Feature | Add Cloudflare's and NextDNS's DoH Mozilla endpoints #2102

Open
opened 2020-10-23 03:10:04 +00:00 by n0toose · 7 comments
n0toose commented 2020-10-23 03:10:04 +00:00 (Migrated from github.com)

Description

Hi, I just found out that the Firefox's "partner services" that provide support for DNS-over-HTTPS are bound to stricter privacy-related contractual agreements, as seen here.

Why I am making the suggestion

I can see that both Cloudflare and NextDNS use different endpoints for the purpose of serving Firefox users, so I was wondering whether it would be a better idea to recommend those endpoints to people instead.

This definitely isn't your average URL correction, so I am just seeking after some feedback before pushing a PR.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
## Description Hi, I just found out that the Firefox's "partner services" that provide support for DNS-over-HTTPS are bound to stricter privacy-related contractual agreements, as seen [here](https://wiki.mozilla.org/Security/DOH-resolver-policy#Conforming_Resolvers). ## Why I am making the suggestion I can see that both Cloudflare and NextDNS use different endpoints for the purpose of serving Firefox users, so I was wondering whether it would be a better idea to recommend those endpoints to people instead. This definitely isn't your average URL correction, so I am just seeking after some feedback before pushing a PR. - [x] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
Mikaela commented 2020-10-23 04:17:46 +00:00 (Migrated from github.com)

I would like more information on how do the privacy policies actually differ and would point out that there are no DoH or DoT endpoints documented directly and the user needs to visit the website by themselves to find out. Do the DoH endpoints also list DoT or what is your intention with it?

In case of NextDNS, it doesn't even advertise any endpoints as it wants you to make your own profile which has it's own endpoints personal to you for you to configure on your devices and their privacy policy isn't that long.

I would like more information on how do the privacy policies actually differ and would point out that there are no DoH or DoT endpoints documented directly and the user needs to visit the website by themselves to find out. Do the DoH endpoints also list DoT or what is your intention with it? In case of NextDNS, it doesn't even advertise any endpoints as it wants you to make your own profile which has it's own endpoints personal to you for you to configure on your devices and their privacy policy isn't that long.
n0toose commented 2020-10-23 10:19:13 +00:00 (Migrated from github.com)

In case of NextDNS, it doesn't even advertise any endpoints as it wants you to make your own profile which has it's own endpoints personal to you for you to configure on your devices and their privacy policy isn't that long.

Will be honest, I wasn't really aware of how NextDNS worked, just that NextDNS offered a specific endpoint for Firefox.

Since that idea came up in my head a bit suddenly, I'll try to conduct some further research and I'll update this issue accordingly.

> In case of NextDNS, it doesn't even advertise any endpoints as it wants you to make your own profile which has it's own endpoints personal to you for you to configure on your devices and their privacy policy isn't that long. Will be honest, I wasn't really aware of how NextDNS worked, just that NextDNS offered a specific endpoint for Firefox. Since that idea came up in my head a bit suddenly, I'll try to conduct some further research and I'll update this issue accordingly.
n0toose commented 2020-10-24 07:18:17 +00:00 (Migrated from github.com)

In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.

Source: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

I believe that we're pretty much only talking about DoH here. To clarify, you're asking me to compare the Trusted Recursive Resolver policy's terms with the actual provider's terms and conditions, correct?

` In the US, Firefox by default directs DoH queries to DNS servers that are operated by CloudFlare, meaning that CloudFlare has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids CloudFlare or any other DoH partner from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy. ` Source: https://support.mozilla.org/en-US/kb/firefox-dns-over-https I believe that we're pretty much only talking about DoH here. To clarify, you're asking me to compare the Trusted Recursive Resolver policy's terms with the actual provider's terms and conditions, correct?
n0toose commented 2020-10-25 03:30:26 +00:00 (Migrated from github.com)

I found a source for Cloudflare that explains a few differences; https://developers.cloudflare.com/1.1.1.1/privacy/firefox

As part of its agreement with Firefox, Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser.

They seem to collect the same sets of data, however, nothing much is mentioned about a couple of extra details that Cloudflare mentions that they collect with their ordinary DNS, but not under the Mozilla DNS. Moreover, the Cloudflare Privacy Policy doesn't apply to the Firefox DNS. One can notice a few minor differences regarding data retention (e.g. Cloudflare promises to retain data for up to 24 hours using the Mozilla endpoint, while it's 25 hours for their own DNS.)

I think that it is being insinuated that they cannot provide data to other third parties (such as APNIC, which is the only third-party they claim to share anonymized logs with) without Mozilla's consent. Since the differences seem to be minor (but more beneficial, comparatively speaking) I think that this is just a matter of whether you'd trust Mozilla over Cloudflare, but still wanting to use Cloudflare's services at the same time.

1.1.1.1

image

Cloudflare's Mozilla DNS

image

I found a source for Cloudflare that explains a few differences; https://developers.cloudflare.com/1.1.1.1/privacy/firefox `As part of its agreement with Firefox, Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser.` They seem to collect the same sets of data, however, nothing much is mentioned about a couple of extra details that Cloudflare mentions that they collect with their ordinary DNS, but not under the Mozilla DNS. Moreover, the Cloudflare Privacy Policy doesn't apply to the Firefox DNS. One can notice a few minor differences regarding data retention (e.g. Cloudflare promises to retain data for up to 24 hours using the Mozilla endpoint, while it's 25 hours for their own DNS.) I think that it is being insinuated that they cannot provide data to other third parties (such as APNIC, which is the only third-party they claim to share anonymized logs with) without Mozilla's consent. Since the differences seem to be minor (but more beneficial, comparatively speaking) I think that this is just a matter of whether you'd trust Mozilla over Cloudflare, but still wanting to use Cloudflare's services at the same time. ### 1.1.1.1 ![image](https://user-images.githubusercontent.com/30193966/97098120-5fd76800-1671-11eb-9614-0cfc2a6f7d42.png) ### Cloudflare's Mozilla DNS ![image](https://user-images.githubusercontent.com/30193966/97098138-809fbd80-1671-11eb-9807-0c66d63a6ed4.png)
n0toose commented 2020-10-25 03:35:14 +00:00 (Migrated from github.com)

I'm assuming that the clause about selling, licensing/sublicensing is possibly a paraphrased clause of one of their seemingly unknown contractual obligations. Not sure if I should assume that the same condition applies to both NextDNS and Xfinity as well.

Obviously, using NextDNS's ad-blocking features under the Firefox endpoint is not feasible, but it still seems like a feasible option for anyone who doesn't want to use an account.

I'm assuming that the clause about selling, licensing/sublicensing is possibly a paraphrased clause of one of their seemingly unknown contractual obligations. Not sure if I should assume that the same condition applies to both NextDNS and Xfinity as well. Obviously, using NextDNS's ad-blocking features under the Firefox endpoint is not feasible, but it still seems like a feasible option for anyone who doesn't want to use an account.
Mikaela commented 2020-10-25 09:05:07 +00:00 (Migrated from github.com)

Obviously, using NextDNS's ad-blocking features under the Firefox endpoint is not feasible, but it still seems like a feasible option for anyone who doesn't want to use an account.

It's also possible to use dns.nextdns.io (DoT) or https://dns.nextdns.io/ (DoH) which just aren't documented anywhere as they attempt to have people register.

In general I am still unsure of this issue, the difference in the policies seems minor and the issue title is about replacing HTTPS Endpoints that PrivacyTools isn't even listing, so how would you change the site?

> Obviously, using NextDNS's ad-blocking features under the Firefox endpoint is not feasible, but it still seems like a feasible option for anyone who doesn't want to use an account. It's also possible to use `dns.nextdns.io` (DoT) or https://dns.nextdns.io/ (DoH) which just aren't documented anywhere as they attempt to have people register. In general I am still unsure of this issue, the difference in the policies seems minor and the issue title is about replacing HTTPS Endpoints that PrivacyTools isn't even listing, so how would you change the site?
n0toose commented 2020-10-25 09:50:57 +00:00 (Migrated from github.com)

Hah, I wasn't aware of the public DoT/DoH endpoint.

I'd add a new small table that explains the subtle, yet still existing differences, and explain that a slightly higher degree of privacy may be achieved that way. Contractual obligations beat volatile privacy policies in the long-term IMHO and there's nothing to lose, right?

Hah, I wasn't aware of the public DoT/DoH endpoint. I'd add a new small table that explains the subtle, yet still existing differences, and explain that a slightly higher degree of privacy may be achieved that way. Contractual obligations beat volatile privacy policies in the long-term IMHO and there's nothing to lose, right?
This repo is archived. You cannot comment on issues.
No Milestone
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#2102
No description provided.