
Hijacking DNS is NOT ok

mister_snrub
Making moves

I came back to my computer, brought Firefox into the foreground, opened a new tab and was greeted by a notification that my DNS settings had been changed. This is not ok, ever.

I understand why you would want to encourage people to migrate to using DoH, I really do. But changing user settings, even with an "opt-out" button (presented in a narrow banner that is easy to click past, which for non-technical users is going to be the default behavior) is a terrible way to go about it. I already have DoH enabled at the router level and rely on local DNS caching to improve performance; why should I expect my browser to one day, with no notice, change this for me?

I mostly use Firefox as I would like to see a world without browser engines solely controlled by Apple and Google, but actions like this make it incredibly difficult to justify that choice (and even more difficult to recommend Firefox, already a niche choice, to my non-technical friends and family).

And yes, I made an account just to complain about this. I've been using Firefox for nearly 20 years and this is finally the thing that is making me question why.

4 REPLIES

JRod761
Making moves

Likewise. I use Firefox as my preferred browser both at home and work. This isn't as much a problem at home, but my work network settings disallow any changes and immediately shut down the browser, rendering it unusable. I don't even have the opportunity to "decline" this anonymous (and suspicious) service that my personal traffic is being routed through. Firefox may have finally updated themselves into being irrelevant, despite being, in my opinion, superior to Edge or Chrome which are the preferred and supported browsers for my workplace.

FFuser23
Making moves

Likewise. Changing DNS and how data is resolved requires a TRUSTED partner. Stating that a third-party provides this service to Firefox community without identifying this upfront, and further, stating that they have access to information in DNS requests, is an invasion of privacy. Privacy includes disclosure of information collected, how used, stored, how managed, protected, and how users can manage this information. This is not provided. There is HUGE value in understanding users' DNS requests for profiling, advertising, etc... as well as using to enhance DNS protection (their own products)... for FREE. Further, DNS is a common attack vector whereby, if compromised, can be disastrous to the end user... redirect to malicious sites, fake sites that mimic legitimate sites to access user credentials (e.g. banking site). It's dangerous... and the Firefox user should have an awareness and understanding before implicit opt-in is offered. It suggests Firefox does not understand security and privacy... concerning. Sometimes a "free service" comes at a price. And although Cloudflare and others may be legitimate, they have their solutions in corporate enterprises... perhaps with COVID and more people working from home, they want visibility from home-office users. Whatever the reason, I shouldn't be having to guess at motives. I opted out. Disappointed.

chromiumisbest
Making moves

Yep... did a DNS test and saw this weird nameserver of ISP called TekkSavvy, I truly thought I had been hacked. I formatted my PC and secured my network. 2 weeks of paranoia later to come to find out that it was just Firefox... unacceptable.

I can't believe Firefox, the apparently "privacy-driven" browser, does something like this. More like piracy-driven... Nuff said.

I will switch to Chromium and never look back. 😁

drurb75
Making moves

I agree with mister_snrub 100%

I also reactivated a Firefox account just to complain about this.

Defaulting DoH to ON in Firefox is an arrogance. Not only does it assume users are too stupid to take care of their own privacy, but it thwarts the very intentional actions of people who have advanced privacy measures in place.

I run my own recursive DNS servers that employ DNSSEC because I don't trust Cloudflare any more than I trust Google or Cloud9 or my ISP not to monetize my browsing habits. I also have tuned my environment to increase performance and employed Pi-hole to block requests to spurious sites and trackers. I do NOT want to find my browser thwarting those measures.

I understand Firefox is checking canary domains to see if systems are using a specific filtered DNS service and (allegedly) honoring such configurations; however, that measure is prone to failure and the fact remains, you are making decisions for people, instead of empowering them to make decisions for themselves.

DoH in a browser should be an option. By all means, advertise the option - heavily even - until a user explicitly chooses their preference, but until then, don't assume to know better than the user ... leave that degree of arrogance to Microsoft and Google.  For Firefox to remain a "people's choice" browser it must leave those choices to the people.

Also, for those who enable DoH, you need to explicitly state what service providers you are using and present the user with the risks associated with trusting said service provider, so they get to choose whether to accept that risk.