But why are they choosing to do this now? And, furthermore,\nwhat is DNS over HTTPS and why should you care? We\u2019ll answer these questions\nand more, including what this rollout means for you and your organization.<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n No matter what you search for online \u2014 whether at home, at\nwork, or on-the-go on your personal device, there\u2019s a virtual trail that\u2019s\navailable to virtually anyone who knows how and where to look. With this in\nmind, Mozilla has been public about trying to increase the privacy of online queries.<\/p>\n\n\n\n In their announcement, Firefox reiterated the importance of\nsecuring the domain name system:<\/p>\n\n\n\n Because there is no encryption, other devices along the way might collect (or even block or change) this data too. <\/em>DNS lookups are sent to servers that can spy on your website browsing history<\/em><\/a> without either informing you or publishing a policy about what they do with that information.\u201d<\/em> <\/p>\n<\/blockquote>\n\n\n\n Now, they could choose to do this using DNS\nover HTTPS or by using DNS over TLS<\/a> (DoT). HTTPS stands for hypertext transfer\nprotocol secure and TLS stands for transport layer security. The difference\nhere would be the type of port that would be used for the transaction. For\nexample, DNS over HTTPS uses port 443 (the standard HTTPS port), whereas DNS\nover TLS uses port 853. Both are viable options, and frankly, many people are\nstill arguing about which method is necessarily better. <\/p>\n\n\n\n However, it appears that Mozilla has decided to roll with DoH instead of DoT<\/a>:<\/p>\n\n\n\n We chose DoH because we believe it is a better fit for our existing mature browser networking stack (which is focused on HTTP) and provides better support for future protocol features such as HTTP\/DNS multiplexing and QUIC.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n So, what this means now is that Mozilla is choosing to enable\nDoH automatically for any Firefox users with U.S. IP addresses. But when we\ntalk about DNS, what exactly are we talking about?<\/p>\n\n\n\n Before we can jump into the nitty-gritty of DNS over HTTPS, let\u2019s briefly review what DNS over UDP (user datagram protocol) is and how it works (in the most basic sense, at least). <\/p>\n\n\n\n Whenever you or one of your employees opens a web client (browser)\nand types in a specific website address, it\u2019s essentially making a plaintext DNS\nrequest to the DNS server to get the numerical IP address for that specific\nwebsite. IP addresses consist of four separate numbers that are up to three\ndigits in length (between 0 and 255) that are separated by periods (for\nexample, 123.123.123.123). In response to the client\u2019s DNS query, the DNS\nserver gets the IP address then sends a response to the client. After that, we\nleave the DNS system and the client connects to the web server via the\ntransmission control protocol (TCP) and HTTP protocol. <\/p>\n\n\n\n Traditionally, this DNS interaction is done through the user datagram protocol, which uses port number 53. UDP and TCP are both non-secure web protocols that are still used by some insecure websites that lack SSL\/TLS encryption. But this isn\u2019t a secure transaction, and here\u2019s why:<\/p>\n\n\n\n The path from the client to the server isn\u2019t exactly that\ndirect \u2014 there are plenty of other hands that the request passes through, such\nas your ISP, before a request reaches the server. However, since the request\nitself is in plaintext, it means that any of those other entities that\nintercepts the request \u2014 or that the message passes through on its way to the\nserver \u2014 can essentially read it.<\/p>\n\n\n\n Now, if you don\u2019t give a hoot about privacy, using the\ninsecure UDP protocol isn\u2019t going to bother you. However, if you\u2019re someone who\nvalues privacy, then DNS over UDP likely isn\u2019t for you. This is where DNS over\nHTTPS comes to the rescue. <\/p>\n\n\n\n In a nutshell, DNS over HTTPS is more secure than the\ntraditional DNS because it\u2019s using a secure, encrypted connection. Using DNS\nover HTTPS means that your ISP \u2014 and any of the other \u201chands\u201d that we mentioned\nearlier \u2014 won\u2019t be able to see certain aspects of the DNS lookup process\nbecause they\u2019ll be encrypted. <\/p>\n\n\n\n As you likely know, UDP has been around for quite a while in \u201cinternet\u201d time \u2014 basically since the mid-90s. But as far as web protocols go, DNS over HTTPS is actually relatively new. The Internet Engineering Task Force (IETF), the international standards body, recommended DNS over HTTPS as a standard back in October 2018 in its request for comments 8484 (RFC 8484)<\/a>. It works similarly to how traditional DNS over UDP works \u2014 it\u2019s just that it does so by encrypting the request by routing it through the HTTPS (the secure version of HTTP) using SSL\/TLS encryption. <\/p>\n\n\n\n My colleagues and I have repeatedly talked about the importance of using HTTPS to protect data<\/a> in transactions to the point that we look like Smurfs, so I\u2019m not going to rehash all of that here. But what I will say is that this move by Mozilla is a win overall for privacy advocates. <\/p>\n\n\n<\/span><\/span>\n\n\n\n In their announcement, Mozilla said that they\u2019ve partnered with Cloudflare as their primary \u201ctrusted recursive resolver<\/a>\u201d (TRR). Resolvers are what resolve domain name queries from users and send responses. So, by using a TRR, what this means is that Mozilla worked out policy requirements that Cloudflare as a TRR must satisfy concerning how data is collected and stored (among other things). <\/p>\n\n\n\n Essentially, Firefox\u2019s recent announcement of their move to\nDNS over HTTPS will involve: <\/p>\n\n\n\n So, by making U.S. users\u2019 DNS queries go through Cloudflare\u2019s\nDNS servers using HTTPS instead of UDP, it means that the domain name queries\nwill be resolved by a trusted entity, and that certain parts of DNS requests\nthemselves will be encrypted. <\/p>\n\n\n\n Remember the process we mentioned earlier about how DNS\nrequests work? Whenever your web browser makes one of those requests, the\nrequest passes through a lot of hands \u2014 but not all of them are necessarily\ngood or secure hands. This means that you have no idea whose hands that information\nwill pass through. So, by encrypting DNS requests, it helps to offer greater\nprotection to Firefox users. <\/p>\n\n\n\n Because DNS over HTTPS essentially encrypts the website\nconnection requests for users using the Firefox browser, it lends itself to\nhelping to increase security for your organization without hamstringing your IT\nsecurity team\u2019s abilities to monitor website network traffic.<\/p>\n\n\n\n In a general sense, DNS lookups via HTTPS essentially hides\nyour browsing history from prying eyes and prevents data from being collected\nby third parties. This can be particularly beneficial for users in countries where\ninternet access is limited or people accessing non-government sanctioned\nwebsites can result in imprisonment or jail. <\/p>\n\n\n\n Don\u2019t like the thought of someone spying in and reading your\nplaintext domain lookups? Then you\u2019ll be happy to know that DNS over HTTPS helps\nto prevent actors who may be hiding on your local network, public Wi-Fi, or\neven at the ISP level from seeing what sites you\u2019re connecting to and any\ninformation you share during the connection. This helps to minimize the risk of\nman-in-the-middle attackers from having a heyday at the expense of your\npersonal information. <\/p>\n\n\n\n DNS spoofing, or DNS server compromise (or DNS\npoisoning<\/a>), occurs when a bad guy (or is a non-trusted resolver) is\ninvolved in the communication between the client and the DNS server and changes\nthe response to a phony IP for the website. This re-directs users to fraudulent\nwebsites that appear to be the real thing, swapping out a legitimate link for\none that\u2019s a scam. <\/p>\n\n\n\n Now, just like how it is with any technology, DoH isn\u2019t\nperfect. While it is useful in trying to mitigate cybercrime through\neavesdropping and spoofing, it also could potentially make it more difficult to\nevade certain risks. For example, the <\/p>\n\n\n\n Here are a few of the potential drawbacks of DNS over HTTPS\nthat you should know:<\/p>\n\n\n\n If you or your organization relies on your DNS to block\nmalware or to carry out specific policies, such as blocking access to specific\nwebsites, then you\u2019ll likely not like what have to say next. That\u2019s because,\nwhen enabled, DoH will automatically bypass your local DNS resolver. There is good\nnews, though. Through your individual browser settings \u2014 or your enterprise policies\n\u2014 you can disable DoH. <\/p>\n\n\n\n Like we said,\nit\u2019s not perfect. When talking about the benefits of DoH, Mozilla also points\nout that one of the risks is that the DNS servers that will be handling the\nrequests will be able to see users\u2019 queries. But there is a catch \u2014 Cloudflare,\nalong with any other DoH partners \u2014 are strictly forbidden from collecting\npersonal identifying information (PII) about those users.<\/p>\n\n\n\n Firefox also reports that queries made via DNS over HTTPS could<\/em> be slower than those made over traditional DNS over HTTP \u2014 but that\u2019s not a guarantee. Of course, Mozilla was quick to say<\/a> that their own tests of this hypothesis indicate that \u201cDoH had minimal impact or clearly improved the total time it takes to get a response from the resolver and fetch a web page.\u201d<\/p>\n\n\n\n So, if you or your customers are in the U.S. and use\nFirefox, this implementation will affect any web individuals using Mozilla\u2019s\nbrowser by default once it rolls out\u2014 with just a couple of notable exceptions:\n<\/p>\n\n\n\n Mozilla said in a previous announcement about DNS over HTTPS<\/a> back in September 2019 that they\u2019ve disabled DoH by default in enterprise configurations to honor their configurations in Firefox. This means that as long as you\u2019ve set policies, the browser won\u2019t enable DoH in ways that will affect it. <\/p>\n\n\n\n For non-enterprise users, there\u2019s good news as well. Mozilla\nalso said they will \u201crespect user choice\u201d concerning opt-in parental controls.\nThis means that if Firefox detects such settings, it\u2019ll leave them alone and\nnot override them. <\/p>\n\n\n\n However, if you don\u2019t want to wait and wish to take\nadvantage of DoH now in Firefox, you can do so by simply enabling it manually. We\u2019ll\ntell you how to do so momentarily. <\/p>\n\n\n\n If you\u2019re outside the U.S. and don\u2019t use Firefox, this won\u2019t automatically affect you when using the browser. However, if you\u2019re outside the U.S. and don\u2019t want to feel left out \u2014 or if you\u2019re in a country with strict censorship and wish to obfuscate your DNS queries due to safety concerns \u2014 then no worries. You can manually enable DoH in your browser right now! <\/p>\n\n\n\n To enable DoH in Firefox, simply go to Options<\/strong> > General<\/strong>\n> Network Settings<\/strong> > and click on the Settings<\/strong> button\nthere. Once there, select the checkbox to enable DNS over HTTPS. <\/p>\n\n\n\n However, maybe rolling with DoH enabled just isn\u2019t for you. If\nyou wish to disable DoH, you can do so by going to Options<\/strong> > General<\/strong>\n> Network Settings<\/strong> and de-select DoH. <\/p>\n\n\n\n It really is that simple!<\/p>\n\n\n\n There are a lot of changes going on right now concerning data privacy and website security. Data privacy laws have been rolling out over the past few years \u2014 GDPR, CCPA<\/a>, NY\u2019s SHIELD Act<\/a>, etc. \u2014 and we recently told you about how Apple will no longer trust websites<\/a> using SSL\/TLS certificates with more than one-year validity. This move by Mozilla seems to be following suit with all of these changes for greater privacy and security. <\/p>\n\n\n<\/span><\/span>","protected":false},"excerpt":{"rendered":" Mozilla announced that the browser will automatically enable domain name system encryption for U.S. users \u2018over the next few weeks\u2019 to increase privacy & security On Feb. 25, Mozilla announced…<\/p>\n","protected":false},"author":17,"featured_media":12134,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130,17,10200],"tags":[9104],"class_list":["post-12133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","category-industry-lowdown","category-monthly-digest","tag-dns-over-https","post-with-tags"],"views":26634,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/03\/bigstock-223372084.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12133"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12134"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}DNS Over HTTPS: Why Firefox Is Encrypting DNS Requests<\/h2>\n\n\n\n
\n
\n
What the Domain Name System Is and How It Works <\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/03\/how-dns-request-works.png\")
<\/figure><\/div>\n\n\n\nHow Does \u201cDNS Over HTTPS\u201d Differ from Traditional DNS Requests<\/h2>\n\n\n\n
What Firefox Is Doing to Make DoH Possible<\/h2>\n\n\n\n
\n
The Benefits of DNS Over HTTPS<\/h2>\n\n\n\n
DoH Offers Greater Overall Privacy to Users Concerning Their Queries<\/h3>\n\n\n\n
DoH Mitigates Eavesdropping and MitM Attacks<\/h3>\n\n\n\n
DoH Minimizes the Chances of DNS Spoofing<\/h3>\n\n\n\n
The Drawbacks of DNS Over HTTPS<\/h2>\n\n\n\n
DoH Defaults to Bypassing Your Local DNS\nResolver<\/h3>\n\n\n\n
Trusted Recursive Resolvers Like Cloudflare\nWill See Your Queries<\/h3>\n\n\n\n
Queries Made via DoH May Result in Slower Response Times<\/h3>\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Slow-encryption.png\")
<\/figure>\n<\/div>\n\n\nHow DoH Will Affect You and Your Organization<\/h2>\n\n\n\n
What This Change Means for U.S. Firefox Users and Enterprises<\/h3>\n\n\n\n
Firefox Will Honor Enterprise Configurations<\/h3>\n\n\n\n
Firefox Won\u2019t Override Parental Controls<\/h3>\n\n\n\n
What This Change Means for Non-U.S. Firefox Users<\/h3>\n\n\n\n
Final Wrap Up<\/h2>\n\n\n\n