
Mozilla still on track to enable DNS-over-HTTPS by default in Firefox


Karlston

Mozilla published a list of requirements that companies need to meet if they want to be included as Trusted Recursive Resolvers for Firefox's upcoming DNS-over-HTTPS feature.

 

DNS-over-HTTPS aims to improve user privacy, security and the reliability of connections by sending and receiving DNS information using HTTPS.

 

Mozilla ran a Shield study in 2018 to test the DNS-over-HTTPS implementation in Firefox Nightly versions. The organization selected Cloudflare as its partner for the study after Cloudflare agreed to Mozilla's requirements to not keep records or sell or transfer data to third parties.

 

Firefox users may configure DNS-over-HTTPS in the browser. Mozilla plans to make it the default in Firefox going forward; while that is beneficial overall, doing so comes with its own set of issues and concerns.

  • Firefox will use the feature for DNS-related activities and not the DNS configured on the computer. This means that local hosts files, resolvers, or custom DNS providers will be ignored.
  • The selection of Cloudflare as the first partner was controversial.

Mozilla plans to make DNS-over-HTTPS the default in the Firefox web browser. Firefox users may still disable the feature once Mozilla makes the switch from off to on though.

 


 

The organization wants to select a number of companies for use as Trusted Recursive Resolvers in the Firefox web browser. To address concerns in regards to privacy, Mozilla created a list of policies that these organizations need to conform to.

  • User data may only be retained for up to 24 hours and that needs to be done "for the purpose of operating the service".
  • Aggregate data may be kept for longer.
  • Personal information, IP addresses, user query patterns, or other data that may identify users may not be retained, sold, or transferred.
  • Data gathered from acting as a resolver may not be combined with other data that "can be used to identify individual users".
  • Rights to user data may not be sold, licensed, sublicensed or granted.
  • Resolver must support DNS Query Name Minimisation (to improve privacy, the resolver does not send the full original QNAME to the upstream name server).
  • The resolver must not "propagate unnecessary information about queries to authoritative name servers".
  • Organizations need a "public privacy notice specifically for the resolver service".
  • Organizations need to publish a transparency report "at least yearly".
  • The company that operates the resolver should not block or filter domains unless required by law.
  • Organizations need to maintain public documentation that lists all domains that are blocked and maintain a log that highlights when domains get added or removed.
  • The resolver needs to provide an "accurate NXDOMAIN response" when a domain cannot be resolved and not alter the response, e.g. redirect a user to alternative content.

Mozilla's system will be opt-out, which means that it is enabled by default for all Firefox users if Mozilla does not change that prior to integration in Firefox Stable.

 

Source: Mozilla still on track to enable DNS-over-HTTPS by default in Firefox (gHacks - Martin Brinkmann)
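
Added example, not part of the original post or the gHacks article: a small Python model of the QNAME minimisation requirement in the list above, showing which query name and type each upstream name server receives with and without it. The delegation chain (`ZONE_CUTS`), the sample name and the function names are constructed for illustration, and the one-label-at-a-time NS walk follows the general approach of RFC 7816 rather than any specific resolver's implementation.

```python
"""Model of what each upstream name server sees, with and without
QNAME minimisation. ZONE_CUTS is constructed sample data."""

ZONE_CUTS = [".", "org.", "example.org."]  # constructed delegation chain


def _labels(name):
    """'www.example.org.' -> ['www', 'example', 'org']; '.' -> []"""
    return [part for part in name.rstrip(".").split(".") if part]


def _join(labels):
    return ".".join(labels) + "." if labels else "."


def classic(qname, qtype, zones=ZONE_CUTS):
    """Without minimisation every server on the path gets the full QNAME."""
    full = _labels(qname)
    seen = []
    for zone in sorted(zones, key=lambda z: len(_labels(z))):
        zl = _labels(zone)
        if not zl or full[-len(zl):] == zl:
            seen.append((zone, _join(full), qtype))
    return seen


def minimised(qname, qtype, zones=ZONE_CUTS):
    """Reveal one more label per step, asking for NS until the last label."""
    full = _labels(qname)
    seen, zone = [], "."
    for n in range(1, len(full) + 1):
        partial = _join(full[-n:])
        final = n == len(full)
        seen.append((zone, partial, qtype if final else "NS"))
        if partial in zones:          # referral: continue at the child zone
            zone = partial
            if final:                 # QNAME is itself a zone apex
                seen.append((zone, partial, qtype))
    return seen


if __name__ == "__main__":
    for mode in (classic, minimised):
        print(mode.__name__)
        for zone, name, rrtype in mode("www.mail.example.org", "A"):
            print(f"  server for {zone:<13} sees {name} {rrtype}")
```

In this model only the servers for `example.org.` ever see the full name; the root and `org.` servers see just the next label they need to issue a referral.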

steven36

The problem is DNS over HTTPS leaks to Cloudflare your connections to non-Cloudflare sites, because it uses their DNS.

There are much better ones to use for DNS over HTTPS with no logging than Cloudflare.

Foundation for Applied Privacy

SecureDNS.eu

 

I will just disable it; I use my VPN's DNS most of the time.

I'm testing in Firefox now with Foundation for Applied Privacy.

Only this site picks up that I'm using it.

https://www.dnsleaktest.com/

 

ipleak.net still thinks I'm using my VPN DNS. :tooth:

DKT27

Should be made optional and should be asked during installation - default settings should be disabled though.
