Rated 3.4 out of 5
- by Asclepius, 2 months ago. Rated 5 out of 5. Thank you for this add-on. I just hope (since it isn't a "recommended" extension) that it is trustworthy. Aside from that concern, it serves its purpose. It would be nice if Firefox had built-in DNSSEC validation.
- by Firefox user 15136226, 5 months ago. Rated 4 out of 5. This add-on works well; however, there are some issues, as pointed out by other reviewers. I would like to note that ECDSAP256SHA256 works for me. It would also be nice if the add-on verified HTTPS sites with DANE pinned certificates.
- by Firefox user 14672905, 6 months ago. Rated 4 out of 5. It's great! And yes, would be even better once we have custom DNS, over TLS or not.
But this is a feature I have been waiting for so long, so I'm not going to hide my current feeling about this extension, it's awesome!!
- by Firefox user 14514156, a year ago. Rated 2 out of 5. I would give at least 4 stars if it used my local resolver instead of using Google/Cloudflare for DNS lookups.
Reason behind the downgrade:
1. It introduces a single point of failure:
If either of those sites can't answer, _ALL_ users of this extension (who have configured that site) can't use it; if it used the local resolver and that failed, it would be just the users of the local machine who experience that problem.
2. It is a privacy hazard:
A hacker needs to crack only a single (ok: two) machine(s) to get a complete log of who in this world tried to communicate with which web server....
If it used the locally configured resolver, that _might_ still be a problem, depending on the configuration of said resolver, but mostly (I hope) those will contact multiple authoritative servers to walk from the root to the leaf containing the desired information, and only the _last_ server will know which site I wanted to contact, but there it's irrelevant, since _that_ site knows it anyway.... (btw.: _THIS_ is the reason why I disabled this extension)
3. It can't verify local domains
According to 'dig', my own domains are DNSSEC-enabled and working correctly; still, your extension reports them as unsigned because there is no global glue record. As such, while it is reachable from the world (via dyndns), the world doesn't see the DNSSEC information stored on my local DNS server.
- by Firefox user 13220175, 2 years ago. Rated 3 out of 5. Since Mozilla is not interested in developing DNSSEC/DANE validation for the browser, this WE is certainly much welcome; however, forcing the Google or CF resolver leaves a bad taste, and offering DoH at some point does not change it if the TRR URI is again limited to Google or CF.
The user should be at liberty to utilize whatever method, as such DoT is absent, and resolver incl. localhost/127.0.0.1
A feature suggestion would be DANE validation (on the heels of DNSSEC)
- by Firefox user 12739246, 2 years ago. Rated 4 out of 5. Great addon!
It just lacks the ability to set a custom DNS resolver, and the TLSA support.
Besides, the UI doesn't integrate well with a dark theme on Linux (KDE here, but I suspect it will be the same for another window manager), as the background of the tooltip gets its color from the system, and the font color seems to be hardcoded in black.
Oh, and I didn't find any link to the source code. Is it available? :)
- by Firefox user 13854774, 2 years ago. Rated 5 out of 5. You may be able to use this https://dnscrypt.eu/ instead of hard-wiring Google in directly. Also, the Czech fellows who used to make DNSSEC Validator provided 2 IP4 and 2 IP6 machines to go with that. Other than supporting DNSSEC, those are simply public DNS servers like Google's, and there is nothing to enforce the use of their own plug-in. The addresses are in their documentation. (Actually, they may have a whole bunch more on account of being the people who run the .cz TLD registry. AFAIK, the Czechs are the only TLD registry that supports the regular, documented version of DNSSEC, though there is a whole bunch more using some slightly hacked version of their own.)
- by 00dani, 2 years ago. Rated 2 out of 5. Four stars for functionality, minus two because the implementation goes through Google. Yes, much the same as every other review so far - I'm actually writing this review to let you know that you don't actually need to trust any external HTTPS service to handle this!
Specifically, the Chrome version of DNSSEC/TLSA Validator, the extension you're clearly attempting to replicate, suffers from the same WebExtensions restrictions that modern Firefox does. Rather than trust an external service, however, they work around the issue through a WebExtensions feature called native messaging: a compiled binary is installed onto the system, which can do whatever it likes locally including make its own DNS queries, and then the WebExtension can ask that binary to check DNSSEC status when necessary.
Yes, it's a little bit of a hassle to install the necessary binary in the first place, since the browser won't install it automatically, but it's much more secure than trusting any external service - and it's no different to how the Chrome version of DNSSEC/TLSA Validator works right now.
I can confirm that Firefox supports this exact same approach, since I use several WebExtensions in Firefox this way (browserpass and bukubrow, specifically!). I don't know why the folks behind the DNSSEC/TLSA Validator haven't simply released a Firefox 57+ extension that uses native messaging, exactly like their existing Chrome extension, but it's definitely something you could do. :)
- by Bob Smith, 2 years ago. Rated 2 out of 5. I'm with bsiege: I'm looking to replace CZ.NIC Labs' excellent DNSSEC/TLSA Validator. (In use since 188.8.131.52, Nov. 2016, currently 184.108.40.206 in use with Cyberfox x64 52.6.1 portable under Windows 7 and Quad9 DNS.) DNSSEC *and* TLSA validation.
Rating: five stars for proof of concept; minus three for google.
In Mozilla's quest to make its browser more "secure," it disabled the ability to run extensions to make sure it's doing so and the ones to force it to do so if needed.
I'll be revisiting this page to check on your progress. Thanks for your efforts with hopes for success.