Categories: Privacy

Improving DNS Privacy in Firefox

Domain Name Service (DNS) is one of the oldest parts of internet architecture, and remains one that has largely been untouched by efforts to make the web safer and more private.  On the Firefox network and security teams, we’re working to change that by encrypting DNS queries and by testing a service that keeps DNS providers from collecting and sharing your browsing history.

For more than 30 years, DNS has served as a key mechanism for accessing sites and services on the web. Browsers (including Firefox) use DNS to access a distributed database that turns URLs into TCP/IP addressing information. Firefox cannot do much without the service. DNS hails from the days of a kinder, gentler Internet, when it was normal to make this kind of query using unencrypted protocols and send it to any nearby server that claimed to be able to answer it.

This approach is no longer a fit for the modern Internet.  Because there is no encryption, other devices along the way might collect (or even block or change) this data too.  DNS lookups are sent to servers that can spy on your website browsing history without either informing you or publishing a policy about what they do with that information.

While sophisticated users can turn to cloud-based “open resolvers” that offer better privacy controls than what is available by default from most internet service providers (ISPs), these resolvers rely on the same old unencrypted protocols so ISPs can often intercept data anyway.

Our first effort to upgrade the privacy of DNS is to implement the DNS over HTTPS (DoH) protocol, which encrypts DNS requests and responses.  See Lin Clark’s terrific explainer about how DNS over HTTPS can really improve the state of the art.

DoH support has been added to Firefox 62 to improve the way Firefox interacts with DNS. DoH uses encrypted networking to obtain DNS information from a server that is configured within Firefox. This means that DNS requests sent to the DoH cloud server are encrypted, while old-style DNS requests are not protected. DoH standardization is currently a work in progress and we hope that soon many DNS servers will secure their communications with it.

Firefox does not yet use DoH by default. See the end of this post for instructions on how you can configure Nightly to use (or not use) any DoH server.

Our second effort focuses on building a default configuration for DoH servers that puts privacy first.

We are running a shield study where some Nightly users will participate in one or more experiments to help us build out a secure, cloud-based service that handles DoH requests. All Nightly users will receive an in-product notification about these studies.

Cloudflare is our partner for these experiments. When a shield study is active, Nightly Firefox will automatically use Cloudflare’s secure DNS over HTTPS service (though we aren’t using the famous 1.1.1.1 address). The first study will test whether DoH’s performance is up to the task.

We’ve chosen Cloudflare because they agreed to a very strong privacy agreement that protects your data. TCP/IP requires sharing the name of a website with a third party in order to connect, regardless of whether you’re using DoH or traditional DNS. We want to be confident your DNS operates with strong privacy preserving terms like those we have established with Cloudflare.

We believe that negotiating a privacy first operating agreement is something that Firefox can do for people that is just impractical to ask them to do for themselves. Imagine calling up your residential ISP and asking them to agree to an audit that demonstrates they do not log your IP address on their DNS server. And then repeating the process for your favorite coffee shop, library, friend’s house — anywhere you and your browser go to connect.

Firefox improves user privacy by default by finding good partners, establishing legal agreements that put privacy first, and eventually shipping a default configuration we believe is best.

Shield studies will come and go. If you would like to see what studies you are currently enrolled in simply load about:studies in the location bar. You can also opt out of studies on that page.


How-To Manually Configure DoH


Do you want to use (or not use) DoH all the time? Use the configuration editor to configure DoH if you want to test DoH outside of a shield study. DoH support works best in Firefox 62 or newer. Shield studies will not override your manual configuration.

1] Type about:config in the location bar

2] Search for network.trr (TRR stands for Trusted Recursive Resolver – it is the DoH Endpoint used by Firefox.)

3] Change network.trr.mode to 2 to enable DoH. This will try to use DoH but will fall back to insecure DNS under some circumstances, such as captive portals. (Use mode 5 to disable DoH under all circumstances.)

4] Set network.trr.uri to your DoH server. Cloudflare’s is https://mozilla.cloudflare-dns.com/dns-query but you can use any DoH compliant endpoint.

The DNS tab on the about:networking page indicates which names were resolved using the Trusted Recursive Resolver (TRR) via DoH.

52 comments on “Improving DNS Privacy in Firefox”


  1. Brian Herman wrote on

    Things like this are what makes firefox and cloudflare great!!! Hope to see more of this stuff soon.

    Reply

    1. Byron Goodman wrote on

      This truly is a terrible idea. So now Cloudflare decides what is good and what is bad? This allows Cloudflare to monopolize DNS traffic, collect that information, and now they don’t even need an end user agreement to sell it. They’re a competitor to OpenDNS, which does sell the information.

      Not only does this open a huge set of legal liability issues, especially for those organizations that have a stack of compliance to deal with, you funneled all DNS requests that might be outside of an organization’s acceptable use policy to Cloudflare.

      Anyone thinking this is a good idea isn’t thinking.

      Reply

  2. Max wrote on

    This is bad for DNS-based system-wide ad blocking https://pi-hole.net/

    Reply

    1. thierrybo wrote on

      I don’t think so. The links in web pages are still in plain text, so I believe they still can be blocked before the encrypted DNS query starts.

      Reply

  3. Mark R wrote on

    Great, so the name requests will now be encrypted when this feature is enabled; it is a shame that a network sniffer can still get host names in the clear from the TLS SNI.

    Even if we magically somehow encrypt SNI

    How do we genuinely prevent an eavesdropper knowing which sites we visit? Or just use a VPN?

    Reply

  4. Ralf wrote on

    I think it’s a bad idea to centralize all of Firefox users’ DNS traffic onto one organization — no matter how strong your agreement with Cloudflare is. Decentralization is important for resilience, in particular against censorship and other policy decisions. I trust Cloudflare to get the technical redundancy right, but that’s not enough.

    This is a HUGE step backwards in terms of decentralization. I think it is a mistake.

    Reply

    1. Fahrenheit 451 wrote on

      Agreed. This is complete madness, and will get shot down by everybody outside the US for good reason.

      “But you can put your own dns resolver url in there”

      So only 99.9% of the userbase will send their dns to a US company by default. That makes it all better. Oh look, I think every European government wants to have a word about this, while the crooks and the security services salivate at the thought of only having to pressure/hack one company to get everyone’s dns lookups.

      Reply

    2. Damon wrote on

      I concede your point, but bear in mind it’s an experiment only available in Nightly at this point (and even then with no UI controlling it). Perhaps intl.accept_languages could be used as a heuristic to determine a more appropriate DoH server for the locality? Selection of the DoH server is also covered in section 4 of the draft RFC linked in the article.

      Reply

  5. Eric wrote on

    UDP must be getting lonely with only SRTP and Chrony left. Does NTP even support PKI?

    Reply

  6. Dennis wrote on

    I believe Mozilla’s stance on closing privacy loopholes – particularly ones users have seemingly little control over, as made clear in this article – is commendable and should serve as an example to others. This is not only about the rights of the individual, but also about national and corporate responsibility.

    Reply

  7. Mike Gale wrote on

    It would be valuable to explain how your resolver works with hosts files (and anything else that impacts the resolution) in this post.

    Reply

  8. Wellington Torrejais da Silva wrote on

    Nice! Using right now.

    Reply

  9. Frank wrote on

    If you want to have encrypted DNS and also a way to choose between different DoH servers, it’s simple:
    https://github.com/jedisct1/dnscrypt-proxy

    This is just a local proxy (including caching) which sends encrypted DNS requests to various DoH servers in the world; you can either choose on your own or let the proxy decide based on lowest latency (you can still configure the list of servers to use).

    Reply

  10. XCanG wrote on

    I’m curious: the Nightly test I accepted uses mode = 4; what does this mean? What are modes 0, 1, 2, 3, 4 (5 is disable, as you say)?
    DNS URI also set to https://dns.cloudflare.com/.well-known/dns

    Reply

    1. Patrick McManus wrote on

      1: the Cloudflare-Mozilla privacy policy applies to the URL https://mozilla.cloudflare-dns.com/dns-query so you’re better off using that (the technical bits of the service are the same).

      2: mode.. 0 and 5 are variants of off. 2 is soft-fail (recommended to deal with captive portals, split horizon, cloud downtime, etc.). 3 is hard-fail. 1 is “race” where DoH is raced against the OS resolver and the first one to complete wins, and 4 is “shadow” where DoH and the OS resolver are done in parallel (as with race) but the OS resolver result is always used. Race and Shadow are to help us evaluate the technology – I anticipate it being deployed in soft-fail mode as an end state.

      Reply

      1. XCanG wrote on

        Thanks for the answer. I think for some time I’ll keep mode 4; when the tests end or the result is positive, I’ll switch to a harder mode.

        Reply

  11. Csaba wrote on

    I was excited to try it out, but it doesn’t honor my Windows hosts file where I have some important work mappings, so can’t really use it.

    Reply

  12. gmelis wrote on

    Now, it’d be nice if it allowed somehow to resolve specific hostnames locally or via the /etc/hosts file. Helps in testing and development. If people have to go through a tedious process every time they want to assign a specific address to a domain name, they’ll end up using chrome.

    Reply

  13. Lord of the flies wrote on

    How does this work with DNS-based Content Distribution Networks (CDNs), which deliver most of the world’s internet sites?

    If Cloudflare does not share the end user’s approximate network location, users will be served from locations far away from them. Then word will spread very quickly on popular blogs and media that “Sites load much faster in Chrome than in Firefox, and Chrome plays videos with much higher quality.”

    I really hope Cloudflare’s resolver is not the default choice, for Firefox’s sake (we need diversity and competition among browsers).

    P.S.
    Google’s 8.8.8.8 DNS Resolver supplies CDNs with your approximate location in the network, so it works fine.

    Reply

  14. David C. wrote on

    Just want to share that CleanBrowsing DNS is compliant and works with Firefox nightly. We have 3 endpoints with different filters:

    https://doh.cleanbrowsing.org/doh/family-filter/
    (Blocks adult content + Proxies + set search engines to their safe modes)

    https://doh.cleanbrowsing.org/doh/adult-filter/
    (Blocks adult content)

    https://doh.cleanbrowsing.org/doh/security-filter/
    (Blocks phishing + malware)

    That gives the flexibility to parents and schools that also need to block access to adult content. More details:

    https://cleanbrowsing.org/dnsoverhttps

    Reply

  15. Adam wrote on

    well done!

    Reply

  16. LinuxBender wrote on

    How does this work in a corporate environment? How does Firefox know which queries to send over DoH and which to send to the corporate DNS servers? How do you prevent leaking internal information? Traditional DNS already leaks a lot.

    Reply

  17. 22December wrote on

    I run my own NS resolver/validator at home. I prefer not to use this feature.

    At present, I don’t understand why, but cannot disable it (setting 5 in network.trr blocks FF).

    In the future, what happens if Mozilla, for the common good, enforces that feature? Should I then switch to another browser? I also understand the need to protect the uneducated user, but it does not look very good in the long run.

    Reply

  18. Filipescu Mircea Alexandru wrote on

    I like the idea of a modern encrypted DNS system, but do not like the idea of Firefox using a centralized service by default. How can you possibly ask us to trust some company called Cloudflare with essentially our entire browsing history?! Who are they, why should we care for them, who asked us if we want to use them? It doesn’t matter how good they are… to be fair I never heard anything bad about them so far: They are still a centralized service that I have no obligation in trusting or working with!

    Making the URL customizable in about:config doesn’t cut it. If you’d actually place it in the preferences menu and make it selectable like the search engine, I might rethink my feelings on this a bit… as the current configuration stands however, I am strongly against the change. Feel free to implement it but do not enable this by default on us… not now and not ever, not until it’s part of a decentralized system that gives the user a choice in provider.

    Reply

  19. Sanity wrote on

    This is pure insanity. I can no longer recommend Firefox to my clients and users.

    It is a shame that Firefox has gone suicidal like this. Quantum won me back. This will lose me and all my users.

    You need to consider national sovereignty. Please do not do this. It is a terrible idea. Terrible.

    Reply

  20. bussdriver wrote on

    This is NOT being handled properly. Once again Mozilla is bungling things in a bad way which slowly alienates its shrinking user base… and the diehard promoters like myself as these things continue to pile up.
    DO NOT make obviously objectionable policy changes like this DEFAULT especially without providing an easy way to change the setting for non-technical users. Do you think I want to promote your browser along with a list of repairs to everybody I send your way??
    These things should at minimum require a user to OPT-IN to such changes. Long term you can use stats to decide the defaults; but this behavior continues to undermine the idea that mozilla is for user freedom.

    Reply

  21. Firefox User No more wrote on

    Centralizing DNS requests to a single provider creates a more centralized infrastructure, which is a privacy and availability nightmare. DoH itself is a good idea, but it should be handled by the OS; not the browser.

    I will be switching from Firefox to a different browser.

    Reply

  22. Nathan Hubbard wrote on

    Yet another thing I need to tweak in about:config to turn off because the default is bad.

    God dammit Mozilla, pretty soon even I’ll be using Chrome.

    Reply

  23. Felix wrote on

    Please add a simple config button to remove this behavior! In our environment there is our own DNS service which is blocking a lot of malware, tracking and ad sites. With your solution we have to use another browser.

    — do not be evil; do not track your customers!

    Reply

  24. Mot wrote on

    I don’t get what people are upset about. It’s just support for a standard. It’s not on by default and I would expect an easy way to set your preferred DOH resolver when the feature is on by default.

    Reply

  25. Karel wrote on

    Sending all requests to a third party is really bad idea… Please do not enable this setting by default.

    Reply

  26. Ingo wrote on

    While I welcome adding encryption to DNS, this is NOT THE WAY TO DO IT.
    If this trend goes further, do I soon have to shit over HTTPS or what?
    A browser is not and will never be the only instance of something that needs to resolve names. It’s the job of the OS, and if by some magical event all those OS vendors decide this is a good idea I might have to live with that – or just do it the old way.

    This idea screams government+3-letter-agencies+hackers misuse. A system where the browser may resolve a different address than my DNS is something very scary. A system that introduces a single point of “hack” is even worse. And please don’t talk anymore about those privacy policies, we know how it works in real life.

    This idea is IMHO so bad that I am wondering if after 20 years I should maybe try Internet Explorer; it couldn’t get any worse, could it?

    Reply

  27. Eric wrote on

    Have the devs at Firefox ever set foot in an enterprise environment? Ever? Our enterprise, like many others, uses in-house DNS servers that serve up A records not available to the outside. We have to pretty much ban Firefox because of this, and its refusal to use the Windows certificate store. Mozilla has forgotten why we switched to it from IE. They’re pandering to hipster users and refuse to even consider enterprise use.

    Reply

    1. Patrick McManus wrote on

      Hi,

      The expected soft-fail deployment mode will use native DNS to make sure split horizon deployments like you describe continue to work fine.

      Reply

      1. bodo wrote on

        Soft fail will not work for domains having different views for internal and external clients.

        Please Mozilla, make this opt-in only!

        Reply

    2. Bruce wrote on

      Could not agree more, in a corporate environment with private DNS views this will make Firefox unusable, unsupportable and it will have to go.
      This is a really sad development.

      Reply

  28. Ralph Loizzo wrote on

    Wow.

    I guess April Fool’s Day came late this year. Mozilla CAN NOT be seriously considering sending all DNS queries to one company OVER my DHCP-DNS settings and my hosts file. ( as well as those in my house, my company, etc.)

    This should be OPT-IN, not OPT-OUT.

    Reply

  29. Josh wrote on

    I think this is a horrible idea. Putting all DNS requests through a single company is a single point of failure and a security/privacy risk. I’m all for helping out those that have no idea what they are doing be more secure, but not at this cost. If this change is enabled by default, I’ll be switching to another browser as it is a clear indication of Mozilla’s philosophy going forward and I don’t want to have to spend my time researching special about:config tweaks to ensure my privacy/security.

    Reply

  30. Throwaway wrote on

    Ouch, this seems like a terrible idea, technically as well as business-wise.
    DNS resolution should not be the responsibility of a browser but of the OS, not even to mention overriding the default DNS resolver by default.

    – First of all your feature which “enhances privacy and security” might degrade the privacy and security as it will circumvent solutions like PiHole (https://pi-hole.net/) and other defense mechanisms put in place to protect end users and networks.
    – For enterprise environments enabling this feature will leak internal DNS lookups.
    – You are imposing your preference (Cloudflare DNS) upon users which explicitly do not want to use this DNS resolver (either due to privacy concerns or other reasons). If you’re turning on TRR by default they will have to opt-out. Meaning that if I want to continue using your browser I would have to opt-out this setting on every device on my network. Which is not do-able.
    – You are causing all this mayhem for advanced users and administrators while (a) the ‘default’ user does not even care and probably won’t even notice something different or (b) if they did, they would’ve already changed their DNS resolver on OS level.

    So your “solution” will solve a problem that does not exist for the users it is intended for while causing massive headaches for the advanced users and administrators who advocate your browser.

    Please reconsider this feature.

    PS: I welcome the education of users on DNS resolvers and their relation to privacy and freedom. But please do so without breaking the mechanisms put in place by admins who work their asses off every day protecting those very users.

    Reply

  31. Ailothaen wrote on

    Having pretty much the same opinion as all the above comments…

    I initially thought it was a joke… I have to say that the Mozilla Foundation really deceived me with this announcement.

    The Web is meant to be decentralized. It’s a fundamental principle which guarantees privacy, reliability and independence of the users. With this idea, you are doing exactly the opposite thing: jailing every Firefox user into Cloudflare, and making them dependent on this single infrastructure.

    Even if the starting idea is nice (protecting the privacy and security for users), this is really a horrible idea because:
    – even if it’s meant to be “private”, Cloudflare is still an enterprise, and their business model relies (at least partially) on using and selling data of their customers;
    – a single failure or downtime from Cloudflare means that potentially all Firefox users could be affected from this (even if Cloudflare has a great reliability, it could still happen because of numerous reasons) ;
    – users may want to use their own DNS servers, especially in the enterprise context.

    And seriously, if people want to use their own DNS at system level, why bypass that decision? The power does not belong to the user anymore? I feel bad for those who don’t know about this technical stuff and will be under the Cloudflare system then.

    I know the DNS system may be not really “safe”, but is this a reason to make decisions like that? If the system is bad, the protocol and standard should be improved instead of just finding palliative solutions like this one.

    I’m using Firefox (and spitting on Chrome/Edge) because I feel I have the control over my browser, and that my privacy is respected. But if this change makes it to release, I will probably look for an alternative to Firefox, not with a lot of sadness.
    I know you Mozilla are trying to bring more users to Firefox with security and privacy promises, but please, don’t forget the principles and ideology you came from.

    Reply

  32. Robert wrote on

    This is nutz! You want to drive FF further out of the enterprise, keep up this crap.

    We have specific Infoblox DNS firewalls in place to control what gets resolved and what gets dumped. You are circumventing our own policies.

    This should be defaulted to disabled and let those that want their privacy violated opt-in.

    Stupid idea.

    Reply

  33. Clarissa wrote on

    Are you serious? Cloudflare, which is a US company? And then you just hype this by saying “we have made a very strict privacy protection contract”? ARE YOU SERIOUS?

    You know that the NSA can send an NSL to ANY US COMPANY, which then not only has to give out information and work together with the NSA, but at the same time has to DENY any sort of cooperation? Are you TRULY this naive? Cloudflare can do contracts with you as much as they want! This has ZERO meaning! If the NSA gives out an NSL because of national security reasons, then you can eat your contract! Since it’s not worth the paper it’s printed on anymore!

    Giving a US company, that is by default NEVER trustable because of this NSL option, a perfect and full overview over every DNS resolve and connection, is NUTS! I’m so switching my browser now and not only for myself alone, but for all my friends I know as well!

    Reply

  34. PhoenixRevertsToAshes wrote on

    Dangerous, foolish, myopic. While encrypted DNS is a laudable goal, it cannot, it MUST not, be limited to a single provider tied to the browser. It must be configured by the device user/owner.

    As a Firefox feature this should only ever be available as an OPT-IN feature.

    Reply

  35. Caus wrote on

    This is completely crazy. Others have pointed it out already, but how can Firefox not only completely disregard the OS settings but also redirect our DNS queries to a private company?! Shame, we banned every other browser than Firefox at our company; we’ll have to go back on our choice it seems.

    Reply

  36. Jamie wrote on

    I don’t object quite as strongly as some, but I do absolutely refuse to be forced to use someone else’s infrastructure, especially someone like Cloudflare, whom I do not trust[1].

    I love that Mozilla is still experimenting. I’m keen to see more and better privacy protections. But I’m getting increasingly nervous that the only browser I used to feel like I could trust is slowly becoming less trustworthy as they forge these sort of partnerships with orgs whose values are not really aligned with users.

    [1] Why? None of your business. A browser-maker should not be making these choices. But does anyone else find being asked to share one’s DNS traffic with a huge, unaccountable, secretive organization that doesn’t even follow their own policies a bit… special?

    Reply

  37. Enrico Weigelt, metux IT consult wrote on

    Aha, improving “privacy” by routing *ALL* DNS traffic to *ONE SPECIFIC* provider that happens to be one of the biggest data collector around the world.

    This is really insane. We (dist maintainer) have to patch out that spyware.

    Reply

  38. Daniel Brandt, Public Information Research wrote on

    And what if Cloudflare is itself a honeypot, operating as a man-in-the-middle for U.S. intelligence agencies?
    http://www.crimeflare.org:82/honeypot.html

    Reply

  39. Dan wrote on

    This is pure insanity. If DoH servers are implemented by default, I can no longer recommend Firefox to anyone. Did you ever hear anything about data privacy? Why should we trust Cloudflare? I always liked Mozilla, but after even thinking about such a stupid change, I stop my donations to Mozilla right now.

    Reply

  40. Rene wrote on

    At our company, we not only use split-view DNS, we furthermore use the DNS-RPZ mechanism (sometimes called DNS firewall) to block malvertised domains, active malware and virus sites in real time. If this mechanism is automatically enabled at some point, not only will all sorts of things break and cause support issues on a scale that we cannot manage, but it will also actively reduce the security of our users.

    If you seriously consider switching this setting on by default in the future, please, prior to doing so, always poll some service record in the OS’ configured default DNS and in doing so give us tools to signal to the browser that the feature should not be activated at all, with at least a warning message displayed to the user. Document and publish how one creates this record AND coordinate this with all other browser vendors so that enterprises have a chance to prevent a support nightmare.

    I understand what this feature is trying to do and I also understand that a user can and must be able to manually override and activate this feature. But give us a chance to prevent mayhem here. It simply appears to me that not enough thought went into it so far, as split-view DNS is actually quite common and your detection attempt will not be able to catch that. (Hint: if http://www.company.name resolves differently from inside and from outside the company, but yields valid answers either way, you cannot decide properly what the correct course of action is.)

    Reply

  41. Kevin Burke wrote on

    I switched to Chromium after I noticed that Firefox was no longer respecting DNS entries in /etc/hosts, which I use to block sites like http://www.facebook.com and pubads.g.doubleclick.net.

    Please add instructions for how Firefox can continue respecting /etc/hosts entries.

    Reply

    1. wrote on

      Have you considered uMatrix? You could host the matrix file on e.g. github.com or gitlab.com. The extension is great because it blocks the traffic before name resolution even starts.

      Reply

  42. wrote on

    For any passersby who are thinking about throwing their baseless outrage on the pile, if you haven’t taken the time to read the agreement that Cloudflare has signed then read it over here: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

    Specifically, logged traffic is only kept for 24h, contains no personal information, and any permanent logs (essentially count of domain names) is anonymized.

    And if you’re still going to complain despite having read it, I’ll paste the final three paragraphs.

    “Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;

    Cloudflare will not combine the data that it collects from such queries, with any other Cloudflare or third party data in any way that can be used to identify individual end users; and

    Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla’s explicit written permission.”

    Reply
