Firefox developers have announced the completion of testing of DNS over HTTPS (DoH) support and their intention to enable the technology by default for Firefox users in the United States at the end of September.
The rollout will be gradual: at first only a small fraction of users will have DoH enabled, and, if no problems arise, the share will be increased step by step until it covers 100% of users in the United States. The rollout is not meant to stay limited to that region: once US coverage is complete, deployment in other countries will also be considered.
Tests carried out over the course of the year showed the service to be reliable and performant, and also revealed several situations in which DoH causes problems, for which workarounds were developed (for example, traffic optimization in content delivery networks, parental controls, and internal corporate name resolution).
Encrypting DNS traffic is considered a fundamentally important factor in protecting users, so it was decided to enable DoH by default, but in the first stage only for US users.
After DoH is activated, the user is shown a notice that lets them opt out of the centralized DoH servers and revert to the traditional scheme of sending unencrypted queries to the ISP's DNS server (instead of the distributed infrastructure of DNS resolvers, DoH ties the browser to a single DoH service, which can be regarded as a single point of failure).
Enabling DoH can also break parental control systems and corporate networks that rely on a DNS namespace available only on the internal network to resolve intranet addresses and corporate hosts.
To cope with such setups, a set of checks has been added that automatically disables DoH. The checks run every time the browser starts and whenever a change of subnet is detected.
An automatic fallback to the operating system's standard resolver is also provided when resolution through DoH fails (for example, when network connectivity to the DoH provider is disrupted or its infrastructure has an outage).
The value of such checks is questionable, since nothing prevents an attacker who controls the resolver, or who can tamper with traffic, from simulating exactly this behaviour in order to switch off the encryption of DNS traffic.
This is addressed by a "DoH always" option in the configuration (disabled by default): when it is set, the automatic disabling is not applied, which is a reasonable compromise.
To detect corporate resolvers, the browser checks whether the system resolver returns unusual top-level domains (TLDs) or intranet addresses.
To detect parental controls, an attempt is made to resolve the name exampleadultsite.com; if the result does not match the real IP address, adult content is considered to be blocked at the DNS level.
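The following is an added illustration of the checks described above (the parental-control canary, the intranet-address and outlier-TLD checks, and the "DoH always" mode that skips them); it is not Firefox's code. The resolver is injected as a function so the example runs offline against constructed answers. The public-TLD list, the set of names being checked, and the "real" address of exampleadultsite.com are all placeholders assumed for the demonstration: the article does not give them, and a real client would use the full public TLD list and a hard-coded known-good canary address.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# A resolver maps a name to its answer addresses, or None on NXDOMAIN/failure.
Resolver = Callable[[str], Optional[List[str]]]

# Assumed for this example only: a short public-TLD allow list.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "io", "us", "uk", "de"}

# Canary name from the article; its expected address is a placeholder
# (TEST-NET-3 documentation range), not the real one.
CANARY_NAME = "exampleadultsite.com"
CANARY_EXPECTED_IPS = {"203.0.113.10"}


def parental_control_detected(resolve: Resolver) -> bool:
    """Resolve the canary with the system resolver; any answer other than the
    known-good address (a block page, a sinkhole, or no answer at all) means
    adult content is being filtered at the DNS level."""
    answers = resolve(CANARY_NAME)
    if not answers:
        return True
    return not set(answers) <= CANARY_EXPECTED_IPS


def resolves_to_intranet(resolve: Resolver, names: Iterable[str]) -> bool:
    """Corporate-resolver check: the system resolver returns private or
    link-local addresses, which a public DoH resolver could not produce."""
    for name in names:
        for ip in resolve(name) or []:
            addr = ipaddress.ip_address(ip)
            if addr.is_private or addr.is_link_local:
                return True
    return False


def has_outlier_tld(names: Iterable[str]) -> bool:
    """Corporate-resolver check: names under a TLD that is not public
    (e.g. .corp, .lan) only resolve through an internal resolver."""
    for name in names:
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld not in PUBLIC_TLDS:
            return True
    return False


def should_use_doh(resolve: Resolver, observed_names: Iterable[str],
                   doh_always: bool) -> bool:
    """Decide whether DoH stays enabled. With doh_always=True the heuristics
    are skipped, so a resolver that fakes 'corporate' or 'filtered' answers
    cannot use them to turn DoH off."""
    names = list(observed_names)
    if doh_always:
        return True
    if parental_control_detected(resolve):
        return False
    if resolves_to_intranet(resolve, names) or has_outlier_tld(names):
        return False
    return True


# Constructed resolver behaviours (no network access).
def clean_home_resolver(name: str) -> Optional[List[str]]:
    return {"exampleadultsite.com": ["203.0.113.10"],
            "www.example.com": ["93.184.216.34"]}.get(name)


def filtering_resolver(name: str) -> Optional[List[str]]:
    # Parental-control resolver: the canary gets a block-page address.
    return {"exampleadultsite.com": ["192.0.2.1"],
            "www.example.com": ["93.184.216.34"]}.get(name)


def corporate_resolver(name: str) -> Optional[List[str]]:
    # Corporate resolver: an internal name under a non-public TLD, RFC 1918 answer.
    return {"exampleadultsite.com": ["203.0.113.10"],
            "wiki.corp": ["10.1.2.3"]}.get(name)


if __name__ == "__main__":
    print(should_use_doh(clean_home_resolver, ["www.example.com"], False))  # True
    print(should_use_doh(filtering_resolver, ["www.example.com"], False))   # False
    print(should_use_doh(corporate_resolver, ["wiki.corp"], False))         # False
    print(should_use_doh(corporate_resolver, ["wiki.corp"], True))          # True
```

The last two calls show the weakness the article points out and its mitigation: a resolver an attacker controls can return a private address or a wrong canary answer to make the default mode fall back to plaintext DNS, while the "DoH always" mode ignores those signals entirely.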
Going through a single DoH service can also cause traffic optimization problems on content delivery networks that balance load via DNS (the CDN's DNS server builds its answer from the address of the querying resolver and returns the host nearest to it).
On such CDNs, a DNS query from the resolver closest to the user returns the address of the host closest to the user, whereas a query from the central DoH resolver returns the address of the host closest to the DoH server.
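As an added simulation of the steering mechanism just described (not Firefox's or any CDN's real code), the authoritative server below picks the edge host by longest-prefix match of the querying resolver's address against a constructed prefix-to-region table. The addresses, regions and edge hostnames are all made up for the demonstration. Going beyond the article, the example also shows the standard remedy: if the DoH resolver attaches the client's subnet to the query (EDNS Client Subnet, RFC 7871), the CDN can steer on that instead, at the cost of exposing part of the client's address to the authoritative server.

```python
import ipaddress
from typing import Optional

# Constructed topology: the user and their ISP resolver sit in one region,
# the central DoH resolver in another.
CLIENT_IP = "198.51.100.42"
ISP_RESOLVER_IP = "198.51.100.1"
DOH_RESOLVER_IP = "203.0.113.53"

# Constructed table mapping source prefixes to regions.
REGION_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "us-west",
    ipaddress.ip_network("203.0.113.0/24"): "us-east",
}

# Constructed CDN edge hosts, one per region.
POP_BY_REGION = {
    "us-west": "edge-sfo.cdn.example",
    "us-east": "edge-iad.cdn.example",
}
DEFAULT_POP = "edge-default.cdn.example"


def region_of(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the region table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region in REGION_BY_PREFIX.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else None


def cdn_authoritative_answer(resolver_ip: str,
                             ecs_client_subnet: Optional[str] = None) -> str:
    """Authoritative-server logic: steer on the ECS subnet if the query carries
    one, otherwise on the address of the resolver that sent the query."""
    steer_on = ecs_client_subnet.split("/")[0] if ecs_client_subnet else resolver_ip
    return POP_BY_REGION.get(region_of(steer_on), DEFAULT_POP)


def lookup_via_isp_resolver(client_ip: str = CLIENT_IP) -> str:
    """Traditional path: the ISP resolver, near the client, queries the CDN,
    so the CDN's view of the source matches the client's location."""
    return cdn_authoritative_answer(resolver_ip=ISP_RESOLVER_IP)


def lookup_via_doh(client_ip: str = CLIENT_IP, send_ecs: bool = False) -> str:
    """DoH path: the central resolver queries on the client's behalf. Without
    ECS the CDN only sees the resolver's address and picks the edge near it."""
    ecs = None
    if send_ecs:
        # Truncate to a /24 before forwarding, as ECS deployments usually do.
        ecs = str(ipaddress.ip_network(client_ip + "/24", strict=False))
    return cdn_authoritative_answer(resolver_ip=DOH_RESOLVER_IP, ecs_client_subnet=ecs)


if __name__ == "__main__":
    print(lookup_via_isp_resolver())            # edge-sfo.cdn.example (near the user)
    print(lookup_via_doh())                     # edge-iad.cdn.example (near the DoH server)
    print(lookup_via_doh(send_ecs=True))        # edge-sfo.cdn.example (steered on client subnet)
```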
Practical tests showed that using DoH together with CDNs introduced virtually no additional delay before content transfer (on fast connections the delay did not exceed 10 milliseconds, and on slow links even faster operation was observed).