Naked Security

Mozilla adds NextDNS to list of DNS-over-HTTPS providers

Good news for Firefox users interested in turning on the browser’s DNS-over-HTTPS (DoH) privacy feature – they now have two providers to choose from.

The first, of course, is Cloudflare, which Mozilla partnered with during the two-year development and testing of its DoH service, finally turned on for users in September.

Not all Firefox users were at ease with this – entrusting DNS privacy to a single company felt like a risk no matter how many assurances were being offered.

By adding a second provider, NextDNS, a startup founded in May 2019, Mozilla has not only offered an alternative but also got its promised Trusted Recursive Resolver (TRR) program off the ground. The TRR program matters because, as Mozilla says:

DoH’s ability to encrypt DNS data addresses only half the problem we are trying to solve. The second half is requiring that companies with the ability to see and store your browsing history change their data handling practices.

In other words, just encrypting DNS queries to make it more difficult for ISPs and governments to snoop on website visits won’t mean much if the company offering the DoH service hasn’t itself signed up to a robust privacy policy.
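To make concrete what DoH does and does not hide, here is an added example (not code from the article, Mozilla or NextDNS) that builds an RFC 8484 DoH request the way a client does and decodes a DNS message the way the resolver does once TLS has been stripped. The resolver URL https://dns.example/dns-query, the example.com answer and the response bytes are all constructed for the demonstration. The takeaway is that TLS protects the message from the network in between, but the resolver still reads the queried name in the clear, which is why the resolver's own data-handling policy is the other half of the problem.

```python
import base64
import struct

# Added example (not code from the article, Mozilla or NextDNS).
# Builds and parses DNS wire-format messages as carried by DoH (RFC 8484).
# https://dns.example/dns-query is a placeholder resolver URL.


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 recommends 0 so responses are cacheable),
    flags 0x0100 (recursion desired), one question of type qtype, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """DoH GET form: the raw message, base64url-encoded with padding removed,
    in the 'dns' query parameter. (POST sends the same bytes as the body with
    Content-Type: application/dns-message.)"""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_name(msg: bytes, offset: int) -> tuple:
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in its original position)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg: bytes) -> dict:
    """Decode header, questions and answers. A resolver runs exactly this on the
    bytes it receives: the queried name is plaintext to it, TLS or not."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": msg_id, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def sample_response(name: str = "example.com", ip: str = "93.184.216.34", ttl: int = 300) -> bytes:
    """Constructed response bytes for the demo (no network involved): flags 0x8180
    (response, recursion available), the question echoed back, and one A record
    whose owner name is a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_url("https://dns.example/dns-query", q))
    print("resolver sees:", parse_message(q)["questions"])
    print("client gets:", parse_message(sample_response())["answers"])
```

Pointing doh_get_url at a real DoH endpoint and sending the URL over HTTPS (with an Accept: application/dns-message header) is all a client needs; the same parse_message then decodes the real response. Note that the resolver sees the full query name and your IP address on every lookup, which is exactly the data the TRR policy limits to 24 hours of retention.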

It’s rather like VPNs, which many people use for security, privacy and to dodge geo-blocking only to discover that many providers (typically the free ones) are collecting private data to sell on to advertisers.

Mozilla’s TRR program requires that DoH resolvers, among other things:

  • Only collect data (e.g. IP addresses) for the purposes of running the service and don’t keep it for longer than 24 hours.
  • Publish a privacy policy explaining this.
  • Do not block, modify or censor websites unless required to by law.

PiHole-as-a-Service

Interestingly, NextDNS users who sign up for an account get control over what is blocked and what isn’t: they can create their own domain allowlists and blocklists, and subscribe to a range of public advertising, tracking and content-filtering lists.

They can even block specific applications and view traffic logs. This level of control is very unusual for a public DNS resolver; where ISPs filter DNS at all, they typically do it without telling the user.

It looks very like a cloud-hosted version of Pi-hole, the Raspberry Pi-based network ad blocker and DNS server, without the technical hassle of setting one up yourself.

That NextDNS has built its service this way suggests the company sees the possibility that DNS and DoH resolution could one day become a more general privacy layer, competing with things like browser ad blocking.

We noticed some wrinkles.

For example, NextDNS offers apps to configure the service on Windows, macOS, Linux, Android and iOS, which is impressive. But the apps are so new that some security software, never having encountered them before, throws up warnings about installing them.

In Firefox v71, DoH settings can be reached via Options > type ‘DNS’ in the search bar > Connection Settings > Enable DNS over HTTPS. The same settings are exposed in about:config as network.trr.mode (2 = use DoH with fallback to the system resolver, 3 = DoH only) and network.trr.uri (the chosen provider’s endpoint URL).

5 Comments

“But when we downloaded these we were hit by warnings from Windows Defender and Google’s Play Protect warning us against installing or running them.”

Good article overall, but I wish John would have added a bit more information about those warnings.


The warnings you’re likely to see, including from Defender, don’t actively say, “Watch out! Badware ahead!” but are more along the lines of “unrecognised app” or (in my translation) “not well-known enough to make inferences about yet.”

Generally speaking, apps that are obviously bad will be detected and actively blocked by most security software. Those that seem OK but collect sensitive data or provide controls based on what you do and where you go are tricky to pronounce upon – the app might be written with the best intentions yet, for all we know, might inadvertently have issues in respect of what it collects or how it processes it.

I am not for a moment suggesting that NextDNS has made any sort of blunder like that – just saying that until we’ve all had a chance to see an app in use and correlate its online actions with its claims, it’s hard to know whether it’s neutral, good or potentially risky. (Even if you totally decompile the app to see what it *might* do you can’t judge what it actually does until it’s been out for a while.)

Thus the (admittedly rather non-committal) warning messages that are likely to go away after a while.

I use that sort of warning more as a sort of incentive to “Stop. Think. Connect. Am I really sure?” before approving the app than as a strict warning to avoid it forever.

HtH.


It’s also no surprise that Google and Microsoft apparatuses would even flag that type of detection so readily, given that both are highly centralized organizations with manipulative control over the systems they employ. In terms of true privacy and security, generally speaking, users are better off detaching themselves from the clutches of monopolizing entities such as Google, Facebook, etc.

Contrary to narratives promoted by them, those Big Data outfits have historically violated user privacy and have even drafted their ToS and Privacy Policy agreements to reflect such intrusive behavior, albeit under the guise of “third-party” this and “third-party” that. When it comes to conglomerates like Google, their claims of truly respecting a citizen’s privacy really are just smoke and mirrors.
