Firefox recently updated their future releases blog with news of a
long-running project that will be added to an upcoming release.
Starting in 2017, Mozilla began working on the
DNS-over-HTTPS (DoH) protocol. Then, in June of 2018, they started running
experiments in Firefox to ensure that the performance and user experience with
DoH were great.
So far, all tests have gone well and more than 70,000 users
have already chosen to explicitly enable DoH in the Firefox Release edition.
At this point, Firefox is close to releasing DoH in the
Their blog states that, “After many experiments, we’ve
demonstrated that we have a reliable service whose performance is good, that we
can detect and mitigate key deployment problems, and that most of our users
will benefit from the greater protections of encrypted DNS traffic. We feel
confident that enabling DoH by default is the right next step. When DoH is
enabled, users will be notified and given the opportunity to opt out.”
Mozilla plans to gradually roll out DoH in the USA starting in
late September. The plan is to start slowly enabling DoH for a small percentage
of users while monitoring for any issues before enabling for a larger audience.
If everything goes well, a statement will be released to let users
know when Mozilla is ready for 100% deployment.
At the present time, they’re encouraging enterprise administrators
and parental control providers to check out Mozilla’s config documentation and
to get in touch with any questions. Their config document can be found here: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
DoH will be deployed in “fallback” mode so that if domain name
lookups using DoH fail or if the heuristics are triggered, Firefox will fall
back and use the default operating system DNS. This means that for the minority
of users whose DNS lookups might fail because of split horizon configuration,
Firefox will automatically attempt to find the correct address through the
operating system DNS.
Firefox also already detects when parental controls are enabled in
the operating system, and if they are in effect, Firefox will disable DoH. DoH will
also be disabled if enterprise policies have been set on the device.
Of course, if an enterprise policy explicitly enables DoH, that
configuration will be respected.
System administrators interested in how to go about configuring
enterprise policies can find documentation at: https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise
Mozilla is also working with providers of parental controls,
including ISPs, to add a canary domain to their blocklists. This helps Mozilla
in situations where the parental controls operate on the network rather than an
individual computer. If Firefox determines that the canary domain is blocked,
that indicates that opt-in parental controls are in effect on the network and
Firefox will disable DoH automatically.
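
The checks described above (enterprise policy, operating system parental controls, the network canary domain, and fallback to operating system DNS) can be modelled in a short script that an administrator runs on a client to see which signal that network gives. This is an added example, not Firefox's code and not from Mozilla's blog; the canary name comes from Mozilla's DoH documentation rather than this page, and the function names are hypothetical.

```python
import socket

# Assumption: canary name taken from Mozilla's DoH documentation; this page does not state it.
CANARY_DOMAIN = "use-application-dns.net"


def os_resolve(name):
    """Resolve through the operating system resolver; [] means no address."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def doh_decision(policies_present=False, policy_enables_doh=False,
                 os_parental_controls=False, resolve=os_resolve):
    """Return (doh_enabled, reason) following the checks in the article."""
    if policy_enables_doh:
        return True, "enterprise policy explicitly enables DoH"
    if policies_present:
        return False, "enterprise policies are set on the device"
    if os_parental_controls:
        return False, "operating system parental controls are on"
    if not resolve(CANARY_DOMAIN):
        return False, "canary domain is blocked by the network resolver"
    return True, "no opt-out signal found"


def lookup(name, doh_resolve, fallback=os_resolve):
    """Fallback mode: try DoH first, use the OS resolver if DoH fails."""
    try:
        addrs = doh_resolve(name)
    except OSError:
        addrs = []
    if addrs:
        return addrs, "doh"
    return fallback(name), "os"


if __name__ == "__main__":
    # Run on a client of the network under test to see what it signals.
    enabled, reason = doh_decision()
    print(f"DoH would be {'enabled' if enabled else 'disabled'}: {reason}")
```

The `lookup` function shows why split horizon names keep working in fallback mode: a name the DoH resolver cannot answer is retried through the operating system resolver.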
Any bugs found in this DoH rollout can be reported here: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Networking%3A%20DNS
If we can be of help with your network or computer, give us a call here at
RHYNO Networks. (855) 749-6648