

Disabling Firefox's automatic switch to DoH

Discussion in 'Asuswrt-Merlin' started by RMerlin, Sep 10, 2019.

  1. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    In the coming weeks, Mozilla will be enabling DoH by default in Firefox (starting with US-based users). While it can still be manually enabled/disabled, this opt-out behaviour is unacceptable IMHO. For starters, it means that by default, your browser will ignore whatever configuration you have made on your network (if using DNS over TLS at the router level, for example).

    Firefox looks for a certain canary domain to disable that automatic feature when using, for example, a parental or ad filter provided by your DNS servers.

    For now, you can use that canary domain to prevent that automatic DoH enabling, by creating a /jffs/configs/dnsmasq.conf.add file, with the following entry:

    Code:
    server=/use-application-dns.net/
    
    Then, restart dnsmasq:

    Code:
    service restart_dnsmasq
    

    I am currently evaluating how to implement this in the firmware. The initial tentative plan is to have a new switch to enable that "Block Firefox automatic DoH usage", with the following options:

    0-Enable killswitch if using DNSPrivacy (the default)
    1-Enable killswitch
    2-Disable killswitch

    The default value would be to enable the killswitch if you use DNSPrivacy (i.e. DNS over TLS), to ensure that browsers won't automatically bypass it.

    This is still all being evaluated on my end.
     
    Last edited: Sep 10, 2019
  2. heysoundude

    heysoundude Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    492
    DoH is on Brave's roadmap as well; might I suggest "Block browser auto DoH usage"?
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    Is Brave going to make it opt-in, or opt-out? That's the main difference there.

    It will also depend on whether they will support the same canary domain as Mozilla.
     
    shelbystripes likes this.
  4. heysoundude

    heysoundude Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    492
    I'm not sure...but if they implement DoH, it would probably be opt-out because of their privacy focus
     
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    That might be debatable. Opt-out would mean that, by default, they send all your DNS queries to a server of THEIR choice...
     
    shelbystripes and Skeptical.me like this.
  6. heysoundude

    heysoundude Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    492
    Last edited: Sep 10, 2019
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    I use the following code instead. The dnsmasq man page says the commands are equivalent for this use case. I don't know if there are any subtle differences but this seems more appropriate and at least gets rid of the slightly annoying "using only locally-known addresses for domain use-application-dns.net" message.
    Code:
    address=/use-application-dns.net/
     
    dave14305 and L&LD like this.
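    As an added example (not firmware code from RMerlin or the thread), the following shell script checks a dnsmasq config fragment for the canary block in either of the two forms discussed in post #1 (server=) and post #7 (address=), and appends the address= form only when neither is present, so the router-side steps can be repeated without duplicating the line. The file path and the restart command come from post #1; the CONF override is an assumption added here so the script can be exercised against a test file.

    ```shell
    #!/bin/sh
    # Added example, not part of Asuswrt-Merlin: manage the Firefox DoH canary
    # entry in a dnsmasq config fragment. The canary domain and the default
    # file path are taken from post #1 of the thread.
    CANARY="use-application-dns.net"

    # canary_blocked FILE: exit 0 if FILE already carries either form from the
    # thread, server=/canary/ (post #1) or address=/canary/ (post #7).
    # Both make dnsmasq answer the canary with NXDOMAIN, which is what Firefox
    # looks for before it turns DoH on automatically.
    canary_blocked() {
        [ -f "$1" ] || return 1
        grep -Eq "^[[:space:]]*(server|address)=/use-application-dns\.net/[[:space:]]*$" "$1"
    }

    # add_canary_block FILE: append the address= form if no block is present.
    # Prints "added" or "present" so the caller knows whether a restart is due.
    add_canary_block() {
        if canary_blocked "$1"; then
            echo present
        else
            echo "address=/${CANARY}/" >> "$1"
            echo added
        fi
    }

    # apply_on_router: the procedure from post #1. CONF is an assumed override
    # used for testing; on the router the default path below is the real one.
    apply_on_router() {
        conf="${CONF:-/jffs/configs/dnsmasq.conf.add}"
        if [ "$(add_canary_block "$conf")" = added ]; then
            service restart_dnsmasq
        fi
    }
    ```

    After dnsmasq has been restarted, a client that asks the router for use-application-dns.net should receive NXDOMAIN; if it still gets an address, the entry did not take effect.
    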
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    spocko, netware5 and L&LD like this.
  9. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    My method was based on a post made by Simon Kelley, the dnsmasq author.
     
  10. CriticJay

    CriticJay Regular Contributor

    Joined:
    May 30, 2018
    Messages:
    116
    Awesome, thanks for looking out for your firmware's users.
     
    AntonK, Vexira, Gar and 2 others like this.
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
  12. MarkRH

    MarkRH Senior Member

    Joined:
    Oct 1, 2015
    Messages:
    229
    Location:
    Oklahoma City, OK
    So far in 69 release, 70 beta, and 71 Nightly, DoH has remained unchecked in the Network Settings panel.
     
    Vexira likes this.
  13. rk8531

    rk8531 Regular Contributor

    Joined:
    Jan 28, 2019
    Messages:
    93
    DNScrypt already has a fix for it. May I suggest adding it to Merlin's firmware even though it's not a standard :rolleyes:
     
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    How does that work? Surely the whole issue is that the client (e.g. Firefox) is bypassing things like DNScrypt on the router. Or have I completely missed the point here?
     
    Vexira and netware5 like this.
  15. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,023
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    EDIT: OK, I've just seen the other post here that you responded to. The supposed "solution" is in fact exactly the same thing RMerlin proposed in post #1 (which can be implemented straight away). So there's no need to add DNScrypt instead of just adding one line to a config file. :rolleyes:
     
    Vexira, skeal and L&LD like this.
  17. netware5

    netware5 Senior Member

    Joined:
    Mar 9, 2013
    Messages:
    363
    Location:
    Bulgaria
    I also have the same question.

    BTW, I think that due to the recent significant changes in the DNS "world" in the last few years, it is time now to create a sticky post about the different options to implement secure DNS in AsusWRT-Merlin. The recent Firefox and Chrome moves to DoH just demonstrate the need for such guidance. I am sure that many forum users will appreciate guidance regarding the PROS and CONS of the different secure DNS options, how to implement them in a home network, and how to circumvent those which are enforced by browser vendors, like DoH, if the user wishes so.

    Now searching the forum shows many posts related to that issue. But bringing them in one single sticky post would be very helpful.
     
  18. HairyA00

    HairyA00 Regular Contributor

    Joined:
    Jul 13, 2019
    Messages:
    85
    Why not make it an always-on feature? There shouldn't be a reason to configure this; if you're on a network like mine, you should be forced to do what my router says you're going to do. I'm not sure why web browsers think they have the right to manipulate traffic, especially in the case of Google... now ALL your traffic can belong to them if you use Chrome and you can be profiled further. This isn't an increase in security, it's an attack on privacy (at least the way I see it). Not that this point is neither here nor there, but the pi-hole guys aren't even going to give the option; if you're on my network, your DNS traffic does what I say it does: https://github.com/pi-hole/pi-hole/pull/2915

    EDIT: Post sounds harsh, I guess I am fired up. It's worth having a 'disable' feature, but it should, as you mentioned, be enabled by default.
     
    Last edited: Sep 11, 2019
    Skeptical.me, Gar and Grisu like this.
  19. Diamond67

    Diamond67 Regular Contributor

    Joined:
    Jul 23, 2015
    Messages:
    179
    What happens if you have some VPN service activated?

    I use PIA (Private Internet Access) Client Application with Windows 10. I haven't configured my router to connect to PIA.

    When I go to PIA Client App Settings - Network - Network Preferences - Name Servers, and choose for example "PIA DNS", will the DoH of Firefox (or Brave or Chrome or whatever in the future) bypass the PIA DNS as well?
     
  20. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    Theoretically, yes, unless the PIA DNS servers implement the same canary test/block described in post #1. Of course, the traffic between you and PIA is still being encrypted by the tunnel as before; that hasn't changed.
     
    Diamond67 likes this.