Firefox, DNS over HTTPS and a controversial Shield Study - gHacks Tech News

Firefox, DNS over HTTPS and a controversial Shield Study

Mozilla plans to integrate Trusted Recursive Resolver (TRR) via DNS over HTTPS in a future version of the Firefox browser. Initial functionality lands in Firefox 60 but further improvements will land in future versions such as Firefox 61.

DNS over HTTPS (DoH) is currently a draft standard. It targets situations where DNS lookups may fail because of connectivity issues and aims to prevent interference with DNS operations; the goal is to improve user privacy, security and connection reliability.

Web browsers like Firefox use the DNS service configured on the system by default which in many cases is operated by the Internet Service Provider. You may change the DNS server to private or public ones to improve performance, security or filter out unwanted web content.

Windows users may use tools like DNS Switch, DNS Benchmark or DNS Jumper for that, but it is also possible to configure servers manually.

DNS over HTTPS in Firefox


DNS over HTTPS runs DNS operations over encrypted HTTPS connections. This is not that different from using DNSCrypt to encrypt DNS traffic, but it is integrated directly into the browser.

DNS-over-HTTPS (DOH) allows DNS resolves with enhanced privacy, secure transfers and improved performance.

The initial version is disabled by default and users need to change preferences of the browser to enable TRR and set a DNS over HTTPS URI as well.

Shield Study

Mozilla is considering running a Shield Study on the Nightly population to gather data on TRR. Firefox Nightly is the cutting-edge version of the browser, and a bug on Mozilla's Bugzilla site outlines the plan.

TRR would run in shadow mode (results are recorded but not used for resolution) against Cloudflare's public DNS over HTTPS server to test the functionality.

Enabling the study in the proposed form would send all DNS lookups to a third party, Cloudflare. Mozilla employee Henri Sivonen expressed concerns:

Sending information about what is browsed to an off-path party will erode trust in Mozilla due to people getting upset about privacy-sensitive information (what they browse where "they" is identified by IP address and "what" by host name) getting sent to an off-path party without explicit consent.

The policy agreements we have in place with the off-path party won't remove this negative effect, since the way people are known to react to this kind of thing isn't in our power to negotiate: people will react to this as a matter of what technically got sent and not as a matter of what the recipient promised not to do. (A browser sending information about what is browsed to an off-path party is the quintessential browser privacy no-no.)

The discussion went back and forth on Bugzilla and the Mozilla Dev Platform group on Google Groups. Some Mozilla employees expressed concern and wanted the study to become opt-in, even on Nightly.

Mozilla has an operational agreement with Cloudflare regarding the Study which prevents Cloudflare from keeping records or selling/transferring the data to third parties.

While nothing has been decided yet, it appears as if Mozilla will run the study in the proposed form.

Firefox Nightly users may want to monitor the preference network.trr.mode for changes. Users may set the preference to 0 to disable TRR and leave the study as a consequence.

TRR DNS over HTTPS configuration parameters

Mozilla added several configuration parameters to Firefox that configure TRR.

The preference network.trr.mode defines the status of TRR in Firefox.

  • A value of 0 means that TRR is disabled and not used.
  • A value of 1 means that Firefox uses either native DNS or TRR, depending on which answers faster.
  • A value of 2 uses TRR by default but falls back to the native resolver if name resolution over TRR fails for whatever reason.
  • A value of 3 enables TRR-only mode. Only TRR is used and there is no fallback.
  • A value of 4 runs TRR in shadow mode, which means that TRR is run in parallel for gathering data but the native resolver's answer is used.
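To make the five modes concrete, here is an added example that is not Firefox code: it models the decision each network.trr.mode value makes as a pure function over the results of the two lookups (so it runs offline), and it includes the RFC 1918 filter that network.trr.allow-rfc1918 controls, since a rejected TRR answer is what triggers the fallback in mode 2. The addresses and timings are constructed, and the names TRR_MODE, chooseAnswer and isRfc1918 are this example's own.

```javascript
// Added example, not Firefox's resolver. Models the network.trr.mode
// semantics described above as a decision over two lookup results.
// A lookup result is { addresses: string[], ms: number } or null on failure.

const TRR_MODE = { OFF: 0, RACE: 1, FIRST: 2, ONLY: 3, SHADOW: 4 };

// RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
function isRfc1918(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// What network.trr.allow-rfc1918 governs: with the default (false), private
// addresses in a TRR answer are dropped; an answer left empty counts as failed.
function sanitiseTrr(trr, allowRfc1918) {
  if (!trr) return null;
  const addresses = allowRfc1918 ? trr.addresses : trr.addresses.filter(a => !isRfc1918(a));
  return addresses.length ? { addresses, ms: trr.ms } : null;
}

function chooseAnswer(mode, trr, native, opts = {}) {
  const trrClean = sanitiseTrr(trr, Boolean(opts.allowRfc1918));
  const fromNative = () => ({
    source: native ? 'native' : 'none',
    addresses: native ? native.addresses : [],
  });
  const fromTrr = () => ({ source: 'trr', addresses: trrClean.addresses });

  switch (mode) {
    case TRR_MODE.OFF:
      return fromNative();
    case TRR_MODE.RACE:
      // Both lookups run; the faster successful one wins.
      if (!trrClean) return fromNative();
      if (!native) return fromTrr();
      return trrClean.ms <= native.ms ? fromTrr() : fromNative();
    case TRR_MODE.FIRST:
      // TRR preferred, native as fallback when TRR fails.
      return trrClean ? fromTrr() : fromNative();
    case TRR_MODE.ONLY:
      // No fallback at all: a TRR failure is a resolution failure.
      return trrClean ? fromTrr() : { source: 'none', addresses: [] };
    case TRR_MODE.SHADOW:
      // TRR runs only to collect data; the native answer is what gets used.
      return { ...fromNative(), shadow: trrClean };
    default:
      throw new RangeError(`unknown network.trr.mode value ${mode}`);
  }
}

// Demonstration with constructed results: TRR answers in 20 ms, native in 50 ms.
const demoTrr = { addresses: ['192.0.2.10'], ms: 20 };
const demoNative = { addresses: ['192.0.2.10'], ms: 50 };
for (const [name, mode] of Object.entries(TRR_MODE)) {
  console.log(name, chooseAnswer(mode, demoTrr, demoNative));
}
```

The shadow-mode branch is the one the Shield Study discussed above would exercise: the TRR answer is returned only as a side record, never as the address the browser connects to, which is why the privacy objection is about what was sent rather than what was used.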

The preference network.trr.uri needs to be set to the address of a DNS over HTTPS server. Two public servers are available right now:

  • https://dns.cloudflare.com/.well-known/dns
  • https://dns.google.com/experimental

Other preferences explained:

  • network.trr.credentials -- Credentials sent in requests to the DNS over HTTPS endpoint (default: none).
  • network.trr.wait-for-portal -- Use TRR only after captive portal detection has succeeded (default: true).
  • network.trr.allow-rfc1918 -- Allow RFC 1918 private addresses in TRR responses (default: false).
  • network.trr.useGET -- Send DoH requests with HTTP GET instead of POST (default: false).
  • network.trr.confirmationNS -- Domain name Firefox resolves to verify that TRR works; any positive answer is accepted (default: example.com).
  • network.trr.bootstrapAddress -- Set this to the IP address of the host in network.trr.uri to avoid looking it up with the native system resolver (default: none).
  • network.trr.blacklist-duration -- Number of seconds that entries are kept in the blacklist (default: 259200).
  • network.trr.request-timeout -- Requests time out after this many milliseconds (default: 3000).
  • network.trr.early-AAAA -- Firefox requests both A and AAAA records; it uses the AAAA answer first only if this preference is true (default: false).
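The useGET and confirmationNS preferences above are easier to understand with the actual DoH exchange in front of you. The following is an added example, not Firefox's code: it builds the DNS wire-format query, produces the GET form (message base64url-encoded in a ?dns= parameter) and the POST form (message in the body), and parses a response the way a confirmation check would, accepting any NOERROR answer. It uses the encoding of RFC 8484, which the draft this article refers to was later published as; the resolver URI is a placeholder and the response is a constructed sample, not a capture. The names buildQuery, dohRequest, parseAnswer and sampleResponse are this example's own.

```javascript
// Added example, not Firefox's resolver. Constructs DoH requests and parses
// a constructed response offline; nothing is sent over the network.

// Encode a host name as DNS labels: length-prefixed, terminated by a zero byte.
function encodeName(name) {
  const out = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    const b = Buffer.from(label, 'ascii');
    if (b.length === 0 || b.length > 63) throw new Error(`bad label "${label}"`);
    out.push(b.length, ...b);
  }
  out.push(0);
  return Buffer.from(out);
}

// type 1 = A, 28 = AAAA. ID 0 is what RFC 8484 recommends so GET URLs are cacheable.
function buildQuery(name, type = 1) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0, 0);      // ID
  header.writeUInt16BE(0x0100, 2); // flags: RD=1
  header.writeUInt16BE(1, 4);      // QDCOUNT
  const question = Buffer.concat([encodeName(name), Buffer.from([0, type, 0, 1])]); // QTYPE, QCLASS=IN
  return Buffer.concat([header, question]);
}

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Mirrors network.trr.useGET: GET carries the message in ?dns=, POST in the body.
function dohRequest(uri, name, type = 1, useGET = false) {
  const msg = buildQuery(name, type);
  if (useGET) {
    return { method: 'GET', url: `${uri}?dns=${base64url(msg)}`, headers: { accept: 'application/dns-message' } };
  }
  return {
    method: 'POST', url: uri, body: msg,
    headers: { 'content-type': 'application/dns-message', accept: 'application/dns-message' },
  };
}

// Confirmation-style check: NOERROR with at least one answer means TRR works.
// Also extracts A records; name compression pointers (0xC0xx) are skipped.
function parseAnswer(buf) {
  const rcode = buf.readUInt16BE(2) & 0x0f;
  const qd = buf.readUInt16BE(4), an = buf.readUInt16BE(6);
  let off = 12;
  const skipName = () => {
    for (;;) {
      const len = buf[off];
      if (len === 0) { off += 1; return; }
      if ((len & 0xc0) === 0xc0) { off += 2; return; }
      off += 1 + len;
    }
  };
  for (let i = 0; i < qd; i++) { skipName(); off += 4; }
  const addresses = [];
  for (let i = 0; i < an; i++) {
    skipName();
    const type = buf.readUInt16BE(off); off += 2;
    off += 6; // CLASS + TTL
    const rdlen = buf.readUInt16BE(off); off += 2;
    if (type === 1 && rdlen === 4) addresses.push(Array.from(buf.subarray(off, off + 4)).join('.'));
    off += rdlen;
  }
  return { ok: rcode === 0 && an > 0, rcode, addresses };
}

// Constructed response for "example.com A": the query header with QR/RA set, the
// question echoed, and one answer whose name is a pointer (0xC00C) to the question.
// With nxdomain: true it is an RCODE 3 response with no answers, i.e. a failed check.
function sampleResponse({ nxdomain = false } = {}) {
  const q = buildQuery('example.com');
  const hdr = Buffer.from(q.subarray(0, 12));
  hdr.writeUInt16BE(nxdomain ? 0x8183 : 0x8180, 2); // QR=1 RD=1 RA=1, RCODE 3 or 0
  hdr.writeUInt16BE(nxdomain ? 0 : 1, 6);           // ANCOUNT
  const answer = Buffer.from([0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 192, 0, 2, 1]);
  return Buffer.concat(nxdomain ? [hdr, q.subarray(12)] : [hdr, q.subarray(12), answer]);
}

const DOH_URI = 'https://doh.example.invalid/dns-query'; // placeholder, not a real resolver
console.log(dohRequest(DOH_URI, 'www.example.com', 1, true).url);
console.log(parseAnswer(sampleResponse()));
```

Two things worth noticing from a privacy standpoint: the encoded query for www.example.com above is the same string every client produces, since the ID is fixed at 0 and there is no padding, so a passive observer of the URL path (for GET) or the request body sees exactly the name being looked up unless the HTTPS layer hides it; and the NOERROR-with-answers rule means confirmationNS proves only that the endpoint answers, not that its answers are correct.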

Closing Words

DNS over HTTPS is a good thing as it improves the privacy and security of DNS lookups provided that a trustworthy provider is used. I think that a Study should be opt-in, or at the very least inform the user that the Study has been enabled in the browser and provide information on how to turn it off.

Now You: What's your take on this?




    Comments

    1. ShintoPlasm said on March 20, 2018 at 8:12 am

      Interesting. At least with Mozilla there’s a discussion; with Chrome they’d simply enable it and that’s that. Still think it should be opt-in, though…

      1. crambie said on March 20, 2018 at 11:21 am

        No they wouldn’t. When was the last time that happened? Again someone mistakenly thinking Mozilla are still the trustworthy company of old.

        1. Good job Mozilla said on March 20, 2018 at 11:23 am

          You want to know which browser is more privacy respecting? Just look at which browser is used for the Tor Browser!

    2. Thorky said on March 20, 2018 at 8:52 am

      Opt-In! Nothing else …

    3. Anonymous said on March 20, 2018 at 10:27 am

      I do not understand how Cloudflare or Google could improve privacy.

    4. Good job Mozilla said on March 20, 2018 at 11:22 am

      DNS is already plaintext, so it doesn’t matter if it’s Google, Cloudflare, your ISP or the NSA that are snooping on DNS requests. Bringing DNS over HTTPS is definitely something great and I hope this shield study continues in its current form as it would yield better privacy and security for all of us.

      Great job Mozilla (this shield study comes right from the creator of cURL, no less!)!

    5. Poor_Indian Guy said on March 20, 2018 at 11:46 am

      How to make it work? Enabled it in about:config, but not working. What should be the preference of network.trr.uri? Can anyone make it workable? Can anyone simplify it? Anyone?

    6. chesscanoe said on March 20, 2018 at 12:13 pm

      I personally trust DNS provided by Quad9 and at this time would not consider any other service. Its privacy and speed for me in the US is super.

    7. Rob L. said on March 20, 2018 at 12:20 pm

      “… people will react to this as a matter of what technically got sent and not as a matter of what the recipient promised not to do.”

      Why should I care what your agreement is with any third-party? All that means is they “promised” YOU something, they have promised me nothing (pinky-swear-by-proxy is meaningless) … and that’s only even relevant if you take said third-party at their word. I don’t, no for-profit company does stuff out of the goodness of their hearts. Plus they all have employees who could go rogue, or they could be hacked, etc.

      And, isn’t enough of the internet behind CloudFlare’s proprietary, closed-source, service? Do we really need to put DNS there, too? I think not.

    8. Arcteshina said on March 20, 2018 at 12:29 pm

      Unless you’re using Tor Browser, don’t expect any privacy with regards to your DNS. So this is a nothing-burger after all, and DNS-over-HTTPS may be better after all!

    9. aquatroll said on March 20, 2018 at 1:00 pm

      I want to keep filtering adult content from my children via DNS filtering, which I do in house, and use DNSSEC for anything else so my ISP doesn’t spy on me.

      I don’t like where this is going and would prefer an opt-in.

    10. Tom Hawack said on March 20, 2018 at 1:17 pm

      As an opt-in option it certainly is a valuable project. I use DNSCrypt-Proxy which offers an experimental DNS-over-HTTPS server, globally cached via Cloudflare as well, which I don’t use by the way, at this time anyway.

      DNS is a major security element, encrypting requests is essential, mainly for ‘man in the middle’ attacks (that’s all I know, don’t ask me to elaborate!).

      1. Tom Hawack said on March 20, 2018 at 2:05 pm

        My enthusiasm over DNS encryption made me forget that Cloudflare is itself considered by some as a man-in-the-middle, when accessed as a CDN and therefore moreover when called to resolve DNS queries. As for little old me, I know I keep the distance I can when it comes to Cloudflare, but am I following what I occasionally read on the Web, am I right, is Cloudflare really an issue? How the heck can anyone find the correct balance between caution and paranoia? It’s really hard to have an objective idea and tougher even to set a configuration (take/block) when you’re not a specialist. I even get to read specialists who disagree among themselves. Mamma mia, guess once I’ve used all I can of a rational attitude the only remaining helper is intuition, which itself is not a guarantee.

        Hey! World! Help us :=)
