
So, Firefox 73 rolled out today and with it comes a new DNS option called NextDNS. I thought of giving it a shot and clicked "Enable DNS over HTTPS" and selected NextDNS.

Now, my understanding of HTTPS is that it encrypts the traffic (to provide confidentiality) and prevents tampering (to check integrity). But, when I started snooping on my own traffic using tcpdump, I found entries such as these:

root@Sierra ~ % tcpdump dst port 53

00:16:18.598111 IP 192.168.1.102.57991 > 192.168.1.1.domain: 15871+ A? detectportal.firefox.com. (42)
00:16:18.601087 IP 192.168.1.102.55182 > 192.168.1.1.domain: 44174+ A? www.goodreads.com. (35)
00:16:18.602982 IP 192.168.1.102.57991 > 192.168.1.1.domain: 63750+ AAAA? detectportal.firefox.com. (42)
00:16:18.855488 IP 192.168.1.102.34760 > 192.168.1.1.domain: 7245+ A? mozilla.org. (29)
00:16:18.855976 IP 192.168.1.102.34570 > 192.168.1.1.domain: 17221+ A? mozilla.org. (29)
00:16:18.855998 IP 192.168.1.102.34570 > 192.168.1.1.domain: 24136+ AAAA? mozilla.org. (29)
00:16:18.856830 IP 192.168.1.102.42346 > 192.168.1.1.domain: 52531+ A? detectportal.firefox.com. (42)
00:16:24.097262 IP 192.168.1.102.35499 > 192.168.1.1.domain: 38286+ A? mozilla.org. (29)
00:16:24.097448 IP 192.168.1.102.35499 > 192.168.1.1.domain: 44461+ AAAA? mozilla.org. (29)
00:16:24.451349 IP 192.168.1.102.40330 > 192.168.1.1.domain: 60808+ A? s.gr-assets.com. (33)
00:16:24.456921 IP 192.168.1.102.48310 > 192.168.1.1.domain: 6906+ A? i.gr-assets.com. (33)
00:16:29.106318 IP 192.168.1.102.39619 > 192.168.1.1.domain: 54705+ AAAA? mozilla.org. (29)
00:16:33.269314 IP 192.168.1.102.43004 > 192.168.1.1.domain: 3958+ A? mozilla.org. (29)
00:16:42.515778 IP 192.168.1.102.53688 > 192.168.1.1.domain: 33887+ A? sync-580-us-west-2.sync.services.mozilla.com. (62)
00:16:42.516330 IP 192.168.1.102.59568 > 192.168.1.1.domain: 62418+ A? api.accounts.firefox.com. (42)
00:16:42.889225 IP 192.168.1.102.48174 > 192.168.1.1.domain: 41105+ A? sync-580-us-west-2.sync.services.mozilla.com. (62)
00:16:43.453717 IP 192.168.1.102.60703 > 192.168.1.1.domain: 44380+ A? d3cv4a9a9wh0bt.cloudfront.net. (47)

Apparently, this doesn't look encrypted. When I changed my DNS server to Cloudflare, I could only see the entries for Cloudflare's DNS server (which is what I expect from DoH). So, what's wrong with NextDNS? How is NextDNS different from unencrypted DNS? And, am I missing something here?

Edit: Steffen Ullrich has filed a bug with Mozilla here.

7_R3X
  • This is not traffic to NextDNS, this is traffic to your local DNS server in your router. – Steffen Ullrich Feb 12 '20 at 18:58
  • @SteffenUllrich: But, isn't HTTPS supposed to encrypt this traffic too? Just like all of the content from HTTPS websites is. – 7_R3X Feb 12 '20 at 19:00
  • That is not supposed to happen, should be a glitch. – Rashad Novruzov Feb 12 '20 at 19:10
  • @7_R3X No - DoH won't encrypt all DNS traffic. Instead the browser will be making DNS requests over HTTPS on port 443. Any DNS traffic going over port 53 will always be unencrypted. Your DoH traffic will be elsewhere. Therefore you have either incorrectly enabled DoH, or you are seeing standard DNS requests from other devices/applications on the network (remember that DoH would only take effect for your browser, so other applications on your computer will still generate unencrypted DNS requests on port 53). – Conor Mancone Feb 12 '20 at 19:17
  • @ConorMancone: I'm pretty sure that these requests are coming from my browser because I could see them being generated in real time when I visited "goodreads.com". And after reading your comment, I double checked that it's browser by hitting other domains. – 7_R3X Feb 12 '20 at 19:20
  • @ConorMancone: I have never contributed to Firefox but, if you believe this is a bug (as mentioned by Rashad before your comment), could you please tell me how do I report it? It seems like a serious issue. – 7_R3X Feb 12 '20 at 19:22
  • In that case something is wrong and your DoH setup is not working properly with NextDNS. I couldn't say whether that is the result of a bug or not. However, if DoH is enabled and working, your browser should not be generating any traffic on port 53. All DNS traffic (from your browser) should be going through port 443 and fully encrypted. I would just try to reach out to Firefox's support team - presumably there is contact information on their website. It sounds like this is only an issue with NextDNS though, so for now if this is important just use cloudflare... – Conor Mancone Feb 12 '20 at 19:24
  • It's my understanding that normal HTTPS traffic does not encrypt the domain part of your URL. It does encrypt your query values. (just a side note... I don't know much about HTTPS DNS... ) – pcalkins Feb 12 '20 at 21:45
  • @pcalkins: This is not about the visibility of the domain in the HTTPS traffic. It is about the visibility of the DNS lookup. With properly working DoH this is encrypted and only the communication with the DoH provider should be seen, but not the DNS queries themselves, as is the case here. – Steffen Ullrich Feb 13 '20 at 06:06
  • The issue was closed by the Firefox team. Is it still reproducible @7_R3X? – Filipe dos Santos Feb 13 '20 at 19:29
  • @FilipedosSantos: I uninstalled FF, deleted all of its configuration and downloaded FF again. It seems to be working fine now. Must be a misconfig. I'll try to reconfigure FF exactly the same way, with all the plugins and settings and see if I can reproduce it. – 7_R3X Feb 17 '20 at 10:21

3 Answers


With tcpdump dst port 53, you explicitly select everything that goes to port 53, the traditional DNS port. DNS over HTTPS uses port 443, which is the standard port for HTTPS traffic.

Apparently, this doesn't look encrypted.

The tcpdump shows that you are doing normal DNS requests, not DoH. The DNS requests are resolved by 192.168.1.1, which is probably your router to the Internet. Because you limit your tcpdump to port 53, we cannot see whether there are any DoH packets; we just see the traditional DNS packets on port 53.

And the DNS packets on port 53 suggest that you are not using DoH.

So, that is why they do not look encrypted.

When I changed my DNS server to Cloudflare, I could only see the entries for Cloudflare's DNS server (which is what I expect from DoH).

So how did you do that? Change it in Firefox? What did you see? DNS packets on port 53? In that case, you are not using DoH. Or port 443 calls to the DoH server from cloudflare?

So, what's wrong with NextDNS?

Nothing. It works (except for some IPv6 issues).

How is NextDNS different from unencrypted DNS?

NextDNS provides (also) DNS over HTTPS. If you have configured your DoH with NextDNS correctly, you should see the DNS requests with

tcpdump host 45.90.28.0

You will not be able to read the contents of your DNS query, of course.

And, am I missing something here?

As I can see it, you are making a number of assumptions that are wrong.

  1. DNS=port 53. Although this is true for traditional DNS, DoH uses, as I stated above, TCP port 443.
  2. 192.169.1.1 is NextDNS. It is not.
  3. You assume your Firefox config is such that it uses DoH with NextDNS. The tcpdump you provided shows that this is not the case. You probably made a configuration error.

But, why am I not able to intercept my regular traffic when I use Cloudflare?

Apparently, your DoH configuration is correct then. You might be able to see them with

tcpdump host 104.16.249.249

or

tcpdump host 104.16.248.249

Which result will be entrusted by the browser in case they happen to be different?

The first that is used for resolution. Once the hostname is resolved, Firefox will look no further.

Why are unencrypted requests even generated by FF when I've asked it to use DoH?

Seems like a misconfig.

And how do I know that my router doesn't forward these unencrypted requests to my ISP if it's not able to resolve the query?

I am positive that your router will forward the DNS requests to port 53 unencrypted to whatever DNS resolver you have configured in your router.

Ljm Dullaart
  • But, why am I not able to intercept my regular traffic when I use Cloudflare? Which result will be entrusted by the browser in case they happen to be different? Why are unencrypted requests even generated by FF when I've asked it to use DoH? And how do I know that my router doesn't forward these unencrypted requests to my ISP if it's not able to resolve the query (just like it would do in case of non-DoH)? – 7_R3X Feb 12 '20 at 19:11
  • Those are a lot of questions that were not in the original question when I answered it, and are still not in the question. – Ljm Dullaart Feb 13 '20 at 18:09
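The check the answer describes (cleartext lookups on port 53 versus transport to the DoH resolver on port 443) can be run over a saved tcpdump listing. The script below is an added example, not code from the post or from Firefox/NextDNS; it assumes tcpdump's default service names ("domain" for 53, "https" for 443), uses the NextDNS address 45.90.28.0 quoted in the answer as the known DoH resolver, and works on a constructed sample that mixes two lines from the question with one made-up port 443 segment.

```python
import re
from collections import Counter

# Matches the line shape tcpdump prints without -n: host.port > host.port (port 53
# is rendered as "domain", port 443 as "https"), as in the capture in the question.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+):(?P<rest>.*)$"
)
# Plaintext DNS query summary as tcpdump prints it: "<id>+ <QTYPE>? <name>. (<len>)"
QUERY_RE = re.compile(r"\s\d+\+?\s(?P<qtype>[A-Z]+)\?\s(?P<qname>\S+)\s")

# NextDNS DoH endpoint address named in the answer above; add your own resolver here.
DOH_RESOLVERS = {"45.90.28.0"}

def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    q = QUERY_RE.search(rec["rest"])
    rec["qtype"] = q.group("qtype") if q else None
    rec["qname"] = q.group("qname").rstrip(".") if q else None
    return rec

def audit(lines, client_ip):
    """Split a capture into cleartext lookups (port 53) leaving client_ip and
    packets from client_ip that reached a known DoH resolver on port 443."""
    plaintext = []          # (qtype, qname, resolver) for every cleartext query
    doh = Counter()         # packets per DoH resolver
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] != client_ip:
            continue
        if rec["dport"] in ("53", "domain"):
            plaintext.append((rec["qtype"], rec["qname"], rec["dst"]))
        elif rec["dport"] in ("443", "https") and rec["dst"] in DOH_RESOLVERS:
            doh[rec["dst"]] += 1
    return {"plaintext": plaintext, "doh": dict(doh)}

# Constructed sample: two lines taken from the question plus one made-up TCP
# segment to the NextDNS DoH address, as a working DoH setup would show it.
SAMPLE = [
    "00:16:18.598111 IP 192.168.1.102.57991 > 192.168.1.1.domain: 15871+ A? detectportal.firefox.com. (42)",
    "00:16:18.602982 IP 192.168.1.102.57991 > 192.168.1.1.domain: 63750+ AAAA? detectportal.firefox.com. (42)",
    "00:16:20.001000 IP 192.168.1.102.50210 > 45.90.28.0.https: Flags [P.], seq 1:250, ack 1, win 502, length 249",
]
```

Every tuple in the returned "plaintext" list is a name your browser (or another process on that host) resolved in the clear; with DoH working, that list should be empty and only the "doh" counter should grow.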

From what I see from the tcpdump listing, I can guess that: You are using the router's DNS. The router connects to a DNS server, simply querying it on UDP port 53, as is the case for all DNS servers that do not support DNS over HTTPS. The router will hardly query over SSL, as the installed firmware does not allow it. Your browser probably does. You must indicate for which sites your browser will have to contact a specific server in DNS over HTTPS.


Update the router firmware, if possible, or instruct your browser to use https://1.1.1.1/dns-query. If you use a proxy that queries a DNS server on port 53, indicate in the browser the sites that should not use it. If you use a system-level proxy, install one that can perform DNS over SSL queries.

  • Please do not add two answers to the same question. Edit your original answer and include this information. – Feb 13 '20 at 12:44