What's next in making DNS over HTTPS the default? This is apparently more controversial than I thought. And I think some people are overthinking it. There are some concerns, of course. And I found a couple, well, at least one weird bug that I just, well, wasn't aware of. And let's dive into Firefox's change to making DNS over HTTPS the default. This has got a lot of people up in arms. One of the problems right away is going to be encrypted DNS. Well, you're probably saying, isn't that a good thing because things are encrypted? But we'll swing all the way over here and point to this discussion going on over here in Reddit on pfBlocker. And I've talked about pfBlocker before, integrating with pfSense and blocking bad sites with it, or potentially you could block ads with it. And this breaks that. So there could be a check mark on the side of a problem with it. But if you're someone who's savvy enough to be setting up a Pi-hole or a pfBlocker on a pfSense firewall, you're probably someone who knows how to change the default settings as well. Now, where's the other concern with this? Well, the ISPs are less than thrilled. A UK ISP group names Mozilla an internet villain for supporting DNS over HTTPS. Well, yes, the ISPs are upset because they're used to being able to see the default unencrypted DNS that you send across. So as you're sending data across, yes, they can see it. Yes, they're able to then, perhaps, even monetize it, redirect it. Or in the UK, they've had a series of bills that want to block certain websites that the government deems of a nature of something you shouldn't watch. Therefore, they easily block DNS, because they can see the traffic and most people don't bother changing to anything other than whatever the default DNS was. So there's back and forth concerns over this.
And of course, if you're running a local business network, now you've made filtering that much harder, because normal DNS goes out over port 53, unencrypted, uninhibited, and it's easy enough to put in a firewall rule that says, no, don't go out port 53, or redirect that port and redirect that information right to the local firewall, and therefore change it to whatever whoever's managing the network wants it to be. The downside of that, again, though, comes back to security. If you're somewhere where your DNS can be intercepted, you're also somewhere where DNS can be hijacked, because it's easily manipulated and it's all in clear text. So there's all the back and forth with DNS over HTTPS. Putting it all over port 443 also makes it harder to block, because any website that's encrypted is also using port 443, potentially. They can use other ones, I'm aware. But generally speaking, most websites that are encrypted are using port 443, so if you just try to block that, you'd end up breaking more of the internet. So back to this discussion over here. There's a list of servers right here that you can block; those are the known lists. And here comes the whack-a-mole cat and mouse game of trying to block access to any servers that support DNS over HTTPS. So you can start eliminating them so you can start filtering your users back to not being able to do it, and the cat and mouse game begins. And that discussion, I'll leave links to this, and you can read through the discussion on here. Now, I did find, because this is where people are getting angry, like right here, the OpenBSD community has disabled DoH by default in Firefox packaging. This is active in current and will be in our 6.6 release. Disabling DoH while encrypting DNS might be a good thing. Sending all DNS traffic to Cloudflare by default is not a good idea. And this is the next part where people have found a way to be angry. So normally you assume if the ISPs are angry, it's good for the people. Good rule of thumb on most things.
But now people are upset because they chose Cloudflare as a default for DoH. So this is the DNS over HTTPS partnerships. What resolver will they be using? Cloudflare. They have policy requirements that Cloudflare may not monetize this newfound flow of data that is coming at them, but then people are angry at Cloudflare for whatever reason, and therefore they don't want Cloudflare having their DNS. The people who care, I don't think, are the people who don't know how to change the preferences and change your DoH. So I figured let's go over here and open up the preferences settings and talk about it a little bit. First, right now it was not enabled on my Firefox. I apparently am not part of the beta test coming out here of people getting updates. It did update, but it still isn't enabled by default on either of the computers I set up. So you can check the box and enable it. And if you do check the box, yes, Cloudflare is there, and at some point a new install will automatically have Cloudflare be the default. In my opinion, right now it is better to have encrypted DNS for people who are leaving things at default. I would rather have them have some type of encrypted DNS than none. So I think that is a step up, but yes, there is concern that they've chosen Cloudflare as the single provider, and that can be terrible, but for those of us who care about DNS and think further about it, the custom option was really easy to do. You click custom and paste in whatever the site is. And I chose BlahDNS because it was in a list that someone had on this list here, and I just like BlahDNS; it seemed good. I didn't even check out the other ones, and they have a cool little thing. It's a small hobby that ad blocks and DNS protects with DoH, DoT, and DNSCrypt support. Pretty cool.
And I also like the fact that when you're using it, it says you're using BlahDNS when you go to their site, and I bring that up because something I found interesting, maybe I just didn't read the documentation thoroughly enough, but when you do enable it, until you restart Firefox, stop it and start it again, it actually doesn't work. So if I were to remove this, I can even remove it right now real quick and refresh the page, it still thinks I'm using it. So yeah, until you actually go in and restart Firefox, it doesn't change that setting there. So it'll still think I'm using it because it didn't change. It'll only change on restart. I'm not gonna bother restarting it because I have a few more pages that I'll go through here. Now, a little bit of housekeeping before we jump into the next part of the test. If you can click down below, click the like, and check out some of the affiliates we have, that would be great. They're all linked down below, and we have an entire page of affiliates over at lawrencesystems.com in case you see something you like. It helps out the channel and can get you a discount on a few different things on there. I'll bring it up once more because it does help us out a lot here with all the content we create, and it helps fund all the content we create with some of those affiliate links. It's much appreciated. All right, back to what we're talking about here. The DNS over HTTPS in this particular site, because they have ad blocking, they have a tool here, check domain status. And we're gonna go ahead and do that, and actually we'll paste it back in. So let's check this particular status. gemini.yahoo.com is the ad server for Yahoo, so we'll check it. Check. gemini.yahoo.com failed. So all right, this lookup failed. But if we go to, like, yahoo.com, yahoo.com is not blocked. But gemini.yahoo.com, lookup failed or blocked. Perfectly fine, because you would expect that. It's in a lot of block lists; they block the Yahoo ad server.
So that means, how did I open up this site here? I'm using their DNS. Why does this work? Well, that's actually kind of interesting. So one of the things I realized, I did a packet trace to figure out what was going on. The way the DNS works in Mozilla right now, as of the version I'm using, which is right here, version 70, 64-bit, what it does when a site fails to resolve with the DoH DNS, it then relies on local DNS to start looking up the site. Now, a couple of good reasons to do this: sometimes if you're pulling up special sites, if you're in a business, this means it'll reach out to the external sites, but if, for example, in a business where it's a local-only site, it can still rely on local DNS to resolve that. So I think that's kind of interesting that it does that. But I wanted to dig a little further, because it obviously completely defeats the purpose of this doing any type of ad blocking over here at BlahDNS, because, well, any ad that it finds blocked, it just goes around it and tries to resolve it with the local DNS. So if your local DNS isn't also blocking this, it doesn't work real well. So let's go over here and do this from the command line to get a better idea. So curl supports DoH resolving. So you can say curl --doh-url. So we're gonna do this: doh.fi.blahdns.com/dns-query. And here's the site we're gonna resolve, https://gemini.yahoo.com. Failed to connect, refused. So if we tell it to do that, it just fails to connect, refused. Let's do the same command, curl, but we're gonna use Cloudflare, who does not block this. They don't do ad blocking at Cloudflare. Found, and it starts redirecting because it wants to go to advertiser slash home, just like you've seen over here. It adds that redirect; when you take this off, it redirects you there.
So it's kind of interesting to me that they did it like this, where if there's a failure it goes around it, and I can make sense of why, because in a lot of, like, business settings, it'll rely on local DNS, thinking something must not be in there. But the problem you create is, how do you do ad blocking if the goal with BlahDNS is ad blocking? I didn't dig in; maybe there's another, more strict option where you say if that fails, don't use local DNS, or maybe you have to have a combination of things, a local DNS that also blocks the same ads that the DoH blocks, which might be a way around it, because if you had ad blocking turned on in your network and your local DNS is used when the DoH fails, that would be a solution. But I did find it just kind of interesting the way that workaround is. Now you can also find there's a lot of other places out there, and this list is by no means comprehensive, because this is October 26th, and the last time this, let me look at the site other than the link they had here. The heuristic security option of keeping these sites up to date clearly is not keeping that up to date, because I'm willing to bet in the last 26 days since this last update, there were probably a lot more added. And this is gonna be a game of whack-a-mole, as I like to call it, where you're just trying to, oh, here's another one, here's another one, and I'm trying to corral the users in. It's really hard filtering users. This is one of the reasons I've talked about doing things like focusing on an endpoint protection system where you have control over the machine, but users who are more transient, that wander in and out of your network with their devices, it's very difficult to kind of nail them down to try to make sure nothing gets out and only you can filter the DNS. This is a common request people have. They wanna filter everything that their users are doing.
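The fallback behaviour observed above (DoH lookup fails, browser silently retries with the local resolver, so a filtering DoH provider's block is bypassed unless the local resolver blocks too) is easy to reason about once you can see the messages. The following is an added example, not code from the video, from Firefox, curl or BlahDNS: it builds the RFC 8484 GET request that `curl --doh-url` sends (base64url of a wire-format DNS query), parses a wire-format answer, and then simulates the two resolver policies side by side. Assumptions: the two resolver tables are constructed stand-ins using RFC 5737 documentation addresses (no network is touched); the `doh.fi.blahdns.com/dns-query` endpoint is the one named in the video; the policy constants mirror Firefox's `network.trr.mode` values 2 (DoH first, local fallback) and 3 (DoH only) from my own knowledge, since the video does not name that preference; and treating NXDOMAIN, REFUSED or a `0.0.0.0` answer as "blocked" is my heuristic for how filtering resolvers typically answer, not something the video states.

```python
import base64
import struct

# Added example (not from the video, Firefox, curl or BlahDNS). Offline only.
# Policy constants mirror Firefox's network.trr.mode values as I know them
# (assumption; the video does not name the preference).
TRR_FIRST = 2  # DoH first, fall back to the local resolver when DoH fails
TRR_ONLY = 3   # DoH only, never fall back


def encode_name(name):
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format query. RFC 8484 recommends ID 0 for GET so answers can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(doh_url, name):
    """The URL a DoH GET fetches: base64url(query) with '=' padding stripped."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return doh_url + "?dns=" + dns


def decode_dns_param(url):
    """Reverse of doh_get_url: recover the wire-format query from the URL."""
    dns = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a wire-format DNS answer."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def build_answer(name, rcode=0, addrs=()):
    """Constructed wire-format answer: echo the question, append A records."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)
    records = b""
    for a in addrs:
        records += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # ptr to qname
        records += bytes(int(octet) for octet in a.split("."))
    return header + question + records


# Constructed resolver tables (RFC 5737 documentation addresses, not real data).
# The filtering DoH resolver has no entry for the ad host and answers NXDOMAIN,
# the "lookup failed" seen in the video; the plain local resolver answers both.
FILTERING_DOH_TABLE = {"yahoo.com": ["192.0.2.1"]}
LOCAL_DNS_TABLE = {"yahoo.com": ["192.0.2.1"], "gemini.yahoo.com": ["192.0.2.10"]}


def filtering_doh(name):
    addrs = FILTERING_DOH_TABLE.get(name)
    return build_answer(name, rcode=0 if addrs else 3, addrs=addrs or ())


def local_dns(name):
    addrs = LOCAL_DNS_TABLE.get(name)
    return build_answer(name, rcode=0 if addrs else 3, addrs=addrs or ())


def resolve(name, doh, local, mode):
    """Apply the browser policy. Returns (addresses, which path answered)."""
    rcode, addrs = parse_response(doh(name))
    # Heuristic (assumption): filtering resolvers signal a block with NXDOMAIN,
    # REFUSED or a 0.0.0.0 sinkhole answer.
    blocked = rcode in (3, 5) or not addrs or addrs == ["0.0.0.0"]
    if not blocked:
        return addrs, "doh"
    if mode == TRR_ONLY:
        return [], "doh-blocked"
    rcode, addrs = parse_response(local(name))
    return addrs, "local-fallback"


if __name__ == "__main__":
    print(doh_get_url("https://doh.fi.blahdns.com/dns-query", "gemini.yahoo.com"))
    for mode in (TRR_FIRST, TRR_ONLY):
        print(mode, resolve("gemini.yahoo.com", filtering_doh, local_dns, mode))
```

Running it shows the point of the video in two lines: under the fallback policy the ad host resolves anyway via the local resolver, and only under the DoH-only policy (or a local resolver that carries the same blocklist) does the block hold. The same question about a "don't fall back" option is raised again at the end of the video; the trade-off the example makes visible is that DoH-only also loses the intranet-only names that the fallback was there to serve.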
I'm like, you have to get to the device level to really do a good job of it, because, well, mostly the internet's encrypted, and with things like this, DNS over HTTPS, with it going over 443, it makes it that much harder. You have to constantly keep a list that is probably growing by the day, because this is just someone's little pet project here, a hobby, and if you don't know about someone's hobby project that pops up, or if someone takes and forks this project and has a name that you're not aware of, because, well, it's on GitHub, by the way, the whole standing up of it, and I thought, hey, this looks like a neat project, maybe for another time, but once again, tracking all these can be really difficult to do. So it's interesting. I don't know that it's good or bad. To me, the more things that are encrypted in a transport layer, the less opportunities there are for people to mess with it, to DNS hijack it. If you're just an average user who opens their laptop at a coffee house, yeah, this becomes a challenge right away for that average user, because they're not thinking about things that people who think more about security are, and at least by default, they'll be encrypted and going over to Cloudflare versus relying on whatever DNS was handed to them at the coffee shop, which could be disastrously bad very quickly. So if they're trying to go to Google and someone tries to hijack Google, Google should resolve perfectly fine, and they should be, I feel, a step further in security. So for the average users, yes; for custom deployments, when you're doing it within a business, yeah, there's gonna be some concerns on that side, but when you're doing a custom deployment, or even when we're taking care of things for clients, we customize everything and we're loading endpoint protection tools directly on each system that we care about protecting for that client. So there's a level of customization that goes into those.
So the defaults are never left out of the box when you load anything for clients. It's never gonna leave defaults. So, my opinion, it's a good thing, but obviously some people have some controversies. I'll leave links to these things that you can read through and think through, so you have a better understanding of DoH and some of the implementations of it, but the going around the ads thing makes it kind of interesting, and maybe if someone leaves a comment below, I don't know if I care enough, because where I wanna block things, I have them blocked with local DNS, and I'm still using local DNS, but it might be interesting if there's an option in Firefox to only use whatever the resolver says and not rely on local resolvers for blocked sites. It might be kind of interesting if there's an option for that, but it may break other things doing it that way. You know, the better option is just turn it off and only use your trusted DNS server that you're managing with pfBlocker. All right, and thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you wanna carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching and see you next time.