[tor-talk] Mozilla's DNS over HTTPS does not complement Tor

Ben Tasker ben at bentasker.co.uk
Fri Mar 6 15:10:55 UTC 2020


The canary domain will only disable DoH if you've been defaulted into using
DoH.

If you've actively turned it on, or set network.trr.mode to 3, then the
canary will not disable it.



On Fri, Mar 6, 2020 at 2:58 PM Nathaniel Suchy <
nathanielsuchy at protonmail.com> wrote:

> Even if that option is enabled, it is my understanding that a network
> administrator can still override your decision during a man-in-the-middle
> attack. Well, you can imagine how this is problematic. I run a local DNS
> resolver over Tor for my non-Tor traffic as I don’t trust Mozilla’s
> implementation.
>
> Cordially,
> Nathaniel Suchy (they/them)
>
> Sent from ProtonMail Mobile
>
> On Fri, Mar 6, 2020 at 2:07 AM, <hansvader at airmail.cc> wrote:
>
> > You can use network.trr.mode to enforce the use of DoT. IIRC 3 is to
> > enforce it and not use other DNS. When using network.trr.mode, Firefox
> > should not do any other DNS than DoH. This should address your concerns.
> >
> > The best way is to use DoT and to have it directly implemented into your
> > router or locally on your machine. I don't think the Mozilla approach is
> > useless. It's a better-than-nothing approach. Last, but not least, you
> > can use different DoH servers in FF. You are not tied to the default.
> > Though the average Joe may not have the ability to use a custom DoH
> > server in their Firefox.
> >
> > BTW, what router manufacturer already has DoT implemented?
> >
> > --
> > tor-talk mailing list - tor-talk at lists.torproject.org
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>


-- 
Ben Tasker
https://www.bentasker.co.uk

