Browser heavyweight Mozilla is asking for public comments as it continues its international rollout of DNS over HTTPS (DoH) as a simplified browser setting – a rare move for a security feature that launched with minimal incident and has reached a near-complete rollout in the United States.
“We’re in listening mode. When you do anything affecting the basic architecture of the internet, some people will see it as radical,” said Owen Bennett, senior policy manager at Mozilla.
As the name implies, DoH uses HTTPS to perform traditionally unencrypted DNS lookups. This means that third parties can’t eavesdrop on the addresses of the websites a person visits. It is a leap forward for privacy, but it has faced criticism from various groups that depend on access to those addresses.
The primary opposition came from internet service providers, who commodify browsing data or inject advertisements.
Bennett says Mozilla is taking the step of requesting public comment — a move more typical for government standards than browser designers — before continuing the rollout beyond the United States to address the complicated mixture of use cases for DNS.
On the government level, DNS is used for monitoring and filtering web traffic. Regions like the United Kingdom, which rely on DNS to filter child exploitation material, required a more deliberate, opt-in approach to incorporating DoH in the browser. The United States is the only country where DoH is set “on” by default (users are explicitly asked if they would like to turn it off). The U.S. approach is the one Mozilla would like to export.
Criticism also came from some network defenders worried about losing the ability to monitor DNS requests, which would affect their ability to oversee and deny malicious traffic. Mozilla has stated that its default-on DoH performs checks to make sure it doesn’t interfere with those monitoring programs. And after a slow, uneventful rollout of the U.S. DoH product, which Bennett says has reached more than 90 percent of users, that appears to be the case.
The public comments can also address Mozilla’s bespoke Trusted Recursive Resolver program, which determines which DoH providers are included in the default offerings. Mozilla has privacy requirements for those providers.
In the end, said Bennett, the goal is to roll the feature out uneventfully around the world.
“It’s really important to us for DoH to become as common as HTTPS by default,” he said.