Firefox began the rollout of encrypted DNS over HTTPS (DoH)

Topic

New Reply

Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users..

Firefox continues push to bring DNS over HTTPS by default for US users

Outside the US? you can switch on DNS over HTTPS manually.

Firefox > Preferences
Scroll down to Settings
Click the Settings… button
At the bottom, check Enable DNS over HTTPS
Optionally, use the pull-down menu to change the provider

3 users thanked author for this post.

Elly, Nathan Parker, Lars220

Reply | Quote

Replies

Have you noticed any positive difference during look up requests?

Reply | Quote

anonymous wrote:

Have you noticed any positive difference during look up requests?

I use Portable Firefox ESR that doesn’t have this option.
One positive point with DoH is that your ISP can’t track your surfing/URLs.

1 user thanked author for this post.

Elly

Reply | Quote

They can still track by IP.
URL tracking is always limited in an HTTPS  session because you only need one DNS lookup to go to a site and then it’s internal references. And the DNS results are cached locally so one DNS lookup may be accessed many times without the ISP knowing, apart from IP address.

cheers, Paul

Reply | Quote

If I’m reading things correctly then DoH is a good thing.  I’m wondering if this is the reason I see a lot of things happening at the bottom left of my FF browser.  To give you a for instance:  I click on my Askwoody bookmark and nothing comes up in the address bar, but down at the bottom left I see “Looking for Askwoody” followed by “Handshaking with Gravitar” and other things that flash by too quickly to read. By now Askwoody is in the address bar.

All this takes somewhere around 8 to 10 seconds and then the webpage comes up.  I’m not sure if DoH is responsible for this, but I never saw it prior to about 3 to 4 weeks ago.  Has anyone else noticed this or have any comments?

If it ain't broke, it soon will be, so be prepared.

Reply | Quote

Response times might be slower.

I don’t understand how Mozilla in their commit message can state it’s more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don’t trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to “work around using one protocol instead of multiple”. If you suffer from DNS poisoning, then pick better resolvers to use.

I don’t see a reason to implement this at this time. https is not meant to be used an an encapsulation protocol, despite people doing so.

2 users thanked author for this post.

Elly, Charlie

Reply | Quote

Been using DoH since it was introduced in FF here in the UK months ago, and if there is any slowdown, I can’t say i’ve noticed it. One plus is, it’s also far more difficult for your ISP to track your internet site visits.
Nice to get some internet privacy back..(OS dependant) well done Mozilla 🙂

| Quality over Quantity |

1 user thanked author for this post.

Charlie

Reply | Quote

I’ve been using DNS over HTTPS for a while (in Linux), thinking probably over a year on my Swift laptop, not just in the browser, but for all DNS resolution.  I haven’t noticed any latency change.  I don’t see how it would be any faster than standard DNS, but the increase in time to transmit the extra overhead can’t be much.

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
Dell G3 15/3579, i7-8750H/16GB, KDE Neon
Asus P8P67 Deluxe, i5-2500k/16GB, KDE Neon

Reply | Quote

I’ve been using DoH (Cloudfare – IPv6) for well over a year without issue. I’ve not noticed any performance impact.

You can also enable server name identification (SNI) encryption by typing “about:config” in the address bar and locating the setting:

network.security.esni.enabled

You can test your settings and browser security by visiting this Cloudfare test page:
Browsing Experience Security Check

You are not restricted to using Mozilla DoH servers. For example, the Mozilla Cloudfare server is “https://mozilla.cloudflare-dns.com/dns-query”, but you can use this “https://cloudflare-dns.com/dns-querythat”. Some other Doh providers can be found here:

1) Github wiki list (curl documentation)
2) AdGuard Known DNS Providers
3) Privacy Tools – Encrypted Domain Name System (DNS) Resolvers

CleanBrowsing also has 3 public DoH endpoints that provide filtering (family, adult, or security).

Microsoft is planning to include DoH in Windows 10 at some point. Note the Firefox implementation may not be suitable for enterprise use since it ignores whatever settings the admin may have set in the router(s) or at the adapter level.

Some argue that ISPs can still spy on you because they still know the IP address you’re visiting even if using DoH and ESNI. Knowing an IP address, however, isn’t as valuable as it once was since a single IP can map to multiple domains. I’m of the opinion that anything that makes life harder for those that wish to spy on me is a good thing.

2 users thanked author for this post.

Elly, Lars220

Reply | Quote

“DoH support is already present in all major browsers. Users just have to enable it and configure it.”

By Catalin Cimpanu for Zero Day | February 26, 2020

“Here’s how to enable DoH in each browser, ISPs be d***ed”

https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/

1 user thanked author for this post.

Elly

Reply | Quote

[Paul T]

Microfix wrote:

One plus is, it’s also far more difficult for your ISP to track your internet site visits

No it’s not, but it limits the tracking to IP addresses rather than URLs. And URL tracking via DNS is only ever the base domain, e.g. http://www.askwoody.com.

Your browser can and probably does track full URLs.

cheers, Paul

• This reply was modified 1 year, 9 months ago by Paul T.

1 user thanked author for this post.

Elly

Reply | Quote

FYI. There is a topic on Encrypted DNS (which is bot DoH and DoT) here

https://defensivecomputingchecklist.com/#dohdot

There are two ways to enable this in the Chrome browser, one that is straight forward and one that is not. I document the straightforward one.

FYI: Encrypted DNS is also available system-wide on Android 9 and 10.

If you want to see what DNS servers your browser is using, there are many tester pages listed here

https://routersecurity.org/testdns.php

We need this because DNS server can come from 1 of 4 sources (that I know of).

Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

2 users thanked author for this post.

AlexEiffel, Elly

Reply | Quote