Mozilla begins rolling out DNS encryption by default for Firefox users


Posts: 2,844   +575
Staff member

The rollout will take place over the course of several weeks to ensure stability, but once it's finalized, all Firefox users running the latest version of the browser will have DNS protection. In short, DoH functionality helps to obfuscate and encrypt DNS lookup requests, which can otherwise expose information like the websites you visit.

Obviously, there's nothing inherently malicious about DNS lookups -- they're an essential part of the internet as we know it. Mozilla explains the technology as follows:

DNS is a database that links a human-friendly name, such as, to a computer-friendly series of numbers, called an IP address (e.g. By performing a "lookup" in this database, your web browser is able to find websites on your behalf.

With DoH, third parties will have a much more difficult time harvesting your browsing data. "[DoH] helps hide your browsing history from attackers on the network, [and] helps prevent data collection by third parties on the network that ties your computer to websites you visit," Mozilla says.

Right now, Mozilla's DoH implementation supports two "trusted resolvers" for encryption: Cloudflare and NextDNS. Other providers may get official support in the future, but for now, you'll have to rely on a custom alternative if you don't care for Cloudflare or NextDNS.

DoH will only be enabled by default for US-based Firefox users, but everybody can flip the switch manually if they so choose. Just visit Firefox's Options menu, go to General, scroll down to Network Settings, click the "Settings" button," and check the box for "Enable DNS over HTTPS." We're not sure why DoH isn't being turned on by default for non-US residents, but we'll be reaching out to Mozilla for clarification.

Permalink to story.



Posts: 404   +562


Posts: 411   +255
I don't get it, we already had DNSSEC...

That attempts to insure a DNS server against poisoning and provides one level of validity, not security through encryption for name/IP lookups. I already changed my DNS to, it's noticeably a faster resolver.

Here's a link to check DNSSEC for this site: Click Techspot (or press enter).


Posts: 1,617   +693
That attempts to insure a DNS server against poisoning and provides one level of validity, not security through encryption for name/IP lookups. I already changed my DNS to, it's noticeably a faster resolver.

Here's a link to check DNSSEC for this site: Click Techspot (or press enter).
I saw this on Neowin. What say you?
If you shop for a new router make sure it supports strict DNS-over-TLS requests and the ability to force DNS requests to a predetermined DNS host. IMO DoH is a bad implementation since you loose control over your DNS requests.

Seems like that would be faster too. Right?


Posts: 411   +255
Check out Richard Bennetts article here.

There's a lot of strum about this from tech writers, each with a unique perspective. In a world of IT discussions over implementations and RFC's there's always been contention, but as long as "something" isn't breaking or 'hurting' another entities ability to do what it does, the cooperative nature of the net should roll on in a working state.

"You run yours your way, and I'll run mine my way". Breaking that credo would be bad, but who does? No one HAS to have DNS. It makes things more readable though.

In this part, it reads like he's carping /because/ it's Google, saying the "application" is somehow being - what? It's software ASKING for the numeric address to "THIS STRING". It seems sketchy to jump that shark. If someone is worrried about Google snooping, the obvious answer seems to be a total avoidance of Googles DNS servers.

"Google is committed to an approach that takes implementation decisions out of the hands of operating systems, network administrators, and local laws. By implementing DoH in browsers, the firms have created a scenario where lookup speed and integrity depend on the applications doing the lookups.
DNS has always been more than an address book; it is currently a distributed database that supports a number of application needs for email, CDNs, video streaming, and a host of other distributed applications with inter-process communication needs. DoH changes all of this by reducing the capacity of DNS, in contradiction to early hopes."
DNS over TLS is no more secure than DNS over HTTPS, the browser, or some other application, encrypts a request to send, then a DNS server (almost transparently in terms of memory/CPU time) encrypts it and sends it back.

Configuring a router like the ones suggested for non-default (or auto-configured) DNS is a matter of entering the IP for the DNS servers manually. If the 'new' servers are fast enough for production those are ones we want to use. I think having a stack of alternates (if supported) is a good idea. Probably.


Posts: 1,617   +693
Ok the arguments for DNS over TLS versus DNS over HTTPS.
DNS over TLS is what network administrators prefer because it still allows them to monitor network traffic. DNS over HTTPS is preferred by human rights advocates since it's more user friendly and can disguise comings and goings. So it seems to me that if you work for an organization and want to be able to monitor network traffic then DoT is the rule and everyday browsing or dissidents DoH would be the best method. The hack of Equifix was using DoH, so that seems to be the example that is put forth as disfavor toward DoH. Personally, I think both have their pros and cons and considering situational use would be the determinate factor. Use both and for the situation that calls for it. There's nothing to stop an organization from accepting or not accepting certain connections. Really dependent upon who their clients are.
Last edited:


Posts: 411   +255
I just ran ping to 100 random hosts, max, min and average times are <40ms, this looks like a done deal.

The EU has complaints over content control and age-appropriate content barriers being broken.. The Firefox 'group' seems to be acceding - a little - meanwhile the software has been deployed, and Microsoft is also onboard. As you said, use both "it's so simple".

As long as it's not breaking anything I don't see a problem, gaining the IETF's blessing though the RFC proposal will happen at some point. Companies (ISP's) operating DNS that see an impact from increased overhead (if there is any) will simply upgrade if they want to continue to provide name server resolution.

I'm just thinking through this myself. I've read along for a bit but it's been several years since I've installed a local DNS server. Google wants to push everything in their general direction, it doesn't look like the rest of the net is going along with their ideas.


Posts: 379   +678
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.

Most likely because DNS contains zero confidential data, it's a lookup of public value pairs. I still fail to see the value. If you want to protect information on your website, you don't protect it on the DNS level. That'd be security through obscurity, which is not real security. That's like a company trying to hide its P.O. box. Why would you do that and what would that accomplish?


Posts: 12,696   +6,055
I fail to see how DNS encryption is a security solution. That is how little I know about the topic. But that is OK as long as I know, there are others that are fighting that fight for me.


Posts: 1,617   +693
I'm going to be slow to adopt anything until I get a better understanding and picture of the technologies and what they're doing. It's difficult to decipher between malevolent and benevolent forces when you know they all have an angle, and yes, that includes Mozilla. I can't remember the story or locate it right now, but there was something that came out about all the main browser companies collecting information for trade and sale. Brave browser, to their credit, came out as not one of them. You can't rest on your laurels with any of them. Money talks and BS walks.

There are several technologies to consider here: DNS over TLS; DNS over HTTPS ; DNS Sec, and even VPN as an end attachment. It would be nice if for once a single solid solution can just spring up to the top, but that just never ever seems to be the case. Got to do the work and the research. Initial conclusion? Addresses leak. There's just not much that can be done about that. I think it just a matter on how you parcel out trust that's the key. I generally try to never give a full picture or trust to any single entity for all of my needs as a matter of course. I'm not doing anything wrong, but I'm not giving away a nice neat full package, and I'll gladly exploit any distrust between these companies to further ensure the minimum consolidation of my information. Eeny, meeny, miny, moe, for you a thumb, and for you a toe. For my name is Humpty Dumpty.