[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
From: Ben Tasker <ben@xxxxxxxxxxxxxxx>
Date: Fri, 6 Mar 2020 15:10:55 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 08 Mar 2020 17:21:27 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bentasker.co.uk; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=1fKMKIdw1D6LAWyjMuSelqP4mDwbOMvk+BI1evlAhWk=; b=EV1Rvlc4z936SwTnuECn+FVYdjJI2XW/KHuVcGa7tn+dGGm+NlT8WwklvnM0FQRUsd oRTstXe2WPu32K8HvuaKR5mRDGpl6XkTEJ6CnBPevySBSydkyq3ACPVZQaBQpj8ql1Qb SLK/2w+xJFOHHtkwJhG/cDBRVskrKsA7OZb40=
In-reply-to: <GYyiRJvUjE_OiRa_y3LnXODOp-yqt0SQhqkUEI7-n6WLQrDv17u_l4gZyio7FaVOgntM9KZYwOW6Acc-Ge6vJZRC7RNTU2k3ZYwNDyqAQ0U=@protonmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <DLn0ieyeNB8Z4LC0rvqJH47hRLIrTZ3vmiPgH94GFAlws0iPA2F2JvD7LTN4PP4_tmbSQEG7LC8JRJ4dn0kXu3Iih72Jkw3RnTO4wjHMVVU=@protonmail.com> <3bbe3c94e9a7d189336a1fa952f03e06@airmail.cc> <GYyiRJvUjE_OiRa_y3LnXODOp-yqt0SQhqkUEI7-n6WLQrDv17u_l4gZyio7FaVOgntM9KZYwOW6Acc-Ge6vJZRC7RNTU2k3ZYwNDyqAQ0U=@protonmail.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

The canary domain will only disable DoH if you've been defaulted into using
DoH.

If you've actively turned it on, or set network.trr.mode to 3 then the
canary will not disable it.



On Fri, Mar 6, 2020 at 2:58 PM Nathaniel Suchy <
nathanielsuchy@xxxxxxxxxxxxxx> wrote:

> Even if that option is enabled it is my understanding that a network
> administrator can still override your decision during a man in the middle
> attack well you can imagine how this is problematic. I run a local DNS
> resolver over Tor for my non-Tor traffic as I don’t trust Mozilla’s
> implementation.
>
> Cordially,
> Nathaniel Suchy (they/them)
>
> Sent from ProtonMail Mobile
>
> On Fri, Mar 6, 2020 at 2:07 AM, <hansvader@xxxxxxxxxx> wrote:
>
> > You can use network.trr.mode to enforce the use of DoT. IIRC 3 is to
> > enforce it and not using other DNS. When using network.trr.mode Firefox
> > should not do any other DNS than DoH. This should adress your concerns.
> >
> > The best way is to use DoT and to have it directly implemented into your
> > router or locally on your machine. I don´t think the Mozilla approach is
> > useless. It´s a better than nothing approach. Last, but not least you
> > can use different DoH servers in FF. You are not tied to the default.
> > Though the average Joe may not have the ability to use a custom DoH
> > server in their Firefox.
> >
> > BTW, what router manufacturer already has DoT implemented?
> >
> > --
> > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>


-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
  - From: Nathaniel Suchy

References:
- [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
  - From: Nathaniel Suchy
- Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
  - From: hansvader
- Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
  - From: Nathaniel Suchy

Next by Author: Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
Previous by thread: Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
Next by thread: Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor
Index(es):
- Author
- Thread