
Firefox now defaults to DNS-over-HTTPS for US netizens and some are dischuffed about this

Good for privacy – or an alarming move towards further internet centralisation?

Mozilla has started rolling out encrypted DNS-over-HTTPS (DoH) by default for US users of the nonprofit's Firefox browser.

DoH encrypts DNS (Domain Name System) traffic, which has both security and privacy benefits, though use of the DoH protocol itself is not the only issue here. The other question is, whose server do you use for name resolution?

DNS is the process by which internet names are translated into network addresses. The system goes back to the earliest days of the internet and has several security and privacy issues.

Typically the DNS servers you use are provided by the network you connect to: the same server that allocates an IP address to your machine also hands it the address or addresses of DNS servers, via DHCP (Dynamic Host Configuration Protocol).

DNS has a number of security and privacy weaknesses. A malicious DNS server could direct you to a site you did not request, or someone on the path could eavesdrop on or tamper with DNS traffic. Privacy is an issue because the server that resolves your DNS requests has a record of your browsing history, which has commercial value as well as being of potential interest to spies and law enforcement.

Mozilla's answer to the problems thrown up here is to set the DNS resolver in Firefox to Cloudflare by default, with an option for NextDNS or your own custom provider if you're sufficiently techie to dig into the browser's networking settings.

The argument is that the named providers are "trusted recursive resolver" partners, as described here, so that users are assured of encryption as well as protection from malicious redirection. These partners – and currently there are only two – agree to delete all identifiable data within 24 hours, to keep only aggregate data, and not to sell user data to any third party. They also agree "not to block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates".

Today's announcement states: "We're enabling DoH by default only in the US. If you're outside of the US and would like to enable DoH, you're welcome to do so by going to Settings... DoH is just one of the many privacy protections you can expect to see from us in 2020."

The DoH setting in Firefox, currently Cloudflare, NextDNS or Custom

DoH combined with a third-party resolver makes it harder for ISPs to filter and block web traffic and is therefore unpopular with those keen on such blocking, such as the UK's Internet Watch Foundation charity and, it seems, the UK government.

Last year, Mozilla's VP of trust and security, Alan Davidson, told the government that it "has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders". Mozilla told us: "We have no immediate plans to roll out DoH outside of the US."

Cloudflare argues that filtering and blocking traffic via DNS is a poor approach. "Application-specific controls such as browser extensions would be more effective since they can actually look into the URLs and selectively prevent content from being accessible," said Peter Wu, part of the Crypto Team at Cloudflare.

Google also has plans to roll out DoH in Chrome, but with an important difference. It will only use DoH if the configured DNS server supports it, saying: "This would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged."

Google said it has no plans to follow Mozilla's approach.

Bert Hubert, founder of PowerDNS, is a vocal opponent of Mozilla's move. He told The Reg today: "I find it highly disappointing that Mozilla decided, on behalf of all users it deems American, that this was a good idea. So while encrypted DNS is great, it matters a great deal who you encrypt your DNS to (since in the end, someone is going to have plaintext).

"Mozilla 'dark-patterned' the choice so almost everyone will take the new default. Essentially they are saying 'we decided it is best that you send all your DNS queries to Cloudflare'."

Hubert said that the issue is centralised DoH rather than DoH as a protocol, but that the two are deliberately confused by proponents. "A lot of people pro-centralisation have attempted to paint detractors as hating encryption," he said. "It is far easier to defend 'DoH the protocol' than to defend 'DoH the landgrab'."

Admins and technical users can easily override Mozilla's choices, but many will likely accept the defaults. One question is: who is more trustworthy? Do you choose your ISP's DNS resolver (which might include the DNS provided via Wi-Fi in an airport or café) or Mozilla's chosen partner, currently Cloudflare?

Another relevant question is whether further centralisation of the internet is, inherently, a bad thing. ®
