Mozilla is rolling out DNS-over-HTTPS (DOH) by default in its Firefox browser for a subset of US users this month, in a move likely to trouble UK security officials who held “crisis talks” over DOH earlier this year.
DNS-over-HTTPS: Not an ISP Favourite
Currently, even if users are visiting a site over HTTPS, their DNS query is sent over an unencrypted connection: anyone capturing packets on the network can see which website the user is attempting to visit.
In the UK, this includes all internet service providers (ISPs).
Under the 2016 Investigatory Powers Act, ISPs are required to store their customers’ communications data for 12 months. This is made easy by the fact that DNS queries are a) not typically encrypted, and b) generally handled by default by the resolvers of ISPs and mobile network providers.
DNS encryption, particularly if made the default by Firefox (Chrome is also reported to be planning to bundle DOH as an easily configurable option), would cut local ISPs out of their role in resolving requests and critically undermine their ability to track user activity.
ISPs also worry that they will bear the brunt of calls from unhappy customers when third-party DNS servers fall over.
Firefox: Cloudflare First
Awful decision to make this on by default. I run my own resolver, as do a lot of businesses. For internal addresses, sub 1ms cached responses, etc. A lot of businesses use their own resolvers or other DNS servers for filtering. This should be an opt-in, not a default.
— Victor Coss (@GTAXL) September 7, 2019
The move to default to commercial DNS resolution service Cloudflare was not met with universal approval, with many arguing that it should be an opt-in rather than a default configuration.
As one critic noted in a Twitter thread about the new offering, however: “By default, cloudflare (1 corporation) gets all of firefox users’ lookups. How is that good for privacy or decentralization?”
Mozilla’s Deckelmann said: “After many experiments, we’ve demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic. We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out.”
She added: “We’re also working with providers of parental controls, including ISPs, to add a canary domain to their blocklists. This helps us in situations where the parental controls operate on the network rather than an individual computer. If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically.”
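The canary-domain mechanism described above, as an added illustration rather than Firefox's or Mozilla's own code: the browser asks the network's own resolver for a well-known name, and if that name does not resolve, it assumes network-level filtering is in place and falls back to the system resolver. The canary name used below is the one Mozilla publishes (not named in the article); the filtering-resolver stub and the decision helpers are constructed for this example.

```python
"""Canary-domain check: resolve a well-known name with the network's resolver;
if it does not resolve, treat the network as having opted out of DoH."""
import socket

# Mozilla's published canary domain (known value; the article does not name it).
CANARY_DOMAIN = "use-application-dns.net"


def system_resolve(name):
    """Resolve via the OS (network) resolver and return the set of A/AAAA
    addresses. NXDOMAIN or any resolver error yields an empty set."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def make_filtering_resolver(blocklist, zone):
    """Constructed stand-in for an ISP/parental-control resolver: names on the
    blocklist get no answer (as if NXDOMAIN); everything else is answered from
    the constructed `zone` mapping name -> set of addresses."""
    blocked = {n.lower().rstrip(".") for n in blocklist}

    def resolve(name):
        key = name.lower().rstrip(".")
        if key in blocked:
            return set()
        return set(zone.get(key, ()))
    return resolve


def doh_allowed(resolve=system_resolve, canary=CANARY_DOMAIN):
    """True if DoH may be enabled on this network: the canary resolved to at
    least one address. An empty answer means the network signalled opt-out."""
    return len(resolve(canary)) > 0


def choose_resolver(resolve=system_resolve):
    """Return which path the client should use: 'doh' or 'system'."""
    return "doh" if doh_allowed(resolve) else "system"


if __name__ == "__main__":
    # Live check against the real network resolver (needs connectivity).
    print("DoH would be:", choose_resolver())
```

A network operator who wants clients to keep using the local resolver therefore needs only to answer the canary name with NXDOMAIN; a client that sees a normal answer proceeds with DoH.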