Firefox will start using Cloudflare resolvers, and ignore the ones set in your network

So, I was just reading this:
A cartoon intro to DNS over HTTPS - Mozilla Hacks - the Web developer blog

It’s from Mozilla itself.
They will be setting their browser to use Cloudflare and ignore the resolvers your system is set to use.
All in the name of privacy, yet I find this interesting:

Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties.

Why keep it for 24h? They could mask the IPs in their records or flush them automatically as soon as their DNS servers reply to the request.
Or am I missing something?

1 Like

Rate-limiting and abuse prevention probably

2 Likes

Don’t forget using such data for machine learning, statistical analysis, bunch of other stuff.

Fine by me. Do dumb things with open source software and watch someone else fork your project 🙂

4 Likes

Looks like it’s mostly related to debug logs and determining sources of abuse. Like they need to know if they’re getting hammered by an IP 20k times a second to be able to block it and keep quality of service up. Those are flushed within 24 hours and all the other data they keep is anonymized.

As part of the agreement w/ APNIC (who gave them the IP ranges) they provide anonymized non-user identifiable data for them to study. I think they mentioned that these specific IPs weren’t used previously because they just get hammered with tons of traffic from shitty software over the years that used it as like a local IP or something. So they want to understand that data.

Looks like Cloudflare will be the default because they’re supporting DoH. But literally the next line:

But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them.

Seems like a good move to me 🤷‍♂️

1 Like

Yeah, you can have any color car you want, as long as it’s black. I run my own DNS servers and I know what is secure and what isn’t. If FF has decided that they know better than I do with regard to my personal information, then it’s time to move on to another browser. Chrome is trying to pull the same stuff with the DNS over QUIC protocol and it’s crap. I’d like to know how much more secure I can get than running my own cluster of Unbound servers with IPsec between myself and the resolvers.

$5 says there will be a way to disable it somewhere deep in the options. It’s a good broad-sweeping change/default option though, helps protect a lot of folks seamlessly.

I doubt it’ll be the only option, someone will just fork it if they don’t have a way to disable it.

I hope so, otherwise it’s going to break in AD forests, or any other place that has local DNS servers. I can set up a couple of iptables rules to force port 53 to any server that needs to answer for clients, but with DoH I don’t think it’s possible to control which servers are answering the queries?

I’m not against it per se. However, I’d like for them to have a list, even if tiny, and present it to the users as an install step.

1 Like

I kinda want to make my own DoH server now.

I hope so, otherwise it’s going to break in AD forests, or any other place that has local DNS servers. I can set up a couple of iptables rules to force port 53 to any server that needs to answer for clients, but with DoH I don’t think it’s possible to control which servers are answering the queries?

That’s a very valid concern. Split-horizon DNS would become unusable. I’ll try to ask around and see what Mozilla devs have to say about this.

2 Likes
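As an added illustration of the split-horizon problem raised above (this is example code written for this thread, not from any poster, Mozilla or Cloudflare): an RFC 8484 DoH GET request carries the DNS query base64url-encoded inside an HTTPS URL on port 443, so an iptables redirect of port 53 never sees it. The block builds such a URL for an internal-only name and decodes two constructed responses: the NXDOMAIN a public resolver would return, and the A record the local server would have answered. The endpoint URL, the name `intranet.example` and the address 10.0.0.5 are assumptions.

```python
import base64
import struct

# Assumed endpoint for the example; Cloudflare's public DoH service, named in the thread.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard query: ID 0 (RFC 8484 suggests 0 for cacheability), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding stripped."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def parse_response(msg: bytes) -> dict:
    """Return the RCODE and any A records; handles compressed and inline owner names."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                       # skip the echoed question section
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4                          # zero byte + QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        if msg[pos] & 0xC0 == 0xC0:           # compression pointer (2 bytes)
            pos += 2
        else:                                 # inline labels
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0x0F, "addresses": addrs}

QUERY = build_query("intranet.example")
# Constructed: a public resolver has no zone for the internal name, so it answers NXDOMAIN (RCODE 3).
PUBLIC_RESPONSE = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + QUERY[12:]
# Constructed: the local split-horizon server would have answered A 10.0.0.5 (pointer 0xC00C = question name).
LOCAL_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 5]))
```

Because the query travels as an HTTPS URL, controlling which resolver answers means configuring the DoH endpoint in the browser itself rather than steering port 53 at the network edge.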

Okay, so a company should use Firefox ESR, where this feature is not implemented.