Starting today, Mozilla will turn on by default DNS over HTTPS (DoH) for Firefox users in the US, the company has announced. DoH is a new standard that encrypts a part of your internet traffic that’s typically sent over an unencrypted plain text connection, and which could allow others to see what websites you’re visiting, even when your communication with the website itself is encrypted using HTTPS. Mozilla says it is the first browser to support the new standard by default, and will be rolling it out gradually over the coming weeks in order to address any unforeseen issues.
Whenever you type a website into your address bar, your browser needs to go through a process to convert it into an IP address using a DNS lookup. However, this traffic is normally not encrypted, meaning that it’s possible for others to see what websites you’re visiting. DoH is an attempt to encrypt this information to protect your privacy. Here’s a more in-depth explanation from Mozilla that explains it in detail.
Mozilla is motivated in part by ISPs who monitor customers’ web usage. US carriers like Verizon and AT&T are building massive ad-tracking networks. DoH won't stop the data collection but it’ll likely make it more difficult.
Although it’s much harder for others to see your DNS lookups with DoH enabled, the websites will still be visible to the DNS server your browser is connecting to. Thus, Mozilla says Firefox will offer a choice of two trusted DNS providers, Cloudflare and NextDNS, and that Cloudflare will be used as the default. Mozilla has outlined a set of privacy requirements that any DoH provider must abide by in order to be considered a trusted resolver.
Mozilla claims that DoH increases the privacy and security of users online, but the technology has faced fierce criticism from lawmakers and security experts who say that it hampers legitimate attempts by enterprise system administrators and lawmakers to block dangerous web content. Experts also claim the technology doesn’t provide the perfect privacy protection that its proponents claim. Only certain parts of the DNS lookup process are encrypted, and internet service providers will still be able to see which IP addresses their users are connecting to, they warn.
When it announced that it would be turning on DoH by default last year, Mozilla said that it would allow for opt-in parental controls and disable DoH if Firefox detects them. It also said that it would disable DoH by default in enterprise configurations.
This controversy means that today’s announcement only concerns US-based Firefox users. Mozilla told ZDNet last year that it wouldn’t be enabling DoH by default in the UK, where the technology has been criticized by the country’s GCHQ intelligence service, child advocacy groups, and ISPs. In an FAQ on its site Mozilla says its current focus is on enabling the feature in the US only. However, users outside the US will be able to manually turn the feature on by heading into Settings, General, and then scrolling down to Networking Settings.
While Firefox is the first browser to start turning on DoH by default, other browsers such as Chrome, Edge Chromium, and Brave have also started supporting the feature. However, in most cases you’ll have to dig through their settings in order to enable the feature. Here’s a guide from last year on how to do so.