Mozilla has started rolling out encrypted DNS-over-HTTPS (DoH) by default for US users of the nonprofit's Firefox browser.
DoH encrypts DNS (Domain Name System) traffic, which brings both security and privacy benefits, but the protocol itself is not the only issue here. The other question is whose server you use for name resolution.
DNS is the process by which internet names are translated into network addresses. The system goes back to the earliest days of the internet and has several security and privacy issues.
Typically the DNS servers you use are provided by the network you connect to: the server that allocates an IP number to your machine also provides the address or addresses of DNS servers, via DHCP (Dynamic Host Configuration Protocol).
DNS has a number of security and privacy weaknesses. A malicious DNS server could direct you to a site you did not request, or someone could eavesdrop or tamper with DNS traffic. Privacy is an issue because the server that resolves your DNS requests has a record of your browsing history, which has commercial value as well as being of potential interest to spies and law enforcement.
Mozilla's answer to the problems thrown up here is to set the DNS resolver in Firefox to Cloudflare by default, with an option for NextDNS or your own custom provider if you're sufficiently techie to dig into the browser's networking settings.
The argument is that the named providers are "trusted recursive resolver" partners, as described here, so that users are assured of encryption as well as protection from malicious redirection. These partners – and currently there are only two – agree to delete all identifiable data within 24 hours, to keep only aggregate data, and not to sell user data to any third party. They also agree "not to block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates".
Today's announcement states: "We're enabling DoH by default only in the US. If you're outside of the US and would like to enable DoH, you're welcome to do so by going to Settings... DoH is just one of the many privacy protections you can expect to see from us in 2020."
DoH combined with a third-party resolver makes it harder for ISPs to filter and block web traffic and is therefore unpopular with those keen on such blocking, such as the UK's Internet Watch Foundation charity and, it seems, the UK government.
Last year, Mozilla's VP of trust and security, Alan Davidson, told the government that it "has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders". Mozilla told us: "We have no immediate plans to roll out DoH outside of the US."
Cloudflare argues that filtering and blocking traffic via DNS is a poor approach. "Application-specific controls such as browser extensions would be more effective since they can actually look into the URLs and selectively prevent content from being accessible," said Peter Wu, part of the Crypto Team at Cloudflare.
Google also has plans to roll out DoH in Chrome, but with an important difference. It will only use DoH if the configured DNS server supports it, saying: "This would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged."
Google said it has no plans to follow Mozilla's approach.
Bert Hubert, founder of PowerDNS, is a vocal opponent of Mozilla's move. He told The Reg today: "I find it highly disappointing that Mozilla decided, on behalf of all users it deems American, that this was a good idea. So while encrypted DNS is great, it matters a great deal who you encrypt your DNS to (since in the end, someone is going to have plaintext).
"Mozilla 'dark-patterned' the choice so almost everyone will take the new default. Essentially they are saying 'we decided it is best that you send all your DNS queries to Cloudflare'."
Hubert said that the issue is centralised DoH rather than DoH as a protocol, but that the two are deliberately confused by proponents. "A lot of people pro-centralisation have attempted to paint detractors as hating encryption," he said. "It is far easier to defend 'DoH the protocol' than to defend 'DoH the landgrab'."
Admins and technical users can easily override Mozilla's choices, but many will likely accept the defaults. One question is who is more trustworthy? Do you choose your ISP's DNS resolver (which might include the DNS provided via Wi-Fi in an airport or café) or Mozilla's chosen partner, currently Cloudflare?
Another relevant question is whether further centralisation of the internet is, inherently, a bad thing. ®