[cremp]

I hardly see how the OP is FUD. What the article states is true; just because you can opt-out doesn't mean it's wrong.

Where you are drawing the line is the opt-out to disable it, as opposed to the convention of opt-in.

Think about companies in the 50-200 employee range; As a sysadmin, I have to purposefully go out of my way to put that domain (use-application-dns.net)[1] in my root resolver, and point it to NXDOMAIN.

I can't do it if another provider is managing my DNS (ISP, cloud service...); it also doesn't actually guarantee that it is off.

> If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.

The basic IT mantra has been 'If it aint broke, don't fix it.' Mozilla itself is moving fast and breaking things; which is why we have standards in the first place.

For god sake, there isn't even a proper RFC to select yes or no to DoH.

I, as a sysadmin, must not only implement the domain in my resolver, but I also must keep in my mind that if a user is using Firefox, that there are things it does internally that are not right, and it is easier for me to have my users on Chrome, because it is less of a headache for me.

[1] https://support.mozilla.org/en-US/kb/configuring-networks-di...

[comex]

Indeed, Firefox is prioritizing the interests of users over the interests of sysadmins. Personally, I'm fine with that.

> The basic IT mantra has been 'If it aint broke, don't fix it.'

An unencrypted protocol that compromises privacy may not be "broke" for sysadmins, but it is for users.

[YarickR2]

Well, now CF will know per-organization IT structures. All those LAN-only administrative interfaces, and, with link prefetching, internal resource maps could be built in just a few clicks , using account with sufficient privileges. This is such a security-defying move by Mozilla I can't even start. And CF DNS logs will be the obvious first step for every targeted attack.

[comex]

Sure, if your targeted attacker has managed to compromise Cloudflare first… Not exactly a trivial prerequisite. If you have any kind of VPN or Wi-Fi access to your network, those domain names are already leaking to other DNS providers whenever someone accidentally accesses a URL while on the wrong network.

Also, if your internal resources are using publicly trusted SSL certificates, the domain names are already being broadcast to the public thanks to Certificate Transparency. If you’re sophisticated enough to run a private CA for them, then you’re probably sophisticated enough to set up use-application-dns.net as well – though I still wouldn’t recommend ever treating domain name secrecy as a meaningful security boundary, considering how many ways they can be leaked. The remaining possibility is that your internal resources aren’t using SSL at all... in which case you have bigger problems than domain name leaks.

[roelschroeven]

How is it in the interest of users if they can't access the intranet servers anymore?

[cremp]

They can, it just takes extra steps.

Firefox tries DoH via Cloudflare, for an internal domain that returns NXDOMAIN (Cloudflare can't answer for your internal resolver,) then they fall back to local resolvers, which is OS based (DHCP or statically set.)

The response time to complete the internal request goes up, because you're sending data to Cloudflare, they can't find it, then the 'normal' response time for internal resolvers.

Edit: Made more clear.

[ti_ranger]

> They can, it just takes extra steps.

For 99% of users, that means they can't.

Luckily for them, they probably aren't allowed to use Firefox anyway, and are stuck using Edge or whatever, and the local MCSE will use this as another reason why Firefox may not be used by anyone.

[m-p-3]

You know that Chrome is also planning a similar switch?

https://www.silicon.co.uk/workspace/browser/google-chrome-do...

[cremp]

Yes, however the difference here is that Chrome is looking at the OS resolver itself first; not just disregarding it, or looking for a magic domain. Chrome is being opt-in, Firefox is being opt-out.

Chrome DoH use cases:

For the average home user, fine; they're either using what the ISP DNS is, or the public ones (1.1.1.1, 8.8.8.8 ....) If those are on the 'accepts DoH from us', then it'll use DoH to the appropriate destination.

For the corporate environment, their internal DNS might not support DoH, and as such, Chrome will not even try to use DoH.

The key is that it is respecting the OS DNS settings, not the ability to not resolve a magic domain. If I opt to setup DoH internally, the understanding is that I know what I'm getting into.