• Firefox began the rollout of encrypted DNS over HTTPS (DoH)


    #2171099

    Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.

    https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/

    Outside the US? You can switch on DNS over HTTPS manually.

    Firefox > Preferences
    Scroll down to Settings
    Click the Settings… button
    At the bottom, check Enable DNS over HTTPS
    Optionally, use the pull-down menu to change the provider

    • #2171359

      Have you noticed any positive difference during look up requests?

    • #2171412

      Have you noticed any positive difference during look up requests?

      I use Portable Firefox ESR that doesn’t have this option.
      One positive point with DoH is that your ISP can’t track your surfing/URLs.

      • #2171452

        They can still track by IP.
        URL tracking is always limited in an HTTPS session because you only need one DNS lookup to go to a site and then its internal references. And the DNS results are cached locally so one DNS lookup may be accessed many times without the ISP knowing, apart from IP address.

        cheers, Paul

    • #2171645

      If I’m reading things correctly then DoH is a good thing.  I’m wondering if this is the reason I see a lot of things happening at the bottom left of my FF browser.  To give you a for instance:  I click on my Askwoody bookmark and nothing comes up in the address bar, but down at the bottom left I see “Looking for Askwoody” followed by “Handshaking with Gravitar” and other things that flash by too quickly to read. By now Askwoody is in the address bar.

      All this takes somewhere around 8 to 10 seconds and then the webpage comes up.  I’m not sure if DoH is responsible for this, but I never saw it prior to about 3 to 4 weeks ago.  Has anyone else noticed this or have any comments?

      Have you seen the price of Tums? It's enough to give you heartburn.
      • #2171666

        Response times might be slower.

        I don’t understand how Mozilla in their commit message can state it’s more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

        This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don’t trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to “work around using one protocol instead of multiple”. If you suffer from DNS poisoning, then pick better resolvers to use.

        I don’t see a reason to implement this at this time. https is not meant to be used as an encapsulation protocol, despite people doing so.

    • #2171651

      Been using DoH since it was introduced in FF here in the UK months ago, and if there is any slowdown, I can’t say I’ve noticed it. One plus is, it’s also far more difficult for your ISP to track your internet site visits.
      Nice to get some internet privacy back (OS dependent). Well done Mozilla 🙂

      Win8.1/R2 Hybrid lives on..
    • #2171699

      I’ve been using DNS over HTTPS for a while (in Linux), thinking probably over a year on my Swift laptop, not just in the browser, but for all DNS resolution.  I haven’t noticed any latency change.  I don’t see how it would be any faster than standard DNS, but the increase in time to transmit the extra overhead can’t be much.


      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
      XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon
      Acer Swift Go 14, i5-1335U/16GB, KDE Neon (and Win 11 for maintenance)

    • #2171725

      I’ve been using DoH (Cloudflare – IPv6) for well over a year without issue. I’ve not noticed any performance impact.

      You can also enable server name identification (SNI) encryption by typing “about:config” in the address bar and locating the setting:

      network.security.esni.enabled

      You can test your settings and browser security by visiting this Cloudflare test page:
      Browsing Experience Security Check

      You are not restricted to using Mozilla DoH servers. For example, the Mozilla Cloudflare server is “https://mozilla.cloudflare-dns.com/dns-query”, but you can use this: “https://cloudflare-dns.com/dns-query”. Some other DoH providers can be found here:

      1) Github wiki list (curl documentation)
      2) AdGuard Known DNS Providers
      3) Privacy Tools – Encrypted Domain Name System (DNS) Resolvers

      CleanBrowsing also has 3 public DoH endpoints that provide filtering (family, adult, or security).

      Microsoft is planning to include DoH in Windows 10 at some point. Note the Firefox implementation may not be suitable for enterprise use since it ignores whatever settings the admin may have set in the router(s) or at the adapter level.

      Some argue that ISPs can still spy on you because they still know the IP address you’re visiting even if using DoH and ESNI. Knowing an IP address, however, isn’t as valuable as it once was since a single IP can map to multiple domains. I’m of the opinion that anything that makes life harder for those that wish to spy on me is a good thing.

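      To make the GET form of a DoH query concrete (RFC 8484, the protocol behind the endpoints listed in the post above), here is an added Python example that is not from the thread, Mozilla or Cloudflare: it encodes a wire-format DNS question, builds the “?dns=” URL for the cloudflare-dns.com endpoint named above, and parses a constructed (not captured) reply. The query name is the whole resolver ever sees, which is why DNS-level tracking stops at the domain rather than the full URL.

```python
import base64
import struct

# The endpoint named in the thread above; assumed to implement RFC 8484.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

def build_query(name, qtype=1):
    """DNS wire-format query (RFC 1035): header plus one IN question.
    Transaction ID is fixed at 0 so identical questions give identical URLs
    (RFC 8484 recommends this so HTTP caches can serve repeat lookups)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: base64url wire query, padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def _skip_name(buf, off):
    while True:  # advance past a label sequence or a compression pointer
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += n + 1

def parse_a_answers(resp):
    """Return the IPv4 strings of the A records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def constructed_response(name, ip="192.0.2.1"):
    """Constructed sample reply (not real traffic): echoed question + one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return header + build_query(name)[12:] + answer
```

      Run doh_get_url("www.askwoody.com") to see the exact request a DoH client sends; the same bytes, sent in a POST body with content type application/dns-message, are the alternative form RFC 8484 allows.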
    • #2171853

      “DoH support is already present in all major browsers. Users just have to enable it and configure it.”

      By Catalin Cimpanu for Zero Day | February 26, 2020

      “Here’s how to enable DoH in each browser, ISPs be d***ed”

      https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/

      “Nothing is impossible. The word itself says ‘I’m possible!'” - Audrey Hepburn
    • #2171882

      One plus is, it’s also far more difficult for your ISP to track your internet site visits

      No it’s not, but it limits the tracking to IP addresses rather than URLs. And URL tracking via DNS is only ever the base domain, e.g. http://www.askwoody.com.

      Your browser can and probably does track full URLs.

      cheers, Paul

    • #2223803

      FYI. There is a topic on Encrypted DNS (which is both DoH and DoT) here

      https://defensivecomputingchecklist.com/#dohdot

      There are two ways to enable this in the Chrome browser, one that is straight forward and one that is not. I document the straightforward one.

      FYI: Encrypted DNS is also available system-wide on Android 9 and 10.

      If you want to see what DNS servers your browser is using, there are many tester pages listed here

      https://routersecurity.org/testdns.php

      We need this because the DNS server can come from 1 of 4 sources (that I know of).

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
