Firefox continues push to bring DNS over HTTPS by default for US users

Antus67

Level 9
Thread author
Verified
Well-known
Nov 3, 2019
413
oday, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.

A little over two years ago, we began work to help update and secure one of the oldest parts of the internet, the Domain Name System (DNS). To put this change into context, we need to briefly describe how the system worked before DoH. DNS is a database that links a human-friendly name, such as www.mozilla.org, to a computer-friendly series of numbers, called an IP address (e.g. 192.0.2.1). By performing a “lookup” in this database, your web browser is able to find websites on your behalf. Because of how DNS was originally designed decades ago, browsers doing DNS lookups for websites — even encrypted https:// sites — had to perform these lookups without encryption. We described the impact of insecure DNS on our privacy:

Because there is no encryption, other devices along the way might collect (or even block or change) this data too. DNS lookups are sent to servers that can spy on your website browsing history without either informing you or publishing a policy about what they do with that information.

At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.

Since our work on DoH began, many browsers have joined in announcing their plans to support DoH, and we’ve even seen major websites like Facebook move to support a more secure DNS.

If you’re interested in exactly how DoH protects your browsing history, here’s an in-depth explainer by Lin Clark.

We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings, then General, then scroll down to Networking Settings and click the Settings button on the right. Here you can enable DNS over HTTPS by clicking, and a checkbox will appear. By default, this change will send your encrypted DNS requests to Cloudflare.

Users have the option to choose between two providers — Cloudflare and NextDNS — both of which are trusted resolvers. Go to Settings, then General, then scroll down to Network Settings and click the Settings button on the right. From there, go to Enable DNS over HTTPS, then use the pull down menu to select the provider as your resolver.

Source: Firefox continues push to bring DNS over HTTPS by default for US users – The Mozilla Blog
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,055

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
I see this push by Mozilla and M$ as positive, but find it annoying since my router uses DNS based filtering for security. I have even inquired what their plan is once M$ pushes it out in Win10, as they have said they plan to, and they don’t have an answer to it yet. Those devices just won’t be protected by the network filtering.

And just as @silversurfer pointed out, there is little privacy gained from ISPs by using this. The better way, if this is a concern, is a VPN.
 
Last edited:

Stas

Level 10
Verified
Well-known
Feb 21, 2015
456
My chrome doesn't have dns-over-https flag(n)
scr.jpg
 
F

ForgottenSeer 85179

Enforce encrypted DNS / using a defined DNS is good for average Joe but not for us power users.
For example such a enforcement circumstances solutions like PiHole which can also combined with Unbound so usage of authority root server as source is possible. No external DNS provider is then needed!
(I use also this solution)
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044

F 4 E

Level 3
Verified
Jan 27, 2019
103
Thanks Antus67 for above info. (y)

We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings, then General, then scroll down to Networking Settings and click the Settings button on the right. Here you can enable DNS over HTTPS by clicking, and a checkbox will appear. By default, this change will send your encrypted DNS requests to Cloudflare.

Users have the option to choose between two providers — Cloudflare and NextDNS — both of which are trusted resolvers. Go to Settings, then General, then scroll down to Network Settings and click the Settings button on the right. From there, go to Enable DNS over HTTPS, then use the pull down menu to select the provider as your resolver.

Source: Firefox continues push to bring DNS over HTTPS by default for US users – The Mozilla Blog

I've set this up in my Firefox, so it will be interesting to see if there are any problems.

So far, browsing speed seems unaffected.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Reaction from AdGuard:
Firefox now defaults to Cloudflare DNS, what if you're using AdGuard DNS or AdGuard Home?

I have to agree with Adguard on this one. Concentration of providers does not bode well. Mozilla should be more transparent about DOH options in its browser. The customization options are there in the UI but the user has to dig. And we all know the story about the infamous "Average Joe". I wonder how many of them are FF users? 🤔
 

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
I have to agree with Adguard on this one. Concentration of providers does not bode well. Mozilla should be more transparent about DOH options in its browser. The customization options are there in the UI but the user has to dig. And we all know the story about the infamous "Average Joe". I wonder how many of them are FF users? 🤔
I am the famous "Average Joe". :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top