Sure, Firefox introduced a security feature: DNS over HTTPS. So instead of asking some DNS server that is configured on the local system for the IP that belongs to a domain name, an external service is asked via HTTPS.
While this is in theory a good idea, and has some benefits, the Firefox implementation was bad:
the external partner was Cloudflare. There was no additional information out at that time.
there was no opt-out option
Users that were forced into DNS over HTTPS could no longer resolve internal hostnames. This was a killer in office environments. And after the fix for that, everything was first submitted to Cloudflare and only if Cloudflare could not resolve the hostname was the local DNS server asked, leading to potential information leaks. Also a no-go for companies.
Firefox has fixed these issues by providing privacy policies, the option to choose other DNS over HTTPS providers, and the option to define which domains should never be resolved externally.
But they lost trust in many professional environments because of that move.
I totally forgot one essential fact: the reason for DNS over HTTPS itself was perfectly valid: ISPs in the US are using the DNS lookups of their customers for advertising. The idea is to prevent this kind of privacy breach. And it is very effective against it.
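To make the difference between the two behaviours concrete, here is a small added example. It is a toy model written for this thread, not code from Firefox or from anyone posting here; the zone names, the hostnames and which resolver knows which name are all made up. It contrasts the criticised policy (send every name to the DoH provider first, fall back to the local resolver) with the fixed one (names under an excluded internal zone never leave for the provider) and reports which names would have been sent out.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (hypothetical): internal zones a company might exclude,
# and which names each resolver is able to answer.
INTERNAL_ZONES = ("corp.example.", "intranet.example.")
LOCAL_RESOLVER_KNOWS = {"wiki.corp.example.", "git.intranet.example."}
PUBLIC_RESOLVER_KNOWS = {"www.example.com.", "news.example.net."}


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified (trailing dot) for comparisons."""
    return name.strip().lower().rstrip(".") + "."


def in_excluded_zone(name: str, zones=INTERNAL_ZONES) -> bool:
    """True if the name is exactly an excluded zone or a subdomain of one."""
    n = normalize(name)
    return any(n == z or n.endswith("." + z) for z in zones)


@dataclass(frozen=True)
class Trace:
    name: str
    answered_by: str | None   # "doh", "local" or None when nobody could answer
    leaked_to_doh: bool       # True if the name was sent to the external provider


def resolve_doh_first(name: str) -> Trace:
    """Criticised policy: every name goes to the DoH provider first; the local
    resolver is only asked when the provider has no answer, so even internal
    names have already left the network by then."""
    n = normalize(name)
    if n in PUBLIC_RESOLVER_KNOWS:
        return Trace(n, "doh", True)
    if n in LOCAL_RESOLVER_KNOWS:
        return Trace(n, "local", True)   # answered locally, but already leaked
    return Trace(n, None, True)


def resolve_with_exclusions(name: str, zones=INTERNAL_ZONES) -> Trace:
    """Fixed policy: names under an excluded zone are only ever asked locally;
    everything else goes to the DoH provider."""
    n = normalize(name)
    if in_excluded_zone(n, zones):
        answered = "local" if n in LOCAL_RESOLVER_KNOWS else None
        return Trace(n, answered, False)
    if n in PUBLIC_RESOLVER_KNOWS:
        return Trace(n, "doh", True)
    return Trace(n, None, True)


def leaked_names(policy, names) -> list[str]:
    """Sorted list of the names a policy would send to the external provider."""
    return sorted(t.name for t in map(policy, names) if t.leaked_to_doh)


# Constructed queries a corporate laptop might make during a day.
SAMPLE_QUERIES = [
    "wiki.corp.example",
    "git.intranet.example",
    "www.example.com",
    "news.example.net",
]

if __name__ == "__main__":
    for policy in (resolve_doh_first, resolve_with_exclusions):
        print(policy.__name__, "sends externally:", leaked_names(policy, SAMPLE_QUERIES))
```

Running it shows the point of the thread: under the DoH-first policy all four names, internal ones included, reach the provider even though the internal ones are eventually answered locally; with the exclusion list only the two public names leave the network.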
Could you give me an eli5 on the DNS part?
Thank you. Yeah, that sounds like a really bad move on their part.
Just the ideologically driven implementation was bs.