Mozilla this week said it is adding two new features to prevent user data leaks online — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH), a new IETF standards effort that the company has championed.
Why is Data Being Leaked?
After being developed in the early 1980’s by internet pioneer Paul Mockapetris, DNS has handled much of web’s traffic by resolving complex IP addresses into human readable URL’s, such as: 127.0.0.1 being converting into cbronline.com, for example.
With this in mind, its sibling protocol HTTP underwent changes to ensure that user data was not easily accessible when in transit – otherwise known as HTTP(S) (the ‘S’ meaning secure). However, until recently DNS (although it is as widely used as HTTP) has surprisingly not adopted this encryption functionality in order to prevent eavesdropping and spoofing of user data.
Safeguarding User Data, What’s Changed?
Mozilla, the creator of Firefox has been at the forefront of changing implementing DNS over HTTPS, otherwise referred to as DoH, alongside the second key component of this change: Trusted Recursive Resolver, which is a new secure way to resolve DNS, created in partnership with the internet services firm Cloudflare.
Mozilla stated in a publication yesterday: “With these two initiatives, we’re closing data leaks that have been part of the domain name system since it was created 35 years ago.”
The tie-up with Cloudflare had caused some privacy issues in a pilot stage in March, but Mozilla’s Lin Clark said today: “Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected.
How does DoH and Trusted Recursive Resolver help?
DoH
As suggested in its name, DNS-over-HTTPS helps by performing DNS processing (again, it converts IP addresses into human-readable URL’s) using HTTPS, the web’s current solution to preventing data eavesdropping. This essentially means that data is encrypted by TLS (Transport Layer Security), as opposed to being readable text. As a result, hackers will find it much more difficult to snoop on user data being transmitted.
Content from our partners
There are currently ways to do this without the official DoH solution such as dnscrypt-proxy, however these are interim solutions which require a high level of technical know-how and consequently may now be irrelevant.
Trusted Recursive Resolver
The Mozilla team have identified a key element of DNS vulnerabilities is the lack of knowledge as to how users can protect themselves from untrustworthy DNS resolvers (people that want to snoop your data). As a result, they have partnered with Cloudflare to provide Trusted Recursive Resolver (TRR), which ensures that data is periodically deleted, in an attempt to prevent hackers from gaining access.
Still More Work to Do
Mozilla has been quick to state that although this is a significant step in the right direction, users still have to connect with servers, meaning that ISPs can still monitor what sites have been visited.
However, the data transmitted when connected to a site is now safely encrypted.
“That means that your ISP can still figure out which sites you’re visiting, because it’s right there in the server name indication. Plus, the routers that pass that initial request from your browser to the web server can see that info too. However, once you’ve made that connection to the web server, then everything is encrypted. And the neat thing is that this encrypted connection can be used for any site that is hosted on that server, not just the one that you initially asked for”.
The company said users can enable DNS over HTTPS in Firefox today.
