February 25, 2020

Firefox Moves to Encrypt DNS by Default: Businesses Need to Be Paying Attention

Global users also get to opt-in if desired...

By CBR Staff Writer

Mozilla today began rolling out DNS over HTTPS (DoH), which encrypts DNS lookups, as the default for US-based Firefox users, in a move intended to bolster security and privacy.

Users globally will also be able to opt in to the service, as Mozilla aims for a growing share of the security-conscious browser market.

The controversial decision began with a trial for a subset of users last September. Users can choose between Cloudflare’s resolver and the NextDNS service.

Currently, even if users are visiting a site over HTTPS, their DNS query is sent over an unencrypted connection: anyone listening to packets on the network knows which website a user is attempting to visit. (In the UK, this includes all internet service providers (ISPs), who are obliged to retain such data under counter-terrorism legislation.) Encrypting the lookup does not hide the destination entirely, however: the hostname is still sent in the clear in the Server Name Indication (SNI) field of the TLS handshake, so a passive observer on the same network can usually still recover it from the HTTPS connection itself.

The move could prove a major headache for corporate security teams: it has the potential to blind existing passive network monitoring used for threat intelligence, metrics, malware-domain detection or data loss prevention (DLP) work, since the queries no longer cross the network in the clear. DoH also appears to bypass DNS query logging in Sysmon, the Windows system-monitoring tool that records system activity to the Windows event log, because Firefox resolves names itself over HTTPS rather than through the operating system’s resolver.

Mozilla says it is giving organisations the option of blocking DoH use by staff via a so-called “canary domain”, use-application-dns.net: if the network’s own resolver answers a query for that name with NXDOMAIN (or with no A/AAAA records), Firefox treats it as a signal that the network has opted out and falls back to normal system DNS. The check only governs the default-on rollout; a user who has switched DoH on explicitly is not affected by it.
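To make the two mechanisms above concrete, here is an added example (written for this article, not Mozilla’s or Firefox’s code) that builds a DNS query, encodes it as a DoH GET request in the form RFC 8484 specifies, and applies the canary-domain rule to a resolver’s reply. It uses only the Python standard library, so nothing is sent over the network unless you run the optional live check at the bottom; the resolver responses it decides on are constructed by hand, and the resolver address in the live check is a placeholder to replace with your own.

```python
"""Added example: DoH (RFC 8484) GET encoding and the Mozilla canary-domain check.

Illustration code for this article, not Mozilla's implementation.  Standard
library only; the sample responses below are constructed, not captured.
"""
import base64
import socket
import struct
from typing import List, Tuple

CANARY_DOMAIN = "use-application-dns.net"   # Mozilla's published canary name
TYPE_A, TYPE_AAAA = 1, 28
RCODE_NXDOMAIN = 3


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """DNS wire-format query (RFC 1035). RFC 8484 recommends ID 0 so the encoded
    request is cache-friendly; flags 0x0100 sets RD (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN


def doh_get_url(base_url: str, name: str, qtype: int = TYPE_A) -> str:
    """Encode the query as a DoH GET: base64url with '=' padding removed (RFC 8484 s4.1)."""
    wire = build_query(name, qtype)
    dns = base64.urlsafe_b64encode(wire).decode("ascii").rstrip("=")
    return f"{base_url}?dns={dns}"


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(buf: bytes) -> Tuple[int, List[int]]:
    """Return (RCODE, list of answer RR types) from a wire-format response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4                   # skip QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", buf[off:off + 10])
        types.append(rtype)
        off += 10 + rdlength
    return flags & 0x000F, types


def canary_disables_doh(response: bytes) -> bool:
    """Canary rule: NXDOMAIN, or an answer with no A/AAAA record, for the canary
    name means the network has opted out of default-on DoH."""
    rcode, types = parse_response(response)
    if rcode == RCODE_NXDOMAIN:
        return True
    return not any(t in (TYPE_A, TYPE_AAAA) for t in types)


def resolver_opts_out(server: str, timeout: float = 2.0) -> bool:
    """Live check: ask a plain-UDP resolver for the canary name and apply the rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY_DOMAIN, txid=0x1234), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return canary_disables_doh(reply)


# Constructed sample responses (not real captures); 192.0.2.1 is a documentation address.
_QUESTION = build_query(CANARY_DOMAIN)[12:]
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + _QUESTION
SAMPLE_EMPTY = struct.pack("!HHHHHH", 0, 0x8180, 1, 0, 0, 0) + _QUESTION
SAMPLE_A = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    # The RFC 8484 worked example: an A query for www.example.com with ID 0.
    print(doh_get_url("https://dnsserver.example.net/dns-query", "www.example.com"))
    for label, sample in (("NXDOMAIN", SAMPLE_NXDOMAIN), ("empty", SAMPLE_EMPTY), ("A", SAMPLE_A)):
        print(f"{label}: DoH disabled = {canary_disables_doh(sample)}")
    # Replace with your own internal resolver to test the opt-out end to end.
    # print("resolver opts out:", resolver_opts_out("192.0.2.53"))
```

The canary is only a hint: a resolver that is itself bypassed (for example by a laptop on a coffee-shop network) never gets asked. Managed fleets should therefore pair it with Firefox’s enterprise policy, where the DNSOverHTTPS policy can be set to Enabled: false and Locked: true so users cannot re-enable it from the settings dialog.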

DNS over HTTPS: Global Users Also Get the Option 

DoH will be enabled by default only in the US, and rolled out to users over the next few weeks. Users outside the US wanting to enable DoH can also do so: go to Settings > General, scroll down to Network Settings, click the Settings button on the right and tick “Enable DNS over HTTPS”. By default this sends encrypted DNS requests to Cloudflare.


The move may cause challenges for regulators and companies.

The Sunday Times earlier reported that ISPs and the government had held “crisis talks” over the technology, as Google also eyes a roll-out. (Under the 2016 Investigatory Powers Act, ISPs are required to store their customers’ communications data for 12 months. This is made easy by the fact that DNS queries are a) not typically encrypted, and b) typically handled by default by the ISP’s or mobile network provider’s own resolvers.)

In an earlier emailed comment, Paul Gagliardi, Director of Threat Intelligence at SecurityScorecard, told us that the rollout would not cause huge challenges to ongoing traffic inspection by businesses, other than in certain circumstances.

He said: “Just as companies/organizations inspect their HTTPS traffic, the same needs to happen with encrypted DNS/DoH. Decrypting DoH would be the exact same mechanism as observing HTTPS traffic, using a Man in the Middle proxy to decrypt traffic on the fly and implement security mechanisms.

“There is no shortage of commercial solutions for this, however, things get more complicated in ‘Bring Your Own Device’ environments.”

He added: “DoH forces the privacy vs security defense debate to be more localized. A company or organization can balance those decisions in their network differently than a private individual. Unfortunately for those organizations/companies, the ability to censor traffic is now more technical and requires more investment on their part. In short I think we’ll see more HTTPS MiTM and prohibition of BYoD.”

Not everyone is happy about the move: while some users may trust Cloudflare over their ISP, not all do, and some have raised concerns about the centralisation of DNS resolution in a handful of large providers.
