Connect with us

Hi, what are you looking for?


Network Security

DNS-over-HTTPS Coming to Firefox

Mozilla this week announced plans to gradually roll-out DNS-over-HTTPS (DoH) in Firefox starting this month, though only users in the United States will receive it in the beginning.

Mozilla this week announced plans to gradually roll-out DNS-over-HTTPS (DoH) in Firefox starting this month, though only users in the United States will receive it in the beginning.

The DoH protocol was designed to enhance overall security of Internet users by sending DNS queries and getting DNS responses over HTTP using TLS security, which improves both integrity and confidentiality.

Mozilla first started working on the DoH protocol in 2017 and has been experimenting the protocol’s deployment in Firefox since June 2018. At the moment, over 70,000 users have already enabled DoH in their stable versions of Firefox, the browser maker says. 

The Internet organization also notes that experiments have demonstrated that their service is reliable and delivers good performance, that deployment problems can be detected and mitigated, and that most users will benefit from the greater protections of encrypted DNS traffic. 

“We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out,” Mozilla notes. 

What the browser maker has learned was that Firefox users in the United States rarely configured OpenDNS’ parental controls and Google’s safe-search feature (only 4.3% of users in the study did) and that 9.2% of users triggered a split-horizon heuristics (accessed websites had domains with non-public suffixes or domain lookups returned both public and private IP addresses).

Moving forth, Mozilla plans on deploying DoH in fallback mode, meaning that Firefox will fall back and use the default operating system DNS if domain name lookups using DoH fail or if heuristics are triggered. 

“This means that for the minority of users whose DNS lookups might fail because of split horizon configuration, Firefox will attempt to find the correct address through the operating system DNS,” the organization says. 

Advertisement. Scroll to continue reading.

Firefox already detects when parental controls are enabled in the operating system, and DoH will be automatically disabled in those instances, to respect user choice. The same will apply if Firefox detects that enterprise policies have been set on the device.

“We’re also working with providers of parental controls, including ISPs, to add a canary domain to their blocklists. This helps us in situations where the parental controls operate on the network rather than an individual computer,” Mozilla says. 

Mozilla also notes that it plans on revisiting the use of canary domain and that it will pay close attention to how it is adopted, to learn if it isn’t being abused to disable DoH in situations where users have not explicitly opted in.

Related: Google Makes DNS Over HTTPS Generally Available

Related: Mozilla Brings Encrypted SNI to Firefox Nightly

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.