Mozilla’s DNS Single Point of Failure built into Firefox

Firefox's developers are once again starting a (security) war against their users by attempting to implement DNS-over-HTTPS (DoH) and a Trusted Recursive Resolver (TRR) in the Firefox browser. But the way Mozilla is doing it creates a single point of failure (SPOF). Here is some background on the subject and why this is bad, bad, bad.

Security expert Stefan Kanthak sent me an e-mail last Sunday (subject: 'The fools at Mozilla has failed again') to draw my attention to the issue. I will try to collect and summarise the relevant background information.

DNS Services

When you enter a URL containing an internet domain into a browser, the computer contacts a DNS server. The domain part of the URL is then translated into an IP address, which is used to contact the web server associated with that domain. But DNS has two major problems.

  • First, everyone on the communication path can see the DNS requests sent by a user's system. This bears the risk of surveillance.
  • Second, it is possible to send false answers that redirect people to other servers. This may be used to deploy malware or government trojans.

The first problem, that someone could read DNS requests, is usually not very big if you use the DNS server of a trustworthy (in my case, a German) Internet provider. But it becomes worse if you configure Google's 8.8.8.8 or Cloudflare's 1.1.1.1 DNS server for resolution. The NSA can very easily access both (they are subject to US law) and thus intercept and even manipulate DNS requests.

The story within the ungleich blog

The ungleich blog reported that Mozilla will introduce two new features into its Firefox browser (currently these features are included in nightly builds). One is "DNS over HTTPS" (DoH) and the other is the Trusted Recursive Resolver (TRR). The good thing: Mozilla intends to transport requests over HTTPS, which encrypts the data, so third parties can't read the DNS requests.

But there is another aspect. Mozilla wants to override the default DNS service configured in your network with its own DNS service, using the new Firefox feature called "Trusted Recursive Resolver" (TRR). Currently Mozilla turns this on by default in nightly Firefox builds. So all DNS requests go to the DNS service Mozilla has pre-configured in Firefox, regardless of what you have configured in your network.

For Firefox, Mozilla has partnered with Cloudflare and will resolve domain names from the application itself via a Cloudflare DNS server located in the United States. Cloudflare will then be able to read everyone's DNS requests, as noted in the ungleich.ch blog post. Mozilla's developers advertise the "Trusted Recursive Resolver" feature as 'increasing security'. But security geeks see the opposite. While TRR raises security in an untrustworthy network (public Wi-Fi), because the DNS requests for the websites you visit are not exposed to a random DNS server, there is a drawback.

Mozilla is integrating a single point of failure (SPOF) into Firefox. If a SPOF breaks, the whole security infrastructure breaks. The SPOF built into Firefox is the use of Cloudflare's DNS service to resolve domain names into IP addresses. If Cloudflare's DNS service is down, no Firefox user can surf anymore. But much more critical: if Cloudflare's DNS service is compromised, the whole chain is broken. DNS requests may be directed to malicious sites or government sites, where malware and government trojans may be distributed.

After Mozilla's change, all DNS requests are also recorded by Cloudflare's DNS service. Because Cloudflare is located in the US, any government agency has the legal right to request data from Cloudflare. Or as the ungleich.ch blog wrote:

With Mozilla's change, any (US) government agency can basically trace you down. If there is anything wrong with your government (for instance corruption, collusion or fraud) and you have information to publish about it, the government will be able to trace you down. This puts any whistleblower at risk.

So it simply isn't true in general that TRR increases security. The Mozilla way (currently used in nightly builds) is the wrong way – or a built-in SPOF.

Turn TRR off in Firefox

There is a Hacker News post describing how to disable TRR in the Firefox browser. Just enter about:config in the browser's address bar, press ENTER and then search for the entry network.trr. Set the value to:

network.trr.mode = 5

Then the redirection to Cloudflare's DNS service is switched off. In the ungleich blog and also at ghacks.net you will find more details. A German blogger describes it as 'Mozilla's developers are again at war with their users'. So it's time to dump Firefox.
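The about:config change above ends up as a user_pref line in the profile's prefs.js (or user.js). The following script is an added example, not code from the blog or from Mozilla: it parses such a prefs file, reports what the network.trr.mode value (and the network.trr.uri resolver pref mentioned in the comments) means for where DNS queries go and whether the resolver is a hard dependency, and rewrites the mode to 5. The sample prefs content and the resolver URI are constructed placeholders.

```python
import re

# Meaning of network.trr.mode values as documented by Mozilla (the experimental
# "race"/"shadow" modes 1 and 4 of early builds are left out of the table).
TRR_MODES = {
    0: "off (system DNS only, default)",
    2: "DoH first, fall back to system DNS on failure",
    3: "DoH only, no system DNS fallback",
    5: "off by user choice",
}
# Matches pref lines in user.js / prefs.js, e.g. user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    # Returns {pref_name: value}; strings are unquoted, everything else parsed as int
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw)
    return prefs

def trr_status(prefs):
    # Summarise what the profile's TRR settings mean for DNS resolution
    mode = prefs.get("network.trr.mode", 0)
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown mode"),
        "resolver": prefs.get("network.trr.uri", "(Firefox built-in default)"),
        # Modes 1-4 all send the queried names to the configured DoH resolver
        "sends_queries_to_resolver": mode in (1, 2, 3, 4),
        # Only mode 3 makes the resolver a hard single point of failure;
        # in mode 2 Firefox falls back to system DNS when the DoH lookup fails
        "hard_dependency_on_resolver": mode == 3,
    }

def set_trr_mode(text, mode):
    # Return the prefs text with network.trr.mode set to `mode` (appended if absent)
    new_line = 'user_pref("network.trr.mode", %d);' % mode
    pat = re.compile(r'^\s*(?:user_)?pref\("network\.trr\.mode",.*$', re.M)
    if pat.search(text):
        return pat.sub(new_line, text)
    return text.rstrip("\n") + "\n" + new_line + "\n"

# Constructed sample prefs.js content; the resolver URI is a placeholder
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
user_pref("browser.startup.page", 3);
"""
```

Run `trr_status(parse_prefs(open(path_to_prefs_js).read()))` against a real profile to see whether queries leave for the DoH resolver, and `set_trr_mode(text, 5)` to produce the user.js content that switches TRR off.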


4 Responses to Mozilla’s DNS Single Point of Failure built into Firefox

  1. wsusu says:

    Hello, are you sure that DNS is now a SPOF of Firefox?
    Because I read that if Cloudflare DNS can't find a DNS name (because it is in a local DNS namespace), local DNS servers are used.
    Or maybe Cloudflare is only the first priority, but system DNS servers are always there.
    Or did you test it with DNS to Cloudflare blocked?
    Thanks

    • guenni says:

      The SPOF has two aspects: One is fail safety (maybe there will be a failover solution, but I don't know what happens if Cloudflare's DNS service is down). But the other is surveillance. If all DNS requests worldwide go to one service provider in the US, guess what happens? That's the major concern security experts here in Europe express (or in other words: it's a no-go).

  2. Any American manufacturer of hard- or software needs to be avoided when it comes to network and security equipment, due to the fact that they are by law required to implement backdoors into their products and may not even talk about it due to accompanying gag orders. Even canary statements have recently been forbidden in some cases. The same goes for other five or nine eyes countries (AU, CA, NZ, UK).

    That being said, believing that a German (of all) server would be any better is at best naive and uninformed, and that is putting it diplomatically, because not only has Germany signed treaties to grant the allied secret services nearly unlimited rights (http://www.Sueddeutsche.de/politik/us-geheimdienst-in-der-bundesrepublik-deutschland-erlaubte-den-amerikanern-das-schnueffeln-1.1715355), but German intelligence has traditionally been and basically still is incapable and incompetent on a general level, both when it comes to acquiring information and when it comes to defending and preventing foreign powers or criminals from hacking even their government's and other crucial communication. As a general rule of thumb, having your providers (e-mail, website, whatever) inside your home country/jurisdiction, the country/jurisdiction you live in (DE/EU in your case, http://Medium.com/privacy-international/a-new-era-of-mass-surveillance-is-emerging-across-europe-3d56ea35c48d, http://EDRI.org/leaked-document-eu-presidency-calls-for-massive-internet-filtering/) or in any of the nine eye countries is never a good idea in the first place. European providers are only a good choice for people outside the EU, especially after the European Copyright Directive (article 13) enters into force. As always, Germany is good at controlling and punishing the general citizenship for small trespassings, but the intelligence community's laughingstock when it comes to finding and pursuing well-organised criminals, let alone foreign secret agencies.

    So much for your erroneous implicit premises, now let's return to Trusted Recursive Resolver (TRR): in principle, any effort to increase privacy and security of citizens and consumers can only be applauded, and Cloudflare — the pest of the Internet that harasses us with Google's idiotic ReCaptchas — is on nearly every website anyway these days (just like people giving away the key to their data voluntarily in social crapworks anyway). You are correct in that American companies should be avoided, but just because Mozilla needed a provider that can handle massive amounts of traffic at quick speeds — because nobody will treat privacy for sluggish response times for long — cannot be a reason for bashing Mozilla over this detail as the only reason why it's 'bad'.

    If you do not like Cloudflare, simply enter another DoH capable DNS server's link into network.trr.uri and be done with it.

  3. VP says:

    "Any American manufacturer of hard- or software needs to be avoided when it comes to network and security equipment, due to the fact that they are by law required to implement backdoors into their products and may not even talk about it due to accompanying gag orders"

    What law are you talking about? This is absolutely false.
