In CloudFlare We Trust

So recently on the Fediverse this post has gotten quite a lot of attention.

Firefox admits they will eventually be sending all of your DNS to Cloudflare. Cloudflare will monetize your internet browsing, no matter how much their PR people say they are. If you want to disable that, go to “about:config”, and set “network.trr.mode” to 5. The values are: 0 – default off, 1 – race, 2 – TRR first, 3 – TRR only, 4 – shadow, 5 – off by choice – @phessler@bsd.network

Reactions in the thread are quite varied, with some people outright denying that this is even a problem. I want to start from the beginning to unpack what exactly is going on here along with Mozilla's intentions, the technology involved, and the implications for Firefox users (and probably also users of other browsers eventually).

DoH – a.k.a “DNS over HTTPS”

DNS over HTTPS is a technology that has been around for a while now and is starting to be formalized and implemented. The general idea, as you might guess from the name, is simply to encrypt your DNS requests in the same way that HTTPS encrypts HTTP traffic, protecting users from MITM attacks. There have been several competing technologies aimed at the problem of having to trust your local network when it comes to resolving domain names, and this is probably the most mainstream one. There are almost half a dozen alternatives to DoH which attempt to solve this problem while also decentralizing domain name ownership, a few of which I will list later. What you need to know about DoH in a nutshell is that trust is transferred from your local network to the remote server which decrypts and replies to your requests, instead of either asking your router to resolve the IP (which will then ask some DNS server) or manually configuring your machine to connect to a particular DNS server. Both of these methods are usually unencrypted, and the first relies on trusting the LAN.

The Mozilla Solution

Mozilla has now fully implemented a feature which, at some point in the future, will by default use DoH to connect to one of a set of pre-configured “Trusted Recursive Resolver”s (TRRs). That's where “network.trr.mode” comes from. The TRRs are a set of servers, or groups of servers, that “will be required to conform to a specific set of policies intended to protect user privacy” (source). By centralizing trust in these TRRs, the idea is that they can be strictly held to this “specific set of policies” (there hasn't been a write-up of the policies yet), and thus everybody else will be better off whenever they connect to sketchy WiFi hotspots. DNS requests being intercepted and modified is a well-known issue, so it makes sense that Mozilla would want some kind of response to it.

I Thought This Was About CloudFlare Though?

Yes. Not directly, but in implementation. CloudFlare has, since the beginning of Firefox's testing of DoH using TRRs, been the standard TRR setting the example (they even already have a policy here, even if it is not specifically for DoH). If you have a stock(ish) Firefox install right now, network.trr.uri is likely already set to https://mozilla.cloudflare-dns.com/dns-query (though who knows by the time you are reading this). So, all the idealist talk about securing web access for users aside, in practice right now if network.trr.mode is set to anything other than 5 or (at least while I am posting this) 0, your DNS requests may be sent to CloudFlare to be decrypted and resolved on their end. Mozilla plans to have the default value, 0, enable this feature at some point in the future, so by the time you are reading this that might already be the case. That's essentially what this fuss is all about.
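To make the mode table and the CloudFlare URI above concrete, here is an added audit script (my own example, not Mozilla's or the quoted post's code) that parses a Firefox prefs.js/user.js excerpt, reports what network.trr.mode and network.trr.uri mean for that profile, and produces the opt-out line. The sample prefs are constructed, and the parser assumes the usual user_pref("name", value); line format.

```python
import re

# Meaning of each network.trr.mode value, as listed in the quoted post.
TRR_MODES = {0: "default off", 1: "race", 2: "TRR first",
             3: "TRR only", 4: "shadow", 5: "off by choice"}
# The stock TRR endpoint named in the post.
DEFAULT_TRR_URI = "https://mozilla.cloudflare-dns.com/dns-query"
# Matches pref lines such as: user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a prefs.js excerpt (not from a real profile).
SAMPLE_PREFS = '''\
user_pref("app.update.auto", true);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''

def parse_prefs(text):
    """Parse prefs.js/user.js text into a dict of pref name -> value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean pref
        else:
            prefs[name] = int(raw)           # integer pref
    return prefs

def audit_trr(prefs):
    """Report whether this profile can send DNS queries to the configured TRR."""
    mode = prefs.get("network.trr.mode", 0)  # unset pref = Firefox default (0)
    uri = prefs.get("network.trr.uri", DEFAULT_TRR_URI)
    return {
        "mode_label": TRR_MODES.get(mode, "unknown"),
        "uri": uri,
        # 0 is off today but may become on-by-default, so only 5 is "pinned off".
        "doh_possible": mode not in (0, 5),
        "pinned_off": mode == 5,
        "cloudflare": "cloudflare" in uri.lower(),
    }

def opt_out_line():
    """The user.js line that pins DoH off, as the quoted post recommends."""
    return 'user_pref("network.trr.mode", 5);'
```

Run audit_trr(parse_prefs(open(path).read())) against a profile's prefs.js to see whether it is merely "off for now" or pinned off with mode 5.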

There are two ways of looking at this. You could trust CloudFlare to respect the spirit of their policy, not act maliciously given any loopholes in that policy, and keep the temporary logs of your requests safe from other organizations, just like you do with ordinary DNS servers (or, more likely, don't). Alternatively, you could say “I Don't Trust CloudFlare” and invest your trust elsewhere, or even just admit that the status quo is probably better than sending all or even some portion of your requests to CloudFlare. It is really up to you either way, but I think I've already made it clear where I stand.

Can I Just Not Have This?

Yes, and the advice from the original post will disable this, but I have a further suggestion...

Just use a fork of Firefox that disables or removes things like this by default, so you're covered in the future. Below is a little list of ones I'd personally recommend in order of how much you could trust them:

  1. GNU Icecat – The Free Software Foundation's fork which also removes anti-features like DRM, but which may be too “extreme” for some users (except on Android). On Linux and Android.
  2. PaleMoon – An earlier fork of Firefox with its own rendering engine, which is actively maintained. Available on Linux and Winblows.
  3. Fennec F-Droid – Android version of the latest Firefox which is mostly if not entirely deblobbed and has sane profile defaults.

Keeping track of actively maintained forks that are relatively trustworthy is hard these days; there used to be more. If you have an active Firefox fork you recommend which fits the bill, I'd be glad to add it to this list.

Wait... So What Could I Be Doing Instead? There's still an issue here!

Yes, and there are different approaches, which you may even want to use in tandem, to address this if you really care. Two categories come to mind:

Trusted DNS Providers and DNSSEC

In the words of the Wikipedia entry for DNSSEC: “[DNSSEC provides]... origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.”

In other words, your requests can be snooped on or blocked, but not tampered with (forged), which was the main problem DoH aimed to fix in addition to snooping. Though you could definitely argue that the current DoH implementation only centralizes the snooping. If you take this approach you still have to find a trustworthy DNS provider which supports DNSSEC, but at least it won't be CloudFlare. Configuring your system's DNS varies by what you are running, or you can set only your browser to use a certain DNS server if you prefer. One thing to note is that on some networks, messing with your DNS could break interoperability with “quirky” (being generous here) systems which rely on trusting their DNS, or on tampering with your connection, to authenticate you through a captive portal instead of using a standard form of network authentication. People have strong opinions about which servers to use, so I will avoid making any recommendations here, for now at least, but you can search for servers which don't keep logs and respect your values.

Alternative Domain Name Resolution Methods (for privacy nuts and tech hipsters :P)

If you just want to browse the web with absolute confidentiality, without fear of being blocked, and without your connection being tampered with, there isn't really any alternative to using the Tor Browser or plugging a tor daemon into your Firefox (only experienced users who know what they are doing should do this).

If you want to say “FUCK ICANN” and give up on the modern web entirely, there are Tor hidden sites accessible via the Tor Browser, IPFS, Beaker Browser (dat://), and even blockchain-based projects like namecoin (wow, blockchain not being used for something cancerous!). However, I doubt your grandma could use any of these right now and find them useful.

Hopefully, sometime not too long from now, there will be TRRs for DoH which we can actually trust, as well as an accessible way of running our own, as is the case with DNS servers at the moment. But for now at least, I'd avoid it.

If you clicked on this post because you don't like CloudFlare, you might be interested in my longer, more in-depth post on CloudFlare in general, available here.