Mozilla to gradually enable DNS-over-HTTPS for Firefox US users later this month

Mozilla firefox
Mozilla firefox

DoH tests haven’t found any issues. Mozilla to start rolling out DoH to a small set of US users, then gradually roll it out for to more users.

Mozilla plans to allow DNS-over-HTTPS (DoH) protocol assistance for a tiny amount of US users beginning later this month within the Firefox browser.

Since 2017, the browser manufacturer has tested DoH assistance in Firefox. A latest experiment has discovered no problems, and Mozilla plans to allow DoH for a tiny number of consumers in the primary Firefox release and then to allow for a wider crowd if no problems occur. Check for mozilla vulnerability scanner here.

“If that goes well, we will let you know when we’re prepared for 100% use,” said Selena Deckelmann, senior director of Mozilla’s Firefox Engineering.

What is DoH?

DoH (IETF RFC8484) enables Firefox to transmit DNS requests to unique DoH compatible DNS servers, known as DoH resolvers, as standard HTTPS traffic. In general, within the ordinary deluge of HTTPS information, it hides DNS applications. DoH does not encrypt applications for DNS. This is another protocol: DNS-over-TLS, also known as DoT].

Firefox ships with assistance of Cloudflare’s DoH Resolver for relaying encrypted DoH applications by default, but users can alter this to any DoH Resolver they like[ see here].

When DoH support is activated in Firefox, browsers disregard the operating system’s DNS settings, and use the DoH browser set.

DoH actually hides DNS traffic from Internet service suppliers (ISPs), local parent control software, Anti-Virus Software, business firewalls, Traffic Filters and about any other third-party who attempts to intercept and detect user traffic, by shifting DNS server settings from the OS to the browser stage.

DoH disputes

When Mozilla announced it was working on DoH assistance in Firefox, privacy proponents rejoiced and for excellent reasons, as DoH would make it possible to bypass web traffic filters in oppressive regimes.

Because of the problems mentioned above, DoH support in business settings and ISPs was not regarded as a welcome technical alternative.

ISPs monitor DNS traffic to filter poor site traffic, impose legal mandatory website blocks or collect browsing history from customers and re-sell it to advertisers.

With DoH, they can no longer look into DNS traffic.

In July, a UK ISP named Mozilla as an “web villain,” incorporating Firefox’s DoH assistance. The ISP argued that it can not filter child abuse traffic because DoH would allow users to bypass any filters it creates.

The ISP recalled later that Mozilla was called an internet villain after a huge government backlash and Mozilla announced that it would not permit DoH assistance for Firefox users in the UK by default.

The protocol has also been criticized by enterprises that provide traffic filtering alternatives, which they say can behave as a firewall bypass mechanism.

Malware writers have discovered DoH an appealing protocol and have effectively bypassed enterprise safety systems with malicious DNS traffic.

Firefox complies with company filters and parental controls

Mozilla certainly didn’t hear the last talks. The browser developer said that it would attempt to prevent causing issues.

For starters, Mozilla said that Firefox will have a mechanism to detect the existence of any parent control software or business configuration after DoH is enabled by default for US customers.

If discovered, Firefox will automatically disable DoH, thus the browser will not bypass parent controls or business settings or traffic filters deliberately set up to ensure safety for users.

Mozilla also works with ISPs to ensure users do not use DoH to circumvent legally established blocklists.

The organisation has said that it has asked ISPs and suppliers of parental control alternatives based on networks to add a “canary domain” to their blocklists. If Firefox detects that this canary domain is blocked, DoH is disabled to avoid the function from being used as a filter bypass.

Credit: ZDNet

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.