Mozilla's new DNS resolution


VIP Member
Feb 21, 2013
All your DNS traffic will be sent to Cloudflare

A new feature in Firefox
With their next patch, Mozilla will introduce two new features to the Firefox browser, called "DNS over HTTPS" (DoH) and "Trusted Recursive Resolver" (TRR). In this article we want to talk especially about TRR. Mozilla advertises it as an additional feature that improves security. We think quite the opposite: we think it is dangerous, and here is why.
DNS? What is DNS?
The Domain Name System (DNS) is a service used to convert a computer's host name or a Top-Level Domain (TLD) into an IP address. When you enter the domain of a website in your browser, it automatically sends a request to the DNS server you have configured. The DNS server then looks up the host name and returns an IP address, so your browser knows exactly where to connect to.

But here the problem begins. Not only does your browser know exactly where to connect to; the DNS server also knows where YOU connect to. This need not be a problem in every case. Most ISPs run their own DNS server, which is configured automatically, and your ISP knows where you connect to anyway. So the data generated by their DNS server gives them no additional information.

Why would you replace your ISP's DNS server with another one?
There are a variety of problems with the DNS protocol ("the language of DNS"). DNS requests are usually sent unencrypted, and potentially everyone between you and the DNS server can read them. Mozilla is using a new technique that transports requests over HTTPS, which encrypts the data. That is, generally speaking, a good thing. However, the DNS servers you use are usually local ones (from your ISP), and thus the attack vector (i.e. who can spy on you) is local.
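To make the "language of DNS" concrete, here is an added illustration that is not part of the ungleich article: it builds a plain DNS query in wire format, shows what a passive observer on the path to a port-53 resolver can read from it (the queried name in clear text), parses a constructed answer, and wraps the very same bytes in a DoH-style HTTP POST (RFC 8484). The resolver host `doh.example`, the transaction id and the answer IP are constructed placeholders; nothing is sent on the network.

```python
"""Added example: DNS wire format as seen by an on-path observer, and the same
message as a DoH POST body. Not code from the ungleich article or from Mozilla."""
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query: 12-byte header (RD=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode labels at `off`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original position)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def observer_view(packet: bytes) -> dict:
    """What anyone between client and resolver can read from an unencrypted query."""
    txid, flags, *_ = struct.unpack("!HHHHHH", packet[:12])
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype,
            "is_response": bool(flags & 0x8000)}


def parse_answers(packet: bytes) -> list:
    """Return (name, ip) tuples for A records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):            # skip the echoed question(s)
        _, off = decode_name(packet, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == DNS_TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply to `query`: same txid, QR/RD/RA set, the question echoed,
    and one A record whose owner name is a pointer to offset 12 (the question name)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)
          + bytes(int(x) for x in ip.split(".")))
    return header + query[12:] + rr


def doh_request(query: bytes, host: str = "doh.example", path: str = "/dns-query") -> bytes:
    """The identical wire-format message as an RFC 8484 POST body. Over the wire this
    would sit inside TLS, so the local network sees only 'HTTPS to host'; the DoH
    operator still sees every query. `host` is a placeholder, not a real resolver."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/dns-message\r\nAccept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n").encode("ascii")
    return head + query


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("on-path observer sees:", observer_view(q))
    r = build_response(q, "93.184.216.34")   # constructed answer, not a live lookup
    print("answers:", parse_answers(r))
    print(doh_request(q)[:80])
```

The point of `doh_request` is that DoH changes the transport, not the content: the query that your ISP's resolver used to see in clear text is now hidden from the local network but delivered, in full, to whichever resolver the browser is configured to trust.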
Mozilla wants to override any configured DNS server with Cloudflare
So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). With the next Mozilla patch in September, any DNS change you configure in your network won't have any effect anymore, at least for browsing with Firefox, because Mozilla has partnered with Cloudflare and will resolve domain names from within the application itself via a Cloudflare DNS server based in the United States. Cloudflare will then be able to read everyone's DNS requests.

How to turn TRR off

User rendx nicely described how to turn off TRR, and we want to share this info with you:
  • Enter about:config in the address bar
  • Search for network.trr
  • Set network.trr.mode = 5 to completely disable it
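The about:config steps above change one preference in the running profile. For anyone who manages several machines and wants to verify the setting rather than trust it, here is an added helper that is not part of the article or of rendx's post: it reads the `user_pref("network.trr.mode", N);` line from a profile's `prefs.js` and `user.js` (user.js wins, as it does at Firefox startup), reports what the value means, and emits the equivalent enterprise `policies.json` fragment (`DNSOverHTTPS` with `Enabled: false`, `Locked: true`). The profile path and the sample pref lines are constructed; the mode meanings for 0, 2, 3 and 5 are Firefox's documented ones, other values are reported as reserved.

```python
"""Added example: verify the network.trr.mode setting in a Firefox profile.
Not code from the ungleich article, from user rendx, or from Mozilla."""
import os
import re

# Meaning of the documented network.trr.mode values.
TRR_MODE_MEANING = {
    0: "off, browser default (Mozilla can still turn DoH on by rollout)",
    2: "DoH first, fall back to the system resolver on failure",
    3: "DoH only, no fallback to the system resolver",
    5: "off by user choice (the setting recommended above)",
}

PREF_RE = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*(\d+)\);')


def trr_mode_from_text(text: str):
    """Return the last network.trr.mode value in a prefs file, or None if absent."""
    mode = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            mode = int(m.group(1))  # later lines override earlier ones
    return mode


def effective_mode(prefs_text: str, user_text: str):
    """user.js is applied after prefs.js at startup, so it takes precedence."""
    mode = trr_mode_from_text(prefs_text)
    user_mode = trr_mode_from_text(user_text)
    return user_mode if user_mode is not None else mode


def describe(mode) -> str:
    if mode is None:
        return "not set (browser default applies)"
    return TRR_MODE_MEANING.get(mode, f"mode {mode}: reserved or unknown value")


def check_profile(profile_dir: str):
    """Read prefs.js and user.js from a profile directory (missing files count as empty)."""
    texts = {}
    for fname in ("prefs.js", "user.js"):
        path = os.path.join(profile_dir, fname)
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                texts[fname] = f.read()
        else:
            texts[fname] = ""
    mode = effective_mode(texts["prefs.js"], texts["user.js"])
    return mode, describe(mode)


def policy_disable_doh() -> dict:
    """policies.json fragment that disables DoH and locks the setting for every profile."""
    return {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}


# Constructed sample contents, as they would appear in a profile directory.
SAMPLE_PREFS_JS = (
    'user_pref("browser.startup.page", 1);\n'
    'user_pref("network.trr.mode", 2);\n'
)
SAMPLE_USER_JS = 'user_pref("network.trr.mode", 5);\n'

if __name__ == "__main__":
    mode = effective_mode(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    print(f"effective network.trr.mode = {mode}: {describe(mode)}")
    print(policy_disable_doh())
```

Mode 5 is the value to look for: mode 0 only means "not enabled yet", which is why the steps above recommend 5 rather than leaving the default in place.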
ungleich Blog - Mozilla's new DNS resolution is dangerous