Testing Firefox DoH Without Cloudflare, pfblockerNG, DNS Filtering, and Site Blocking Discussion

Video Statistics and Information

Captions
What's next in making DNS over HTTPS the default? This is apparently more controversial than I thought, and I think some people are overthinking it. There are some concerns, of course, and I found a couple, well, at least one weird bug that I just wasn't aware of, so let's dive in. Firefox has changed to making DNS over HTTPS the default, and this has got a lot of people up in arms. Now, one of the problems right away is going to be encrypted DNS. You're probably saying, isn't that a good thing, because things are encrypted? But we'll swing all the way over here and point to this discussion going on over here on Reddit on pfBlockerNG. I've talked about pfBlockerNG before, integrating with pfSense and blocking ad sites with it, or potentially blocking ads with it, and this breaks that. So there could be a checkmark on the side of a problem with it, but if you're someone who's savvy enough to be setting up a Pi-hole or pfBlockerNG on a pfSense firewall, you're probably someone who knows how to change the default settings as well.

Now, where's the other concern with this? Well, the ISPs are less than thrilled: "UK ISP group names Mozilla 'Internet Villain' for supporting DNS over HTTPS." Well, yes, the ISPs are upset because they're used to being able to see the default unencrypted DNS that you send across. So as you're sending data across, yes, they can see it, yes, they're able to then perhaps even monetize it, redirect it, or in the UK they've had a series of bills that want to block certain websites that the government deems of a nature of something you shouldn't watch, therefore easily blocking DNS because they can see the traffic, and most people don't bother changing to anything other than whatever the default DNS was. So there's back-and-forth concerns over this.

And of course, if you're running a local business network, now you've made filtering that much harder, because normal DNS goes out over port 53, unencrypted, uninhibited, and it's easy enough to put a firewall rule that says no, don't go out port 53, or redirect that port and redirect that information right to the local firewall, and therefore change it to whatever whoever's managing the network wants it to be. The downside of that, again though, comes back to security: if you're somewhere where your DNS can be intercepted, you're also somewhere where DNS can be hijacked, because it's easily manipulated, it's all in clear text. So there's all the back-and-forth with DNS over HTTPS. Putting it all over port 443 also makes it harder to block, because any website that's encrypted is also using port 443. Well, potentially they can use other ones, I'm aware, but generally speaking most websites that are encrypted use 443, and if you just try to block that, you end up breaking more of the Internet. So back to this discussion over here: there's a list of servers right here that you can block, that are the known lists, and here comes the whack-a-mole, cat-and-mouse game of trying to block access to any servers that support DNS over HTTPS, so you can start eliminating them, so you can start filtering your users back to not being able to do it, and the cat-and-mouse game begins. And that discussion, I'll leave links to this, you can read through the discussion on here.

Now I did find, because this is where people are getting angry, like right here: the OpenBSD community has disabled DoH by default in Firefox packaging. "This is active in -current and will be in our 6.6 release. Disable DoH. While encrypting DNS might be a good thing, sending all DNS traffic to Cloudflare by default is not a good idea." And this is the next part where people have found a way to be angry. So normally, if the ISPs are angry, it's good for the people; good rule of thumb on most things. But now people are upset because they chose Cloudflare as a default for DoH. So this is the DNS over HTTPS partnership: what resolver will it be using? Cloudflare. They have policy requirements that Cloudflare may not monetize this newfound flow of data that is coming at them, and then people are, you know, angry at Cloudflare for whatever reason, and therefore they don't want Cloudflare having their DNS. The people who care, I don't think, are the people who don't know how to change the preferences and change your DoH.

So I figured, let's go over here, open up the Preferences settings, and talk about it a little bit. First, right now it was not enabled on my Firefox; apparently I'm not part of the beta test coming out here of people getting updates. It did update, but it still isn't enabled by default on either of the computers I set up. So you can check the box to enable it, and if you do check the box, yes, Cloudflare is there, and at some point a new install will automatically have Cloudflare as the default. In my opinion, right now it is better to have encrypted DNS when you're people who are leaving things at default; I would rather have them have some type of encrypted DNS than none, so I think that is a step up. But yes, there is concern that they've chosen Cloudflare as the single provider, and that can be terrible. But for those of us who care about DNS and think further about it, the custom option was really easy to do: you click Custom and paste in whatever the site is. And I chose BlahDNS because it was in a list that someone had, on this list here, and I just liked, BlahDNS seemed good. I didn't even check out the other ones, and they have a cool little thing: it's a small hobby that ad-blocks and DNS-protects, with DoH, DoT, DNSCrypt support. Pretty cool. And I also like the fact that when you're using it, it says you're using BlahDNS. We can go to their site, and I bring that up because something I found interesting, that maybe I just didn't read through the documentation thoroughly enough: when you do enable it, until you restart Firefox, stop it and start it again, it actually doesn't work. So if I were to remove this, I can even remove it right now real quick and refresh the page, it still thinks I'm using it. So yeah, until you actually go in and restart Firefox, it doesn't change that setting there, so it'll still think I'm using it, because it didn't change; it'll only change on restart. I'm not gonna bother restarting it, I have a few more pages that I'll go through here.

Now a little bit of housekeeping before we jump into the next part of the test: if you can click down below, click the like, and check out some of the affiliates we have, that would be great. They're all linked down below, and we have an entire page of affiliates over at lawrencesystems.com in case you see something you like. It helps out the channel and gets you a discount on a few different things on there. I just like to bring it up once, because it does help us out a lot here and helps fund all the content we create with some of those affiliate links. It's much appreciated.

All right, back to what we're talking about here, the DNS over HTTPS. And on this particular site, because they have ad blocking, they have a tool here, "check domain status", and we're going to go ahead and do that, and actually paste it back in. So let's check this particular status: gemini.yahoo.com is the ad server for Yahoo, so we'll check it. Check gemini.yahoo.com: failed. So all right, this lookup failed, but if we go to, like, yahoo.com, yahoo.com is not blocked, but gemini.yahoo.com lookup failed or blocked. Perfectly fine, because you would expect that; most, and a lot of, block lists block the Yahoo ad server. So that means, how did I open up this site here? I'm using their DNS, why does this work? Well, that's actually kind of interesting. So one of the things that I realized, I did a packet trace to figure out what was going on: the way the DNS works in Mozilla right now, as of the version I'm using, which is right here, version 70, 64-bit, what it does when a site failed to resolve, a failed-to-resolve site for the DoH DNS, it then relies on local DNS to start looking at the site. Now, there's a couple of good reasons to do this: sometimes if you're pulling up special sites, if you're in a business, this means it'll reach out to the external sites, but if, for example, in a business where it's a local-only site, it can still rely on local DNS to resolve that. So I think that's kind of interesting that it does that. But I wanted to dig a little further, because it obviously completely defeats the purpose of this doing any type of ad blocking over here at BlahDNS, because, well, any ad that it finds blocked, it just goes around it and tries to resolve it with the local DNS. So if your local DNS isn't also blocking this, it doesn't work real well.

So let's go over here and do this from the command line to get a better idea. So curl supports DoH resolving, so you can do curl --doh-url. So we're gonna do this: doh-fi.blahdns.com/dns-query, and here's the site we're gonna resolve, https://gemini.yahoo.com: failed to connect, refused. So if we tell it to do that, it just fails to connect, refused. Let's do the same command, curl, but we're gonna use Cloudflare, who does not block this, so you don't get ad blocking. Cloudflare finds it and starts redirecting, because it wants to go to the advertiser/home, just like you've seen over here: it adds that redirect, when you take this off, it redirects you there. So it's kind of interesting to me that they did it like this, where if it's a failure it goes around it, and it makes sense why, because in a lot of, like, business settings it'll rely on local DNS, thinking something must not be in there. But the problem you create is, how do you do ad blocking, if the goal with BlahDNS is ad blocking? Again, maybe there's another, more strict option where you say, if it fails, don't use local DNS, or maybe you have to have a combination of things: a local DNS that also blocks the same ads that the DoH blocks, which might be a way around it, because, you know, if you had ad blocking turned on in your network and your local DNS is used when the DoH fails, that would be a solution. But I did find it just kind of interesting, the way that workaround is.

Now, you can also find there's a lot of other places out there, and this list is by no means comprehensive, because this is October 26th, and the last time this, I didn't look at the site other than the link they had here, the heuristic security option of keeping these sites up to date clearly is not keeping that up to date. I'm willing to bet in the last 26 days since this, its last update, there were probably a lot more added, and this is going to be a game of whack-a-mole, as I like to call it, where you're just trying to, oh, here's another one, here's another one, and trying to corral the users in. It's really hard filtering users. This is one of the reasons I've talked about doing things like focusing on an endpoint protection system, where you have control over the machine, but users who are more transient, that wander in and out of your network with their devices, it's very difficult to kind of nail them down to try to make sure nothing gets out and only you can filter the DNS. This is a common request people have: they want to filter everything that their users are doing. I'm like, you have to get to the device level to really do a good job of it, because, well, the Internet's encrypted, and with things like this DNS, DoH, with it going over 443, it makes it that much harder. You have to constantly keep a list that is probably growing by the day, because this is just someone's, you know, pet project here, a hobby, and if you don't know about someone's hobby project that pops up, or if someone takes and forks this project and has a name that you're not aware of, because, well, it's on GitHub by the way, the whole standing up of it, and I thought, hey, this excites me, a project maybe for another time, but once again, tracking all these can be really difficult to do.

So it's interesting. I don't know that it's good or bad. To me, the more things that are encrypted in a transport layer, the fewer opportunities there are for people to mess with it, to DNS hijack it. If you're just an average user who opens their laptop at a coffee house, yeah, this becomes a challenge right away for that average user, because they're not thinking about things that people who think more about security are, and at least by default they'll be encrypted and going over to Cloudflare, versus relying on whatever DNS was handed to them at the coffee shop, which could be disastrously bad very quickly. So if they're trying to go to Google and someone tries to hijack Google, Google should resolve perfectly fine, and they should be, I feel, a step further in security. So for the average users, yes. For custom deployments, when you're doing it within a business, yeah, there's going to be some concerns on that side, but when you're doing a custom deployment, or even when we're taking care of things for clients, we customize everything, and we're loading endpoint protection tools directly on each system that we care about protecting for that client, so there's a level of customization that goes into those. So the defaults are never left out of the box when you load anything for your clients; it's never going to leave default. So in my opinion it's a good thing, but obviously some people have some controversies. I'll leave links to these things so you can read through and think through this, so you have a better understanding of DoH and some of the implementations of it. But the going-around-the-ads thing makes it kind of interesting, and maybe if someone leaves a comment below... I don't know if I care enough, because where I want to block things, I have them blocked with local DNS, and I'm still using local DNS. But it might be interesting if there's an option in Firefox to only use whatever the resolver says and not rely on the local resolver for blocked sites. It might be kind of interesting if there's an option for that, but it may break other things doing it that way. You know, a better option: just turn it off and only use your trusted DNS server that you're managing with pfBlockerNG. All right, thanks, and thank you for making it to the end of the video.

If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
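Worked example (added here; this is not code from the video, Mozilla, BlahDNS or Cloudflare): the DoH GET exchange that curl --doh-url performs in the video, built from Python's standard library, plus a small model of the fallback the video observes, where Firefox in its default DoH-first mode retries a name the DoH resolver refused against the OS resolver. The facts it relies on: RFC 8484 sends the DNS wire-format query as an unpadded base64url dns= parameter with Accept: application/dns-message, and Firefox's about:config preference network.trr.mode is 2 for DoH first with native fallback and 3 for DoH only, which is the "only use whatever the resolver says" option the video wonders about. Everything else is constructed for the example and not on the page: the endpoint https://doh.example/dns-query, the two reply packets built by _constructed_reply, and the RFC 5737 documentation address 198.51.100.7 standing in for an ad server.

```python
"""RFC 8484 DoH client (GET form) and a model of the DoH-first fallback the video
observes.  Added example, not code from the video, Mozilla, BlahDNS or Cloudflare."""
import base64
import struct
import urllib.request
from typing import List, Optional, Tuple

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Firefox about:config network.trr.mode: 2 = DoH first, OS resolver as fallback;
# 3 = DoH only (no fallback).
NATIVE_FALLBACK = {2: True, 3: False}


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query for `name` (type A by default); ID 0 per RFC 8484."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                     for lb in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """URL for a DoH GET: base64url of the wire query with padding stripped."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Response code name plus the A / CNAME answers carried in `msg`."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    answers: List[str] = []
    for _ in range(ancount):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        elif rtype == 5:  # CNAME
            answers.append(_read_name(msg, off)[0])
        off += rdlen
    rcode = flags & 0xF
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def query_doh(endpoint: str, name: str, timeout: float = 5.0) -> dict:
    """Live lookup (needs network); what `curl --doh-url` does in the video."""
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())


def effective_answer(doh_reply: bytes, native_answers: List[str],
                     trr_mode: int) -> Tuple[List[str], str]:
    """Model of the observed behaviour: in mode 2 a name the DoH resolver refuses
    is retried on the OS resolver (so resolver-side ad blocking only holds if the
    local resolver blocks it too); in mode 3 the DoH answer is final."""
    doh_answers = parse_response(doh_reply)["answers"]
    if doh_answers:
        return doh_answers, "doh"
    if NATIVE_FALLBACK[trr_mode]:
        return native_answers, "native"
    return [], "doh-failed"


def _constructed_reply(query: bytes, rcode: int, a_record: Optional[str] = None) -> bytes:
    """Constructed reply to `query` for offline use; a fixture, not a captured packet."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, 1 if a_record else 0, 0, 0)
    answer = b""
    if a_record:  # answer name is a pointer (0xC00C) back to the question name
        rdata = bytes(int(o) for o in a_record.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + query[12:] + answer


AD_HOST = "gemini.yahoo.com"  # the ad server the video checks
QUERY = build_query(AD_HOST)
BLOCKED_REPLY = _constructed_reply(QUERY, rcode=3)  # filtering resolver: NXDOMAIN
PLAIN_REPLY = _constructed_reply(QUERY, 0, "198.51.100.7")  # non-filtering (RFC 5737 addr)

if __name__ == "__main__":
    print("GET", doh_get_url("https://doh.example/dns-query", QUERY))  # endpoint assumed
    for mode in (2, 3):
        print("network.trr.mode =", mode, effective_answer(BLOCKED_REPLY, ["198.51.100.7"], mode))
```

Run it with python3 to see the GET URL and the two outcomes for the blocked name; query_doh(endpoint, name) performs the live lookup if you want to reproduce the curl test against a real resolver. The point the model makes is the one the video lands on: with the default mode, a filtering DoH resolver only blocks what the local resolver also blocks, so either the local resolver (pfBlockerNG, Pi-hole) carries the same block list or the browser is switched to DoH-only.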
Info
Channel: Lawrence Systems
Views: 12,001
Keywords: dns over tls, Firefox DoH, firefox doh test, firefox, dns, doh, dns over https, security, https, privacy, browser, dns over https cloudflare
Id: eM8MWtNbcfc
Length: 14min 49sec (889 seconds)
Published: Sat Oct 26 2019