who monitor their customers’ Internet usage and who track this kind of data for advertising purposes.
Although it will be more difficult for third parties to see DNS lookups with DoH enabled, the websites will still be visible to the DNS server Firefox connects to. For this reason, Mozilla is working with “trusted DNS providers”, specifically Cloudflare and NextDNS. Mozilla requires that a number of data protection measures be put in place for all their DoH providers in order to get this Mozilla “seal of approval”.
For some governments and companies, these measures go too far: the technology would undermine legitimate attempts by system administrators and lawmakers to block dangerous Internet content. Others, who applaud the idea, point to its limitations: DoH does not protect privacy on its own, because it encrypts only the DNS lookup, not the connection that follows. ISPs can still see the IP addresses their customers connect to and, on most connections today, the server name sent in the clear during the TLS handshake (SNI), so DoH merely makes casual tracking a little more difficult. And of course, you now have to “trust” Mozilla’s “trusted DNS partners”, who now have the hypothetical ability to bundle and sell your browsing habits.
As Lee Hutchinson, the Senior Technology Editor of Ars Technica, explains:
“I am of two minds on the privacy benefits of DoH/DoT, but my current feeling is that it’s not worth bothering with because the benefits don’t fit the common use cases.
On one hand, the idea of concealing your DNS lookups from your ISP feels like a positive one. Your ISP can still sniff your SNI requests and see where you’re browsing, so it doesn’t necessarily gain you any privacy, but it does at least make it more difficult for them to casually spy on you and aggregate your DNS lookups into a [sellable] package.
On the other hand, giving all of your DNS lookups to Cloudflare or NextDNS potentially allows Cloudflare or NextDNS to….casually spy on you and aggregate your DNS lookups into a [sellable] package. And your ISP can still see your SNI requests. So in a way, you’re potentially inviting more people to watch you, not fewer. […]
If you’re worried about protecting your internet activity from your ISP, the solution doesn’t appear to be to screw around with DoH/DoT. The solution is to use a VPN. (Which potentially creates other privacy problems, like now you have to trust your VPN provider.)”
Mozilla admits that DoH cannot stop data collection completely, but says it at least makes such collection significantly more difficult.
If you are in the United States, this feature is currently being rolled out by default. If you are outside the US, these easy steps will enable you to activate it in your browser:
In Firefox, click on the three horizontal lines in the top right and select Preferences . In the General tab, scroll down to the “Network Settings”. Click on Settings .
This will open “Network Settings” in a new window. Check the Enable DNS over HTTPS option . Then check whether Cloudflare is selected as the DNS provider. If so, click OK to close the window.
Restart Firefox. Firefox’s own DNS lookups now go to the chosen DoH resolver over HTTPS. Two caveats: the setting covers Firefox only, not other applications on the machine, and in its default mode Firefox falls back to the operating system’s plain DNS if the DoH resolver cannot be reached (setting network.trr.mode to 3 in about:config disables that fallback, at the cost of failing outright when the resolver is down).
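What the browser actually sends after you tick that box is an ordinary DNS message inside an HTTPS request, as RFC 8484 specifies. The following is an added example, written for this page rather than taken from Firefox: it builds a DNS wire-format query, packs it into the base64url `dns=` parameter of a DoH GET request, and parses a DoH response back into A records. The resolver URL is assumed to be the one behind Firefox’s Cloudflare option; the response bytes and the answer address are constructed inline so the example runs offline.

```python
import base64
import struct
from typing import List
from urllib.parse import parse_qs, urlparse

# Assumed to be the URL Firefox uses for its Cloudflare DoH option.
FIREFOX_CLOUDFLARE_DOH = "https://mozilla.cloudflare-dns.com/dns-query"


def encode_name(qname: str) -> bytes:
    """Encode a hostname as DNS labels (RFC 1035): example.com -> \\x07example\\x03com\\x00."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Plain DNS query message: header (RD=1, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(resolver_url: str, qname: str, qtype: int = 1) -> str:
    """RFC 8484 GET form: the query, base64url-encoded without padding, in `dns=`."""
    query = build_dns_query(qname, qtype, txid=0)   # ID 0 keeps identical queries cacheable
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={enc}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: recover the DNS wire message from the `dns` parameter."""
    enc = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        if length == 0:                # root label
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses from the answer section of a DNS response message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4             # QTYPE + QCLASS
    ips: List[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record
            ips.append(".".join(str(b) for b in rdata))
    return ips


def build_dns_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed resolver reply: echoes the question and adds one A record via a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR=1, RD=1, RA=1
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    url = doh_get_url(FIREFOX_CLOUDFLARE_DOH, "example.com")
    print("DoH GET:", url)
    # Constructed reply standing in for what the resolver would return over HTTPS.
    reply = build_dns_response(decode_dns_param(url), "192.0.2.10", 300)
    print("A records:", parse_a_records(reply))
```

The bytes inside the `dns=` parameter are exactly what would otherwise travel unencrypted on UDP port 53; DoH changes the transport, not the message, which is why the resolver at the other end still sees every name you look up.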
Given the limitations of the technology, for those of you particularly concerned about protecting the privacy of your web browsing, we strongly recommend using a VPN, either alongside the DNS encryption feature or instead of it. Just make sure you select a VPN provider you can trust, since the VPN provider then sees everything your ISP used to see.