
Re: [tor-talk] Mozilla's DNS over HTTPS does not complement Tor



Several places, but the main user/admin facing doc is probably this one -
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

> Networks can signal to Firefox that there are special features such as
> these in place that would be disabled if DoH were used for domain name
> resolution. Checking for this signaling will be implemented in Firefox when
> DoH is enabled by default for users. This will first happen for users in
> the United States in the Fall of 2019. If a user has chosen to manually
> enable DoH, the signal from the network will be ignored and the user’s
> preference will be honored.





On Mon, Mar 9, 2020 at 10:21 AM Nathaniel Suchy <
nathanielsuchy@xxxxxxxxxxxxxx> wrote:

> Where is this documented?
>
> Cordially,
> Nathaniel Suchy (they/them)
>
> Sent from ProtonMail Mobile
>
> On Sun, Mar 8, 2020 at 5:21 PM, Ben Tasker <ben@xxxxxxxxxxxxxxx> wrote:
>
> > The canary domain will only disable DoH if you've been defaulted into using
> > DoH.
> >
> > If you've actively turned it on, or set network.trr.mode to 3 then the
> > canary will not disable it.
> >
> > On Fri, Mar 6, 2020 at 2:58 PM Nathaniel Suchy <
> > nathanielsuchy@xxxxxxxxxxxxxx> wrote:
> >
> >> Even if that option is enabled it is my understanding that a network
> >> administrator can still override your decision during a man in the middle
> >> attack. Well, you can imagine how this is problematic. I run a local DNS
> >> resolver over Tor for my non-Tor traffic as I don’t trust Mozilla’s
> >> implementation.
> >>
> >> Cordially,
> >> Nathaniel Suchy (they/them)
> >>
> >> Sent from ProtonMail Mobile
> >>
> >> On Fri, Mar 6, 2020 at 2:07 AM, <hansvader@xxxxxxxxxx> wrote:
> >>
> >> > You can use network.trr.mode to enforce the use of DoT. IIRC 3 is to
> >> > enforce it and not using other DNS. When using network.trr.mode Firefox
> >> > should not do any other DNS than DoH. This should address your concerns.
> >> >
> >> > The best way is to use DoT and to have it directly implemented into your
> >> > router or locally on your machine. I don't think the Mozilla approach is
> >> > useless. It's a better than nothing approach. Last, but not least you
> >> > can use different DoH servers in FF. You are not tied to the default.
> >> > Though the average Joe may not have the ability to use a custom DoH
> >> > server in their Firefox.
> >> >
> >> > BTW, what router manufacturer already has DoT implemented?
> >> >
> >> > --
> >> > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> >> > To unsubscribe or change other settings go to
> >> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >>
> >
> > --
> > Ben Tasker
> > https://www.bentasker.co.uk
>


-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
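
The rule discussed in this thread (a network's canary signal only switches DoH off for users who were defaulted into it) can be checked against a Firefox profile's prefs.js. The following is an added example, not part of the original messages and not Mozilla's code; the function names and sample prefs are constructed for illustration, and the meanings of modes 0, 2 and 5 are taken from Firefox's documented TRR modes rather than from this thread.

```python
import re

# Matches active lines such as: user_pref("network.trr.mode", 3);
# Lines commented out with // do not match because of the ^\s* anchor.
PREF_RE = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*(-?\d+)\s*\);', re.M)


def trr_mode(prefs_text):
    """Return the user-set network.trr.mode, or None if the pref is not set."""
    found = PREF_RE.findall(prefs_text)
    # Assumption: when the pref appears more than once, the last line wins.
    return int(found[-1]) if found else None


def assess(prefs_text, canary_signalled):
    """Describe DoH state given the profile prefs and the network's canary signal.

    canary_signalled: True when the local resolver answers the canary
    domain lookup in the way that asks Firefox to turn default DoH off.
    """
    mode = trr_mode(prefs_text)
    if mode in (2, 3):
        # User enabled DoH manually (3 = DoH only): the signal is ignored.
        return "doh-on: user choice, canary ignored"
    if mode == 5:
        # DoH explicitly switched off by the user.
        return "doh-off: user choice"
    if mode in (None, 0):
        # No explicit choice: default behaviour, so the signal is honoured.
        if canary_signalled:
            return "doh-off: canary honoured"
        return "doh-default: follows Firefox rollout"
    return "unknown mode %d" % mode


# Constructed sample profiles (not taken from any real system).
ENFORCED = (
    'user_pref("browser.startup.page", 3);\n'
    '// user_pref("network.trr.mode", 5);\n'
    'user_pref("network.trr.mode", 3);\n'
)
DEFAULTED = 'user_pref("browser.startup.page", 3);\n'

if __name__ == "__main__":
    for name, prefs in (("enforced", ENFORCED), ("defaulted", DEFAULTED)):
        for signal in (False, True):
            print(name, "canary=%s" % signal, "->", assess(prefs, signal))
```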