Mozilla plans to roll out DNS over HTTPS to US users in late September 2019
Starting in late September 2019, DNS over HTTPS (DoH) is going to be rolled out to Firefox users in the United States.
DNS over HTTPS encrypts DNS requests to improve security and privacy of these requests. Most DNS requests happen in the open currently; anyone listening to the traffic gets records of site and IP addresses that were looked up while using an Internet connection among other things.
DoH encrypts the traffic and while that looks good on first glance, it needs to be noted that TLS still gives away the destination in plaintext.
One example: Internet providers may block certain DNS requests, e.g. when they have received a court order to block certain resources on the Internet. It is not the best method to prevent people from accessing a site on the Internet but it is used nevertheless.
DoH is excellent against censorship that uses DNS manipulation.
Tip: check out our detailed guide on configuring DNS over HTTPS in Firefox.
Mozilla started to look into the implementation of DoH in Firefox in 2018. The organization ran a controversial Shield study in 2018 to gather data that it needed for the planned implementation of the feature. The study was controversial because Mozilla used the third-party Cloudflare as the DNS over HTTPS service which meant that all user traffic flowed through the Cloudflare network.
Mozilla revealed in April 2019 that its plan to enable DoH in Firefox had not changed. The organization created a list of policies that DoH providers had to conform to if they wanted their service to be integrated in Firefox.
In "What's next in making encrypted DNS-over-HTTPS the Default", Mozilla confirmed that it would begin to enable DoH in Firefox starting in late September 2019. The feature will be enabled for some users from the United States and Mozilla plans to monitor the implementation before DoH is rolled out to a larger part of the user base and eventually all users from the United States.
We plan to gradually roll out DoH in the USA starting in late September. Our plan is to start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling for a larger audience. If this goes well, we will let you know when weâ€™re ready for 100% deployment.
While DNS over HTTPS will be the default for the majority of Firefox installations in the United States, it won't be enabled for some configurations:
- If parental controls are used, DoH won't be enabled provided that Mozilla detects the use correctly.
- Enterprise configurations are respected as well and DoH is disabled unless "explicitly enabled by enterprise configuration".
- Fall back option if DNS issues or split horizon configuration cause lookup failures.
Network administrations may configure their networks in the following way to highlight to Firefox that the network is unsuitable for DoH usage:
DNS queries for the A and AAAA records for the domain â€œuse-application-dns.netâ€ must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver.
How to block DNS over HTTPS
You have two options when it comes to DoH in Firefox. You can change the default provider -- Cloudflare is the default -- to another provider (for whatever reason) or block the entire feature so that it won't be used.
If you don't want to use it, set the value of network.trr.mode to 5 on about:config.
Now You: What is your take on DoH and Mozilla's implementation?Advertisement