Mozilla Introduces Third DNS-over-HTTPS Provider for Firefox

Mozilla has concluded an agreement with a third DNS-over-HTTPS (DoH) provider for Firefox. In addition to the previously offered Cloudflare DNS servers (https://1.1.1.1/dns-query) and NextDNS (https://dns.nextdns.io/id), the Comcast service (https://doh.xfinity.com/dns-query) will also be included in the settings. DoH can be activated, and the provider chosen, in the network connection settings.

Recall that Firefox 77 enabled a DNS-over-HTTPS test in which each client sent 10 test requests and a DoH provider was selected automatically. This check had to be disabled in release 77.0.1 because it turned into a kind of DDoS attack on the NextDNS service, which could not cope with the load.

The DoH providers offered in Firefox are selected according to requirements for trustworthy DNS resolvers: the DNS operator may use the data received during resolution only to keep the service operating, must not store logs for more than 24 hours, must not transfer data to third parties, and is required to disclose how it processes data. The service must also commit not to censor, filter, interfere with, or block DNS traffic, except as required by law.

Among other DNS-over-HTTPS news, Apple has decided to implement DNS-over-HTTPS and DNS-over-TLS support in the upcoming iOS 14 and macOS 11 releases and to add WebExtension support in Safari.

Recall that DoH can be useful for preventing leaks of information about requested host names through the provider's DNS servers, for combating MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for countering blocking at the DNS level (DoH cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for keeping things working when DNS servers cannot be reached directly (for example, when working through a proxy).

Normally, DNS requests are sent directly to the DNS servers defined in the system configuration; with DoH, the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The current DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests.
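As an added illustration (not code from the original article or from Mozilla), the following Python script shows the encapsulation described above: it builds a DNS query in wire format, posts it inside HTTPS as RFC 8484 specifies, and decodes the A records from the answer. The resolver URL defaults to the Cloudflare endpoint named in the article; the sample response bytes are constructed so the decoder can be exercised offline.

```python
import struct
import urllib.request

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode one DNS question in RFC 1035 wire format.
    RFC 8484 recommends transaction ID 0 so identical DoH queries cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name that ends in a 0 length byte or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer (RFC 1035 section 4.1.4)
            return off + 2
        off += 1 + length

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses from the answer section; raise on a DNS error."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE != NOERROR (e.g. NXDOMAIN, SERVFAIL)
        raise ValueError("DNS error, rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_resolve(name: str, url: str = "https://1.1.1.1/dns-query") -> list:
    """POST the wire-format query over HTTPS (RFC 8484) and decode the reply."""
    req = urllib.request.Request(url, data=build_dns_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample reply: NOERROR, one A record for example.com pointing at 93.184.216.34
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)          # QR=1, RD=1, RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
```

Running `doh_resolve("example.com")` performs a live lookup; `parse_a_records(SAMPLE_RESPONSE)` decodes the constructed reply without network access.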

Source: opennet.ru
