Fenix: DNS over HTTPS

Created on 7 Aug 2019  路  22Comments  路  Source: mozilla-mobile/fenix

Why/User Benefit/User Problem

As a user i want to Protect myself while browsing the web From Man-in-the-middle attack and make sure Attackers cannot trick users into visiting a fake website by manipulating DNS responses for domains that are outside their control.

What/Requirements:

Secure DNS:
To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).
DNSSEC:
DNSSEC allows a user, application, or recursive resolver to trust that the answer to their DNS query is what the domain owner intends it to be.
TLS 1.3 : is Supported In Firefox Fenix 馃憤
Encrypted SNI:
Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser鈥檚 requested hostname from anyone listening on the Internet.

Acceptance Criteria (how do I know when I鈥檓 done?)

Dns-over-Https option in the settings or in about:config like Fennec browser.
You can test your browser here:
https://www.cloudflare.com/ssl/encrypted-sni/

Privacy&Security feature request 馃専 馃檯 waiting
Source
picture jawadalkassim
👍174 👀1

Most helpful comment

@finn0 yes this is something we will be looking into later this year!

picture vesta0 on 6 Jan 2020
👍6

All 22 comments

Why not use DoT instead? It is less complex and has less overhead.

genodeftest picture genodeftest on 8 Nov 2019
👍1

In Firefox Android, we do have support for DoH, but there is no UI to easily configure DoH settings like Firefox Quantum, we've to configure it from about:config settings which make things harder for novice FF users; although from Android 9 pie, we've support for DoT, but using DoH has its own pros like our DNS traffic is hidden inside HTTPS traffic.

@vesta0, Do we've plans for implementing an UI for DoH configuration?

finn0 picture finn0 on 20 Dec 2019

@finn0 yes this is something we will be looking into later this year!

vesta0 picture vesta0 on 6 Jan 2020
👍6

ESNI works well in latest Firefox Beta 75.0.0-beta.6

hansoli68 picture hansoli68 on 5 May 2020

I would like the opposite (ability to turn off the DoT or DoH) as I pihole everything via VPN and my own VPS and I definitely do not trust cloudflare or whoever with my DNS data.

SergeiFranco picture SergeiFranco on 30 Jul 2020

As of 79.0.0 (Build #2015753875) even the ability to turn on this feature without GUI is no longer available since about:config is no longer accessible and essentially completely locked out of using this feature, which is very unfortunate :-(

hsaito picture hsaito on 30 Jul 2020
👍4

Launching on Chrome in 85 https://blog.chromium.org/2020/09/a-safer-and-more-private-browsing.html

yoasif picture yoasif on 2 Sep 2020
👀1

Hi all,

The settings are available in about:config, so is this just a UI thing or is there more to it? I have enabled it in about:config and according to about:networking#dns it's working.

Cheers 馃檪

madb1lly picture madb1lly on 3 Sep 2020

hsaito is correct; this functionality is not available in v80 as about:config is no longer available.

madb1lly: As I understand it, this bug is abiut the UI.
https://github.com/mozilla-mobile/fenix/issues/14261 is _not_ a duplicate; it is a _regression_ - please reopen it.

andrew-aitchison picture andrew-aitchison on 6 Sep 2020
👍1

I'm bit surprised why they've decided to disable about:config, it's a very powerful feature that makes Firefox very flexible. Some of the other tuning including enterprise trust, etc., are currently only accessible through about:config. If that's not feasible to bring back about:config for any reason., I would at least want to see prefs.js somewhere that users can edit.

hsaito picture hsaito on 7 Sep 2020
👍3

I'm bit surprised why they've decided to disable about:config, it's a very powerful feature that makes Firefox very flexible. Some of the other tuning including enterprise trust, etc., are currently only accessible through about:config. If that's not feasible to bring back about:config for any reason., I would at least want to see prefs.js somewhere that users can edit.

Yeah, I'm also couldn't understand why they dicide to disable about:config, what an awful decision!

0x391F picture 0x391F on 9 Sep 2020
👎1 👍1

I'm bit surprised why they've decided to disable about:config, it's a very powerful feature that makes Firefox very flexible. Some of the other tuning including enterprise trust, etc., are currently only accessible through about:config. If that's not feasible to bring back about:config for any reason., I would at least want to see prefs.js somewhere that users can edit.

Yeah, I'm also couldn't understand why they dicide to disable about:config, what an awful decision!

You can still use about:config on the Nightly channel.

valenting picture valenting on 9 Sep 2020
👎2

You can still use about:config on the Nightly channel.

Or beta, if you prefer less possible breakage. :smile:

yoasif picture yoasif on 9 Sep 2020
😄2

You can still use about:config on the Nightly channel.

Or beta, if you prefer less possible breakage. 馃槃

Hmm... How about stable release? Will about:config still exist?

0x391F picture 0x391F on 10 Sep 2020

see also https://bugzilla.mozilla.org/show_bug.cgi?id=1664878

cadeyrn picture cadeyrn on 14 Sep 2020
👍2

cool

minutesinch picture minutesinch on 18 Oct 2020

If you roll this out, please make it an optional Opt-In and not an Opt-Out feature!
I'm more concerned about privacy with using DoH with Cloudflare or Google as with using my provider's regular DNS (Germany has more strict rules about privacy as Cloudflare or Google could offer)

lordgurke picture lordgurke on 9 Nov 2020

@lordgurke Mozilla made it opt-out for US and opt-in for everybody else. US ISPs are really bad with privacy. It's looking into adding more DoH providers. Currently nextdns is an option on desktop. https://wiki.mozilla.org/Security/DOH-resolver-policy

andreicristianpetcu picture andreicristianpetcu on 9 Nov 2020
👍2

There must be a UI option to configure secure dns or dns resolver like other chromium browser..
Esni feature is removed from about:config in latest nightly....not sure why馃槨馃槖

sheikh-azharuddin picture sheikh-azharuddin on 15 Dec 2020
👎1 👍1

ESNI has been deprecated in favour of ECH: https://blog.cloudflare.com/encrypted-client-hello/

valenting picture valenting on 15 Dec 2020
👍1

ESNI has been deprecated in favour of ECH: https://blog.cloudflare.com/encrypted-client-hello/

Thanks for the info... As per article the feature is still in testing and not ready to be deployed.. It also says esni will be supported by cloudflare till ech is ready.. So can you please enable the feature again till ech is fully ready?

Screenshot_20201215-135831561~2

sheikh-azharuddin picture sheikh-azharuddin on 15 Dec 2020
👎1

This issue is not the proper place for these discussions.
https://bugzilla.mozilla.org/show_bug.cgi?id=1667743

valenting picture valenting on 15 Dec 2020
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

thelazyoxymoron picture thelazyoxymoron  路  3Comments
softvision-miralobontiu picture softvision-miralobontiu  路  3Comments
topotropic picture topotropic  路  3Comments
abodea picture abodea  路  3Comments
csadilek picture csadilek  路  3Comments