
Just to be clear, the authors are wrong? There will not be a September patch that overrides my network DNS settings?

"With the next Mozilla patch in September any DNS change you configure in your network won't have any effect anymore, at least for browsing with Firefox, because Mozilla has partnered up with Cloudflare and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States."




This is the relevant post from the Mozilla nightly blog: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-pr... It confirms that the default is off. It also gives a much more nuanced view of the level of partnership. CF is currently the partner for a study regarding that feature. That study still requires opt-in (and currently nightly). The patch in September will bring the feature to mainline FF, but it’s still default off and hidden behind “about:config”.


Do you seriously believe that Mozilla is issuing a patch in September that will somehow force you to use Cloudflare as a DNS provider? That 'any DNS change you configure in your network won't have any effect anymore'? Do you know many setups that would break?

Of course the article is wrong. Classic FUD.


Actually, yes, I do. From their blog:

> We believe that negotiating a privacy first operating agreement is something that Firefox can do for people that is just impractical to ask them to do for themselves. Imagine calling up your residential ISP and asking them to agree to an audit that demonstrates they do not log your IP address on their DNS server. And then repeating the process for your favorite coffee shop, library, friend’s house — anywhere you and your browser go to connect.

Firefox improves user privacy by default by finding good partners, establishing legal agreements that put privacy first, and eventually shipping a default configuration we believe is best.

They know about the power of default settings - and with the current default, they will be unable to roll-out this feature to a meaningful number of users. So at some point, the default will probably change to activate DoH.

Technically, this isn't "force" as you'll probably be able to turn it back off via about:config - if you know which options to change, what to change them to and if you are willing to click past the "if you proceed, you may damage your computer" warning.

Not every random guest that wants to access your local Nextcloud instance will be willing to do this.


And you expect that to happen within the next month? Without any warning that it will happen with the 62 release? After they have just started an experiment intended to shake down the feature on both the server and the client side? Even after having it default off in nightly? With no practical experience of how a large-scale DoH setup behaves in a real-world environment? Breaking all setups that use an internal DNS to resolve internal names (such as any larger-scale corporate setup)?

If you intend to say “sometime in the unspecified future Mozilla will probably default to this”, then I’d agree, but this is not what’s being discussed. At that point in the future, the whole environment this is operating in will look different. More DoH-capable providers, a better understanding of the benefits and drawbacks, a config UI, ...


Hmm, looks as if the September date was indeed an error - even the article added a correction. (Also a Mozilla representative seemed to post they plan to keep local DNS as fallback)

So I do hope you're right and they will take their time until the ecosystem stabilizes and they found less damaging strategies.

I still think there are general problems with DoH and the assumption that all local networks are hostile. But maybe, there will be more time to discuss those assumptions.

I don't see that they will necessarily add a config GUI though. Most people will likely ignore the feature and the techies already have about:config, so there might be little pressure to add a more accessible UI.


I don't see how they could enable it by default unless they query both local and DoH at the same time... or perhaps a hybrid model where they only use DoH by default on certain TLDs and/or domains.

Corporate users would be utterly broken unless their IT staff are managing the proxy settings in all their installed browsers, which is often not the case. This would lead to Security and IT staff blocking CF DNS until it was fixed.

I believe this is a good thing to watch for, but I can't imagine Mozilla not having thought this through.
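Added example, not part of the thread above and not Firefox's or Cloudflare's code: the two mechanisms the comments argue about, in runnable form. First, the DoH wire format (RFC 8484): the query is an ordinary DNS message, base64url-encoded without padding and sent as the `dns=` parameter of an HTTPS GET, and the answer is an ordinary DNS response message (the encoded query produced below for `www.example.com` is byte-for-byte the example given in RFC 8484 section 4.1.1). Second, the "hybrid" policy suggested in the last comment: names under an operator-supplied list of internal zones go to the local resolver and everything else goes to the DoH endpoint. The endpoint URL and the zone list are assumptions made for the example, and no network traffic is generated; the DoH response is a constructed byte string standing in for what a server would return.

```python
"""DoH (RFC 8484) request encoding, response parsing and a split-horizon
routing policy. Added example; endpoint and zone list are assumptions."""
import base64
import struct
from typing import List, Tuple

DOH_ENDPOINT = "https://doh.example.net/dns-query"  # assumed, not a real resolver
LOCAL_ONLY_SUFFIXES = ("corp.example", "home.arpa")  # assumed internal zones

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """DNS query in wire format. RFC 8484 recommends ID 0 so that identical
    queries produce identical URLs and can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form of a DoH request: base64url, padding stripped (RFC 8484 sec 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, b64)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def choose_resolver(name: str) -> str:
    """Hybrid policy: internal zones stay on the local resolver, the rest use DoH."""
    n = name.rstrip(".").lower()
    for suffix in LOCAL_ONLY_SUFFIXES:
        if n == suffix or n.endswith("." + suffix):
            return "local"
    return "doh"


def constructed_doh_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed stand-in for a DoH server reply: echoes the question and
    answers with one A record using a compression pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
    return header + query[12:] + rr + bytes(int(x) for x in ip.split("."))


if __name__ == "__main__":
    for host in ("www.example.com", "intranet.corp.example"):
        q = build_query(host)
        print(host, "->", choose_resolver(host), doh_get_url(q))
    print(parse_a_records(constructed_doh_response(build_query("www.example.com"), "93.184.216.34")))
```

Note that the suffix match is what keeps `corp.example.com` on DoH while `intranet.corp.example` stays local; a naive substring check would leak the internal name to the public resolver, which is exactly the failure mode the corporate-DNS comments above describe.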



