Firefox Is Rolling Out DNS over HTTPS And The Security Benefits Are Not What You May Think They Are
The Mozilla Corporation is rolling out domain name lookups over HTTPS for American users of their Firefox web browser product in partnership with Internet infrastructure giant Cloudflare. DNS over HTTPS is meant to prevent local attackers and internet service providers from monitoring DNS traffic. It does, in theory, shift the potential points of attack from the local DNS provider to one giant centralized organization running DoH DNS servers. In practice it doesn't: a local attacker can very easily make Firefox disable the DoH functionality.
written by 林慧 (Wai Lin). published 2020-03-06 - last edited 2020-03-07
Mozilla Firefox 73 with the WJSN Happy Moment theme showing their page about DNS over HTTPS.
Several larger GNU/Linux distributions choose to disable the DNS over HTTPS functionality the Mozilla Corporation is in the process of imposing on all Firefox users due to privacy concerns. That is somewhat ironic since privacy is supposed to be a benefit of using DNS over HTTPS. And it could be, depending on which attacker you are most concerned with. Those who control your local network's DNS servers (your organization or your ISP) will not be able to see DNS traffic when DNS over HTTPS is used. Those who run the DNS over HTTPS servers, on the other hand, get to see a whole lot of DNS traffic from a wide range of users. It is fair to question why Cloudflare is only too eager to provide free public DNS over HTTPS servers everyone can use.
Firefox users can manually enable or disable DNS over HTTPS in the settings or by changing the network.trr.uri variable in about:config. GNU/Linux distributions can ship a custom prefs.js file with their own network.trr.uri setting and many do. However, there is another sneaky way to disable DoH in Firefox which is not as straightforward or well-known.
Firefox has a simple test it runs on startup which decides if it will or won't use DNS over HTTPS if it is configured to do so: It does a local unencrypted query for the special domain use-application-dns.net. Firefox will disable DNS over HTTPS functionality with no user notification or interaction if that query returns SERVFAIL. No security warning or notification is given if that happens. Any network operator, government or coffee-shop providing public wifi can simply block use-application-dns.net, which normally points to an IP controlled by the Mozilla Corporation (18.104.22.168/20), and disable DNS over HTTPS.
The Mozilla Corporation has a "helpful" web page about "Firefox DNS-over-HTTPS" which states that the "benefits" are:
"DoH improves privacy by hiding domain name lookups from someone lurking on public WiFi, your ISP, or anyone else on your local network. DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior."
That same page mentions that there are some "Risks":
"When enabling DoH by default for users, Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy."
"Canary domain lookup" means a query for the use-application-dns.net domain and it is a real risk if you are in a situation where you want to or need to use DNS over HTTPS because it means that you cannot rely on it to provide any security benefits at all. A local attacker who is in control of the local network's domain name servers can block that domain and make Firefox silently disable DoH. Allowing potential attackers in control of the local or upstream network to control whether a "security" feature designed to prevent such attacks is enabled or not is just plain stupid.
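Since Firefox gives no notification, the only way to know whether a network is sending this signal is to ask its resolver yourself. The following is an added example, not code from Mozilla or from this article: it sends the same plain-DNS canary query and classifies the reply. The article names only SERVFAIL; treating any error code or an empty NOERROR answer as the off signal is an assumption, and the function names and sample replies are constructed for illustration.

```python
import socket
import struct

CANARY = "use-application-dns.net"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed query ID, enough for a one-shot check

def build_query(name, qtype=1):
    """Encode a minimal DNS query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(response):
    """Return (doh_disabled, reason) for a raw reply to the canary query."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    # Assumption: any error rcode, or NOERROR with no answers, is the off signal.
    # ancount is the header's answer count; record types are not inspected here.
    if rcode != 0:
        return True, f"{RCODES.get(rcode, rcode)}: canary signals DoH off"
    if ancount == 0:
        return True, "NOERROR with no records: canary signals DoH off"
    return False, f"NOERROR with {ancount} record(s): DoH stays on"

def check_resolver(resolver_ip, timeout=3.0):
    """Ask resolver_ip for the canary over plain UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (resolver_ip, 53))
        return classify(s.recvfrom(512)[0])

def sample_response(rcode, addresses=()):
    """Constructed reply (not captured traffic): question echoed, A records added."""
    header = struct.pack("!HHHHHH", TXID, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + socket.inet_aton(a) for a in addresses)
    return header + build_query(CANARY)[12:] + rrs

if __name__ == "__main__":
    for reply in (sample_response(2), sample_response(0, ["192.0.2.1"])):
        print(classify(reply))
```

Call check_resolver() with the resolver address your DHCP lease handed out; a True result on a network where you expected DoH means lookups from Firefox are going out in plaintext.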
The way DNS over HTTPS is implemented in Mozilla Firefox raises the obvious question: What's the point? It provides Cloudflare with massive amounts of user data, so they benefit from it. End-users, on the other hand, do not get the supposed additional security Mozilla promises. Perhaps there is some point to it but we can't seem to find it.