Ahmed Musaad

Writings of an aspiring security architect

DoH with Firefox and dnswarden


Disclaimer: DoH with ad-blocking won’t block 100% of the ads.

A week ago, Mozilla published a blog post outlining the results of experiments they had been running on enabling DNS over HTTPS (DoH). At the end of the post they announced their decision to enable DoH by default for everyone in the US starting in late September. An influx of news articles and blog posts criticized the decision and urged Mozilla to reconsider the effects it could have on users' privacy and on the reliability and openness of the internet.

What is DoH?

DNS over HTTPS (RFC 8484) is, at the risk of a gross oversimplification, the ordinary DNS we use every day carried inside an HTTPS connection. Instead of sending plaintext DNS queries to whatever resolver the local network handed out over DHCP (often one you know nothing about), the browser sends them over TLS to a resolver you have explicitly chosen. Anyone on the path, whether the coffee-shop Wi-Fi or your ISP, can no longer read or rewrite those queries, and you decide which resolver gets to see them. It does not make lookups anonymous: the DoH resolver itself still sees every name you look up, which is exactly why the choice of resolver matters. So why are so many people upset about Mozilla enabling this by default? The answer is Cloudflare.

Why are some people worried?

Mozilla opted to use Cloudflare's resolver (1.1.1.1) as the default DoH server, which led many people to raise valid concerns about privacy and about the consolidation of internet infrastructure. Cloudflare is already one of the biggest (if not the biggest) CDN providers in the world. If you block Cloudflare, there is a good chance many of the websites you frequent won't work, or will be broken in one way or another. This level of consolidation is worrying on its own, and adding another layer of dependency on the same company might not be the best idea.

People who present this argument are worried that Cloudflare, a commercial company, already has a great deal of power over the internet's underlying infrastructure. That raises questions about openness and reliability, on top of the privacy concerns that come with the company being subject to US law. Following those arguments, it becomes clear why Mozilla's decision to use Cloudflare's DoH server is concerning for many people.

Now, I am a fan of Cloudflare's services myself. I use their CDN to power many of the websites I administer, to make life easier for me and for any maintainers who come after me. Their services are easy to use, reliable, and contribute greatly to the rapid progress towards a more secure internet. Personally, the only thing that worries me is how deeply rooted they are becoming in the fabric of the internet backbone, because it means there is little chance I can escape their CDN.

Firefox Network Settings Pane

As you can see in the screenshot above, when you navigate to Preferences -> General -> Network Settings you will find a new option at the bottom of the pane that allows you to enable DoH. The default resolver is Cloudflare's DoH server, but you can use a custom DoH provider, which is what we are going to do in a few minutes.

What is dnswarden?

According to their GitHub page, dnswarden is "just a normal privacy oriented dns service with an ability to block ads, trackers and also provides uncensored dns! Servers are hosted in Germany."

As someone who hates ads and online trackers, I am always looking for effective ways to block them. Browser plugins work, but every plugin is an extension with broad access to page content, so a plugin that gets hijacked (or sold to a new owner) is a risk I have to carry in my threat model. Life would be much better if I could eliminate that looming threat altogether, and blocking at the resolver lets me do that.

I decided to use dnswarden instead of other DoH providers for a few reasons:

  1. Their servers are hosted in Germany, which makes me more comfortable that my data has better legal and regulatory protection.
  2. It blocks ads, trackers, and "all the random crap on the internet". This allows me to remove the browser plugins I use to block these things. A major win in my books.
  3. According to their documentation, it doesn't log DNS queries. As with any resolver, that is a policy you take on trust; the protocol itself cannot enforce it.

Enabling DoH using dnswarden is super simple. Here are the steps:

  1. Navigate to the Network Settings panel in Firefox.
  2. Enable DNS over HTTPS by ticking the checkbox.
  3. Select Custom from the list.
  4. Enter this URL in the textbox: https://doh.dnswarden.com/adblock
  5. Click OK.
  6. You are done. Firefox's DNS queries are now sent over HTTPS to dnswarden. Two caveats: this covers only lookups made by Firefox, so other applications on the machine still use the system resolver, and in the default mode a failed DoH lookup falls back to the system resolver in plaintext. If you want DoH only, set network.trr.mode to 3 in about:config.
DoH Enabled using dnswarden
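To make the "What is DoH?" section concrete, and to check that the resolver entered in step 4 actually answers, here is a minimal RFC 8484 client written for this post. It is an added example, not code from the original article or from dnswarden: it builds a DNS wire-format query, shows the base64url GET form and the application/dns-message POST form, and parses a response. The resolver URL is the one from the post; the sample response bytes are constructed here rather than captured from dnswarden, and the assumption that a blocked name comes back as 0.0.0.0 or NXDOMAIN is mine, not something the post or the provider states.

```python
"""Minimal RFC 8484 (DNS over HTTPS) client pieces.

Added example for this post, not code from the article or from dnswarden.
Assumes the resolver URL from the post and that a filtering resolver answers
a blocked name with 0.0.0.0 or NXDOMAIN (an assumption; check your provider).
"""
import base64
import struct
import urllib.request

DOH_URL = "https://doh.dnswarden.com/adblock"   # URL from the post (step 4)
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a DNS wire-format query (RFC 1035). RFC 8484 recommends
    transaction id 0 so identical queries are cacheable by HTTP caches."""
    # flags 0x0100 = RD (recursion desired); one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def get_url(query: bytes, url: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{url}?dns={enc}"


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a (possibly compressed) name; return the offset just after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes) -> dict:
    """Parse a DNS response; return the rcode and any A-record addresses."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "addresses": addrs}


def is_blocked(parsed: dict) -> bool:
    """Assumption: a filtering resolver answers a blocked name with 0.0.0.0
    or NXDOMAIN (rcode 3). Verify this against your own provider."""
    return parsed["rcode"] == 3 or "0.0.0.0" in parsed["addresses"]


def resolve(name: str, url: str = DOH_URL) -> dict:
    """Live lookup using the RFC 8484 POST form (needs network access)."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_answers(resp.read())


# Constructed sample response (not captured from dnswarden): answer to
# "ads.example." A IN with one A record 0.0.0.0, TTL 300, compressed name.
SAMPLE_BLOCKED_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"      # header: QR, RD, RA
    + b"\x03ads\x07example\x00" + b"\x00\x01\x00\x01"         # question section
    + b"\xc0\x0c" + b"\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"
    + b"\x00\x00\x00\x00"                                     # RDATA 0.0.0.0
)

if __name__ == "__main__":
    print(get_url(build_query("www.example.com")))
    parsed = parse_answers(SAMPLE_BLOCKED_RESPONSE)
    print(parsed, "blocked" if is_blocked(parsed) else "allowed")
    # Uncomment to query the live resolver configured in Firefox:
    # print(resolve("example.com"))
```

The GET URL produced for www.example.com matches the worked example in RFC 8484 section 4.1.1, which is a handy sanity check that the encoder is right. Pointing a browser or curl at that URL (or running resolve()) shows the resolver answering over TLS, and comparing the answer for a known ad domain against a plain resolver shows the filtering in action.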

Whether you like or dislike their decision, Mozilla's move towards enabling DoH by default is a real privacy improvement for internet users around the world. The pessimist in us may paint a grey picture of the consequences of using Cloudflare as the default, but I still think this is a good move and a step towards a more secure internet.