Firefox starts switching on DNS-over-HTTPS to encrypt lookups, stymie tracking
Credit to Author: Gregg Keizer| Date: Wed, 26 Feb 2020 11:11:00 -0800
Mozilla has started to turn on DNS-over-HTTPS, or DoH, as part of its overall strategy of stressing user privacy.
“We know that unencrypted DNS is not only vulnerable to spying but is being exploited,” wrote Selena Deckelmann, Mozilla’s new vice president of desktop Firefox, in a Feb. 25 post to a company blog. “We are helping…to make the shift to more secure alternatives [and] do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”
The browser — in Mozilla’s case, Firefox — looks up a site’s human-centric address, such as mozilla.com, in the DNS database, then retrieves and uses the computer-centric IP address, like 63.245.208.194, to reach the website. Historically, the lookups have been done over unencrypted connections, even when the desired destination was guarded by HTTPS.
As Deckelmann said, the openness of DNS lookups has been exploited, both by hackers and by entities wanting to track users across the web for commercial gain. The DNS traffic can be read by someone monitoring a public Wi-Fi network or examined by the user’s ISP (Internet service provider). Criminals can intercept the bits flying between the browser and DNS server, then insert bogus addresses that steer the unwary user to a malicious site.
Shifting DNS lookups and their returns to encrypted connections prevents such abuses.
Both Mozilla and Google have been beating the DoH drum, the former for nearly two years. In a September 2019 update on DoH progress, Mozilla said that it would begin enabling DNS-over-HTTPS later that month. Instead, Mozilla did more testing.
“Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for U.S.-based users,” Deckelmann said Tuesday. “The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s U.S.-based users.”
Users not living the U.S., and those who do but want DoH enabled immediately, not on Mozilla’s timetable, can open Settings > Network Settings > Settings…, then check the “Enable DNS over HTTPS” box (users will probably need to scroll down through the Connection Settings frame to find that box), choose “Cloudflare” or “NextDNS” from the list, and finally, click “OK.”
Firefox will automatically disable DoH if it detects that parental browsing controls have been selected in the operating system. Likewise, DoH will disengage if admins have set any enterprise policies for Firefox, unless one of those policies was DNSOverHTTPS.
Google’s DoH plans for Chrome were different. Rather than switch DNS providers — when Firefox enables DoH, it defaults to Cloudflare as the new encrypted-connection “resolver,” with NextDNS as an alternative choice — Chrome instead uses a Google-maintained table to see whether that browser’s current DNS resolver has DoH servers. If it does, Chrome automatically switches to that.
Like Firefox, managed copies of Chrome — those joined to a domain or that have at least one active group policy — won’t auto-upgrade to DoH. Enterprises will also be able to control the DoH experiment through a new policy, DnsOverHttpsMode.
Google has been testing this “same provider, auto upgrade” approach since 2019, but has not yet spun it to the entire Chrome user base. According to this document, Google plans to do so with Chrome 81, currently slated to release March 17.
Google’s approach relies on DNS providers’ motivation to provide DoH servers as alternatives to their non-DoH servers. Not all will want to offer DoH — notably, some ISPs — because they benefit, either directly or indirectly, from the tracking and logging they can conduct on their customers.
Firefox’s way of tackling DoH definitely takes a more aggressive line on user privacy.
More information about DoH in Firefox can be found in this Mozilla-made FAQ.