About a year ago we wrote a post on how Mozilla's new DNS resolution is dangerous. There has been lively and concerned discussion on this issue since then, and we had been hoping that Mozilla would make the right choice and not go down the wrong path, but our fear is becoming an impending reality: Mozilla announced on its blog that it will roll out DoH (DNS-over-HTTPS) in the US starting in late September. For all of us this is very bad on many levels; let's go through some of the points now.
Why is DoH bad?
DoH means that Firefox will concentrate all DNS traffic on Cloudflare, sending the traffic of all of its users to one entity. So what does that mean? It means people outside the US can now be fully tracked by the US government. Now some of you might wonder whether this is actually in line with the GDPR (the EU General Data Protection Regulation). It is indeed very questionable if DoH is rolled out as the default, since users do NOT opt in, but have to opt out.
If you are in the EU or Switzerland, you're probably already cringing at the idea of handing your privacy rights to somebody in the US. But does that mean DoH is only bad for non-US people?
No, it's bad for US citizens too. Because whether you trust Cloudflare or not, you'll end up directly supporting centralisation by using DoH in Firefox. Centralisation makes us depend on one big player, which results in fewer choices and less innovation. Centralisation affects everybody by creating a dangerous power and resource imbalance between the centre and the rest.
Applications don't manage the network
As people who have been working in internet security for over 20 years, we strongly believe that applications should not choose the DNS server. The operating system is designed to manage DNS and network settings for all applications. If other applications follow in the footsteps of Mozilla, nothing but chaos awaits us. Just imagine the mess if you get different DNS results in different applications. Or, one step further, imagine applications implementing their own IP stack, maybe with different addresses, routing, etc. The chaos would be a perfect Trump-made Internet.
A possibly good idea but very wrong approach
DoH and DoT (DNS over TLS) are in general good technologies, as they add encryption to an important process of daily life. However, the approach Mozilla takes is simply wrong. The correct way would be to standardise DoH and DoT and add support for them to automatic address configuration and to operating systems. Not to applications!
What Mozilla can do
It is clear what Mozilla needs to do: Mozilla can and should revert the change and allow users to easily opt in, and to select or enter the DoH provider instead of defaulting to Cloudflare. Mozilla can also take real responsibility, work together with the Internet community and create RFCs to make DHCPv4, DHCPv6 and Router Advertisements support DNS URLs instead of just IP addresses. Mozilla could also help develop support in the operating systems, if privacy were really a concern for Mozilla.
What you can do
So, what can we do here? There are in fact many things one can do. The first thing is voicing your concern, like we are doing right now. If you have a blog or any outlet that can reach others, write about this. Let others know the danger we're in so we can change it together.
Another effective way would be complaining directly to Mozilla: they are reachable via Twitter, Facebook, and IRC. If you are a software distribution, we absolutely recommend disabling DoH, following the good example of OpenBSD.
Another option is switching browsers away from Firefox, but honestly, we don't know to which. In terms of privacy we haven't found anything out there we can recommend to you. In fact, that's why this step by Mozilla concerns us so much - they have been the last resort for many of us.
How to turn off DoH in Firefox
To turn DoH off in your Firefox, go to Settings -> Network Settings and untick the "Enable DNS over HTTPS" checkbox.
Alternatively, go to about:config in the address bar, search for network.trr.mode and set it to 5.
It is basically the opposite of the process that ZDNet describes for turning it on.
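For anyone who has to check or enforce this across many profiles (a distribution, an admin, or just a careful user), here is a small added example that is not from the original post: it reads a profile's prefs.js, applies an optional user.js override the way Firefox does (user.js wins), and reports the effective network.trr.mode. The meanings of modes 2 and 3 are taken from Firefox's own documentation rather than from this post, and the sample prefs content is constructed.

```python
import re

# Matches Firefox pref lines such as:  user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js of a profile that has been switched to DoH
# (the resolver URL is a placeholder, not a real endpoint).
SAMPLE_PREFS = '''// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
'''

def parse_prefs(text: str) -> dict:
    """Map pref name -> raw value; a later line for the same name wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def trr_mode(prefs_js: str, user_js: str = "") -> int:
    """Effective network.trr.mode. user.js overrides prefs.js; absent means 0."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return int(merged.get("network.trr.mode", "0"))

def doh_state(mode: int) -> str:
    """Human-readable meaning of the mode (2/3 semantics per Firefox docs)."""
    return {
        0: "off by default (still eligible for Mozilla's rollout)",
        2: "on: DoH first, native resolver as fallback",
        3: "on: DoH only",
        5: "off: explicitly disabled by the user",
    }.get(mode, "unknown mode %d" % mode)

def disable_override() -> str:
    """The user.js line that pins DoH off, equivalent to the about:config step."""
    return 'user_pref("network.trr.mode", 5);\n'

if __name__ == "__main__":
    print("profile:", doh_state(trr_mode(SAMPLE_PREFS)))
    print("with override:", doh_state(trr_mode(SAMPLE_PREFS, disable_override())))
```

Writing the output of disable_override() into a profile's user.js makes the setting survive prefs.js being rewritten on exit, which is what you want when deploying this to many machines.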
Where to go from here?