Browser Security

Firefox DNSSEC feature (DNS over HTTPS)

Firefox seems to work now together with Cloudflare, in order to get your data. What Mozilla calls ‘DNS over HTTPS’ is simply another term for DNSSEC which signs the queries so that an attacker can’t see which domain you’re visiting, on paper this sounds good.


Firefox nightly and network.trr.mod about:config

It’s unclear if the new entry gets Cloudflare pre-configured in the future or not, since Cloudflare has a separate Firefox policy I assume it might get the default in later Firefox stable versions.

  • Changing the value to 2 to ensures DNS Over HTTPS will become your browser’s first choice but use regular DNS as a fallback, this will be used in case there some problems with your external DNS provider and this option also will be the default.
  • Another option is to set it to 1 to let Firefox pick whichever is faster, 3 for TRR only mode, or 0 to disable it. This option should be used carefully since TRR might not work as expected. Chrome uses 2 as default but doesn’t provide any other option to change it (for now?)
  • Changing network.trr.bootstrapAddress to ensures the queries are preferred going over Cloudflare’s DNS.

You can also change the url or provider as you like and are two examples and provider which support it.


DNSSEC signs DNS records. It does not encrypt, it just confirms authenticity. The root signs keys from TLDs for example as .org or .de, TLDs sign keys from registrars, and registrars sign the DNS records from you.

It offers some security mechanism against well-known problems, but not every problem.

Domain Name System Security Extensions (DNSSEC) not perfect

While this sounds great you should know several things:

  • DNSSEC might break MX record lookups (Domain enumeration)
  • DNSSEC is weak against amplification DDoS attacks, see also this
  • DNSSEC means a decreased risk for becoming a victim of fraud when, for example, banking or shopping online because it is easier for the user to determine that they are communicating with the right bank or shop and not a fraudster. The security mechanism is only designed to prevent attacks where the attacker manipulates responses to DNS queries to achieve their goal. Pishing, DOS etc are still not solvable Hijacking traffic via spoofing responses.

Is it still worth?

Yes, I assume it gets the default soon or later in every Browser. My fear or fears from several people is to give up the control in the hands of Google or CloudFlare. They log both the same when it comes to DNSSEC and since no one provides any information what happens to the keys you should ask yourself if it’s worth trusting them instead of using other providers or creating your own server with eg. DNSCrypt/DNSCurve running.

Closing Words

Cloudflare promises a faster DNS service and they hold what they promise, blindly trusting them because they claim to make things better is maybe not a good option, I would suggest you wait until the hype is over and some people take a serious look at it. Mozilla seems to trust CloudFlare and I’m not sure if switching from Google to Cloudflare makes a difference here cause these are the big players and they might sell you out whenever they’re in the mood.


6 replies on “Firefox DNSSEC feature (DNS over HTTPS)”

CK – I’m not a tech, so might be wrong. Cloudflare’s recent announcement about seemed to indicate that it was providing some aggregate info only to the owner of in exchange for use of that IP but otherwise not logging, etc. Is that wrong?


There is no DNS provider which doesn’t log. It’s not possible to protect something without collecting logs, or how do you think that any provider blacklist attackers? The myth that some log and others don’t is nothing but this – a myth. Basically all websites, ISP and also DNS Provider and Resolver logging. The question is moreover if they do it for good intentions or do they sell data.

To answer Cloudflare specific questions:
– Cloudflare official logs, they say that they won’t log individuals BUT they collect more advance logs (It’s even written on their privacy policy page) in order to get statistics. So, my question is how do you logs only the big ‘mass’ without logging individuals too? Right, it’s not possible. This already answeres the question that Cloudflare logs same like Google and all the others, the difference is that other providers are more (or less) open when it comes to the documentation what or what they don’t collect.

I saw you also asked other questions in the cloudflare specific blog post, so let me answer it here.
– Update all your machines at least to Windows 7. SImply don’t use XP.
– There is currently no evidence that Cloudflare doesn’t hold what they promise, so it’s up to you if you like to use Cloudflare’s DNS or not. Since there is no evidence that they lie or don’t like, I say use it if you’re happy with what they have to offer.
– I usually don’t give security recommendations, I usually only give articles about the current statuses, security is in my opinion not something you can get using the right programs or services – it’s more an idea and work in progress which is never finished, which means you have constantly to read the latest news in order to stay up2date. For example you can use a VPN, encrypt everything and build your own ISP/DNS but this all is pointless when you write all your private information into the internet by yourself.
– I like DNSCrypt and I see that the project is much underrated and my wish would be that this gets official an RFC. However, to answer the question if all the switches in the configuration file work, yes they do work. Everything is documented and if you like the project consider to support it or use it. Same like the Cloudflare question, it’s only up to you and only you can decide it.

There two major problems I see which are unanswered:
– Using bigger providers like Google, CloudFlare or your own ISP DNS gives them entire control over your DNS traffic and they might (regarding what they official write) anyway sell the statistics cause a lot of people and organisations have interest of such databases.
– Using decentralized services / providers might be problematic because there more insecure (cause they don’t have as much knowledge as Google, Cloudflare & co)
– Creating your own ISP/DNS (resolver)/VPN is possible, but it’s might be insecure since you need to become an expert in order to stay or offer something which is secure.

No matter which of the three points, they key is simply here to read, read and read to stay updated in order to address current security threats. So again, security is nothing you gain by using the ‘right’ programs, it might only avoids that you need to spent much time on such topics but you always have to trust others.

To summarize:
– As for now I see no problem with Cloudflare’s offer
– Reading and testing is essential in order to build strategies to stay ‘secure’ (whatever this really means)
– Use an OS (if possible Linux) instead or at least an OS which is known to be hardened against known issues, XP should not be used anymore it’s more vulnerable compared to other OS

Thanks for reading my Blog and your interest in such topic, that’s the first step. 🙂


No, they clearly show that they log the same like Google, which seems quite normal.

I’m more worried why Mozilla want to work with them together. This entire ‘we’re faster an better and more trustworthy than others’ stinks.


Comments are closed.