Firefox has announced it’s making encrypted DNS-over-HTTPS (DoH) the default way of connecting to sites on the web. And this browser tech is coming soon to Google’s Chrome, too. If you’ve got no idea what any of that means, here’s what you need to know about the technology and the future of your browsing.
When you type in “gizmodo.com” (or any other URL) into the address bar of your browser, something called the Domain Name System (DNS) translates the human-friendly URL into a computer-friendly string of numbers (an IP address), that’s used to locate a website and display it in your browser.
It’s a bit like a directory of mailing addresses, but instead of interpreting a set of coordinates to get to a house, it’s interpreting a web address to get to a particular server on the internet.
Most of us are typically assigned a DNS provider by whichever company is selling us internet access, but you can change your DNS service if you want, perhaps because you don’t want your internet service provider (ISP) potentially snooping on the URLs you’ve visiting or potentially selling your browsing history to advertisers.
Switching up DNS providers has other benefits, too: You can often get some speed and reliability improvements along the way, for example. If you live in a part of the world where the government blocks access to certain parts of the web, then a different DNS service is one way you might get around it.
This mapping (from URL to IP address) is typically unencrypted, which means it’s fairly easy for someone with the tools and know-how to spy on which sites you’re visiting. In the worst-case scenarios, the data can be manipulated so that certain URLs don’t point to the sites that they should be and instead direct you to malicious sites—and you’re none the wiser. Mozilla has a fantastic and detailed explainer on how this all works here.
That means DNS remains a weak link in terms of online security, in that this URL-to-IP process is easy to spy on and intercept. The idea behind DoH is to tighten it up, to build on top of the encrypted data coming from the actual sites. What DoH does is encrypt those communications by sending the DNS requests as encrypted HTTPS data: Suddenly your ISP and DNS providers don’t know where you’re going, and the software running on your device doesn’t either.
DoH has been available as an option in Firefox for more than a year but is about to become the default. Google is heading this way too, experimenting with DoH with a subset of users in its upcoming release of Chrome v78. In Chrome’s case, however, the encryption will only be turned on for the more tech-savvy people who’ve already changed their DNS settings.
“After many experiments, we’ve demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic,” explains Mozilla’s Selena Deckelmann. “We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out.”
So what’s the downside? As in the debate around encrypted instant messaging, secure communications for the average user means secure communications for criminals too. Concerns have been raised—in the UK, for example—that DoH makes it too easy for illegal and unsavoury material to get distributed, and for parental controls and whitelist filters to get bypassed.
Many parental control services, and ISP-run services for blocking adult or illegal material, work by monitoring IP addresses at the DNS level—certain destinations just aren’t available to users subjected to the controls. With DoH enable, no one else knows what destinations you’re trying to get to, so the filters suddenly become ineffective.
Everything considered though, the advantages of DoH for most users far outweigh the disadvantages: Mozilla says Firefox will disable DoH if parental controls are detected on the system, and it’s promised not to make the setting the default in the UK for now due to concerns over unmonitored access to child abuse sites.
For Mozilla, the case is clear—in the tests it’s been running with DoH to this point, it found 4.3 percent of users have some kind of parental control or safe search DNS option set up, and 9.2 percent of users have special kinds of enterprise DNS settings in place (for access to private company web hubs, for example).
That means for the majority of users, the transition to DoH should be safe and seamless, and when it’s going to interfere with some other kind of DNS management, it can be switched off if needed. Mozilla is using the Cloudflare 220.127.116.11 DNS service to help power DoH, in part because of Cloudflare’s tight rules about security and privacy, but more DNS providers might be added over time.
The roll out of DoH-as-default for Firefox users is starting now, but will only involve a “small percentage” of users to begin with, before it comes to everyone. In the meantime, Mozilla will be monitoring for any issues and getting feedback from users. If the DoH default hasn’t been pushed out to you yet, you can enable it manually.