Bulletproof TLS Newsletter #57
Mozilla and Chrome about to enable DNS over HTTPS
26 September 2019
Author: Hanno Böck

This issue was distributed to 51,848 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Mozilla and Chrome about to enable DNS over HTTPS
  2. Short news

Mozilla and Chrome about to enable DNS over HTTPS

Both Mozilla and Chrome have announced their first plans to enable DNS over HTTPS (DoH) in some situations. But they will start with a very slow rollout and will disable DoH in many situations.

Mozilla will enable DoH for its US customers in an upcoming version of Firefox, but there will be several exceptions. DoH won’t be enabled when Firefox detects DNS configurations in which the local DNS resolver gives different answers than a remote one, which Mozilla calls split horizon networks. With a canary domain, network operators also can signal the browser that DoH should be disabled. By default, DoH will be disabled in Firefox with enterprise policies. The detection of split horizon will likely mean that DoH also can be force-disabled by a network attacker.

Google will take an even softer route with DoH: Chrome will only enable it when the locally configured DNS server is in a list of servers that are upgradable to DoH.

DNS over HTTPS tunnels DNS queries over an encrypted channel. It’s been criticized for two separate reasons. First, tunneling DNS queries to a centralized DNS server creates a single point where all these queries can be observed. Mozilla right now uses a DoH server provided by Cloudflare. The second reason is that network operators are concerned that DoH takes away control. Some systems use local DNS filtering as parental control or security measures.

Short news