Doug Lhotka

Mozilla has been overriding network settings for DNS in the browser for a while now, motivated by privacy concerns, but recent actions to default to an ISP DNS service raise questions and seem inconsistent with that design.

DNS over HTTPS is an attempt to block eavesdropping on DNS requests, which is great in theory, but causes a number of problems, especially with the current design in Firefox.  From an architectural standpoint having any application use its own DNS system rather than the network stack’s configuration is poor design.

First, network administrators have real requirements to monitor DNS requests.  For more formal networks, this is often used to block malicious links, track malware, and prevent access to prohibited content.

In my own case, I run a Pi-Hole to block advertising and track across all of the devices on my network, and in turn have that pointed to Quad9 (secure DNS of course) to leverage their block list, with CloudFlare as a backup.  Other home users will have parental control software active.  In both cases, Firefox overrides those settings and bypasses any local blockers.  By default.  With no notification or consent.

Their original argument for making this opt-out was because most users won’t turn it on if it’s opt-in.  I can sort of get that, and previously the default DNS servers were pretty benign.  However, with the announcement recently, Firefox will now default to an ISP’s ‘secure’ server if you’re on their network.  Mozilla claims that making this change is OK because users can opt-out, but again, that’s contradictory to their reasoning for opting users in by default in the first place. In any case, this doesn’t seem exactly in line with their previous position on providing secure DNS to avoid ‘ISP eavesdropping’ is it?

I’m not mentioning the specific ISP, because I expect it’s just the first of several that are going to go down this path.  And while it’s possible that they’ll actually provide secure, private, non-tracked, non-filtered DNS lookups, there are loopholes in the Mozilla DOH Resolver Policy. And when it comes to ISPs, let’s just say that past practices are cause for reasonable concern.

What Firefox should do instead is pop a configuration screen that allows the user to opt-in both to DNS over HTTPS, and then select the server they’d like to use.  No default.  No automatic enablement.  When new server options are added, just pop that screen up again and ask if they’d like to change.   Empower the users to make a choice based on their own priorities and interests.

That’s how you support user privacy.