will use whatever in your system instead. since it's using the regular conf method, it's unlikely that someone will hack it.
I do get that it should impact on the issue of mitm - but is there a price to pay for that?
the price is negligible, namely additional resources to encrypt/decrypt the communication and the slight delay needed for that process. we are talking about something in millisecs so it would be unnoticeable for us.

I think the best solution would be adding some encryption on our native dns. we can get all the benefit from DoH/DoT while still maintaining control in our system. though, it's not clear how to do it. most providers only say "hey, we support this" but they rarely tell about how to use it.

luckily, we are in debian realm. you can do it by simply installing dnscrypt-proxy then using 127.0.2.1 as your dns address. the default setting will use cloudflare as the default resolver but you can use others too. AFAIK it's using DoH so technically there's no difference in our implementation


Re: Firefox/waterfox and DoH - what default to choose?

Postby ilu » 14 Jun 2019 11:30

The setting is exposed in about:config and Mozilla does not intend to change that. FF nightly has a GUI interface under network settings. So the user is free to choose another DoH provider or none at all. But most users will not change the default.
I do get that it should impact on the issue of mitm - but is there a price to pay for that?
... the price is negligible ...
There is a price. Cloudflare will get immensely powerful on top of what they already are. It's not only a question of trust but also a question of balance. Relying too much on a single player is never a good idea. A relatively successful economic system called "capitalism" is based on competition for a reason.

Also Cloudflare (as well as google and quad9) will get a US national security letter and a gag order on top of it. I'm quite sure they already have both.

Since this distro is European based I would prefer a european DoH provider as default - or none at all - or a way to make the user choose. It's mandatory that the DoH provider does DNSSEC against spoofing. There is for instance https://appliedprivacy.net/ which I will start testing. If anybody wants to join in testing, the setting is under network.trr in about:config and there's an explanation under https://appliedprivacy.net/services/dns/.

If you know any other DoH provider that qualifies post here.


Re: Firefox/waterfox and DoH - what default to choose?

Postby grizzler » 14 Jun 2019 15:06

Switched it on just now.

What about "Stubby", which is also mentioned on the Applied Privacy page? There's a package for buster.
Frank

SolydX EE 64 - tracking Debian Testing


Re: Firefox/waterfox and DoH - what default to choose?

Postby kurotsugi » 15 Jun 2019 13:40

there's a DoH list for dnscrypt https://raw.githubusercontent.com/DNSCr ... solvers.md
the technology is still new so there aren't many options. in terms of performance and security, the top four would be cloudflare, google, quad9 and opendns. cloudflare is a new player so it's a long way for them to become the market leader. I won't touch the trust issue since it's a private and subjective matter

@grizzler : AFAIK technically stubby uses DoT while dnscrypt is using DoH. since most of the providers support both DoT and DoH, it's just a matter of personal preference. more stuff is implemented on the server side so there won't be any major difference between them. though, I've heard of some caveat in dnscrypt. I haven't investigated deeply yet but it seems to me that it's just a theoretical caveat


Re: Firefox/waterfox and DoH - what default to choose?

Postby ilu » 15 Jun 2019 16:59

I'm not sure about dnscrypt but I think it's an implementation of the same technique (DoH or DoT) but at system level instead of application level. I've read some caveat about dnscrypt too (uses unorthodox stuff and no audit). Stubby seems to do the same. It would certainly be better to keep DNS resolve on the system level. Also there could probably be several services configured as fallback, which would be good if we don't choose one of the major players. I'm wondering how this lines up with the systemd discussion.

If I understand correctly both require the browser to be configured with trr = 5, which is "permanently off" - otherwise system level services won't work.
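
Added example, not part of any post in this thread and not Mozilla's or SolydXK's code: a small audit that reads a Firefox/Waterfox profile's prefs.js and user.js and reports whether the network.trr settings discussed above move name resolution out of the OS resolver (hosts file, Pi-hole, dnscrypt-proxy or Stubby) and into the browser. The sample profile contents and the doh.example.net endpoint are constructed placeholders.

```python
import re

# network.trr.mode values: 0 and 5 leave resolution to the OS resolver,
# 2 and 3 send lookups to the DoH endpoint set in network.trr.uri.
TRR_MODES = {
    0: ("off", False),
    2: ("DoH first, OS resolver as fallback", True),
    3: ("DoH only, no fallback", True),
    5: ("off by explicit choice", False),
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict; skip anything else."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs


def audit_doh(prefs_js, user_js=""):
    """Report whether this profile resolves names in the browser via DoH."""
    prefs = parse_prefs(prefs_js)
    prefs.update(parse_prefs(user_js))  # user.js entries win at startup
    mode = prefs.get("network.trr.mode")
    if mode is None:
        label, uses_doh = "not set: build or distro default applies", None
    else:
        label, uses_doh = TRR_MODES.get(mode, ("other value: check manually", None))
    return {
        "mode": mode,
        "label": label,
        "bypasses_os_resolver": uses_doh,
        "os_fallback": mode == 2,
        "configured_uri": prefs.get("network.trr.uri"),
    }


# Constructed sample profile files (doh.example.net is a placeholder).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.net/dns-query");
user_pref("browser.startup.page", 3);
'''
SAMPLE_USER_JS = 'user_pref("network.trr.mode", 5);\n'

if __name__ == "__main__":
    for title, args in (("prefs.js only", (SAMPLE_PREFS_JS,)),
                        ("with user.js", (SAMPLE_PREFS_JS, SAMPLE_USER_JS))):
        print(title, audit_doh(*args))
```

A distro that ships a system-level encrypted resolver can run this over its default profile to confirm the browser is pinned to mode 5 rather than left on the build default.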

