DNS-over-HTTPS will be enabled by default in Firefox for Canadian users

Firefox developers announced an expansion of DNS over HTTPS (DoH), which will be enabled by default for users in Canada (previously DoH was enabled by default only in the United States). The rollout for Canadian users is staged: on July 20, DoH will be activated for 1% of users in Canada, and if no unforeseen problems arise, coverage will be increased to 100% by the end of September.

The transition of Canadian Firefox users to DoH is being carried out with the participation of CIRA (Canadian Internet Registration Authority), which regulates the development of the Internet in Canada and is responsible for the "ca" top-level domain. CIRA has also joined the Trusted Recursive Resolver (TRR) program and is included among the DNS-over-HTTPS providers available in Firefox.

After DoH is activated, the user will be shown a warning that allows them to opt out of DoH and continue using the traditional scheme of sending unencrypted queries to the provider's DNS server. The DoH provider can be changed, or DoH disabled, in the network connection settings. In addition to the CIRA DoH servers, Cloudflare and NextDNS services can be selected.

The DoH providers offered in Firefox are selected according to the requirements for trusted DNS resolvers: the DNS operator may use data received for resolution only to keep the service running, must not store logs for more than 24 hours, must not transfer data to third parties, and must disclose its data processing practices. The service must also commit not to censor, filter, interfere with, or block DNS traffic, except as required by law.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN for bypassing blocking implemented at the DPI level), or for keeping name resolution working when DNS servers cannot be reached directly (for example, when working through a proxy). Normally, DNS requests are sent directly to the DNS servers defined in the system configuration; with DoH, the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.

Source: opennet.ru
