
Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?





On 11/09/2019 06:16, Ingo Jürgensmann wrote:
Am 10.09.2019 um 07:50 schrieb Florian Lohoff <f@zz.de>:

On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote:
I for one, do trust my ISPs a lot more than I trust Cloudflare or
Google, simply based on the jurisdiction.
There are tons of setups which are fine tuned for latency because they
are behind sat links etc or low bandwidth landlines. They have dns
caches with prefetching to reduce typical resolve latency down to sub
milliseconds although your RTT to google/cloudflare is >1000ms.

Switching from your systems resolver fed by DHCP to DoH in Firefox will
make the resolve latency go from sub ms to multiple seconds as the
HTTP/TLS handshake will take multiple RTT. This will effectively break
ANY setup behind Sat links e.g. for example all cruise ships at
sea.

I can confirm (based on experiences in my day job) that this can be a real problem, affecting thousands and hundreds of thousands of users.

Having the *option* to use DoH is maybe a good idea, but making it the default is not.



I appreciate that Mozilla are trying to enhance privacy by introducing DoH as an option (but clearly not for children! [0][1]), but are we not missing the major point here? DNS does not belong in the browser...

If we wish to deploy DoH (I think it would get my vote) then it should be system wide and transparent to applications, using the same methods already available. If every application were to deploy its own resolver service then total chaos will ensue.

Yes, I know browsers already offer alternative resolve and proxy methods; unfortunately that ship has already sailed. Provided that they are turned OFF by default, that is acceptable. With in-browser DoH again, as long as it is OFF by default, I don't see an issue.

/Andy

[0] "Respect user choice for opt-in parental controls and disable DoH if we detect them" https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

[1] In-browser DoH will break a lot of 'parental control / supervisor' applications that block traffic based on black & white lists. IMO this is another reason why DoH shouldn't be inside the browser - already Mozilla are deploying workarounds for certain use cases...
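As an added illustration of the round-trip arithmetic behind the latency point quoted above (this is not code from the thread or from Mozilla), a small Python model comparing a prefetching LAN cache with in-browser DoH over a high-RTT link. The handshake round-trip counts, the LAN latency and the cache hit ratio are assumed constants, not measurements.

```python
# Constructed model of resolve latency: local prefetching cache vs DoH.
# All constants are assumptions for illustration, not measured values.

# Round trips for a full TLS handshake (no session resumption or 0-RTT).
TLS_HANDSHAKE_RTTS = {"1.2": 2, "1.3": 1}


def doh_cold_latency_ms(rtt_ms, tls_version="1.3"):
    """First DoH query on a fresh connection: TCP handshake, TLS handshake,
    then one HTTP request/response exchange, each costing whole RTTs."""
    tcp_rtts = 1
    tls_rtts = TLS_HANDSHAKE_RTTS[tls_version]
    http_rtts = 1
    return (tcp_rtts + tls_rtts + http_rtts) * rtt_ms


def doh_warm_latency_ms(rtt_ms):
    """Later queries that reuse the established HTTPS connection: one RTT each."""
    return rtt_ms


def local_cache_latency_ms(rtt_ms, hit_ratio, lan_rtt_ms=0.5):
    """Expected latency of a prefetching LAN cache: hits are answered in
    sub-millisecond time, misses are forwarded upstream (one WAN RTT)."""
    return hit_ratio * lan_rtt_ms + (1 - hit_ratio) * rtt_ms


def page_load_resolve_cost_ms(n_lookups, rtt_ms, tls_version="1.3", hit_ratio=0.95):
    """Total resolver time for a page needing n sequential lookups under both
    schemes. DoH pays the cold setup once, then one RTT per further lookup."""
    doh = doh_cold_latency_ms(rtt_ms, tls_version) + (n_lookups - 1) * doh_warm_latency_ms(rtt_ms)
    cache = n_lookups * local_cache_latency_ms(rtt_ms, hit_ratio)
    return {"doh_ms": doh, "cache_ms": cache}


if __name__ == "__main__":
    # Typical landline RTT versus two assumed satellite RTTs.
    for rtt in (20, 600, 1200):
        print(f"RTT {rtt} ms:", page_load_resolve_cost_ms(10, rtt))
```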

