by syshum 2404 days ago
That will only work for so long, as more and more browsers are forcing DoH for "privacy" on users, making them bypass traditional DNS in favor of DNS over HTTPS to a provider selected by the browser, removing user control.

Mozilla for example is going to force everyone to use CloudFlare as a Resolver


> Mozilla for example is going to force everyone to use CloudFlare as a Resolver

Do you have any evidence that they're going to force anyone to do that?

You can change your DoH resolver, so you could set up a Raspberry Pi as a DoH server theoretically, and still keep the benefits of a PiHole. Mozilla is making CloudFlare the default but they aren't forcing it; you can use another server.
My browser should not be doing this at all in the first place.

I should not have to dig deep into the internals of Firefox to opt out of sending all my traffic to CloudFlare, a company proven time and time again to be pro-censorship and anti-competitive.

You can change it on web browsers, for now, but not on IoT devices.
What sort of IoT device uses Firefox???
I'm not aware of any IoT devices with non-configurable DoH.
It's coming in the future, likely soon we'll see it in Google hardware since they all auto-update.
While I agree that Mozilla's by-default decision is wrong, this is not actually true of other browsers. Chrome will check your existing DNS provider to see if they support DoH and, if they do, query that way. If not, DNS proceeds as normal. Microsoft are adding the ability to use DoH in Windows, but they won't change your DNS settings, so you'll need to configure it. So other than Firefox there's no "use DoH by default" anywhere.

Firefox's choice isn't the best, but you can disable it. Set network.trr.mode to 5 in about:config, which means disabled and deliberately configured as such. Then Firefox won't ever try to use DoH.

As others have pointed out, you can also use other resolvers than Cloudflare's, through the network.trr options.

Then run your own DoH server, the same way you run your own pihole.

Shameless plug: https://GitHub.com/yegle/your-dns

That's usually easy to opt out of, and if bootstrapping fails (e.g. the outbound DNS query for the DoH provider fails / direct connection by IP is blocked) it falls back to the network/OS-defined resolvers.

Even still, filtering based on SNI will work for a long time yet. Yes, ESNI is on track to becoming a standard, but support for legacy devices/browsers means it too will rely on network tests for support - so it can also be disabled.

Physical devices already do this: https://mailarchive.ietf.org/arch/msg/dnsop/WCVv57IizUSjNb2R...

At least a browser might have a user setting to disable it.

This isn't the same thing. That's just a hard-wired DNS server, which can be easily forced to use your own servers at the firewall. GP is talking about DNS over HTTPS, which can't be fixed in this way.
Just use iptables on your firewall/router to reroute all traffic on port 53 to your DNS server.
I can assure you that the general population has no idea what half the nouns in that sentence mean, let alone how to do any of that.
I mean the game of controlling 3rd-party devices that we don’t really own via side channels is always gonna be a cat-and-mouse of ever more elaborate hacks.

The next game will probably be mitming these devices by flashing a new CA store.

There is no general solution to running an openly adversarial app/device in your network.

> I can assure you that the general population has no idea what half the nouns in that sentence mean, let alone how to do any of that.

Keep in mind you're on HN; we tend to be a more technical population :). If you're interested, I found this on StackOverflow via Google: https://unix.stackexchange.com/questions/144482/iptables-to-...

You'll have to Google how to set up iptables/telnet or ssh on your router yourself, assuming it supports it.
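The iptables approach suggested above, written out as an added example (not from any commenter in this thread): a small POSIX sh script that generates the NAT rules redirecting plain DNS (udp/tcp 53) from LAN clients to a local resolver such as a Pi-hole, excluding the resolver's own upstream queries so they are not looped back onto itself. The interface name and resolver address are assumed placeholders; as noted in the thread, this catches only classic port-53 DNS, not DoH on 443.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints iptables commands that
# DNAT port-53 traffic arriving on the LAN interface to a local resolver.
# Pass --apply as the first argument to execute them (requires root).
# Limitation from the thread: DoH travels over 443 and is not redirected.

dns_redirect_rules() {
    lan_if="$1"    # assumed LAN-side interface, e.g. br0
    resolver="$2"  # assumed Pi-hole IPv4 address, e.g. 192.168.1.2

    # Refuse obviously malformed input before emitting anything.
    case "$lan_if" in "" | *[!A-Za-z0-9._-]*) echo "bad interface: $lan_if" >&2; return 1 ;; esac
    case "$resolver" in "" | *[!0-9.]*) echo "bad IPv4: $resolver" >&2; return 1 ;; esac

    for proto in udp tcp; do
        # '! -s resolver' keeps the resolver's own upstream lookups from being
        # redirected back to itself, which would create a loop.
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 ! -s %s -j DNAT --to-destination %s:53\n' \
            "$lan_if" "$proto" "$resolver" "$resolver"
    done
}

main() {
    if [ "$1" = "--apply" ]; then
        shift
        dns_redirect_rules "$1" "$2" | sh   # execute the generated rules
    else
        dns_redirect_rules "$1" "$2"        # dry run: just show them
    fi
}

# Only act when invoked with arguments, so sourcing the file is harmless.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Dry run with `sh redirect-dns.sh br0 192.168.1.2` to review the rules, then repeat with `--apply` on the router.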

Pi-Hole has a fix for this, going by Mozilla staff:

https://twitter.com/selenamarie/status/1175092910200483840?s...