Should we block DoH by default?

Should we block DoH by default?

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 616 bytes --]

Hello,

A post on the community portal has raised my attention today:

  https://community.ipfire.org/t/firefox-doh-and-ipfire-blocked-dns-ports/1466/3

The author links an article that explains how Firefox decides to enable DoH.

I do not want DoH. I do not like it. Mozilla is doing something really really bad here.

We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.

That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.

Would anybody be against this?

-Michael

Aw: Should we block DoH by default?

[Bernhard Bitsch]

[-- Attachment #1: Type: text/plain, Size: 1100 bytes --]

Hi,

> Gesendet: Dienstag, 03. März 2020 um 12:47 Uhr
> Von: "Michael Tremer" <michael.tremer(a)ipfire.org>
> An: "IPFire: Development-List" <development(a)lists.ipfire.org>
> Betreff: Should we block DoH by default?
>
> Hello,
> 
> A post on the community portal has raised my attention today:
> 
>   https://community.ipfire.org/t/firefox-doh-and-ipfire-blocked-dns-ports/1466/3
> 
> The author links an article that explains how Firefox decides to enable DoH.
> 
> I do not want DoH. I do not like it. Mozilla is doing something really really bad here.
> 
> We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
> 
> That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
> 
> Would anybody be against this?
> 

No, on the contrary.
If we build with much effort an evironment, that does DNS secoure and with minimal overhead in "spying" ( see the excellent blog article by Michael ), DoH would be contraproductive.

- Bernhard

> -Michael

Re: Should we block DoH by default?

[Tapani Tarvainen]

[-- Attachment #1: Type: text/plain, Size: 652 bytes --]

On Mar 03 11:47, Michael Tremer (michael.tremer(a)ipfire.org) wrote:

> I do not want DoH. I do not like it. 

I want it and I like it and I think it will come anyway.

> We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
> 
> That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
> 
> Would anybody be against this?

I would. I don't want to be *forced* to use IpFire resolver.

If you something like that, at the very least it should be an option
that can easily be turned off.

-- 
Tapani Tarvainen

Aw: Re: Should we block DoH by default?

[Bernhard Bitsch]

[-- Attachment #1: Type: text/plain, Size: 1386 bytes --]



> Gesendet: Dienstag, 03. März 2020 um 14:15 Uhr
> Von: "Tapani Tarvainen" <ipfire(a)tapanitarvainen.fi>
> An: development(a)lists.ipfire.org
> Betreff: Re: Should we block DoH by default?
>
> On Mar 03 11:47, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
> 
> > I do not want DoH. I do not like it. 
> 
> I want it and I like it and I think it will come anyway.
> 

Maybe it comes anyway. Just as Google devices want to do DNS resolving on 8.8.8.8, without looking at the rules defined by DHCP etc.
Nevertheless this is no reason to allow it. In most countries vigilantism is not allowed, even when weapons are spread very widely in the society.

> > We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
> > 
> > That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
> > 
> > Would anybody be against this?
> 
> I would. I don't want to be *forced* to use IpFire resolver.
>

But one task of an internet appliance like IPFire is just to force such local rules.
 
> If you something like that, at the very least it should be an option
> that can easily be turned off.
> 

This is one aspect. On the other side such a feature like DoH should be turned on "silently".

---
Bernhard

> -- 
> Tapani Tarvainen
>

Re: Should we block DoH by default?

[Sorin-Mihai Vârgolici]

[-- Attachment #1: Type: text/plain, Size: 1496 bytes --]

EHLO

On 03/03/2020 17:17, Michael Tremer wrote:
> I do not want DoH. I do not like it. Mozilla is doing something really really bad here.

TL;DR, I saw some mention of cloudflare, so I already don't like this at 
all, no matter how good others might think it is, for technical reasons 
or privacy concerns or whatnot .

Does it actually mean that Firefox will try to use cloudflare's DNS by 
default regardless of the system's resolv.conf cluttering my LAN traffic 
with denied requests until I patch the firefox config(s)? I'm not 
directly affected for now, so I have some time to prepare for the next 
updates. This to me sounds like forcing all users to use a proxy even if 
the users don't want to and even have the right to decline. They 
should've stick to pushing Google as default search engine, it really 
was enough...

What if I use private DNS server(s) in IPFire, or in systems' 
resolv.conf (especially for privacy concerns)? What if i do that even in 
systems which are not connected directly behind IPFire or are connected 
to some VPN that is supposed to push the DNS settings to the clients 
(again, especially for privacy concerns, but also because behind a VPN 
you expect to use internal resolving also; I wonder who will benefit 
from a huge list of internal records if DoH is being used).

I get the need to encrypt the DNS traffic, but this is already done 
properly with DNSCrypt, but forcing DoH in browser is a bad and wrong 
decision.

Re: Should we block DoH by default?

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1117 bytes --]

Hello *,

@Sorin-Mihai Vârgolici: EHLO, it's nice to see another Postmaster on this list... :-)

although I basically agree with Michael, Tapani made a point: If we decide to build
something that intents to block DoH in Firefox (what about other browsers, anyway?),
the administrator of an IPFire machine should be able to turn it off easily - which
would be something different than the "turn DNSSEC off" switch requested countless
times by now.

Needless to say, if Mozilla decides not to honour use-application-dns[.]net anymore
- which I expect to happen as some ISPs probably want to continue snooping on their
users DNS traffic -, we are at the very beginning of this battle again.

Besides this canary domain, the links mentioned in https://lists.ipfire.org/pipermail/development/2020-March/007134.html
might be helpful, too, but that would require some sort of deep package inspection,
which I advise against.

It seems to me like the internet is getting worse all the time, and unfortunately,
DoH as used by Mozilla does not make it better...

Thanks, and best regards,
Peter Müller

Re: Re: Should we block DoH by default?

[Tapani Tarvainen]

[-- Attachment #1: Type: text/plain, Size: 626 bytes --]

On Mar 03 14:58, Bernhard Bitsch (Bernhard.Bitsch(a)gmx.de) wrote:

> >  I don't want to be *forced* to use IpFire resolver.

To clarify: I, *AS A SYSADMIN*, don't want to be forced to do so.

> But one task of an internet appliance like IPFire is just to force
> such local rules.

That is different: again, as sysadmin I may want to enforce such
rules inside my net, one way or the other.

Perhaps I should also note that Firefox allows you to choose your own
DoH server, you don't have to use Mozilla or Cloudflare or whatever,
and at some point it might be good to have DoH server built into
IPFire.

-- 
Tapani Tarvainen

Re: Should we block DoH by default?

[Arne Fitzenreiter]

[-- Attachment #1: Type: text/plain, Size: 425 bytes --]

Am 2020-03-03 16:55, schrieb Tapani Tarvainen:
> On Mar 03 14:58, Bernhard Bitsch (Bernhard.Bitsch(a)gmx.de) wrote:
> 
>> >  I don't want to be *forced* to use IpFire resolver.
> 
> To clarify: I, *AS A SYSADMIN*, don't want to be forced to do so.
> 
You are not "forced" to do so. You can always set an alternative DNS
resolver via dhcp. But if this is set to the IPFire resolver is 
configured
Firefox has to use it.

Arne

Aw: Re: Re: Should we block DoH by default?

[Bernhard Bitsch]

[-- Attachment #1: Type: text/plain, Size: 705 bytes --]



> Gesendet: Dienstag, 03. März 2020 um 16:55 Uhr
> Von: "Tapani Tarvainen" <ipfire(a)tapanitarvainen.fi>
> An: development(a)lists.ipfire.org
> Betreff: Re: Re: Should we block DoH by default?
> 
> That is different: again, as sysadmin I may want to enforce such
> rules inside my net, one way or the other.
> 
> Perhaps I should also note that Firefox allows you to choose your own
> DoH server, you don't have to use Mozilla or Cloudflare or whatever,
> and at some point it might be good to have DoH server built into
> IPFire.
>

To clarify from my side. It's not DoH that brought up the discussion, but the decision of Mozilla to enable it by default "silently".

- Bernhard 

Re: Should we block DoH by default?

[Arne Fitzenreiter]

[-- Attachment #1: Type: text/plain, Size: 489 bytes --]

Am 2020-03-03 16:55, schrieb Tapani Tarvainen:
> 
> Perhaps I should also note that Firefox allows you to choose your own
> DoH server, you don't have to use Mozilla or Cloudflare or whatever,
> and at some point it might be good to have DoH server built into
> IPFire.
No. Because DoH is a crappy protocol (BASE64 encoded DNS packets)
and browsers will not accept self signed TLS certificates.

HTTPS cannot verified without working DNS so the Idea to tunnel
DNS over HTTPS is strange...

Re: Should we block DoH by default?

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2150 bytes --]

Thank you everyone for this lively discussion.

So I guess just blocking isn’t acceptable for everyone.

What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.

That could then activate the following:

* Filter the domain name that Firefox uses to auto-enable DoH (*)

* Reject any client connecting to any other DNS server on the internet

Then, the only way to get DNS is to use the IPFire resolver. How is that?

-Michael

(*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find this absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practise here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.

> On 3 Mar 2020, at 16:06, Bernhard Bitsch <Bernhard.Bitsch(a)gmx.de> wrote:
> 
> 
> 
>> Gesendet: Dienstag, 03. März 2020 um 16:55 Uhr
>> Von: "Tapani Tarvainen" <ipfire(a)tapanitarvainen.fi>
>> An: development(a)lists.ipfire.org
>> Betreff: Re: Re: Should we block DoH by default?
>> 
>> That is different: again, as sysadmin I may want to enforce such
>> rules inside my net, one way or the other.
>> 
>> Perhaps I should also note that Firefox allows you to choose your own
>> DoH server, you don't have to use Mozilla or Cloudflare or whatever,
>> and at some point it might be good to have DoH server built into
>> IPFire.
>> 
> 
> To clarify from my side. It's not DoH that brought up the discussion, but the decision of Mozilla to enable it by default "silently".
> 
> - Bernhard 
> 

Re: Should we block DoH by default?

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2304 bytes --]

Hello Michael,

thanks for your reply.

I like your suggestion, and see something like "reject any client
connecting to any other DNS server on the internet" similar to blocking
outbound connections to port 25 in order to prevent spamming.

In both cases and for most SOHO networks, there is little legitimate
reason to do so. Regarding external DNS servers, IoT and similar things
come to my mind, which have their resolvers hard-coded in the firmware.

What do we do about any other DoH server on the internet? I guess filtering
these is hopeless, as censorship circumvention is one of its design goals,
but at least a user has to configure one of these him- or herself.

We have a couple of switches on the firewall options CGI already, so
I expect users to be confused where to find switches for DNS and for
firewall stuff, as this matter is something in between.

Thanks, and best regards,
Peter Müller


> Thank you everyone for this lively discussion.
> 
> So I guess just blocking isn’t acceptable for everyone.
> 
> What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
> 
> That could then activate the following:
> 
> * Filter the domain name that Firefox uses to auto-enable DoH (*)
> 
> * Reject any client connecting to any other DNS server on the internet
> 
> Then, the only way to get DNS is to use the IPFire resolver. How is that?
> 
> -Michael
> 
> (*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find this absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practise here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.
> 

Re: Should we block DoH by default?

[Tapani Tarvainen]

[-- Attachment #1: Type: text/plain, Size: 644 bytes --]

On Tue, Mar 03, 2020 at 05:18:57PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:

> What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
> 
> That could then activate the following:
> 
> * Filter the domain name that Firefox uses to auto-enable DoH (*)
> 
> * Reject any client connecting to any other DNS server on the internet

I would be fine with that, although I'd prefer two separate checkboxes
for those. I can imagine situations where I'd want one or the other but
not both (admittedly not very likely).

-- 
Tapani Tarvainen

Re: Should we block DoH by default?

[Tapani Tarvainen]

[-- Attachment #1: Type: text/plain, Size: 696 bytes --]

On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller(a)ipfire.org) wrote:

> I like your suggestion, and see something like "reject any client
> connecting to any other DNS server on the internet" similar to blocking
> outbound connections to port 25 in order to prevent spamming.
> 
> In both cases and for most SOHO networks, there is little legitimate
> reason to do so. Regarding external DNS servers, IoT and similar things
> come to my mind, which have their resolvers hard-coded in the firmware.

Thinking about those, how about an option to *redirect* connections
to port 53 of external servers to IPFire rather than rejecting them?

-- 
Tapani Tarvainen

Re: Should we block DoH by default?

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 885 bytes --]



> On 4 Mar 2020, at 06:00, Tapani Tarvainen <ipfire(a)tapanitarvainen.fi> wrote:
> 
> On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller(a)ipfire.org) wrote:
> 
>> I like your suggestion, and see something like "reject any client
>> connecting to any other DNS server on the internet" similar to blocking
>> outbound connections to port 25 in order to prevent spamming.
>> 
>> In both cases and for most SOHO networks, there is little legitimate
>> reason to do so. Regarding external DNS servers, IoT and similar things
>> come to my mind, which have their resolvers hard-coded in the firmware.
> 
> Thinking about those, how about an option to *redirect* connections
> to port 53 of external servers to IPFire rather than rejecting them?

Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.

> 
> -- 
> Tapani Tarvainen

Re: Should we block DoH by default?

[Tapani Tarvainen]

[-- Attachment #1: Type: text/plain, Size: 630 bytes --]

On Mar 04 10:11, Michael Tremer (michael.tremer(a)ipfire.org) wrote:

> >> Regarding external DNS servers, IoT and similar things
> >> come to my mind, which have their resolvers hard-coded in the firmware.
> > 
> > Thinking about those, how about an option to *redirect* connections
> > to port 53 of external servers to IPFire rather than rejecting them?
> 
> Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.

Right. But if some IoT thingy relies on a hard-coded DNS-over-TLS
server there's little we can do about it, but redirection could
save the day with those that use good old 53.

-- 
Tapani Tarvainen

Re: Should we block DoH by default?

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 820 bytes --]

Hi,

> On 4 Mar 2020, at 10:56, Tapani Tarvainen <ipfire(a)tapanitarvainen.fi> wrote:
> 
> On Mar 04 10:11, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
> 
>>>> Regarding external DNS servers, IoT and similar things
>>>> come to my mind, which have their resolvers hard-coded in the firmware.
>>> 
>>> Thinking about those, how about an option to *redirect* connections
>>> to port 53 of external servers to IPFire rather than rejecting them?
>> 
>> Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.
> 
> Right. But if some IoT thingy relies on a hard-coded DNS-over-TLS
> server there's little we can do about it, but redirection could
> save the day with those that use good old 53.

I would never expect any IoT product to use DNS-over-TLS.

> -- 
> Tapani Tarvainen