Mozilla still on track to enable DNS-over-HTTPS by default in Firefox
Mozilla published a list of requirements that companies need to meet if they want to be included as Trusted Recursive Resolvers for Firefox's upcoming DNS-over-HTTPS feature.
DNS-over-HTTPS aims to improve user privacy, security and the reliability of connections by sending and receiving DNS information using HTTPS.
Mozilla ran a Shield study in 2018 to test the DNS-over-HTTPS implementation in Firefox Nightly versions. The organization selected Cloudflare as its partner for the study after Cloudflare agreed to Mozilla's requirements to not keep records or sell or transfer data to third-parties.
Firefox users may configure DNS-over-HTTPS in the browser. Mozilla plans to make it the default in Firefox going forward; while that is beneficial overall, doing so comes with its own set of issues and concerns.
- Firefox will use the feature for DNS related activities and not the DNS configured on the computer. Means: local hosts files, resolvers, or custom DNS providers will be ignored.
- The selection of Cloudflare as the first partner was controversial.
Mozilla plans to make DNS-over-HTTPS the default in the Firefox web browser. Firefox users may still disable the feature once Mozilla makes the switch from off to on though.
The organization wants to select a number of companies for use as Trusted Recursive Resolvers in the Firefox web browser. To address concerns in regards to privacy, Mozilla created a list of policies that these organizations need to conform to.
- User data may only be retained for up to 24 hours and that needs to be done "for the purpose of operating the service".
- Aggregate data may be kept for longer.
- Personal information, IP addresses, user query patterns, or other data that may identify users may not be retained, sold, or transferred.
- Data gathered from acting as a resolver may not be combined with other data that "can be used to identify individual users".
- Rights to user data may not be sold, licensed, sublicensed or granted.
- Resolver must support DNS Query Name Minimisation (to improve privacy, the resolver does not send the full original QNAME to the upstream name server).
- The resolver must not "propagate unnecessary information about queries to authoritative name servers".
- Organizations need a "public privacy notice specifically for the resolver service".
- Organizations need to publish a transparency report "at least yearly".
- The company that operates the resolver should not block or filter domains unless required by law.
- Organizations need to maintain public documentation that lists all domains that are blocked and maintain a log that highlights when domains get added or removed.
- The resolver needs to provide an "accurate NXDOMAIN response" when a domain cannot be resolved and not alter the response, e.g. redirect a user to alternative content.
Mozilla's system will be opt-out means that it is enabled by default for all Firefox users if Mozilla does not change that prior to integration in Firefox Stable.
Now Read: Is Mozilla's new DNS feature dangerous?Advertisement