Last year, an IETF working group mulled whether HTTPS is a suitable mechanism to protect internet users' domain name requests from prying eyes. Now Mozilla has decided to lend a hand by testing a DNS-Over-HTTPS (yes, the acronym is DOH) implementation.
McManus told us at the time that DOH provides more than just privacy – it also helps guarantee the integrity of the response users receive to their requests. Because the DNS exchange travels inside a TLS connection between the resolver and the user's browser, ISPs and other parties on the network path can neither read nor alter the responses, which plain UDP DNS lets them do freely.
The basis of the Mozilla test is what Firefox calls a Trusted Recursive Resolver (TRR): a recursive resolver reached over DOH rather than over plain port-53 DNS. During the study, DNS requests will be answered by the conventional resolver as usual and, in parallel, sent over DOH; the DOH results are used only for measurement and telemetry and then discarded, so they never steer the user's traffic.
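The messages that DOH carries under TLS are ordinary DNS wire-format packets; what the article calls the "integrity" win is simply that an on-path party sees only ciphertext. As an added example (this is not code from the article, Mozilla, or Cloudflare) the block below builds a DNS query, encodes it the way the DOH GET form does (base64url without padding in a `dns` parameter, as standardised later in RFC 8484), and parses a constructed DOH response. The resolver URL is a placeholder and the response bytes are hand-built for the example, not captured from any real resolver.

```python
import base64
import struct

# Placeholder DOH endpoint for illustration; not the trial's resolver.
DOH_RESOLVER = "https://dns.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format).

    txid defaults to 0: DOH clients are encouraged to do this so identical
    queries produce identical HTTP requests and can be cached by HTTP caches.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver: str, query: bytes) -> str:
    """Encode the query in the DOH GET form: base64url, padding stripped."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={enc}"


def doh_decode_param(param: str) -> bytes:
    """Reverse of doh_get_url: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, RCODE and answer records of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = parse_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = parse_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed sample response (not captured traffic): the question echoed back
# plus one A record pointing at a documentation address.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, 1 question, 1 answer
    + build_query("example.com")[12:]             # question section copied from the query
    + b"\xc0\x0c"                                 # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)          # A, IN, TTL 300, RDLENGTH 4
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_RESOLVER, q))
    print(parse_response(SAMPLE_RESPONSE))
```

The point for the trial described above is that the same parser can be run over the answer from the conventional resolver and the answer from the DOH resolver, so the two can be compared record-for-record before the DOH result is thrown away.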
In this Bugzilla post, Daniel Stenberg explained that the developers want to gather information about “resolver timings, connection error rates and http response code changes.”
If possible, Stenberg and McManus hope there's enough data to break the results down geographically, because it would help measure the network topology's impact on performance.
McManus posted a separate announcement about the trial here.
The DOH test resolver will be hosted by Cloudflare, which sparked a privacy debate on the two lists. Both McManus and Stenberg pointed out that today's plaintext DNS doesn't protect users at all, and that the contract between Mozilla and Cloudflare bars the latter from making any use of personally-identifiable information (not even the requester's IP address).
The third revision of the DOH draft was published in February, and McManus wrote that he expects it to go to a "final call" in the working group soon. ®