Basically, make use-application-dns.net. return an error (any kind will do). Filter it in your recursor for example.
Having the browser change a fundamental behaviour that used to stand for decades is highly problematic. If nothing else, it is the network administrator who should have the final say on WHEN (if ever) DoH will get deployed inside their network.
>Having the browser change a fundamental behaviour that used to stand for decades is highly problematic.
No, this is far too broad of a statement. Browsers pushing for TLS, deprecating the old SSL versions and now the old TLS versions, deprecating SHA1 use in certificates, going from quirksmode to a living html standard (not without problems such as Google's over-influence), etc all have been a net positive, but there was breakage too.
Now, DNS - a really antiquated protocol written at a time when security played no role and everybody was assumed to be a good actor and (next to) nobody bought shit online or banked online or dated online or got medical advice online - is somehow the holy grail that MUST NEVER change? Because... "it works" (only superficially, without proper security) and status quo. I don't buy it.
We may discuss DNS and alternatives/add-ons (such as DoH, DoTLS, DNSSEC, DNSCrypt, etc) and their pros and cons, but rejecting any kind of innovation isn't something I am willing to do.
> but rejecting any kind of innovation isn't something I am willing to do.
I don't think the post you're replying to is really saying "no innovation". I think it's more subtle.
The "problem" with DoH is that you need to look at it with several different hats, and I feel very few people make it clear how they're complaining about DoH.
* From a consumer perspective DoH is a good thing (mostly)
* From a traditional/enterprise/business-like environment perspective it's inserting itself in the middle of the stack and may cause headaches with a few things (not limited to leaking internal names to external resolvers), unless it's just blanket disabled/forced to a local server (which may not always be practical for different reasons) - currently
Ultimately who do we have to blame for this but ourselves? Organisations have tried to get encrypted DNS off the ground in traditional DNS infrastructure and clearly failed to meet the required timeline.
I personally feel like the problem, just like with IPv4, is that traditional DNS infrastructure is "fine" (i.e. it works). We don't have a great motivation but we do have fear of breaking the many many many boxes which are un-upgradeable/critical.
The elephant in the room is that many networks need to have content filtering, and you are proposing nothing useful. DoH torpedoes content filtering to its very core and, fortunately, the knob Mozilla provides can (hopefully) be utilized. That's all there's to it.
>The elephant in the room is that many networks need to have content filtering
First of all, we're talking about domain filtering, not content filtering.
And no, they want domain filtering, hardly anybody needs it, and there are better solutions than NXDOMAIN, such as actual content filters.
>and you are proposing nothing useful.
Why would I need to provide "something useful"? Mozilla already described the many ways this can be disabled, from browser preferences, to automated checks for known disable-me domains, etc.
I need domain filtering: if the domain serves malware I want to block it, not just the known malware coming from it. If a domain serves porn, I want to block it on my kids computers (and mine) not just the content that is recognisable as porn. If a domain is used by malware I want to block it, and probably use the domain to determine the server, and block that too (too because the domain can move IP).
All of that can be implemented on the client (e.g. as a browser extension) without breaking the Internet. That's the only reliable way to do it anyway. MITM DNS filtering is easily bypassed and only effective against lazy malware.
How about wanting to filter advertising, or filter content for myself - I block imgur via DNS for example, or block domains used by trackers and malware creators?
This logic makes no sense to me. Can you imagine if AT&T or Spectrum made a statement like this?
The “network administrator” is an untrusted 3rd party who should have basically 0 say in how my device operates.
The device administrator, i.e. the owner of the machine, is the one who should have the final say over when DoH is used. The use-application-dns record is for businesses that want an easy way to stop DoH on machines they administer. If random “network admins” start deploying it as you say then Mozilla will have no choice but to ignore the record entirely.
So what if I run a Pihole at home as a DNS server and want to stop being able to resolve various domains? I would like to know how to stop all devices (actually worse, individual applications!) on my network deciding to DoH of their own accord (and therefore bypassing my local DNS server).
This kind of centralised ability to block DoH is very useful to me.
* On devices that you own and control you don't need a network level control like this except for convenience. This is when you should be applying the override record.
* On devices that you do not own or control (family/friends/guests) disabling DoH makes you the malicious network operator. Connecting to your Wi-Fi doesn't make you trusted in any sense of the word.
* On devices that you own but do not control (Google Home/Alexa) you make a valid point that techie types have been able to take some level of control by exploiting the fact that DNS is an unencrypted "hole" in the security of the device. You would have a lot more control if the HTTP traffic they sent was unencrypted and inspectable/modifiable but that doesn't mean devices shouldn't be allowed to use HTTPS without your approval.
Thanks. Not to be argumentative, but I find it odd/interesting that guests connecting to my WiFi and using my DNS setup makes me a "malicious network operator" in your eyes. That's a very odd view of the world in my opinion, as it is my WiFi and DNS setup.
That's like saying that me stopping guests taking photos of my daily activities (showering, using the toilet) whilst in my house is a malicious behaviour too. I suppose I should let them post the photos off to whomever they choose?
If someone is in my house and using my WiFi, I don't want their device looking up domains that I choose to block. How do I know that their device is not recording its surroundings and sending them off to the said domain? How do I know that my guest is not up to nefarious/illegal activity using domains that I have blocked? I would be the one prosecuted due to the IP address = a person approach by the law in most circumstances (should they ever deduce the requested domains from the DoH set up). Being that the DoH provider is under law, I am pretty sure that the DoH will have to hand over any records they have, which will lead it back to me and my network.
And then once again we are stuck in a situation where I cannot control what domains are being looked up by devices and applications on my network. My devices are no longer mine. I have handed off control to some company the other side of the planet with employees I will never meet.
How do I stop the 5+ tracking domains that the Instagram app uses on my wife's iPhone, for example? Am I a malicious network operator for stopping that garbage being sent off?
> I cannot control what domains are being looked up by devices and applications on my network.
This is kinda the point. For devices you own you have that control by the virtue of being the device admin. Other people's devices are a different story. You are free to have an acceptable use policy on your own network and require traffic to flow through a proxy or whatever but if you do it without their knowledge or consent you're the bad guy.
How pissed would you be if Xfinity just up and blocked random sites like this?
(sidebar: Just from a politeness perspective why would you give your guests anything other than a clean path to the public internet?)
> That's like saying that me stopping guests taking photos of my daily activities
Having a rule that applies to your guests -- totally cool. Silently disabling their camera without their consent once they come through your door -- not cool.
> Am I a malicious network operator for stopping that garbage being sent off?
I mean you're modifying the traffic coming off of someone else's device without their knowledge or consent. I would be pissed if my husband did something like this without asking -- leaving me to debug why some sites are mysteriously broken.
I'm _maliciously_ stopping my kids' Android apps from connecting to tracking and malware domains. What a tyrant I am - I should hand over control to a third-party for-profit company??!?
Of note: PiHole supports DoH, so you point your DoH supporting applications at it. If your OS gets around to adding DoH support you can point your entire OS at it and disable DoH in applications, but until then you'll have to do things the hard way.
At present though devices on the network ask for DNS and my network says "use pihole", but applications that implement DoH never ask the network, so I have to have access to all the applications (including those from bad actors).
I block MS telemetry domains for example, where's the config for me to stop them using DoH; what about the trackers on my TV?
Now I need to configure every device - that's capable of using Firefox - rather than configuring the network. Presumably in short shrift there'll be no way to block Google advertising. I guess Google will get their return on funding Firefox.
AT&T and Spectrum do not administer your home network, you do. You have the freedom to configure whatever DNS settings you want; if you wish to use their DNS servers you may; if you wish not to, then you may not.
DoH is a non-solution to a non-problem which makes privacy strictly worse by leaking information to Cloudflare in addition to one's ISP.
You are a client on AT&T and Spectrum's network. Just because you turn on a router and set up NAT doesn't make this fact any less true. At some point your internet traffic is going to flow through AT&T's network where they are the administrators and are free to apply whatever network policy they see fit.
DoH and DoT are a solution to the problem of sending your DNS requests unencrypted, leaking them to everyone in the process, and then giving any malicious network operator in between you and your DNS server the ability to modify the response in-flight.
Your ISP can and should provide DoH servers. Your local network is free to do the same.
I agree with you: your local network is free to set up a resolver using DoH (or DoT, which is far more sane than an entire HTTPS connexion). That's the correct place for it to live, or possibly at the individual device level.
It is 100% not the place of an application to meddle with network services, particularly not by default.
Has anyone verified that this actually works? My company's DNS administrators have already made this change. use-application-dns.net returns SERVFAIL when I run "dig" on my machine on the corporate network.
But if I enable DNS over HTTPS in Firefox, it very clearly still uses the Cloudflare resolvers. We have some split-horizon zones set up (resolve to 10.x IP's internally, and public IP's externally). When I tick the DoH box, Firefox starts resolving the public IP, verified in the Dev Tools network pane.
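The first post says to make use-application-dns.net return an error in the recursor, and the post above asks how to verify that this actually works. Both are covered by the same check, so here is an added example (not from any poster, and not Mozilla's code) that classifies a resolver's answer to the canary the way Mozilla documents it: NXDOMAIN, SERVFAIL, or NOERROR with no A/AAAA records all tell Firefox to stand down; a normal answer with records leaves DoH on. Two facts worth knowing before running it: in Unbound the blocking rule is `local-zone: "use-application-dns.net." always_nxdomain`, and the canary only governs DoH that was turned on by default in the rollout, so a user who ticks the DoH box in preferences has made an explicit choice and the canary is ignored, which is exactly what the post above observes. The dig outputs embedded below are constructed samples (RFC 5737/3849 documentation addresses), not captures from a real resolver; the `probe_resolver` function runs a live `dig` and is not called by default.

```shell
#!/bin/sh
# Added example: decide from a resolver's answer to Mozilla's canary domain
# whether Firefox's default-on DoH will be disabled on this network.
# Rules follow Mozilla's canary-domain documentation:
#   NXDOMAIN, SERVFAIL, or NOERROR with zero A/AAAA answers  -> DoH disabled
#   NOERROR with A/AAAA records                              -> DoH stays enabled
CANARY="use-application-dns.net."

classify_canary() {
    # $1 = RCODE as dig prints it (NOERROR, NXDOMAIN, SERVFAIL, ...)
    # $2 = number of A/AAAA records in the answer section
    case "$1" in
        NXDOMAIN|SERVFAIL) echo "doh-disabled" ;;
        NOERROR) if [ "$2" -eq 0 ]; then echo "doh-disabled"; else echo "doh-enabled"; fi ;;
        *) echo "doh-enabled" ;;   # anything unexpected is treated as a live answer (conservative)
    esac
}

parse_dig() {
    # $1 = full text of `dig ... +noall +comments +answer` output.
    # Pull the status field out of the ";; ->>HEADER<<-" line ...
    rcode=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
    # ... and count A/AAAA lines for the canary in the answer section.
    # grep -c exits 1 when the count is 0, so swallow that status.
    count=$(printf '%s\n' "$1" | grep -E -c \
        "^use-application-dns\.net\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+(A|AAAA)[[:space:]]") || true
    classify_canary "${rcode:-UNKNOWN}" "$count"
}

probe_resolver() {
    # Live check against resolver $1 (needs dig and network); e.g. probe_resolver 10.0.0.53
    parse_dig "$(dig @"$1" "$CANARY" A +noall +comments +answer)"
}

# Constructed sample outputs, shaped like dig's header and answer sections.
SAMPLE_NXDOMAIN=";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"

SAMPLE_SERVFAIL=";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"

SAMPLE_EMPTY_NOERROR=";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"

SAMPLE_LIVE=";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45678
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
use-application-dns.net. 300 IN A 198.51.100.10
use-application-dns.net. 300 IN AAAA 2001:db8::10"

echo "filtered recursor (NXDOMAIN):        $(parse_dig "$SAMPLE_NXDOMAIN")"
echo "filtered recursor (SERVFAIL):        $(parse_dig "$SAMPLE_SERVFAIL")"
echo "filtered recursor (empty NOERROR):   $(parse_dig "$SAMPLE_EMPTY_NOERROR")"
echo "unfiltered recursor (real answer):   $(parse_dig "$SAMPLE_LIVE")"
```

Run `probe_resolver <your-recursor-ip>` from a client on the network; if it prints `doh-enabled`, the filter is not taking effect for the resolver clients are actually using (a common miss is that only one of several forwarders was changed). Remember that a `doh-disabled` result still only affects Firefox profiles where DoH was enabled by default.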
I'd guess that the overwhelming majority of Mozilla's users do not have a "network administrator" looking after issues like this for them. All they have is an ISP, and the ISP is not on the user's side.
My point is that the definition of "network administrator" is wider than the corporate network administrator vision the phrase evokes.
A quick search shows me a number of parental control features in routers that use OpenDNS. All of the parents using those features would be "network administrators", too.
I think more people are "network administrators" than the average HN reader realizes.
If they do that, Mozilla will probably immediately update the check or remove it all together.
I don't understand why systems administrators don't just use their existing policy management to disable DoH if it really causes an issue. There's a group policy specifically for DNS over HTTPS [1]
The only reason I can think of is that they can't because of BYOD or Firefox being part of the company's dark IT. The DNS workaround doesn't help much in those cases because the underlying problem is a lack of oversight, not an issue with Firefox.
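For administrators who do manage the endpoints, the policy route the post above mentions is more robust than the DNS canary, because it applies regardless of whether the user ticked the DoH box. This is an added example (not the poster's, not Mozilla's) that writes a Firefox `policies.json` using Firefox's real `DNSOverHTTPS` policy keys (`Enabled`, `Locked`, `ProviderURL`), either disabling DoH outright or forcing it to a resolver the network runs itself. Assumptions: the default install path `/etc/firefox/policies/policies.json` is the Linux system-wide location (Windows and macOS use Group Policy or the installation's `distribution` folder instead), and `https://doh.internal.example/dns-query` is a hypothetical URL standing in for your own DoH endpoint.

```shell
#!/bin/sh
# Added example: pin Firefox's DoH behaviour with an enterprise policy file.
# Policy keys are Firefox's own DNSOverHTTPS policy; the paths and URL are assumptions.

write_doh_policy() {
    # $1 = directory to write policies.json into (default: Linux system-wide path)
    # $2 = empty to disable DoH, or a DoH resolver URL to force every profile onto it
    dir="${1:-/etc/firefox/policies}"
    provider="$2"
    mkdir -p "$dir"
    if [ -z "$provider" ]; then
        # Locked: true stops users from re-enabling DoH in about:preferences.
        cat > "$dir/policies.json" <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
EOF
    else
        # Keep DoH, but only to the resolver the network administrator runs;
        # split-horizon names keep resolving because that resolver sees them.
        cat > "$dir/policies.json" <<EOF
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "$provider",
      "Locked": true
    }
  }
}
EOF
    fi
    printf '%s\n' "$dir/policies.json"
}

doh_policy_mode() {
    # Report what an existing policies.json does with DoH: disabled, forced-local, or unknown.
    if grep -q '"Enabled": false' "$1"; then
        echo disabled
    elif grep -q '"ProviderURL"' "$1"; then
        echo forced-local
    else
        echo unknown
    fi
}

# Stand-alone run writes into a scratch directory rather than /etc so it needs no root.
scratch="${TMPDIR:-/tmp}/firefox-policy-example"
f=$(write_doh_policy "$scratch" "")
echo "$f -> $(doh_policy_mode "$f")"
f=$(write_doh_policy "$scratch/local" "https://doh.internal.example/dns-query")
echo "$f -> $(doh_policy_mode "$f")"
```

After deploying, `about:policies` in Firefox lists the active policy and whether it was read successfully; that page is the quickest way to confirm the file landed where this build of Firefox looks for it.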
https://support.mozilla.org/en-US/kb/canary-domain-use-appli...