by comex 2473 days ago
Indeed, Firefox is prioritizing the interests of users over the interests of sysadmins. Personally, I'm fine with that.

> The basic IT mantra has been 'If it aint broke, don't fix it.'

An unencrypted protocol that compromises privacy may not be "broke" for sysadmins, but it is for users.


Well, now CF will know per-organization IT structures. All those LAN-only administrative interfaces, and, with link prefetching, internal resource maps could be built in just a few clicks, using an account with sufficient privileges. This is such a security-defying move by Mozilla I can't even start. And CF DNS logs will be the obvious first step for every targeted attack.

Sure, if your targeted attacker has managed to compromise Cloudflare first… Not exactly a trivial prerequisite. If you have any kind of VPN or Wi-Fi access to your network, those domain names are already leaking to other DNS providers whenever someone accidentally accesses a URL while on the wrong network.

Also, if your internal resources are using publicly trusted SSL certificates, the domain names are already being broadcast to the public thanks to Certificate Transparency. If you’re sophisticated enough to run a private CA for them, then you’re probably sophisticated enough to set up use-application-dns.net as well – though I still wouldn’t recommend ever treating domain name secrecy as a meaningful security boundary, considering how many ways they can be leaked. The remaining possibility is that your internal resources aren’t using SSL at all... in which case you have bigger problems than domain name leaks.

How is it in the interest of users if they can't access the intranet servers anymore?

They can, it just takes extra steps.

Firefox tries DoH via Cloudflare; for an internal domain that returns NXDOMAIN (Cloudflare can't answer for your internal resolver), then they fall back to local resolvers, which are OS-based (DHCP or statically set).

The response time to complete the internal request goes up, because you're sending data to Cloudflare, they can't find it, and then you wait the 'normal' response time for internal resolvers.

Edit: Made more clear.
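A small model of the resolution order the comment above describes, combined with the use-application-dns.net canary mentioned earlier in the thread. This is an added illustration, not Firefox's code: the resolvers, their name tables, latencies and addresses are all constructed stubs, and the canary rule (a local NXDOMAIN for the canary keeps DoH off) is assumed from the thread.

```python
"""Model of DoH-then-local-fallback resolution (added example, not Firefox's code)."""
from dataclasses import dataclass

CANARY = "use-application-dns.net"  # canary domain named in the thread


class NXDomain(Exception):
    """Raised when a resolver has no record for the queried name."""


@dataclass
class StubResolver:
    """Constructed resolver: a fixed name table plus a fixed latency in ms."""
    name: str
    table: dict
    latency_ms: int

    def lookup(self, qname: str) -> str:
        try:
            return self.table[qname.lower()]
        except KeyError:
            raise NXDomain(qname) from None


def doh_enabled(local: StubResolver) -> bool:
    """Assumed canary rule: if the OS resolver answers NXDOMAIN for the
    canary, DoH stays disabled and only the local resolver is used."""
    try:
        local.lookup(CANARY)
        return True
    except NXDomain:
        return False


def resolve(qname: str, doh: StubResolver, local: StubResolver):
    """Return (answer, source, elapsed_ms): try DoH first when enabled,
    fall back to the local resolver on NXDOMAIN, summing the latencies."""
    elapsed = 0
    if doh_enabled(local):
        elapsed += doh.latency_ms
        try:
            return doh.lookup(qname), doh.name, elapsed
        except NXDomain:
            pass  # public DoH cannot see internal names; fall back
    elapsed += local.latency_ms
    return local.lookup(qname), local.name, elapsed


# Constructed inputs: a public DoH resolver and two OS resolvers (documentation IPs).
DOH = StubResolver("doh", {"example.com": "198.51.100.7"}, 30)
LOCAL_DEFAULT = StubResolver("os", {CANARY: "192.0.2.1", "wiki.corp.internal": "10.0.0.5"}, 5)
LOCAL_CANARY = StubResolver("os", {"wiki.corp.internal": "10.0.0.5"}, 5)
```

With the canary left resolvable, an internal name pays the DoH round trip before the local answer arrives; with the canary blackholed, the DoH step is skipped entirely.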

> They can, it just takes extra steps.

For 99% of users, that means they can't.

Luckily for them, they probably aren't allowed to use Firefox anyway, and are stuck using Edge or whatever, and the local MCSE will use this as another reason why Firefox may not be used by anyone.