Broadband News

DOH by default on its way to Firefox for USA users first

DNS over HTTPS (DoH) is seen by some as an important privacy measure i.e. hiding your conversion of domain names into an IP address prior to loading the content of a webpage from your Internet Service Provider (ISP), but others see dangers within these changes in that it may break things, or be part of a commercial land grab leading to marketing from browser manufacturers eventually.

A Mozilla blog from 6th September reveals that as part of its ongoing experiments in the USA they are close to releasing DoH by default to USA users. One presumes that if the release goes well a rollout in other countries will quickly follow. At the point when it appears outside the USA questions around where the actual DNS resolution actually takes place become important and whether differences in how different countries handle things like parental controls, IWF watchlist and pornography filters may mean code tweaks are needed.

Where DoH handles the domain name resolution is an important aspect, since if when finally deployed in the UK the DNS lookup ends up going via the United States of America, technically this will be slow due to the distance involved but also outside the GDPR regime and records of what you are doing also become available to federal agencies.

We are at this point presuming that while DoH maybe on by default in some future release of Firefox that this change will be clearly flagged to the public and that options to turn it off will be obvious, and not follow the pattern of some sites like Amazon where the buttons for an Amazon Prime trial can seem designed to make people click yes when they sometimes really meant no.

Concerns over parental controls do seem to being considered as an older blog item does go into a bit more depth and if a specific domain that is already in a number of parental controls lists and marked as an 'adult' site does not resolve to the expected IP address the assumption that opt-in parental controls are enabled is made and the DoH is turned off. First thought here is that this means an ISP or Government could disable DoH by ensuring that this canary domain triggers turning off the DoH and if this all happens seemlessly we may be in a situation where millions think they have a browser with higher levels of privacy compared to others but in reality there is no difference.

The more difficult question is how will the important IWF watchlist work and a myriad of other variations in how DNS is used. Apparently where people are on a corporate network the browser will look for signature network configurations before any DNS look ups happen. Additionally the DoH system will if unable to resolve a domain name fall back to letting the system configured DNS take over, of course one can envisage scenarios where this delay will be annoying, this largely affects the developer community who hopefully if fiddling with custom DNS will be aware enough to set up exceptions in the DoH config or turn it off.

Another area that may cause issues is where an ISP uses DNS to direct users to a more local media CDN, but if you use any external DNS service you get the generic CDN. The effect of this may be sub optimal video streaming especially and if people end up streaming from outside their ISP network the external bandwidth demands may increase for an ISP.

Given public Wi-Fi exists in America we presume that the question over what will happen for Wi-Fi hot spots that need to re-direct you to their landing page to sign in/agree terms has been handled. Of course most regular Wi-Fi users already keep a site to hand that does not auto redirect to https and once signed they turn on a VPN (Virtual Private Network) to safeguard their data from interception.

Big DNS failures at a broadband provider are rare thankfully, and if the blog items are correct it seems that a failure of DoH happens the locally configured DNS will takeover, but if the domains resolved via DoH are poisoned then people will get very confused and as many are not likely to be aware of where the issue lies there will be providers support lines struggling until they figure it out, i.e. site A does not work in Firefox but does work in another browser on the same machine.

The questions over who you trust and how much your browser already knows about you in a world ever more dominated by marketing means that DoH is going to have lots of questions asked and onus is on those implementing it to be open and about what happens with any data generated.


"records of what you are doing also become avoid to federal agencies" should be "available to" as a guess?

  • DanielCoffey
  • about 1 year ago

Can I blame my lack of coffee this morning when I was first writing item?

  • andrew
  • thinkbroadband staff
  • about 1 year ago

I'm quite surprised that they are rolling this out by default.

I already use their DOH service, and it has a reasonably high failure rate.

When using the "fallback to ISP DNS" option (which seems to be the default) it would invariably fall back because the DOH lookup took "too long", which rather defeats the point of having it enabled.

Using the "force DOH only" option DNS fails to resolve randomly, I would say 10% of the time (nothing a refresh wont fix usually, but I can't see "normal" customers being so tolerant of such a high failure rate.

  • severedsolo
  • about 1 year ago

Post a comment

Login Register