When you type an Internet address into your web browser's address bar, the request to reach that website is first sent to a DNS (Domain Name System) resolver, which translates the name into an IP address. This happens billions of times a day, in every web browser. And by default, none of it is encrypted. That is, until today, when Firefox launched a new feature that encrypts these requests by default in all US-based Firefox browsers.
Mozilla improves data protection
Mozilla wants to activate DNS over HTTPS (DoH), a new standard that encrypts a part of Internet traffic that is normally sent in plain text over an unencrypted connection. Because DNS lookups travel unencrypted, others can see which websites you visit, even if your communication with the website itself is encrypted using HTTPS. DoH encrypts these lookups to improve privacy. Among other things, Mozilla wants to hamper Internet Service Providers (ISPs) that monitor their customers' Internet usage and track this kind of data for advertising purposes.
Although it will be more difficult for third parties to see DNS lookups with DoH enabled, the websites will still be visible to the DNS server Firefox connects to. For this reason, Mozilla works with "trusted DNS providers", specifically Cloudflare and NextDNS, and requires that they put a number of data protection measures in place in order to earn Mozilla's "seal of approval".
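To make concrete what DoH does and does not encrypt, here is an added example in Python (not code from the original post, from Mozilla, or from any of the providers it names). It builds a DNS query in the RFC 1035 wire format, wraps it the way RFC 8484 specifies for DoH (the base64url GET form and the application/dns-message POST form), and parses a constructed response. The resolver URL https://doh.example/dns-query is a placeholder, as are the transaction ID and the 192.0.2.1 answer; substitute the endpoint your browser is actually configured with.

```python
import base64
import struct

# Placeholder resolver endpoint (the post names Cloudflare and NextDNS but no URL);
# replace with the DoH URL your browser is actually configured to use.
RESOLVER_URL = "https://doh.example/dns-query"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format) for `name`.

    These bytes are what classic DNS sends in clear UDP and what DoH instead
    carries inside an HTTPS request to the resolver.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS IN


def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """RFC 8484 GET form: the message is base64url-encoded without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(query: bytes, resolver_url: str = RESOLVER_URL) -> dict:
    """RFC 8484 POST form: raw message as the body with the DoH media type."""
    return {
        "method": "POST",
        "url": resolver_url,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": query,
    }


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "rcode": flags & 0x000F, "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        qname, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append((qname, qtype, qclass))
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        result["answers"].append((name, rtype, ttl, rdata))
    return result


# Constructed sample: the query for example.com and the response a resolver
# would return (same ID, QR/RD/RA set, question echoed, one A record).
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + SAMPLE_QUERY[12:]                       # question section, verbatim
    + b"\xc0\x0c"                             # NAME: pointer to the question name
    + struct.pack("!HHIH", 1, 1, 300, 4)      # TYPE A, CLASS IN, TTL 300, RDLENGTH 4
    + bytes([192, 0, 2, 1])                   # 192.0.2.1 (TEST-NET-1, constructed)
)

if __name__ == "__main__":
    print(doh_get_url(SAMPLE_QUERY))
    print(parse_response(SAMPLE_RESPONSE))
```

The bytes that classic DNS would send in a clear UDP datagram are exactly what DoH carries inside the TLS session to the resolver, so an observer on the path sees only the resolver's IP address and the resolver's hostname in the TLS handshake, not the name being looked up. The resolver itself still sees every query, which is why the post's point about having to trust the provider matters.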
Criticism from governments, companies and even privacy activists
For some governments and companies, these measures go too far: the technology would torpedo legitimate attempts by system administrators and lawmakers to block dangerous Internet content. Others, who applaud the idea, point to its limitations: DoH does not effectively protect privacy because the standard only encrypts one part of the DNS lookup process. In other words, ISPs can still see which IP addresses their customers connect to; DoH just makes it a little more difficult to do so. And of course, you now have to "trust" Mozilla's "trusted DNS partners", who have the hypothetical ability to bundle and sell your browsing habits.
As Lee Hutchinson, Senior Technology Editor at Ars Technica, explains:
“I am of two minds on the privacy benefits of DoH/DoT, but my current feeling is that it’s not worth bothering with because the benefits don’t fit the common use cases.
On one hand, the idea of concealing your DNS lookups from your ISP feels like a positive one. Your ISP can still sniff your SNI requests and see where you’re browsing, so it doesn’t necessarily gain you any privacy, but it does at least make it more difficult for them to casually spy on you and aggregate your DNS lookups into a [sellable] package.
On the other hand, giving all of your DNS lookups to Cloudflare or NextDNS potentially allows Cloudflare or NextDNS to… casually spy on you and aggregate your DNS lookups into a [sellable] package. And your ISP can still see your SNI requests. So in a way, you're potentially inviting more people to watch you, not fewer. […]
If you’re worried about protecting your internet activity from your ISP, the solution doesn’t appear to be to screw around with DoH/DoT. The solution is to use a VPN. (Which potentially creates other privacy problems, like now you have to trust your VPN provider.)”
Mozilla admits that DoH cannot stop data collection completely, but says it at least makes it significantly more difficult.
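Both the post and the Ars Technica quote above rely on one fact: even with DoH enabled, the TLS handshake to the website still carries the server name (SNI) in plain text, unless Encrypted Client Hello is in use, which the post does not cover. The following added example in Python (not from the original post or from Ars Technica) builds a minimal, constructed ClientHello and extracts the server_name extension from it, which is all a passive observer on the path needs in order to learn which site is being contacted; nothing is decrypted. Record layout follows RFC 5246 and RFC 6066; the hostnames doh.example and example.com and the 0x11 random filler are constructed.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-format ClientHello record with an SNI extension.

    Constructed for illustration only; a real browser sends far more fields.
    """
    host = server_name.encode("ascii")
    # server_name extension (RFC 6066 section 3): a ServerNameList with one host_name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + b"\x11" * 32                        # random (constructed filler)
        + b"\x00"                             # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes):
    """Return the host_name carried in a ClientHello record, or None if absent.

    This is the passive view an ISP or any on-path device has of an HTTPS
    connection's first packet; it does not decrypt anything.
    """
    try:
        if record[0] != 0x16:                      # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # skip version and random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        if pos >= len(body):
            return None                            # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            # ServerNameList: 2-byte list length, then (type, 2-byte len, name) entries
            p = 2
            while p + 3 <= len(edata):
                name_type = edata[p]
                name_len = struct.unpack("!H", edata[p + 1:p + 3])[0]
                if name_type == 0:
                    return edata[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                # truncated or malformed record


# Constructed flows: what the path sees after a DoH-enabled browser visits a site.
FLOWS = {
    "to resolver (DoH over TLS)": build_client_hello("doh.example"),
    "to website (HTTPS)": build_client_hello("example.com"),
    "application data (encrypted)": b"\x17\x03\x03\x00\x05hello",
}


def observed_hostnames(flows: dict) -> dict:
    """Map each flow to the hostname an on-path observer learns from it."""
    return {label: extract_sni(rec) for label, rec in flows.items()}


if __name__ == "__main__":
    for label, host in observed_hostnames(FLOWS).items():
        print(f"{label:32} -> {host}")
```

Run against the constructed flows, the DoH connection reveals only the resolver's name, while the connection to the website still reveals the site itself, which is the limitation the post and the quote describe. A VPN moves this observation point from the ISP to the VPN provider rather than removing it.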
How to activate this feature in Firefox
If you are in the United States, this feature is currently being rolled out by default. If you are outside the US, these easy steps will enable it in your browser:
In Firefox, click on the three horizontal lines in the top right and select Preferences. In the General tab, scroll down to "Network Settings" and click Settings.
This opens "Network Settings" in a new window. Check the Enable DNS over HTTPS option, then check that Cloudflare is selected as the DNS provider. If so, click OK to close the window.
Restart Firefox. All requests to the DNS service are now encrypted.
What else can you do?
Given the limitations of the technology, for those of you particularly concerned about protecting the privacy of your web browsing, we strongly recommend using a VPN, either alongside the DNS encryption feature or instead of it. Just make sure you select a VPN provider you can trust.