Categories: Privacy

Improving DNS Privacy in Firefox

The Domain Name System (DNS) is one of the oldest parts of the internet architecture, and it remains one that has largely been untouched by efforts to make the web safer and more private. On the Firefox network and security teams, we are working to change that by encrypting DNS queries and by testing a service that keeps DNS providers from collecting and sharing your browsing history.

For more than 30 years, DNS has served as a key mechanism for accessing sites and services on the web. Browsers (including Firefox) use DNS to query a distributed database that turns the host name in a URL into the IP addresses needed to open a connection. Firefox cannot do much without the service. DNS hails from the days of a kinder, gentler Internet, when it was normal to send this kind of query in cleartext to any nearby server that claimed to be able to answer it.

This approach is no longer a fit for the modern Internet. Because the queries are unencrypted, any device on the path between you and the resolver can read them, and can block or alter them too. DNS lookups are sent to servers that can record your browsing history without informing you or publishing a policy about what they do with that information.

While sophisticated users can turn to cloud-based “open resolvers” that offer better privacy controls than what is available by default from most internet service providers (ISPs), these resolvers rely on the same old unencrypted protocols, so ISPs and other on-path networks can often intercept the data anyway.

Our first effort to upgrade the privacy of DNS is to implement the DNS over HTTPS (DoH) protocol, which encrypts DNS requests and responses.  See Lin Clark’s terrific explainer about how DNS over HTTPS can really improve the state of the art.

DoH support has been added to Firefox 62 to improve the way Firefox interacts with DNS. DoH carries DNS queries and responses inside HTTPS connections to a resolver configured within Firefox, so requests sent to the DoH server are encrypted in transit, while old-style DNS requests over port 53 are not protected. DoH standardization is currently a work in progress, and we hope that soon many DNS servers will secure their communications with it.

Firefox does not yet use DoH by default. See the end of this post for instructions on how you can configure Nightly to use (or not use) any DoH server.

Our second effort focuses on building a default configuration for DoH servers that puts privacy first.

We are running a shield study where some Nightly users will participate in one or more experiments to help us build out a secure, cloud-based service that handles DoH requests. All Nightly users will receive an in-product notification about these studies.

Cloudflare is our partner for these experiments. When a shield study is active, Nightly Firefox will automatically use Cloudflare’s secure DNS over HTTPS service (though we aren’t using the famous 1.1.1.1 address). The first study will test whether DoH’s performance is up to the task.

We’ve chosen Cloudflare because they agreed to a very strong privacy agreement that protects your data. Resolving a website’s name into an address means sharing that name with a third party in order to connect, regardless of whether you’re using DoH or traditional DNS. We want to be confident your DNS operates with strong privacy-preserving terms like those we have established with Cloudflare.

We believe that negotiating a privacy first operating agreement is something that Firefox can do for people that is just impractical to ask them to do for themselves. Imagine calling up your residential ISP and asking them to agree to an audit that demonstrates they do not log your IP address on their DNS server. And then repeating the process for your favorite coffee shop, library, friend’s house — anywhere you and your browser go to connect.

Firefox improves user privacy by default by finding good partners, establishing legal agreements that put privacy first, and eventually shipping a default configuration we believe is best.

Shield studies will come and go. If you would like to see what studies you are currently enrolled in simply load about:studies in the location bar. You can also opt out of studies on that page.


How-To Manually Configure DoH

Do you want to use (or not use) DoH all the time? Use the configuration editor (about:config) to set DoH up if you want to test it outside of a shield study. DoH support works best in Firefox 62 or newer. Shield studies will not override your manual configuration.

1] Type about:config in the location bar

2] Search for network.trr (TRR stands for Trusted Recursive Resolver; it is the DoH endpoint used by Firefox.)

3] Change network.trr.mode to 2 to enable DoH. This will try to use DoH but will fall back to insecure DNS under some circumstances, such as captive portals. (Use mode 5 to disable DoH under all circumstances.)

4] Set network.trr.uri to your DoH server. Cloudflare’s is https://mozilla.cloudflare-dns.com/dns-query but you can use any DoH compliant endpoint.

To check that it is working, open the DNS tab on the about:networking page: for each cached name it indicates whether the name was resolved using the Trusted Recursive Resolver (TRR) via DoH.
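To make the wire format concrete, here is an added example (not code from this post or from Firefox) of the DoH exchange the steps above configure, following the DoH specification (RFC 8484, which the draft mentioned above became). It builds the DNS query message, encodes it in the GET and POST forms DoH defines, and parses an answer. The endpoint URL is the Mozilla/Cloudflare one from step 4; the sample response bytes and the IP address in them are constructed for illustration, not a real capture, so the whole thing runs offline.

```python
"""Added example: a DNS-over-HTTPS exchange on the wire (RFC 8484).

Not code from the Mozilla post or from Firefox. It builds the DNS query
message, encodes it in the GET and POST forms DoH defines, and parses a
constructed answer. Everything runs offline; resolve_live() is optional.
"""
from __future__ import annotations

import base64
import ipaddress
import struct
import urllib.request

# Endpoint from the post (step 4 of the how-to).
DOH_ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: one question, recursion desired.

    The message ID is fixed at 0, as RFC 8484 recommends, so identical
    queries yield identical GET URLs that HTTP caches can reuse.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: base64url with padding stripped, in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(query: bytes, endpoint: str = DOH_ENDPOINT) -> urllib.request.Request:
    """POST form: raw DNS message body tagged application/dns-message."""
    return urllib.request.Request(
        endpoint, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2  # the record continues after the 2-byte pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answers(msg: bytes) -> tuple[int, list[dict]]:
    """Return (RCODE, answer records) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:       # A record
            data = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:   # AAAA record
            data = str(ipaddress.IPv6Address(rdata))
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return flags & 0x000F, answers


# Constructed response for example.com (illustrative bytes, not a real capture):
# header, echoed question, then one A record whose name is a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)       # QR=1, RD=1, RA=1, RCODE=0
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # A, IN, TTL 300, 4-byte RDATA
    + bytes([93, 184, 216, 34])
)


def resolve_live(name: str, endpoint: str = DOH_ENDPOINT) -> tuple[int, list[dict]]:
    """Optional real lookup (needs network); not used by the offline demo."""
    with urllib.request.urlopen(doh_post_request(build_query(name), endpoint), timeout=5) as r:
        return parse_answers(r.read())


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET ", doh_get_url(q))
    print("POST", DOH_ENDPOINT, "Content-Type: application/dns-message,", len(q), "bytes")
    print(parse_answers(SAMPLE_RESPONSE))
```

Two details are worth noticing. The GET form exposes the whole query in the URL, which is why the ID is pinned to 0 and the padding stripped: it keeps the URL stable so HTTP caches in front of the resolver can answer repeats. And the response parser handles name compression pointers, which real resolvers use for the answer name; a parser that ignores them reads the record header from the wrong offset.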

15 comments on “Improving DNS Privacy in Firefox”

  1. Brian Herman wrote on

    Things like this are what make Firefox and Cloudflare great!!! Hope to see more of this stuff soon.

  2. Max wrote on

    This is bad for DNS-based system-wide ad blocking https://pi-hole.net/

    1. thierrybo wrote on

      I don't think so. The links in web pages are still in plain text, so I believe they can still be blocked before the encrypted DNS query starts.

  3. Mark R wrote on

    Great, so the name requests will now be encrypted when this feature is enabled; it is a shame that a network sniffer can still get host names in the clear from the TLS SNI.

    Even if we magically somehow encrypt SNI

    How do we genuinely prevent an eavesdropper knowing which sites we visit? Or just use a VPN?

  4. Ralf wrote on

    I think it’s a bad idea to centralize all of Firefox users’ DNS traffic onto one organization — no matter how strong your agreement with Cloudflare is. Decentralization is important for resilience, in particular against censorship and other policy decisions. I trust Cloudflare to get the technical redundancy right, but that’s not enough.

    This is a HUGE step backwards in terms of decentralization. I think it is a mistake.

    1. Fahrenheit 451 wrote on

      Agreed. This is complete madness, and will get shot down by everybody outside the US for good reason.

      “But you can put your own dns resolver url in there”

      So only 99.9% of the userbase will send their dns to a US company by default. That makes it all better. Oh look, I think every European government wants to have a word about this, while the crooks and the security services salivate at the thought of only having to pressure/hack one company to get everyone’s dns lookups.

  5. Eric wrote on

    UDP must be getting lonely with only SRTP and Chrony left. Does NTP even support PKI?

  6. Dennis wrote on

    I believe Mozilla’s stance on closing privacy loopholes – particularly where users have seemingly little control, as made clear in this article – is commendable and should serve as an example to others. This is not only about the rights of the individual, but also about national and corporate responsibility.

  7. Mike Gale wrote on

    It would be valuable to explain how your resolver works with hosts files (and anything else that impacts the resolution) in this post.

  8. Wellington Torrejais da Silva wrote on

    Nice! Using right now.

  9. Frank wrote on

    If you want to have encrypted DNS and also a way to choose between different DoH servers, it’s simple:
    https://github.com/jedisct1/dnscrypt-proxy

    This is just a local proxy (including caching) which sends encrypted DNS requests to various DoH servers in the world; you can either choose on your own or let the proxy decide based on lowest latency (you can still configure the list of servers to use).

  10. XCanG wrote on

    I’m curious: the Nightly test that I accepted uses mode = 4. What does this mean? What are modes 0, 1, 2, 3, 4 (5 is disable, as you say)?
    The DNS URI is also set to https://dns.cloudflare.com/.well-known/dns

    1. Patrick McManus wrote on

      1: the Cloudflare-Mozilla privacy policy applies to the URL https://mozilla.cloudflare-dns.com/dns-query so you’re better off using that (the technical bits of the service are the same).

      2: mode: 0 and 5 are variants of off. 2 is soft-fail (recommended, to deal with captive portals, split horizon, cloud downtime, etc.). 3 is hard-fail. 1 is “race”, where DoH is raced against the OS resolver and the first one to complete wins, and 4 is “shadow”, where DoH and the OS resolver are done in parallel (as with race) but the OS resolver result is always used. Race and shadow are to help us evaluate the technology; I anticipate it being deployed in soft-fail mode as an end state.

      1. XCanG wrote on

        Thanks for the answer. I think for some time I’ll keep mode 4; when the tests end or the result is positive, I’ll switch to a harder mode.

  11. Csaba wrote on

    I was excited to try it out, but it doesn’t honor my Windows hosts file where I have some important work mappings, so can’t really use it.
