Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I thought it was enabled by default, although this is a new FF install and it wasn't. I did enable it. My opinion, somewhat uninformed, is that it is a good thing. Mozilla has added another provider, and you can now also add your own, assuming they do DNS over HTTPS that is.
As long as it uses the defaults you send one DNS provider all your requests. In my eyes a gaping hole in privacy. Maybe DoT (DNS over TCP) will handle this better. I'll wait for that.
I’d note that unless one does something to avoid it all DNS requests are (usually) sent to a single provider....the one the ‘puter is configured to use. On my home network, that’d be the Cox Communications name server. On my server, I use a name server provided by the data center.
According to the link posted,
Quote:
Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
I wonder if the servers I use, or Google's 8.8.8.8 name server, for example, have such policies in place.
That said, and as the linked page points out, DoH prevents third party sniffing by encrypting, but will defeat things like using DNS to filter website access.
Does not address my question.
So, let me google that for you: https://www.thesslstore.com/blog/dns...ns-over-https/
.. reads ...
OK, I'm a little wiser now.
Apparently there’s a debate, and I’ll trust the technical specialists when they say that DNS over TLS is a better implementation of what in its intent is the same as DNS over HTTPS: to encrypt DNS requests while they travel through the web.
But AFAICS this still does not address the issue of having to entrust whoever runs your DNS server with all your requests.
Alas, I fear you will just throw me another LMGTFY, but it would be nice to actually engage in a discussion about this.
Thanks to all who replied. Personally I don't understand the DNS over TLS vs DNS over HTTPS thing. I read the linked article but at the end there was no clear winner. Anyways I will keep using DoH until Firefox offers something better.
TLS is the encryption method used to achieve HTTPS so they are synonymous, at least with respect to how Mozilla implements the traffic in Firefox. Outside of the browser, I suppose you could encrypt DNS traffic using TLS but I do not know enough about that.
Last edited by sevendogsbsd; 03-24-2020 at 09:54 AM.
Quote:
Originally Posted by ondoho
Does not address my question.
Why do you ask when you are aware of the issue and discussion? You probably understand more of the questions than I. All I gleaned so far, was that DoH has more issues than DoT. That lets me wait until the better wins (hopefully). I just wanted to point out to the OP that not all is resolved.
I disabled DoH in Firefox since it would bypass my Pi-Hole DNS server and start serving up tracking tokens and ads. I have facebook and twitter domains blocked since I don't use them and I don't want them to track me; DoH has no way to block domains.
DoH does not address tracking, and any filtering a provider may have is not as comprehensive as it could be (except for maybe Quad9).
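Two things in this thread are easier to see in code than in prose: the difference between DoT and DoH that several posts above struggle with (they carry the very same RFC 1035 message, DoT with a 2-byte length prefix inside TLS on port 853 per RFC 7858, DoH as an HTTPS request body or base64url GET parameter per RFC 8484), and why a browser doing DoH walks straight past a Pi-hole that only sees port 53. The following is an added example written for this page, not code from the thread, from Mozilla or from Pi-hole. The endpoint doh.example.net, the resolver replies and the addresses are constructed placeholders. It also shows Mozilla's documented canary domain, use-application-dns.net: when the local resolver answers NXDOMAIN for it, Firefox leaves DoH off in the default rollout mode, which is the one network-level knob a Pi-hole operator has; it does not override a user who switched DoH on explicitly in Preferences.

```python
"""Added example (not from the LQ thread): one DNS query framed for DoT
(RFC 7858) and for DoH (RFC 8484), plus a parser for the reply so the
Firefox canary-domain opt-out can be checked. Runs offline: every
'reply' below is constructed locally, nothing is sent."""
import base64
import struct
from urllib.parse import urlencode, urlsplit, urlunsplit

DOH_ENDPOINT = "https://doh.example.net/dns-query"  # assumed, not a real resolver
# Mozilla's canary domain: NXDOMAIN from the local resolver tells Firefox
# not to turn DoH on by default (explicit user/enterprise settings win).
CANARY = "use-application-dns.net"
QTYPE_A = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    """RFC 1035 wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Recursive query. RFC 8484 says DoH clients SHOULD use ID 0 so the
    request bytes are cacheable; a DoT client would use a random ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def dot_frame(query: bytes) -> bytes:
    """DoT is ordinary DNS-over-TCP framing carried inside TLS (port 853)."""
    return struct.pack("!H", len(query)) + query


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET: the message is base64url, no padding, in the ?dns= parameter.
    A port-53 filter never sees it; only the HTTPS endpoint does."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return urlunsplit(urlsplit(endpoint)._replace(query=urlencode({"dns": dns})))


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, handling RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and any A-record addresses from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addrs}


def canary_disables_doh(local_resolver_reply: bytes) -> bool:
    """True when the local resolver (e.g. a Pi-hole) answers the canary
    with NXDOMAIN, the signal Firefox honours in default DoH mode."""
    return parse_response(local_resolver_reply)["rcode"] == RCODE_NXDOMAIN


def build_reply(query: bytes, rcode: int, addrs=()) -> bytes:
    """Constructed resolver reply for offline use: echoes the question,
    sets QR/RD/RA + rcode, adds one A record per address via a name pointer."""
    txid = struct.unpack_from("!H", query)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
        + bytes(int(o) for o in a.split("."))
        for a in addrs
    )
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query("www.facebook.com")
    print("DoT frame (hex):", dot_frame(q).hex())
    print("DoH GET URL:   ", doh_get_url(q))
    # Constructed: a filtering resolver sinkholes the name to 0.0.0.0, an
    # unfiltered DoH resolver hands back a real (here documentation) address.
    print("pi-hole style:", parse_response(build_reply(q, RCODE_NOERROR, ["0.0.0.0"])))
    print("upstream DoH: ", parse_response(build_reply(q, RCODE_NOERROR, ["192.0.2.10"])))
    canary = build_reply(build_query(CANARY), RCODE_NXDOMAIN)
    print("canary opt-out honoured:", canary_disables_doh(canary))
```

The point of putting the two framings side by side is that the privacy and filtering trade-offs in the thread have nothing to do with the encryption (both use TLS) and everything to do with where the query goes: DoT still goes to whatever resolver the OS is configured for, DoH goes to the resolver the application picked, which is why a network-side filter only gets a say through the canary domain or by blocking the DoH endpoints themselves.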
My Raspberry Pi went bad after running for three years, so I have no hardware to run Pi-Hole, but I use the following Firefox extensions to block ads