Mozilla moves to enable DNS-over-HTTPS by default in Firefox

Firefox developers have announced the completion of testing of DNS over HTTPS (DoH) support and their intention to enable the technology by default for users in the US at the end of September. The rollout will be gradual: initially for a few percent of users and, if no problems arise, increasing step by step to 100%. Once the US is covered, enabling DoH in other countries will be considered.

Tests conducted over the past year showed the reliability and good performance of the service, and also identified situations in which DoH can cause problems, for which workarounds were developed (for example, problems with traffic optimization in content delivery networks, parental controls and internal corporate DNS zones were resolved).

Encrypting DNS traffic is regarded as a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but in the first stage only for users in the United States. After DoH is activated, a notice is shown to the user, who can, if desired, decline the use of centralized DoH servers and return to the traditional scheme of sending unencrypted queries to the ISP's DNS server (instead of a distributed infrastructure of DNS resolvers, DoH binds the client to a specific DoH service, which can be regarded as a single point of failure).

When DoH is activated, parental control systems and corporate networks that rely on an internal-only DNS namespace for resolving intranet addresses and corporate hosts can be disrupted. To address such systems, a set of checks has been added that automatically disables DoH. The checks are performed each time the browser starts or when a change of subnet is detected.

Automatic fallback to the operating system's standard resolver is also provided for failures during resolution via DoH (for example, loss of network connectivity to the DoH provider or failures in its infrastructure). The value of such checks is questionable, since nothing prevents attackers who control the resolver or can interfere with traffic from simulating this behaviour in order to disable DNS traffic encryption. This problem is addressed by adding a "DoH always" option to the settings (inactive by default); when it is set, automatic fallback is not applied, which is a reasonable compromise.

To identify enterprise resolvers, checks are made for atypical top-level domains (TLDs) and for whether the system resolver returns intranet addresses. To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com; if the result does not match the real IP address, adult content blocking at the DNS level is considered active. The IP addresses returned for Google and YouTube are also checked as indicators, to see whether they have been substituted with those of restrict.youtube.com, forcesafesearch.google.com and restrictmoderate.youtube.com. In addition, Mozilla proposes a single canary host, use-application-dns.net, which ISPs and parental control services can use as a flag to disable DoH (if the host cannot be resolved, Firefox disables DoH).
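The fallback checks described above (canary domain, parental-control and enterprise-resolver detection, and the "DoH always" override), modelled as an added example that is not Mozilla's code: the resolver is injected as a function so the logic runs offline against constructed lookup tables. The hostnames are those named in the article; every IP address, the TLD allowlist and the `wiki.corp` name are constructed placeholders.

```python
import ipaddress
from typing import Callable, List, Optional

# A resolver returns the A records for a name, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]
# Hostnames are those named in the article; every address below is a constructed placeholder.
ADULT_CANARY, ADULT_CANARY_REAL_IP = "exampleadultsite.com", "203.0.113.10"
SAFESEARCH_ADDRS = {"forcesafesearch.google.com": "203.0.113.20",
                    "restrict.youtube.com": "203.0.113.30",
                    "restrictmoderate.youtube.com": "203.0.113.31"}
DISABLE_CANARY = "use-application-dns.net"
PUBLIC_TLDS = {"com", "net", "org"}                       # constructed short allowlist
INTRANET_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parental_controls_detected(resolve: Resolver) -> bool:
    # Canary answer differs from its real address, or Google/YouTube answers were swapped for SafeSearch.
    answer = resolve(ADULT_CANARY)
    if answer is None or ADULT_CANARY_REAL_IP not in answer:
        return True
    for host in ("www.google.com", "www.youtube.com"):
        if set(resolve(host) or []) & set(SAFESEARCH_ADDRS.values()):
            return True
    return False

def enterprise_dns_detected(resolve: Resolver, hosts_seen: List[str]) -> bool:
    # A name with an atypical TLD resolves, or the system resolver returns intranet addresses.
    for host in hosts_seen:
        answer = resolve(host) or []
        atypical_tld = host.rsplit(".", 1)[-1] not in PUBLIC_TLDS
        intranet = any(ipaddress.ip_address(a) in n for a in answer for n in INTRANET_NETS)
        if answer and (atypical_tld or intranet):
            return True
    return False

def should_disable_doh(resolve: Resolver, hosts_seen: List[str], doh_always: bool = False) -> bool:
    # Run at startup or on subnet change; "DoH always" suppresses every automatic fallback.
    if doh_always:
        return False
    if resolve(DISABLE_CANARY) is None:        # operator opted out via the canary domain
        return True
    return parental_controls_detected(resolve) or enterprise_dns_detected(resolve, hosts_seen)

# Constructed lookup tables for different network situations (dict.get is a valid Resolver).
HOME_NET = {ADULT_CANARY: ["203.0.113.10"], DISABLE_CANARY: ["203.0.113.99"],
            "www.google.com": ["203.0.113.50"], "www.youtube.com": ["203.0.113.51"]}
FILTERED_NET = {**HOME_NET, ADULT_CANARY: ["192.0.2.1"]}           # canary sent to a block page
CORP_NET = {**HOME_NET, "wiki.corp": ["10.20.30.40"]}              # internal-only name, RFC 1918 answer
OPT_OUT_NET = {k: v for k, v in HOME_NET.items() if k != DISABLE_CANARY}
```

Note that the canary-based checks are exactly what the article calls questionable: anyone who controls the answers seen by `resolve` can make every one of them fire, which is why `doh_always` short-circuits them.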

Working through a single DoH service can also potentially cause problems with traffic optimization in content delivery networks that balance traffic via DNS (the CDN's DNS server generates a response that takes the resolver's address into account and returns the host closest to it for serving content). In such CDNs, a DNS query from the resolver nearest the user returns the address of the host nearest the user, but a query from a centralized resolver returns the host nearest the DNS-over-HTTPS server. Testing in practice showed that using DNS-over-HTTPS with a CDN caused practically no delay before content transfer began (on fast connections the delay did not exceed 10 milliseconds, and on slow links a speed-up was even observed). Using the EDNS Client Subnet extension to pass client location information to the CDN's resolver was also considered.

Recall that DoH can be useful for preventing leaks of information about requested host names through ISP DNS servers, for countering MITM attacks and DNS traffic spoofing, for resisting DNS-level blocking, or for operating when direct access to DNS servers is impossible (for example, when working through a proxy). Whereas DNS queries are normally sent directly to the DNS servers defined in the system configuration, with DoH the query to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, on which a resolver processes queries via a web API. The existing DNSSEC standard uses cryptography only for authentication, and neither protects traffic from interception nor guarantees the confidentiality of queries.

To enable DoH via about:config, change the value of the network.trr.mode setting, which has been supported since Firefox 60. A value of 0 disables DoH completely; 1 uses whichever of DNS or DoH responds faster; 2 uses DoH by default with DNS as a fallback; 3 uses only DoH; 4 is a mirroring mode in which DoH and DNS are used in parallel. Cloudflare's DNS server is used by default, but it can be changed via the network.trr.uri setting, for example to "https://dns.google.com/experimental" or "https://9.9.9.9/dns-query".

Source: opennet.ru