On 9/9/19 7:58 PM, Andy Bradford wrote:
> Thus said Michael Torrie on Mon, 09 Sep 2019 15:04:09 -0600:
>
>> Ostensibly this is to protect users from bad actors who might alter
>> the DNS responses and redirect unsuspecting users to bogus sites for
>> nefarious purposes.
>
> And yet, it will funnel all DNS queries through centralized
> locations---it's much more difficult to hijack DNS in its current
> distributed form, but funnel it all through DoH and what have you got?

Agreed.

> In the article, it mentions this:
>
>     If a user has chosen to manually enable DoH, the signal from the
>     network will be ignored and the user's preference will be
>     honored.
>
> So, how does a *user* express his preference that this feature not be
> enabled? The article suggests DNS tricks, but typical users won't be
> doing that.

Individual users can turn it off or on in preferences, or they can go
into about:config and change "network.trr.mode" to "5." Why Mozilla
didn't make this opt-in I don't know.

This DNS thing is intended for organizations. But like you say, it's
getting hard to keep track of all these canary domains to disable
rubbish like this. Certainly if it's in the interests of ISPs to control
your DNS they could also implement the canary domain thing. So I'm just
not sure the point.