{"id":2439,"date":"2019-04-09T07:24:07","date_gmt":"2019-04-09T14:24:07","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2439"},"modified":"2019-04-09T07:24:07","modified_gmt":"2019-04-09T14:24:07","slug":"dns-over-https-policy-requirements-for-resolvers","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/","title":{"rendered":"DNS-over-HTTPS Policy Requirements for Resolvers"},"content":{"rendered":"<p>Over the past few months, we\u2019ve been experimenting with DNS-over-HTTPS (DoH), a protocol which uses encryption to protect DNS requests and responses, with the goal of deploying DoH by default for our users. <a href=\"https:\/\/mailarchive.ietf.org\/arch\/msg\/doh\/po6GCAJ52BAKuyL-dZiU91v6hLw\">Our plan<\/a> is to select a set of Trusted Recursive Resolvers (TRRs) that we will use for DoH resolution in Firefox. Those resolvers will be required to conform to a specific set of policies that put privacy first.<\/p>\n<p>To that end, today we are releasing a <a href=\"https:\/\/wiki.mozilla.org\/Security\/DOH-resolver-policy\">list of DOH requirements<\/a>, available on the Mozilla wiki, that we will use to vet potential resolvers for Firefox. The requirements focus on three areas: 1) limiting data collection and retention from the resolver, 2) ensuring transparency for any data retention that does occur, and 3) limiting any potential use of the resolver to block access or modify content. This is intended to cover resolvers that Firefox will offer by default and resolvers that Firefox might discover in the local network.<\/p>\n<p>In publishing this policy, our goal is to encourage adherence to practices for DNS that respect modern standards for privacy and security. 
\u00a0Not just for our potential DoH partners, but for all DNS resolvers.<\/p>\n","protected":false},"author":1186,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,847,69],"tags":[200,320803,320802],"coauthors":[311653],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>DNS-over-HTTPS Policy Requirements for Resolvers - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Marshall Erwin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/\",\"name\":\"DNS-over-HTTPS Policy Requirements for Resolvers - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2019-04-09T14:24:07+00:00\",\"dateModified\":\"2019-04-09T14:24:07+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/8a1933e1bfe286bfb070a3f6cfafcab8\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/04\/09\/dns-over-https-policy-requirements-for-resolvers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DNS-over-HTTPS Policy Requirements for Resolvers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/8a1933e1bfe286bfb070a3f6cfafcab8\",\"name\":\"Marshall Erwin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/18e19fe15dc8e59067c7ab722aa29f07\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ae44e7353131a4478672767e57312f10?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ae44e7353131a4478672767e57312f10?s=96&d=identicon&r=g\",\"caption\":\"Marshall Erwin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2439"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1186"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2439"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2439\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2439"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}