Firefox Begins Rollout of Encrypted DNS Over HTTPS (DoH)

Like Opera, Mozilla is adding support for encrypted DNS over HTTPS (DoH) to its flagship web browser for improved privacy and security. But it appears to be taking a slower, more restrained approach.

“Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users,” Mozilla’s Selena Deckelmann writes in the announcement. “The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.”


As Mozilla explains, the Domain Name System (DNS) used by all Internet sites and services is insecure because it relies on decades-old technology and sends queries unencrypted, even for websites that are protected with HTTPS: the names you look up travel in cleartext across the network, however well the web traffic itself is protected. DoH instead carries the browser’s DNS lookups, where a hostname such as www.example.com is translated into an IP address, inside an encrypted HTTPS connection to a DoH resolver. That stops anyone on the network path, including an attacker running a man-in-the-middle attack or a rogue resolver pushed to you by the local network, from seeing your DNS queries or tampering with the answers. The caveat is that the DoH resolver itself still sees every query, so the privacy gained depends on which resolver you trust.
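To make the mechanism concrete, the following is an added example (not Mozilla’s or Firefox’s code) that builds the DNS wire-format query a DoH client sends for www.example.com, encodes it the way RFC 8484 specifies for an HTTPS GET, and parses a constructed answer. The resolver URL and the answer bytes are assumptions made up for the example; nothing is sent over the network.

```python
"""DNS over HTTPS (RFC 8484) on the wire: query encoding and answer parsing.

Added example, not code from Mozilla or Firefox. A DoH client sends an
ordinary DNS wire-format message either as the body of an HTTPS POST or
base64url-encoded in a GET ?dns= parameter, with the media type
application/dns-message, and receives an ordinary DNS wire-format answer.
Everything below runs offline: the resolver URL and the answer bytes are
constructed for the example.
"""
import base64
import struct
from typing import List, Tuple

DOH_RESOLVER = "https://dns.example/dns-query"  # assumed resolver URL, not a real service
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Build a DNS query message. The ID is 0 as RFC 8484 recommends, so that
    identical queries are byte-identical and can be served from an HTTP cache."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, resolver: str = DOH_RESOLVER) -> str:
    """GET form of a DoH request: the message base64url-encoded without padding.
    The client also sends 'Accept: application/dns-message'."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the pointer is the last thing this name occupies
            hops += 1
            if hops > 32 or pointer >= off:  # refuse forward pointers and loops
                raise ValueError("bad compression pointer")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg: bytes) -> Tuple[int, List[Tuple[str, int, int, str]]]:
    """Parse a DNS response; return (rcode, [(name, type, ttl, value), ...])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_CNAME:
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return rcode, answers


def constructed_response(query: bytes, addrs: List[str], ttl: int = 300) -> bytes:
    """Constructed sample answer for the example (not captured from a resolver):
    echoes the question and emits one A record per address, naming the owner via
    a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    body = query[12:]
    for addr in addrs:
        body += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        body += bytes(int(octet) for octet in addr.split("."))
    return header + body


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("GET", doh_get_url(q))
    rcode, answers = parse_response(constructed_response(q, ["93.184.216.34"]))
    print("rcode", rcode, answers)
```

The ?dns= value the block prints is the one RFC 8484 itself shows for this query. Sent for real, both the request and the answer sit inside TLS, so a network observer sees only a connection to the resolver; the resolver, however, receives exactly the message built here, which is why the choice of resolver matters as much as the encryption.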

Though Mozilla is only enabling DoH by default for Firefox users in the United States, anyone can turn it on manually: open Settings > General, scroll to Network Settings, click the Settings button on the right and tick Enable DNS over HTTPS. The same switch is exposed in about:config as network.trr.mode (2 means DoH first with fallback to the system resolver, 3 means DoH only, 5 means off by user choice).

Likewise, users of other browsers can enable the same functionality. In addition to Opera, which released a new DoH-capable version of its desktop browser today, Chromium-based browsers expose an experimental “Secure DNS lookups” flag in the flags interface (edge://flags in the new Chromium-based Edge, for example). At the time of writing, only Apple Safari and Microsoft Internet Explorer lack the feature.


Conversation 11 comments

  • wright_is

    Premium Member
    25 February, 2020 - 8:58 am

“As Mozilla explains, the Domain Name System (DNS) used by all Internet sites and services is insecure because it uses decades-old technologies and is unencrypted, even for websites that are protected with HTTPS.”

    Only partly true. I use DNS over TLS, which is encrypted over the standard DNS protocol, not over HTTPS. With DoT and DNSSEC, you are very secure. Breaking DNS to use HTTPS isn't the right way to go, IMHO. This only affects the browser. You should be changing your entire device to use DNS over TLS.

    • lvthunder

      Premium Member
      26 February, 2020 - 10:48 am

In reply to wright_is:

      The browser makers can't do that though, so they are doing what they can.

  • MarkPow

    Premium Member
    25 February, 2020 - 10:27 am

DNS over HTTPS is easily my most favourite IT acronym so far.

    • wright_is

      Premium Member
      26 February, 2020 - 5:15 am

In reply to MarkPow:

      I always have an image of Homer Simpson in my head when I read about DoH…

  • IanYates82

    Premium Member
    25 February, 2020 - 4:02 pm

Good to see.

    One minor nit: "where a friendly URL is translated into a domain name"… Not quite right. It's where a friendly server name is translated into an IP address. E.g. http://www.thurrott.com is translated into these IPv4 addresses: 104.26.12.34, 104.26.13.34 via DNS.

  • RonV42

    Premium Member
    25 February, 2020 - 4:23 pm

I have enabled DoH on my DNS server at home to the Cloudflare services. I have been running in this configuration for over a year. I also capture port 53 DNS lookups and force them to my DNS server, since many devices and some apps actually hard-code their DNS servers to Google.

  • youwerewarned

    25 February, 2020 - 8:20 pm

Most privacy benefits are illusory. Your ISP will still have total access to your browsing activity through rDNS, if they so choose.

  • beckoningeagle

    Premium Member
    26 February, 2020 - 5:04 am

Won't this affect internal DNS lookups for enterprises? Especially places where a server has a different address when used by an intranet user?

    • wright_is

      Premium Member
      26 February, 2020 - 5:11 am

In reply to BeckoningEagle:

      Yes. If the external DoH lookup fails, it is supposed to fall back to the "real" DNS server (i.e. it then does the job properly, going through the operating system's DNS lookup chain – hosts file, primary DNS server, backup DNS server). But this is then, essentially, a security leak, in that you are sending the names of your internal servers/devices to an external server, which is BAD™.

      The other problem is that most modern browsers don't like local domain names; instead the address bar ignores the address you have entered and treats it as a search request.

      For example, if you enter "myserver" into the address bar, the browser says, "hmm, no .com etc., must be a search."

      You can override the behaviour by entering "/" at the end of the name. In Firefox, you can also use about:config and then change keyword.enabled to false; then you need to explicitly use the search box for searches.

    • lvthunder

      Premium Member
      26 February, 2020 - 10:49 am

In reply to BeckoningEagle:

      I would be surprised if there wasn't a way for IT admins to turn this off. I don't know if Firefox can use group policy settings or not.


Thurrott © 2024 Thurrott LLC