Google Unveils DNS-over-HTTPS (DoH) Plan, Mozilla’s Faces Criticism


Google has announced that it will soon run a trial of DNS-over-HTTPS (DoH) in the Google Chrome browser. The experiment will be conducted in Chrome 78 and will attempt to upgrade a user’s DNS server to its corresponding DoH server and, if one is available, use that for DNS resolution.

For those unfamiliar with DoH, it allows DNS resolution to be conducted over encrypted HTTPS connections rather than through the normal plain text DNS lookups.

Because some countries and ISPs block connections to sites by monitoring DNS traffic, DoH lets users bypass censorship and possible spoofing attacks, and it increases privacy, since their DNS requests cannot be monitored as easily.
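To make concrete what “DNS over encrypted HTTPS” means on the wire, here is an added example (not code from the article, Chrome or Firefox) that builds a DNS query in standard wire format, wraps it in an RFC 8484 DoH GET URL, and parses the A records out of a DoH response. The endpoint URL in the `__main__` block and the sample response bytes are assumptions and constructed data, not values from the article; the live lookup function needs network access and is not exercised offline.

```python
import base64
import struct
import urllib.request
from typing import List

# Added example: DNS wire-format query, RFC 8484 GET encoding, and response
# parsing. Endpoint URL and SAMPLE_RESPONSE are assumed/constructed values.


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query (RFC 1035 wire format).

    txid defaults to 0, as RFC 8484 recommends for GET requests, so that
    identical questions produce identical URLs that caches can reuse.
    """
    # Flags 0x0100: standard query with the recursion-desired bit set.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """Wrap a wire-format query as an RFC 8484 GET URL.

    The message is base64url-encoded with padding stripped, as the RFC
    requires, and carried in the "dns" query parameter.
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response message")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    addrs: List[str] = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve_over_doh(endpoint: str, name: str, timeout: float = 5.0) -> List[str]:
    """Live DoH lookup over HTTPS (needs network access; not run offline)."""
    req = urllib.request.Request(
        doh_get_url(endpoint, build_query(name)),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected content type {ctype!r} from DoH server")
        return parse_a_records(resp.read())


# Constructed sample response: example.com -> 192.0.2.1 (documentation range).
# Header says response, RD+RA, NOERROR; the answer name is a compression
# pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    # Assumed endpoint (a well-known public DoH server, not named on the page).
    print(doh_get_url("https://dns.google/dns-query", build_query("www.example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The point of the `Accept`/`Content-Type` check is that a DoH client talks to an ordinary HTTPS server: a middlebox or captive portal can answer the request with an HTML page, and the client must reject anything that is not `application/dns-message` rather than try to parse it as DNS.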

“As the name implies, the idea is to bring the key security and privacy benefits of HTTPS to DNS, which is how your browser is able to determine which server is hosting a given website. For example, when connected on a public WiFi, DoH would prevent other WiFi users from seeing which websites you visit, as well as prevent potential spoofing or pharming attacks.”

Experiment conducted in Chrome 78

For a small group of users running Chrome 78, which is the upcoming Beta build, Google will be running an experiment that checks if their DNS provider is part of a small list of known DoH-compatible providers. If a user’s DNS provider is part of the list, Chrome will automatically upgrade to that provider’s DoH server to perform DNS resolution.

On the other hand, if the user’s DNS provider is not on the list, Chrome will fall back to normal DNS resolution.

The list of DNS providers that will be upgraded as part of this test includes:

Cleanbrowsing
Cloudflare
DNS.SB
Google
OpenDNS
Quad9

This experiment will run on all supported platforms other than Linux and iOS. On Android 9 and later, if a user has configured a DNS-over-TLS provider, Chrome will use that instead and only use the ones from their list if there is an error.

By upgrading DNS resolution to DoH only when the user’s current DNS provider is supported, Google expects the user’s DNS resolution experience to stay the same.

By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work. If DoH fails, Chrome will revert to the provider’s regular DNS service. Opting out of the experiment will be possible from Chrome 78 by disabling the flag at chrome://flags/#dns-over-https.
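The upgrade-and-fallback policy described above (upgrade only when the configured resolver is on the list, prefer a user-configured DNS-over-TLS server where one exists, and revert to classic DNS if the encrypted path errors) can be modelled in a few dozen lines. The following is an added example, not Chrome’s implementation; the resolver-address-to-endpoint table is an assumption, since the article names the providers but not their addresses or DoH URLs, and the transports are constructed stand-ins so that the policy can be exercised without network access.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Added example modelling the article's upgrade-and-fallback policy.
# ASSUMED table: well-known public resolver addresses and DoH endpoints;
# none of these values come from the article.
DOH_UPGRADE_TABLE: Dict[str, str] = {
    "8.8.8.8": "https://dns.google/dns-query",          # Google (assumed)
    "8.8.4.4": "https://dns.google/dns-query",
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",  # Cloudflare (assumed)
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",       # Quad9 (assumed)
}

# A transport takes a hostname and returns addresses, or raises on failure.
Transport = Callable[[str], List[str]]


def doh_endpoint_for(configured_dns: str) -> Optional[str]:
    """Return the DoH endpoint that mirrors the configured resolver, if any.

    Only a resolver already on the list is upgraded, so whatever filtering
    or parental-control policy that provider applies keeps applying.
    """
    return DOH_UPGRADE_TABLE.get(configured_dns)


class UpgradingResolver:
    """Tries DoT (if the user configured it), then the upgraded DoH server,
    then the classic resolver, in that order, moving on at each error."""

    def __init__(
        self,
        configured_dns: str,
        classic: Transport,
        doh_factory: Callable[[str], Transport],
        dot: Optional[Transport] = None,
    ) -> None:
        self.classic = classic
        self.dot = dot
        endpoint = doh_endpoint_for(configured_dns)
        self.doh: Optional[Transport] = doh_factory(endpoint) if endpoint else None

    def resolve(self, name: str) -> Tuple[str, List[str]]:
        """Return (path_used, addresses) for the first path that succeeds."""
        attempts: List[Tuple[str, Transport]] = []
        if self.dot is not None:
            attempts.append(("dot", self.dot))
        if self.doh is not None:
            attempts.append(("doh", self.doh))
        attempts.append(("classic", self.classic))
        last_error: Optional[Exception] = None
        for label, transport in attempts:
            try:
                return label, transport(name)
            except Exception as exc:  # network error, bad content type, etc.
                last_error = exc
        raise RuntimeError("all resolution paths failed") from last_error


# Constructed stand-in transports (documentation-range addresses) so the
# policy can be run offline; a real deployment would plug in UDP/53, DoT
# and DoH clients here.
def make_fake_transports(doh_fails: bool) -> Tuple[Transport, Callable[[str], Transport]]:
    def classic(name: str) -> List[str]:
        return ["192.0.2.10"]

    def doh_factory(endpoint: str) -> Transport:
        def doh(name: str) -> List[str]:
            if doh_fails:
                raise ConnectionError(f"{endpoint} unreachable")
            return ["192.0.2.20"]
        return doh

    return classic, doh_factory


def demo(configured_dns: str, doh_fails: bool = False, dot_available: bool = False) -> Tuple[str, List[str]]:
    classic, doh_factory = make_fake_transports(doh_fails)
    dot: Optional[Transport] = (lambda name: ["192.0.2.30"]) if dot_available else None
    return UpgradingResolver(configured_dns, classic, doh_factory, dot).resolve("example.com")


if __name__ == "__main__":
    print(demo("8.8.8.8"))                     # upgraded to DoH
    print(demo("8.8.8.8", doh_fails=True))     # DoH error -> classic fallback
    print(demo("203.0.113.53"))                # unlisted resolver -> classic only
    print(demo("8.8.8.8", dot_available=True)) # user-configured DoT wins
```

Note the security trade-off the fallback encodes: an attacker who can make the DoH endpoint unreachable can push the client back to plaintext DNS, so a deployment that monitors for this should log which path each lookup actually used rather than assume the upgrade held.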

Mozilla, though, has different plans, which are being met with criticism.

Mozilla DoH plan receives criticism

Mozilla announced last week that they would be enabling DoH by default in the Firefox browser, but instead of trying to upgrade to a DoH server operated by the user’s DNS provider, they will use Cloudflare’s DoH servers instead.

This push to use Cloudflare’s DoH server rather than one from a user’s existing DNS provider has been met with criticism from Linux distribution maintainers and network administrators.

For example, OpenBSD developer Peter Hessler tweeted that OpenBSD has disabled DoH in their Firefox package in the current and future releases as “sending all DNS traffic to Cloudflare by default is not a good idea.”

OpenBSD Tweet

Kristian Köhntopp, a senior scalability engineer, stated that Mozilla is about to “break DNS” because Cloudflare will be used for DNS resolution instead of the resolver assigned by the system administrator. This will leak the names of all the websites a user visits in a corporate environment to Cloudflare.

Kristian Tweet

For those who do not want to use the default DoH Cloudflare server in Firefox, you can go to Options, then Network Settings, and then change the provider under Use Provider to a custom one.

Custom Provider in Firefox

Many users will be unaware of any change and will use Cloudflare’s DoH server by default.

While this may not be a bad thing as they will be using encrypted DNS resolution, data is the Internet’s currency, and Cloudflare will be getting a lot of data.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.