Re: Fedora 32 Firefox and DNS over HTTPS

2019-11-29 Thread Robert Moskowitz



On 11/28/19 8:36 PM, Jakub Jelen wrote:
> On Wed, 2019-11-27 at 15:17 -0800, Kevin Fenzi wrote:
> > On Wed, Nov 27, 2019 at 04:43:06PM -0500, Robert Moskowitz wrote:
> > > In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS
> > > (RFC 8484)?
> >
> > No. firefox in fedora will not default enable this.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1751410#c2
>
> Great to hear that Fedora is shielding us from these half-baked ideas
> (or contracts?).
>
> Last time it was unsolicited browser extension, now it is DoH to
> CloudFlare servers. What will be next? I recommend the following
> thread:
>
> https://twitter.com/paulvixie/status/1198013742493028353
>
> Many users are used to Firefox now. But was there some discussion about
> providing some more privacy-focused browser?


But then have you ever been in the privacy debates at the IETF?  I have
and lost a couple on very stubborn privacy proponents that just don't
want to see some tech come to reality because of some vague privacy risk
when there are so many worse things (e.g. IDEAS BOF from a few years back).


I am having one right now with Unmanned Aircraft RemoteID (see the 
TM-RID BOF from IETF106).  FAA 'owns' all navigable airspace, like maybe 
1" above your lawn and roof up to the top of the mesosphere. The craft 
has to be positively identifiable.  No matter what YOU want.  Now who 
the operator is is another matter.  Mrs. Bitty can't be allowed to 
harass the kids down the block for flying a UA in the park behind her 
home.  But an authorized safety official needs to know who to contact to 
get that UA out of an emergency situation.  A tough set of 
public/privacy issues.  Those of us working on this for some time 
understand this.  Grandstanding does not help.  Nor do things like DoH 
'help'.


And btw, this is pretty much the case for ALL Civil Aircraft 
Administrations (CAA) around the world.


___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org


Re: Fedora 32 Firefox and DNS over HTTPS

2019-11-28 Thread Tim via users
On Thu, 2019-11-28 at 13:36 +0100, Jakub Jelen wrote:
> Great to hear that Fedora is shielding us from these half-baked ideas

+1 

It does sound like a bad new idea to me.  For it to work effectively,
you'd have to change every bit of software (not just web browsers) to
do DNS look-ups in a different way.  And you'd have to trust the new
name resolvers to be better than the old system (and who's to say that
any new scheme won't have a plethora of faults, too).

We already have a DNS resolving system, just improve *it*.  We've had
authentication schemes for it for ages, but people are slack at using
it.  Some aren't thrilled about its effectiveness, either.  So, do a
better implementation.

I'm getting sick of wheel reinventing.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 5.0.16-100.fc28.x86_64 #1 SMP Tue May 14 18:22:28 UTC 2019 x86_64

Boilerplate:  All mail to my mailbox is automatically deleted.
There is no point trying to privately email me, I only get to see
the messages posted to the mailing list.

Just because nobody complains, it doesn't mean that all parachutes are perfect.



Re: Fedora 32 Firefox and DNS over HTTPS

2019-11-28 Thread Jakub Jelen
On Wed, 2019-11-27 at 15:17 -0800, Kevin Fenzi wrote:
> On Wed, Nov 27, 2019 at 04:43:06PM -0500, Robert Moskowitz wrote:
> > In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS
> > (RFC
> > 8484)?
> 
> No. firefox in fedora will not default enable this. 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1751410#c2

Great to hear that Fedora is shielding us from these half-baked ideas
(or contracts?).

Last time it was unsolicited browser extension, now it is DoH to
CloudFlare servers. What will be next? I recommend the following
thread:

https://twitter.com/paulvixie/status/1198013742493028353

Many users are used to Firefox now. But was there some discussion about
providing some more privacy-focused browser?

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.


Re: Fedora 32 Firefox and DNS over HTTPS

2019-11-27 Thread Kevin Fenzi
On Wed, Nov 27, 2019 at 04:43:06PM -0500, Robert Moskowitz wrote:
> In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC
> 8484)?

No. firefox in fedora will not default enable this. 

https://bugzilla.redhat.com/show_bug.cgi?id=1751410#c2

kevin




Re: Fedora 32 Firefox and DNS over HTTPS

2019-11-27 Thread Bill Shirley

https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Firefox allows users (via settings) and organizations (*via enterprise policies
and a canary domain lookup*) to disable DoH when it interferes with a preferred
policy.

If you run your own DNS server you can configure the canary hostname lookup to
fail to prevent Firefox from using DoH:
Put this in named.conf (I use views, so I put this in the 'internal' view):
    response-policy { zone "rpz"; };
    include "/etc/named/rpz.zones";

/etc/named/rpz.zones:
    zone "rpz" {
        type master;
        file "masters/rpz";
        notify no;
        allow-transfer { "localhost_net"; };
        masterfile-format text;
    };

/var/named/masters/rpz (I think I created the 'masters' directory, you may not
have it. If so, just remove the 'masters/' prefix on the file line (above) and
from this file's name):
$TTL 86400  ; 1 day
@    IN SOA ns1.example.com. bill.example.com. (
    2018051701 ; serial
    7200   ; refresh (2 hours)
    900    ; retry (15 minutes)
    86400  ; expire (1 day)
    120    ; minimum (2 minutes)
    )
    NS  ns1.example.com.
use-application-dns.net CNAME .

This will return an NXDOMAIN for the lookup of use-application-dns.net which will
stop DoH.

The rpz SOA is also a good place to translate external host names to internal
ones.
imap.example.com      CNAME   imap.lan.example.com.  ; owner is relative to the rpz zone (no trailing dot)
With this, an internal lookup won't fail even if the internet is down.

Bill

On 11/27/2019 4:43 PM, Robert Moskowitz wrote:
> In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC 8484)?
>
> BTW, I am currently on F30 and will skip to F32 when it ships.
>
> If you want a high-level discussion on DNS over TLS or over HTTPS see:
>
> https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over
>
> One thing this article misses is if your company DNS server has an internal
> view for internal resources, defaulting to some outside DNS server breaks
> this.  Or at least makes directing things the right way hard.
>
> So what is happening with Firefox in F32?
>
> Thanks
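
A check for the canary behaviour Bill's message describes, as an added example that is not part of any post in this thread: it encodes the DNS query for use-application-dns.net and tests whether a reply carries NXDOMAIN. The function names, the transaction id and the two sample replies are constructed for illustration; `query_resolver` expects the address of your own resolver.

```python
import socket
import struct

CANARY = "use-application-dns.net"   # canary name from the post
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive DNS query (RFC 1035) for name, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(packet, txid=0x1234):
    """Return (rcode_name, answer_count) read from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:      # wrong id or QR bit not set
        raise ValueError("not a response to our query")
    code = flags & 0x000F
    return RCODES.get(code, str(code)), ancount

def canary_blocks_doh(packet, txid=0x1234):
    """True when the reply is NXDOMAIN, the result the post's RPZ rule produces."""
    rcode, _ = parse_response(packet, txid)
    return rcode == "NXDOMAIN"

def query_resolver(server, name=CANARY, timeout=3.0):
    """Send the query over UDP to server (an address you supply); return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(512)[0]

# Constructed sample replies (not captured traffic): same question, different headers.
_question = build_query(CANARY)[12:]
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _question
SAMPLE_NOERROR = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _question
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + bytes([192, 0, 2, 1]))   # one A record, documentation address

if __name__ == "__main__":
    print("NXDOMAIN sample blocks DoH:", canary_blocks_doh(SAMPLE_NXDOMAIN))
    print("NOERROR sample blocks DoH:", canary_blocks_doh(SAMPLE_NOERROR))
```

To test a live resolver, pass the bytes returned by `query_resolver("<your resolver address>")` to `canary_blocks_doh`.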


Re: Fedora 32 Firefox and DNS over HTTPS

2019-11-27 Thread Ed Greshko
On 2019-11-28 05:43, Robert Moskowitz wrote:
> In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC 8484)?
>
> BTW, I am currently on F30 and will skip to F32 when it ships.
>
> If you want a high-level discussion on DNS over TLS or over HTTPS see:
>
> https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over
>
> One thing this article misses is if your company DNS server has an internal
> view for internal resources, defaulting to some outside DNS server breaks
> this.  Or at least makes directing things the right way hard.
>
> So what is happening with Firefox in F32?

If you want to know what is happening in F32 you should ask on the "test" list
where these things are more likely to be discussed by people in the know.



-- 
The key to getting good answers is to ask good questions.


Fedora 32 Firefox and DNS over HTTPS

2019-11-27 Thread Robert Moskowitz
In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC 
8484)?


BTW, I am currently on F30 and will skip to F32 when it ships.

If you want a high-level discussion on DNS over TLS or over HTTPS see:

https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over

One thing this article misses is if your company DNS server has an
internal view for internal resources, defaulting to some outside DNS
server breaks this.  Or at least makes directing things the right way
hard.


So what is happening with Firefox in F32?

Thanks