SecurityTrails Blog · Aug 23 · by Esteban Borges

Firefox DNS over SSL and Cloudflare public resolvers: What you need to know

Reading time: 6 minutes

The net neutrality is dead. It is sad, but true. With this new regulation, ISPs are able to manage customer traffic as they like, and this has raised many questions and concerns over users privacy in the past months.

As we all know, DNS is the heart and soul of the internet, without it and its DNS records, we would not be able to send an email, or browse a webpage, among other things.

When you connect from your home computer to the internet, it will ask the DNS servers provided by your ISP about the location of any remote server you need to connect (email server, web server, etc), then the ISP answers back and you can go directly to the server destination to request the information you need.

When this happens, DNS servers can log and collect all the information about your internet usage, which domains you contact over email, what pages you visit, etc.

The problem is clear: DNS requests are almost 90% of the time sent unencrypted, and this leads to a potential man in the middle (ISP in the middle in this situation) interventions.

Luckily, some DNS providers are still on the user’s side, fighting for their privacy. Cloudflare is a great example: in April 2018, they launched their own public DNS resolvers called promising a faster and safer internet for everyone who uses their public service.

They claimed their DNS servers to be more secure and private than other popular services like OpenDNS or the classic Google DNS servers.

Now Mozilla (another company that has been always focused on improving the privacy of their end users) has announced their efforts to encrypt the DNS queries using Cloudflare DNS servers to create a faster and secure experience.

However, some security experts are claiming this Mozilla + Cloudflare DNS integration would not be as secure and private as they declare. Why?

Because all your DNS traffic will be sent to Cloudflare public DNS, and they are a third party company, who at the end (forced by the law) can share the information about your DNS requests.

How does this Firefox + Cloudflare integration actually work?

Right now Mozilla is enforcing their users to activate the Cloudflare public DNS on their software, so when you install Firefox for the first time, or update your current version, you will start using the new DNS servers.

New Firefox versions will come with two privacy-first focused features:

  • DNS over HTTPS (aka DoH)
  • Trusted Recursive Resolver (aka TRR)

What is DNS over HTTPS: this new feature will allow users to browse using encrypted queries over the DNS protocol. Each time you visit a web page your request will no longer be sent unencrypted, every information between your initial connection and the DNS server will be secure now. This seems to be a pretty good way to improve a very old DNS security problem that has been there for decades.

What is Trusted Recursive Resolver? Firefox will provide an alternative DNS resolver instead your traditional ISP based public resolver. This mechanism will be using a DoH server, that will help users to enhance their privacy by providing secure data transfers.

And this last thing (TRR) is the main reason that is causing some panic inside some cybersecurity experts: if Mozilla Firefox activates TRR by default, Cloudflare will be able to read all your DNS queries from all the browser users.

And even, if your local DNS resolvers are set on your computer or router, these will be disregarded while you are using Firefox, as the browser will resolve all domain names and hosts using their own Cloudflare based servers. This is exactly the same as if you use on your operating system right now.

The big question is: will Cloudflare delete all your DNS history within the last 24 hours as they promise? And that’s not the only problem… Remember that all the DNS queries made against Cloudflare public DNS can be requested by any federal / government country agencies at any time in any part of the world.

This basically disables the right to anonymous surfing, which is the main reason for this forced-DNS server implementation in Mozilla.

What information will be stored about your DNS activity?

This Mozilla Firefox and Cloudflare agreement includes a very limited amount of data to be stored inside CF DNS servers.

This includes and is limited to:

  • Query Name
  • Query Type
  • Query Class
  • Query Rd bit set
  • Query Do bit set
  • Query Size Query EDNS
  • EDNS Version
  • EDNS Payload
  • EDNS Nsid
  • Response Type (normal, timeout, blocked)
  • Response Code
  • Response Size
  • Response Count
  • Response Time in Milliseconds
  • Response Cached
  • DNSSEC Validation State (secure, insecure, bogus, indeterminate)
  • Colo ID
  • Server ID
  • Timestamp
  • IP Version (IPv4 vs IPv6)
  • Resolver IP address + Port the Query Originated From
  • Protocol (TCP, UDP, TLS or HTTPS)

This is supposed to be stored as “temporary logs”, and will be deleted within 24 hours.

They will also store other parts of your DNS traffic, such as:

  • An aggregate list of all domain names requested.
  • Samples of Domain names queried along with the times of such queries.
  • The total number of requests processed by each Cloudflare servers.

After this the big question is…

Is there any way to have a 100% private DNS resolver?

You could set up your own DNS resolvers, but your Internet provider can always intercept your traffic to know what pages are served.

You could also use a local ISPS resolver, however, you are in the same situation, they are all ruled under your local country government laws, that in the 99% of the cases, have the power to request a legal intervention to inspect your traffic.

If you decided to disable Cloudflare DNS, then keep reading below.

Configuring DNS public servers manually

You can turn off TRR feature by following this steps:

  • Open Firefox.
  • Move to the address bar and type: about:config
  • Confirm you will be careful by using the configuration mode.
  • Search for network.trr
  • Configure a new value: 5

This will completely disable TRR. On the other hand, if you want to test this new feature.

Restart your browser and you are all set.

If DNS, HTTP, and SSL Encryption is your game, then stay tuned, as we will be releasing new fresh HTTPS security content in the upcoming weeks.

Do you want to boost your DNS, domain enrichment and IP security?

We at SecurityTrails are devoted to providing you with advanced security toolkit that will deliver domain and IP enrichment. Join us and launch your queries manually or integrate it with your own apps by using our free API tier, 100% compatible with most modern programming languages like PHP, Python, Go, etc.

Esteban Borges Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders