New Firefox Proton update enables DNS over HTTPS by default and quietly

No notifications or warnings of any kind. Be careful.

If you update, check over Settings>Network Settings at the bottom of General tab
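Added example, not part of the original post: a small Python script that reads the `network.trr.mode` / `network.trr.uri` preferences Firefox writes to a profile's `prefs.js` and reports whether DoH (Mozilla's "TRR") is on, so the check can be scripted across a fleet instead of clicking through Settings > Network Settings. The mode meanings are Mozilla's documented values; the profile paths and the sample `prefs.js` are constructed assumptions. Note the caveat in `doh_status`: `prefs.js` only stores prefs that differ from the build default, so a missing `network.trr.mode` is "not set", not proof that DoH is off.

```python
import glob
import os
import re

# Meaning of Firefox's network.trr.mode values (TRR = Trusted Recursive
# Resolver, Mozilla's name for its DoH client), as documented by Mozilla.
# Values 1 and 4 are no longer used.
TRR_MODES = {
    0: "off (built-in default; Mozilla's regional rollout may still turn DoH on)",
    2: "DoH first, fall back to the OS resolver if the DoH lookup fails",
    3: "DoH only, never fall back to the OS resolver",
    5: "off, explicitly chosen by the user",
}

# One user_pref("name", value); line of prefs.js / user.js
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict with Python-typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def doh_status(prefs):
    """Summarise the DoH state from parsed prefs.

    prefs.js only records prefs that differ from the build default, so a
    missing network.trr.mode means 'default', not necessarily 'off': the
    rollout can enable DoH without the user touching any setting. Report it
    as unknown and confirm in about:config or Network Settings."""
    mode = prefs.get("network.trr.mode")
    resolver = prefs.get("network.trr.uri")
    if mode is None:
        return {"mode": None, "enabled": None, "resolver": resolver,
                "description": "not set (browser default; check about:config)"}
    return {"mode": mode, "enabled": mode in (2, 3), "resolver": resolver,
            "description": TRR_MODES.get(mode, "unknown mode value")}


def find_prefs_files():
    """Locate prefs.js in local Firefox profiles. The paths are assumptions
    for the default Linux, macOS and Windows profile locations."""
    home = os.path.expanduser("~")
    patterns = [
        os.path.join(home, ".mozilla", "firefox", "*", "prefs.js"),
        os.path.join(home, "Library", "Application Support", "Firefox",
                     "Profiles", "*", "prefs.js"),
        os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox",
                     "Profiles", "*", "prefs.js"),
    ]
    return [p for pat in patterns for p in glob.glob(pat)]


# Constructed sample prefs.js (not from a real profile): DoH enabled in
# mode 2 with Mozilla's Cloudflare endpoint.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.trr.custom_uri", "");
user_pref("browser.startup.homepage_override.mstone", "89.0");
"""

if __name__ == "__main__":
    print("sample:", doh_status(parse_prefs(SAMPLE_PREFS_JS)))
    for path in find_prefs_files():
        with open(path, encoding="utf-8") as f:
            print(path, doh_status(parse_prefs(f.read())))
```

To turn DoH off for good from the command line, the equivalent of choosing "Off" in the dialog is `network.trr.mode` = 5 in `user.js`; mode 0 just restores the default, which the rollout may override again.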

Can we have this discussion of encrypted DNSes? I am pretty much uneducated about DoH and its alternative/s (it's DNS over TLS, right?) and frankly, it feels like splitting hairs for some reason.

Is it something about the centralized DNS server (i.e. Cloudflare) getting control of the encryption or something like it? I mean apart from the usual fear of anything centralized/gatekeeping issues, etc. Am I wrong in thinking that Cloudflare (or insert any DNS, except Google's DNS) is reasonably private and secure?

It feels better than no encryption of sorts for the DNS query.

It’s not enabled by default, what package/platform are you talking about?

go to 2:00 for DoH info

Mozilla announced they’ll have it enabled by default in the U.S.

This video explains it in a more technical but still easy-to-follow way, and covers a couple of the main complaints about DNS over HTTPS.

DNS Encryption explained - DNS over TLS (DoT) & DNS over HTTPS (DoH)

Disclaimer: I’m not a network engineer and this is based on my own research. Some or all things I talk about here may be inaccurate or just plain wrong. Happy to learn from my mistakes, please do let me know.

In a nutshell, DNS is what allows computers to understand human-friendly names such as “”, “”, etc., and translate them into human-unfriendly numerical IP addresses needed to start the connection.

You may recall from a few years ago there was a strong push for adopting HTTPS. That is because HTTP is an old protocol that was not designed with security nor privacy in mind. HTTPS is the encrypted version of that protocol and addresses both issues related to security and privacy. It’s pretty much the same story with DNS.

Both “DNS over TLS” (DoT) and “DNS over HTTPS” (DoH) attempt to solve this problem with different approaches.

Unfortunately DNS over HTTPS creates new problems, precisely because it masks DNS queries as regular HTTPS connections effectively making them indistinguishable from regular traffic. While this is good for privacy and security it makes it harder for system administrators to create effective filters against known malware and phishing sites. This can be a problem in enterprise environments: imagine an employee that casually opens a link from his personal email that just so happened to make a connection to download some malware. That could cause a lot of trouble and cost a lot of money.

Another scenario where this can be an issue is if you have children but want to restrict what content they have access to. A lot of parental control settings and apps rely on DNS to restrict content, so DoH gets in the way of this.

In addition the effectiveness of encrypting DNS queries using either method for the sake of privacy has been overstated. For one, your ISP just needs to know where to send your connections. The internet is fundamentally public and there’s only so much you can hide away with encryption. This is to say that there are other factors involved when connecting to the internet than the domain name, so as it stands today encrypting DNS queries (at least over HTTPS) creates more problems than it solves.

As for centralization, even considering the DNS providers listed in, the number of servers out there that can decrypt DNS queries is rather small. Since the most popular ones are Google and Cloudflare, effectively there’d be a log created of connections from all over the world that would be controlled by these very few and mostly privacy-invasive companies.

To be fair Cloudflare’s privacy policy looks somewhat decent but this is a deal-breaker for me for something as sensitive as your every query:

If you are accessing or using our Application, you are agreeing to the transfer of your limited personal information described in Section 2 of this Application Privacy Policy to the United States and other jurisdictions in which we operate.

1 Like
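Added example, not from the post above or from Mozilla: the actual bytes behind "DoH masks DNS queries as regular HTTPS connections". The script builds a standard DNS wire-format query, shows the RFC 8484 GET form (the message, base64url-encoded, in a `dns=` query parameter on an ordinary `https://.../dns-query` URL over port 443) next to the DoT form (RFC 7858: the same message with the 2-byte TCP length prefix, sent over TLS to port 853), and parses a constructed response. The resolver URL is Cloudflare's public endpoint; the response bytes and the 192.0.2.1 address are constructed for the example. For `www.example.com` with transaction ID 0, the encoded query is the one RFC 8484 itself uses as its example.

```python
import base64
import struct


def encode_name(name):
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Build a DNS query (A record by default). RFC 8484 recommends ID 0 for
    DoH GETs so identical questions produce identical, cacheable requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, resolver_url):
    """RFC 8484 GET: base64url without '=' padding, in the 'dns' parameter.
    On the wire this is an ordinary TLS session to port 443, which is why a
    port-53 filter never sees it."""
    wire = build_query(name)
    enc = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + enc


def dot_frame(wire):
    """DoT (RFC 7858) sends the same message over TLS on port 853, with the
    2-byte length prefix DNS already uses over TCP. The port alone gives a
    filter something to match on; the content is still encrypted."""
    return struct.pack("!H", len(wire)) + wire


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_answers(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4                            # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample response (not captured traffic): answers the query above
# with 192.0.2.1 (an RFC 5737 documentation address), TTL 300, using a
# compression pointer back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("www.example.com", "https://cloudflare-dns.com/dns-query"))
    print(dot_frame(build_query("www.example.com")).hex())
    print(parse_a_answers(SAMPLE_RESPONSE))
```

The point the post makes about filtering follows directly from `doh_get_url`: the only unencrypted things an on-path filter sees are the resolver's IP and TLS SNI (`cloudflare-dns.com`), not the name being looked up, so blocking has to happen per resolver endpoint rather than per domain. That is also why a local `hosts` file is bypassed: the browser never asks the OS resolver at all.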

Interesting. Privacy focus is a discussion that can stand for home usage; at enterprise level they can use whatever they want, and with Windows GPO you can actually log everything :smiley:. It’s different with Linux or macOS; I’m not aware of an easy way to monitor such requests.
Unless you set a proxy for any connection that is not a local enterprise resource, but it’s gonna be slow… The proxy would be able to see your cleartext requests…

Instead, what an AV can do is different, but a good network filter will resolve the issue; it may only be a performance concern if you need to monitor all the ports, which by default is always disabled by pretty much every vendor.
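Added example, not from the post above: what "a good network filter" can actually key on when it cannot read the queries. Given connection records that carry the destination port and the TLS SNI (or, for plain DNS, the queried name), it flags sessions to the DoH hostnames of the resolvers Firefox ships or the thread mentions (Cloudflare, NextDNS, Google), any TLS session to port 853 (DoT), and port-53 lookups of `use-application-dns.net`, the canary name Firefox resolves before auto-enabling DoH (answering it NXDOMAIN keeps the rollout off, though it does not override a user who picked DoH explicitly). The log format and every line in `SAMPLE_LOG` are constructed; the host list is a seed, and a resolver not on it is exactly the blind spot the post is worried about.

```python
from collections import Counter

# Seed list of public DoH endpoints. A real deployment maintains this from a
# categorisation feed or blocks all unknown resolvers; anything missing here
# passes as ordinary HTTPS.
KNOWN_DOH_HOSTS = {
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.nextdns.io",
}
DOT_PORT = 853
# Firefox looks this name up on the normal resolver first; NXDOMAIN tells it
# not to auto-enable DoH on this network (explicit user settings still apply).
FIREFOX_CANARY = "use-application-dns.net"

# Constructed sample records, one per line (not real traffic):
# timestamp src dst dport proto sni_or_qname
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 192.0.2.10 198.51.100.1 443 tls mozilla.cloudflare-dns.com
2021-06-01T10:00:02Z 192.0.2.10 198.51.100.2 443 tls www.example.com
2021-06-01T10:00:03Z 192.0.2.11 198.51.100.3 853 tls resolver.example
2021-06-01T10:00:04Z 192.0.2.12 192.0.2.1 53 dns use-application-dns.net
2021-06-01T10:00:05Z 192.0.2.12 192.0.2.1 53 dns www.example.com
2021-06-01T10:00:06Z 192.0.2.13 198.51.100.4 443 tls dns.nextdns.io
"""


def classify(record):
    """Tag one record: 'doh', 'dot', 'firefox-canary-probe' or 'other'."""
    ts, src, dst, dport, proto, name = record.split()
    name = name.lower().rstrip(".")
    if proto == "tls" and int(dport) == DOT_PORT:
        return "dot"
    if proto == "tls" and name in KNOWN_DOH_HOSTS:
        return "doh"
    if proto == "dns" and name == FIREFOX_CANARY:
        return "firefox-canary-probe"
    return "other"


def summarize(log_text):
    """Count tags and list (tag, source, name) for every flagged record."""
    counts, flagged = Counter(), []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tag = classify(line)
        counts[tag] += 1
        if tag != "other":
            fields = line.split()
            flagged.append((tag, fields[1], fields[5]))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print(dict(counts))
    for tag, src, name in flagged:
        print("%-22s %-12s %s" % (tag, src, name))
```

SNI matching breaks once clients use Encrypted Client Hello, and a browser in mode 3 (DoH only) on a network that blocks the resolver simply fails to resolve rather than falling back, which is the support-ticket side of the same trade-off.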

For non-US users too?

Encrypted DNS or not?
It’s a choice between a rock and a hard place.
Let me offer you some out-of-the-box thinking:
Set up a local DNS resolver on a Raspberry Pi for a few bucks.

PS: Tor has a built-in resolver, and a VPN will (in most cases) replace
your current DNS resolver with its own. I’m not sure how DoT or DoH affect a VPN. The worst thing about DoH (not sure about DoT) is not honoring the hosts file.

This is a good thing and should be enabled by default as it benefits the vast majority. The enterprise argument is debatable at best, since they can still filter through things like Safe Browsing and client-side filters.

For anyone else who isn’t an enterprise admin, you should be enabling it without hesitation. It’s in a pretty good state right now, but Firefox could benefit by adding more DNS providers preinstalled, other than just Cloudflare and NextDNS. Perhaps create a small list and randomly choose, and/or occasionally swap between providers.

1 Like