Firefox developers announced the completion of testing of DNS over HTTPS (DoH) support, as well as the intention to enable this technology by default for Firefox users in the United States at the end of September.
The rollout will be carried out progressively: initially it will reach only a few users, and then, in the absence of problems, the share will gradually increase until 100% of users in the United States have the feature. It is not exclusive to that region, since once US coverage is complete, deployment in other countries will also be considered.
The tests carried out during the year showed the reliability and good performance of the service, and also revealed some situations in which DoH can cause problems, which allowed solutions to be developed to avoid them (for example, problems with traffic optimization in content delivery networks, parental controls and corporate internal controls).
Encrypting DNS traffic is considered a fundamentally important factor in protecting users, so it was decided to activate DoH by default, but in the first stage only for US users.
After DoH is activated, a notice will be shown to the user, which will allow them to decline the use of the centralized DoH DNS servers and return to the traditional scheme of sending unencrypted queries to the provider's DNS server (instead of the distributed DNS resolver infrastructure, DoH relies on a link to a specific DoH service, which can be considered a single point of failure).
When DoH is activated, parental control systems and corporate networks may be affected, in particular those that rely on a DNS namespace available only on the internal network to resolve intranet addresses and corporate hosts.
To solve problems with such systems, a verification mechanism has been added that automatically disables DoH. The checks are made every time the browser is started or when a change of subnet is detected.
An automatic fallback to the operating system's standard resolver is also provided in case of failures to resolve through DoH (for example, if network connectivity to the DoH provider is disrupted or if there are failures in its infrastructure).
The value of such checks is doubtful, since nothing prevents attackers who control the resolver, or who can interfere with traffic, from simulating that behavior in order to disable the encryption of DNS traffic.
The problem was addressed by adding a "DoH always" element to the configuration (not active by default); when it is set, the automatic shutdown is not applied, which is a reasonable compromise.
To detect corporate resolvers, checks are performed for atypical top-level domains (TLDs) and for the return of intranet addresses by the system resolver.
To determine whether parental controls are enabled, an attempt is made to resolve the name exampleadultsite.com; if the result does not match the real IP, adult content is considered to be blocked at the DNS level.
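The heuristics described above (atypical TLDs, intranet addresses from the system resolver, the canary-domain check, and the "DoH always" override), written up as an added example in Python; this is not Firefox's own code. The expected canary IP, the allow-list of common TLDs and the sample resolver answers are all constructed here for illustration.

```python
import ipaddress
from typing import Dict, Iterable

CANARY_DOMAIN = "exampleadultsite.com"
# Assumption: the "real" IP of the canary, constructed from TEST-NET-3 for this example.
EXPECTED_CANARY = {"203.0.113.10"}
# Hypothetical allow-list; any other last label is treated as an "atypical" TLD
# such as .corp or .internal, a hint that a corporate resolver is in use.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io", "us"}


def is_atypical_tld(hostname: str) -> bool:
    """True when the last label is not a well-known public TLD."""
    labels = hostname.rstrip(".").lower().split(".")
    return len(labels) < 2 or labels[-1] not in COMMON_TLDS


def returns_intranet_address(answers: Iterable[str]) -> bool:
    """True when the system resolver handed back an RFC 1918, loopback or link-local address."""
    return any(ipaddress.ip_address(a).is_private for a in answers)


def parental_control_detected(canary_answers: Iterable[str]) -> bool:
    """Canary check: an answer differing from the known real IP means DNS-level filtering."""
    return set(canary_answers) != EXPECTED_CANARY


def should_disable_doh(lookups: Dict[str, Iterable[str]], canary_answers: Iterable[str],
                       doh_always: bool = False) -> bool:
    """Combine the heuristics; doh_always mirrors the config element that suppresses auto-disable.

    Caveat (as the article notes): every input here comes from the system resolver, so
    anyone controlling it or the path to it can fake these answers to trigger a downgrade.
    """
    if doh_always:
        return False
    corporate = any(is_atypical_tld(name) or returns_intranet_address(ips)
                    for name, ips in lookups.items())
    return corporate or parental_control_detected(canary_answers)


if __name__ == "__main__":
    # Constructed sample: a home network with DNS-level adult-content filtering.
    home = {"www.example.com": ["93.184.216.34"]}
    print("home, filtered canary ->", should_disable_doh(home, ["0.0.0.0"]))          # True
    # Constructed sample: a corporate network with an internal .corp name.
    office = {"wiki.corp": ["10.1.2.3"]}
    print("office ->", should_disable_doh(office, ["203.0.113.10"]))                 # True
    print("office, DoH always ->", should_disable_doh(office, ["203.0.113.10"], True))  # False
```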
Working through a single DoH service can also lead to traffic optimization problems on content delivery networks that balance traffic using DNS (the CDN's DNS server generates a response based on the address of the resolver making the query and returns the host nearest to it for serving the content).
On such CDNs, a DNS query sent from the resolver closest to the user returns the address of the host closest to the user, but a query sent from the central DoH resolver returns the address of the host closest to that DNS over HTTPS server.
Tests in practice showed that using DNS over HTTPS with CDNs produced practically no delay before content transfer began (on fast connections the delays did not exceed 10 milliseconds, and on slow links the operation was even observed to be faster).