Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS

from the encrypt-ALL-the-things! dept

Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla last year announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in government, telecom, or other organizational efforts to use DNS records to block and filter content, or track and sell user activity.

As a result, a lot of these folks have been throwing temper tantrums in recent weeks.

The telecom sector, which makes plenty of cash selling your daily browsing habits, has spent much of the last year trying to demonize the Google and Mozilla efforts any way it can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah, that's an entirely different mess). Mozilla's response to telecom's face fanning? First, to urge Congress to investigate telecom's long history of privacy abuses; then, this week, to enable the feature by default in its browser.

In a blog post, Mozilla explains its thinking as such:

"At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit."

While there's a lot of overheated rhetoric about the risk of DNS over HTTPS from the likes of big telecom and government surveillance aficionados, there are some legitimate concerns about the standard from more above-board cybersecurity professionals. They'll be quick to note that there are several other points at which ISPs can still engage in data surveillance and sales. They'll also argue that DNS over HTTPS really complicates life for enterprise IT managers, and that in some instances encrypted DNS could derail existing cybersecurity solutions or parental controls.

Mozilla says it's listening to these complaints, so it's starting slowly with a gradual rollout across the US only. The organization says Firefox will disable encrypted DNS if it conflicts with parental controls. The feature will also be disabled by default in enterprise configurations. Firefox's encrypted DNS will use Cloudflare by default, though users can switch to other encrypted DNS providers manually in their browser settings. Those curious about the particulars can dig through Mozilla's FAQ here.
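To make concrete what "performing DNS lookups in an encrypted HTTPS connection" means on the wire, here is an added example (not code from the article, Mozilla or Cloudflare) that builds a DNS query in standard wire format, wraps it in the two request shapes the DNS-over-HTTPS specification (RFC 8484) allows, and parses a constructed answer. The resolver URL `https://doh.example/dns-query` is a placeholder, the response is constructed locally, and nothing touches the network; the point is that the only thing an on-path observer sees is an HTTPS request to the resolver, while the queried name lives inside the encrypted body or query string.

```python
"""DNS-over-HTTPS (RFC 8484) message handling, added as a worked example.

Builds a DNS query in wire format (RFC 1035), wraps it as a DoH GET or POST
request, and parses a locally constructed response. No network access.
"""
import base64
import struct

DOH_URL = "https://doh.example/dns-query"   # placeholder resolver endpoint (hypothetical)
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Header (ID 0 as RFC 8484 recommends for cacheability, RD bit set) + one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """GET form: the wire-format query goes in the 'dns' parameter, base64url without padding."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def decode_dns_param(token: str) -> bytes:
    """Server side of the GET form: restore padding and decode the base64url token."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def doh_post_request(query: bytes, base_url: str = DOH_URL) -> dict:
    """POST form: the raw query is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": base_url,
        "headers": {"Accept": "application/dns-message",
                    "Content-Type": "application/dns-message"},
        "body": query,
    }


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a name at offset, following RFC 1035 compression pointers (0xC0xx)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_response(query: bytes, addresses: list, ttl: int = 300) -> bytes:
    """Constructed reply (not from a real resolver): echoes the question and adds one
    A record per address, naming each via a pointer to the question name at offset 12."""
    qid, = struct.unpack("!H", query[:2])
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answers


def parse_response(msg: bytes) -> list:
    """Return [(name, ttl, ipv4)] for A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                       # non-zero RCODE, e.g. NXDOMAIN
        raise ValueError(f"resolver returned rcode {flags & 0xF}")
    offset = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)["headers"])
    # 93.184.216.34 below is a constructed sample answer, not a live lookup
    for rec in parse_response(build_response(q, ["93.184.216.34"])):
        print(rec)
```

The same 33-byte query that a classic resolver would receive as a plaintext UDP datagram is what travels inside TLS here, which is why an ISP on the path can still see that you connected to the resolver, but not which name you asked for. Firefox's own switch for the provider choice the article mentions is the `network.trr.mode` / `network.trr.uri` pair in about:config; that detail is from Firefox's documentation, not the article.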

Filed Under: browsers, dns, dns-over-https, encryption, firefox, privacy, snooping
Companies: mozilla


Reader Comments


  1. tz1 (profile), 27 Feb 2020 @ 7:59am

    NextDNS (.io) is also a provider, and if you get an account (free for beta and the first 300k queries) you can add custom block, white, and black lists. (Not to mention logs and analytics down to device if you add a few things, I found my webcams were hitting timeservers they shouldn't, so I enabled my own and pointed them at it; they were also pinging their p2p sites which I didn't want or need; when I find something chattering I can't block, I add it to my hosts file as a 0.0.0.0). That is what I'm using and I have several ad, tracking, and malware lists enabled. So "safety" is an excuse. I'm probably safer as I block more things. As to speed, I think some implementations of DoH use persistent connections, so the TCP and TLS overhead only happens once. Also it depends on which server is doing the caching - the "big iron" servers are likely to have most things already cached and a large enough capacity. One problem is bounce pages from wifi portals that want you to click "I agree" or provide a password. Generally using 1.1.1.1 as the site will bounce because IP addresses don't have https or certs.
