Firefox, DNS over HTTPS and a controversial Shield Study
Mozilla plans to integrate Trusted Recursive Resolver (TRR) via DNS over HTTPS in a future version of the Firefox browser. Initial functionality lands in Firefox 60 but further improvements will land in future versions such as Firefox 61.
DNS over HTTPS (DoH) is currently in draft status. It is designed primarily for situations where DNS lookups may fail because of connectivity issues and to prevent interference with DNS operations, with the aim of improving user privacy, security and connection reliability.
Web browsers like Firefox use the DNS service configured on the system by default, which in many cases is operated by the Internet Service Provider. You may switch to a private or public DNS server to improve performance or security, or to filter out unwanted web content.
DNS over HTTPS in Firefox
DNS over HTTPS runs DNS operations over encrypted HTTPS connections. This is not that different from using DNSCrypt to encrypt DNS traffic, but it is integrated directly in the browser.
DNS-over-HTTPS (DOH) allows DNS resolves with enhanced privacy, secure transfers and improved performance.
The initial version is disabled by default and users need to change preferences of the browser to enable TRR and set a DNS over HTTPS URI as well.
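To make concrete what "running DNS over HTTPS" means on the wire, here is an added example (not Firefox code, not from the original article) that builds the DNS wire-format query a DoH client carries inside an HTTPS request and parses the answer; it follows RFC 8484, the published form of the draft the article refers to, and the hostname, resolver URI and response bytes are constructed.

```python
import base64
import struct

# Added example, not Firefox code: builds the DNS wire-format query that a DoH
# client such as Firefox's TRR sends inside an HTTPS request (as the POST body,
# or base64url-encoded in a GET "dns=" parameter, per RFC 8484, the published
# form of the draft) and parses the wire-format answer. All values constructed.

def build_query(name, qtype=1):
    """DNS query for `name` (qtype 1 = A, 28 = AAAA); ID 0 as RFC 8484 suggests."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def doh_get_url(uri, message):
    """GET form: base64url without '=' padding; POST would send `message` as body."""
    b64 = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{uri}?dns={b64}"

def parse_a_answers(message):
    """IPv4 answers from a wire-format response; handles name compression."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", message[:12])
    def skip_name(p):
        while True:
            length = message[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", message[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in message[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed response to the example.com A query: one answer, 192.0.2.1, TTL 300,
# answer name given as a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The hostname being looked up travels only inside the TLS-protected HTTP request, which is the privacy gain over plain UDP DNS; the resolver at the other end of that connection still sees it, which is the point the article's discussion turns on.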
Mozilla considers running a Shield Study on the Nightly population to gather important data. Firefox Nightly is the cutting edge version of the browser, and a bug on Mozilla's Bugzilla site highlights the plan.
TRR would run in shadow mode (it records data but is not used for actual resolution) and use Cloudflare's public DNS over HTTPS server to test the functionality.
Enabling the study in the proposed form would send all DNS lookups to the third-party Cloudflare. Mozilla employee Henri Sivonen expressed concerns:
Sending information about what is browsed to an off-path party will erode trust in Mozilla due to people getting upset about privacy-sensitive information (what they browse where "they" is identified by IP address and "what" by host name) getting sent to an off-path party without explicit consent.
The policy agreements we have in place with the off-path party won't remove this negative effect, since the way people are known to react to this kind of thing isn't in our power to negotiate: people will react to this as a matter of what technically got sent and not as a matter of what the recipient promised not to do. (A browser sending information about what is browsed to an off-path party is the quintessential browser privacy no-no.)
The discussion went back and forth on Bugzilla and the Mozilla Dev Platform group on Google Groups. Some Mozilla employees expressed concern and wanted the study to become opt-in, even on Nightly.
Mozilla has an operational agreement with Cloudflare in regards to the Study which prevents Cloudflare from keeping records or selling or transferring the data to third parties.
While nothing has been decided yet, it appears as if Mozilla will run the study in the proposed form.
Firefox Nightly users may want to monitor the preference network.trr.mode for changes. Users may set the preference to 0 to disable TRR and leave the study as a consequence.
TRR DNS over HTTPS configuration parameters
Mozilla added several configuration parameters to Firefox that configure TRR.
The preference network.trr.mode defines the status of TRR in Firefox.
- A value of 0 means that TRR is disabled and not used.
- A value of 1 means that Firefox uses either native DNS or TRR, depending on which answers faster.
- A value of 2 uses TRR by default but falls back to the native resolver if the name resolution fails for whatever reason.
- A value of 3 enables TRR-only mode. Only TRR is used and there is no fallback.
- A value of 4 runs TRR in shadow mode, which means that TRR runs in parallel to gather data but the native resolver's answers are used.
The preference network.trr.uri needs to be set to the address of a DNS over HTTPS server. Two public servers are available right now:
Other preferences explained:
- network.trr.credentials -- Credentials sent with requests to the DNS over HTTPS endpoint (default: none).
- network.trr.wait-for-portal -- Use TRR only once captive portal detection gives its okay (default: true).
- network.trr.allow-rfc1918 -- Allow RFC 1918 private addresses in TRR responses (default: false).
- network.trr.useGET -- Use HTTP GET instead of POST for TRR requests (default: false).
- network.trr.confirmationNS -- Domain name Firefox resolves through TRR to confirm that TRR works; any positive answer is accepted (default: example.com).
- network.trr.bootstrapAddress -- Set this to the IP address of the host in network.trr.uri to avoid using the native system resolver to look it up (default: none).
- network.trr.blacklist-duration -- Number of seconds an entry stays on the TRR blacklist (default: 259200).
- network.trr.request-timeout -- TRR requests time out after this many milliseconds (default: 3000).
- network.trr.early-AAAA -- Firefox checks both A and AAAA entries and uses the AAAA answer first only if this preference is set to true (default: false).
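Since the article suggests that Nightly users monitor network.trr.mode, here is an added example (not Mozilla code) that reads the user_pref lines of a profile's prefs.js, decodes the TRR preferences listed above, and reports whether TRR has been switched on; the prefs.js excerpt embedded in it is constructed sample input, not a real profile.

```python
import re

# Added example, not Mozilla code: audits a Firefox profile's prefs.js for the
# network.trr.* preferences so a user can see whether a study or anything else
# moved network.trr.mode away from 0. SAMPLE_PREFS below is constructed input.

TRR_MODES = {
    0: "disabled",
    1: "race native DNS against TRR, use whichever answers faster",
    2: "TRR first, native fallback on failure",
    3: "TRR only, no fallback",
    4: "shadow mode: TRR runs in parallel, native answers are used",
}

# prefs.js lines look like: user_pref("name", value);  value is "str", int or bool
PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(?:"((?:[^"\\]|\\.)*)"|(-?\d+)|(true|false))\);')

def parse_prefs(text):
    """Map preference name -> Python value for every user_pref line in `text`."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, s, n, b = m.groups()
        prefs[name] = s if s is not None else (int(n) if n is not None else b == "true")
    return prefs

def audit_trr(prefs):
    """Return (mode description, list of findings) for the TRR preferences."""
    mode = prefs.get("network.trr.mode", 0)  # Firefox ships with TRR disabled (0)
    findings = []
    if mode != 0:
        findings.append(f"TRR active (mode {mode}: {TRR_MODES.get(mode, 'unknown')}); "
                        f"lookups go to {prefs.get('network.trr.uri', '<no URI set>')}")
    if prefs.get("network.trr.allow-rfc1918", False):
        findings.append("RFC 1918 private addresses accepted in TRR answers")
    if prefs.get("network.trr.bootstrapAddress"):
        findings.append("resolver host pinned to " + prefs["network.trr.bootstrapAddress"])
    return TRR_MODES.get(mode, "unknown"), findings

SAMPLE_PREFS = '''// Constructed prefs.js excerpt, not from a real profile
user_pref("browser.startup.page", 1);
user_pref("network.trr.mode", 4);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("network.trr.allow-rfc1918", false);
user_pref("network.trr.bootstrapAddress", "192.0.2.53");
'''
```

On a real profile, run parse_prefs over the contents of prefs.js in the profile directory (Firefox writes it on shutdown) and call audit_trr on the result; a mode other than 0 with a URI you did not set yourself is the signal the article tells Nightly users to look for.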
DNS over HTTPS is a good thing as it improves the privacy and security of DNS lookups provided that a trustworthy provider is used. I think that a Study should be opt-in, or at the very least inform the user that the Study has been enabled in the browser and provide information on how to turn it off.
Now You: What's your take on this?