Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Last November: These ISPs know too much! June: God bless the ISPs

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.

This means the ISP, which has joined Moz's Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.
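To make concrete what "lookups via encrypted HTTPS channels" means on the wire, here is an added example (not code from Mozilla, Comcast or the original article) that builds an RFC 8484 DNS-over-HTTPS GET request and parses a wire-format answer. The resolver URL `https://doh.example.net/dns-query` is a placeholder, and the response bytes are a constructed sample rather than anything captured from a real resolver; the TLS connection itself is left out because the point is the message format that travels inside it.

```python
"""RFC 8484 DNS-over-HTTPS: build a GET request, parse the DNS answer.

Added example, not from the article or the parties it describes.
Resolver URL and the response bytes below are constructed placeholders.
"""
import base64
import struct

# Assumed placeholder; a real deployment would use the resolver's published URL.
RESOLVER_URL = "https://doh.example.net/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.

    RFC 8484 recommends a zero transaction ID so identical queries give
    identical URLs, which lets HTTP caches in front of the resolver work.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: the query goes in 'dns=' as unpadded base64url (RFC 8484 §4.1).

    The POST form instead sends the raw bytes with
    Content-Type: application/dns-message; both travel inside TLS.
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list[str]:
    """Return IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response for "example.com A": QR|RD|RA, one answer,
# name via compression pointer to offset 12, TTL 300, address 192.0.2.1.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header
    + b"\x07example\x03com\x00\x00\x01\x00\x01"          # question, A, IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # ptr, A, IN, TTL, RDLENGTH
    + b"\xc0\x00\x02\x01"                                # RDATA 192.0.2.1
)

if __name__ == "__main__":
    query = build_dns_query("example.com")
    print(doh_get_url(RESOLVER_URL, query))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The encoded query string this produces for `example.com` is the same one RFC 8484 uses in its own GET example, which is a handy check that the encoding is right. Note what the example does and does not protect: an on-path observer sees only TLS to the resolver, but the resolver operator still sees every name asked for, which is the article's whole complaint. In Firefox the behaviour is governed by the `network.trr.mode` and `network.trr.uri` preferences in `about:config`, which is where a user would confirm which resolver is actually in use.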

Last year Comcast and other broadband giants were fiercely against such safeguards, though it appears Comcast has had a change of heart – presumably when it figured it could offer DNS-over-HTTPS services as well as its plain-text DNS resolvers.

At some point in the near future, Firefox users subscribed to Comcast will use the ISP's DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.

"Comcast has moved quickly to adopt DNS encryption technology and we’re excited to have them join the TRR program," Firefox CTO Eric Rescorla said on Thursday.

“Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs.”

Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers' web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here's Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.

ISPs "have access to a stream of a user’s browsing history," Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS."

Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program's rules.

That means, according to Moz, Comcast "must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser." Nor can it "combine the data that it collects from queries with any other data in any way that can be used to identify individual end users" nor "sell, license, sublicense, or grant any rights to user data to any other person or entity."

We're told Comcast started testing a DNS-over-HTTPS service in October – at the same time it was lobbying on Capitol Hill against the technology. Now it's rolling out the security mechanism anyway.

If this was TV, this would be the part where Moz turns to the camera, looks straight into the lens, and puts on its best no-really-this-is-a-good-thing voice. "Also in October, Comcast announced a series of key privacy commitments," the Mozilla team said today, "including reaffirming its longstanding commitment not to track the websites that customers visit or the apps they use through their broadband connections. Comcast also introduced a new Xfinity Privacy Center to help customers manage and control their privacy settings and learn about its privacy policy in detail."

Well, at least a broadband provider is now signed up for DNS-over-HTTPS with Firefox rather than fighting to outlaw the tech. And subscribers aren't forced to use Comcast's secure DNS service, though it will be the default. And it's better than using plain old DNS that isn't encrypted. If you trust Comcast to handle your normal plain-text DNS, logically you should trust it for DNS-over-HTTPS.

"We’re proud to be the first ISP to join with Mozilla to support this important evolution of DNS privacy,” said Jason Livingood, Comcast Cable veep of technology policy and standards. "Engaging with the global technology community gives us better tools to protect our customers, and partnerships like this advance our mission to make our customers’ internet experience more private and secure."

Mozilla launched the TRR program in March, and so far Cloudflare and NextDNS have jumped in to provide DNS-over-HTTPS resolvers. Google rolled out its own flavor of the tech for Chrome users in May.

"Adding ISPs in the TRR Program paves the way for providing customers with the security of trusted DNS resolution, while also offering the benefits of a resolver provided by their ISP such as parental control services and better optimized, localized results," Team Mozilla concluded this week. "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." ®
