On Friday, Mozilla said it plans to implement the DNS-over-HTTPS (DoH) protocol by default in its Firefox browser, with a slow rollout starting in late September.
Under development since 2017, DoH transfers domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection.
This extra layer of security ideally prevents third-parties, such as network service providers, from easily seeing the websites internet users visit, and prevents miscreants from tampering with domain-name look-ups. Though DoH provides more privacy than the status quo, it's controversial where lack of privacy is assumed or required, such as monitored environments that insist on content filtering, among other reasons.
Back in July, the UK Internet Services Providers’ Association nominated Mozilla for its "internet villain of the year" award because DoH breaks DNS-based content filters put in place to deny access to explicit, obscene or otherwise objectionable websites. A few days later, the trade group reversed itself after online blowback.
The UK ISPA didn't immediately respond to a request for comment. The UK's Digital Economy Act 2017 has an explicit content filtering requirement for websites but that's been delayed until later this year. It's been claimed that DoH will make it easier for people to avoid network-based content filtering; Mozilla maintains that DoH improves overall internet security.
Selena Deckelmann, senior director of engineering for Mozilla, said in a blog post that more than 70,000 Firefox users have already enabled DoH in Firefox and that the browser maker is getting ready to release DoH for general usage.
Firefox's DoH service will be provided through Cloudflare's 1.1.1.1 DNS service, although the list of supported service providers may grow over time. The system will deny third parties access to DNS queries, but in so doing it will give that data to Cloudflare, a decision some people dislike because it amplifies the power of large service providers.
DoH won't be everywhere immediately, however. The secure query system will be made the default for "a small percentage of users" in the US later this month and will become more widespread over time if all goes well. And when it's activated, Firefox users (if they haven't already set the preference manually) will be notified of the change and asked if they want to opt out.
For users who accept DoH as the default, network service providers and network admins will be allowed to signal that certain capabilities like content filtering would be adversely affected by DoH.
When Firefox receives such signals, it will disable DoH for the rest of the network session, unless the user has manually set the "DoH always" preference.
According to Deckelmann, Mozilla's plan is to respect the choices of users who have opted in to parental controls and of enterprise administrators, and to fall back to operating system DNS defaults when unusual network configurations cause lookup failures.
Mozilla, she said, intends to work with organizations that offer network-based parental controls to add a "canary domain" to their blocklists. "If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically," said Deckelmann. ®
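To make the mechanics concrete, here is an added example (not Mozilla's code, and not from the article) that ties together the two pieces described above: how a DNS query travels over DoH as an RFC 8484 `GET /dns-query?dns=...` request, and how a canary-domain check can decide whether to keep DoH on. The canary name `canary.example`, the `make_response` helper that fabricates resolver replies, the `192.0.2.10` sample address and the `choose_resolver` policy inputs are all constructed for illustration; the article does not name Mozilla's real canary domain, and whether an administrator setting outranks the user's "DoH always" preference is an assumption made here, not something the article states.

```python
import base64
import struct

# Placeholder only: the article does not name Mozilla's actual canary domain.
CANARY_DOMAIN = "canary.example"


def build_query(name, qtype=1, txid=0):
    """Build a DNS wire-format query (RFC 1035) with the RD flag set.
    txid=0 is the RFC 8484 recommendation so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_path(query, endpoint="/dns-query"):
    """RFC 8484 GET form: the raw query, base64url-encoded without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def parse_rcode(response):
    """RCODE is the low four bits of the flags word (bytes 2-3); 3 means NXDOMAIN."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def parse_a_records(response):
    """Walk past the question section and collect IPv4 addresses from A answers."""
    qdcount = struct.unpack("!H", response[4:6])[0]
    pos = 12
    for _ in range(qdcount):
        while response[pos] != 0:          # skip each label
            pos += 1 + response[pos]
        pos += 1 + 4                       # root label + QTYPE/QCLASS
    ips = []
    for _ in range(answer_count(response)):
        if response[pos] & 0xC0 == 0xC0:   # compression pointer (2 bytes)
            pos += 2
        else:
            while response[pos] != 0:
                pos += 1 + response[pos]
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return ips


def canary_blocked(plain_dns_response):
    """A filter that 'blocks' the canary typically answers NXDOMAIN or with no records."""
    return parse_rcode(plain_dns_response) == 3 or answer_count(plain_dns_response) == 0


def choose_resolver(user_pref, canary_is_blocked, admin_disabled, doh_lookup_failed):
    """Decide between 'doh' and 'system' from the signals the article describes.
    user_pref is 'off', 'default' or 'always'. Assumption: an administrator policy
    that disables DoH wins over every user setting."""
    if admin_disabled or user_pref == "off":
        return "system"
    if user_pref == "always":              # network signals are ignored
        return "doh"
    if canary_is_blocked or doh_lookup_failed:
        return "system"                    # fall back to the OS resolver
    return "doh"


def make_response(query, rcode, answers):
    """Constructed resolver reply for offline testing: echoes the question and
    attaches one A record per address using a pointer back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = query[12:]
    for ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return header + body


if __name__ == "__main__":
    q = build_query(CANARY_DOMAIN)
    print("DoH request path:", doh_get_path(q))
    blocked = canary_blocked(make_response(q, 3, []))
    print("canary blocked:", blocked, "->", choose_resolver("default", blocked, False, False))
```

Run it as a script to see the encoded DoH request path and the fallback decision for a blocked canary; the same functions can be pointed at real resolver bytes, since the parser only assumes standard wire format.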