Recently Mozilla finalized their implementation of DNS over HTTPS in Firefox. This protocol would improve internet users’ privacy and security while using Firefox. A change in their implementation means that many of the privacy and security benefits of DNS over HTTPS go away for Firefox users.
A history of DNS over HTTPS
October 2018: RFC8484 was published by the IETF to describe the encrypted DNS System known as DNS over HTTPS.
February 2020: Mozilla announced the inclusion of DNS over HTTPS in Firefox to the general public and began the rollout.
What’s the issue with DNS over HTTPS?
A criticism of the DNS over HTTPS protocol is that it will break some software products that rely on the information sent in a DNS query to determine whether to allow or block a connection to a website. This affects certain educational institutions, corporations, and totalitarian governments.
Popular web filtering products will check each DNS query against an allow or deny list of websites. An encrypted protocol would break those products in their current form and prevent them from working properly.
The solution is to disable DNS over HTTPS on computers owned by the company. Any company computer could simply install a Firefox Enterprise Policy to disable the system while not affecting personal computers which are owned by private individuals. Mozilla’s finalized solution astounded me and goes against what I thought their values were.
What solution did Mozilla provide to network owners?
Mozilla added a simple test to decide whether to allow DNS over HTTPS. If an unencrypted query to
SERVFAIL then Firefox will disable the DNS over HTTPS system. Mozilla had the following to say on their support website about how this works:
In addition, Firefox will check for certain functions that might be affected if DoH is enabled, including:Mozilla Support https://support.mozilla.org/en-US/kb/firefox-dns-over-https
* Are parental controls enabled?
* Is the default DNS server filtering potentially malicious content?
* Is the device managed by an organization that might have a special DNS configuration?
If any of these tests determine that DoH might interfere with the function, DoH will not be enabled. These tests will run every time the device connects to a different network.
I hold issue with this approach. As far as I am aware, the user is not informed when DNS over HTTPS is disabled. This may give them a dangerous false sense of security. To add insult to injury, they are not offered a way to use DNS over HTTPS against a network owner’s wishes. I was unable to find an option under
about:config settings to toggle the test. I did notice that in
about:studies there is a DNS over HTTPS US Rollout study. Disabling this study might disable the test of whether to disable DNS over HTTPS. If this works, it is a temporary solution at best. Aside from compiling your own “fork” of Mozilla Firefox, it looks like you are forced to obey their decision. Since when did Mozilla get in the business of taking away the freedom of choice from internet users? I thought that was the job of giant corporations, not the non-profits which are supposed to be on your side.
What should Mozilla have done instead?
I believe that this issue could of been easily resolved by adding an option to Firefox Enterprise Profiles to disable the functionality. This would allow normal users to keep using and benefiting from DNS over HTTPS while corporate computers could be monitored. It is the most reasonable compromise and doesn’t undermine the privacy and security rights of Mozilla users.
How does Mozilla’s solution to corporate network owners affect the average internet user?
The solution Mozilla offered to corporate network owners feels draconian and has potentially chilling effects.
Any ISP or Government on demand could return
SERVFAIL to disable DNS over HTTPS. This could be used to target specific users (for example activists) by disabling the additional privacy & security benefits DNS over HTTPS offers them.
Anyone with the ability to intercept wireless network traffic could abuse this solution to disable Firefox’s DNS over HTTPS system, then continue the activities that internet users would otherwise be protected from.
Users are not given a warning message that their traffic may be tampered or spied on like they are if an HTTPS connection is tampered with. This goes against the premises of encrypting DNS queries. What is Mozilla doing about this?
Can an ISP disable DNS over HTTPS and continue selling your data?
It is unclear how much data Mozilla is collecting through their rollout study. If major ISPs choose to return
SERVFAIL on queries to
use-application-dns.net will Mozilla backtrack on their decision to allow DNS over HTTPS to be disabled by a network administrator? As net neutrality is no longer the law, there is nothing stopping them if they choose to do so.
From a technical standpoint, it currently looks like the answer is yes. Allowing ISPs to do disable the system can make it easier for them to sell your web browsing history. It is unclear if the ISPs will choose to override consumer choice.
I can imagine similar situations with a totalitarian government who uses DNS monitoring and tampering to censor the populous by ordering ISPs to block queries to
use-application-dns.net once this rolls outside the United States. If they have not taken proactive measures already.
From an ethical standpoint, will Mozilla do the right thing and backtrack once this becomes an issue?
You cannot make a security feature secure unless it protects all users unconditionally
Growing up I was and still am a very active user in information security and privacy technology communities. If there is one thing at all I have learned as a result of those experiences, it is that you cannot make a security feature secure unless it protects everyone unconditionally.
Mozilla’s implementation of DNS over HTTPS locks traffic from otherwise prying eyes but then publishes the master key allowing any entity to unlock the traffic at will. These actions may have chilling effects.
Imagine if the Tor Project modified Tor, an anti-censorship product, to allow easy blocking of connections to the network and stopped providing bridges. It would affect journalists and political dissidents around the world.
What other solutions exist?
Honestly, it hurts me to have to answer this question. I care about Mozilla, and the Firefox Community as a whole. I wouldn’t want anything to happen to it. If anything, I feel betrayed as a Firefox user and speaking out is the only way I believe change will occur.
There is not an easy replacement at this time. The closest thing I found was cloudflared, a command-line DNS over HTTPS client. As far as I’m aware, it does not disable itself to appease network administrators. If you are feeling up to the challenge, Cloudflare provides instructions to configure it.
I do not trust Mozilla’s implementation of the DNS over HTTPS protocol anymore. I was once a strong advocate for it and thought it would improve the internet for the better. Because of their implementation change I can no longer recommend Mozilla’s implementation of DNS over HTTPS. I feel disappointed and heartbroken because of their decision. What I thought would be Mozilla fighting alongside the Tor Project to stop censorship turned out to be false. I can only hope that Mozilla will change their decision and do what’s best for the Firefox Community.