Mozilla enables DoH by default for all Firefox users in the US

The rollout begins today and will continue over the next few weeks to confirm no major issues are discovered as DoH is enabled for Firefox's US-based users.

New Firefox logo

Image: Mozilla

Mozilla announced plans today to enable DNS-over-HTTPS (DoH) support for all Firefox users in the US.

Starting today, all new Firefox installs in the US will have DoH enabled by default, and Mozilla plans to silently enable the feature for existing US users in the coming weeks.

The only users who will not receive this update are those who specifically disabled DoH inside Firefox's settings panel.

What is DoH

DoH stands for DNS-over-HTTPS. It is not a new DNS protocol but a privacy-focused transport that carries ordinary DNS messages inside HTTPS, layered on top of the existing DNS ecosystem.

Normally, when a user types a domain name into the browser address bar, the browser asks a DNS resolver for the IP address of the server hosting that site.

The problem is that these queries travel unencrypted, so anyone on the path between the user and the resolver can read them in cleartext (and, unless DNSSEC is validated, tamper with them): internet service providers, network operators, and any other intermediate node.

Work on DNS-over-HTTPS began at the IETF in 2017, with Mozilla engineers among the specification's authors; it was standardized as RFC 8484 in October 2018, and Cloudflare was Mozilla's first resolver partner for the Firefox experiments that preceded today's rollout.

As designed, DoH works by having the browser build an ordinary DNS query and then send it as an HTTPS request to the resolver (conventionally at a /dns-query endpoint on port 443) instead of as a plain UDP packet on port 53. On the wire it looks like any other TLS connection the browser opens, so an observer on the path can neither read it nor pick it out from regular web traffic.

The DoH resolver terminates the TLS connection, reads the query, and answers it like any recursive resolver, which may mean sending conventional unencrypted DNS queries upstream to authoritative servers. Those upstream queries originate from the resolver's own IP address and are mixed in with every other user's, rather than coming from each individual user.

This model, simple in its design, keeps third parties on the path from reading DNS queries and linking them to a specific user. The trade-off is that the resolver operator now sees everything the ISP used to see, which is why Mozilla requires its default resolvers to meet its Trusted Recursive Resolver (TRR) policy on data retention and sharing.
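To make the exchange concrete, here is an added example (not Mozilla's or Cloudflare's code, and not from the original article) in Python that builds the DNS query a browser would send, encodes it in the two forms RFC 8484 defines (GET with a base64url `dns=` parameter, or POST with an `application/dns-message` body), and parses the resolver's answer. The resolver URL is a hypothetical placeholder and the response bytes are constructed inline, so nothing is sent over the network; the GET encoding it produces for www.example.com matches the worked example in RFC 8484 section 4.1.1.

```python
"""RFC 8484 DNS-over-HTTPS message encoding and response parsing, offline."""
import base64
import struct
import urllib.parse

# Hypothetical resolver endpoint (not a real service); nothing here
# touches the network, the functions only build and parse messages.
DOH_URL = "https://doh.example.invalid/dns-query"

QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name, qtype=QTYPE_A):
    """Encode a standard RFC 1035 query message in wire format.

    The transaction ID is 0, as RFC 8484 recommends for GET requests: the
    encoded query then becomes a stable URL that HTTP caches can reuse.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(base_url, query):
    """RFC 8484 GET form: the raw message, base64url-encoded with the '='
    padding removed, carried in the `dns` query parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if urllib.parse.urlparse(base_url).query else "?"
    return f"{base_url}{sep}dns={dns}"


def doh_post_request(base_url, query):
    """RFC 8484 POST form: the raw message is the body, and the
    application/dns-message media type is used on request and response."""
    return {
        "method": "POST",
        "url": base_url,
        "headers": {
            "Accept": "application/dns-message",
            "Content-Type": "application/dns-message",
        },
        "body": query,
    }


def _skip_name(msg, off):
    """Return the offset just past the name at `off`; a compression
    pointer (top two bits set) is two bytes and terminates the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response in wire format."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x0F, addrs


# Constructed sample response (not captured from a live resolver): QR/RD/RA
# flags, the echoed question, and one A answer whose owner name is a
# compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_dns_query("www.example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("GET ", doh_get_url(DOH_URL, q))
    print("POST", doh_post_request(DOH_URL, q)["headers"])
    print("parsed:", parse_a_records(SAMPLE_RESPONSE))
```

The GET form with a zero transaction ID yields a stable URL, which is what lets intermediate HTTP caches serve repeated queries; Firefox uses the POST form unless network.trr.useGET is set. Note that the bytes inside the HTTPS body are the same DNS message an ISP would otherwise read off port 53: DoH changes the transport, not the query, and the resolver that decrypts it sees every lookup in the clear.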

Gripes and praises

But ever since Mozilla and Cloudflare began working on DoH, there have been two major camps. One supported the protocol for the privacy improvements it brings; the other criticized it as a way for criminals and malware to evade detection and DNS-based filtering.

Supporters view DoH as a step forward for user privacy because it stops internet service providers (ISPs) from snooping on DNS traffic. ISPs have relied heavily on DNS monitoring for years: even when the web traffic itself is encrypted with HTTPS, DNS queries have stayed in cleartext and reveal which site a user is visiting.

By encrypting DNS queries, Firefox makes DNS-based tracking of its users far harder, something that ISPs, law enforcement, cyber-security firms, and some enterprise software makers have not... appreciated. It does not make the destination invisible, though: the ISP still sees the IP address the browser connects to and, in a standard TLS handshake, the plaintext server name (SNI), so DoH closes the DNS leak rather than every leak.

Many have pushed back, with varying degrees of success. The most concerted effort was in the UK, where an ISP association (ISPA UK) went as far as to nominate Mozilla for the title of 2019 Internet Villain over its work on DoH.

The ISPs warned that rolling out DoH would cripple the nationwide filtering system that UK ISPs and law enforcement use to block access to child abuse material and copyright-infringing domains. Mozilla's rollout does leave such networks an opt-out: if the network's resolver answers NXDOMAIN for the canary domain use-application-dns.net, Firefox disables DoH on that network, and it also falls back to the system resolver when it detects enterprise policies or parental controls.

Their lobbying was joined by law enforcement and the British government, and in the face of mounting pressure Mozilla gave in last July, announcing it would not enable DoH for UK users for the time being.

DoH sees widespread adoption

But while DoH critics rallied in the UK, and rallied early, they had far less success in other countries.

For example, a similar regulatory push by Comcast and a few US senators failed spectacularly last October, in part because the slide decks circulated to lawmakers misconstrued several technical aspects of DoH.

By the time ISPs rallied in the US, DoH had already seen widespread adoption, and the public had clearly embraced its benefits.

Today, all major browsers support DoH. Although you have to dig through each browser's settings to enable it, the feature is available in all of them, a big benefit for users who don't want to switch to Firefox.

Furthermore, even the mighty Microsoft announced plans to add support for DoH in future versions of Windows, the world's most popular operating system.

This is major news, as DoH support in Windows means users and system administrators will be able to manage DoH settings once, at the OS level, rather than maintaining dozens of separate per-browser and per-app settings.

Today Mozilla, DoH's primary pioneer, takes the first step toward enabling DoH by default, a well-earned milestone in a multi-year journey the browser maker set off on several years ago.

However, while this move applies to US users only, Firefox users living outside the US can also enable DoH on their own, and don't have to wait until Mozilla expands this policy to other countries.

They can do this in Firefox -> Options -> General -> Network Settings -> Settings -> Enable DNS over HTTPS. The same switch is exposed in about:config as network.trr.mode (2 = DoH first, with fallback to the system resolver; 3 = DoH only; 0 = off) together with the resolver URL in network.trr.uri, and administrators can set or lock it fleet-wide with the DNSOverHTTPS enterprise policy.

By default, Firefox uses a DoH resolver run and hosted by Cloudflare. NextDNS is offered as a second built-in option, and users can also enter a custom resolver URL if they wish. Publicly available DoH resolvers are listed here.
