Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.
A little over two years ago, we began work to help update and secure one of the oldest parts of the internet, the Domain Name System (DNS). To put this change into context, we need to briefly describe how the system worked before DoH. DNS is a database that links a human-friendly name, such as www.mozilla.org, to a computer-friendly series of numbers, called an IP address (e.g. 192.0.2.1). By performing a “lookup” in this database, your web browser is able to find websites on your behalf. Because of how DNS was originally designed decades ago, browsers doing DNS lookups for websites — even encrypted https:// sites — had to perform these lookups without encryption. We described the impact of insecure DNS on our privacy:
Because there is no encryption, other devices along the way might collect (or even block or change) this data too. DNS lookups are sent to servers that can spy on your website browsing history without either informing you or publishing a policy about what they do with that information.
At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.
Since our work on DoH began, many browsers have joined in announcing their plans to support DoH, and we’ve even seen major websites like Facebook move to support a more secure DNS.
If you’re interested in exactly how DoH protects your browsing history, here’s an in-depth explainer by Lin Clark.
We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings, then General, then scroll down to Networking Settings and click the Settings button on the right. Here you can enable DNS over HTTPS by clicking, and a checkbox will appear. By default, this change will send your encrypted DNS requests to Cloudflare.
Users have the option to choose between two providers — Cloudflare and NextDNS — both of which are trusted resolvers. Go to Settings, then General, then scroll down to Network Settings and click the Settings button on the right. From there, go to Enable DNS over HTTPS, then use the pull down menu to select the provider as your resolver.
Users can choose between two providers
We continue to explore enabling DoH in other regions, and are working to add more providers as trusted resolvers to our program. DoH is just one of the many privacy protections you can expect to see from us in 2020.
You can download the release here.
Source: https://blog.mozilla.org/blog/2020/0...-for-us-users/
Thanks, Shawn! I followed the link and it looks like I have Cloudflare as my default. All I had to do was click the box, so I guess it came preinstalled in FF 73.01, which is on my Production (1909 V 19363.657) machine.
Last edited by Wynona; 27 Feb 2020 at 00:00.
Hi Shawn, Wynona,
Clicking on the down arrow to the right reveals more choices, Wynona, I'm not sure if you missed that in the tutorial:
I left mine with the default, Cloudflare, and checking with Cloudflare's: Browsing Experience Security Check I came up with the same results as shown in the tutorial; First three green, the fourth, encrypted SNI was red.
It's not called for in the tutorial but I restarted Firefox and all is well. I'll give it a few days and switch to NextDNS to see how that works, I don't have a custom provider as of yet.
NextDNS has a 300,000 queries/month limit then pricing kicks in see: Pricing.
I'm not sure how free works in cloudflare.
@Brink: you may want to update the pix in Step 5 enable, of: How to Enable or Disable DNS over HTTPS (DoH) in Firefox It's missing the listing for NextDNS in the drop down, the post / thread in News (here) is okay.
Yes, Cloudflare is the default resolver, and a very good one at that (it is also the default in Chrome). Here is some background on how Mozilla determines which resolver's it uses - I think the list at the bottom will have more added to it as they add new resolvers that meet their criteria:
Security/DOH-resolver-policy - MozillaWiki
Use the extended DNS Leak Test here, to check your DoH connection - you should only see your chosen DNS resolver once it completes:
https://www.dnsleaktest.com/
Last edited by Brink; 26 Feb 2020 at 18:27.
@Anak
Steve, a snip from your post:
NextDNS has a 300,000 queries/month limit then pricing kicks in see: Pricing.
If Firefox has partnered with NextDNS, I wonder if that 300k is a non-issue. I can't imagine Mozilla first throwing it out in Beta, then general public distribution, with a "Gotcha" embedded. Never seen that happen before.
Maybe Shawn can research when he's got nothing to do and bored. That should be around 3rd quarter of 2025.
@Golden: I'm using cloudflare for now and that 's all I did see with the standard and extended testing.
@Brink: You're Welcome!
@f14tomcat: Mite not take that long...
In a 30day month 300,000 would be: 30days x 24hours = 720hours x 60minutes = 1,440minutes x 60seconds = 86,400seconds ÷ into 300,000 = 3.4722222 queries per second. . .
I saw Shawn do 4.8 per second once but he was using two hands, 6 computers, 8 monitors 3 servers, an half the power output of the State of Oklahoma! Nothin' but a blur, yes sir, nothin' but a blur...
Quote
