Firefox now defaults to DNS-over-HTTPS for US netizens and some are dischuffed about this

Good for privacy – or an alarming move towards further internet centralisation?

Mozilla has started rolling out encrypted DNS-over-HTTPS (DoH) by default for US users of the nonprofit's Firefox browser.

DoH encrypts DNS (Domain Name System) traffic, which has both security and privacy benefits, though use of the DoH protocol itself is not the only issue here. The other question is, whose server do you use for name resolution?

DNS is the process by which internet names are translated into network addresses. The system goes back to the earliest days of the internet and has several security and privacy issues.

Typically the DNS servers you use are provided by the network you connect to: the server that allocates an IP number to your machine also provides the address or addresses of DNS servers, via DHCP (Dynamic Host Configuration Protocol).

DNS has a number of security and privacy weaknesses. A malicious DNS server could direct you to a site you did not request, or someone could eavesdrop or tamper with DNS traffic. Privacy is an issue because the server that resolves your DNS requests has a record of your browsing history, which has commercial value as well as being of potential interest to spies and law enforcement.
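To make the mechanics concrete, the following Python is an added example (not code from the article, Mozilla or Cloudflare) of what DoH actually carries: an ordinary wire-format DNS query, wrapped either in an HTTPS GET (base64url in the `dns` parameter) or a POST body, as RFC 8484 specifies. It also builds the reply a resolver would send and parses it, refusing answers whose transaction ID does not match the query. The endpoint URL is a placeholder, and the query and response bytes are constructed locally so the script runs offline; no network connection is made.

```python
"""DNS-over-HTTPS (RFC 8484) message handling, illustrative example.
Builds a wire-format DNS query, shows how a DoH client wraps it in HTTPS,
constructs the resolver's reply, and parses the A records out of it."""
import base64
import struct

# Assumed resolver endpoint (placeholder); any RFC 8484 server has this shape.
DOH_ENDPOINT = "https://doh-resolver.example/dns-query"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query (QTYPE 1 = A, class IN, RD set).
    RFC 8484 recommends transaction ID 0 so identical queries can share
    HTTP cache entries; the HTTPS connection provides the integrity."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: the query goes in ?dns= as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def query_from_get_url(url: str) -> bytes:
    """Resolver side of the GET form: re-pad and decode the dns parameter."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def doh_post_request(query: bytes, endpoint: str = DOH_ENDPOINT) -> dict:
    """POST form: raw message as the body, typed application/dns-message."""
    return {"method": "POST", "url": endpoint,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}


def build_response(query: bytes, addrs, ttl: int = 300) -> bytes:
    """Constructed reply a resolver would send: same ID and question,
    QR/RD/RA set, one A record per address, owner name given as a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + question + rrs


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(resp: bytes, expected_id: int = 0):
    """Return IPv4 addresses from the answer section. Rejects a reply whose
    transaction ID does not match ours or that carries a non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, off = _read_name(resp, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    reply = build_response(q, ["192.0.2.1"])      # constructed sample answer
    print(parse_a_records(reply))
```

Two things the code makes visible that the prose only states: the bytes inside the HTTPS request are the same DNS message a UDP resolver would see, so the party that terminates the TLS connection (the chosen resolver) still reads every query in plaintext; and what DoH removes is the on-path observer and spoofer, since the reply arrives over the same authenticated connection rather than from whoever answers first on port 53.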

Mozilla's answer to the problems thrown up here is to set the DNS resolver in Firefox to Cloudflare by default, with an option for NextDNS or your own custom provider if you're sufficiently techie to dig into the browser's networking settings.

The argument is that the named providers are "trusted recursive resolver" partners, as described here, so that users are assured of encryption as well as protection from malicious redirection. These partners – and currently there are only two – agree to delete all identifiable data within 24 hours, to keep only aggregate data, and not to sell user data to any third party. They also agree "not to block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates".

Today's announcement states: "We're enabling DoH by default only in the US. If you're outside of the US and would like to enable DoH, you're welcome to do so by going to Settings... DoH is just one of the many privacy protections you can expect to see from us in 2020."

The DoH setting in Firefox, currently Cloudflare, NextDNS or Custom

DoH combined with a third-party resolver makes it harder for ISPs to filter and block web traffic and is therefore unpopular with those keen on such blocking, such as the UK's Internet Watch Foundation charity and, it seems, the UK government.

Last year, Mozilla's VP of trust and security, Alan Davidson, told the government that it "has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders". Mozilla told us: "We have no immediate plans to roll out DoH outside of the US."

Cloudflare argues that filtering and blocking traffic via DNS is a poor approach. "Application-specific controls such as browser extensions would be more effective since they can actually look into the URLs and selectively prevent content from being accessible," said Peter Wu, part of the Crypto Team at Cloudflare.

Google also has plans to roll out DoH in Chrome, but with an important difference. It will only use DoH if the configured DNS server supports it, saying: "This would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged."

Google said it has no plans to follow Mozilla's approach.

Bert Hubert, founder of PowerDNS, is a vocal opponent of Mozilla's move. He told The Reg today: "I find it highly disappointing that Mozilla decided, on behalf of all users it deems American, that this was a good idea. So while encrypted DNS is great, it matters a great deal who you encrypt your DNS to (since in the end, someone is going to have plaintext).

"Mozilla 'dark-patterned' the choice so almost everyone will take the new default. Essentially they are saying 'we decided it is best that you send all your DNS queries to Cloudflare'."

Hubert said that the issue is centralised DoH rather than DoH as a protocol, but that the two are deliberately confused by proponents. "A lot of people pro-centralisation have attempted to paint detractors as hating encryption," he said. "It is far easier to defend 'DoH the protocol' than to defend 'DoH the landgrab'."

Admins and technical users can easily override Mozilla's choices, but many will likely accept the defaults. One question is: who is more trustworthy? Do you choose your ISP's DNS resolver (which might include the DNS provided via Wi-Fi in an airport or café) or Mozilla's chosen partner, currently Cloudflare?

Another relevant question is whether further centralisation of the internet is, inherently, a bad thing. ®

Biting the hand that feeds IT © 1998–2022