Jeremy Herold

Firefox to Make Encrypted DNS Default


Firefox recently updated its Future Releases blog with a long-running project that will be added to an upcoming release.

Starting in 2017, Mozilla began working on the DNS-over-HTTPS (DoH) protocol. Then, in June of 2018, they started running experiments in Firefox to ensure that the performance and user experience with DoH were great.

So far, all tests have gone well and more than 70,000 users have already chosen to explicitly enable DoH in the Firefox Release edition.

At this point, Firefox is close to releasing DoH in the USA.

Their blog states that, “After many experiments, we’ve demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic. We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out.”

Mozilla plans to gradually roll out DoH in the USA starting in late September. The plan is to start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling for a larger audience.

If everything goes well, a statement will be released to let users know when Mozilla is ready for 100% deployment.

At the present time, they’re encouraging enterprise administrators and parental control providers to check out Mozilla’s config documentation and to get in touch with any questions. Their config document can be found here: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

DoH will be deployed in “fallback” mode: if a domain name lookup over DoH fails, or if one of the heuristics is triggered, Firefox will fall back to the operating system’s default DNS. This means that for the minority of users whose DNS lookups might fail because of a split-horizon DNS configuration (internal names that only the local resolver can answer), Firefox will automatically attempt to find the correct address through the operating system DNS.

Firefox also already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH. DoH will also be disabled if enterprise policies have been set on the device.

Of course, if an enterprise policy explicitly enables DoH, that configuration will be respected.

System administrators interested in how to go about configuring enterprise policies can find documentation at: https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise

Mozilla is also working with providers of parental controls, including ISPs, to add a canary domain to their blocklists. This helps Mozilla in situations where the parental controls operate on the network rather than an individual computer. If Firefox determines that the canary domain is blocked, that indicates that opt-in parental controls are in effect on the network and Firefox will disable DoH automatically.
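The heuristics and fallback behaviour described above, as an added Python illustration (not Mozilla's or Firefox's code): the DoH and operating-system resolvers are injected as callables over constructed lookup tables so it runs offline, and the canary domain used is the one Mozilla documents, which this post does not name.

```python
from typing import Callable, Dict

# Mozilla's documented canary domain; taken from Mozilla's own documentation,
# the post above does not name it.
CANARY_DOMAIN = "use-application-dns.net"


class DnsError(Exception):
    """Lookup failed (NXDOMAIN, timeout, no records)."""


Resolver = Callable[[str], str]  # returns an address or raises DnsError


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed name -> address table."""
    def resolve(name: str) -> str:
        if name not in table:
            raise DnsError(f"NXDOMAIN {name}")
        return table[name]
    return resolve


def choose_mode(os_resolve: Resolver, parental_controls: bool,
                enterprise_policies: bool, policy_enables_doh: bool) -> str:
    """Return "doh" or "os" using the heuristics listed in the post."""
    if enterprise_policies:                    # any enterprise policy is set
        return "doh" if policy_enables_doh else "os"  # explicit enable wins
    if parental_controls:                      # OS-level parental controls
        return "os"
    try:                                       # canary check via the OS resolver
        os_resolve(CANARY_DOMAIN)
    except DnsError:                           # blocked => network-level controls
        return "os"
    return "doh"


def lookup(name: str, mode: str, doh_resolve: Resolver, os_resolve: Resolver) -> str:
    """Resolve `name`; in "doh" mode a failed DoH lookup falls back to OS DNS."""
    if mode == "os":
        return os_resolve(name)
    try:
        return doh_resolve(name)
    except DnsError:                           # "fallback" mode from the post
        return os_resolve(name)


# Constructed sample: a split-horizon network whose internal resolver answers an
# intranet name the public DoH resolver cannot see, and does not block the canary.
OS_RESOLVER = table_resolver({CANARY_DOMAIN: "192.0.2.1",
                              "intranet.corp.example": "10.0.0.5",
                              "www.example.com": "203.0.113.10"})
DOH_RESOLVER = table_resolver({"www.example.com": "203.0.113.10"})
BLOCKING_OS_RESOLVER = table_resolver({"www.example.com": "203.0.113.10"})
```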

Encrypted DNS-over-HTTPS to become Firefox default

Any bugs found in this DoH rollout can be reported here: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Networking%3A%20DNS

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648
