Friday, November 8, 2019

Firefox Making DNS-over-HTTPS the Default

Selena Deckelmann:

In 2017, Mozilla began working on the DNS-over-HTTPS (DoH) protocol, and since June 2018 we’ve been running experiments in Firefox to ensure the performance and user experience are great. We’ve also been surprised and excited by the more than 70,000 users who have already chosen on their own to explicitly enable DoH in Firefox Release edition. We are close to releasing DoH in the USA, and we have a few updates to share.


In addition, Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH. Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that.

Kristian Köhntopp:

Once that happens, the browser will ask Cloudflare over DNS for name resolution instead of whatever your sysadmin configures, leaking the names of all the websites you visit to Cloudflare.


It’s breaking an old contract between OS and application. The browser trying to become an OS, in a way.

It’s also implemented in a way that it is breakable by your ISP (NXDOMAIN on a certain query), so the security improvement doesn’t

Josh Centers:

Cloudflare is slowly gaining a stranglehold over the entire Internet and no one is paying attention.

Firefox: “We’re the privacy browser! Also, we collect absurd amounts of telemetry and now we’re going to route all your DNS requests through one of our partners.”

No one is challenging them on this.


The insecure DNS servers, as set in the network interface settings of your computer, allow the domain name resolution queries sent to DNS servers to be read by someone sitting in the middle such as your ISP. But with secure and encrypted DoH, nobody can know which domain names you are trying to access.

However, some security experts are not happy with Mozilla’s decision to include TRR in the web browser. They are arguing that it should not be enabled for everyone, especially the security conscious users who have configured their network to use trustworthy DNS servers (source: If you are one of those Firefox users who want to use the DNS servers configured with your network interface instead of DoH, then here is how you progress[…]


Many people appear to conflate the concepts of privacy and encryption, which are in fact very different things.

In this post I argue that in September 2019, centralised DoH “by default” is a net-negative for privacy for everyone and that even in later years it will not improve privacy outside of the most privacy hostile environments – where no one should rely on partial measures like DoH to stay secure.

See also: Hacker News.


Comments RSS · Twitter

Leave a Comment