Firefox Developers
After activating DoH, a warning is displayed to the user, which allows, if desired, to refuse to contact centralized DoH DNS servers and return to the traditional scheme of sending unencrypted requests to the provider's DNS server. Instead of a distributed infrastructure of DNS resolvers, DoH uses a binding to a specific DoH service, which can be considered as a single point of failure. Currently, it is offered to work through two DNS providers - CloudFlare (by default) and
Change provider or disable DoH
Recall that DoH can be useful for preventing leaks of information about requested host names through the DNS servers of providers, combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), countering blocking at the DNS level (DoH cannot replace VPN in the area of ββbypassing blocking implemented at the DPI level) or for organizing work in case it is impossible to directly access DNS servers (for example, when working through a proxy). While normally DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DoH, the request to determine the host IP address is encapsulated in HTTPS traffic and sent to the HTTP server, on which the resolver processes requests via the Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
For the selection of DoH providers offered in Firefox, the
DoH should be used with caution. For example, in the Russian Federation, the IP addresses 104.16.248.249 and 104.16.249.249 associated with the Mozilla.cloudflare-dns.com DoH server offered by default in Firefox,
The application of DoH can also lead to problems in areas such as parental control systems, access to internal namespaces in corporate systems, route selection in content delivery optimization systems, and enforcement of court orders in the field of combating the distribution of illegal content and the exploitation of minors. To circumvent such problems, a system of checks has been implemented and tested that automatically disables DoH under certain conditions.
To identify enterprise resolvers, checks are made for atypical first-level domains (TLDs) and the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com and if the result does not match the actual IP, it is considered that adult content blocking is active at the DNS level. Google and YouTube IP addresses are also checked as indicators to see if they are spoofed as restrict.youtube.com, forcesafesearch.google.com, and restrictmoderate.youtube.com. These checks allow attackers who control the operation of the resolver or are able to interfere with traffic to simulate such behavior in order to disable encryption of DNS traffic.
Working through a single DoH service can also potentially lead to problems with traffic optimization in content delivery networks that perform traffic balancing using DNS (the DNS server of the CDN network generates a response, taking into account the address of the resolver and issues the nearest host to receive content). Sending a DNS query from the resolver closest to the user in such CDNs returns the address of the host closest to the user, but sending a DNS query from the centralized resolver will return the host address closest to the DNS-over-HTTPS server. Testing in practice showed that the use of DNS-over-HTTP when using a CDN practically did not lead to delays before the start of content transfer (for fast connections, delays did not exceed 10 milliseconds, and even acceleration was observed on slow communication channels). We also considered using the EDNS Client Subnet extension to pass the client location information to the CDN resolver.
Source: opennet.ru