Mozilla: Cloudflare doesn't pay us for any DoH traffic

Mozilla publishes FAQ document detailing its DNS-over-HTTPS implementation plans in greater detail.


Mozilla said today that "no money is being exchanged to route DNS requests to Cloudflare" as part of the DNS-over-HTTPS (DoH) feature that is currently being gradually enabled for Firefox users in the US.

The browser maker has been coming under heavy criticism lately for its partnership with Cloudflare.

Many detractors say that by using Cloudflare as the default DoH resolver for Firefox, Mozilla will help centralize a large chunk of DNS traffic on Cloudflare's service.

Critics of this decision include regular users, but also ISP-backed lobby groups, according to a recent report citing leaked documents.

Preparing for the DoH rollout in the US

Mozilla disclosed the fact that its Cloudflare partnership doesn't include a financial incentive in an FAQ page it published today, shared with ZDNet by a Firefox engineer.

The FAQ page was published to help users understand how the DoH feature works.

In the coming days, Firefox US users will see the following popup, asking them if they want to keep DoH enabled once Mozilla enables the feature inside Firefox, our source told us.

[Figure: the Firefox DoH notification popup. Image: Mozilla]

The DoH feature works by taking DNS queries made when users are trying to access a website inside Firefox, encrypting the DNS query, and sending it to a DoH DNS resolver, but disguised as regular-looking HTTPS traffic -- hence the name DNS-over-HTTPS.

Because the DNS query is both encrypted and hidden inside HTTPS (port 443, not port 53), the user's DNS queries are hidden from third-party observers, such as ISPs, security products, firewalls, and others.

Privacy advocates have raved about DoH, but networking and cybersecurity experts have raised multiple issues with the protocol, especially once Google also enables it in Chrome.

Mozilla addressed a large chunk of this criticism in the FAQ page it published today, such as:

  • Why Mozilla chose DoH instead of DoT (DNS-over-TLS), a similar protocol
  • How Mozilla plans to handle situations where DoH might bypass parental controls or enterprise security policies
  • Why it chose to support DoH even though SNI leaks reveal user traffic destinations anyway
  • DoH's impact on CDNs (content delivery networks), and more...

Other DoH resolvers to be added in the future, besides Cloudflare

But most importantly, the FAQ explains why Mozilla chose Cloudflare as its initial default DoH resolver and says that it plans to add other DoH resolvers in the future, as long as they adhere to the same requirements that Cloudflare agreed to.

These requirements include a series of rules about user privacy and security, including a clause that "explicitly forbids" DoH resolvers like Cloudflare from monetizing DoH data they receive from Firefox users.

"Cloudflare was able to meet the strict policy requirements that we currently have in place," Mozilla said. "These requirements are backed up in our legally-binding contract with Cloudflare and have been made public in a best in class privacy notice that documents those policies and provides transparency to users."

Whether this FAQ will be enough to silence the browser maker's critics remains to be seen, but, according to Mozilla, nobody is or will be making any money from Firefox's DoH integration.