
Re: DOH (was: geolocation services disabled and Gnome maps)



On Sun, Apr 12, 2020 at 12:35:44PM +0200, tomas@tuxteam.de wrote:
> On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, tomas@tuxteam.de wrote:
> > > That's why I cringe at the idea that browsers want to start doing
> > > name resolution over HTTPS.
> > 
> > This simple one line of dnsmasq configuration will disable this
> > problematic feature for good for Firefox (basically it creates a bogus
> > NXDOMAIN response for this particular site):
> > 
> > local=/use-application-dns.net/
> 
> I don't quite understand [1] how the dnsmasq config has a say on
> whether the browser resolves things over HTTP (it won't ask the
> resolver in the first place, would it?), but thanks for the pointer
> anyway.
> 
> Cheers
> [1] That's not a rhetorical flourish, it's genuine. I know too
>    little about DNS-over-HTTP to be of any use at this point.

The questionable idea behind DOH is that the browser makers do not trust
your local resolver. As usual, the main arguments here are:

1) One can use a local resolver with the ability *not* to resolve
certain DNS queries, which refer to the sites which just happen to
contain advertisements, fingerprinting, tracking, cryptomining etc.
Since both major browser makers (Google and Mozilla) happen to rely
on revenue generated by advertising *and* users' browsing habits, this
obviously cannot be tolerated.

2) ISPs can intercept DNS queries, and modify them at their leisure.
Usually considered a first step towards censorship, implemented in this
particular form in certain European countries.

3) Bad guys and gals can hijack DNS too, to the usual hilarious results.

With the advent of HTTPS all of this may be seen as moot (if you're
redirected elsewhere the certificate validation should fail), but
nevertheless DOH is being forced down the collective throat of Firefox users
as we speak (and Chrome users are likely to follow them Soon™).
Currently a Firefox user is supposed to trust Cloudflare to do DNS
queries for them, and HTTPS is used for this purpose because Security™.


In its current form DOH has a huge gaping hole that every system
administrator worthy of the title is familiar with - local name
resolution - because Cloudflare cannot resolve hosts in your Intranet,
although they probably want to. And yes, your dirty /etc/hosts tricks
won't work here, because DOH simply skips parsing the contents of the
hosts file.


Hence the trick. What Firefox does first is try to resolve
use-application-dns.net, on the assumption that if the local DNS resolves
it then the user's host is connected to the Internet.
Because if it does not, then it's most probably a corporate Intranet, so
DOH should be disabled for the duration of this browser run.
I won't go into the details here on how many levels this logic is
flawed or outright broken.

I'll just say that it's enough to use it for your own good and to
disable DOH without rebuilding Firefox from source. So, as I wrote
earlier - if you control your network, DOH is just another
questionable thing that can be gotten rid of.

Reco
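Added example (not part of Reco's post or of Firefox/dnsmasq code): a minimal DNS wire-format builder and parser that reproduces the canary decision the post describes. The two resolver answers are constructed inline: the authoritative NXDOMAIN that `local=/use-application-dns.net/` makes dnsmasq return, and an ordinary answer with an A record. The decision rule in `doh_should_be_enabled` (NXDOMAIN, or NOERROR with no A/AAAA record, keeps DOH off) is my reading of the behaviour the post describes and is an assumption, as are the helper names and the `127.0.0.1:53` default in the optional live check.

```python
"""Canary-domain check for use-application-dns.net, as an added example.

Builds a DNS query, parses a response just far enough to read RCODE and the
answer record types, and applies the Firefox-style decision the post
describes.  Response bytes are constructed locally; nothing touches the
network unless query_local_resolver() is called explicitly.
"""
import socket
import struct

CANARY = "use-application-dns.net"          # the domain Firefox probes
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3        # RFC 1035 response codes
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Wire-encode a domain name: length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard query: header (RD set, QDCOUNT=1) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Return the offset just past a name; a compression pointer ends it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte pointer back into the message
            return off + 2
        if length == 0:                # root label
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Extract transaction id, RCODE and the RR types in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answer_types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {"id": txid, "rcode": flags & 0x000F, "answers": answer_types}


def doh_should_be_enabled(parsed):
    """Assumed canary rule: the local resolver refusing to resolve the canary
    (NXDOMAIN, or NOERROR with no A/AAAA record) means DOH stays disabled."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return False
    if parsed["rcode"] == RCODE_NOERROR and not any(
        t in (TYPE_A, TYPE_AAAA) for t in parsed["answers"]
    ):
        return False
    return True


def build_response(query, rcode, a_records=()):
    """Constructed resolver answer: echoes the question, sets QR/AA and RCODE,
    and appends one A record per address, name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(a_records), 0, 0)
    answers = b""
    for ip in a_records:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


def query_local_resolver(server="127.0.0.1", timeout=2.0):
    """Optional live check: ask a real resolver (assumed at 127.0.0.1:53) the canary."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    q = build_query(CANARY)
    # What dnsmasq with `local=/use-application-dns.net/` hands back: NXDOMAIN.
    blocked = parse_response(build_response(q, RCODE_NXDOMAIN))
    print("dnsmasq local=/.../  -> DOH enabled:", doh_should_be_enabled(blocked))
    # An ordinary upstream answer with an A record keeps DOH on.
    normal = parse_response(build_response(q, RCODE_NOERROR, ["192.0.2.1"]))
    print("normal A answer      -> DOH enabled:", doh_should_be_enabled(normal))
```

Running the script prints `False` for the dnsmasq case and `True` for the ordinary answer; calling `query_local_resolver()` against the dnsmasq instance that carries the `local=` line lets you confirm the NXDOMAIN actually reaches clients before relying on it.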

