
Mozilla Foundation engineers announced plans over the weekend to test the "DNS over HTTPS" (DoH) fledgling security standard in Firefox Nightly distributions.
The feature will be tested as a Firefox shield study, a browser mechanism that allows engineers to roll out and roll back experimental features at a moment's notice.
High hopes for DoH protocol
DNS over HTTPS is a web protocol that carries DNS queries and their responses inside HTTPS connections, giving the queries confidentiality on the wire.
The standard is still under discussion at the Internet Engineering Task Force (IETF), and should not be confused with DNSSEC, a standard that also uses cryptography, but for "origin authentication" between DNS client and server rather than for confidentiality.
DNSSEC was developed to combat DNS-based DDoS attacks and origin IP spoofing, while DoH was created to provide query confidentiality against third-party observers, such as ISPs.
Despite being less than a year old, many view DoH as the encrypted version of the DNS standard, similar to how HTTPS is to HTTP [1, 2].
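To make the "DNS inside HTTPS" idea concrete, here is an added example (not code from the article, Mozilla, or the draft's authors) that builds a wire-format DNS query, wraps it the way the DoH draft (later RFC 8484) specifies for a GET request, and parses a constructed response; the resolver URL is a placeholder assumption.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption; no resolver from the article is implied).
DOH_URL = "https://doh.example/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS query in RFC 1035 wire format.
    The message ID is 0, which the DoH draft recommends for GET so HTTP caches
    see identical bytes for identical questions."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_request(name: str):
    """Return (url, headers) for a DoH GET: the DNS message travels base64url-encoded
    without padding in the 'dns' parameter, and TLS hides both it and the answer
    from on-path observers such as an ISP."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={b64}", {"Accept": "application/dns-message"}


def parse_a_answers(resp: bytes) -> list:
    """Extract IPv4 addresses from the A records of a wire-format DNS response.
    Answer owner names are either a label sequence or a single compression pointer
    (the common case); mixed forms are not handled in this short example."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):                 # skip the echoed question section
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 1 + 4                         # terminator + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        if resp[pos] & 0xC0 == 0xC0:         # compression pointer to the question name
            pos += 2
        else:
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs


# Constructed sample response (not captured traffic): "example.com A" -> 203.0.113.5
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 5]))
```

Sending the GET over HTTPS and handing the response body to parse_a_answers is all a DoH client adds on top of ordinary DNS; the resolver still sees the question, which is the point the comments below raise about who operates it.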
Mozilla tests DoH even before protocol's approval
But even though Mozilla engineers don't have a final version of the DoH standard, they have decided to test-run the protocol and see how it fares in the real world.
"Soon we'll be launching a Nightly-based pref-flip shield study to confirm the feasibility of doing DNS over HTTPs (DoH)," said Patrick McManus, a Mozilla engineer.
"If all goes well the study will launch Monday (and if not, probably the following Monday)," he added. "It will run <= 1 week. If you're running Nightly and you want to see if you're in the study check about:studies."
If a user has been selected to participate in the Firefox shield study, a new entry will appear in the about:studies page and new preferences will show up in the about:config section.
Unfortunately, Bleeping Computer was not selected for the DoH shield study, but you can check out a list of all the new DoH-related preferences on GitHub or in this Ghacks article.
To keep track of how the experiment goes, you can bookmark this Google Groups discussion and this Mozilla bug tracker entry.
Comments
Occasional - 8 years ago
Interesting. Thanks CC for marking the distinction between DoH and DNSSEC. Would seem that there is a rationale for seeking the benefits of each (confidentiality from the former, authenticity from the latter). Are the mechanisms mutually exclusive?
JohnC_21 - 8 years ago
There has already been some blowback.
"Nightly build fans' hostname lookups piped to Cloudflare in limited security feature trial"
https://www.theregister.co.uk/2018/03/20/mozilla_firefox_test_of_privacy_mechanism_prompts_privacy_worries/
campuscodi - 8 years ago
Study participation is disabled by default.
No offense, but you have to be a pretty big moron to purposely enable Firefox studies and then complain about having your browser used for these experiments.
muesli - 8 years ago
Catalin, there are limits as to what is allowed in experiments. Firefox sending user data to third parties is the equivalent of me asking for your car for a day, extracting your GPS history and sharing it on Facebook (sic). Firefox is not new to these stunts: after receiving a big grant from Google they had included a fingerprinted beacon towards Google's "secure browsing" servers on browser startup for years.
campuscodi - 8 years ago
Data is anonymized. Firefox studies is off by default. Don't enable it and you'll be just fine.
forum11 - 8 years ago
DoH vs. DNSSEC, also not to be confused with DNSCrypt. There's probably another one we're still not mentioning.