Firefox now works together with Cloudflare, so that Cloudflare, rather than your ISP's resolver, receives your DNS queries. What Mozilla calls 'DNS over HTTPS' (DoH, implemented in Firefox as the Trusted Recursive Resolver, TRR) is not another term for DNSSEC: DoH sends ordinary DNS queries inside an encrypted HTTPS connection to a resolver, so that someone on the path can't see which domain you're visiting, whereas DNSSEC signs DNS records and hides nothing. On paper this sounds good.
Firefox Nightly and network.trr.mode in about:config
It's unclear whether the new entry will ship with Cloudflare pre-configured in the future; since Cloudflare has a separate Firefox policy, I assume it might become the default in later Firefox stable versions.
- Setting network.trr.mode to 2 makes DNS over HTTPS the browser's first choice and keeps regular (native) DNS as a fallback; the fallback is used if there are problems with the external DoH resolver. This is also the value expected to become the default.
- Other values: 1 lets Firefox race native DNS against TRR and use whichever answers first, 3 is TRR-only mode with no native fallback, and 0 disables TRR. Mode 3 should be used carefully, since if the resolver is unreachable or TRR does not work as expected, nothing resolves. Chrome uses 2 as default but doesn't provide any other option to change it (for now?).
- network.trr.bootstrapAddress holds the IP address of the DoH server named in network.trr.uri (Cloudflare's resolver is 1.1.1.1). This does not by itself route queries through Cloudflare; it only lets Firefox reach the resolver without first looking up its hostname over regular DNS, which would otherwise leak that one lookup.
You can also change the URL (network.trr.uri) or the provider as you like; https://dns.cloudflare.com/.well-known/dns and https://dns.google.com/experimental are two examples of providers that support it.
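To make concrete what the resolver configured in network.trr.uri actually receives, the following is an added example (not code from the original post, nor from Mozilla or Cloudflare): it builds the DNS wire-format query TRR would send for an A record, encodes it for the RFC 8484 GET form (?dns=<base64url>), and parses a response. The response bytes are constructed here (192.0.2.1 is a documentation address) so nothing touches the network; the Cloudflare URL is only used as a string.

```python
"""DNS over HTTPS (RFC 8484) on the wire: an ordinary DNS message carried over HTTPS.

Added example, not code from the original post or from Mozilla/Cloudflare.
The response below is constructed; no network access is performed.
"""
import base64
import struct

A_RECORD = 1
CLASS_IN = 1
FLAG_AD = 0x0020   # Authenticated Data: the resolver claims it DNSSEC-validated the answer


def encode_name(name: str) -> bytes:
    """Encode 'www.example.org' as length-prefixed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = A_RECORD) -> bytes:
    """One-question DNS query. ID is 0, as RFC 8484 section 4.1 recommends for
    the GET form so that identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_uri: str, query: bytes) -> str:
    """GET form of a DoH request: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in resolver_uri else "?"
    return f"{resolver_uri}{sep}dns={b64}"


def decode_name(msg: bytes, offset: int):
    """Decode a name that may use compression pointers; returns (name, offset after it)."""
    labels = []
    end = None                               # position just past the name in the stream
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer: two bytes with top bits 11
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(ancount):
        rrname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_RECORD and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rrname, rtype, ttl, rdata))
    return {"id": ident, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "questions": questions, "answers": answers}


# Constructed response to build_query("example.org"): flags QR|RD|RA|AD, one
# answer whose owner is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.org") + struct.pack("!HH", A_RECORD, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.org")
    print(doh_get_url("https://dns.cloudflare.com/.well-known/dns", q))
    print(parse_response(SAMPLE_RESPONSE))
```

The point to notice is that the message inside the HTTPS request is the same unsigned, unencrypted DNS packet that would go over UDP port 53; only the transport is encrypted, and the AD flag in the response is merely the resolver's claim that it validated DNSSEC, which the client has to trust.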
DNSSEC signs DNS records. It does not encrypt anything; it only lets a validating resolver confirm that a record is authentic and unmodified. The chain of trust runs from the top down: the root zone signs DS records that vouch for the keys of TLDs such as .org or .de, each TLD signs DS records for the zones below it (your domain; the registrar only passes your DS record up to the registry, it does not sign anything), and your zone's own keys sign your DNS records.
It offers protection against some well-known problems, but not against every problem.
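The link between a parent and a child zone in that chain is a DS record: a hash of the child's key-signing DNSKEY, published by the parent. The following is an added example, not code from the original post, showing the RFC 4034 key tag and DS digest arithmetic a validator uses to check that the DNSKEY it found in example.org is the one .org vouched for. The DNSKEY is constructed (four dummy key bytes, not a real key), and signature verification itself is not shown.

```python
"""DNSSEC chain of trust arithmetic: how a parent's DS record points at a child's DNSKEY.

Added example, not from the original post. The DNSKEY below is constructed
(dummy public-key bytes); only the RFC 4034 key tag and DS digest linkage is
shown, not RRSIG verification.
"""
import hashlib
import hmac
import struct

KSK_FLAGS = 257       # Zone Key + Secure Entry Point: the key the parent's DS refers to
ZSK_FLAGS = 256
ALG_RSASHA256 = 8
DS_SHA256 = 2


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels, terminating zero octet."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DS_SHA256) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(canonical_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = DS_SHA256) -> tuple:
    """What the child hands to the parent (via its registrar): (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator side: recompute the DS from the DNSKEY served by the child zone and
    compare it with the DS served by the parent. A mismatch means this DNSKEY is not
    the one the parent vouched for (wrong key, tampered key, or stale DS)."""
    tag, algorithm, digest_type, digest = ds
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, digest_type), digest)


def present(owner: str, ds: tuple) -> str:
    """Zone-file presentation of a DS record."""
    tag, algorithm, digest_type, digest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {algorithm} {digest_type} {digest.hex().upper()}"


# Constructed key: flags 257 (KSK), algorithm 8, four dummy key bytes.
EXAMPLE_KSK = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    ds = make_ds("example.org", EXAMPLE_KSK)
    print(present("example.org", ds))
    print(ds_matches("example.org", EXAMPLE_KSK, ds))           # True
    tampered = EXAMPLE_KSK[:-1] + b"\x05"
    print(ds_matches("example.org", tampered, ds))              # False
```

Because the DS covers the owner name as well as the key bytes, the same DNSKEY published under a different name does not match, and because the digest is over the whole RDATA, flipping a single key byte is detected. What DNSSEC cannot detect is a DS that the registrar or registry replaced: whoever controls the parent's DS record controls which key is "authentic".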
Domain Name System Security Extensions (DNSSEC) is not perfect
While this sounds great, you should know several things:
- Signed zones are harder to serve: responses carry RRSIG records and are much larger, which can exceed what some resolvers and middleboxes handle over UDP, and a plain NSEC chain lets anyone enumerate every name in the zone (zone walking, i.e. domain enumeration); NSEC3 makes this harder but not impossible.
- DNSSEC makes DNS a better amplifier for reflection DDoS attacks: a small query with a spoofed source address for DNSKEY or ANY records returns a response many times larger, delivered to the victim.
- DNSSEC lowers the risk of some fraud, for example being redirected to a fake bank or shop, because a validating resolver rejects forged DNS answers. But that is all it does: the mechanism is only designed to stop an attacker who manipulates responses to DNS queries (cache poisoning, spoofed replies, hijacking traffic by answering faster than the real server). Phishing through a look-alike domain, DoS, a compromised registrar account or authoritative server, and anything that happens after the name is resolved are not addressed, and DNSSEC does not replace TLS as proof that you reached the right site.
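The enumeration problem from the first item above is easy to see once you know that every NSEC record names the next owner in the zone. The following is an added example, not code from the original post: a constructed NSEC chain for example.org (no real data) is walked to list every name in the zone, and the same records are used the way a validator uses them, to prove that a name does not exist. Against a live zone each step of the walk is one NSEC query for the "next" name.

```python
"""Zone enumeration through NSEC: authenticated denial of existence doubles as a directory of the zone.

Added example, not from the original post. NSEC_CHAIN is a constructed signed
zone for example.org, not real data.
"""

# owner -> (next owner name, type bitmap as presented in the NSEC record)
NSEC_CHAIN = {
    "example.org.":       ("alpha.example.org.", ["A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY"]),
    "alpha.example.org.": ("mail.example.org.",  ["A", "RRSIG", "NSEC"]),
    "mail.example.org.":  ("www.example.org.",   ["A", "MX", "RRSIG", "NSEC"]),
    "www.example.org.":   ("example.org.",       ["A", "AAAA", "RRSIG", "NSEC"]),
}
APEX = "example.org."


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    right to left, case-insensitively, as the NSEC chain is ordered."""
    return tuple(label.lower().encode("ascii")
                 for label in reversed(name.rstrip(".").split(".")))


def walk_zone(chain: dict, apex: str) -> list:
    """Follow next-owner pointers from the apex until the chain wraps around.
    The result is every name in the zone, which is the enumeration weakness."""
    names = []
    current = apex
    while True:
        names.append(current)
        nxt, _ = chain[current]
        if nxt == apex:
            return names
        if nxt in names:
            raise ValueError("NSEC chain loops without returning to the apex")
        current = nxt


def covering_nsec(chain: dict, apex: str, name: str):
    """Return the owner of the NSEC record that proves `name` does not exist
    (name sorts strictly between owner and next), or None if `name` exists."""
    if name in chain:
        return None
    key = canonical_key(name)
    for owner, (nxt, _) in chain.items():
        if nxt == apex:                      # last record wraps to the apex
            if key > canonical_key(owner):
                return owner
        elif canonical_key(owner) < key < canonical_key(nxt):
            return owner
    return None


if __name__ == "__main__":
    print(walk_zone(NSEC_CHAIN, APEX))
    print(covering_nsec(NSEC_CHAIN, APEX, "beta.example.org."))   # alpha.example.org.
```

The same chain answers both questions: a validator asking "does beta.example.org exist?" gets the alpha-to-mail NSEC as signed proof that it does not, and an attacker asking "what is in this zone?" simply follows the chain. NSEC3 replaces the owner names with salted hashes, which raises the cost of the walk to offline hash cracking rather than removing it.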
Is it still worth it?
Yes, I assume it will become the default sooner or later in every browser. My fear, shared by several people, is giving up control into the hands of Google or Cloudflare. They both log the same when it comes to DNS over HTTPS, and since no one provides any information about what happens to the keys, you should ask yourself whether it's worth trusting them instead of using other providers or running your own server with e.g. DNSCrypt/DNSCurve.
Cloudflare promises a faster DNS service and they deliver what they promise, but blindly trusting them because they claim to make things better is maybe not a good option; I would suggest you wait until the hype is over and some people take a serious look at it. Mozilla seems to trust Cloudflare, and I'm not sure whether switching from Google to Cloudflare makes a difference here, because these are the big players and they might sell you out whenever they're in the mood.