
Mozilla's new DNS resolution is dangerous


tao


All your DNS traffic will be sent to Cloudflare

A new feature in Firefox

With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). In this article we want to talk especially about the TRR. They advertise it as an additional feature which enables security. We think quite the opposite: we think it's dangerous, and here's why.

DNS? What is DNS?

The Domain Name System (DNS) is a service used in converting a computer’s host name or a Top-Level Domain (TLD) into an IP address. When you enter the domain of a website in your browser, you automatically send a request to the DNS server you have configured. The DNS server then looks up the host name and returns an IP address so your browser knows where exactly to connect to.

 

But here begins the problem. Not only your browser knows where exactly to connect to, but also the DNS server knows where YOU connect to. This must not be a problem in every case. Basically most of the ISPs have their own DNS server that is automatically configured. And your ISP knows where you connect to anyways. So the data or information generated by their DNS server provides no additional information to them.

Why would you replace your ISP's DNS server with another one?

There are a variety of problems with the DNS protocol ("the language of DNS"). DNS requests are usually sent unencrypted and potentially everyone between you and the DNS server can read your DNS requests. Mozilla is using a new technique to transport requests over https, which encrypts the data. That is generally speaking a good thing. However usually the DNS servers that you use are local DNS servers (from your ISP) and thus the attack vector (i.e. who can spy on you) is local.

Mozilla wants to override any configured DNS server with Cloudflare

So let’s get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). With the next Mozilla patch in September any DNS change you configure in your network won't have any effect anymore, at least for browsing with Firefox, because Mozilla has partnered up with Cloudflare and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests. 

 

From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don’t know, it is not true that this increases security in general.

 

It is true when you are somewhere in a network you don’t know, i. e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers. 

Sharing data with third parties bears risks

But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP’s default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself. Cloudflare publicly commits to a "pro-user privacy policy" and the deletion of all personally identifiable data after 24 hours, but you never know where your data ends up at the end of the day.

Single point of failure (SPOF)

If you are in IT, you have likely heard already about the SPOF, the single point of failure. If the SPOF breaks (like a router), the whole infrastructure will collapse. What Mozilla effectively does is adding a SPOF for all of their users. But the main problem is not that if Cloudflare is down that nobody can surf anymore. No, the real problem is that it fully disables anonymity. Think about a whistleblower who wants to send information to a newspaper. In the days before Mozilla's change, the DNS resolution was local and could be attacked. However with Mozilla's change, all DNS requests are seen by Cloudflare and in turn also by any government agency that has legal right to request data from Cloudflare.

 

Let's stop here for the moment and repeat: With Mozilla's change, any (US) government agency can basically trace you down.

 

If there is anything wrong with your government (for instance corruption, collusion or fraud) and you have information to publish about it, the government will be able to trace you down. This puts any whistleblower at risk.

 

What you can do is, you can configure your Firefox not to use this feature. However, it is configured to use the Cloudflare resolver as default. It’s up to you to decide, who you want to trust your data with. My local ISP seems more trustworthy to me than a big US-based corporate which acts under the guise of a selfless privacy rights defender.

Update #1: How to turn TRR off

User rendx nicely described on hackernews how to turn off TRR and we want to share this info with you:

  • Enter about:config in the address bar

  • Search for network.trr

  • Set network.trr.mode = 5 to completely disable it

< Here >

Link to comment
Share on other sites


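The about:config steps above edit a preference that Firefox persists as a user_pref(...) line in the profile's prefs.js (or a user.js you ship yourself). As an added example, not part of the original post or of Mozilla's code, here is a small Python audit helper that parses such a file, reports whether the profile would send queries to the TRR, and rewrites the file so network.trr.mode is 5. The sample prefs text and the resolver URL in it are constructed; the meaning of each mode value is my reading of the Firefox preference at the time of the thread, so treat that table as an assumption.

```python
import re

# Assumed meaning of network.trr.mode values (Firefox preference; modes 1 and 4
# were later deprecated). With mode 0 the browser default applies, which at the
# time of the thread meant "system resolver".
TRR_MODES = {
    0: "off (browser default, system resolver)",
    1: "race DoH against the system resolver",
    2: "DoH first, fall back to system resolver",
    3: "DoH only, no fallback",
    4: "shadow mode (DoH queried, results unused)",
    5: "off by explicit user choice",
}

# Matches lines of the form: user_pref("network.trr.mode", 5);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a prefs.js; the DoH URL is a placeholder, not a real endpoint.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
// constructed sample profile, not a real one
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("privacy.trackingprotection.enabled", true);
'''


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict; comments and blank lines are skipped.
    Values become bool, int or str depending on how they are written."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def trr_status(prefs):
    """Summarise what the parsed prefs say about the Trusted Recursive Resolver."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown value"),
        # Modes 1 to 4 all send queries to the configured DoH resolver.
        "sends_to_trr": mode in (1, 2, 3, 4),
        "resolver": prefs.get("network.trr.uri", "(built-in default)"),
    }


def set_trr_mode(text, mode=5):
    """Return the prefs text with network.trr.mode forced to `mode`.
    An existing line is replaced in place; otherwise one is appended. Every other
    line is kept verbatim so the rest of the profile is untouched."""
    new_line = 'user_pref("network.trr.mode", %d);' % mode
    out, replaced = [], False
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m and m.group(1) == "network.trr.mode":
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = trr_status(parse_prefs(SAMPLE_PREFS))
    print("before:", before)
    hardened = set_trr_mode(SAMPLE_PREFS, 5)
    print("after: ", trr_status(parse_prefs(hardened)))
```

To use it on a real profile, read prefs.js with Firefox closed (it rewrites the file on exit), feed the text to parse_prefs and trr_status, and write the output of set_trr_mode to user.js rather than back into prefs.js, since user.js is re-applied on every start.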
stylemessiah

Cloudflare will then be able to read everyone's DNS requests. 

 

Top tip:

 

Any DNS resolver can read the DNS requests of any user connected to it

 

So why the hysteria here? Sounds like FUD from a Chrome fanboy trying to muddy the waters with (mis)information about how DNS works....

 

Stop the madness, either use it or dont, but DNS works the same from one provider to the next, deal with it

 

A non-article if ever i saw one.....sheesh

 

 

Link to comment
Share on other sites
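The point made in this reply, that whoever runs the resolver sees every name a client asks for, follows from the wire format itself: a classic DNS query carries the host name in cleartext labels. The following Python is an added example, not code from the original post or from any of the projects discussed, and the packets it inspects are constructed inline. It builds RFC 1035 queries, then reads the queried names back the way an on-path observer (or the resolver) would. DoH moves exactly these bytes inside a TLS connection, so a network observer no longer sees them, but the resolver at the far end still does.

```python
import struct


def encode_qname(name):
    """Encode a host name as DNS labels: each label length-prefixed, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Build a plain UDP DNS query: header with QR=0, RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return header + question


def decode_qname(packet, offset):
    """Read labels starting at `offset`; returns (name, offset after the zero byte)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers only appear in answers, never in a question we built.
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observed_names(packets):
    """What a passive observer of cleartext DNS learns: every (name, qtype) asked for.
    No key is needed; responses (QR bit set) are skipped, queries are parsed."""
    seen = []
    for pkt in packets:
        _txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
        if flags & 0x8000 or qdcount == 0:
            continue
        offset = 12  # fixed header length
        for _ in range(qdcount):
            name, offset = decode_qname(pkt, offset)
            qtype, _qclass = struct.unpack("!HH", pkt[offset:offset + 4])
            offset += 4
            seen.append((name, qtype))
    return seen


# Constructed traffic sample: two queries and one response (which carries no
# question of ours and is ignored by the observer).
SAMPLE_PACKETS = [
    build_query("bank.example", txid=1),             # A record
    build_query("news.example", txid=2, qtype=28),   # AAAA record
    struct.pack("!HHHHHH", 1, 0x8180, 1, 1, 0, 0) + encode_qname("bank.example")
    + struct.pack("!HH", 1, 1),                      # response header + echoed question
]

if __name__ == "__main__":
    for name, qtype in observed_names(SAMPLE_PACKETS):
        print("observer saw query for %s (type %d)" % (name, qtype))
```

The same observed_names function applied to a capture of a DoH session would return nothing, because the DNS message is the HTTPS request body; that is the gain DoH offers. It is also why the thread's argument is about who the resolver is rather than about encryption: the party terminating the TLS connection decodes these exact bytes.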


Why is it every time Mozilla announces some change to Firefox, my first thought is always 'Oh God! What are they ruining now?" and my second thought (after reading what the change is) almost always "How do I disable it?"?

 

This would break one of my LAN's layers of ad-blocking... Asus RT-AC86U router running Merlin firmware with AB-Solution/pixelserv combo installed on it. This relies on the router doing the DNS resolution, so there IS at least one good and genuine reason to disable this "feature".

 

(In case anyone's curious... Asuswrt-Merlin  and  Asuswrt-Merlin | SmallNetBuilder Forums  and  AB-Solution: Home - The Ad Blocking Solution)

 

Link to comment
Share on other sites


10 hours ago, Karlston said:

Why is it every time Mozilla announces some change to Firefox, my first thought is always 'Oh God! What are they ruining now?"

and my second thought (after reading what the change is) almost always "How do I disable it?"? 

Exactly my thoughts. :clap:

Link to comment
Share on other sites


  • Administrator

The author would have been far better to write to Mozilla about making it optional or even create a bug in the Bugzilla about it. It's not that a wrong issue is being raised, it's just that it's wrongly sensationalized. Here is the Mozilla article which the author is targeting here. I feel it's an important feature if implemented correctly.

 

It's a lot of mongering anyway. I would rather trust another DNS rather than my ISP's DNS.

 

To add to that, DNS logs themselves are quite an unexplored territory. No one has paid attention to how or how well they are saved. Half of the world might be using GoogleDNS by now either willingly or unwillingly - a lot of ISPs indirectly use GoogleDNS rather than using their own. One would imagine DNS logs are not easy to keep, considering the number of DNS requests is huge, filling up the storage of any servers sooner or later. The company however who has good ability and power to be able to store those DNS requests is Google itself. Here is the Google policy on DNS requests:

 

Quote

What information does Google log when I use the Google Public DNS service?

The Google Public DNS privacy page has a complete list of information that we collect. Google Public DNS complies with Google's main privacy policy, available at our Privacy Center.

Your client IP address is only logged temporarily (erased within a day or two), but information about ISPs and city/metro-level locations are kept longer for the purpose of making our service faster, better, and more secure.

Is any of the information collected stored with my Google account?

No.

Does Google share the information it collects from the Google Public DNS service with anyone outside Google?

No, except in the limited circumstances described in Google's privacy policy, such as legal processes and enforceable governmental requests. (See also Google's Transparency Report on user data requests.)

 

 

Does this look highly trustable? I do not think so. Yet we do not see articles written for it.

 

Also, so many sites are hosted on Cloudflare. Whenever one visits those sites Cloudflare gets their information. Sure, there are methods to avoid this, but there should be methods to avoid the issue raised too.

 

I suggest that Mozilla should, if there is not any other option, bring in more companies - for example, I guess Google itself who can handle this.

Link to comment
Share on other sites


  • Administrator
40 minutes ago, Nastrahl said:

This can be summarised by: Cloudflare paid Mozilla to override people’s system DNS.

 

It will be interesting if they did. If they did Mozilla would have documented it. They do say they have partnered them but I'm not sure if they have said any money is involved in that.

Link to comment
Share on other sites


1 minute ago, DKT27 said:

 

It will be interesting if they did. If they did Mozilla would have documented it. They do say they have partnered them but I'm not sure if they have said any money is involved in that.

 

 

Every time I read "partner" I think it’s a soft way to say they’ll do business somewhere; am I wrong?

 

Why didn’t they partner with OpenNIC instead if it’s all about security only?

 

Maybe I’m a bit of a killjoy here. ?

Link to comment
Share on other sites


5 hours ago, DKT27 said:

I would rather trust another DNS rather than my ISP's DNS.

yes me too, BUT my VPN's DNS though, NOT Mozilla or Cloudflare.

 

Link to comment
Share on other sites


6 hours ago, DKT27 said:

 

It will be interesting if they did. If they did Mozilla would have documented it. They do say they have partnered them but I'm not sure if they have said any money is involved in that.

 

First the $oros shenanigans, then this? something's going on over there

Link to comment
Share on other sites


stylemessiah
5 hours ago, Cruzan said:

yes me too, BUT my VPN's DNS though, NOT Mozilla or Cloudflare.

 

 

I still don't know why people continue to think VPNs are safer than a straight connection. For me, if I was looking to log someone's usage, would I rather log:

 

a) everyday user requests to bog standard boring servers

 

b) everything a VPN user visits, because VPN users are obviously, by simple virtue of using a VPN, trying to hide their connections and traffic

 

I know which I'd pick if I was a data logger

 

hint: it wouldn't be a)

 

You're living under a false sense of security if you're using a VPN, just saying, they're the most logged connections on the interwebs...

 

I've been on the interwebs since year dot, never used a VPN or proxied connection yet....

Link to comment
Share on other sites


I switched to WaterFox the moment Mozilla decided to ditch classic extensions.

At least with WaterFox, some unwanted features/configurations are taken out.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.
