DNS-over-HTTPS to Be Enabled by Default in Firefox by End of Month
Mozilla developers have announced that testing of the DNS-over-HTTPS (DoH) protocol has revealed no issues, and by the end of this month, DoH will be enabled by default in the main version of Firefox. The rollout will start with users in the United States and will gradually expand to a wider audience.
Development of DoH (IETF RFC 8484) began in 2017, with testing starting in 2018. Currently, more than 70,000 users have already enabled DoH in their browsers. The core idea of the new protocol is reflected in its name: it sends DNS queries to special DoH-compatible DNS servers over an encrypted HTTPS connection, rather than using traditional unencrypted UDP queries.
By default, Firefox relays encrypted DoH requests through Cloudflare’s resolver, but users can switch to any other provider. Additionally, DoH operates at the application level, not the operating system level, essentially hiding DNS queries within regular HTTPS data streams.
As a result, DNS requests become “invisible” to third-party observers such as internet service providers, local parental control solutions, antivirus software, corporate firewalls, and so on. DoH DNS communications are nearly indistinguishable from other HTTPS traffic.
Privacy and Criticism
While privacy advocates have welcomed this change, Mozilla has also faced criticism for implementing DoH support in its browser. Earlier this year, the UK’s Internet Services Providers Association (ISPA) even suggested naming Mozilla the “Internet Villain of the Year” because DoH support could allow users to bypass government filters and parental control systems, potentially undermining internet safety standards across the UK. In response, Mozilla stated that it would not enable DoH by default for users in the UK.
Automatic Detection and Parental Controls
After DoH is enabled by default for U.S. users, Firefox will automatically detect any parental control tools or corporate configurations. If such tools are found, the browser will automatically disable DoH to ensure that Firefox does not bypass security solutions and corporate filters used to protect users.
Furthermore, in collaboration with internet service providers and network solution vendors for parental controls, Mozilla has decided to provide a tool to help them prevent circumvention of blocks. They will be able to use a so-called “canary domain” (similar to a “canary certificate”). This domain can be added to their blocklists, and if Firefox detects that this domain is blocked, the browser will disable DoH to prevent the feature from being used to bypass filters.
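The canary-domain check described above, modelled as an added Python example (this is not Mozilla's code). It assumes the canary name use-application-dns.net that Mozilla later published (the article does not name it), treats NXDOMAIN or an empty answer as a deliberate block while transient resolver failures leave DoH on, and takes the resolver as a callable so the decision logic can be exercised offline with constructed answers; a network administrator can point the same logic at the real system resolver to confirm their block is being seen.

```python
"""Canary-domain heuristic: should Firefox keep DoH on for this network?

Model of the check: ask the *system* (non-DoH) resolver for the canary
domain. A network that wants DoH off answers that the name does not exist.
"""
import socket
from typing import Callable, List

CANARY_DOMAIN = "use-application-dns.net"  # assumed: Mozilla's published canary


class NXDomain(Exception):
    """Resolver said the name does not exist (NXDOMAIN)."""


class ResolveFailure(Exception):
    """SERVFAIL, timeout or other transport failure (not a block signal)."""


# A resolver returns address strings, an empty list for NODATA (name exists
# but has no A/AAAA records), or raises one of the exceptions above.
Resolver = Callable[[str], List[str]]


def canary_says_disable_doh(resolve: Resolver, domain: str = CANARY_DOMAIN) -> bool:
    """True when the network deliberately blocks the canary domain."""
    try:
        addrs = resolve(domain)
    except NXDomain:
        return True          # explicit block: fall back to system DNS
    except ResolveFailure:
        return False         # flaky resolver must not silently strip DoH
    return len(addrs) == 0   # NODATA is also treated as a block


def decide_doh(resolve: Resolver, parental_controls_detected: bool = False) -> str:
    """Combine the two signals the article describes into a DoH mode."""
    if parental_controls_detected or canary_says_disable_doh(resolve):
        return "doh-off"
    return "doh-on"


def system_resolver(domain: str) -> List[str]:
    """Real resolver through the OS stub resolver (never DoH).

    The errno mapping is approximate: getaddrinfo folds NXDOMAIN and NODATA
    into EAI_NONAME on most platforms, which both count as a block here.
    """
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:
            raise NXDomain(domain) from err
        raise ResolveFailure(str(err)) from err
    return sorted({info[4][0] for info in infos})
```

Run `decide_doh(system_resolver)` on the network in question; "doh-off" means the block is visible to the browser.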