Why Mozilla’s DNS over HTTPS proposal is a bad idea

A couple of months ago, Mozilla posted "A cartoon intro to DNS over HTTPS", which outlines their plans to enable support for routing DNS queries over a secure connection.

Initially this seems like a good idea, as DNS traffic is not encrypted by default and therefore can in theory be read by anyone sitting between your machine and your DNS resolver. However, Mozilla have said that they would like to switch this functionality on for all users, and to use Cloudflare as their Trusted Recursive Resolver.

This is a bad idea, for several reasons.

Applications should respect local network settings: I have, via my router and the magic of DHCP/RA, set up the appropriate settings for my local network. This allows me to control how traffic is routed and makes life easier for debugging, e.g. if DNS requests start to fail, I can test to see if my ISP’s servers are down. I might also want to use a local DNS resolver for caching or filtering purposes. If Firefox side-steps my network settings, all this effort goes to waste.

Single point of failure: One of the strengths of the design of DNS is that it is, by and large, decentralised. Anyone can run a recursive resolver — most ISPs do this for their customers but there is nothing to stop me running one on my local network as well. Sending all traffic to a single provider — even if that provider runs multiple servers — creates an attractive target for malicious users and makes it more likely that a failure can disrupt significant numbers of users.

Privacy and security: Whilst I don’t entirely trust my ISP, they are at least based in the UK and have to abide by our reasonably strong privacy rules – although of course they can always have a secret warrant served on them to log all DNS traffic and hand it over to a government agency. Cloudflare on the other hand is a US company, and the US has extremely poor privacy regulations compared with the EU.

To be fair to Mozilla, this functionality isn’t yet enabled by default for regular users, and they may change their mind. You can also change your Trusted Recursive Resolver away from Cloudflare, although you will have to make this change on every installation of Firefox.

Finally, if you want to keep up to date with DNS news, you should follow Jan-Piet Mens and Bert Hubert on Twitter.
