Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.
This means the ISP, which has joined Moz's Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.
[...] At some point in the near future, Firefox users subscribed to Comcast will use the ISP's DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.
[...] Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers' web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here's Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.
ISPs "have access to a stream of a user’s browsing history," Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS."
Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program's rules.
(Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @01:39AM
You skipped a step.
The DNS request goes to the local DNS server FIRST.
This is exceedingly important in both home networks and corporate enterprises.
Home use: I just want to connect to my NAS - why is my request going FIRST to an external 3rd party? DoH is LESS privacy secure in this way.
Enterprise: The security implications are tremendous using the home example. In addition, if I host, say, my_website, I don't want my internal traffic going to my border router and then routing back internally. I tell my DNS server to send requests for my_website to an internal IP. Maybe I want to set up a DNS alias... all of this is less efficient and *clearly* a constant and impressive data leak.
Malware writer: I effing LOVE THIS! Everyone has to go through tremendous hoops to even think of blocking me...
I also guarantee you that the 5-eyes, 3-letter agencies are tapping these places to harvest all kinds of information. Sure, they don't record it, but they don't have to. There's a closet that no one is allowed access to that has 3-letter agency equipment tapping directly into the servers to log the info.
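An added example, not part of the article or the comment above, showing the two things the comment is about: exactly what a DoH client hands to the remote resolver (the full query name, in RFC 8484 wire format), and a split-horizon check that keeps internal names such as a NAS or an internal web host on the local resolver. The mode numbers and the exclusion rule are a simplified model of Firefox's network.trr.mode and network.trr.excluded-domains prefs, and the default exclusion list is an assumption for the example, not Firefox's shipped value.

```python
"""Constructed example: what a DoH query exposes, plus a split-horizon
bypass check so internal names never leave the LAN. Not Firefox code."""
import base64
import struct

# Assumed defaults for this example; exclusion semantics are modelled on
# Firefox's network.trr.excluded-domains (exact name or any subdomain).
DEFAULT_EXCLUDED = ["localhost", "local", "home.lan", "corp.example"]


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels plus the root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_doh_query(name: str, qtype: int = 1) -> bytes:
    """RFC 8484 DNS message: ID 0 (cache friendly), RD set, one question.
    Every byte here, the qname included, is visible to the DoH resolver."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def doh_get_param(name: str) -> str:
    """Value of the ?dns= GET parameter: base64url with padding stripped."""
    raw = base64.urlsafe_b64encode(build_doh_query(name))
    return raw.rstrip(b"=").decode("ascii")


def is_excluded(name: str, excluded=DEFAULT_EXCLUDED) -> bool:
    """Suffix match on label boundaries so 'nothome.lan' misses 'home.lan'."""
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s)
               for s in (x.rstrip(".").lower() for x in excluded))


def choose_resolver(name: str, trr_mode: int, excluded=DEFAULT_EXCLUDED) -> str:
    """Simplified model: 0/5 = DoH off, 2 = DoH first, 3 = DoH only.
    Excluded names always go to the local (native) resolver."""
    if trr_mode in (0, 5) or is_excluded(name, excluded):
        return "local"
    if trr_mode in (2, 3):
        return "doh"
    raise ValueError(f"unsupported trr mode {trr_mode}")


if __name__ == "__main__":
    for host in ("nas.home.lan", "my_website.corp.example", "soylentnews.org"):
        where = choose_resolver(host, 2)
        leak = f" (sends ?dns={doh_get_param(host)})" if where == "doh" else ""
        print(f"{host}: {where}{leak}")
```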