Firefox and DNS-over-HTTPS

2020-02-27 - News - Tony Finch

The latest release of Firefox enables DoH (encrypted DNS-over-HTTPS) by default for users in the USA, with DNS provided by Cloudflare. This has triggered some discussion and questions, so here's a reminder of what we have done with DoH.

Precautionary block

Since September we have blocked, which tells Firefox not to use DoH by default. This is not strictly necessary, since Firefox does not plan to enable DoH for users in the EU and UK, but we set up the block when the Firefox policy seemed to be much more gung-ho, and we have left it in place.

We explained the reasons for blocking on our DNS blog when the block was set up in September. It's a tricky balance of several desirable but conflicting goals, and the outcome is not so great - see the blog for the gory details.

DoH for crypto nuts

Despite that, we are in favour of encrypted DNS and it has been supported on the University's central resolvers for well over a year.

We have instructions for setting up encrypted DNS lookups with Firefox and various DNS resolvers. As a bonus you can also enable encrypted server name indication (ESNI) to reduce information leaks during TLS connection setup.

The main caveat is that our resolvers are only available for use on the CUDN, so you will not be able to use this setup on highly mobile devices.

Other CUDN DNS servers

If you run your own DNS resolvers, there's no particular need to do anything about Firefox and DoH at this time.

If your resolvers forward queries to our central resolvers, then will already be blocked for you. If your server is set up as a stealth secondary, then the sample.named.conf guide includes instructions for subscribing to our DNS RPZ blocks.

Otherwise, it's still OK to leave things as they are, because Firefox is not doing DoH by default for us. (yet?)