Hello,
A post on the community portal has raised my attention today:
https://community.ipfire.org/t/firefox-doh-and-ipfire-blocked-dns-ports/1466...
The author links an article that explains how Firefox decides to enable DoH.
I do not want DoH. I do not like it. Mozilla is doing something really really bad here.
We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
Would anybody be against this?
-Michael
Hi,
Sent: Tuesday, 03 March 2020 at 12:47
From: "Michael Tremer" michael.tremer@ipfire.org
To: "IPFire: Development-List" development@lists.ipfire.org
Subject: Should we block DoH by default?
> Hello,
> A post on the community portal has raised my attention today:
> https://community.ipfire.org/t/firefox-doh-and-ipfire-blocked-dns-ports/1466...
> The author links an article that explains how Firefox decides to enable DoH.
> I do not want DoH. I do not like it. Mozilla is doing something really really bad here.
> We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
> That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
> Would anybody be against this?
No, on the contrary. If we build, with much effort, an environment that does DNS securely and with minimal overhead in "spying" (see the excellent blog article by Michael), DoH would be counterproductive.
- Bernhard
> -Michael
On Mar 03 11:47, Michael Tremer (michael.tremer@ipfire.org) wrote:
> I do not want DoH. I do not like it.
I want it and I like it and I think it will come anyway.
> We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
> That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
> Would anybody be against this?
I would. I don't want to be *forced* to use the IPFire resolver.
If you do something like that, at the very least it should be an option that can easily be turned off.
Sent: Tuesday, 03 March 2020 at 14:15
From: "Tapani Tarvainen" ipfire@tapanitarvainen.fi
To: development@lists.ipfire.org
Subject: Re: Should we block DoH by default?
> On Mar 03 11:47, Michael Tremer (michael.tremer@ipfire.org) wrote:
> > I do not want DoH. I do not like it.
> I want it and I like it and I think it will come anyway.
Maybe it comes anyway. Just as Google devices want to do DNS resolving on 8.8.8.8, without looking at the rules defined by DHCP etc. Nevertheless, this is no reason to allow it. In most countries vigilantism is not allowed, even when weapons are spread very widely in the society.
> > We could consider always blocking this domain and always return NXDOMAIN or something else that falls into the “negative” category.
> > That way we can guarantee (at least for now) that Firefox users will still use the IPFire resolver.
> > Would anybody be against this?
> I would. I don't want to be *forced* to use the IPFire resolver.
But one task of an internet appliance like IPFire is just to force such local rules.
> If you do something like that, at the very least it should be an option that can easily be turned off.
This is one aspect. On the other side, a feature like DoH should be turned on "silently".
- Bernhard
> -- Tapani Tarvainen
On Mar 03 14:58, Bernhard Bitsch (Bernhard.Bitsch@gmx.de) wrote:
> > I don't want to be *forced* to use the IPFire resolver.
To clarify: I, *AS A SYSADMIN*, don't want to be forced to do so.
> But one task of an internet appliance like IPFire is just to force such local rules.
That is different: again, as sysadmin I may want to enforce such rules inside my net, one way or the other.
Perhaps I should also note that Firefox allows you to choose your own DoH server, you don't have to use Mozilla or Cloudflare or whatever, and at some point it might be good to have a DoH server built into IPFire.
On 2020-03-03 16:55, Tapani Tarvainen wrote:
> On Mar 03 14:58, Bernhard Bitsch (Bernhard.Bitsch@gmx.de) wrote:
> > > I don't want to be *forced* to use the IPFire resolver.
> To clarify: I, *AS A SYSADMIN*, don't want to be forced to do so.
You are not "forced" to do so. You can always set an alternative DNS resolver via DHCP. But if this is set to the IPFire resolver, Firefox has to use it.
Arne
Sent: Tuesday, 03 March 2020 at 16:55
From: "Tapani Tarvainen" ipfire@tapanitarvainen.fi
To: development@lists.ipfire.org
Subject: Re: Re: Should we block DoH by default?
> That is different: again, as sysadmin I may want to enforce such rules inside my net, one way or the other.
> Perhaps I should also note that Firefox allows you to choose your own DoH server, you don't have to use Mozilla or Cloudflare or whatever, and at some point it might be good to have a DoH server built into IPFire.
To clarify from my side: it's not DoH that brought up the discussion, but the decision of Mozilla to enable it by default "silently".
- Bernhard
Thank you everyone for this lively discussion.
So I guess just blocking isn’t acceptable for everyone.
What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
That could then activate the following:
* Filter the domain name that Firefox uses to auto-enable DoH (*)
* Reject any client connecting to any other DNS server on the internet
Then, the only way to get DNS is to use the IPFire resolver. How is that?
-Michael
(*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find this absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practice here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.
On 3 Mar 2020, at 16:06, Bernhard Bitsch Bernhard.Bitsch@gmx.de wrote:
> Sent: Tuesday, 03 March 2020 at 16:55
> From: "Tapani Tarvainen" ipfire@tapanitarvainen.fi
> To: development@lists.ipfire.org
> Subject: Re: Re: Should we block DoH by default?
> > That is different: again, as sysadmin I may want to enforce such rules inside my net, one way or the other.
> > Perhaps I should also note that Firefox allows you to choose your own DoH server, you don't have to use Mozilla or Cloudflare or whatever, and at some point it might be good to have a DoH server built into IPFire.
> To clarify from my side: it's not DoH that brought up the discussion, but the decision of Mozilla to enable it by default "silently".
> - Bernhard
Hello Michael,
thanks for your reply.
I like your suggestion, and see something like "reject any client connecting to any other DNS server on the internet" similar to blocking outbound connections to port 25 in order to prevent spamming.
In both cases and for most SOHO networks, there is little legitimate reason to do so. Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.
What do we do about any other DoH server on the internet? I guess filtering these is hopeless, as censorship circumvention is one of its design goals, but at least a user has to configure one of these him- or herself.
We have a couple of switches on the firewall options CGI already, so I expect users to be confused where to find switches for DNS and for firewall stuff, as this matter is something in between.
Thanks, and best regards, Peter Müller
> Thank you everyone for this lively discussion.
> So I guess just blocking isn’t acceptable for everyone.
> What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
> That could then activate the following:
> * Filter the domain name that Firefox uses to auto-enable DoH (*)
> * Reject any client connecting to any other DNS server on the internet
> Then, the only way to get DNS is to use the IPFire resolver. How is that?
> -Michael
> (*) I have absolutely no idea what they were thinking to entirely throw DHCP out of the window and decide that they can configure clients. That is an absolute no go. I think Mozilla opened a very very bad can of worms here and there is no chance to put the lid back on. I find this absolutely ridiculous what we are considering doing, but Mozilla clearly had other priorities. I do get the idea of it, that everyone has access to a free internet, but that is already the case on my network. I have a DNS resolver that does things for me that I want, and they are simply breaking common practice here. And that not even for all users, but only for a random selection. And on top of all of this they partnered up with Cloudflare after self-hosting everything for privacy reasons for years. Absolute bollocks.
On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller@ipfire.org) wrote:
> I like your suggestion, and see something like "reject any client connecting to any other DNS server on the internet" similar to blocking outbound connections to port 25 in order to prevent spamming.
> In both cases and for most SOHO networks, there is little legitimate reason to do so. Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.
Thinking about those, how about an option to *redirect* connections to port 53 of external servers to IPFire rather than rejecting them?
On 4 Mar 2020, at 06:00, Tapani Tarvainen ipfire@tapanitarvainen.fi wrote:
> On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller@ipfire.org) wrote:
> > I like your suggestion, and see something like "reject any client connecting to any other DNS server on the internet" similar to blocking outbound connections to port 25 in order to prevent spamming.
> > In both cases and for most SOHO networks, there is little legitimate reason to do so. Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.
> Thinking about those, how about an option to *redirect* connections to port 53 of external servers to IPFire rather than rejecting them?
Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.
> -- Tapani Tarvainen
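As an added example (not code from this thread, and not IPFire's own implementation) of the two controls discussed above: Michael's proposal to answer the Firefox canary domain negatively and to reject clients that talk to outside DNS servers, plus Tapani's variant of redirecting plain port 53 to the IPFire resolver instead. It is written as POSIX shell functions that emit an Unbound zone stanza and the iptables rules. The Unbound include directory /etc/unbound/local.d/, the CUSTOMPREROUTING and CUSTOMFORWARD chains of IPFire's firewall.local, the interface name green0 and the address 192.168.1.1 are assumptions made for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from IPFire. Assumptions (not from
# the thread): Unbound reads extra config from /etc/unbound/local.d/, IPFire's
# firewall.local exposes the CUSTOMPREROUTING and CUSTOMFORWARD chains, and
# green0 / 192.168.1.1 stand in for the LAN interface and the firewall's LAN address.
GREEN_DEV="${GREEN_DEV:-green0}"
GREEN_IP="${GREEN_IP:-192.168.1.1}"
CANARY="use-application-dns.net"

# Execute a command, or only print it when DRY_RUN is set, so the rule set can be
# reviewed (and tested) on a machine that is not the firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Control 1: the canary zone. Firefox queries this name before switching to its
# default DoH provider; a negative answer keeps it on the DHCP-supplied resolver.
# Unbound's always_nxdomain type returns NXDOMAIN for the name and everything below it.
unbound_canary_zone() {
    cat <<EOF
# Firefox DoH canary: answer NXDOMAIN so the browser keeps using this resolver.
server:
    local-zone: "${CANARY}." always_nxdomain
EOF
}

# Control 2: plain port 53 to anything but the firewall. "reject" refuses such
# clients outright (Michael's proposal); "redirect" DNATs them to the IPFire
# resolver (Tapani's variant), which keeps IoT devices with hard-coded resolvers
# working. DNS-over-TLS (853) can only be refused: the client verifies the server
# certificate, so a redirected session would fail the TLS handshake anyway.
dns_enforce_rules() {
    mode="${1:-redirect}"
    for proto in udp tcp; do
        case "$mode" in
        redirect)
            run iptables -t nat -A CUSTOMPREROUTING -i "$GREEN_DEV" -p "$proto" \
                ! -d "$GREEN_IP" --dport 53 -j DNAT --to-destination "$GREEN_IP"
            ;;
        reject)
            run iptables -A CUSTOMFORWARD -i "$GREEN_DEV" -p "$proto" \
                --dport 53 -j REJECT
            ;;
        *)
            echo "dns_enforce_rules: unknown mode '$mode'" >&2
            return 1
            ;;
        esac
    done
    run iptables -A CUSTOMFORWARD -i "$GREEN_DEV" -p tcp --dport 853 \
        -j REJECT --reject-with tcp-reset
}

# Typical use on the firewall (assumed path; reload Unbound afterwards):
#   unbound_canary_zone > /etc/unbound/local.d/doh-canary.conf
#   dns_enforce_rules redirect
# Review the rules first without touching anything:
#   DRY_RUN=1 dns_enforce_rules reject
```

To check the canary control from a client, `dig use-application-dns.net` should come back with status NXDOMAIN. In redirect mode `dig @8.8.8.8 example.com` still answers (the reply actually comes from IPFire); in reject mode it fails. Two things these rules do not cover, in line with Peter's remark above: Firefox does not consult the canary when a user has explicitly enabled DoH in its settings, and a user-configured DoH server is just HTTPS on port 443, which nothing here distinguishes from other web traffic. The rules also match only traffic entering on the green interface; other zones would need their own copies.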
On Mar 04 10:11, Michael Tremer (michael.tremer@ipfire.org) wrote:
> > > Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.
> > Thinking about those, how about an option to *redirect* connections to port 53 of external servers to IPFire rather than rejecting them?
> Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.
Right. But if some IoT thingy relies on a hard-coded DNS-over-TLS server there's little we can do about it, but redirection could save the day with those that use good old 53.
Hi,
On 4 Mar 2020, at 10:56, Tapani Tarvainen ipfire@tapanitarvainen.fi wrote:
> On Mar 04 10:11, Michael Tremer (michael.tremer@ipfire.org) wrote:
> > > > Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.
> > > Thinking about those, how about an option to *redirect* connections to port 53 of external servers to IPFire rather than rejecting them?
> > Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.
> Right. But if some IoT thingy relies on a hard-coded DNS-over-TLS server there's little we can do about it, but redirection could save the day with those that use good old 53.
I would never expect any IoT product to use DNS-over-TLS.
> -- Tapani Tarvainen
On Tue, Mar 03, 2020 at 05:18:57PM +0000, Michael Tremer (michael.tremer@ipfire.org) wrote:
> What we could do instead is adding a checkbox to the new DNS settings section and call it “Enforce using IPFire as DNS resolver”.
> That could then activate the following:
> * Filter the domain name that Firefox uses to auto-enable DoH (*)
> * Reject any client connecting to any other DNS server on the internet
I would be fine with that, although I'd prefer two separate checkboxes for those. I can imagine situations where I'd want one or the other but not both (admittedly not very likely).
On 2020-03-03 16:55, Tapani Tarvainen wrote:
> Perhaps I should also note that Firefox allows you to choose your own DoH server, you don't have to use Mozilla or Cloudflare or whatever, and at some point it might be good to have a DoH server built into IPFire.
No. Because DoH is a crappy protocol (BASE64-encoded DNS packets) and browsers will not accept self-signed TLS certificates.
HTTPS cannot be verified without working DNS, so the idea to tunnel DNS over HTTPS is strange...
EHLO
On 03/03/2020 17:17, Michael Tremer wrote:
> I do not want DoH. I do not like it. Mozilla is doing something really really bad here.
TL;DR, I saw some mention of Cloudflare, so I already don't like this at all, no matter how good others might think it is, for technical reasons or privacy concerns or whatnot.
Does it actually mean that Firefox will try to use Cloudflare's DNS by default regardless of the system's resolv.conf, cluttering my LAN traffic with denied requests until I patch the Firefox config(s)? I'm not directly affected for now, so I have some time to prepare for the next updates. This to me sounds like forcing all users to use a proxy even if the users don't want to and even have the right to decline. They should've stuck to pushing Google as default search engine, it really was enough...
What if I use private DNS server(s) in IPFire, or in systems' resolv.conf (especially for privacy concerns)? What if I do that even in systems which are not connected directly behind IPFire or are connected to some VPN that is supposed to push the DNS settings to the clients (again, especially for privacy concerns, but also because behind a VPN you expect to use internal resolving also; I wonder who will benefit from a huge list of internal records if DoH is being used).
I get the need to encrypt the DNS traffic, and this is already done properly with DNSCrypt, but forcing DoH in the browser is a bad and wrong decision.
Hello *,
@Sorin-Mihai Vârgolici: EHLO, it's nice to see another Postmaster on this list... :-)
although I basically agree with Michael, Tapani made a point: if we decide to build something that intends to block DoH in Firefox (what about other browsers, anyway?), the administrator of an IPFire machine should be able to turn it off easily - which would be something different than the "turn DNSSEC off" switch requested countless times by now.
Needless to say, if Mozilla decides not to honour use-application-dns[.]net anymore - which I expect to happen, as some ISPs probably want to continue snooping on their users' DNS traffic -, we are at the very beginning of this battle again.
Besides this canary domain, the links mentioned in https://lists.ipfire.org/pipermail/development/2020-March/007134.html might be helpful, too, but that would require some sort of deep packet inspection, which I advise against.
It seems to me like the internet is getting worse all the time, and unfortunately, DoH as used by Mozilla does not make it better...
Thanks, and best regards, Peter Müller