Mozilla this week announced that it will move the integration of the Cloudflare DNS resolver to a broader set of users on the Beta channel, after testing DNS over HTTPS in Firefox Nightly.
The first test started in June on Firefox Nightly, and in August Mozilla presented the results: “the slowest users show a huge improvement, anywhere up to hundreds of milliseconds, and most users see only a small performance slowdown of around 6 milliseconds, which is acceptable given the improved security,” wrote Selena Deckelmann, Senior Director of Engineering, Firefox Runtime at Mozilla.
Mozilla says it will once again work with users who are already participating in Firefox experiments, and will continue to provide in-browser notifications about the experiment and details about the DoH service provider, so that everyone is fully informed and has a chance to decline participation in this particular experiment. A soft rollout to selected Beta users in the United States will begin the week of September 10th.
DoH is DNS over HTTPS, a new protocol that uses encryption to protect DNS requests and responses.
“Cloudflare has been a great partner in developing this feature and has committed to very strong privacy guarantees for our users. Moving forward, we are working to build a larger ecosystem of trusted DoH providers that live up to this high standard of data handling, and we hope to be able to experiment with other providers soon.”
Selena Deckelmann, Senior Director of Engineering, Firefox Runtime at Mozilla
How does the Cloudflare DNS resolver work on Firefox?
Every time a user types a web address, such as ppc.land, into a web browser, the browser sends a query to a DNS resolver. When a resolver receives the query, it looks up the IP address associated with the web address that was entered and relays that information to the browser. “DNS resolution,” as this process is called, is a crucial component of your Internet experience because, without it, the web browser would be unable to communicate with the servers that host
For most Internet users the DNS resolver that they use is either the one that comes with the operating system running on their machines or the one that is set by their network provider.
Cloudflare says that in some cases, these resolvers leave a lot to be desired because of their susceptibility to unwanted spying and other security threats.
To counter such threats, Mozilla has partnered with Cloudflare to provide direct DNS resolution from within the Firefox browser using the Cloudflare Resolver for Firefox. Whenever a user clicks on or types a web address in the Firefox browser, the DNS lookup request is sent over a secure channel to the Cloudflare Resolver for Firefox rather than to an unknown DNS resolver, significantly decreasing the odds of any unwanted spying or man-in-the-middle attacks.
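To make the "secure channel" concrete, here is an added example (not Mozilla's or Cloudflare's code) of what a DoH client like Firefox actually puts on the wire: it builds a DNS query in RFC 1035 wire format with an EDNS(0) OPT record, wraps it in the RFC 8484 GET form (`?dns=` with unpadded base64url), and parses a reply. The parsed header bits and OPT fields are exactly the per-query items Cloudflare lists in the privacy section below (query name, type, class, RD bit, DO bit, EDNS version and payload, response code). The endpoint URL, the reply and the 203.0.113.10 answer are constructed placeholders; nothing here touches the network.

```python
import base64
import struct

DOH_ENDPOINT = "https://doh.example/dns-query"  # placeholder endpoint (assumption)
QTYPE = {"A": 1, "AAAA": 28}
EDNS_DO = 0x8000  # DNSSEC OK flag lives in the OPT record's TTL field (RFC 6891)


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0, rd: bool = True,
                dnssec_ok: bool = True, udp_payload: int = 4096) -> bytes:
    """DNS query: header + one question (class IN) + EDNS(0) OPT pseudo-record.
    txid 0 is what RFC 8484 recommends for GET so HTTP caches can reuse replies."""
    flags = 0x0100 if rd else 0                      # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd, an, ns, ar counts
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    opt_ttl = EDNS_DO if dnssec_ok else 0            # ext-rcode/version/DO packed in TTL
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, opt_ttl, 0)  # root name, type 41
    return header + question + opt


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the whole DNS message, base64url without '=' padding."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer to earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Pull out the header bits, question, answers and EDNS fields of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    info = {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F,
            "questions": [], "answers": [], "edns": None}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qt, qc = struct.unpack("!HH", msg[off:off + 4]); off += 4
        info["questions"].append((name, qt, qc))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:                # render A records dotted-quad
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((name, rtype, ttl, rdata))
    for _ in range(ns):                              # skip authority section
        _, off = decode_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(ar):                              # additional: look for OPT (type 41)
        _, off = decode_name(msg, off)
        rtype, cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10 + rdlen
        if rtype == 41:
            info["edns"] = {"version": (ttl >> 16) & 0xFF, "payload": cls,
                            "do": bool(ttl & EDNS_DO)}
    return info


def constructed_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed sample reply (not a real resolver): echo the question, answer one
    A record via a name pointer to offset 12, set QR|RD|RA|AD, and return an OPT record."""
    q = parse_message(query)
    name, qt, qc = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], 0x81A0, 1, 1, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qt, qc)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ipv4.split("."))
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    query = build_query("ppc.land", "A")
    print("GET", doh_get_url(query))                 # what goes inside the TLS connection
    print("resolver sees:", parse_message(query))    # fields a DoH resolver can log
    reply = constructed_response(query, "203.0.113.10")  # constructed, documentation range
    print("client gets:", parse_message(reply))
```

The point for a defender: the HTTPS layer hides the query from the network path, but everything `parse_message` returns is still visible to the resolver operator, which is why the retention terms in the next section matter as much as the encryption.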
What information is collected by Cloudflare?
Cloudflare says any data Cloudflare
- IP Version (IPv4 vs IPv6)
- Resolver IP address + Port the Query Originated From
- Protocol (TCP, UDP, TLS or HTTPS)
- Query Name
- Query Type
- Query Class
- Query Rd bit set
- Query Do bit set
- Query Size
- Query EDNS
- EDNS Version
- EDNS Payload
- EDNS Nsid
- Response Type (normal, timeout, blocked)
- Response Code
- Response Size
- Response Count
- Response Time in Milliseconds
- Response Cached
- DNSSEC Validation State (secure, insecure, bogus, indeterminate)
- Colo ID
- Server ID
All of the above information will be stored briefly as part of Cloudflare’s temporary logs, and then permanently deleted within 24 hours of Cloudflare’s receipt of such information. In addition to the above information, Cloudflare will also collect and store the following information as part of its permanent logs:
- Total number of requests processed by each Cloudflare co-location facility
- Aggregate list of all domain names requested
- Samples of domain names queried along with the times of such queries
Information stored in Cloudflare’s permanent logs will be anonymized and may be held indefinitely by Cloudflare for its own internal research and development purposes.
A privacy compromise
Cloudflare promises to use the information it collects from the Cloudflare Resolver for Firefox solely to improve the performance of the Cloudflare Resolver for Firefox and to assist in debugging efforts if an issue arises. In addition to limiting the collection and use of the data, Cloudflare also promises that it will not retain, sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox. Cloudflare will not combine the data it collects from such queries with any other Cloudflare or third-party data in any way that can be used to identify individual end users, and Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla’s explicit written permission.