You must Disable Firefox's DNS-over-HTTPS aka Trusted Recursive Resolver

Firefox has for some time been experimenting with something called DNS-over-HTTPS. It's a massive change to one of the most fundamental mechanics of the Internet and could have some seriously devastating effects. Since Firefox 74 it has been enabled by default for new users, and since Firefox 79 existing users who have not enabled it until now are being asked to opt in via a misleading popup.

Disable it Now

DNS is literally the most fundamental component of the Internet. It is perhaps best described by adapting one of my favorite lines:

He who controls the DNS controls the Internet.

Yes, it's that level of important.

Before we get into the details of why it's bad and why Mozilla is wrong, here's what you need to do to disable DNS-over-HTTPS (also known as Trusted Recursive Resolver). We'll do this by bypassing the UI and setting the option to "off by choice", which should (assuming Mozilla doesn't do any funny business in the future) keep it off permanently and never prompt you again.

Go into Firefox's Configuration Editor by typing about:config into your browser's address bar.

Click on the "Accept the Risk and Continue" button to bring up the list of all advanced preferences. In the search bar that appears on the top of that page type in network.trr.mode to filter the list.

On the right side of the page click the pencil icon to edit the option. Type in the number 5 exactly as shown. Then click the check mark to save the change.

DNS over HTTPS is now disabled. You may close or navigate away from this page.

Why it's Bad

It cannot be overstated just how intrusive a change this is. DNS's design is elegant: it's decentralized, it's hierarchical, and it can be delegated. This lets anyone with enough knowledge take full control of what DNS does at whatever level of the tree they sit. You as the end user can, without any restriction, run your own DNS resolver and override where google.com takes you. Indeed, there are tools out there that take advantage of this power, like DNS-based malware and ad blocking.

DNS over HTTPS basically flattens DNS and removes its delegating ability. In other words, it centralizes it. With DoH enabled, Firefox will bypass your ISP's, your organization's, or your own DNS servers and start resolving host names using DNS infrastructure run by a single entity. This entity will have the final say on what gets resolved to what. That means any hostnames you or your organization override will be ignored and will point to whatever the central DNS server says they point to. This could be absolutely devastating when you have critical overrides in place, especially when those overrides are for internal private hosts.

DoH at the application level can result in fragmentation. With DoH, your OS is configured to use one set of DNS servers while your applications use a totally different set. It's Firefox now, but if this precedent is allowed to be set, every application on your computer could one day use its own form of host name resolution, each pointing to different IPs. This is not how the TCP/IP protocol (or the Internet) was envisioned or meant to be used. DNS is an OS-level service, and all properly designed applications should respect that.

With all the above said, there is a darker side to the freedom of DNS that DoH attempts to mitigate. Humans are bad, and just like you can override host names to your preference, so can anyone else with bad intentions. DNS over HTTPS is a great concept if done correctly. I think it's a great way to finally bypass the restrictive nature of some ISPs, mobile providers, and (dare I say) authoritarian governments. When DoH is widely implemented at the OS level, I believe it will be fully embraced, so long as the end user retains the ability to configure DNS to their preference.

Why Mozilla is Wrong

Mozilla meant well, but did two things wrong in the way they approached it. First, they forced it at the application level. Second, and perhaps worst, they themselves decided who/what the DNS resolver should be. The choice of DNS resolver should be left to the end user, and it should be configured at the OS level without dictating policy.

Mozilla started implementing DoH in Firefox sometime in 2018 and began the roll-out with Firefox 74. It's enabled by default for new users, and since Firefox 79 existing users who have not enabled it until now are being asked to opt in with the following popup.

The popup will appear sometime after upgrading to version 79 and won't go away unless you select something. The unsettling part here is how Mozilla presents it. Not only does it lull the user into a false sense of security, Mozilla also highlights the button that enables it, directing an inattentive user's focus to it (read up on dark UI patterns; it's really nasty stuff). What do you think someone who doesn't want to be bothered and just wants to log in to their favorite social media site will do?

If you get this popup, make sure you click Disable and/or follow the instructions above on how to disable DoH to ensure you are protected.

Mozilla does allow you to change the DNS over HTTPS configuration, but defaults matter. Mozilla ships with a predefined list of services, currently Cloudflare and NextDNS. The default in this case was to have everyone use Cloudflare, a commercial for-profit business (which, incidentally, is a major sponsor of Mozilla). Mozilla should have left the option off and offered only an empty option, with instructions directing users to a page listing DoH hosts. Ideally they would have worked with some of the major ISPs and helped roll out local DoH services.

These are things that everyone should be very concerned about with Mozilla: the fact that they have made the decision for you, and that they are now the gatekeepers of the shipped list of predefined DNS services. The Internet gets dangerously more centralized with each passing day (i.e., certificate authorities, certificate pinning, and now DNS). It's ironic given that Mozilla fought against that very situation in the early 2000s, when Microsoft Internet Explorer on Windows dominated the Internet.

Do your Part

You as an informed user have a responsibility to educate or help others who may not be informed. You can help in a few different ways. Give feedback to Mozilla and encourage others to do the same. I believe Mozilla to be a good organization which has recently lost its way a bit. I think that with enough feedback Mozilla will re-think this and do the right thing.

Any time you come across a friend's, co-worker's, family member's, or even a complete stranger's computer, take a minute to talk to them if they are using Firefox (which they should be!). Explain to them what Mozilla is doing and help them fix it. Send them to this page for more information and encourage them to do the same for anyone else they come across.

If you are a sysadmin, take a look at how to set up default prefs in Firefox. It's rather simple; Mozilla has some reference material explaining the basics. If you are not a sysadmin, talk to your sysadmin and make them aware (if they are a good sysadmin, they'll already know).
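As an added example (not part of the original post), the following Python script checks the two places this setting lives: the network.trr.mode line that the about:config steps above write into a profile's prefs.js or user.js, and the DNSOverHTTPS block of an enterprise policies.json, which is how a sysadmin pins the default for everyone; it also emits a policies.json that turns DoH off and locks it. The sample prefs and policy text are constructed, and locating the real files on a given machine is left to the reader.

```python
import json
import re

# A profile's prefs.js / user.js records the option as a line like
#   user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*(\d+)\);')
# Modes that mean "no DoH": 0 = off (default), 5 = off by choice (what the
# article sets); 2 (DoH first, native fallback) and 3 (DoH only) mean on.
TRR_OFF_MODES = (0, 5)


def trr_mode_from_prefs(text):
    """Return the last network.trr.mode set in prefs.js/user.js, or None if unset."""
    mode = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            mode = int(m.group(1))  # a later line overrides an earlier one
    return mode


def doh_policy(policies_text):
    """Return the DNSOverHTTPS block of a policies.json, or None if absent."""
    return json.loads(policies_text).get("policies", {}).get("DNSOverHTTPS")


def doh_status(prefs_text, policies_text=None):
    """Classify DoH for one profile as 'disabled', 'enabled' or 'unknown'.

    A DNSOverHTTPS policy with "Locked": true wins over the profile pref;
    otherwise the pref decides.  No pref at all is 'unknown', since Mozilla's
    rollout may still switch it on later for that profile.
    """
    policy = doh_policy(policies_text) if policies_text else None
    if policy and policy.get("Locked") and "Enabled" in policy:
        return "enabled" if policy["Enabled"] else "disabled"
    mode = trr_mode_from_prefs(prefs_text)
    if mode is None:
        return "unknown"
    return "disabled" if mode in TRR_OFF_MODES else "enabled"


def lockdown_policy():
    """policies.json text that turns DoH off and stops users re-enabling it."""
    policy = {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}
    return json.dumps(policy, indent=2)


# Constructed sample inputs, not copied from any real machine.
SAMPLE_PREFS = 'user_pref("network.trr.mode", 2);\nuser_pref("network.trr.mode", 5);\n'
SAMPLE_POLICY = '{"policies": {"DNSOverHTTPS": {"Enabled": true, "Locked": true}}}'
```

Run doh_status() over each profile's prefs.js together with the machine's policies.json to see whether the about:config change actually holds, or whether a locked policy overrides it.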

Finally, if you are an influencer and/or have a large audience and following, I can think of no better topic on which to put that kind of power to good use. Make social media posts, make videos, make noise.
