Firefox Developers about enabling DNS over HTTPS (DoH, DNS over HTTPS) by default for US users. Encryption of DNS traffic is seen as a fundamental factor in protecting users. Starting today, all new installations made by US users have DoH enabled by default. Existing US users are scheduled to switch to DoH within a few weeks. In the EU and other countries, activate DoH by default for now .
After activating DoH, a warning is displayed to the user, which allows, if desired, to refuse to contact centralized DoH DNS servers and return to the traditional scheme of sending unencrypted requests to the provider's DNS server. Instead of a distributed infrastructure of DNS resolvers, DoH uses a binding to a specific DoH service, which can be considered as a single point of failure. Currently, it is offered to work through two DNS providers - CloudFlare (by default) and .
Change provider or disable DoH in the network connection settings. For example, you can specify an alternative DoH server "https://dns.google/dns-query" to access Google servers, "https://dns.quad9.net/dns-query" - Quad9 and "https://doh .opendns.com/dns-query" - OpenDNS. About:config also provides the network.trr.mode setting, through which you can change the DoH operation mode: a value of 0 disables DoH completely; 1 - DNS or DoH is used, whichever is faster; 2 - DoH is used by default, and DNS is used as a fallback; 3 - only DoH is used; 4 - mirroring mode in which DoH and DNS are used in parallel.
Recall that DoH can be useful for preventing leaks of information about requested host names through the DNS servers of providers, combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), countering blocking at the DNS level (DoH cannot replace VPN in the area of ββbypassing blocking implemented at the DPI level) or for organizing work in case it is impossible to directly access DNS servers (for example, when working through a proxy). While normally DNS requests are sent directly to the DNS servers defined in the system configuration, in the case of DoH, the request to determine the host IP address is encapsulated in HTTPS traffic and sent to the HTTP server, on which the resolver processes requests via the Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
For the selection of DoH providers offered in Firefox, the to trustworthy DNS resolvers, according to which the DNS operator can use the data received for resolving only to ensure the operation of the service, must not store logs for more than 24 hours, cannot transfer data to third parties, and is required to disclose information about data processing methods. The service must also commit not to censor, filter, interfere with, or block DNS traffic, except as required by law.
DoH should be used with caution. For example, in the Russian Federation, the IP addresses 104.16.248.249 and 104.16.249.249 associated with the Mozilla.cloudflare-dns.com DoH server offered by default in Firefox, Π² at the request of the Stavropol court dated 10.06.2013.
The application of DoH can also lead to problems in areas such as parental control systems, access to internal namespaces in corporate systems, route selection in content delivery optimization systems, and enforcement of court orders in the field of combating the distribution of illegal content and the exploitation of minors. To circumvent such problems, a system of checks has been implemented and tested that automatically disables DoH under certain conditions.
To identify enterprise resolvers, checks are made for atypical first-level domains (TLDs) and the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com and if the result does not match the actual IP, it is considered that adult content blocking is active at the DNS level. Google and YouTube IP addresses are also checked as indicators to see if they are spoofed as restrict.youtube.com, forcesafesearch.google.com, and restrictmoderate.youtube.com. These checks allow attackers who control the operation of the resolver or are able to interfere with traffic to simulate such behavior in order to disable encryption of DNS traffic.
Working through a single DoH service can also potentially lead to problems with traffic optimization in content delivery networks that perform traffic balancing using DNS (the DNS server of the CDN network generates a response, taking into account the address of the resolver and issues the nearest host to receive content). Sending a DNS query from the resolver closest to the user in such CDNs returns the address of the host closest to the user, but sending a DNS query from the centralized resolver will return the host address closest to the DNS-over-HTTPS server. Testing in practice showed that the use of DNS-over-HTTP when using a CDN practically did not lead to delays before the start of content transfer (for fast connections, delays did not exceed 10 milliseconds, and even acceleration was observed on slow communication channels). We also considered using the EDNS Client Subnet extension to pass the client location information to the CDN resolver.
Source: opennet.ru