Mozilla has announced plans to start rolling out DNS-over-HTTPS (DoH) by default to US users from the end of September, in a bid to improve cybersecurity across the web.
The Firefox browser-maker’s senior director of engineering, Selena Deckelmann, explained in a blog post that only a small percentage of users would see the new feature at first, while the changes are monitored.
DoH should in theory make the web safer and improve user privacy by encrypting DNS query traffic so that third parties cannot eavesdrop on a user’s connection and/or redirect them to phishing/malware sites via man-in-the-middle attacks.
However, because the connection becomes encrypted, concerns have been raised that it prevents ISPs from applying content filters requested by parents to protect their children’s browsing. Similarly, enterprise admins may find it interferes with their own network configurations.
To take account of this, Deckelmann said Mozilla plans to disable DoH if it detects opt-in parental controls, and to respect enterprise configuration unless DoH is explicitly enabled.
“Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH,” she explained. “Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that.”
Kevin Bocek, VP of security strategy & threat intelligence at Venafi, broadly welcomed the move as improving online security, adding that many privacy-conscious users already employ widely available DNS encryption services.
However, he argued that criticism of DoH for weakening ISPs’ ability to filter harmful material misses a potentially more concerning issue.
“Proposals to encrypt DNS as standard would mean all traffic on browsers that use it will bypass locally held DNS nameservers, and go straight to a central server under the control of Mozilla, Google or one of its peers,” Bocek explained.
“In effect, this gives these companies control over our search information and internet activity, which in turn gives them a greater level of control over the internet itself. So while these changes are a boost for online privacy advocates, the prospect of a small number of for-profit firms having such influence is worrying.”