New: Oct. 04, 2019

Recently, Mozilla and Google announced their Firefox and Chrome browsers would begin to use “DNS over HTTPS” (DoH).

The implementation of DoH consists of:

1) encryption of DNS network traffic between the browser and the DNS server

2) the configuration of fixed DNS servers within the browser

DoH improves the security of the user and the browser session by preventing surveillance of, and tampering with, DNS traffic on the network. However, the use of fixed DNS servers prevents University users of those browsers (Firefox and Chrome) from connecting to University DNS servers.

This introduces the following risks:

  • mapping of private IP addresses to DNS names would fail (thought to be a low risk)
  • the trustworthiness of DNS servers not managed by the University
  • the loss of the visibility that information security tools rely on to detect malicious DNS connections

Firefox will soon enable DoH by default. Chrome supports DoH but does not enable it by default. Mozilla has published a configuration that local DNS servers can use to signal Firefox to disable DoH (the so-called “Canary Domain”). This has been implemented on institutional DNS servers for the time being. See the references below for in-depth information.
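The canary-domain signal works at the DNS level: Firefox resolves a special name through the network's ordinary resolver and, if the answer carries no A or AAAA records (NXDOMAIN, SERVFAIL or an empty NOERROR answer), it leaves DoH off and keeps using that resolver. The following script is an added example for verifying that a resolver is sending that signal; it is not part of this notice or of the University's DNS configuration. The name `use-application-dns.net` is the canary domain Mozilla documents for this purpose; the resolver address `127.0.0.53` is an assumed placeholder, and the response messages used in the self-check are constructed inline rather than captured from a live server.

```python
"""Check whether a resolver answers Firefox's DoH canary domain so that DoH is disabled.

Added example (not the notice's or Mozilla's code). Builds a raw DNS query,
decodes the response and applies the documented rule: DoH stays off when the
canary name yields no A (type 1) or AAAA (type 28) records.
"""
import socket
import struct

CANARY_DOMAIN = "use-application-dns.net"   # Mozilla's documented canary name
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard DNS query: 12-byte header, one question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _skip_name(msg, off):
    """Advance past a wire-format name, handling a compression pointer (0xC0 prefix)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [answer record types]) from a raw DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return rcode, types


def check_response(msg):
    """Apply the canary rule: no A/AAAA in the answer section means DoH is disabled."""
    rcode, types = parse_response(msg)
    has_address = any(t in (TYPE_A, TYPE_AAAA) for t in types)
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answer_types": types,
            "doh_disabled": not has_address}


def build_response(query, rcode, a_records=()):
    """Construct a response to `query` for offline testing (constructed data, no network)."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | rcode                      # QR, RD and RA set, plus the RCODE
    question = query[12:]
    answers = b""
    for ip in a_records:
        # name as a pointer to the question (offset 12), type A, class IN, TTL 60, 4-byte RDATA
        answers += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    header = struct.pack(">HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    return header + question + answers


def query_resolver(server="127.0.0.53", timeout=2.0):
    """Send the canary query to a live resolver over UDP and evaluate its answer."""
    query = build_query(CANARY_DOMAIN)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return check_response(data)


if __name__ == "__main__":
    q = build_query(CANARY_DOMAIN)
    print("constructed NXDOMAIN answer:", check_response(build_response(q, 3)))
    print("constructed A-record answer:", check_response(build_response(q, 0, ["192.0.2.10"])))
    print("live resolver (assumed 127.0.0.53):", query_resolver())
```

Run it against the institutional resolver from a campus network: a `doh_disabled` value of `True` with `rcode` `NXDOMAIN` is the expected result of the configuration described above, while an answer that carries an A or AAAA record means the canary signal is not in place on that path.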

References