Closed Bug 1458168 Opened 6 years ago Closed 6 years ago

Mozilla can operate a DNS-over-HTTPS server

Categories

(Infrastructure & Operations :: DNS and Domain Registration, task)

Product:
Infrastructure & Operations
Component:
DNS and Domain Registration
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: martin.monperrus, Unassigned)

Details

(Keywords: privacy, ux-trust, Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/19/6859] [trr])

FF now provides setting a trusted recursive resolver (see bug 1434852) But the only way to use it is through a resolver operated by a private American company, which is debatable from the viewpoint of independence and privacy. It would be great that Mozilla operates its own DNS-over-HTTPS server. It would be better for privacy, it would encourage the use of DNS-over-HTTPS and it would avoid controversy such as the one from bug 1446404.
(In reply to monperrus from comment #0) (I'm not responding to the greater question, just to a remark in the text) > But the only way to use it is through a resolver operated by a private > American company This is not true. There are already several open source implementations of DOH servers so "anyone" can actually run such a server. You can even run a private one for yourself, should you want to.
Assignee: nobody → infra
Component: Networking: DNS → Infrastructure: DNS
Product: Core → Infrastructure & Operations
QA Contact: cshields
Whiteboard: [trr]
If this is going to move forward someone from MoCo will need to support it.
(In reply to monperrus from comment #0) > But the only way to use it is through a resolver operated by a private American company, which is debatable from the viewpoint of independence and privacy. So it can't be on AWS. The Corporation and Foundation would be foreigners in Europe and exposed to our intelligence services. If Mozilla doesn't have a legal person (subsidiary) in Europe (who pays european employees?) it would be better to find some partnering non-profit organization renting a Hetzner Cloud instance (which are connected to DE-CIX and should offer best latencies).
> (who pays european employees?) from what I know, the Swedish Company in its subcompanies dedicated for each country. Personally, I really want what the report says. > it would be better to find some partnering non-profit organization renting a Hetzner Cloud instance (which are connected to DE-CIX and should offer best latencies). Awesome idea!
Today, German News: https://www.heise.de/newsticker/meldung/IETF-DNS-ueber-HTTPS-wird-zum-Standard-4119942.html A risk of bad user impression is known to us (bug 1446404 comment 11). * https://twitter.com/PowerDNS_Bert/status/1011157976361684992 * https://twitter.com/raybellis/status/1020392123064111104 Without knowing I implied that you won't just enable it by default, and will leave choice to the user. I love the idea behind DoH in combination with ESNI for inexperienced users and am grateful to all Mozilians working on this! I hope my Karma is enough to sum this up a bit. ^^ You/We can only legitimately enable DoH in regimes where privacy is not guaranteed by law, like US, Iran etc. You/We can't announce (the amazing) Cloudflare as the only built-in option and threaten users that you/we want to enable it by default, because it is legally based in the US. There is no european trust in secret US courts. You/We should take Decentralization seriosly, otherwise https://internethealthreport.org/2018/category/decentralization/ would be warm words: * DNS over HTTPS inside Firefox * Cloudflare as an option among others * Alternative DoH servers in cooperation with civil-rights organizations or similar (e.g. one small Mozilla-owned VPS on Hetzner Cloud in Germany. One pizza is more expensive.) * Option to keep the system resolver (default) with a link to an article about possible risks/consequences. (Firefox' DNS preferences UI should be able to detect whether the system's default resolver supports DNSSEC and if ESNI is working as expected) * It is difficult to convince users to trust incomplete or threatening announcements when there are other policy issues (recent centralization into AWS, "Open and accessible to ̶a̶̶l̶̶l̶ [IPv4 users]", disregard of DNT:1 on Mozilla websites).
Keywords: privacy, ux-trust
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [trr] → [kanban:https://webops.kanbanize.com/ctrl_board/19/6859] [trr]
Assignee: infra → nobody
Component: DNS and Domain Registration → General
Product: Infrastructure & Operations → Firefox
Moved to a more appropriate queue.
Component: General → Networking: DNS
Product: Firefox → Core
I'm not sure what is the right product/component for this, but definitely not core/networking:DNS.
Assignee: nobody → infra
Component: Networking: DNS → DNS and Domain Registration
Product: Core → Infrastructure & Operations

We have no plans to setup a public dns-over-https service. Closing this out

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.