{"id":1853,"date":"2020-11-18T14:03:58","date_gmt":"2020-11-18T22:03:58","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1853"},"modified":"2021-01-21T00:17:43","modified_gmt":"2021-01-21T08:17:43","slug":"doh-comment-period-2020","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2020\/11\/18\/doh-comment-period-2020\/","title":{"rendered":"Mozilla DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) Comment Period: Help us enhance security and privacy online"},"content":{"rendered":"

Update:<\/strong><\/em> The comment period has now closed. Thank you for everyone who submitted. Please stay tuned for further updates from us in the coming months as we review the comments<\/i>.<\/p>\n

For a number of years now, we have been working hard to update and secure one of the oldest parts of the Internet, the Domain Name System (DNS). We passed a key milestone in that endeavor earlier this year, when we rolled out the technical solution for privacy and security in the DNS – DNS-over-HTTPS (DoH<\/a>) – to Firefox users in the United States. Given the transformative nature of this technology and our mission commitment to transparency and collaboration, we have consistently sought to implement DoH thoughtfully and inclusively. Therefore, as we explore how to bring the benefits of DoH to Firefox users in different regions of the world, we\u2019re today launching a comment period to help inform our plans.<\/p>\n

Some background<\/b><\/p>\n

Before explaining our comment period, it\u2019s first worth clarifying a few things about DoH and how we\u2019re implementing it:<\/p>\n

What is the \u2018DNS\u2019? <\/i><\/b><\/p>\n

The Domain Name System (DNS for short) is a shared, public database that links a human-friendly name, such as www.mozilla.org<\/a>, to a computer-friendly series of numbers, called an IP address (e.g. 192.0.2.1). By performing a \u201clookup\u201d in this database, your web browser is able to find websites on your behalf. Because of how DNS was originally designed decades ago, browsers doing DNS lookups for websites \u2014 even for encrypted https:\/\/ sites \u2014 had to perform these lookups without encryption.<\/p>\n

What are the security and privacy concerns with traditional DNS?<\/i><\/b><\/p>\n

Because there is no encryption in traditional DNS, other entities along the way might collect (or even block or change) this data. These entities could include your Internet Service Provider (ISP) if you are connecting via a home network, your mobile network operator (MNO) if you are connecting on your phone, a WiFi hotspot vendor if you are connecting at a coffee shop, and even eavesdroppers in certain scenarios.<\/p>\n

In the early days of the Internet, these kinds of threats to people\u2019s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is<\/i> being exploited, and so we are helping the Internet to make the shift to more secure alternatives. That\u2019s where DoH comes in.<\/p>\n

What is DoH and how does it mitigate these problems?<\/i><\/b>
\n<\/b><\/p>\n

Following the best practice of encrypting HTTP traffic, Mozilla has worked with industry stakeholders at the Internet Engineering Task Force (IETF) to define a DNS encryption technology called DNS over HTTPS or DoH (pronounced “dough”), specified in RFC 8484<\/a>. It encrypts your DNS requests, and responses are encrypted between your device and the DNS resolver via HTTPS. Because DoH is an emerging Internet standard, operating system vendors and browsers other than Mozilla can also implement it. In fact, Google<\/a>, Microsoft<\/a> and Apple<\/a> have either already implemented or are in late stages of implementing DoH in their respective browsers and\/or operating systems, making it a matter of time before it becomes a ubiquitous standard to help improve security on the web.<\/p>\n

How has Mozilla rolled out DoH so far?<\/i><\/b><\/p>\n

Mozilla has deployed DoH to Firefox users in the United States, and as an opt-in feature for Firefox users in other regions. We are currently exploring how to expand deployment beyond the United States. Consistent with Mozilla’s mission, in countries where we roll out this feature the user is given an explicit choice to accept or decline DoH, with a default-on orientation to protect user privacy and security.<\/p>\n

Importantly, our deployment of DoH adds an extra layer of user protection beyond simple encryption of DNS lookups. Our deployment includes a Trusted Recursive Resolver<\/a> (TRR) program, whereby DoH lookups are routed only to DNS providers who have made binding legal commitments to adopt extra protections for user data (e.g., to limit data retention to operational purposes and to not sell or share user data with other parties). Firefox\u2019s deployment of DoH is also designed to respect ISP offered parental control services where users have opted into them and offers techniques<\/a> for it to operate with enterprise deployment policies.<\/p>\n

The comment period<\/b><\/p>\n

As we explore bringing the benefits of DoH to more users, in parallel, we\u2019re launching a comment period to crowdsource ideas, recommendations, and insights that can help us maximise the security and privacy-enhancing benefits of our implementation of DoH in new regions. We welcome contributions for anyone who cares about the growth of a healthy, rights-protective and secure Internet.<\/p>\n

Engaging with the Mozilla DoH implementation comment period<\/b><\/p>\n