Mozilla faces resistance over DNS privacy test

Is Mozilla’s enthusiasm for Cloudflare’s DNS-over-HTTPS (DoH) service getting out of hand?

Cloudflare launched its 1.1.1.1 public DNS resolver on 1 April, one of the first anywhere to support DoH, an emerging technology designed to secure Domain Name System (DNS) queries from prying eyes such as governments, ISPs, and the like.

Because browsers as well as DNS resolvers must support the DoH protocol, Mozilla adopted Cloudflare as its test partner with a view to integrating the technology in Firefox 62, due in September.

But supporting DoH in a browser isn’t as simple as just enabling the protocol. Mozilla must also decide whether this support is enabled by default and, if so, which DoH server, or “Trusted Recursive Resolver” (TRR) it points to when the browser launches.

It turns out that Firefox’s DoH Shield test beta has already embedded Cloudflare as the default TRR, which hasn’t gone down well with everyone on several counts:

  • It puts a lot of trust in a company that’s already plugged into a lot of websites.
  • Using one service is an obvious single point of failure (SPOF).
  • DoH resolvers should be opt-in, not opt-out.
  • It silently overrides your existing DNS settings.

From the Ungleich blog:

When Mozilla turns this on by default, the DNS changes you configured in your network won’t have any effect anymore. At least for browsing with Firefox…

The obvious reply is that Mozilla’s developers have set Cloudflare as the default TRR as part of the testing process and are unlikely to impose this setting on users when the capability is offered to the world in Firefox 62.

As Firefox blogger Martin Brinkmann points out, the default TRR can be changed quite easily from about:config:

It is already possible to run custom DNS over HTTPS servers and Firefox’s current implementation allows custom addresses to be used.

But even if Mozilla makes the TRR opt-in, it’s possible to spy the beginnings of a dilemma about how best to implement a technology that ideally should be on all the time without non-expert users having to think too hard about what it is or how it works.

As Mozilla’s Lin Clark wrote in her excellent DoH explainer in May:

We’d like to turn this on as the default for all of our users. We believe that every one of our users deserves this privacy and security, no matter if they understand DNS leaks or not.

Most likely, a decision about which DoH resolver to use in Firefox is some way off but it’s a bridge that won’t be easy to cross in a community as sensitive to privacy as Mozilla’s.

The alternative is to go back to the traditional model of letting people choose for themselves, as they do today for conventional DNS resolvers and search engines.

A reminder of why this less exciting approach might not be a bad idea after all came when Cloudflare’s DNS suddenly stopped resolving on 31 May for 17 minutes because of a configuration cock up. The counter-argument is that this weakness applies to any DNS or DoH provider and could be countered with a backup resolver.

The dream of a private internet might look as if it’s going well with Google’s tough stance on shaming sites that don’t use HTTPS having an effect. But there is still much hard work to do, as the IETF’s work on the related issue of Encrypted Server Name Identification (ESNI) privacy underscores.

That being said, there are always too many privacy holes that need filling at any one time. Doing something about one of the larger ones, DNS privacy, would feel like much-needed progress.