Mozilla plans to enable support for the DNS-over-HTTPS (DoH) protocol by default inside the Firefox browser for a small number of US users starting later this month.
The browser maker has been testing DoH support in Firefox since 2017. A recent experiment found no issues, and Mozilla plans to enable DoH in the main Firefox release for a small percentage of users, and then enable it for a broader audience if no issues arise.
“If this goes well, we will let you know when we’re ready for 100% deployment,” said Selena Deckelmann, Senior Director of Firefox Engineering at Mozilla.
What is DoH?
DoH (IETF RFC 8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn’t encrypt DNS requests. That’s a different protocol, namely DNS-over-TLS, aka DoT].
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare’s DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver.
By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and just about any other third party that tries to intercept and sniff a user’s traffic.
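To make concrete what "DNS requests as normal-looking HTTPS traffic" means, here is an added example (not Mozilla's or Firefox's code) that builds an RFC 8484 query, produces the GET URL form that a DoH client would send, and parses a constructed response body; the resolver URL and the sample response are assumptions, not captured traffic.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # Content-Type of every DoH request/response (RFC 8484)

def encode_qname(name: str) -> bytes:
    """RFC 1035 name encoding: length-prefixed labels ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with one question (qtype 1 = A, class 1 = IN); RD flag set.
    RFC 8484 recommends a zero transaction ID so identical GET URLs are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form (RFC 8484 section 4.1): base64url with '=' padding stripped, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def skip_name(msg: bytes, off: int) -> int:
    """Step over a wire-format name; a compression pointer (top two bits 11) is two bytes."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += msg[off] + 1
    return off + 2

def parse_a_answers(msg: bytes) -> list[str]:
    """Return the IPv4 addresses from the A records of a response body."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                   # question section: name + qtype + qclass
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):                   # answer RR: name, type, class, TTL, rdlength, rdata
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample response body (not captured traffic): example.com A 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_qname("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

On the wire the only thing distinguishing this from any other HTTPS request is the media type and the resolver hostname, which is why network filters that rely on plaintext port 53 traffic no longer see the query.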
When Mozilla announced it was working on DoH support in Firefox, privacy advocates rejoiced, and for good reason, as DoH would allow dissidents and other oppressed groups to bypass web traffic filters put in place by oppressive regimes.
But because of the issues listed above, DoH support has not been viewed as a welcome technical solution in enterprise environments and by ISPs.
ISPs watch DNS traffic in order to filter traffic for bad sites, enforce legally mandated site blocks, or collect users’ browsing history to resell to advertisers.
With DoH, they can’t peek into DNS traffic anymore.
In July, a UK ISP named Mozilla an “internet villain” for adding DoH support to Firefox. The ISP argued that it couldn’t filter traffic for child abuse sites because DoH would allow users to bypass any filters it put in place.
The ISP later withdrew the “internet villain” label after a massive public backlash, and Mozilla announced it would not enable DoH support by default for Firefox users in the UK.
Companies that provide enterprise traffic filtering solutions have also criticized the protocol, which they said can act as a firewall bypassing mechanism.
Malware authors have also found DoH to be an attractive protocol, and have started using it to hide malicious DNS traffic and successfully bypass enterprise-grade security systems.
Firefox to respect enterprise filters and parental controls
Mozilla certainly hasn’t heard the last of these discussions. Moving forward, the browser maker said it would try to avoid causing any problems.
For starters, Mozilla said that after it turns on DoH by default for US users, Firefox will contain a mechanism to detect the presence of any local parental control software or enterprise configurations.
If any are found, Firefox will automatically disable DoH, so the browser won’t bypass parental controls or enterprise configurations and traffic filters that were intentionally set in place for users’ safety.
Additionally, Mozilla is working with ISPs to make sure users won’t use DoH as a way to bypass legally mandated blocklists.
The organization said it’s been asking ISPs and providers of network-based parental control solutions to add a “canary domain” to their blocklists. When Firefox detects that this canary domain is blocked, it will disable DoH to prevent the feature from being used as a filter-bypassing solution.