Unsolved
This post is more than 5 years old
3 Apprentice
•
15.3K Posts
1
1229
Be on the lookout for FF 62: new DNS resolution
Mozilla's new DNS resolution is dangerous: All your DNS traffic will be sent to Cloudflare
https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/
FF 62 will introduce two new features to their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted Recursive Resolver (TRR).
Mozilla will be using a new technique to transport requests over https, which encrypts the data. But doing so overrides [at least, within FF] any user-configured [or ISP-default] DNS server with Cloudflare, effectively sharing all your surfing habits with them! Additionally, should Cloudflare ever be down ["crash"], you won't be able to connect with anything using FF.
----------------------------------------------------------------
Update #1: How to turn TRR off
User rendx nicely described on hackernews how to turn off TRR and we want to share this info with you:
Enter about:config in the address bar
Search for network.trr
- Set network.trr.mode = 5 to completely disable it
----------------------------------------------------------------
[With acknowledgement to Corrine at Landzdown...]
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
August 7th, 2018 04:00
Mozilla’s new Firefox update puts user security at risk with TRR feature
https://news.thewindowsclub.com/mozillas-new-firefox-update-puts-user-security-at-risk-with-trr-feature-92904/
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
August 7th, 2018 15:00
Mozilla faces resistance over DNS privacy test
https://nakedsecurity.sophos.com/2018/08/07/mozilla-faces-resistance-over-dns-privacy-test/
joe53
2 Intern
2 Intern
•
5.8K Posts
0
August 7th, 2018 17:00
This development has got me thinking about DNS servers in general, and OpenDNS in particular (since I use and endorse it). Apart from the default opt-in argument, can any of the concerns expressed over privacy issues not also apply to OpenDNS, as a 3rd party DNS resolver?
RoHe
10 Elder
10 Elder
•
44.6K Posts
0
August 8th, 2018 10:00
There are a number of DNS resolvers that "claim" they don't track, log or filter DNS queries on their system, eg FreeDNS etc, but I have no way to verify those claims.
Your ISP may already be logging your DNS look-ups. And Google DNS more than likely tracks you if you use their DNS server (IP addresses 8.8.8.8 and 8.8.4.4) for your DNS look-ups. :Wink:
Occasionally any DNS server may go down, but Windows lets you specify an alternative DNS so if the primary goes down, you'd probably never know because the OS would automatically switch to the secondary if the primary stops responding.
Now if FF is going to override your Windows DNS settings, there better be a secondary that's independent of the primary server, so FF won't lose DNS look-up capabilities, which would stop that browser from functioning. But in that case you could immediately switch over to an alternative browser which uses your Windows DNS server settings.
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
August 8th, 2018 11:00
Like Joe, I've been using (and advocating) OpenDNS. I have no idea if they "track" me, keeping records of my surfing habits. I guess that's a valid question.
I like OpenDNS because:
1) It's had a great track-record of "staying alive"... not being down... which is critical for any DNS server.
2) It's generally among the faster DNS resolvers, meaning you [potentially] connect to websites faster.
3) It offers lots of blocking/protection and customizable-filtering options. For simplicity, I **CHOOSE** to use their "Family Shield", which automatically includes (some degree of) protection/blocking against malware/phishing/"adult" sites.
I also like the basic fact that I was the one who opted-IN to their service... no one imposed it on me "in the background".
joe53
2 Intern
2 Intern
•
5.8K Posts
0
August 8th, 2018 21:00
From the OpenDNS FAQ website:
"Do you share any information? What is your privacy policy?
We take our users' privacy is very seriously. No information will be shared with outside parties. You can read more about our privacy policy at http://www.opendns.com/privacy-policy/ "
- https://support.opendns.com/hc/en-us/articles/227987107-Frequently-Asked-Questions-
However this simplified policy statement is very misleading. If you use the link to actually read the privacy policy, you are taken to the Cisco (owner of OpenDNS) Online Privacy Statement. And as I read it, you have virtually no privacy:
- "We may collect data, including personal information, about you as you use our websites and Solutions and interact with us. "Personal information" is any information that can be used to identify an individual, and may include name, address, email address, phone number, login information (account number, password), marketing preferences, social media account information, or payment card number. If we link other data with your personal information, we will treat that linked data as personal information. We also collect personal information from trusted third-party sources and engage third parties to collect personal information to assist us."
I suspect that most ISPs and other 3rd party DNS resolver providers have similar policies. I don't intend to change from OpenDNS, for the reasons ky331 gave. But I have no illusions of internet privacy. And I will certainly disable the new feature in FF 62, just on principle, because of its default opt-in.
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
August 9th, 2018 05:00
And that's just it: are you any better-off with the privacy offered by your ISP?? They certainly can see (and have access to) any sites you surf.
It's not like one can get-by without using a DNS-resolver... you gotta go through one of them (practically speaking).