Configure networks to disable DNS over HTTPS


At Mozilla, we believe that DNS over HTTPS (DoH) is a feature that everyone should use to enhance their privacy. By encrypting DNS requests, DoH hides your browsing data from anyone on the network path between you and your nameserver. For instance, using standard DNS queries on a public network can potentially disclose every website you visit to other users on the network as well as the network operator. While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable, namely:

  • Networks that have implemented some sort of filtering via the default DNS resolver. This can be used to implement parental controls or to block access to malicious websites.
  • Networks that respond to names that are private, and/or that provide different responses than are provided publicly. For example, a company may only expose the address of an application used by employees on their internal network.

Networks can signal to Firefox that there are special features such as these in place that would be disabled if DoH were used for domain name resolution. Checking for this signaling will be implemented in Firefox when DoH is enabled by default for users. This will first happen for users in the United States in the Fall of 2019, in Canada in the Summer of 2021 and in Russia and Ukraine in March 2022. If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.

Network administrators may configure their networks to treat DNS requests for a canary domain differently, to signal that their local DNS resolver implements special features that make the network unsuitable for DoH.
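For administrators who want to verify what their resolver actually returns for the canary, the following added example (not Mozilla's code) classifies a raw DNS response. It assumes the canary name `use-application-dns.net` and the rule that any response code other than NOERROR, or a NOERROR answer with no A or AAAA records, counts as the signal; neither detail is stated on this page, and the function names and sample messages are constructed for illustration.

```python
import struct
CANARY = "use-application-dns.net"  # assumption: Firefox's canary name, not given on this page
A, AAAA = 1, 28                     # DNS record type codes

def _skip_name(msg, off):  # return the offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def canary_disables_doh(msg):
    """True if this raw response to a canary query is the 'do not use DoH' signal."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if flags & 0x000F != 0:       # assumed rule: any RCODE other than NOERROR signals
        return True
    off = 12
    for _ in range(qd):           # skip the echoed question(s): name + type + class
        off = _skip_name(msg, off) + 4
    for _ in range(an):           # look for a usable address record in the answers
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype in (A, AAAA):
            return False          # the canary resolved: no signal from this network
        off += 10 + rdlen
    return True                   # NOERROR but no A/AAAA: also the signal

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def make_response(rcode, answers=()):
    """Build a constructed response; answers is a list of (rtype, rdata) tuples."""
    q = _encode_name(CANARY) + struct.pack("!HH", A, 1)
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 60, len(d)) + d for t, d in answers)
    return hdr + q + rrs
# Constructed samples: two filtered-network replies, a CNAME-only reply, an unfiltered reply.
SAMPLES = {
    "nxdomain": make_response(3),
    "noerror_empty": make_response(0),
    "noerror_cname_only": make_response(0, [(5, _encode_name("example.invalid"))]),
    "noerror_a": make_response(0, [(A, bytes([192, 0, 2, 1]))]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", "DoH disabled" if canary_disables_doh(msg) else "DoH allowed")
```

To check a live network, pass `canary_disables_doh` the raw bytes of the local resolver's reply to an A or AAAA query for the canary name.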

In addition to the canary domain signal described above, Firefox will perform some checks for network features that are incompatible with DoH before enabling it for a user. These checks will be performed at browser startup, and each time the browser detects that it has moved to a different network, such as when a laptop is used at home, work, and a coffee shop. When any of these checks indicates a potential issue, Firefox will disable DoH for the remainder of the network session, unless the user has enabled the “DoH always” preference as mentioned above. The additional checks that will be performed for content filtering are:

  • Resolve canary domains of certain known DNS providers to detect content filtering.
  • Resolve the “safe-search” variants of google.com and youtube.com to determine if the network redirects to them.
  • On Windows and macOS, detect parental controls enabled in the operating system.

The additional checks that will be performed for private “enterprise” networks are:

  • Is the Firefox security.enterprise_roots.enabled preference set to true?
  • Is any enterprise policy configured?
