Firefox Begins Rollout of Encrypted DNS Over HTTPS (DoH)

Posted on February 25, 2020 by Paul Thurrott in Google Chrome, Microsoft Edge, Mozilla Firefox, Web browsers with 10 Comments

Like Opera, Mozilla is adding support for encrypted DNS over HTTPS (DoH) to its flagship web browser for improved privacy and security. But it appears to be taking a slower, more restrained approach.

“Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users,” Mozilla’s Selena Deckelmann writes in the announcement. “The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.”

As Mozilla explains, the Domain Name System (DNS) used by all Internet sites and services is insecure because it uses decades-old technologies and is unencrypted, even for websites that are protected with HTTPS. But DoH forces all DNS lookups—where a friendly URL is translated into a domain name—to occur over an encrypted connection, helping to prevent malicious DNS servers or hackers using man-in-the-middle attacks from seeing or collecting your browsing history.

Though Mozilla is only enabling DoH for its Firefox users in the United States, anyone can manually enable this feature by navigating to Settings > General > Networking Settings; click the Settings button on the right and enable DNS over HTTPS.

Users of other browsers can also enable this functionality. In addition to Opera, which released a new DoH-backed version of its desktop browser today, Chromium-based browsers support a pre-release “Secure DNS lookups” feature in the flags interface (edge://flags in the new Edge, for example). Only Apple Safari and Microsoft Internet Explorer do not support this feature.


11 responses to “Firefox Begins Rollout of Encrypted DNS Over HTTPS (DoH)”

  1. wright_is

    As Mozilla explains, the Domain Name System (DNS) used by all Internet sites and services is insecure because it uses decades-old technologies and is unencrypted, even for websites that are protected with HTTPS.

    Only partly true. I use DNS over TLS, which is encrypted over the standard DNS protocol, not over HTTPS. With DoT and DNSSEC, you are very secure. Breaking DNS to use HTTPS isn't the right way to go, IMHO. This only affects the browser. You should be changing your entire device to use DNS over TLS.

  2. MarkPow

    DNS over HTTPS is easily my most favourite IT acronym so far.

  3. IanYates82

    Good to see.

    One minor nit: "where a friendly URL is translated into a domain name"... Not quite right. It's where a friendly server name is translated into an IP address. E.g. www.thurrott.com is translated into these IPv4 addresses: 104.26.12.34, 104.26.13.34 via DNS.

  4. RonV42

    I have enabled DoH on my DNS server at home to the Cloudflare services. I have been running in this configuration for over a year. I also capture port 53 DNS lookups and force them to my DNS server since many devices and some apps actually hard code their DNS servers to Google.

  5. youwerewarned

    Most privacy benefits are illusory. Your ISP will still have total access to your browsing activity through rDNS, if they so choose.

  6. beckoningeagle

    Won't this affect internal DNS lookups for enterprises? Especially places where a server has a different address when used by an intranet user?

    • wright_is

      In reply to BeckoningEagle:

      Yes. If the external DoH lookup fails, it is supposed to fall back to the "real" DNS server (i.e. it then does the job properly, going through the operating system's DNS lookup chain - hosts file, primary DNS server, backup DNS server). But this is then, essentially a security leak, in that you are sending the names of your internal servers/devices to an external server, which is BAD™.

      The other problem is that most modern browsers don't like local domain names, instead the address bar ignores the address you have entered and treats it as a search request.

      For example, if you enter "myserver" into the address bar, the browser says, "hmm, no .com etc., must be a search."

      You can override the behaviour by entering "/" at the end of the name. In Firefox, you can also use about:config and then change keyword.enabled to false, then you need to explicitly use the search box for searches.

    • lvthunder

      In reply to BeckoningEagle:

      I would be surprised if there wasn't a way for IT admins to turn this off. I don't know if Firefox can use group policy settings or not.
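The fallback behaviour and the "security leak" discussed in this thread can be shown with a small simulation. This is an added example, not Firefox's resolver code and not from the article: the two resolvers are stubs backed by constructed lookup tables (`EXTERNAL_DOH_TABLE`, `INTERNAL_OS_TABLE`), the name `myserver.corp.example` and suffix `corp.example` are made up, and the `excluded_suffixes` parameter is a hypothetical policy knob standing in for whatever exclusion mechanism a real client offers. It shows that DoH-first-then-fallback hands every internal hostname to the external resolver before falling back, and that an exclusion list plus an audit of what the external resolver saw is the check an administrator wants.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed lookup tables standing in for a public DoH resolver and the
# operating system's resolver chain (hosts file, internal DNS servers).
EXTERNAL_DOH_TABLE: Dict[str, str] = {"www.example.com": "192.0.2.10"}
INTERNAL_OS_TABLE: Dict[str, str] = {
    "www.example.com": "192.0.2.10",
    "myserver.corp.example": "10.0.0.5",      # only resolvable internally
}


class StubResolver:
    """A resolver stub that records every name it is asked about."""

    def __init__(self, label: str, table: Dict[str, str]):
        self.label = label
        self.table = table
        self.seen: List[str] = []             # names this resolver received

    def lookup(self, qname: str) -> Optional[str]:
        self.seen.append(qname)
        return self.table.get(qname)          # None models NXDOMAIN/failure


def _matches(qname: str, suffixes: Sequence[str]) -> bool:
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def resolve(qname: str, doh: StubResolver, native: StubResolver,
            excluded_suffixes: Sequence[str] = ()) -> Tuple[Optional[str], str]:
    """DoH first, native fallback on failure, as described in the thread.

    Names under an excluded suffix (hypothetical policy) skip DoH entirely,
    so the external resolver never learns they exist.
    Returns (address, which resolver answered).
    """
    qname = qname.rstrip(".").lower()
    if _matches(qname, excluded_suffixes):
        return native.lookup(qname), "native"
    addr = doh.lookup(qname)
    if addr is not None:
        return addr, "doh"
    return native.lookup(qname), "native-fallback"


def leaked_internal_names(doh: StubResolver,
                          internal_suffixes: Sequence[str]) -> List[str]:
    """Audit: internal names that reached the external DoH resolver."""
    return [n for n in doh.seen if _matches(n, internal_suffixes)]


if __name__ == "__main__":
    # Without an exclusion list the internal name is sent out, then falls back.
    doh, native = StubResolver("doh", EXTERNAL_DOH_TABLE), StubResolver("os", INTERNAL_OS_TABLE)
    print(resolve("myserver.corp.example", doh, native))          # ('10.0.0.5', 'native-fallback')
    print(leaked_internal_names(doh, ["corp.example"]))           # ['myserver.corp.example']

    # With the exclusion list the external resolver never sees it.
    doh, native = StubResolver("doh", EXTERNAL_DOH_TABLE), StubResolver("os", INTERNAL_OS_TABLE)
    print(resolve("myserver.corp.example", doh, native, ["corp.example"]))  # ('10.0.0.5', 'native')
    print(leaked_internal_names(doh, ["corp.example"]))           # []
```

The `seen` list on the stub is the part worth keeping in mind: in production the equivalent record lives in the DoH provider's query logs, which is exactly the visibility the thread is worried about, and an exclusion list is a preventive control rather than something that can be audited after the fact from the client side.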
