Broadband ISPs and the Government could clash with Mozilla after the internet technology developer announced that it would move forward with its proposal to enable DNS-over-HTTPS (DoH) by default in its popular Firefox web browser, albeit with tweaks to respect ISP network-level internet filters.
We’ve covered this quite a lot before (here and here), so here’s a shortened recap. At its core DoH is all about protecting user privacy and making internet connections more secure (much like HTTPS has done for websites). As a result DoH, and similar solutions like DNS-over-TLS (DoT), are often praised by the wider internet community and their support base is growing.
However major UK broadband ISPs and politicians are concerned that large-scale third-party deployments of DoH could disrupt their ability to censor, track and control various internet / account services (parental controls etc.). DNS is the system that turns human readable domain names like ISPreview.co.uk into IP addresses and back again; DoH wraps those requests inside the same HTTPS protocol that websites use (today most DNS requests are still sent unencrypted), so an ISP that filters or monitors DNS in transit no longer sees them.
Obviously doing this on a major browser like Firefox would be a significant change, one that has already caused both ISPs and the Government some concern. At one point it even resulted in the UK Internet Service Providers Association (ISPA) labelling Mozilla as an “Internet Villain”, which was promptly withdrawn following a huge backlash (here). Nevertheless it now appears as if Mozilla will be moving ahead with their proposal.
Selena Deckelmann, Mozilla, said:
“In 2017, Mozilla began working on the DNS-over-HTTPS (DoH) protocol, and since June 2018 we’ve been running experiments in Firefox to ensure the performance and user experience are great. We’ve also been surprised and excited by the more than 70,000 users who have already chosen on their own to explicitly enable DoH in Firefox Release edition. We are close to releasing DoH in the USA, and we have a few updates to share.
After many experiments, we’ve demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic. We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out.”
One positive bit of news for ISPs is that Mozilla plans to mitigate at least some, albeit by no means all, of their concerns with a few tweaks to their proposed approach. The tweaks are aimed at supporting ISPs that deploy managed networks and parental controls (e.g. DNS based network-level filtering / website blocking).
Summary of Mozilla’s Approach to DoH by Default
At a high level, our plan is to:
— Respect user choice for opt-in parental controls and disable DoH if we detect them;
— Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration; and
— Fall back to operating system defaults for DNS when split horizon configuration or other DNS issues cause lookup failures.
We’re planning to deploy DoH in “fallback” mode; that is, if domain name lookups using DoH fail or if our heuristics are triggered, Firefox will fall back and use the default operating system DNS. This means that for the minority of users whose DNS lookups might fail because of split horizon configuration, Firefox will attempt to find the correct address through the operating system DNS.
In addition, Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH. Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that.
Options for Providers of Parental Controls
We’re also working with providers of parental controls, including ISPs, to add a canary domain to their blocklists. This helps us in situations where the parental controls operate on the network rather than an individual computer. If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically.
This canary domain is intended for use in cases where users have opted-in to parental controls. We plan to revisit the use of this heuristic over time, and we will be paying close attention to how the canary domain is adopted. If we find that it is being abused to disable DoH in situations where users have not explicitly opted in, we will revisit our approach.
The last point, about the canary heuristic being “abused to disable DoH in situations where users have not explicitly opted in”, could conflict with some of the filtering systems used by ISPs in the United Kingdom. At present consumers can disable parental controls on their account, so those filters arguably count as opt-in, but the upcoming mandatory porn block (age verification) is not optional and could prove more contentious.
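The canary heuristic quoted above works by resolving one fixed domain through the system resolver and reading the answer. As an added example (not Mozilla's or Firefox's code), the following Python script builds that query, parses the response and applies the decision. It assumes Mozilla's published canary domain use-application-dns.net, which this article does not name, and the trigger conditions from Mozilla's later canary documentation (NXDOMAIN, or NOERROR with no A/AAAA records); every resolver response is constructed inline rather than fetched from a network, so it runs offline:

```python
"""Canary-domain check for opt-in network filtering, as Mozilla describes above.

Added example, not Mozilla's or Firefox's code. Assumptions: the domain is
Mozilla's published canary use-application-dns.net (the article does not name
it), and the two trigger conditions (NXDOMAIN, or NOERROR with no A/AAAA
records) follow Mozilla's later canary documentation. All DNS messages are
constructed inline so the script runs offline.
"""
import ipaddress
import struct

CANARY = "use-application-dns.net"
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query (recursion desired) for `name`/`qtype`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _read_name(data: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data: bytes) -> dict:
    """Return the rcode and any A/AAAA answers from a response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype in (QTYPE_A, QTYPE_AAAA):             # 4- or 16-byte address
            answers.append(str(ipaddress.ip_address(rdata)))
    return {"rcode": flags & 0x000F, "answers": answers}


def canary_signals_filtering(resp: dict) -> bool:
    """The opt-in-filtering signal: NXDOMAIN, or NOERROR with no address records.
    Anything else (SERVFAIL, a real answer) leaves DoH enabled."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return True
    return resp["rcode"] == RCODE_NOERROR and not resp["answers"]


def choose_resolver_mode(canary_response: bytes) -> str:
    """Firefox-style decision: 'os' when filtering is signalled, else 'doh'."""
    return "os" if canary_signals_filtering(parse_response(canary_response)) else "doh"


def make_response(query: bytes, rcode: int, addrs=()) -> bytes:
    """Constructed stand-in for the system resolver: echo the question back
    with `rcode` and optional A records (each uses a pointer to the question name)."""
    txid = struct.unpack("!H", query[:2])[0]
    q_end = query.index(b"\x00", 12) + 1 + 4          # end of the question section
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        + bytes(int(o) for o in a.split("."))
        for a in addrs
    )
    return header + query[12:q_end] + rrs


if __name__ == "__main__":
    q = build_query(CANARY, QTYPE_A)
    for label, r in [
        ("filter returns NXDOMAIN", make_response(q, RCODE_NXDOMAIN)),
        ("filter returns empty NOERROR", make_response(q, RCODE_NOERROR)),
        ("unfiltered resolver answers", make_response(q, RCODE_NOERROR, ("192.0.2.1",))),
    ]:
        print(f"{label:30} -> {choose_resolver_mode(r)}")
```

On the operator side, the NXDOMAIN branch is what a blocklist entry produces: on unbound, for instance, a `local-zone: "use-application-dns.net" always_nxdomain` entry, or a pi-hole blocklist entry for the same name. Two caveats from Mozilla's later canary documentation: the check is only consulted when DoH was enabled by default (a user who switched DoH on by hand is not overridden by the canary), and a SERVFAIL or timeout is not treated as a filtering signal, so a flaky resolver does not silently downgrade users.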
Apparently Mozilla will start rolling out this change gradually “to a small percentage of users” from later this month, albeit initially only in the USA. The not-for-profit company will then take stock of how their initial deployment is going before expanding it out to a much larger audience. Users of Firefox can of course manually enable this feature today if they so wish.
Most people will probably trust Mozilla more than their ISP to act in their best interests, although it’s worth remembering that the DoH resolvers may not be UK based (hopefully one is set up for the UK, given the different data protection laws between countries). ISPs may also be concerned that if something goes wrong with Firefox’s DoH system then they will be the ones who get the blame via support calls. Likewise there’s a fear that malware using DoH could be harder to tackle, since its lookups no longer pass through the network’s own resolver where they could be logged or blocked.
UPDATE 10:40am
One of our readers, William, has kindly pointed out that Mozilla appears to be using Cloudflare’s public DNS resolver (1.1.1.1), which can answer from Cloudflare’s London, Manchester or Edinburgh servers. In benchmarks this can end up being faster than your UK ISP’s own DNS. We’ll have to wait and see how the final implementation of Firefox DoH works for UK users, but it may well be the same.
UPDATE 11th Sept 2019
Just for some context, Google will also be implementing DoH in its Chrome web browser, but unlike Firefox it has chosen a different approach and this will be part of a limited trial in the upcoming v78 release. Essentially Chrome will check whether the DNS resolver your system is already configured to use is one of a small list of providers known to offer DoH (so ISPs may need to get on to that list), and if so it will upgrade to that same provider’s DoH endpoint rather than switching you to a different resolver.

Google’s move should help encourage ISPs to adopt DoH, although users whose existing resolver is not on that list will simply carry on with their current unencrypted (insecure) DNS.
Mozilla should not be collaborating with the enemies of liberty, hopefully a Chrome/Firefox fork will properly implement DoH.
Just be aware that Mozilla’s current policies towards DoH are not compliant with either GDPR or ePrivacy. And any US tech companies will not protect the data of non-US citizens – it’s wide open to warrantless access by US law enforcement agencies irrespective of their privacy policies.
Apart from that, the malware using DoH and the prospect of any app using any DNS service that it likes, it’s all good!
Of course any app has always technically had the ability to use a different DNS service, there’s nothing new on that front.
Although capturing DNS on port 53 and redirecting it to a proxy is achievable (and some ISPs do this), it’s a lot harder to do with HTTPS traffic.
@MarkJ
DoH is the first standard from the IETF that moves DNS out of the operating system and into the application layer. Whilst apps could access different DNS resolvers previously, this gives a simpler way to do so and encrypts it, mixing it into the HTTPS traffic.
One side effect is that you will have no idea what apps are accessing DNS, nor how often. Google devices already “call home” to its DNS (eg Chromecast), this has the potential to make that invisible. The attraction of DoH to tech companies wanting more “diagnostic” data is notable, of course none will abuse this to *enhance* their tracking capabilities will they?!
Cloudflare don’t collect *ANY* information about DNS queries and have yearly audits from KPMG to prove that. As such they are GDPR compliant as they have no information on anyone regardless of whether they are residing in the EU or not. Please get your facts straight first before spouting rubbish.
I don’t use Firefox so it’s not a big deal for me but I wonder what this means for people who, like me, use Pi-Hole?
The article talks about scenarios where DoH will be disabled but does not state whether a user could simply just toggle it off manually, unless I missed it.
The fact they say “users will be notified and given the opportunity to opt out” suggests a choice will still remain, but it will be enabled by default.
@Dave
Remember that any application can use DoH, not just browsers, and each of them could have its own policies which may or may not be made public. I suspect many will omit to offer opt-out options and will likely bypass your security policies.
In the latest Firefox, DNS over HTTPS is a switch in the settings. So you can turn it off and on at will. You can also set the DNS server to be either Cloudflare or enter an IP address of your choice.
@Occasionally factual
It’s good that it can be disabled but default behaviour when DoH is switched off should be to use your OS’s DNS resolver, the same as every other bit of software does. Yes I could put the IP of my Pi-Hole into the config but I should not have to!
It seems I shall not be using Firefox anytime soon.
It’s very annoying when software vendors go against decades of accepted (and expected) behaviour for usually no good reason. It just stinks of NIH.
Just block the IP addresses of the currently rather limited number of DoH resolvers at your firewall.
@Dave
The DNS input option I mentioned was just for specifying which DoH server to use, not for all DNS requests. (Currently Cloudflare or an address you specify)
If you switch off DoH, it reverts to your system settings by default.
This “disrupt their ability to censor, track and control various internet / account services (parental controls etc.).”
Is correct because the internet and its services were never designed to be censored, tracked and controlled by various geographically diverse government agencies.
Any attempt to implement these will be circumvented at every opportunity and the means to do so will be released as FOSS and howto articles.
If your job is to carry out these controls, censorship and tracking expect it to get increasingly harder exponentially.
When I experimented with Firefox’s DoH a while ago the hosts file on my PC was bypassed so I went back to browsing without DoH.
Seems like pi-hole already have a pull request to prevent default behaviour using the canary domain:
https://github.com/pi-hole/pi-hole/pull/2915
On pfSense (which supports DoT), it is possible to add this canary to the unbound resolver. pfBlockerNG would be bypassed with the default FF behaviour, not what you’d be wanting in the circumstances.
https://forum.netgate.com/topic/133679/heads-up-be-aware-of-trusted-recursive-resolver-trr-in-firefox/11
I think this is browser over-reach.
So, does this mean using a VPN such as Windscribe is now obsolete?
No, not at all, DoH does not hide you completely.
I like the idea of DoH, but it doesn’t seem like it should be done at the browser level. Would be much better to have a local DNS server that then resolved all DNS requests over HTTPS to a remote DoH server, that way every application not just Mozilla could benefit from secure encrypted DNS lookups and as the local DoH server would be a small bit of code it would be that much more auditable.
Pi-Hole can be configured to use DNS over HTTPS upstream and then just plain DNS to your local network.
This is one I’ll pass on for now. It breaks CDNs and localised services that use DNS to direct clients to the appropriate cluster.
DNSSEC is also a thing and provides integrity even though it doesn’t provide privacy.
The replies I read here never cease to amuse me.
https://www.bleepingcomputer.com/news/technology/google-unveils-dns-over-https-doh-plan-mozillas-faces-criticism/
If the UK government, GCHQ et al. are so afraid of this, why don’t they just make DNS over HTTPS illegal?
Looking at how much this seems to annoy our government I can’t help but think this is a good thing. I just enabled DNS over TLS and switched my DNS servers to Cloudflare on my router.