Categories: privacy

The Facts: Mozilla’s DNS over HTTPS (DoH)

The current insecure DNS system leaves billions of people around the world vulnerable because the data about where they go on the internet is unencrypted. We’ve set out to change that. In 2017, Mozilla began working on the DNS-over-HTTPS (DoH) protocol to close this privacy gap within the web’s infrastructure. Today, Firefox is enabling encrypted DNS over HTTPS by default in the US, giving our users more privacy protection wherever and whenever they’re online.

DoH will encrypt DNS traffic from clients (browsers) to resolvers through HTTPS so that the DNS lookups behind users’ web browsing can’t be intercepted or tampered with by someone spying on the network. The resolvers we’ve chosen to work with so far, Cloudflare and NextDNS, have agreed to be part of our Trusted Recursive Resolver (TRR) program. The program places strong policy requirements on the resolvers and how they handle data. This includes placing strict limits on data retention so that providers, including internet service providers, can no longer tap into an unprotected stream of a user’s browsing history to build a profile that can be sold, or otherwise used in ways that people have not meaningfully consented to. We hope to bring more partners into the TRR program.

Like most new technologies on the web, there has been a healthy conversation about this new protocol. We’ve seen non-partisan input, privacy experts, and other organizations all weigh in. And because we value transparency and open dialogue, this conversation has helped inform our plans for DoH. We are confident that the research and testing we’ve done over the last two years has ensured that our roll-out of DoH respects user privacy and makes the web safer for everyone. Through DoH and our Trusted Recursive Resolver program we can begin to close the data leaks that have been part of the domain name system since it was created 35 years ago.

Here are a few things we think are important to know about our deployment of DNS over HTTPS.

What are the privacy threats to DNS information that motivate DoH?
DNS requests and responses reveal important information about your activity on the Internet, and that information can be collected and sold by Internet Service Providers (ISPs), Wi-Fi providers, and others without your consent.
How will DoH keep my data from being collected and sold?
Mozilla requires all DNS providers that can be selected in Firefox to comply with our resolver policy through a legally binding contract. These requirements place strict limits on the type of data that may be retained, what the provider can do with that data, and how long they may retain it. This strict policy is intended to protect users from providers being able to collect and monetize their data.
Why does Mozilla believe switching DoH on by default respects user choice?
Few users understand the role of DNS in their use of the Internet, or the potential for widespread abuse of their DNS information. If users don’t understand, then they can’t make meaningful choices.

Rather than putting the onus on users, Mozilla is taking steps to ensure that personal privacy is the default for all users, and to give users the ability to select non-default options if they so choose.

Why encrypt DNS queries? Aren’t there other mechanisms besides DNS that ISPs can use to collect data about user behavior?
There are many threats to user privacy, and a single technology cannot address them all. The fact that so many privacy risks exist today is a reason to tackle each problem, not a reason to refuse to solve any of them.

That is why Mozilla and others are working to define appropriate methods to prevent leakage of personally identifying information in protocols other than DNS. One example is the proposal for Encrypted Server Name Indication (ESNI) for TLS connections.

Will DoH lead to greater centralization of DNS, which will be bad for the Internet as a whole?
We agree that centralization is bad for the Internet. Today in practice, DNS is centralized because consumer devices are locked to the DNS service of ISPs. And just five companies control over 80% of the US broadband Internet market. The immediate impact of Mozilla enabling DoH in Firefox will be less centralization, not more, because it shifts traffic away from large ISPs, and provides users with more choice, while respecting enterprise DNS configurations.
Does DoH cause harm by preventing parental controls from working?
Numerous ISPs provide opt-in parental control services. Firefox’s deployment of DoH is designed to respect those controls where users have opted into them. Mozilla is working with the industry to define appropriate standards that will enable the smooth functioning of opt-in parental controls.
How does DoH work with enterprise DNS solutions such as “split-horizon” DNS?
We have made it easy for enterprises to disable DoH. In addition, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. System administrators interested in how to configure enterprise policies can find relevant documentation here.
Why deploy DoH when it makes it more difficult for organizations to protect themselves against security threats?
The same argument was made against encrypting HTTP connections and other Internet traffic, yet organizations have adjusted to those advances in user security while protecting organizational assets. Furthermore, organizations can run their own internal DoH services or disable DoH for their users as described above.
Are you turning DoH on by default worldwide for all Firefox users?
As part of our continuing efforts to carefully test and measure the benefits and impact of DoH, we are currently focused on releasing this feature in the United States only. We do not have plans to roll out the feature in Europe or other regions at this time. However, we strongly believe that DNS over HTTPS is good for the privacy of people everywhere.