Hacker News new | past | comments | ask | show | jobs | submit login

Why do you think that? My home router will happily resolve sites that only exist on my home server.



Your home router will. However, as the article made clear, you won't be able to open that site in Firefox.

Even if you were, you won't be able to get a public TLS certificate for that site, making you unable to serve the site as HTTPS and locking you out of many current and all(!) futue JS and CSS features.

Yes, you can solve both problems by installing overrides. However, this has to be done separately for every client that you want to use and (potentially) for every app that you want to connect to.

If you want to make an intranet-only web page that "just works" with off-the-shelf clients, you'll have to stick to public domain names.


That's my point. My parent said that private DNS names have been dead for a while, and I said they aren't.


Updated my parent comment to more precisely say what I meant.


Which is clearly bonkers. Why would Firefox deliberately break people who run Nextcloud on a Raspi at home? There must be something missing here.


https://wiki.mozilla.org/Trusted_Recursive_Resolver

>Set `network.trr.mode` to 2 to make DNS Over HTTPS the browser's first choice but use regular DNS as a fallback

So regular DNS entries will still resolve after the lookup over DoH failed.


But which user will be able to figure that out?


Maybe all the users that turn TRR on in the first place? It’s default off and you need to enable it in the expert configuration menu. I don’t expect it to be enabled by default without a reasonable config UI.


The article states that DoH will become on-by-default in september.

In general, I find it highly unlikely that it will stay off-by-default forever, because there is no way to have any meaningful adoption of it as an expert-only feature.


The article is wrong.

Nothing in Mozilla’s communication even hints at DoH becoming default on any time in the nearer future. I’m certain Mozilla would like encrypted DNS by default, but not at all cost. It will probably land as a generally available feature in September, but still default to off and still be behind about:config. There are many expert features hidden in about:config that might never become default or only after a substantial shakedown period. Third party isolation, for example. So it would not entirely surprise me if DoH would remain an expert feature for a long time. And I’m certain it won’t become default on without a very clear config UI. Messing with name resolution has massive impact on a lot of setups.


My home router will. My browser will also open the site. My browser might not necessarily be Firefox, though.

For internal sites, you don't need public TLS cert. If your device is joined to a domain, you already have a private CA cert installed, so whoever controls that domain, can make certs for its resources. If you do that at home, it is no problem to make your own CA and use it for your home resources. It is just few commands with openssl, which you have already installed anyway.

> If you want to make an intranet-only web page that "just works" with off-the-shelf clients, you'll have to stick to public domain names.

That's not true at all, see the previous paragraph.


> For internal sites, you don't need public TLS cert. If your device is joined to a domain, you already have a private CA cert installed

Thanks for that info, I wasn't aware of that. However, to my knowledge, Firefox doesn't use the OS trust store but its own. So for clients using Firefox, you'd still have to install the cert, wouldn't you?


For the ESR release, you can use Group policy (Windows only) or policies.json (all systems) to make it accept the system cert store.

For all releases, you can make the process of joining the domain to also include installing the cert into Firefox's store. For example, the Redhat's ipa-client-install does install the certificate into the Firefox store by default.


Does Firefox enforce HTTPS for IPs in the same subnet?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: