Firefox DOH question

I’ve read this on Slashdot:

I don’t understand this all too well.
Can somebody explain what the difference is between the protocol and a vpn, when it comes to keeping you anonymous?

The good:

The benefit of DoH is that domain IP requests are normally made without encryption… so for example if you go to tuxmystool.com, anyone between you and its domain host (ex: namecheap.com), or more likely your ISP (which caches DNS), can swap the IP you get back to something else.

So your browser would say you’re at tuxmystool.com but it’s delivering a website from an attacker’s server.

It also hides which domain’s IP you’re looking for (think of it like a VPN for asking where tuxmystool.com is), although the fact that you’re going there will be revealed once you start pulling data from that IP (via reverse IP lookup), so that part isn’t much benefit.

For Firefox you’ll also be able to turn it off or edit the address it uses for resolving domains. By default it’ll be CloudFlare and free.

The bad:

It’ll be on by default and most users won’t know or they’ll forget to adjust it on new installs.

Because it’s implemented within Firefox, it’ll skip over local IP filtering such as Pi-holes, firewalls and non-browser-based ad blocking.

Some VPNs like protonvpn.com enforce their own DNS so the domain requests never leave their encrypted tunnel. With DoH, that can’t be enforced, and you’ll be resolving that domain request at wherever Firefox sets it to after exiting that tunnel, which is slower and arguably less secure.

The ugly:

Firefox added Comcast to a trusted program which’ll funnel the DoH requests of Xfinity Internet users to Comcast servers instead of CloudFlare. While that’s still higher security, it defeats one of the benefits of not trusting your ISP as a resolver.

It hands the whole domain request cookie jar to CloudFlare, which is already extremely dominant on the Web. While the company has a stellar record, it’s located in Israel, which has looser privacy laws and a history of intimate cooperation with the NSA, which shares its data with other agencies/countries/etc. How that relates to CloudFlare is purely speculative though.
