The trade association for internet service providers in the UK has nominated Mozilla for this year’s award of “Internet Villain” because of the browser maker’s plans to support the DNS-over-HTTPS (DoH) protocol in its Firefox browser.
In a statement published this week, the Internet Services Providers Association (ISPAUK) claimed that Mozilla plans to support DNS-over-HTTPS “in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”
What is DoH and why do ISPs hate it?
The DNS-over-HTTPS protocol (IETF RFC 8484) works by sending DNS requests over an encrypted HTTPS connection, rather than the plaintext UDP requests that classic DNS uses.
The other difference is that, besides being encrypted, DoH works at the application level rather than at the operating-system level.
All DNS-over-HTTPS connections take place between an app (like a browser or mobile app) and a secure DoH-compatible DNS server (resolver).
All DoH traffic is basically just HTTPS. DoH domain name queries are encrypted and then hidden in regular web traffic sent to the DoH DNS resolver, which then replies with a domain name’s IP address, also in encrypted HTTPS.
A side-effect of this design is that each app controls the privacy of its own DNS queries: it can hardwire a list of DNS-over-HTTPS servers (resolvers) in its settings instead of depending on the operating system’s default (and most likely not DoH-compatible) DNS servers.
This design means that a user’s DNS requests are invisible to third-party observers such as ISPs; all DoH queries and responses are hidden inside a cloud of encrypted connections, indistinguishable from other HTTPS traffic.
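The mechanics described above, as an added example that is not from the article or from Mozilla: a Python script that builds an RFC 8484 GET request (a wire-format DNS query, base64url-encoded into the `dns` parameter of an ordinary HTTPS URL) and parses a wire-format answer, including the name-compression pointers real resolvers emit. The resolver URL `https://doh.example/dns-query` and the sample response are constructed assumptions.

```python
import base64
import struct

def build_query(name, qtype=1):
    """RFC 1035 wire-format query; ID 0 as RFC 8484 suggests for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS=IN

def doh_get_request(resolver_url, name):
    """RFC 8484 GET form: ?dns=<base64url(wire) without padding> plus Accept header."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}", {"Accept": "application/dns-message"}

def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # pointer back to an earlier name
            end = end or off + 2                # the record continues after the pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_a_records(msg):
    """IPv4 addresses in the answer section of a wire-format response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                         # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        _name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

# Constructed sample response (not captured from a real resolver): the
# example.com question, then A 192.0.2.1 with its name compressed to a pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Only the encoding and parsing are shown; a real client sends the URL over TLS (or POSTs the same bytes with `Content-Type: application/dns-message`) and checks that the reply carries that same media type before parsing it.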
In theory, the protocol is a dream for privacy advocates, but a nightmare for ISPs and makers of network security appliances.
By planning to support DNS-over-HTTPS, Mozilla is throwing a monkey wrench into many ISPs’ ability to sniff customers’ traffic and to filter it for government-mandated “bad sites.”