CyberWarfare / ExoWarfare

Mozilla’s DNS-over-HTTPS makes surfing safer, and improves performance

Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature

An industry group of internet service providers has branded Firefox browser maker Mozilla an “internet villain” for supporting a DNS security standard.

The U.K.’s Internet Services Providers’ Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to “bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”

Mozilla said late last year it was planning to test DNS-over-HTTPS to a small number of users.

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS.

By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead.

DNS-over-HTTPS also improves performance, making DNS queries — and the overall browsing experience — faster.

But the ISPA doesn’t think DNS-over-HTTPS is compatible with the U.K.’s current website blocking regime.

Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material or if they are deemed to contain terrorist material or child abuse imagery. In encrypting DNS queries, it’s claimed that it will make it more difficult for internet providers to filter their subscribers’ internet access.

The ISPA isn’t alone. U.K. spy agency GCHQ and the Internet Watch Foundation, which maintains the U.K.’s internet blocklist, have criticized the move to roll out encrypted DNS features to the browser.

The ISPA’s nomination quickly drew ire from the security community. Amid a backlash on social media, the ISPA doubled down on its position. “Bringing in DNS-over-HTTPS by default would be harmful for online safety, cybersecurity and consumer choice,” but said it encourages “further debate.”

One internet provider, Andrews & Arnold, donated £2,940 — around $3,670 — to Mozilla in support of the nonprofit. “The amount was chosen because that is what our fee for ISPA membership would have been, were we a member,” said a tweet from the company.

Mozilla spokesperson Justin O’Kelly told TechCrunch: “We’re surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure.”

“Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS-over-HTTPS (DoH) would offer real security benefits to UK citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that,” he said.

“We have no current plans to enable DNS-over-HTTPS by default in the U.K. However, we are currently exploring potential DNS-over-HTTPS partners in Europe to bring this important security feature to other Europeans more broadly,” he added.

Mozilla isn’t the first to roll out DNS-over-HTTPS. Last year Cloudflare released a mobile version of its privacy-focused DNS service to include DNS-over-HTTPS. Months earlier, Google-owned Jigsaw released its censorship-busting app Infra, which aimed to prevent DNS manipulation.

Mozilla has yet to set a date for the full release of DNS-over-HTTPS in Firefox.

Seit Firefox 60 beherrscht der Mozilla-Browser DNS over HTTPS.
Wenige Handgriffe schalten es ein.



How To Enable DNS-over-HTTPs on Firefox

Traditionally, DNS queries and responses are sent over the internet without encryption. This could very well lead to tracking and spoofing vulnerabilities that put users data at risk.

There are many servers in between your computer and DNS server. Information travels through these servers, called on-path routers, can be tracked and used to create a profile of you with a record of all the websites that you look up. And that data is valuable and can be sold to other companies with a lot of money.

What’s worse than tracking is spoofing. If any of these servers acts as a bad man in the middle, they can spoof you a wrong address for a site that could potentially steal your credentials instead.

So, what’s the solution?

For starters, make sure you are using a very good and reliable DNS server as the resolver. For example, Google’s Public DNS and Cloudflare’s extremely fast and privacy-minded

But that wouldn’t solve the issue of being tracked and potentially spoofed. You need to encrypt the data before handing them over to the DNS server. The answer to that is DNS-over-HTTPS.

However, no browsers supported this new protocol just yet but they are coming. For example, Mozilla has started to experimenting feature in its Firefox browser.

Manually configure DoH on Firefox

  1. Type about:config in the address bar in Firefox and press Enter.
  2. Type “network.trr” in the search box to narrow down the items.
  3. Change network.trr.mode to 2, and enter the DoH URL into network.trr.uri

There are two DoH compliant endpoints that are available now to use.

Photo credits to Mozilla