
Firefox Says – NO DNS Over HTTPS (DoH) by Default for UK

Wednesday, September 25th, 2019 (7:47 am)

In a surprise twist Mozilla has informed the Government that they now have “no plans” to enable the DNS-over-HTTPS security feature by default for UK internet users in their popular Firefox website browser, at least not without “further engagement with public and private stakeholders.” Doh!

At present most Domain Name System (DNS) requests, which turn Internet Protocol (IP) addresses into human-readable domain names like ISPreview.co.uk and back again, are still unencrypted, and this makes it easy for your broadband ISP to snoop, filter (block websites / parental controls etc.) and even optimise some aspects of your internet connectivity (better direction of traffic for Content Delivery Networks etc.).

By comparison, the DNS-over-HTTPS (DoH) system encrypts DNS requests by sending them over the common HTTPS protocol for websites. On the one hand this is a welcome security and privacy improvement, but on the other big ISPs and governments are concerned that wide-scale adoption by major third-parties (e.g. website browser software that enables it by default) could disrupt some of their services, particularly snooping and blocking.
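As an added illustration (not code from the original article or from Mozilla), the Python below builds one DNS question in the classic wire format, which a filter on the path can parse, and then wraps the same bytes as an RFC 8484 DoH GET request. The resolver URL `https://doh.example/dns-query` is a placeholder and the function names are hypothetical.

```python
import base64
import struct
from urllib.parse import urlsplit

# Placeholder resolver endpoint, used only for illustration.
DOH_ENDPOINT = "https://doh.example/dns-query"

def encode_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query in wire format (RFC 1035); qtype 1 = A record."""
    # ID 0 (advised by RFC 8484 for HTTP caching), RD flag set, one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def decode_qname(message: bytes) -> str:
    """Recover the queried name, as a port-53 filter on the path could."""
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_url(message: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def on_path_view(url: str) -> str:
    """Resolver hostname (exposed via TLS SNI); path and query are encrypted."""
    return urlsplit(url).hostname

if __name__ == "__main__":
    query = encode_query("www.example.com")  # constructed sample name
    print("classic DNS, cleartext on the wire:", decode_qname(query))
    url = doh_get_url(query)
    print("DoH request (carried inside HTTPS):", url)
    print("visible to an on-path observer:", on_path_view(url))
```

With classic DNS the 33-byte message travels as-is over port 53; with DoH the same bytes sit in the encrypted request, so the network sees only which resolver was contacted.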

We’ve covered this quite a lot before (here and here) and at one point the ISPA even controversially labelled Mozilla as an “Internet Villain” for their aspiration to enable the feature by default (i.e. taking DNS requests away from ISPs and making it harder to intercept them in the traffic flow), which was promptly withdrawn following a backlash (here).

The penny appeared to drop earlier this month after Mozilla announced that they would proceed to enable the feature by default, albeit with a few caveats and starting in the USA (here). However Mozilla has now written to the Culture Secretary, Nicky Morgan MP, and said it “has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders” (The Guardian).

A DCMS Spokesperson said:

“Child sexual exploitation is an abhorrent crime that this Government is committed to tackling. While we look to support security and privacy online, it is vital that all sectors of the digital industry consider child safety when developing their systems and services.

We are working with industry on solutions to any potential problems as part of our ongoing work to make the UK the safest place in the world to be online.”

Admittedly most end-users tend not to enable such features themselves, although the publicity around DoH is sure to have had an impact upon take-up. Indeed enabling DoH in Firefox today is as easy as going to ‘Options’, scrolling right to the bottom of the new window under ‘General’ and clicking ‘Settings’ (Network Settings). The “Enable DNS over HTTPS” feature is at the bottom of that page (assuming you trust Cloudflare – a USA-based company – to handle your DNS traffic, although you can pick a different DoH provider – AAISP’s UK example).

Just remember that by enabling DoH you may also break some of the features offered by your ISP, although for the most part you probably won’t notice any difference and can always disable it later.

19 Responses
  1. Aleksandr Metslov says:

    Oh these excuses… Government can’t sleep, if people are using internet as freely (and without government control) as it is intended to be used.

    1. New_Londoner says:

      Yes, it’s a real problem not being able to access child porn, malware etc!

    2. anon says:

      @Aleksandr: Pretty much.

      @New_Londoner: You’re an idiot.

    3. Mark Jackson says:

      @New_Londoner. Seriously.. not a particularly clever or knowledgeable remark.

    4. New_Londoner says:

      To clarify, some of the “features” that DoH can break include malware protection, parental controls, other content filtering including the IWF block list. Don’t take my word for it, take a look at posts from people like Fred Langford, Deputy CEO of the IWF.

      It’s important to understand that at least some so-called “libertarians” do actually think that you shouldn’t block access to child abuse material etc., that parents shouldn’t have any say in the content that their children access. And there are already instances of malware taking advantage of DoH to evade detection.

      Apart from that, oh and gifting yet more personal data to US tech companies, it’s all good!

    5. edward says:

      “@New_Londoner. Seriously.. not a particularly clever or knowledgeable remark.”

      Typical of his usual posting.

      “parental controls, other content filtering including the IWF block list.”

      Yes it works so well no genuine sites get blocked with those things…

      Good old BT now blocking things like Youtube and websites that sell hair extensions…. Oh god quick save the children from looking at hair ties.

    6. New_Londoner says:

      What is the ratio of sites blocked in error to those correctly blocked? Do the ISPs that implement such blocks also have an appeals process to allow incorrectly blocked sites to be reinstated? (Hint: small and yes respectively)

      And more to the point, you’d hopefully agree that it is a good thing to block access to sites hosting illegal material such as child abuse content? What alternative method would you propose to use to implement such blocks?

    7. Timeless says:

      By no means am I against blocking of harmful content, however the way you speak it’s like you think it’s someone else’s job to protect children online, when in fact protecting children online lies squarely with the parents keeping an eye on their usage not some third party, by all means provide the tools and play a part but at the end of the day it comes down to lazy parenting treating the internet as a daycare.

    8. edward says:

      “What is the ratio of sites blocked in error to those correctly blocked?”

      I do not care what the ratio is the fact some sites are wrongly blocked means the system is not just blocking all the things you cite as having issues with (IE child porn, malware etc)

      You support a system that does not function as it should and you stupidly state you support it because most of the time it gets it right.

      Let’s hope when automated self driving cars become a thing like automatic internet site blocking for the likes of BT has become a thing that the automated car does not make a wrong decision and accidentally cause you injury… Then again it should not matter, you will be fine and secure in the knowledge that most of the time the automated self driving car does not make wrong decisions.

      You were just one of the small statistics it got wrong and your blinkered world of ‘oh its ok most of the time it gets it right’ is still intact.

      Meanwhile in the logical world which the sensible people live they won’t walk out in front of cars automatically thinking it will stop, because the human element of error has been removed, and decent parents do not let little fred use the internet alone if they are worried that will likewise do it harm.

      See how that works do you?

    9. beany says:

      Defending ISP filtering is madness. It does not protect children in any way shape or form.

      When I had BT about a year ago I found the following…

      Turn on BT’s Strict parental controls and type “tits” into Google’s image search and YES it will block what you would normally expect to get from that result and only at best display birds of the feathered variety.

      Type in “boobs” though (a term children are more likely to use) into the same BT strict filtering and Google image search and yep there they are in all their unfiltered glory.

      Arguing filtering is there to stop bad things or protect children is idiotic, when A) It is not protecting children and B) bad people will know how to beat any filter to view the bad things anyway. Which makes it utterly pointless.

  2. John Elvin says:

    “Just remember that by enabling DoH you may also break some of the features offered by your ISP”

    It doesn’t for AAISP users who can use the ISP’s DNS servers via DoH!

    1. John says:

      Not sure what the point of this comment is?

      AAISP don’t have parental controls or filtering so obviously using DOH wouldn’t break features for their users who use it.

      However if I’m with another ISP who offer parental controls, filtering and run blacklists, then using DOH over AAISP’s DNS servers could break these features.

      AAISP don’t have a magic incarnation of DOH that doesn’t stop things working.

  3. johnf says:

    I personally use and recommend DNSCrypt. Which is very easy to configure using the program “Simple DNSCrypt”. This means that all DNS queries are encrypted and private, not just the ones in Firefox.

  4. Mike says:

    Mozilla should be Internet Villain for failing to stand up to censorship.

    1. edward says:

      Yep obviously caved to government and lobby groups like the ISPA pressure.

  5. ComicBook says:

    Personally I’m running DNS over TLS as I do whole network adblocking so need to have some idea what is coming in on the network, as it’s my network it’s not an issue seeing what’s going on there, just means my ISP can’t as I’m not using their DNS. So I think I have it pretty much sorted. What are you guys’ views on this?

  6. Richard says:

    This doesn’t block filtering just yet, it just means that they have to move from filtering through DNS, which probably has less overhead, to filtering based on SNI, which will be broken by ESNI in the future (at which point you will have end to end encrypted traffic and only the IP address will give any idea about what sites you’re visiting).

    What they are not saying here is that if you turn this on manually, or have already configured DNS over TLS (simple on Android Pie/9) for your networks or on your devices none of their blocking works.

    So they are actually telling everyone how to get to terrorist content etc. right now, by making such a big deal out of this.

  7. captain cretin says:

    ALL governments block sites they don’t like, regardless of the legality of the content; just compare a few google.com searches done in the UK v identical searches done at the same time in the US.

    A real eye opener for “The Land Of The Free” ™; how many things vanish from their Google results.

    I have been running this feature since FF first announced it, not had any part of any website I care to visit fail.
    It IS common for them to fail because I refuse to run Google ad trackers.

  8. Fred says:

    Censorship is always going to be a divisive issue. I can understand why some folks would want ISP filtering as a tool to help protect children for example. Of course a tech savvy child might well know how to circumvent.

    At the same time I don’t want my ISP and the government, Google etc to be able to monitor my traffic.

    The danger of enabling DoH by default is many parents may not realize it breaks filtering they believe is protecting their children.

    I’m surprised that there are not (maybe there are and I don’t know about them) DoH providers that are offering user defined filtering. That way you could restrict access to your DNS queries to a trusted provider and still have some of the benefits of filtering. This is obviously not cast iron – vpns and TOR could still be used of course but it would offer some protection for vulnerable people whilst also providing more privacy.

    Personally I just use a trusted VPN provider and use Firefox to minimise the likelihood of digital fingerprinting. A VPN provider that offered filtering would be useful. As the VPN client is on my router I still do some filtering of traffic on the router – for example I don’t accept connections from countries like China and Russia.

