
Mozilla increases browser privacy with encrypted DNS


Mozilla is about to turn on by default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt the DNS lookups it makes for the websites you visit, using a feature called DNS-over-HTTPS (DoH), it said on Friday.

DNS (short for Domain Name System) is the service that takes a human-readable name like nakedsecurity.sophos.com and turns it into an IP address a computer can use. (Your DNS service provider is usually your ISP, but it doesn’t have to be. There are free and commercial DNS services too.)

The problem is that computers normally send DNS requests in the clear. That lets an attacker in the middle, whether sniffing the Wi-Fi in your local coffee shop or sitting on any of the hops between you and your DNS resolver, meddle with your DNS: they can read it to see what sites you’re visiting, or alter it to send you somewhere else.

The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018 it standardised DoH (RFC 8484) as one answer. DoH carries DNS queries and responses inside HTTPS requests, so they are protected by TLS encryption, and it moves them off the usual DNS port (53) onto the port used for ordinary HTTPS sessions (443). That makes DoH requests look like regular HTTPS traffic, so an ISP can’t stop them simply by filtering port 53, and blocking a public resolver’s HTTPS endpoint outright risks blocking legitimate web access along with it.
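As an added worked example (not code from the article or from Mozilla), the following Python builds the DNS question in wire format, shows how RFC 8484 carries it in a GET URL, and decodes a constructed response. The resolver URL and the sample response are assumptions made for the example.

```python
"""Build and decode DNS-over-HTTPS (RFC 8484) messages by hand.

Added example, not code from the article or from Mozilla. The DNS question
Firefox wants answered is packed in ordinary DNS wire format and then carried
as an HTTPS request: a GET with the query base64url-encoded in the ?dns=
parameter, or a POST with the raw query as an application/dns-message body.
On the wire an observer sees only TLS to port 443 of the resolver. Nothing
is sent here; the resolver URL is an assumption and the sample response is
constructed (192.0.2.10 is a documentation address).
"""
import base64
import struct
from typing import List, Tuple

QTYPE_A = 1
QCLASS_IN = 1
RESOLVER_URL = "https://mozilla.cloudflare-dns.com/dns-query"  # assumed for the example


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS labels: <len><label>... terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a recursive query (QR=0, RD=1, one question) in wire format.

    The ID is fixed at 0 as RFC 8484 recommends for DoH, so identical
    queries produce identical GET URLs that HTTP caches can reuse.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """GET transport: the wire query, base64url without '=' padding, in ?dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(resp: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ttl, ipv4) for each A record in a wire-format response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = read_name(resp, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed response to the A query for nakedsecurity.sophos.com: flags
# 0x8180 (QR, RD, RA, RCODE 0), one question echoed, one answer whose name
# is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_qname("nakedsecurity.sophos.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("nakedsecurity.sophos.com")
    print(doh_get_url(q))
    print(parse_a_answers(SAMPLE_RESPONSE))
```

The only thing a network observer gets from this exchange is a TLS connection to the resolver on port 443 and the length of the request, which is why DoH blends in with ordinary web traffic and why blocking it means blocking the resolver itself.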

The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything – such as parental control systems or the safe search capability on some search engines, like Google.

A third thing that Mozilla had to test for was split-horizon DNS resolvers, which companies often use to grant access to both public and non-public web addresses. For example, if you’re working on a company website, you might get the regular public version if you access it from outside the company network, but the split-horizon DNS resolver might show you one that’s in development if you access it from inside the company network.

Mozilla found that only 4.3% of users had parental controls configured or Google SafeSearch turned on, and that only 9.2% of queries were handled by split-horizon resolvers, and decided both cases were manageable. Its approach is to fall back to regular DNS whenever it detects either situation.

Encrypting DNS in transit doesn’t hide your queries from the resolver itself: whoever runs it has to decrypt and read them in order to answer. In this case, Mozilla’s default provider is Cloudflare, which launched its 1.1.1.1 DNS service in April 2018. Does this present a privacy issue?

Your DNS queries always end up being read by one resolver operator or another, but Cloudflare has agreed with Mozilla to collect only what it describes as a limited amount of data about users. It says it deletes per-user query logs after 24 hours, keeping only anonymous logs that aggregate the domain names requested.

Mozilla also told us:

Any DNS provider that we integrate into Firefox will be required to follow a strict set of policies that prevent them from using DNS request data for anything other than providing the DNS service and that requires them to delete that data after 24 hours.

Mozilla will start rolling out the new default to US users this month, beginning with a small percentage and ramping up if it goes well. It couldn’t tell us when it might turn it on for people in other countries, and told us by email:

We do not have any current plans to release this feature outside the USA. We’re exploring potential DoH partners in Europe to bring this important security feature to users there. As soon as we have new information to share, we’ll make it available on our Future Releases blog.

Mozilla has drawn flak from the UK Internet Service Providers Association (ISPA), which nominated it for an ‘Internet Villain’ award for proposing to roll out DoH in a way that bypasses UK filtering obligations and parental controls.

Users for whom Mozilla enables DoH by default will be able to turn it off.

Or, if it isn’t enabled by default, you can turn it on (desktop only; the mobile editions don’t support it). Go to Options > General, scroll down to Network Settings and click Settings, then check the Enable DNS over HTTPS box and either keep Cloudflare as the default or set your own provider (here’s a list).

Google is also backing DoH. It says that it’s planning an experiment with the technology in Chrome 78 “followed by a launch if everything goes well”.

13 Comments

A few thoughts I have here:
– If they need to keep the logs for 24 hours – it could be considered not private enough
– TLS/HTTPS have their privacy weaknesses, so could be considered not as secure as claimed
– Sniffing in-the-clear DNS requests is often performed by ISPs, as well as other MITMs
– If you’re looking to implement DoH/DoT then I would recommend a system that doesn’t use just one source resolver like Cloudflare – use many to distribute the load (and logging :D). Using a DoH/DoT proxy/gateway can aid that
– If you’re using a DoH/DoT proxy/gateway (to privatise all your devices’ DNS traffic on that network) and your browser is defaulting to its own DoH/DoT DNS server like Cloudflare, then it will use only that one, bypassing your preferred choice(s)
– It’s ‘interesting’ that mobile devices aren’t supported….

However these are positive enhancements to Firefox.


In an Active Directory scenario, I need to enable DoH on the gateway (AD server) and keep the workstations using the gateway. This is required for compliance reasons. At least Mozilla is generous enough to offer direction on how to manage that through their Enterprise policies customization tools.

https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise

Guess I know what I’ll be spending my time doing the next couple of hours…

A side note: I’m not really looking forward to malware starting to use this same strategy. This is going to get real ugly.


+1

Mozilla also explains how to exempt specific domains from being looked up over HTTPS, if you want to do local resolution of just a few domains but go encrypted for the rest. You can also make the setting even stricter if you want – the new default, it seems, is to use DNS-over-HTTPS *unless it fails*, in which case fall back to old-school DNS (presumably the one that the rest of your operating system is using).

So in a coffee shop you do trust, you *won’t* use their DNS servers (even though you wouldn’t mind) but in a rogue coffee shop that deliberately stops your DNS-over-HTTPS working, ironically, you *will* (even though you shouldn’t)…

…unless you go to about:config and set network.trr.mode = 3. There doesn’t seem to be any logic to ‘3’, you just have to memorise the numbers, which seem to mean: 0=use default settings; 1=choose based on speed; 2=use DNS-over-HTTPS unless it breaks, then fall back; 3=force DNS-over-HTTPS only; 4=there is no setting 4; 5=force regular DNS only. So it’s 5 for OFF and 3 for ON, obvs. :-)

In case you are wondering, trr is shorthand for ‘Trusted Recursive Resolver’, although DNS-over-HTTPS is the only protocol currently implemented for talking to trusted resolvers. As @Bill says, you can set your own list of TRRs so you’re not stuck with the big public ones.

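An added example (not code from the article, Mozilla or the commenters above) of what managing this centrally looks like in practice: a check over Firefox’s enterprise policies.json that fails a policy which leaves DoH enabled or unlocked. The DNSOverHTTPS policy and its Enabled, ProviderURL and Locked keys are Firefox’s documented enterprise policy; the two sample policy files and the approved resolver URL are constructed for the example.

```python
"""Audit a Firefox enterprise policies.json for its DNS-over-HTTPS stance.

Added example, not code from the article, Mozilla or any commenter. In the
Active Directory scenario above, workstations must keep using the gateway
for DNS, so the Firefox policy has to switch DoH off *and* lock the setting
so users cannot re-enable it in Options. The schema (policies.DNSOverHTTPS
with Enabled, ProviderURL, Locked) is Firefox's documented enterprise policy;
the sample policy files and the approved resolver URL are constructed.
"""
import json
from typing import List

# Constructed: a policy that only looks managed. DoH is on, users can change
# it, and the resolver is whatever Firefox's built-in default happens to be.
WEAK_POLICY = json.dumps({
    "policies": {
        "DNSOverHTTPS": {"Enabled": True}
    }
})

# Constructed: what the gateway scenario needs. DoH off in the browser and
# locked, so the OS resolver (the gateway) handles every lookup.
HARDENED_POLICY = json.dumps({
    "policies": {
        "DNSOverHTTPS": {"Enabled": False, "Locked": True}
    }
})


def audit_doh_policy(policy_json: str, approved_providers: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is acceptable.

    Acceptable is either DoH disabled and locked, or DoH enabled, locked and
    pointing at an approved https resolver URL (for sites that terminate DoH
    at a resolver they run themselves).
    """
    findings: List[str] = []
    policies = json.loads(policy_json).get("policies", {})
    doh = policies.get("DNSOverHTTPS")
    if doh is None:
        return ["DNSOverHTTPS policy absent: users keep control of DoH and the "
                "browser default decides whether it is on"]
    if not doh.get("Locked", False):
        findings.append("Locked is not true: users can change the DoH setting in Options")
    if doh.get("Enabled", False):
        url = doh.get("ProviderURL")
        if not url:
            findings.append("Enabled without ProviderURL: Firefox will use its built-in default resolver")
        elif not url.startswith("https://"):
            findings.append(f"ProviderURL is not https: {url}")
        elif url not in approved_providers:
            findings.append(f"ProviderURL not on the approved list: {url}")
    return findings


if __name__ == "__main__":
    approved = ["https://doh.corp.example/dns-query"]   # assumed internal resolver
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_doh_policy(policy, approved) or ["OK"])
```

Run it against the policies.json you actually deploy (Firefox reads it from the distribution directory of the install); a non-empty list means a user, or Mozilla’s staged rollout, can still route lookups around your gateway.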

It already is ugly. And going to get worse. We don’t have our Firefox installs centrally controlled so I’m going to have to go around to every PC while the user is there and manually disable this crud.


As another commenter points out below, if you set your company’s DNS server to return NXDOMAIN for the domain name use-application-dns.net then Firefox will, by default, switch to regular DNS instead of using DNS-over-HTTPS.

That is a centralised way to disable this feature, at least in the short-to-medium term.


Is this available in the UK?


I forced it on myself in the UK a while ago. I edited/added the following strings in about:config

network.trr.resolvers = [{ "name": "Quad9", "url": "https://9.9.9.9/dns-query" }]
network.trr.uri = https://9.9.9.9/dns-query
network.trr.mode = 3

The first one adds ‘Quad9’ to the Preferences menu for next time. The second one sets the server (or is set from the Preferences menu). The last one sets ‘only use DNS-over-HTTPS mode and never fall back’.

If you have trouble with DNS lookups from time to time, setting mode=2 will use DNS-over-HTTPS if it works, else fall back.

If you decide to suppress fallback, you can verify it’s really off by temporarily setting uri=https://bogus.invalid/ and checking that browsing stops working…


Some malware has already done this. DoH and Tor are commonly used by malware to hide its C&C servers, so yeah…
And second, globally disabling DoH is easier than you’d think: create in your DNS server the domain use-application-dns.net with no records (NXDOMAIN).


Good point. It seems that Firefox checks to see if the domain use-application-dns.net works. Mozilla owns that domain so it ought to resolve. If it doesn’t then it apparently assumes that some sort of DNS filtering or other ‘unsuitable for DNS-over-HTTPS’ reason exists to fall back to regular DNS. The check is done at various times as you move around online. So any coffee shop router that blocks that domain automatically blocks DNS-over-HTTPS.

You can avoid this if you set network.trr.mode=3, but that means a coffee shop with a captive portal might not let your DNS-over-HTTPS traffic out (even if you use an IP number in network.trr.uri, and with no fallback you could get stuck… and so on). Therefore if you go with superlocked settings, be prepared for occasional hassles and fiddling. None of the coffee shops I frequent bother with captive portals – what for? free Wi-Fi is meant to draw you in and be easy, not to make you jump through hoops and drive you elsewhere! – but some hotels in the UK still love their ‘login windows’, although often all they do is try to upsell you to a faster connection instead of the free one, or show you an ad you ignore for 10 seconds and then connect you anyway.

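As an added example that is not code from the article, from Mozilla or from any commenter, here is the resolver-side half of the trick described in the two comments above: a DNS server that answers NXDOMAIN for use-application-dns.net and forwards everything else upstream. The query bytes, the listen address and the upstream resolver address are constructed for the example. It goes slightly beyond the comments in that it also answers the AAAA form of the check and copies the query’s recursion flag, so it behaves the same whatever shape the canary lookup takes.

```python
"""Answer NXDOMAIN for Firefox's DoH canary domain, forward everything else.

Added example, not code from the article, Mozilla or any commenter. Firefox
looks up use-application-dns.net before enabling DoH by default; an NXDOMAIN
answer tells it to stay on ordinary DNS. canary_response() builds exactly
that reply for a raw query and returns None for any other name so the caller
forwards it upstream. The sample queries are constructed; the listen and
upstream addresses are assumptions (192.0.2.53 is a documentation address).
"""
import socket
import struct
from typing import Optional, Tuple

CANARY = "use-application-dns.net"


def parse_question(query: bytes) -> Tuple[str, int, int, int]:
    """Return (qname lower-cased, qtype, qclass, offset just past the question).

    Queries carry an uncompressed name, so compression pointers are rejected.
    """
    if len(query) < 12 or struct.unpack("!H", query[4:6])[0] != 1:
        raise ValueError("expected a header with exactly one question")
    labels, off = [], 12
    while True:
        length = query[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(query[off:off + length].decode("ascii").lower())
        off += length
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def canary_response(query: bytes) -> Optional[bytes]:
    """Build a complete NXDOMAIN reply if the query is for the canary."""
    qname, _qtype, _qclass, qend = parse_question(query)
    if qname != CANARY and not qname.endswith("." + CANARY):
        return None                      # not ours: forward upstream
    txid, flags = struct.unpack("!HH", query[:4])
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=3 (NXDOMAIN).
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:qend]       # echo the question, no answers


def serve(listen=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)) -> None:
    """Minimal UDP front end: answer the canary locally, proxy the rest."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            data, client = sock.recvfrom(4096)
            try:
                reply = canary_response(data)
            except (ValueError, IndexError):
                continue                 # malformed: drop silently
            if reply is None:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                    up.settimeout(2.0)
                    up.sendto(data, upstream)
                    try:
                        reply, _ = up.recvfrom(4096)
                    except socket.timeout:
                        continue
            sock.sendto(reply, client)


# Constructed queries: ID 0x1234, RD set, A record for the canary; and an
# unrelated lookup for example.com that must be forwarded.
SAMPLE_CANARY_QUERY = (bytes.fromhex("123401000001000000000000")
                       + b"\x13use-application-dns\x03net\x00" + b"\x00\x01\x00\x01")
SAMPLE_OTHER_QUERY = (bytes.fromhex("abcd01000001000000000000")
                      + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    serve()
```

In production you would do this in the resolver you already run rather than in a separate process; in Unbound, for example, `local-zone: "use-application-dns.net" always_nxdomain` has the same effect. Note the limit the comments already point out: this only influences Firefox in its default mode, and a user who has set network.trr.mode=3 never asks your resolver anything.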

The instructions “Preferences > Network Settings. Check the Enable DNS” are unclear. To enable DNS over HTTPS in FF 69 on a PC, I have to go to Options > General > Scroll down to Network Settings, then click the Settings button.


Same here, no Preferences menu on my Firefox that I can see (I’m in the UK).


I think that describing the process as Options → General → and so on is more generally clear so I will change the article. Thanks for the comment.

On my Mac, at least, the Preferences option (every app has one) takes you to the right place – you don’t need to choose “General” because you start there, but the DNS setting is in the “General” section and you could select it if you wanted…

