Mozilla’s implementation of DNS over HTTPS in Firefox and their claims are misleading at best…

Recently Mozilla finalized their implementation of DNS over HTTPS in Firefox. This protocol would improve internet users’ privacy and security while using Firefox. A change in their implementation means that many of the privacy and security benefits of DNS over HTTPS go away for Firefox users.

A history of DNS over HTTPS

March 2018: Mozilla begins testing an implementation of DNS over HTTPS.

October 2018: RFC 8484 was published by the IETF to describe the encrypted DNS system known as DNS over HTTPS.

November 2019: Microsoft announced that they would add support for DNS over HTTPS to the Windows 10 operating system.

February 2020: Mozilla announced the inclusion of DNS over HTTPS in Firefox to the general public and began the rollout.

What’s the issue with DNS over HTTPS?

A criticism of the DNS over HTTPS protocol is that it will break some software products that rely on the information sent in a DNS query to determine whether to allow or block a connection to a website. This affects certain educational institutions, corporations, and totalitarian governments.

Popular web filtering products will check each DNS query against an allow or deny list of websites. An encrypted protocol would break those products in their current form and prevent them from working properly.

The solution is to disable DNS over HTTPS on computers owned by the company. Any company computer could simply install a Firefox Enterprise Policy to disable the system while not affecting personal computers which are owned by private individuals. Mozilla’s finalized solution astounded me and goes against what I thought their values were.

What solution did Mozilla provide to network owners?

Mozilla added a simple test to decide whether to allow DNS over HTTPS. If an unencrypted query to use-application-dns.net returns NXDOMAIN or SERVFAIL then Firefox will disable the DNS over HTTPS system. Mozilla had the following to say on their support website about how this works:

In addition, Firefox will check for certain functions that might be affected if DoH is enabled, including:

* Are parental controls enabled?
* Is the default DNS server filtering potentially malicious content?
* Is the device managed by an organization that might have a special DNS configuration?

If any of these tests determine that DoH might interfere with the function, DoH will not be enabled. These tests will run every time the device connects to a different network.

Mozilla Support https://support.mozilla.org/en-US/kb/firefox-dns-over-https
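
The canary test described above can be observed from the user's side. The script below is an added example, not code from this post or from Mozilla: it queries the canary domain through the system resolver and reports whether the answer is one the article says turns DoH off. It assumes dig is installed; the control name example.com and the verdict labels are choices made for this example.

```sh
#!/bin/sh
# Added example: see whether this network answers Firefox's canary domain
# the way the article says turns DoH off. Requires dig (assumption).
CANARY="use-application-dns.net"   # canary domain named in the article
CONTROL="example.com"              # assumed control name, expected to resolve

# Pull the response code out of dig's header line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242"
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# $1 = canary status, $2 = control status (labels are this example's own).
canary_verdict() {
    case "$1" in
        NXDOMAIN|SERVFAIL)
            # Only the canary fails: the resolver singles it out.
            if [ "$2" = "NOERROR" ]; then echo "canary-blocked"
            else echo "resolver-failing"; fi ;;
        NOERROR) echo "no-signal" ;;
        *)       echo "inconclusive" ;;   # timeout, no dig output, or another code
    esac
}

# Live check through the system resolver (plain, unencrypted DNS).
check_network() {
    c=$(dig +tries=1 +time=3 "$CANARY" A 2>/dev/null) || true
    k=$(dig +tries=1 +time=3 "$CONTROL" A 2>/dev/null) || true
    canary_verdict "$(dig_status "$c")" "$(dig_status "$k")"
}

# Constructed dig header for illustration, not captured from a real network.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

if [ "${1:-}" = "--live" ]; then
    check_network
fi
```

Run it with --live after joining a network; the control lookup separates a resolver that is failing for every name from one that singles out the canary.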

I take issue with this approach. As far as I am aware, the user is not informed when DNS over HTTPS is disabled. This may give them a dangerous false sense of security. To add insult to injury, they are not offered a way to use DNS over HTTPS against a network owner’s wishes. I was unable to find an option under network.trr in about:config settings to toggle the test. I did notice that in about:studies there is a DNS over HTTPS US Rollout study. Disabling this study might disable the test of whether to disable DNS over HTTPS. If this works, it is a temporary solution at best. Aside from compiling your own “fork” of Mozilla Firefox, it looks like you are forced to obey their decision. Since when did Mozilla get in the business of taking away the freedom of choice from internet users? I thought that was the job of giant corporations, not the non-profits which are supposed to be on your side.

What should Mozilla have done instead?

I believe that this issue could have been easily resolved by adding an option to Firefox Enterprise Profiles to disable the functionality. This would allow normal users to keep using and benefiting from DNS over HTTPS while corporate computers could be monitored. It is the most reasonable compromise and doesn’t undermine the privacy and security rights of Mozilla users.

How does Mozilla’s solution to corporate network owners affect the average internet user?

The solution Mozilla offered to corporate network owners feels draconian and has potentially chilling effects.

Any ISP or Government on demand could return NXDOMAIN or SERVFAIL to disable DNS over HTTPS. This could be used to target specific users (for example activists) by disabling the additional privacy & security benefits DNS over HTTPS offers them.

Anyone with the ability to intercept wireless network traffic could abuse this solution to disable Firefox’s DNS over HTTPS system, then continue the activities that internet users would otherwise be protected from.

Users are not given a warning message that their traffic may be tampered with or spied on, as they are when an HTTPS connection is tampered with. This goes against the premise of encrypting DNS queries. What is Mozilla doing about this?

Can an ISP disable DNS over HTTPS and continue selling your data?

It is unclear how much data Mozilla is collecting through their rollout study. If major ISPs choose to return NXDOMAIN or SERVFAIL on queries to use-application-dns.net will Mozilla backtrack on their decision to allow DNS over HTTPS to be disabled by a network administrator? As net neutrality is no longer the law, there is nothing stopping them if they choose to do so.

From a technical standpoint, it currently looks like the answer is yes. Allowing ISPs to disable the system can make it easier for them to sell your web browsing history. It is unclear if the ISPs will choose to override consumer choice.

I can imagine similar situations with a totalitarian government that uses DNS monitoring and tampering to censor the populace by ordering ISPs to block queries to use-application-dns.net once this rolls out outside the United States, if they have not taken proactive measures already.

From an ethical standpoint, will Mozilla do the right thing and backtrack once this becomes an issue?

You cannot make a security feature secure unless it protects all users unconditionally

Growing up I was and still am a very active user in information security and privacy technology communities. If there is one thing at all I have learned as a result of those experiences, it is that you cannot make a security feature secure unless it protects everyone unconditionally.

Mozilla’s implementation of DNS over HTTPS locks traffic from otherwise prying eyes but then publishes the master key allowing any entity to unlock the traffic at will. These actions may have chilling effects.

Imagine if the Tor Project modified Tor, an anti-censorship product, to allow easy blocking of connections to the network and stopped providing bridges. It would affect journalists and political dissidents around the world.

What other solutions exist?

Honestly, it hurts me to have to answer this question. I care about Mozilla, and the Firefox Community as a whole. I wouldn’t want anything to happen to it. If anything, I feel betrayed as a Firefox user and speaking out is the only way I believe change will occur.

There is not an easy replacement at this time. The closest thing I found was cloudflared, a command-line DNS over HTTPS client. As far as I’m aware, it does not disable itself to appease network administrators. If you are feeling up to the challenge, Cloudflare provides instructions to configure it.

Conclusion

I do not trust Mozilla’s implementation of the DNS over HTTPS protocol anymore. I was once a strong advocate for it and thought it would improve the internet for the better. Because of their implementation change I can no longer recommend Mozilla’s implementation of DNS over HTTPS. I feel disappointed and heartbroken because of their decision. What I thought would be Mozilla fighting alongside the Tor Project to stop censorship turned out to be false. I can only hope that Mozilla will change their decision and do what’s best for the Firefox Community.

How to automate your own backups with rclone and crontab on any Unix/Linux based computer

I’ve been migrating away from Google’s cloud based software. I have concerns related to the security of my data, and I want access to my documents when the Google Cloud or my internet connection is having issues. I was able to download all of my data from Google Drive easily, although this creates a new problem. I’m now responsible again for my own backups. Without a backup solution you risk losing your important documents. This post discusses how I created backups with rclone and how you can do the same.

This tutorial is written with Unix/Linux based computers only in mind. You might be able to get this working on Windows if you do your own research and experiments. This tutorial is not intended for Windows users and I cannot help them once something goes wrong.

Where to store the backups

I performed considerable research as to where to store my backups and decided to choose Backblaze. They provide 10GB of storage for free and then charge just $0.005/GB/month of storage. With a provider chosen, I installed a free and open source program called rclone. rclone works like rsync except for cloud storage providers. I was able to get started with it in just 15 minutes.

Create a Backblaze account and bucket for use with backups with rclone

To create a Backblaze account visit their signup page. You will need to answer a few questions about yourself and provide an email address, phone number, and a credit card for billing purposes. Once your account is set up and verified, visit the my account area. You’ll need to click create a bucket and choose a name for it. Make sure that the privacy setting is set to “private” or anyone who guesses the bucket name will be able to list and download your documents without needing a valid app key with access to your account. Once your bucket is created visit the App Keys section and create a key with access to your bucket. Write down the key id and secret; you’ll need them later when setting up rclone.

Install and Configure rclone to use your bucket

Visit rclone’s installation page (or on Debian Linux type sudo apt install rclone in a terminal window to save some time) and follow the instructions. Once it’s installed open a terminal. In the terminal run rclone config. It will ask you several questions; I chose the name b2 and then followed the prompts. I would recommend that you DO NOT enable the HARD DELETE option and allow your bucket to keep all object versions. It’s a bit more expensive as you’ll store multiple copies of all documents but is useful in the event you delete a document by mistake and the change is synced in error.

Configure crontab for automated backups with rclone

In your terminal type crontab -e and then view the bottom of the crontab file. Type in the string @hourly rclone sync /home/name/Documents/ b2:name/ --verbose replacing the folder path with your documents folder path and the bucket name with your bucket name. Most likely the crontab file will open in nano. You can read how to use the text editor nano on the Gentoo Linux Wiki. If it opens a different text editor then Google is your friend. It will help you find the information you need to use that text editor. Afterward save and close the file and your automatic backups will be in effect. You might want to run your first backup manually. Do this to make sure everything gets synced properly without any issue. Check your backups on a regular basis and ensure that they work as expected. Don’t wait until a data loss incident to find out if your backups work.
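
The hourly sync above mirrors whatever is in the source folder, including an empty or unmounted one. The wrapper below is an added example, not part of the original tutorial: it refuses to sync a missing or empty folder, prevents overlapping runs, caps deletions with rclone's --max-delete, and verifies the result with rclone check. The script path in the crontab comment, the cap of 50 and the lock location are assumptions to adjust.

```sh
#!/bin/sh
# Added example: cron wrapper around the tutorial's hourly `rclone sync`.
# Hypothetical crontab entry (script path is an assumption):
#   @hourly /home/name/bin/backup.sh /home/name/Documents/ b2:name/
RCLONE="${RCLONE:-rclone}"                      # override to test with a stub
MAX_DELETE="${MAX_DELETE:-50}"                  # assumed cap; tune to your data
LOCKDIR="${LOCKDIR:-/tmp/rclone-backup.lock}"   # assumed lock location

# A missing or empty source (unmounted disk, typo in the path) must never
# be synced: sync would mirror the emptiness and delete the bucket's files.
source_ok() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Sync, then verify. Returns 0 ok, 2 bad source, 3 already running,
# 4 sync failed, 5 verification failed.
run_backup() {   # $1 = local folder, $2 = remote such as b2:name/
    source_ok "$1" || return 2
    # mkdir is atomic, so it doubles as a lock against overlapping runs.
    mkdir "$LOCKDIR" 2>/dev/null || return 3
    rc=0
    "$RCLONE" sync "$1" "$2" --verbose --max-delete "$MAX_DELETE" || rc=4
    if [ "$rc" -eq 0 ]; then
        # --one-way: every local file must exist, unchanged, on the remote.
        "$RCLONE" check "$1" "$2" --one-way || rc=5
    fi
    rmdir "$LOCKDIR"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    run_backup "$1" "$2"
fi
```

If a run is killed part-way, remove the leftover lock directory by hand before the next run; a non-zero exit status from cron is the cue to look at the backup.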

Conclusion

You can reduce costs by switching away from G Suite to your own backup solution. With a bit of work on the command line, you can roll your own backup solution with rclone in under an hour.