Good news for Firefox users interested in turning on the browser’s DNS-over-HTTPS (DoH) privacy feature – they now have two providers to choose from.
The first, of course, is Cloudflare, Mozilla’s partner during the two years of development and testing of its DoH service, which was finally turned on for users in September.
Not all Firefox users were at ease with this – entrusting DNS privacy to a single company felt like a risk no matter how many assurances were being offered.
By adding a second provider, the startup NextDNS (founded in May 2019), Mozilla has not only offered an alternative but also got its promised Trusted Recursive Resolver (TRR) program off the ground. The TRR program matters because, as Mozilla says:
DoH’s ability to encrypt DNS data addresses only half the problem we are trying to solve. The second half is requiring that companies with the ability to see and store your browsing history change their data handling practices.
In other words, just encrypting DNS queries to make it more difficult for ISPs and governments to snoop on website visits won’t mean much if the company offering the DoH service hasn’t itself signed up to a robust privacy policy.
It’s rather like VPNs, which many people use for security, privacy and to dodge geo-blocking only to discover that many providers (typically the free ones) are collecting private data to sell on to advertisers.
Mozilla’s TRR program requires that DoH resolvers, among other things:
- Only collect data (e.g. IP addresses) for the purposes of running the service and don’t keep it for longer than 24 hours.
- Publish a privacy policy explaining this.
- Do not block, modify or censor websites unless required to by law.
PiHole-as-a-Service
Interestingly, NextDNS users who sign up for an account get control over what is blocked and what isn’t: they can create their own domain allow- and blocklists and subscribe to a range of public advertising, tracking and content-filtering lists.
They can even block specific applications and view traffic logs. This level of control is very unusual for a DNS resolver of any type; ISPs that filter DNS normally do so without telling the user.
It looks much like a cloud-hosted version of the PiHole, the Raspberry Pi-based network adblocker and DNS server, without the technical work of setting one up yourself.
That NextDNS has built its service this way suggests the company sees DNS and DoH resolution one day becoming a more general privacy layer, competing with things like browser adblocking.
We noticed some wrinkles.
For example, NextDNS offers apps to configure the service on Windows, macOS, Linux, Android, and iOS, which is impressive. But the apps are so new that some security software, which hadn’t encountered them before, threw up warnings when we installed them.
In Firefox v71, DoH settings can be accessed via Options > type ‘DNS’ in search bar > Connection Settings > Enable DNS over HTTPS.
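What a DoH lookup actually carries, as an added example that is not code from the article, Mozilla, Cloudflare or NextDNS: a DoH client builds an ordinary wire-format DNS message and sends it over HTTPS, either base64url-encoded in a GET parameter or raw in a POST body (RFC 8484). The resolver URI `https://dns.example/dns-query` and the sample response below are constructed for illustration. Note that the full query name reaches the resolver in the clear inside the TLS tunnel, which is why the TRR data-handling policy, not the encryption, decides what the provider can log.

```python
import base64
import struct

# RFC 8484 media type for the DNS message carried in the HTTP body/URL
DOH_CONTENT_TYPE = "application/dns-message"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a wire-format DNS query (RFC 1035) for one name.

    txid defaults to 0 as RFC 8484 suggests: identical queries then yield
    identical GET URLs (HTTP-cache friendly); the TLS session, not the ID,
    binds request to response."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_request(resolver_uri: str, query: bytes) -> dict:
    """RFC 8484 GET form: base64url-encoded, unpadded query in the 'dns' param."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in resolver_uri else "?"
    return {
        "method": "GET",
        "url": f"{resolver_uri}{sep}dns={encoded}",
        "headers": {"Accept": DOH_CONTENT_TYPE},
    }

def doh_post_request(resolver_uri: str, query: bytes) -> dict:
    """RFC 8484 POST form: the raw DNS message is the HTTP body."""
    return {
        "method": "POST",
        "url": resolver_uri,
        "headers": {"Accept": DOH_CONTENT_TYPE, "Content-Type": DOH_CONTENT_TYPE},
        "body": query,
    }

def decode_dns_param(param: str) -> bytes:
    """Reverse of the GET encoding (re-add the padding base64 needs)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg: bytes) -> dict:
    """Parse a wire-format response into its RCODE and A records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:             # A record
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0x000F, "answers": answers}

# Constructed sample response (not captured from any real resolver):
# example.com A -> 192.0.2.1 (RFC 5737 documentation address), TTL 300,
# with the answer name compressed as a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, NOERROR
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    # Hypothetical resolver URI; substitute the one your provider publishes.
    q = build_query("example.com")
    print(doh_get_request("https://dns.example/dns-query", q)["url"])
    print(parse_response(SAMPLE_RESPONSE))
```

The menu path above maps onto two about:config preferences in Firefox: `network.trr.uri` holds the resolver URL the request builder above would be given, and `network.trr.mode` selects the behaviour (2 sends DoH first and falls back to the system resolver, 3 uses DoH only, so a resolver outage means no name resolution rather than a silent leak to the ISP).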