View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 9, 2019

Firefox Will Default to Cloudflare’s Encrypted DNS-over-HTTPS Service

Cloudflare's DOH by default

By CBR Staff Writer

Mozilla is rolling out DNS-over-HTTPS (DOH) by default in its Firefox browser for a subset of US users this month, in a move likely to trouble UK security officials who held “crisis talks” over DOH earlier this year.

The company plans to deploy the encryption process more broadly, senior director of engineering Selena Deckelmann said in a blog Friday, adding that it will default to using Cloudflare’s at first, but “that may change if other resolvers adopt a comparably strong privacy policy”.

DNS-over-HTTPS: Not an ISP Favourite

Currently, even if users are visiting a site using HTTPS, their DNS query is sent over an unencrypted connection: anyone listening to packets on the network knows which website an internet user is attempting visit.

In the UK, this includes all internet service providers (ISPs).

Under the 2016 Investigatory Powers Act, internet service providers (ISPs) are required to store their customers’ communications data for 12 months.  This is made easy by the fact that DNS queries are a) not typically encrypted, and b) are generally managed by default by ISPs/mobile network providers.

DNS encryption – particularly if made the default by Firefox (Chrome is also reported to be planning to bundle DOH as an easily configurable offering in Chrome) would cut local ISPs out of their role resolving requests and critically undermine their ability to track user activity.

To ISPs, the further worries include them bearing the brunt of calls from unhappy customers when third-party DNS servers fall over.

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

Firefox: Cloudflare First

The move to default to commercial DNS resolution service Cloudflare was not met with universal approval, with many arguing that it should be an opt-in rather than a default configuration.

As one critic noted in a Twitter thread about the new offering, however: “By default, cloudflare (1 corporation) gets all of firefox users’ lookups. How is that good for privacy or decentralization?”

Mozilla’s Decklemann said: “After many experiments, we’ve demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic. We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out.”

She added: “We’re also working with providers of parental controls, including ISPs, to add a canary domain to their blocklists. This helps us in situations where the parental controls operate on the network rather than an individual computer. If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically.”

Read this: Cloudflare Announces WireGuard-Based “” Mobile VPN


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.