Firefox and DNS-over-HTTPS

2019-09-19 - News - Tony Finch

We are configuring our DNS to tell Firefox to continue to use the University's DNS servers, and not to switch to using Cloudflare's DNS servers instead.

Most of this article is background information explaining the rationale for this change. The last section below gives an outline of the implementation details.

Encrypted DNS

There is a widespread effort amongst software developers and network operators to improve DNS privacy. A major part of the work is to encrypt DNS traffic. The University's central DNS resolvers, rec.dns.cam.ac.uk, support encrypted DNS. Recent versions of Android automatically encrypt DNS when the network's DNS servers support DNS-over-TLS, and Firefox can be configured to encrypt its DNS traffic using DNS-over-HTTPS; our documentation for encrypted DNS explains more.

(We have also supported DNSSEC since 2009; DNSSEC is about DNS data authentication and integrity, but it does not provide encryption or privacy.)

DNS-over-HTTPS

DNS-over-HTTPS ("DoH") is a straightforward method for tunnelling DNS queries over HTTPS requests. In isolation it seems to be a ridiculously over-complicated way to encrypt DNS, but there are a couple of contexts where it makes some sense.

  • DoH allows applications running in restricted environments (e.g. JavaScript in a web browser) to make DNS queries when the only network requests they can make are some kind of HTTP. This was the main scenario discussed when the DoH specification was being prepared, but in practice almost nobody does this.

  • DoH allows you to make encrypted DNS queries when the network doesn't support encrypted DNS and/or blocks port 853 (DNS-over-TLS). This is the way DoH is being deployed in Firefox.

DoH in Firefox

The developers of Firefox are very keen to deploy encrypted DNS as quickly as they can. Their plan is that by default Firefox will use DoH to bypass the network provider's DNS servers and the operating system's DNS configuration and instead use Cloudflare's centralized DNS service. Firefox will start doing this for users in the USA later this month.

The benefits they see are that:

  • Your network provider won't be able to use their DNS server traffic to see which web sites you have visited, and sell that data to third parties.

  • Your network provider won't be able to redirect DNS answers to different places. (DNSSEC can also prevent that.)

  • Your network provider can't censor DNS to block access to sites.

  • Firefox can avoid very badly performing DNS servers, although DoH to Cloudflare is slower on average.

The Firefox developers trust Cloudflare's DNS not to misbehave in these ways.

Security bypass

Tunnelling DNS over HTTP(S) in this way is not a new idea. What is different is Firefox's plan to deploy it as a mass-market default. This has caused widespread consternation.

The DNS is a very convenient point of control for network security.

The discussion around Firefox's deployment of DoH has been remarkably bad-tempered. Part of the problem is that Firefox is removing a security mechanism without providing a replacement. Network providers and enterprises block malware and phishing on their DNS servers, and home users use software like Pi-Hole or custom hosts files to block malware and ads. Firefox's DoH implementation will stop these blocks from working.

There is also an awkward question about consent. Until now, network providers have relied on the user's sign-up agreement to give consent to the provider's overall approach to managing their network (DNS and everything else) as a bundle. Don't like it? Choose another provider. Firefox is using choice of software as implied consent to change the DNS configuration and bypass existing DNS-related security mechanisms.

More awkwardly, it isn't reasonable to expect the vast majority of people to make an informed choice about their DNS configuration or give meaningful consent to any changes. We can't demand that they spend time learning arcane details so they can understand the implications. Even the experts can't predict the consequences of Firefox's DoH deployment.

In an ideal world

To be honest, the DNS isn't a particularly good place to implement a security policy. For instance, a mobile device can bypass the University's DNS anti-phishing blocks by just switching from eduroam WiFi to 3G/4G cellular.

It would be better if your computer came with software that made it easy to subscribe to block lists, inspect them, edit them, and remove them if they are more annoying than useful. And if it were easy for network providers to publish block lists and make you aware of them. Then your anti-phishing / anti-malware / anti-spam protections would not depend on where you get your DNS from.

Browsers come with a Safe Browsing block list by default, but this is a proprietary Google service which others can't easily contribute to, and it isn't designed to be easily inspected.

Ad blocking software such as uBlock Origin allows you to subscribe to block lists but it isn't easy for network providers to offer their own custom lists.

But this isn't an ideal world, and at present DNS blocks are the most workable way to provide anti-phishing / anti-malware / anti-spam protections to lots of people.

Other DoH breakage

The most recent Firefox blog article about DoH mentions a few of the problems they have encountered with their DoH rollout:

  • Cloudflare's resolver can't see private DNS names or split-horizon DNS for private networks.

  • Parental controls are broken (along with other DNS blocks, but the article doesn't mention other reasons for blocking sites).

  • Managed devices on enterprise networks must not bypass the managed enterprise DNS.

The Firefox developers have decided that other issues are less important to them than encrypted DNS:

  • DoH to a distant Cloudflare DNS server is slower than plain DNS to a local DNS server, so on average DoH is slower.

  • Centralizing DNS on Cloudflare reduces the healthy diversity of the Internet.

  • Redirecting DNS queries to Cloudflare sends web browsing metadata outside the EU to an American company.

In Cambridge

To avoid problems with Firefox's implementation of DoH, network providers can tell Firefox to use the default DNS settings for the network and operating system. This is done by blocking DNS queries for use-application-dns.net.

The University's DNS blocks include use-application-dns.net. This will have no effect in the short term, because Firefox is not yet planning to roll out DoH in the UK, but we think it is worth deploying the change sooner rather than later.

This is regrettable because we would prefer more widespread use of encrypted DNS, but Firefox's default settings are too ham-fisted and problematic. They aren't giving us a nice way to tell Firefox to use our DoH service so all we can do is disable it by default and encourage enthusiastic users to configure it manually.
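The two DNS mechanics this article relies on are easy to see in code: how DoH (RFC 8484) wraps a DNS wire-format query inside an HTTPS GET request (the "DoH" section above), and how a resolver's answer for the canary name use-application-dns.net is read as the signal that tells Firefox to keep the network's DNS settings (the "In Cambridge" section). The script below is an added example written for this page; it is not the University's code, it uses only Python's standard library, the endpoint URL in it is a placeholder assumption, and the sample responses are constructed rather than captured from any real resolver. The rule that NXDOMAIN, or NOERROR with no A/AAAA record, counts as the canary "block" is taken from Mozilla's description of the canary domain, not from this article.

```python
# Added example, not from the original article. Demonstrates:
#   1. RFC 8484 DoH GET: the DNS wire-format query is base64url-encoded
#      (padding stripped) into the ?dns= parameter of the resolver's endpoint.
#   2. Canary interpretation: NXDOMAIN, or NOERROR with no A/AAAA records,
#      for use-application-dns.net is the response that disables DoH.
# The endpoint below is a placeholder assumption, not a real service.
import base64
import struct

QTYPE = {"A": 1, "AAAA": 28}
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
CANARY = "use-application-dns.net"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str) -> bytes:
    """Minimal DNS query. RFC 8484 recommends ID 0 for DoH GET requests so that
    identical queries yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question


def doh_get_url(endpoint: str, name: str, qtype: str = "A") -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns parameter."""
    wire = build_query(name, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def skip_name(msg: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) name in a DNS message."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return the rcode and the RR types present in the answer section."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4  # QTYPE + QCLASS
    answer_types = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        answer_types.append(rtype)
    return {"rcode": flags & 0x000F, "answer_types": answer_types}


def canary_disables_doh(response: bytes) -> bool:
    """True when the canary answer is one Firefox treats as a block."""
    parsed = parse_response(response)
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return True
    has_address = any(t in (QTYPE["A"], QTYPE["AAAA"]) for t in parsed["answer_types"])
    return parsed["rcode"] == RCODE_NOERROR and not has_address


def make_response(query: bytes, rcode: int, rdata: bytes = b"") -> bytes:
    """Constructed response: set QR/RA and rcode; optionally add one A record
    whose owner name is a compression pointer to the question name."""
    ident, _flags, qd, _an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180 | rcode  # QR, RD, RA + rcode
    answer = b""
    if rdata:
        answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE["A"], 1, 300, len(rdata)) + rdata
    an = 1 if rdata else 0
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar) + query[12:] + answer


# Constructed samples: a blocked canary (NXDOMAIN), an empty NOERROR, a normal answer.
BLOCKED = make_response(build_query(CANARY, "A"), RCODE_NXDOMAIN)
EMPTY = make_response(build_query(CANARY, "A"), RCODE_NOERROR)
ANSWERED = make_response(build_query(CANARY, "A"), RCODE_NOERROR, bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(doh_get_url("https://doh.example.net/dns-query", CANARY))
    print("NXDOMAIN     ->", canary_disables_doh(BLOCKED))
    print("empty answer ->", canary_disables_doh(EMPTY))
    print("A record     ->", canary_disables_doh(ANSWERED))
```

Running the script prints the DoH URL that a client would fetch for the canary name and the verdict for each constructed response. The same `canary_disables_doh` function can be pointed at a response captured from a resolver (for example one that has just had a canary block deployed) to confirm, from the wire format rather than from log output, that the answer is one Firefox will act on.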

Addendum (2019-10-01)

After we made this change, the Firefox developers announced that they have no plans to roll out DoH to Cloudflare as the default setting for users in the UK. However they are continuing to consult interested parties so the situation is still in flux.