:: Re: [DNG] Mozilla and cloudflare to…
Top Page
Delete this message
Reply to this message
Author: Arnt Karlsen
Date:  
To: dng
Subject: Re: [DNG] Mozilla and cloudflare to hijack all your DNS requests - for your own good of course
On Sun, 9 Sep 2018 10:19:04 -0400, Steve wrote in message
<20180909101904.15e47591@???>:

> Hi Taiidan,
>
> I wouldn't use Firefox if it were the last browser on earth. If you
> take Firefox out of the equation, are the Cloudflare public DNS
> servers any less secure or more problematic than the Google ones or
> the Hurricane electric ones, etc?
>
> https://www.lifewire.com/free-and-public-dns-servers-2626062


..interesting, with chromium --proxy-server="socks://127.0.0.1:9050",
I only get:
"Error 405 Not allowed.
Not allowed.

Guru Mediation:
Details: cache-abc0000-ABC XXXXXXXXXX XXXXXXXXXX

Varnish cache server "

..dropping my Tor proxy, I get there, but I also get
there on my first reload with my Tor proxy, probably
from my chromium cache.
A second reload brings us back to:
"Error 405 Not allowed.
Not allowed.

Guru Mediation:
Details: cache-def2345-DEF YYYYYYYYYY YYYYYYYYYY

Varnish cache server"

..we probably should have our Tor proxy servers set up to block
chromium, firefox etc POST etc method attempts to call home.


..do we have a set of recommendations on DNS servers, and,
on DNS "with" Tor?
2 very different but also related issues, IMHO...
https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks
https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers
https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#IkeepseeingthesewarningsaboutSOCKSandDNSandinformationleaks.ShouldIworry
https://www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks


>
> Thanks,
>
> SteveT
>
>
> On Tue, 7 Aug 2018 07:51:40 -0400
> "Taiidan@???" <Taiidan@???> wrote:
>
> > Yet another great choice by mozilla
> >
> > Cloudflare is such an incredibly obvious intelligence agency ploy to
> > gather data but no one talks about this.
> >
> > https://yro.slashdot.org/story/18/08/05/2353249/security-researchers-express-concerns-over-mozillas-new-dns-resolution-for-firefox
> >
> > Article included for your security pleasure
> >
> > "With their next patch Mozilla will introduce two new features to
> > their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted
> > Recursive Resolver (TRR). Mozilla says this is an additional feature
> > which enables security. Researchers think otherwise. From a report:
> > So let's get to the new Firefox feature called "Trusted Recursive
> > Resolver" (TRR). When Mozilla turns this on by default, the DNS
> > changes you configured in your network won't have any effect
> > anymore. At least for browsing with Firefox, because Mozilla has
> > partnered up with Cloudflare, and will resolve the domain names
> > from the application itself via a DNS server from Cloudflare based
> > in the United States. Cloudflare will then be able to read
> > everyone's DNS requests.
> >
> > From our point of view, us being security geeks, advertising this
> > feature with slogans like "increases security" is rather misleading
> > because in many cases the opposite is the case. While it is true
> > that with TRR you may not expose the websites you call to a random
> > DNS server in an untrustworthy network you don't know, it is not
> > true that this increases security in general. It is true when you
> > are somewhere in a network you don't know, i. e. a public WiFi
> > network, you could automatically use the DNS server configured by
> > the network. This could cause a security issue, because that
> > unknown DNS server might have been compromised. In the worst case
> > it could lead you to a phishing site pretending to be the website
> > of your bank: as soon as you enter your personal banking
> > information, it will be sent straight to the attackers.
> >
> > But on the other hand Mozilla withholds that using their Trusted
> > Recursive Resolver would cause a security issue in the first place
> > for users who are indeed in a trustworthy network where they know
> > their resolvers, or use the ISP's default one. Because sharing data
> > or information with any third party, which is Cloudflare in this
> > case, is a security issue itself."
> > _______________________________________________
> > Dng mailing list
> > Dng@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng



--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.