Firefox turns encrypted DNS on by default to thwart snooping ISPs

Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.

"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.

Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.

ISPs protested encrypted-DNS plans

Mozilla has not been deterred by a broadband-industry lobbying campaign against encrypted DNS. The ISPs' lobbying targeted Google's plan for the Chrome browser, even though Firefox is deploying DNS over HTTPS more aggressively.

With Web users already being tracked heavily by companies like Google and Facebook, Mozilla has said it is embracing DNS over HTTPS because "we don't want to see that business model duplicated in the middle of the network" and "it's just a mistake to use DNS for those purposes."

"Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the Internet to make the shift to more secure alternatives," Mozilla said in its announcement today. "We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, [and] helps prevent data collection by third parties on the network that ties your computer to websites you visit."

While Firefox's encrypted DNS uses Cloudflare by default, users can change that to NextDNS in the Firefox settings or manually enter the address of another encrypted-DNS service. Firefox users can also disable the new default setting if they don't want to use any of the encrypted-DNS options.

Mozilla has said it is open to adding more encrypted-DNS providers as long as they meet a list of requirements for privacy and transparency and don't block or filter domains by default "unless specifically required by law in the jurisdiction in which the resolver operates."

Mozilla isn't turning encrypted DNS on automatically outside the United States. But users outside the US and US-based users who haven't gotten the new default setting yet can enable DNS over HTTPS in the Firefox settings. To do that, go to Firefox "Preferences," then "General," scroll all the way down to "Network Settings," click "Settings," then click "Enable DNS over HTTPS." After clicking that box, you can choose Cloudflare, choose NextDNS, or enter a custom server. There's a list of encrypted-DNS servers at this Github page.

Encrypted DNS will not be turned on by default in certain cases, such as when Firefox detects that enterprise policies have been set on the device or when it detects the presence of parental controls. Those and other questions about how DNS over HTTPS works in Firefox are answered in this FAQ.

Google's plan for encrypted DNS in Chrome—which is still in the experimental phase and hasn't been deployed to everyone—is a little different from Mozilla's. Instead of automatically switching users to a DNS provider chosen by Google, Chrome sticks with whichever DNS provider the user has selected. If the user-selected DNS provider offers encrypted lookups and is in this list of providers, Chrome automatically upgrades the user to that DNS provider's encrypted service. If the user-selected DNS provider isn't in the list, Chrome makes no changes.