DNS-over-HTTPS (DoH) FAQs
Just getting started with DNS over HTTPS (DoH)? No need to worry! We have outlined a list of FAQs here that you may find helpful while getting up to speed with all that DoH has to offer. For additional information, see Firefox DNS-over-HTTPS.
How DNS over HTTPS works for Firefox users based in the US
Implementing DoH is part of our work to safeguard users from the pervasive online tracking of personal data. To do that, Mozilla requires all DNS providers that can be selected in Firefox to comply with our resolver policy through a legally-binding contract. These requirements place strict limits on the type of data that may be retained, what the provider can do with that data, and how long they may retain it. This strict policy is intended to protect users from providers being able to collect and monetize their data.
Will users be warned when this is enabled and offered an opt out?
Yes. A pop-up will be displayed and will not disappear until the user makes a decision about enabling or disabling DNS privacy protections.
Will users be able to disable DoH?
Yes, they can disable DoH from Options/Preferences > General > Network Settings. They can disable DoH and/or select their own DoH provider as explained here.
Can users opt out ahead of time?
How will DoH impact enterprises with custom DNS solutions?
We have made it easy for enterprises to disable this feature. In addition, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If you’re a system administrator who is interested in learning how to configure enterprise policies, please review the documentation here.
How will DoH impact parental controls?
We know that some ISPs use DNS to offer a parental control service that blocks adult content. Mozilla’s view is that DNS is not the best approach to parental controls, but we also don’t want to break existing services, so we check a series of canary domains before enabling DoH. If the responses for these domains indicate that parental controls are on, then we do not enable DoH. For additional information, see https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/.
Can’t networks just trigger the canary domain check all the time and disable DoH?
Yes. Canary domains are a compromise between protecting users from network attackers and not breaking existing deployments, and a network that can answer DNS queries can trigger them. We will be monitoring their use, investigating any incidents of abuse and looking at measures to contain those incidents.
Will DoH break Content Delivery Networks (CDNs)?
We are aware that some CDNs use DNS-based traffic steering that may be affected by DoH, because the CDN’s authoritative servers see the location of the DoH resolver rather than that of the user’s network. However, our measurements show that DoH page load times are competitive compared to ordinary DNS page load times. During and after the rollout period, we will be monitoring Firefox’s performance for regressions.
How does Firefox handle split-horizon DNS?
If Firefox fails to resolve a domain via DoH, it will fall back to the operating system’s resolver (ordinary DNS). This means that any domains that are only available on the ordinary DNS (because they aren’t public) will be resolved that way. If you have a domain that is publicly resolvable but resolves differently internally, the DoH resolver will return the public answer and no fallback occurs, so you should use enterprise settings to disable DoH.
Do you validate DNSSEC?
DNSSEC lets a validating resolver verify that DNS data is signed by the zone owner and has not been tampered with, but it does not encrypt DNS requests and responses. We have prioritized encryption of DNS using DoH to protect user privacy. We are considering implementation of DNSSEC validation in Firefox in the future.
Cloudflare performs DNSSEC validation on queries that Firefox sends to their DoH resolver. However, this does not ensure end-to-end integrity of DNS data: Firefox does not check the DNSSEC signatures itself, so integrity is protected only by the TLS connection between Firefox and the resolver, and Firefox must trust the resolver to have validated correctly. We are currently rolling out DoH in "fallback mode", which means that any error returned by the Cloudflare resolver, such as a SERVFAIL caused by a DNSSEC validation failure, will cause Firefox to retry the query using the operating system resolver instead of returning an error to the user.
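The three behaviours described in the questions above (the canary-domain check that lets a network say "do not enable DoH", fallback to the operating system resolver for split-horizon or internal-only names, and fallback on a resolver error such as a DNSSEC validation failure) all turn on inspecting DNS messages. The script below is an added example written for this page; it is not Mozilla’s or Cloudflare’s code. It builds an RFC 8484 GET query, parses RFC 1035 wire-format responses (including compression pointers), and applies the decisions the FAQ describes. Assumptions not stated on this page: the resolver URL doh.example.net is hypothetical; use-application-dns.net is the network canary Mozilla documents; all responses are constructed locally so the script runs offline. Provider-specific parental-control canaries are not listed on this page and are omitted.

```python
"""Firefox-style DoH plumbing: RFC 8484 GET encoding, RFC 1035 wire parsing,
canary-domain check and "fallback mode" resolution.

Added example, not Mozilla's or Cloudflare's code. Assumptions: doh.example.net
is a hypothetical resolver; use-application-dns.net is the network canary
Mozilla documents (not named on the FAQ page); every response here is
constructed locally so the script runs offline.
"""
import base64
import struct
from typing import Dict, List, Optional

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, CLASS_IN = 1, 1
CANARY_DOMAIN = "use-application-dns.net"  # Mozilla's documented network canary


def encode_name(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    # txid 0 and RD=1: RFC 8484 recommends a fixed ID so identical queries share an HTTP cache entry
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding stripped."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> Dict:
    """Return the RCODE, the AD bit (resolver claims DNSSEC-validated data) and A-record answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers: List[str] = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def build_response(query: bytes, rcode: int, addrs=(), ad: bool = False) -> bytes:
    """Constructed test response: echoes the question; answer names point at it via 0xC00C."""
    flags = 0x8180 | rcode | (0x0020 if ad else 0)  # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes(int(x) for x in a.split(".")) for a in addrs)
    return header + query[12:] + rrs


def doh_allowed_by_network(canary_response: Optional[bytes]) -> bool:
    """The canary, looked up through the OS resolver, must answer NOERROR with an address.
    NXDOMAIN, NOERROR with no answers, or a failed lookup all mean 'do not enable DoH'."""
    if canary_response is None:
        return False
    try:
        parsed = parse_response(canary_response)
    except (ValueError, IndexError, struct.error):
        return False
    return parsed["rcode"] == RCODE_NOERROR and bool(parsed["answers"])


def resolve_with_fallback(name: str, doh_response: Optional[bytes], os_resolver: Dict[str, List[str]]) -> Dict:
    """Fallback mode as the FAQ describes it: keep the DoH answer only when it succeeds.
    SERVFAIL (e.g. DNSSEC failure at the resolver), NXDOMAIN for an internal-only name,
    a transport error (None) or a malformed reply all retry through the OS resolver."""
    if doh_response is not None:
        try:
            parsed = parse_response(doh_response)
            if parsed["rcode"] == RCODE_NOERROR and parsed["answers"]:
                return {"source": "doh", "ad": parsed["ad"], "answers": parsed["answers"]}
        except (ValueError, IndexError, struct.error):
            pass
    return {"source": "os", "ad": False, "answers": os_resolver.get(name, [])}


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.net/dns-query", q))
    os_dns = {"intranet.corp.example": ["10.1.2.3"]}  # constructed view of the OS resolver
    print(resolve_with_fallback("example.com", build_response(q, RCODE_SERVFAIL), os_dns))
    iq = build_query("intranet.corp.example")
    print(resolve_with_fallback("intranet.corp.example", build_response(iq, RCODE_NXDOMAIN), os_dns))
    print(doh_allowed_by_network(build_response(build_query(CANARY_DOMAIN), RCODE_NXDOMAIN)))
```

Two points the code makes concrete: the AD bit in a DoH response is only the resolver's assertion, so `resolve_with_fallback` reports it but nothing in the client verifies it, which is exactly the trust-the-resolver gap the previous answer describes; and because a SERVFAIL and an NXDOMAIN both route to the OS resolver, an on-path attacker who can make the DoH connection fail gets plaintext DNS back, which is why fallback mode trades some security for deployability.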
DNS over HTTPS partnerships
What resolver will Firefox be using?
Our initial launch, which is only in the US, designates Cloudflare as the default resolver. We are in active discussions with other providers about joining our Trusted Recursive Resolver program, which requires compliance with our policy requirements regarding user privacy and security. We expect to add more providers to our Trusted Recursive Resolver program. Additionally, our vision is for DoH to be universally adopted and supported by all DNS resolvers.
How did Mozilla choose Cloudflare as a trusted resolver?
Cloudflare was able to meet the strict policy requirements that we currently have in place. These requirements are backed up in our legally-binding contract with Cloudflare and have been made public in a best-in-class privacy notice that documents those policies and provides transparency to users.
Is Mozilla getting paid to route DNS requests to Cloudflare?
No money is being exchanged to route DNS requests to Cloudflare.
Does Mozilla or Cloudflare monetize this data?
No, our policy explicitly forbids monetizing this data. Our goal with this feature is to provide important privacy protections to our users and to make it harder for existing DNS resolvers to monetize users’ DNS data.
More about Firefox's implementation of DNS over HTTPS
What is your rollout schedule?
We will be starting a gradual rollout in October 2019 in the US only. This means that we will start with a small user population and then gradually roll out to all users while checking for problems as we go. See https://bugzilla.mozilla.org/show_bug.cgi?id=1573840 for additional details about the rollout.
Are you rolling this default out in Europe?
As part of our continuing strategy to carefully measure the benefits and impact of DoH, we are currently focused on releasing this feature in the US only.
Why is Firefox implementing DoH and not DoT?
The IETF has standardized two DNS over secure transport protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These two protocols have broadly similar security and privacy properties. We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP/DNS multiplexing and QUIC.
Is DoT easier for network operators to detect and block?
Yes, but we don’t think that this is an advantage. Firefox provides mechanisms for network operators to signal that they have legitimate reasons for DoH to be disabled. We do not believe that blocking the connection to the resolver is an appropriate response.
Doesn’t the Server Name Indication (SNI) leak domain names anyway?
Yes. Not every domain name is leaked through SNI, but we are concerned about SNI leaks and have started working on Encrypted SNI.