I read this when FF started using DoH, gently written and easy to understand.
How can we fix this with Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH)?
At Mozilla, we feel strongly that we have a responsibility to protect our users and their data. We’ve been working on fixing these vulnerabilities.
We are introducing two new features to fix this — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three threats here:
- You could end up using an untrustworthy resolver that tracks your requests, or tampers with responses from DNS servers.
- On-path routers can track or tamper in the same way.
- DNS servers can track your DNS requests.
So how do we fix these?
- Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
- Protect against on-path eavesdropping and tampering using DNS over HTTPS.
- Transmit as little data as possible to protect users from deanonymization.
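To make the DoH part concrete, here is an added illustration (not code from the article or from Firefox) of how a query is packaged for DNS over HTTPS per RFC 8484 and how the answer is read back; everything an on-path router would see is an ordinary HTTPS request to the resolver. The endpoint `doh.example.net` and the sample reply are assumptions constructed for this example, and nothing is sent over the network.

```python
import base64
import struct
from urllib.parse import urlencode
# Hypothetical resolver endpoint (an assumption): Firefox's real TRR URL is a preference, not assumed here.
DOH_ENDPOINT = "https://doh.example.net/dns-query"

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal DNS query in RFC 1035 wire format; RFC 8484 suggests ID 0 over DoH."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return endpoint + "?" + urlencode({"dns": dns})   # on-path sees only HTTPS

def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding and decode the wire message."""
    dns = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))

def parse_a_records(message: bytes) -> list:
    """IPv4 strings from the A answers of a response; handles compression pointers."""
    def skip_name(pos: int) -> int:
        while True:
            length = message[pos]
            if length == 0:
                return pos + 1
            if (length & 0xC0) == 0xC0:   # two-byte pointer back into the message
                return pos + 2
            pos += 1 + length
    qdcount, ancount = struct.unpack("!HH", message[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4             # skip QNAME, then QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in message[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample reply (not captured traffic): A example.com -> 192.0.2.1, TTL 300, owner name as pointer 0xC00C.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Because the message ID is fixed and the query rides inside TLS, the only identifying data that leaves the client is the TLS session to the resolver itself, which is why the choice of a trusted resolver still matters.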