Comcast is the first ISP that joins Firefox's Trusted Recursive Resolver Program
Comcast is the first Internet Service Provider that has been accepted into Firefox's Trusted Recursive Resolver Program.
Mozilla, just like Google, Opera and other browser makers, started to integrate DNS-over-HTTPS in the organization's Firefox web browser. DNS-over-HTTPS is one method of securing DNS information; in this particular case, HTTPS encryption is used to defend DNS lookups against attacks and privacy invasions, e.g. attacks that manipulate the data.
Regular DNS lookups are in plain text and that means that it is possible under certain circumstances to monitor or manipulate the information, e.g. to change the target of a request.
Mozilla created the Trusted Recursive Resolver Program early on to ensure that DNS providers would adhere to "modern standards for privacy and security". In particular, joining the program requires the following:
- Limiting data -- DNS data may only be used for "the purpose of operating the service", may not be retained for longer than 24 hours, and cannot be "sold, shared, or licensed to other parties".
- Transparency -- Companies are required to post a public privacy notice that reveals how "data is retained and how it is used".
- Blocking & Modification -- Companies may not block, filter, modify or provide inaccurate responses unless "required by law".
DNS over HTTPS configuration is available in Firefox, but the feature is only being tested in the United States at the time of writing. Mozilla's way of working with companies through the Trusted Recursive Resolver Program differs from how companies such as Google handle DNS over HTTPS: Google's Chrome browser will use DNS over HTTPS automatically if the system's DNS provider supports it, whereas Mozilla decided to cooperate with companies that have joined its program.
Firefox users may check out the DNS over HTTPS configuration guide for instructions on how to set this up in the browser. Comcast customers will benefit from the change automatically, provided that they have not changed the DNS provider on the system.
Comcast started DNS over HTTPS tests in October 2019, according to Mozilla. It is the first Internet Service Provider to join Firefox's program; two companies joined the program before Comcast: Cloudflare and NextDNS. It is likely that additional companies will join the program eventually.
Now You: do you use DNS over HTTPS already?
Sorry but Comcast and Trusted are not words that should ever be in the same statement (unless Trusted is prefixed with “not” or “un-”).
And “required by law” is truly worrisome as it’s only one step from a government not agreeing with any website for their own agenda to then having it blocked.
DoH is complete nonsense and only makes it easier for certain *cough* agencies *cough* to snoop on users, by further centralizing traffic.
I quote from the following article: https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/
“(…) But if we sum it up, pre-DoH, the following parties have access to the names of most of the sites you visit:
1. Your own network provider
2. Your own government, police, intelligence services (through court orders)
3. Anyone capable of snooping your local network
4. Certificate authority providers (through OCSP)
5. Large scale tracking & advertising companies (Google, Facebook)
DNS over HTTPS in browsers is currently exclusively offered by/through American companies. So after switching to DoH, we have to add the following to our list:
Cloudflare / your DoH provider (…)”
Yeah, unnecessarily introducing yet another party to your traffic surely improves privacy. /s Mozilla and Google (and Microsoft) are anti-user here, as always.
In Chromium-based browsers:
chrome://flags/#dns-over-https set to “Disabled”
about:config –> network.trr.mode set to “0”
Don’t listen to Iron Heart on Firefox matters: he does not use Firefox and has no knowledge of how anything in it works
If you want to make sure DoH is never **offered** to you (it is not changed on you silently: you get a doorhanger notification to accept/decline/change), then the value to use is 5
0 = default off <– the default which means nothing to a rollout
5 = explicitly off <– not default, lets a rollout know you don't want it (to save you getting a prompt)
This setting has been available since FF61, which was released 2018-06-26. That's exactly a whole year before this article was posted, for Iron Heart to get his information correct
so basically the key takeaway I get from this, is that Comcast (who already does DNS hijacking and god knows what else) has paid Mozilla so that Comcast can continue its malicious practices, or did Mozilla do it for free?
Mozilla, the supposed privacy advocates, have just sold out their users. There is no positive for the consumer to be had from this deal, sad. If anything it proves that DOH+ESNI does protect users from some levels of spying and censorship, so much so that ISPs and governments must now bribe software to bypass it, even if that means they run their own in-house DOH servers, claiming they don’t log anything, but as I’ve said before, this is 2020 and we’re long past “Just trust us bro” in regard to company statements about logging policies.
I use it often, it’s useful to override ISP site blocking. And ESNI is also enabled.
But for those who don’t want it, you don’t have to use it.
This privacy focused browser, by this privacy focused organisation, would not add, or even acknowledge AdGuard DNS. Yet there’s
Cloudflare – by default, and literal spyware
NextDNS – some literal nobody
and Comcast – a company everyone complains about and, by the looks of it, not an end-user ally.
The problem with adding AdGuard is that it’s self-defeating if Mozilla ever wants to partner with other companies – as it would block the tracking… :)
I don’t get this at all, isn’t one of the primary stated goals of DNS over HTTPS to prevent your ISP from spying on your browsing activities, and in the case of US-based ISPs, from selling this data to third-parties?
The fox is in the hen house.
When you live in Hawaii, you have to use your ISP’s DNS servers. They are the ONLY one with servers LOCATED WITHIN THIS STATE. If I used servers from Google or Cloudflare, etc then the expensive connection I pay for would become a much SLOWER connection. I’ve tried Mainland servers and the difference is VERY noticeable. (Steve Gibson’s DNS Resolvers app makes this very clear).
Luckily, I don’t see the point in all this encryption.
You can try PiHole as a self serving DNS server in case you are that concerned.
“Secret” DNS queries are largely driven by the desire to keep your ISP (Like, ya’know Comcast?!) from tracking where you go and sending a crapload of bandwidth hogging ads you won’t read.
Why does this not make any sense? Does anyone over the age of 12 still work for Mozilla?
Until this DoH mess gets straightened out, if it ever does, our router will still determine who gets DNS queries. Leave it to “tech” to make http more private than https. Duh!
Comcast, Xfinity actually, tracks our TV viewing, which is so lame, we don’t care if they do and will actually remove offensive ads if we change channels enough times immediately when they air. Cool, plus they gave everyone unlimited internet with no upcharge in May and June. Otherwise, SOS Cable…200 channels and 180 are never watched.
ZDNet had an interesting article a few months ago with a great list of DoH servers to use:
Why it’s a no go–
For any interested, Waterfox (specifically Waterfox Current), is a great alternative to Firefox that strips all of the nonsense from Firefox, while keeping the speed and performance. I’ve been testing it out for a few weeks and it works great.
If it is not about some FF specific addons I would simply avoid gecko based browsers (esp. on Linux) and move on to a more secure engine, you know what I am talking about.
This article is literally the first time I have ever seen the words “Trust” and “Comcast” used together in the same sentence.
Trusting Comcast makes as little sense as trusting Facebook, Google, Twitter, or anything connected to Rupert Murdoch (such as Fox News).
Is that some sort of joke?
If you search for “Trust” with “Comcast”, there are millions of articles with those 2 words together.
Wow! That’s rude.
You blocked/trashed a super informative comment.
Well, that sucks. It would have been nice to finally get to read one of your comments that is actually “super informative”.
“Companies may not block, filter, modify or provide inaccurate responses unless ‘required by law’.”
So zero guarantee. Same as before.
@No Thanks, CIA:
“The CIA” […] “glow in the dark!” – Terry Davis, author of TempleOS
Yes, YES.. I can FEEL the glow coming from this Recursive Resolver Program.
As a long time Comcast broadband user (I have no alternatives) I can’t see Comcast doing this without getting something in return. Comcast is benefiting somehow from this agreement. It reminds me of how Google claims they are so concerned about your information and protecting it. Except when it directly benefits them to sift through it at their will.
At the very least, it could just be superficial fluff to help make them look like they care about privacy.
But sure, it’s reasonable to consider this rabbit hole goes deeper, yet I don’t care to speculate with frivolous conspiracy theories.
You can change the resolvers yourself so what is the big deal.?
if you don’t trust comcast then don’t use them.
This is a bit off topic, and as we know, Comcast has had various issues with customers.. And related to that, Cox on the other hand refused to give up customer data, thus got sued, went to court & lost, and are now facing a 1 billion $ penalty.
But this is the thing, I now see Cox has made some big changes to their user agreements, and it looks bad for its users.
The worst part I found basically says that they now forbid users to use a VPN. I doubt they are enforcing that new policy at all, but the fact it’s there is troubling.
As for privacy concerns, it looks like Cox may be as bad or worse than Comcast now.
The sad thing is that none of us has a real alternative other than the US controlled technologists, capitalists, corporations and politics… if there were a real alternative we would all soon understand who it might be, because it would be another real bad guy threatening democracy and freedom. We are already in a Dystopia no matter how many words to the opposite are being reinterpreted against it.
Saying we are in a dystopia is rather moot, as it doesn’t take much to be considered a dystopia.
Humans have always lived in some sort of dystopia, such as with our so-called “human condition” of WHAT IS.
Note that the opposite of dystopia is utopia, yet no society has clearly achieved utopia, yet many have tried and failed.
Furthermore, compared to WHAT IS, utopian ideals are for the most part untested dreams, which can go very bad if implemented without careful consideration. History has shown that many human made disasters (including much war and genocide) started with some good intended idealism, as with dreams of utopia.
@Benjamin Actually, there is an easy alternative: Stop giving any of these corporations your money and information.
I have never given any of these companies any money and I also use firewalls and other tools to block all of their properties: Google, Facebook (including WhatsApp, Instagram, Oculus, and Messenger), and Twitter.
I also have not given anything to, nor do I ever plan on supporting Philip Morris International, Monsanto, Marriott International, Nike, or The Trump Organization.
And here is a list of companies that I have given money to in the past, and have no intention of ever supporting again: Microsoft, AAA, State Farm, Chick-fil-A, EOS Fitness, 24 Hour Fitness, Ruger, Smith & Wesson, NRA, DNC, RNC, MillerCoors, Anheuser-Busch, T-Mobile, Target, Toyota, Spirit Airlines, Matsushita (Panasonic), Toshiba, and Samsung.
Except to buy just enough food and water to survive, none of us have to buy a single thing. It’s all a choice.
I encourage everyone to speak with their money, and if you live in a democracy, with your vote as well.
Yup, our biggest vote is often with how we spend our money. Also big are where you choose to live, and who you choose to work with or for.
Also, the ultimate boycott is to NOT have children.
I’m sure many corporations love overpopulated slums full of poor folks they can exploit.
Yet how many people who plan to have children ask themselves this question:
“By me having children, will that make the world a better place, or will that make the world worse?”
I think zero people consider such, and those who say they do are rather crazy, as they think they are breeding an army to save the world, move to Mars, or whatever crazy trend supports their carnal desire to breed more.
And that relates to those pro-life extremists, which often have some silly ideas. For example, if you are a man who is truly against abortion, then at least don’t have sex with any woman in a country where it is legal, otherwise you are putting your potential unborn child at risk. But is that a concern with those men? I think not.
Personally, I’m pro-life, but if folks want to kill their unborn children, then I’m not going to try to stop them AT ALL. But if they want help to do it, like forcing me to pay taxes for abortions, then they have gone too far IMO. Yet I choose to live in the USA, so I pay my taxes and I don’t fuss with complaining much, as I concede with what our democracy provides.
Cox has an EULA for each service. As for policies with VPNs, their media streaming services involve partners who want to accurately track users, due to licensing of media and such, and VPNs tend to not play well with those services.
Just like other ISPs in the USA, Cox collects data. Cox has some sort of an opt-out, but that may not do much, depending on what services you have with them.
If you just have ISP service with Cox, then I doubt using a VPN is an issue. They at least need to know who their customers are, as with the MAC addresses and such, but VPNs don’t mess with those IDs.
But that’s all old news. The topic now is about “DNS over HTTPS”, and how well that might work with an ISP, or not.