Mozilla increases browser privacy with encrypted DNS
Mozilla is about to turn on-by-default an oft-overlooked privacy feature in Firefox. The desktop version of the browser will soon automatically encrypt your website requests using a feature called DNS-over-HTTPS (DoH), it said on Friday.
DoH lets browsers send Domain Name System (DNS) requests over the encrypted version of the HTTP protocol. DNS is the service that takes a human-readable name like nakedsecurity.sophos.com and turns it into an IP address a computer can use.
Your browser asks a DNS resolver for this information. In turn, the resolver asks several other DNS servers on your behalf. It then returns the IP address linked to that name so that a browser like Firefox can contact it to download web pages. Your DNS service provider is usually your ISP, but it doesn’t have to be. There are third-party commercial DNS services too.
The problem is that computers normally send DNS requests in the clear. That means an evil man-in-the-middle sniffing the Wi-Fi in your local coffee shop, or stationed on any of the computers between you and your DNS resolver, can meddle with your DNS. They can spy on it, to see what sites you’re visiting, or change it, to send you somewhere else.
The Internet Engineering Task Force (IETF) has worried about the privacy implications of DNS for years. In 2018, it attempted to solve them by introducing DoH. It handles all DNS queries over the HTTPS protocol, which is protected by TLS encryption. Not only does this encrypt DNS, but it also uses the same ports that handle HTTPS sessions, which are different from the ports used for DNS queries. That makes DoH requests look the same as regular HTTPS traffic and makes it impossible for ISPs to block the use of DoH without also blocking all web access.
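To make concrete what travels inside a DoH request, here is an added example (not Firefox's or Mozilla's code) that builds the same DNS wire-format query a browser would send for nakedsecurity.sophos.com, wraps it the way RFC 8484 describes (the query in the `dns` parameter of an HTTPS GET), and then parses a constructed resolver reply. Nothing is sent over the network: the resolver URL is a placeholder assumption, and the response is built locally so the whole thing runs offline. The point it illustrates is that DoH changes only the transport; the DNS message itself is unchanged, which is why the traffic blends in with ordinary HTTPS.

```python
import base64
import struct

# Assumed placeholder; the page does not name Firefox's default DoH resolver.
DOH_RESOLVER_URL = "https://doh.example.net/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a one-question DNS query (RFC 1035 wire format). qtype 1 = A record.
    RFC 8484 suggests txid 0 so identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD (recursion desired)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Form the RFC 8484 GET URL: the raw DNS message, base64url-encoded without padding.
    (The POST form instead sends the same bytes as a body with
    Content-Type: application/dns-message.)"""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at offset; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answers(msg: bytes) -> list[tuple[str, str]]:
    """Return (name, IPv4) pairs from the answer section of a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4  # qtype + qclass
    results = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            results.append((name, ".".join(str(b) for b in rdata)))
    return results


def constructed_response(query: bytes, ipv4: str) -> bytes:
    """Constructed sample reply (not a real lookup): what a resolver's
    application/dns-message body looks like when answering `query` with one A record."""
    txid = query[:2]
    question = query[12:]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # Name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ipv4.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("nakedsecurity.sophos.com")
    print("DoH GET URL:", doh_get_url(DOH_RESOLVER_URL, q))
    reply = constructed_response(q, "192.0.2.10")  # 192.0.2.0/24 is documentation space
    print("Parsed answers:", parse_answers(reply))
```

Run it and compare the printed URL with what a packet capture of the same lookup over plain DNS would show: the identical 42-byte message, only now it is the one thing in the HTTPS request an on-path observer cannot read.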
The desktop version of Firefox has provided DoH support since Firefox 62, but it was turned off by default. Mozilla had been experimenting with it before switching it on by default to make sure that it didn’t break anything such as parental control systems or the safe search capability on some search engines, like Google.