Avatar for Username

Mozilla 도움말 검색

고객 지원 사기를 피하세요. 저희는 여러분께 절대로 전화를 걸거나 문자를 보내거나 개인 정보를 공유하도록 요청하지 않습니다. "악용 사례 신고"옵션을 사용하여 의심스러운 활동을 신고해 주세요.

Learn More

이 쓰레드는 보존되었습니다. 만약 도움이 필요하시면 새로운 질문을 올려주세요.

Can DNS over HTTPS settings be fixed to provide support for authentication via client certificates?

  • 3 답장
  • 1 이 문제를 만남
  • 33 보기
  • 최종 답변자: Scott S

Scott S
Scott S
more options

DoH is being configured by default in the US in the near future. While a great tool, I believe the companies can benefit as well. Most users have laptops. Laptops leave the confines of the office regularly. Why not have laptops configured so that they point to a companies DNS infrastructure when not in the office? The benefit would be that any filtering/monitoring being done via DNS no longer is limited to when devices are on the company network!

This would require companies exposing DNS to the internet which is considered a bad idea. DNS will expose internal secrets and let the bad guys probe the architecture of the network for information they can use later. Adding authentication to the DoH solution would allow companies to leverage their internal certificate infrastructure and already deployed client certificates to protect that DNS information.

TLS mutual auth via client certificates is part of the SSL/TLS protocol already in use by DoH and there is nothing in the RFC to prevent this from being a possibility.

Is this something that can be added to the roadmap (or is it already on the roadmap)?

Thanks!

DoH is being configured by default in the US in the near future. While a great tool, I believe the companies can benefit as well. Most users have laptops. Laptops leave the confines of the office regularly. Why not have laptops configured so that they point to a companies DNS infrastructure when not in the office? The benefit would be that any filtering/monitoring being done via DNS no longer is limited to when devices are on the company network! This would require companies exposing DNS to the internet which is considered a bad idea. DNS will expose internal secrets and let the bad guys probe the architecture of the network for information they can use later. Adding authentication to the DoH solution would allow companies to leverage their internal certificate infrastructure and already deployed client certificates to protect that DNS information. TLS mutual auth via client certificates is part of the SSL/TLS protocol already in use by DoH and there is nothing in the RFC to prevent this from being a possibility. Is this something that can be added to the roadmap (or is it already on the roadmap)? Thanks!

모든 댓글 (3)

Scott S
Scott S 질문자
more options

In looking at the other responses from that user, that is a spam phone number and unrelated to Firefox

글쓴이 Scott S 수정일시

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Hi Scott, I think your suggestion may be over my head!

I do see a page for how companies qualify as a trusted resolver for inclusion in Firefox, but that might not be needed:

https://wiki.mozilla.org/Security/DOH-resolver-policy

Instead it sounds as though if Firefox cannot currently use a client certificate to connect to a resolver for DoH, that needs to be added.

I'm not sure where would be the best place to work out the details of that. Maybe

https://discourse.mozilla.org/c/firefox-development

Or you could file a new but, although new feature requests tend to get a low priority if they aren't part of a roadmap:

Scott S
Scott S 질문자
more options

Thanks! Yeah, the resolver policy page is more about companies that want to provide the service to consumers. This is more about companies doing it for their employees to get consistancy wherever laptops are in the world.

I'll try discourse next. That might get some results or people interested.

Thanks!