{"id":62619,"date":"2020-06-26T00:00:00","date_gmt":"2020-06-26T00:00:00","guid":{"rendered":"http:\/\/blog.mozilla.org\/foxtail\/2020\/06\/26\/more-details-on-comcast-as-a-trusted-recursive-resolver\/"},"modified":"2021-04-27T17:25:34","modified_gmt":"2021-04-27T17:25:34","slug":"more-details-on-comcast-as-a-trusted-recursive-resolver","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/","title":{"rendered":"More details on Comcast as a Trusted Recursive Resolver"},"content":{"rendered":"<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft size-thumbnail wp-image-12607\" src=\"https:\/\/blog.mozilla.org\/wp-content\/uploads\/2020\/04\/eric-rescorla-high-res-150x150.jpg\" alt=\"\" width=\"150\" height=\"150\" srcset=\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2020\/04\/eric-rescorla-high-res-150x150.jpg 150w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2020\/04\/eric-rescorla-high-res-300x300.jpg 300w, https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2020\/04\/eric-rescorla-high-res.jpg 500w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/>Yesterday Mozilla and Comcast <a href=\"https:\/\/blog.mozilla.org\/blog\/2020\/06\/25\/comcasts-xfinity-internet-service-joins-firefoxs-trusted-recursive-resolver-program\/\">announced<\/a> that Comcast was the latest member of Mozilla\u2019s Trusted Recursive Resolver <a href=\"https:\/\/wiki.mozilla.org\/Security\/DOH-resolver-policy\">program<\/a>, joining current partners <a href=\"https:\/\/www.cloudflare.com\/\">Cloudflare<\/a> and <a href=\"https:\/\/blog.mozilla.org\/blog\/2019\/12\/17\/firefox-announces-new-partner-in-delivering-private-and-secure-dns-services-to-users\/\">NextDNS<\/a>. 
Comcast is the first Internet Service Provider (ISP) to become a TRR, and this represents a new phase in our DoH\/TRR deployment.<\/p>\n<h3>What does this mean?<\/h3>\n<p>When Mozilla first started looking at how to deploy <a href=\"https:\/\/hacks.mozilla.org\/2018\/05\/a-cartoon-intro-to-dns-over-https\/\">DoH<\/a>, we quickly realized that it wasn\u2019t enough to just encrypt the data; we had to ensure that Firefox used a resolver which users could trust. To do this, we created the Trusted Recursive Resolver (TRR) program, which allowed us to partner with specific resolvers committed to <a href=\"https:\/\/wiki.mozilla.org\/Security\/DOH-resolver-policy\">strong policies<\/a> for protecting user data. We selected <a href=\"https:\/\/www.cloudflare.com\/\">Cloudflare<\/a> as our first TRR (and the current default) because they shared our commitment to user privacy and security and because we knew that they were able to handle as much traffic as we could send them. This allowed us to provide secure DNS resolution to as many users as possible but also meant changing people\u2019s resolver to Cloudflare. We know that there have been some concerns about this. In particular:<\/p>\n<ul>\n<li>It may result in less optimal traffic routing. Some ISP resolvers cooperate with CDNs and other big services to steer traffic to local servers. This is harder (though not impossible) for Cloudflare to do because they have less knowledge of the local network. Our <a href=\"https:\/\/blog.mozilla.org\/futurereleases\/2019\/04\/02\/dns-over-https-doh-update-recent-testing-results-and-next-steps\/\">measurements<\/a> haven\u2019t shown this to be a problem, but it\u2019s still a possible concern.<\/li>\n<li>If the ISP is providing value-added services (e.g., malware blocking or parental controls) via DNS, then these stop working. 
Firefox tries to avoid enabling DoH in these cases because we don\u2019t want to break services we know people have opted into, but we know those mechanisms are imperfect.<\/li>\n<\/ul>\n<p>If we were able to verify that the ISP had strong privacy policies, then we could use their resolver instead of a public resolver like Cloudflare. Verifying this would of course require that the ISP deploy DoH &#8212; which more and more ISPs are doing &#8212; and join our TRR program, which is exactly what Comcast has done. Over the next few months we\u2019ll be experimenting with using Comcast&#8217;s DoH resolver when we detect that we are on a Comcast network.<\/p>\n<h3>How does it work?<\/h3>\n<p>Jason Livingood from Comcast and I have published an <a href=\"https:\/\/www.ietf.org\/id\/draft-rescorla-doh-cdisco-00.html\">Internet-Draft<\/a> describing how resolver selection works, but here\u2019s the short version of what we\u2019re going to be experimenting with. <i>Note:<\/i> this is all written in the present tense, but we haven\u2019t rolled the experiment out just yet, so this isn\u2019t what\u2019s happening now. It\u2019s also US only, because this is the only place where we have DoH on by default.<\/p>\n<p>First, Comcast inserts a new DNS record on their own recursive resolver for a \u201cspecial use\u201d domain called doh.test with a value of doh-discovery.xfinity.com. The meaning of this record is just \u201cthis network supports DoH and here is the name of the resolver.\u201d<\/p>\n<p>When Firefox joins a network, it uses the ordinary system resolver to look up doh.test. If there\u2019s nothing there, then it just uses the default TRR (currently Cloudflare). However, if there is a record there, Firefox looks it up in an internal list of TRRs. If there is a match to Comcast (or a future ISP TRR), then we use that TRR instead. 
Otherwise, we fall back to the default.<\/p>\n<p>What\u2019s special about the \u201cdoh.test\u201d name is that nobody owns \u201c.test\u201d; it\u2019s specifically reserved for local use, so it\u2019s fine for Comcast to put its own data there. If another ISP wanted to do the same thing, they would populate doh.test with their own resolver name. This means that Firefox can do the same check on every network.<\/p>\n<p>The end result is that if we\u2019re on a network whose resolver is part of our TRR program, then we use that resolver. Otherwise, we use the default resolver.<\/p>\n<h3>What is the privacy impact?<\/h3>\n<p>One natural question is how this impacts user privacy. We need to analyze this in two parts.<\/p>\n<p>First, let\u2019s examine the case of someone who only uses their computer on a Comcast network (if you never use a Comcast network, then this has no impact on you). Right now, we would send your DNS traffic to Cloudflare, but the mechanism above would send it to Comcast instead. As I mentioned above, both Comcast and Cloudflare have committed to strong privacy policies, and so the choice between trusted resolvers is less important than it otherwise might be. Put differently: every resolver in the TRR list is trusted, so choosing between them is not a problem.<\/p>\n<p>With that said, we should also look at the technical situation (see <a href=\"https:\/\/blog.mozilla.org\/blog\/2020\/05\/06\/more-on-covid-surveillance-mobile-phone-location\/\">here<\/a> for more thoughts on technical versus policy controls). In the current setting, using your ISP resolver probably results in somewhat less exposure of your data to third parties, because the ISP has a number of other &#8212; albeit less convenient &#8212; mechanisms for learning about your browsing history, such as the IP addresses you are going to and the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Server_Name_Indication\">TLS Server Name Indication<\/a> field. 
However, once <a href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-tls-esni-07\">TLS Encrypted Client Hello<\/a> starts being deployed, the Server Name Indication will be less useful and so there will be less difference between the cases.<\/p>\n<p>The situation is somewhat more complicated for someone who uses both a Comcast and non-Comcast network. In that case, both Comcast and Cloudflare will see pieces of their browsing history, which isn\u2019t totally ideal and is something we otherwise try to avoid. Our current view is that the advantages of using a trusted local resolver when available outweigh the disadvantages of using multiple trusted resolvers, but we\u2019re still analyzing the situation and our thinking may change as we get more data.<\/p>\n<p>One thing I want to emphasize here is that if you have a DoH resolver you prefer to use, you can set it yourself in Firefox Network Settings and that will override the automatic selection mechanisms.<\/p>\n<h3>Bottom Line<\/h3>\n<p>As we said when we started working on DoH\/TRR deployment two years ago, you can\u2019t practically negotiate with your resolver, but Firefox can do it for you, so we\u2019re really pleased to have Comcast join us as a TRR partner.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday Mozilla and Comcast announced that Comcast was the latest member of Mozilla\u2019s Trusted Recursive Resolver program, joining current partners Cloudflare and NextDNS. Comcast is the first Internet Service Provider (ISP) to become a TRR and this represents a new phase in our DoH\/TRR deployment. What does this mean? 
When Mozilla first started looking at [&hellip;]<\/p>\n","protected":false},"author":1590,"featured_media":12591,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30710,5],"tags":[],"coauthors":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>More details on Comcast as a Trusted Recursive Resolver<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/\",\"url\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/\",\"name\":\"More details on Comcast as a Trusted Recursive 
Resolver\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2020\/04\/header_blog_EKR_thumbnail_05_1400x770_200422.jpg\",\"datePublished\":\"2020-06-26T00:00:00+00:00\",\"dateModified\":\"2021-04-27T17:25:34+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/d7c6be5f71d0f9fe53dbf12167ba6722\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2020\/04\/header_blog_EKR_thumbnail_05_1400x770_200422.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2020\/04\/header_blog_EKR_thumbnail_05_1400x770_200422.jpg\",\"width\":1400,\"height\":770},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/more-details-on-comcast-as-a-trusted-recursive-resolver\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"More details on Comcast as a Trusted Recursive 
Resolver\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/en\/\",\"name\":\"The Mozilla Blog\",\"description\":\"News and Updates about Mozilla\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/d7c6be5f71d0f9fe53dbf12167ba6722\",\"name\":\"Eric Rescorla\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/1a9b13dd968f9eaf49e0a37dc8195326\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e5f9acbf6d67bc10e02f6289a4afd588?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e5f9acbf6d67bc10e02f6289a4afd588?s=96&d=mm&r=g\",\"caption\":\"Eric Rescorla\"},\"description\":\"Eric is CTO of the Firefox team at Mozilla.\",\"url\":\"https:\/\/blog.mozilla.org\/en\/author\/ekrmozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}