OPLIN 4Cast #664: Is this new option from Mozilla actually better for privacy?

Posted in 4cast and privacy

A few years ago, a library was having trouble implementing Umbrella OpenDNS at a branch. The trouble, we discovered, was that the branch’s ISP was, unannounced, redirecting all DNS queries to its own servers. They may have been doing this for speed, convenience, or security, but it also gave them the ability to reassign names and redirect traffic, or to collect and sell customers’ internet activity.

Recently, Mozilla announced that the Firefox internet browser will soon begin using DNS-over-HTTPS, commonly abbreviated DoH; Google has similar plans for Chrome. DoH hides domain name lookups from your ISP or anyone else on your network, including public WiFi. But the increased privacy comes at a cost (disabling the use of DNS to block malware or manage other filtering policies and preferences), and commentators are ambivalent.

  • Google Unveils DNS-over-HTTPS (DoH) Plan, Mozilla’s Faces Criticism [BleepingComputer] “Mozilla is about to ‘break DNS’ because Cloudflare will be used for DNS resolution over what was assigned by system administrator. This will leak the names of all the websites you visit…to Cloudflare.”
  • Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month [Forbes] “Firefox will ‘fallback’ to ‘operating system defaults for DNS’ when there is a user-driven requirement—this would include child protection technology being in place or enterprise controls. So, essentially, if the browser is trying to limit which sites can be visited, Firefox will look to respect that and not override the system.”
  • Encrypted DNS Could Help Close the Biggest Privacy Gap on the Internet. Why Are Some Groups Fighting Against It? [Electronic Frontier Foundation] “EFF is very excited about the privacy protections that DoH will bring, especially since many Internet standards and infrastructure developers have pointed to unencrypted DNS queries as an excuse to delay turning on encryption elsewhere in the Internet. But as with any fundamental shift in the infrastructure of the Internet, DoH must be deployed in a way that respects the rights of the users.”
  • Web Browsers and DNS over HTTPS default [] “To protect your Umbrella deployment, Umbrella has now included DoH providers into the Proxy/Anonymizer content category. When this category is blocked, the browser will fail to resolve the hostname of the DoH server, and revert to standard system DNS where Umbrella is covering your DNS.”
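
The last item above describes the browser reverting to system DNS when the DoH server's hostname fails to resolve. The following is an added example, not code from the original post or from any vendor named in it, that checks whether a filtered resolver actually produces that outcome. The hostname list, function names, and sample addresses are assumptions for illustration.

```python
import socket

# Illustrative DoH endpoint hostnames (assumed list; extend it with the
# providers your filtering vendor documents).
DOH_HOSTS = ("mozilla.cloudflare-dns.com", "dns.google")


def system_lookup(host):
    """Resolve host through the OS resolver; empty set means no answer."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit_doh_blocking(lookup=system_lookup, hosts=DOH_HOSTS, sinkhole_ips=()):
    """Classify each DoH hostname as seen by the filtered resolver.

    'blocked'    -> no answer, or only block-page addresses: the browser
                    cannot look up the DoH server and reverts to system DNS.
    'resolvable' -> the browser can reach the DoH server, so its lookups
                    bypass DNS-based filtering.
    """
    sinkhole = set(sinkhole_ips)
    report = {}
    for host in hosts:
        addrs = set(lookup(host))
        blocked = not addrs or addrs <= sinkhole
        report[host] = "blocked" if blocked else "resolvable"
    return report


def bypassable(report):
    """Hostnames that still resolve, i.e. gaps in the DoH block."""
    return sorted(h for h, state in report.items() if state == "resolvable")


# Constructed resolver answers for an offline demonstration: one provider
# is sinkholed to a block page (192.0.2.1, documentation range), the other
# still resolves (198.51.100.7, also a documentation address).
SAMPLE_ANSWERS = {
    "mozilla.cloudflare-dns.com": {"192.0.2.1"},
    "dns.google": {"198.51.100.7"},
}

if __name__ == "__main__":
    demo = audit_doh_blocking(lambda h: SAMPLE_ANSWERS.get(h, set()),
                              sinkhole_ips={"192.0.2.1"})
    print(demo, bypassable(demo))
```

Calling `audit_doh_blocking()` with no arguments from a workstation behind the filter tests the live resolver; pass the filter's block-page addresses as `sinkhole_ips` if it answers blocked names with a landing page instead of a failure.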

From the Ohio Web Library: