Firefox today started the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users, in a move intended to bolster security.
Users globally will also be able to opt in to the service, as Mozilla aims for a growing share of the security-conscious browser market.
The controversial decision began with a trial for a subset of users last September. Users can choose between Cloudflare’s 184.108.40.206 and the NextDNS service.
Currently, even if users are visiting a site using HTTPS, their DNS query is sent over an unencrypted connection: anyone listening to packets on the network knows which website a user is attempting visit. (In the UK, this includes all internet service providers (ISPs), who are obliged to do so under counter-terrorism legislation.)
The move could prove a major headache for corporate security teams, with its potential to obfuscate existing passive network detection used for intelligence, metrics, malware domains or data loss prevention (DLP) work. DoH also appears to stymie URL logging in Sysmon; the Windows service to log system activity to the Windows event log.
Mozilla says it is giving organisations the option of blocking DoH use by staff via a so-called “canary domain” (tidily explained here).
DNS over HTTPS: Global Users Also Get the Option
DoH will be enabled by default only in the US, and rolled out to users over the next few weeks. Users outside the US wanting to enable DoH can also do so: they need to go to Settings > General > scroll down to Networking Settings > hit the Settings button on the right: this change will send encrypted DNS requests to Cloudflare by default.
The move may cause challenges for regulators and companies.
The Sunday Times earlier reported that ISPs and the goverment had held “crisis talks” over the technology, as Google also eyes roll-out. (Under the 2016 Investigatory Powers Act, ISPs are required to store their customers’ communications data for 12 months. This is made easy by the fact that DNS queries are a) not typically encrypted, and b) typically managed by default by ISPs/mobile network providers.
In an earlier emailed comment, Paul Gagliardi, Director of Threat Intelligence at SecurityScorecard told us that rollout would not cause huge challenges to ongoing traffic inspection by businesses, other than in certain circumstances.
He said: “Just as companies/organizations inspect their HTTPS traffic, the same needs to happen with encrypted DNS/DoH. Decrypting DoH would be the exact same mechanism as observing HTTPS traffic, using a Man in the Middle proxy to decrypt traffic on the fly and implement security mechanisms.
“There are no shortage of commercial solutions for this, however, things get more complicated in ‘Bring Your Own Device’ environments.”
He added: “DoH forces the privacy vs security defense debate to be more localized. A company or organization can balance those decisions in their network differently than a private individual. Unfortunately for those organizations/companies, the ability to censor traffic is now more technical and requires more investment on their part. In short I think we’ll see more HTTPS MiTM and prohibition of BYoD.”
Not everyone is happy about the move: while some users may trust Cloudflare over their ISP, not all do, and have raised concerns about the centralisation of DNS resolution.