Mozilla begins rolling out DNS encryption by default for Firefox users

Polycount

In brief: Those who value their digital privacy are always looking for new ways to block companies, hackers, or government agencies from spying on their online activities. If you're one of those individuals, Mozilla has some good news for you today: the organization has begun to roll out encrypted DNS over HTTPS (DoH) by default for US-based Firefox users.

The rollout will take place over the course of several weeks to ensure stability, but once it's finalized, all Firefox users running the latest version of the browser will have DNS protection. In short, DoH functionality helps to obfuscate and encrypt DNS lookup requests, which can otherwise expose information like the websites you visit.

Obviously, there's nothing inherently malicious about DNS lookups -- they're an essential part of the internet as we know it. Mozilla explains the technology as follows:

DNS is a database that links a human-friendly name, such as www.mozilla.org, to a computer-friendly series of numbers, called an IP address (e.g. 192.0.2.1). By performing a "lookup" in this database, your web browser is able to find websites on your behalf.

With DoH, third parties will have a much more difficult time harvesting your browsing data. "[DoH] helps hide your browsing history from attackers on the network, [and] helps prevent data collection by third parties on the network that ties your computer to websites you visit," Mozilla says.

Right now, Mozilla's DoH implementation supports two "trusted resolvers" for encryption: Cloudflare and NextDNS. Other providers may get official support in the future, but for now, you'll have to rely on a custom alternative if you don't care for Cloudflare or NextDNS.

DoH will only be enabled by default for US-based Firefox users, but everybody can flip the switch manually if they so choose. Just visit Firefox's Options menu, go to General, scroll down to Network Settings, click the "Settings" button, and check the box for "Enable DNS over HTTPS." We're not sure why DoH isn't being turned on by default for non-US residents, but we'll be reaching out to Mozilla for clarification.
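As an added illustration (not code from the article or from Mozilla), the following Python builds a DNS query for www.mozilla.org in wire format, wraps it as an RFC 8484 DoH GET request, and contrasts what a passive network observer can read in each case. The resolver URL doh.example.invalid is a placeholder assumption, since the article names providers but not their endpoints.

```python
import base64
import struct
from urllib.parse import urlsplit

# Placeholder resolver endpoint (assumption): the article names Cloudflare and
# NextDNS as trusted resolvers but does not give their DoH URLs.
DOH_URL = "https://doh.example.invalid/dns-query"


def encode_qname(name):
    """Encode a host name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"  # root label terminates the name


def build_query(name, qtype=1):
    """Build a DNS query message for `name` (qtype 1 = A record).
    RFC 8484 recommends ID 0 so identical queries are cache-friendly."""
    # ID=0, flags=0x0100 (RD set), QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, base=DOH_URL):
    """GET form of a DoH request (RFC 8484 section 4.1): the wire-format
    message, base64url-encoded without padding, in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{base}?dns={b64}"


def parse_qname_from_wire(msg):
    """Read the QNAME back out of a plaintext DNS query, i.e. what anyone on
    the path can see when the lookup is sent unencrypted over UDP port 53."""
    labels, pos = [], 12  # question section starts right after the header
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def observer_view(name):
    """Compare exposure: plaintext DNS leaks the queried name, while DoH only
    exposes the resolver's host (via TLS SNI); the name rides inside HTTPS."""
    return {
        "plaintext_dns_reveals": parse_qname_from_wire(build_query(name)),
        "doh_reveals": urlsplit(doh_get_url(name)).hostname,
    }
```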


 
I don't get it, we already had DNSSEC...

That attempts to insure a DNS server against poisoning and provides one level of validity, not security through encryption for name/IP lookups. I already changed my DNS to 1.1.1.1, it's noticeably a faster resolver.

Here's a link to check DNSSEC for this site: Click Techspot (or press enter).
 
I saw this on Neowin. What say you?
If you shop for a new router make sure it supports strict DNS-over-TLS requests and the ability to force DNS requests to a predetermined DNS host. IMO DoH is a bad implementation since you lose control over your DNS requests.

Seems like that would be faster too. Right?
 
Check out Richard Bennett's article here.

There's a lot of strum about this from tech writers, each with a unique perspective. In a world of IT discussions over implementations and RFCs there's always been contention, but as long as "something" isn't breaking or 'hurting' another entity's ability to do what it does, the cooperative nature of the net should roll on in a working state.

"You run yours your way, and I'll run mine my way". Breaking that credo would be bad, but who does? No one HAS to have DNS. It makes things more readable though.

In this part, it reads like he's carping /because/ it's Google, saying the "application" is somehow being - what? It's software ASKING for the numeric address to "THIS STRING". It seems sketchy to jump that shark. If someone is worried about Google snooping, the obvious answer seems to be a total avoidance of Google's DNS servers.

"Google is committed to an approach that takes implementation decisions out of the hands of operating systems, network administrators, and local laws. By implementing DoH in browsers, the firms have created a scenario where lookup speed and integrity depend on the applications doing the lookups.
DNS has always been more than an address book; it is currently a distributed database that supports a number of application needs for email, CDNs, video streaming, and a host of other distributed applications with inter-process communication needs. DoH changes all of this by reducing the capacity of DNS, in contradiction to early hopes."
DNS over TLS is no more secure than DNS over HTTPS, the browser, or some other application, encrypts a request to send, then a DNS server (almost transparently in terms of memory/CPU time) encrypts it and sends it back.

Configuring a router like the ones suggested for non-default (or auto-configured) DNS is a matter of entering the IP for the DNS servers manually. If the 'new' servers are fast enough for production those are ones we want to use. I think having a stack of alternates (if supported) is a good idea. Probably.
 
Ok the arguments for DNS over TLS versus DNS over HTTPS.
DNS over TLS is what network administrators prefer because it still allows them to monitor network traffic. DNS over HTTPS is preferred by human rights advocates since it's more user friendly and can disguise comings and goings. So it seems to me that if you work for an organization and want to be able to monitor network traffic then DoT is the rule and everyday browsing or dissidents DoH would be the best method. The hack of Equifax was using DoH, so that seems to be the example that is put forth as disfavor toward DoH. Personally, I think both have their pros and cons and considering situational use would be the determinate factor. Use both and for the situation that calls for it. There's nothing to stop an organization from accepting or not accepting certain connections. Really dependent upon who their clients are.
 
I just ran ping to 100 random hosts, max, min and average times are <40ms, this looks like a done deal.

The EU has complaints over content control and age-appropriate content barriers being broken. The Firefox 'group' seems to be acceding - a little - meanwhile the software has been deployed, and Microsoft is also onboard. As you said, use both "it's so simple".

As long as it's not breaking anything I don't see a problem, gaining the IETF's blessing through the RFC proposal will happen at some point. Companies (ISPs) operating DNS that see an impact from increased overhead (if there is any) will simply upgrade if they want to continue to provide name server resolution.

I'm just thinking through this myself. I've read along for a bit but it's been several years since I've installed a local DNS server. Google wants to push everything in their general direction, it doesn't look like the rest of the net is going along with their ideas.
 
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

Most likely because DNS contains zero confidential data, it's a lookup of public value pairs. I still fail to see the value. If you want to protect information on your website, you don't protect it on the DNS level. That'd be security through obscurity, which is not real security. That's like a company trying to hide its P.O. box. Why would you do that and what would that accomplish?
 
I fail to see how DNS encryption is a security solution. That is how little I know about the topic. But that is OK as long as I know, there are others that are fighting that fight for me.
 
I'm going to be slow to adopt anything until I get a better understanding and picture of the technologies and what they're doing. It's difficult to decipher between malevolent and benevolent forces when you know they all have an angle, and yes, that includes Mozilla. I can't remember the story or locate it right now, but there was something that came out about all the main browser companies collecting information for trade and sale. Brave browser, to their credit, came out as not one of them. You can't rest on your laurels with any of them. Money talks and BS walks.

There are several technologies to consider here: DNS over TLS; DNS over HTTPS; DNSSEC, and even VPN as an end attachment. It would be nice if for once a single solid solution can just spring up to the top, but that just never ever seems to be the case. Got to do the work and the research. Initial conclusion? Addresses leak. There's just not much that can be done about that. I think it's just a matter of how you parcel out trust that's the key. I generally try to never give a full picture or trust to any single entity for all of my needs as a matter of course. I'm not doing anything wrong, but I'm not giving away a nice neat full package, and I'll gladly exploit any distrust between these companies to further ensure the minimum consolidation of my information. Eeny, meeny, miny, moe, for you a thumb, and for you a toe. For my name is Humpty Dumpty.
 