Mozilla is about to turn on-by-default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt your website requests using a feature called DNS-over-HTTPS (DoH), it said on Friday.
DNS (short for Domain Name System) is the service that takes a human-readable name like
nakedsecurity.sophos.com and turns it into an IP address a computer can use. (Your DNS service provider is usually your ISP, but it doesn’t have to be. There are free and commercial DNS services too.)
The problem is that computers normally send DNS requests in the clear. Doing that allows an evil man-in-the-middle sniffing the Wi-Fi in your local coffee shop, or stationed on any of the computers between you and your DNS resolver, can meddle with your DNS. They can spy on it, to see what sites you’re visiting, or change it, to send you somewhere else.
The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018, it attempted to solve them by introducing DoH. It handles all DNS queries over the HTTPS protocol, which is protected by TLS encryption. Not only does this encrypt DNS, but it also uses the same ports that handle HTTPS sessions, which are different to the ports used for DNS queries. That makes DoH requests look the same as regular HTTPS traffic and makes it impossible for ISPs to block the use of DoH without also blocking all web access.
The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything – such as parental control systems or the safe search capability on some search engines, like Google.
A third thing that Mozilla had to test for was split-horizon DNS resolvers, which companies often use to grant access to both public and non-public web addresses. For example, if you’re working on a company website, you might get the regular public version if you access it from outside the company network, but the split-horizon DNS resolver might show you one that’s in development if you access it from inside the company network.
Mozilla decided that as only 4.3% of users had configured parental control systems or turned on Google Safe Search, it could deal with the issue. It also found only 9.2% of queries handled by split-horizon resolvers. It decided to handle these situations by failing back to regular DNS queries if it detected either of these.
Your DNS queries have to be decrypted at some point by a DNS provider that reads them. In this case, Mozilla’s default provider is Cloudflare, which launched its 220.127.116.11 DNS service in April 2018. Does this present a privacy issue?
Your DNS queries always end up being read by one service provider or another, but Cloudflare has made an agreement with Mozilla to collect what it says is a limited amount of data about the user. The company deletes them from its logs after 24 hours, but will keep anonymous logs aggregating all the domain names requested, it says.
Mozilla also told us:
Any DNS provider that we integrate into Firefox will be required to follow a strict set of policies that prevent them from using DNS request data for anything other than providing the DNS service and that requires them to delete that data after 24 hours.
The Foundation will start rolling out support for US users this month, beginning with a small percentage and ramping up if it goes well. It couldn’t tell us when it might turn it on for people in other countries, and told us by email:
We do not have any current plans to release this feature outside the USA. We’re exploring potential DoH partners in Europe to bring this important security feature to users there. As soon as we have new information to share, we’ll make it available on our Future Releases blog.
Mozilla has drawn flak from the UK Internet Service Providers Association (ISPA), which called it an ‘Internet Villain’ for helping to block internet filtering policies in the UK and interfering with the government’s internet filtering policies.
Users for whom Mozilla enables DoH by default will be able to turn it off.
Or, if it isn’t enabled by default, you can turn it on (only in the desktop version, not on mobile editions. which don’t support it). Go to Options → General → Network Settings. Check the Enable DNS over HTTPS box, and set your own provider (here’s a list) or use Cloudflare as the default.
Google is also backing DoH. It says that it’s planning an experiment with the technology in Chrome 78 “followed by a launch if everything goes well”.