Mozilla plans to integrate Trusted Recursive Resolver (TRR) via DNS over HTTPS in a future version of the Firefox browser. Initial functionality lands in Firefox 60 but further improvements will land in future versions such as Firefox 61.
DNS over HTTPS (DoH) is currently in draft status. Designed primarily for situations where DNS lookups may fail because of connectivity issues, and to prevent interference with DNS operations, it aims to improve user privacy, security and connection reliability.
Web browsers like Firefox use the DNS service configured on the system by default which in many cases is operated by the Internet Service Provider. You may change the DNS server to private or public ones to improve performance, security or filter out unwanted web content.
DNS over HTTPS runs DNS operations over encrypted HTTPS connections. This is not that different from using DNSCrypt to encrypt DNS traffic, but it is integrated directly in the browser.
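To make concrete what "running DNS over HTTPS" means on the wire, here is an added example (not code from the article, Mozilla or Firefox): it builds the same DNS wire-format query a DoH client POSTs to the resolver, and parses the wire-format answer that comes back. The `doh_lookup` helper takes the resolver URL as a parameter (the value one would put in network.trr.uri); the sample response is constructed inline so the parsing runs offline.

```python
import struct
import urllib.request


def build_dns_query(hostname, qtype=1, txn_id=0):
    """Encode a single-question DNS message (RFC 1035 wire format).
    This is the body a DoH client sends; the host name travels inside it."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in hostname.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_dns_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(parse_dns_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg):
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                # skip the echoed question(s)
        _, offset = parse_dns_name(msg, offset)
        offset += 4                         # qtype + qclass
    addrs = []
    for _ in range(ancount):
        _, offset = parse_dns_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def doh_lookup(hostname, doh_uri):
    """POST the query to a DoH resolver (media type from RFC 8484) and parse it."""
    req = urllib.request.Request(doh_uri, data=build_dns_query(hostname), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())


# Constructed sample response: example.com -> 192.0.2.1 (documentation range), 1 answer
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Because the resolver decrypts this body, it sees exactly the host name and the client's IP address that the quoted privacy objection below is about; TLS only hides it from on-path observers.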
DNS-over-HTTPS (DOH) allows DNS resolves with enhanced privacy, secure transfers and improved performance.
The initial version is disabled by default and users need to change preferences of the browser to enable TRR and set a DNS over HTTPS URI as well.
Mozilla is considering running a Shield Study on the Nightly population to gather important data. Firefox Nightly is the cutting-edge version of the browser, and a bug on Mozilla's Bugzilla site highlights the plan.
TRR would run in shadow mode (lookups are performed and recorded, but the results are not used) and use Cloudflare's public DNS over HTTPS server to test the functionality.
Enabling the study in the proposed form would send all DNS lookups to the third-party Cloudflare. Mozilla employee Henri Sivonen expressed concerns:
Sending information about what is browsed to an off-path party will erode trust in Mozilla due to people getting upset about privacy-sensitive information (what they browse where "they" is identified by IP address and "what" by host name) getting sent to an off-path party without explicit consent.
The policy agreements we have in place with the off-path party won't remove this negative effect, since the way people are known to react to this kind of thing isn't in our power to negotiate: people will react to this as a matter of what technically got sent and not as a matter of what the recipient promised not to do. (A browser sending information about what is browsed to an off-path party is the quintessential browser privacy no-no.)
The discussion went back and forth on Bugzilla and the Mozilla Dev Platform group on Google Groups. Some Mozilla employees expressed concern and wanted the study to become opt-in, even on Nightly.
Mozilla has an operational agreement with Cloudflare regarding the Study which prevents Cloudflare from keeping records or selling or transferring the data to third parties.
While nothing has been decided yet, it appears as if Mozilla will run the study in the proposed form.
Firefox Nightly users may want to monitor the preference network.trr.mode for changes. Users may set the preference to 0 to disable TRR and leave the study as a consequence.
Mozilla added several configuration parameters to Firefox that configure TRR.
The preference network.trr.mode defines the status of TRR in Firefox.
The preference network.trr.uri needs to be set to the address of a DNS over HTTPS server. Two public servers are available right now:
Other preferences explained:
DNS over HTTPS is a good thing as it improves the privacy and security of DNS lookups provided that a trustworthy provider is used. I think that a Study should be opt-in, or at the very least inform the user that the Study has been enabled in the browser and provide information on how to turn it off.
Now You: What's your take on this?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.