A cartoon intro to DNS over HTTPS
Threats to users’ privacy and security are growing. At Mozilla, we closely track these risks. We believe we have a responsibility to do everything we can to protect Firefox users and their data.
We’re taking on the businesses and organizations that want to secretly collect and sell user data. This is why we added tracking protection and created the Facebook container extension. And you’ll see us do more things to protect our users over the coming weeks.
Two more protections we’re adding to that list are:
- DNS over HTTPS, a new IETF standards effort that we’ve championed
- Trusted Recursive Resolver, a new secure way to resolve DNS that we’ve partnered with Cloudflare to provide
With these two initiatives, we’re closing data leaks that have been part of the domain name system since it was created 35 years ago. And we’d like your help in testing them. So let’s look at how DNS over HTTPS and Trusted Recursive Resolver protect our users.
But first, let’s look at how web pages move around the Internet.
If you already know how DNS and HTTPS work, you can skip to how DNS over HTTPS helps.
A short HTTP crash course
When people explain how a browser downloads a web page, they usually explain it this way:
- Your browser makes a GET request to a server.
- The server sends a response, which is a file containing HTML.
This system is called HTTP.
But this diagram is a little oversimplified. Your browser doesn’t talk directly to the server. That’s because they probably aren’t close to each other.
Instead, the server could be thousands of miles away. And there’s likely no direct link between your computer and the server.
So this request has to get from the browser to that server, and it will go through multiple hands before it gets there. And the same is true for the response coming back from the server.
I think of this like kids passing notes to each other in class. On the outside, the note will say who it’s supposed to go to. The kid who wrote the note will pass it to their neighbor. Then that next kid passes it to one of their neighbors — probably not the eventual recipient, but someone who’s in that direction.
The problem with this is that anyone along the path can open up the note and read it. And there’s no way to know in advance which path the note is going to take, so there’s no telling what kind of people will have access to it.
It could end up in the hands of people who do harmful things…
Like sharing the contents of the note with everyone.
Or changing the response.
To fix these issues, a new, secure version of HTTP was created. This is called HTTPS. With HTTPS, it’s kind of like each message has a lock on it.
Both the browser and the server know the combination to that lock, but no one in between does.
With this, even if the messages go through multiple routers in between, only you and the web site can actually read the contents.
This solves a lot of the security issues. But there are still some messages going between your browser and the server that aren’t encrypted. This means people along the way can still pry into what you’re doing.
One place where data is still exposed is in setting up the connection to the server. When you send your initial message to the server, you send the server name too (in a field called “Server Name Indication”). This lets server operators run multiple sites on the same machine while still knowing who you are trying to talk to. This initial request is part of setting up encryption, but the initial request itself isn’t encrypted.
The other place where data is exposed is in DNS. But what is DNS?
DNS: the Domain Name System
In the passing notes metaphor above, I said that the name of the recipient had to be on the outside of the note. This is true for HTTP requests too… they need to say who they are going to.
But you can’t use a name for them. None of the routers would know who you were talking about. Instead, you have to use an IP address. That’s how the routers in between know which server you want to send your request to.
This causes a problem. You don’t want users to have to remember your site’s IP address. Instead, you want to be able to give your site a catchy name… something that users can remember.
This is why we have the domain name system (DNS). Your browser uses DNS to convert the site name to an IP address. This process — converting the domain name to an IP address — is called domain name resolution.
How does the browser know how to do this?
One option would be to have a big list, like a phone book, in the browser. But as new web sites came online, or as sites moved to new servers, it would be hard to keep that list up-to-date.
So instead of having one list which keeps track of all of the domain names, there are lots of smaller lists that are linked to one another. This allows them to be managed independently.
In order to get the IP address that corresponds to a domain name, you have to find the list that contains that domain name. Doing this is kind of like a treasure hunt.
What would this treasure hunt look like for a site like the English version of Wikipedia, en.wikipedia.org?
We can split this domain into parts.
With these parts, we can hunt for the list that contains the IP address for the site. We need some help in our quest, though. The tool that will go on this hunt for us and find the IP address is called a resolver.
First, the resolver talks to a server called the Root DNS. It knows of a few different Root DNS servers, so it sends the request to one of them. The resolver asks the Root DNS where it can find more info about addresses in the .org top-level domain.
The Root DNS will give the resolver an address for a server that knows about .org addresses.
This next server is called a top-level domain (TLD) name server. The TLD server knows about all of the second-level domains that end with .org.
It doesn’t know anything about the subdomains under wikipedia.org, though, so it doesn’t know the IP address for en.wikipedia.org.
The TLD name server will tell the resolver to ask Wikipedia’s name server.
The resolver is almost done now. Wikipedia’s name server is what’s called the authoritative server. It knows about all of the domains under wikipedia.org. This means this server knows about en.wikipedia.org, and other subdomains like the German version, de.wikipedia.org. The authoritative server tells the resolver which IP address has the HTML files for the site.
The resolver will return the IP address for en.wikipedia.org to the operating system.
This process is called recursive resolution, because you have to go back and forth asking different servers what’s basically the same question.
I said we need a resolver to help us in our quest. But how does the browser find this resolver? In general, it asks the computer’s operating system to set it up with a resolver that can help.
How does the operating system know which resolver to use? There are two possible ways.
You can configure your computer to use a resolver you trust. But very few people do that.
Instead, most people just use the default. And by default, the OS will just use whatever resolver the network told it to. When the computer connects to the network and gets its IP address, the network recommends a resolver to use.
This means that the resolver that you’re using can change multiple times per day. If you head to the coffee shop for an afternoon work session, you’re probably using a different resolver than you were in the morning. And this is true even if you have configured your own resolver, because there’s no security in the DNS protocol.
How can DNS be exploited?
So how can this system make users vulnerable?
Usually a resolver will tell each DNS server what domain you are looking for. This request sometimes includes your full IP address. Or if not your full IP address, increasingly often the request includes most of your IP address, which can easily be combined with other information to figure out your identity.
This means that every server that you ask to help with domain name resolution sees what site you’re looking for. But more than that, it also means that anyone on the path to those servers sees your requests, too.
There are a few ways that this system puts users’ data at risk. The two major risks are tracking and spoofing.
Tracking
Like I said above, it’s easy to take the full or partial IP address information and figure out who’s asking for that web site. This means that the DNS server and anyone along the path to that DNS server — called on-path routers — can create a profile of you. They can create a record of all of the web sites that they’ve seen you look up.
And that data is valuable. Many people and companies will pay lots of money to see what you are browsing for.
Even if you didn’t have to worry about the possibly nefarious DNS servers or on-path routers, you would still risk having your data harvested and sold. That’s because the resolver itself — the one that the network gives to you — could be untrustworthy.
Even if you trust your network’s recommended resolver, you’re probably only using that resolver when you’re at home. Like I mentioned before, whenever you go to a coffee shop or hotel or use any other network, you’re probably using a different resolver. And who knows what its data collection policies are?
Beyond having your data collected and then sold without your knowledge or consent, there are even more dangerous ways the system can be exploited.
Spoofing
With spoofing, someone on the path between the DNS server and you changes the response. Instead of telling you the real IP address, a spoofer will give you the wrong IP address for a site. This way, they can block you from visiting the real site or send you to a scam one.
Again, this is a case where the resolver itself might act nefariously.
For example, let’s say you’re shopping for something at Megastore. You want to do a price check to see if you can get it cheaper at a competing online store, big-box.com.
But if you’re on Megastore WiFi, you’re probably using their resolver. That resolver can hijack the request to big-box.com and lie to you, saying the site is unavailable.
How do we fix this with Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH)?
At Mozilla, we feel strongly that we have a responsibility to protect our users and their data. We’ve been working on fixing these vulnerabilities.
We are introducing two new features to fix this — Trusted Recursive Resolver (TRR) and DNS over HTTPS (DoH). Because really, there are three threats here:
- You could end up using an untrustworthy resolver that tracks your requests, or tampers with responses from DNS servers.
- On-path routers can track or tamper in the same way.
- DNS servers can track your DNS requests.
So how do we fix these?
- Avoid untrustworthy resolvers by using Trusted Recursive Resolver.
- Protect against on-path eavesdropping and tampering using DNS over HTTPS.
- Transmit as little data as possible to protect users from deanonymization.
Avoid untrustworthy resolvers by using Trusted Recursive Resolver
Networks can get away with providing untrustworthy resolvers that steal your data or spoof DNS because very few users know the risks or how to protect themselves.
Even for users who do know the risks, it’s hard for an individual user to negotiate with their ISP or other entity to ensure that their DNS data is handled responsibly.
However, we’ve spent time studying these risks… and we have negotiating power. We worked hard to find a company to work with us to protect users’ DNS data. And we found one: Cloudflare.
Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third parties. And there will be regular audits to ensure that data is being cleared as expected.
With this, we have a resolver that we can trust to protect users’ privacy. This means Firefox can ignore the resolver that the network provides and just go straight to Cloudflare. With this trusted resolver in place, we don’t have to worry about rogue resolvers selling our users’ data or tricking our users with spoofed DNS.
Why are we choosing one resolver? Cloudflare is as excited as we are about building a privacy-first DNS service. They worked with us to build a DoH resolution service that would serve our users well in a transparent way. They’ve been very open to adding user protections to the service, so we’re happy to be able to collaborate with them.
But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them.
Protect against on-path eavesdropping and tampering using DNS over HTTPS
The resolver isn’t the only threat, though. On-path routers can track and spoof DNS because they can see the contents of the DNS requests and responses. But the Internet already has technology for ensuring that on-path routers can’t eavesdrop like this. It’s the encryption that I talked about before.
By using HTTPS to exchange the DNS packets, we ensure that no one can spy on the DNS requests that our users make.
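As an added illustration of what that HTTPS exchange actually carries (example code, not from the original post, Firefox or Cloudflare), the Python below builds the DNS message for en.wikipedia.org, wraps it in the DoH GET form from RFC 8484 (base64url in a dns= parameter, DNS ID 0 for cacheability), and parses a constructed application/dns-message reply. The endpoint URL and the answer address are placeholders.

```python
import base64
import struct

DOH_ENDPOINT = "https://doh.example.invalid/dns-query"  # placeholder, not a real resolver

def encode_name(name):
    # Wire-format name: each label prefixed by its length, terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1):
    # Header: ID 0 (RFC 8484 suggests it for HTTP cacheability), RD set, one question; qtype 1 = A.
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    # GET form: the whole DNS message, base64url without padding, in the dns= parameter.
    param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + param

def read_name(msg, off):
    # Decode a possibly compressed name; follows RFC 1035 pointers but refuses loops.
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg):
    # Skip the question section, then collect (name, ttl, ipv4) from the A answers.
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS too
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return answers

# Constructed reply body (application/dns-message): same question, then one A answer
# whose owner name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("en.wikipedia.org") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 10]))
```

Because the message travels inside an HTTPS request and response, an on-path router sees only the TLS stream to the resolver, not the bytes these functions produce.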
Transmit as little information as possible to protect users from deanonymization
In addition to providing a trusted resolver which communicates using the DoH protocol, Cloudflare is working with us to make this even more secure.
Normally, a resolver would send the whole domain name to each server — to the Root DNS, the TLD name server, the second-level name server, etc. But Cloudflare will be doing something different. It will only send the part that is relevant to the DNS server it’s talking to at the moment. This is called QNAME minimization.
The resolver will also usually include the first 24 bits of your IP address in the request. This helps the DNS server know where you are and pick a CDN closer to you. But this information can be used by DNS servers to link different requests together.
Instead of doing this, Cloudflare will make the request from one of their own IP addresses near the user. This provides geolocation without tying it to a particular user. On top of this, we’re looking into how we can enable even better, very fine-grained load balancing in a privacy-sensitive way.
Doing this — removing the irrelevant parts of the domain name and not including your IP address — means that DNS servers have much less data that they can collect about you.
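To make the treasure hunt from the recursive resolution section and the two changes described here concrete, the following Python simulation (an added example, not code from the original post, Firefox or Cloudflare) walks root, TLD and authoritative servers for en.wikipedia.org and records what each server gets to see, with and without QNAME minimization and with and without the user’s /24 prefix. The three servers, the addresses and the resolver IP are constructed for the example.

```python
# Constructed toy name space with the three servers from the en.wikipedia.org walkthrough.
SERVERS = {
    "root":         {"delegations": {"org.": "tld-org"}, "addresses": {}},
    "tld-org":      {"delegations": {"wikipedia.org.": "wikipedia-ns"}, "addresses": {}},
    "wikipedia-ns": {"delegations": {},
                     "addresses": {"en.wikipedia.org.": "198.51.100.10",
                                   "de.wikipedia.org.": "198.51.100.11"}},
}
RESOLVER_IP = "192.0.2.53"  # constructed address of the recursive resolver itself

def ask(server, qname):
    # A toy authoritative server: answer if it holds the address, refer if the name
    # falls under a delegation it knows about, otherwise NXDOMAIN.
    zone = SERVERS[server]
    if qname in zone["addresses"]:
        return "answer", zone["addresses"][qname]
    for suffix, next_server in zone["delegations"].items():
        if qname == suffix or qname.endswith("." + suffix):
            return "referral", next_server
    return "nxdomain", None

def client_prefix24(ip):
    # The first 24 bits of the user's address, as a resolver would normally forward them.
    return ".".join(ip.split(".")[:3]) + ".0/24"

def resolve(name, client_ip, minimize=True, forward_client_subnet=False):
    # Walk root -> TLD -> authoritative. Returns (address or None, log); each log
    # entry is (server asked, the name it was shown, the client location it was shown).
    name = name.rstrip(".") + "."
    labels = name.rstrip(".").split(".")
    seen_client = client_prefix24(client_ip) if forward_client_subnet else RESOLVER_IP
    server, k, log = "root", 1, []
    for _ in range(2 * len(labels) + 2):  # bound the walk in case of a referral loop
        # Minimized: only the last k labels, i.e. no more than this server needs.
        qname = ".".join(labels[-k:]) + "." if minimize else name
        log.append((server, qname, seen_client))
        kind, value = ask(server, qname)
        if kind == "answer" and qname == name:
            return value, log
        if kind == "referral":
            server, k = value, min(k + 1, len(labels))
        elif k < len(labels):
            k += 1  # the shortened name was not a delegation: add a label, same server
        else:
            return None, log
    raise RuntimeError("referral loop")

if __name__ == "__main__":
    for minimize in (False, True):
        _, log = resolve("en.wikipedia.org", "203.0.113.77", minimize, not minimize)
        print("QNAME minimization", "on" if minimize else "off")
        for server, qname, seen in log:
            print("  %-13s was shown %-19s and client location %s" % (server, qname, seen))
```

With minimization off and the /24 forwarded, every server sees the full name and the user’s network; with it on and the resolver’s own address used, the root sees only org. and the TLD only wikipedia.org.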
What isn’t fixed by TRR with DoH?
With these fixes, we’ve reduced the number of people who can see what sites you’re visiting. But this doesn’t eliminate data leaks entirely.
After you do the DNS lookup to find the IP address, you still need to connect to the web server at that address. To do this, you send an initial request. This request includes a server name indication, which says which site on the server you want to connect to. And this request is unencrypted.
This means that your ISP can still figure out which sites you’re visiting, because it’s right there in the server name indication. Plus, the routers that pass that initial request from your browser to the web server can see that info too.
However, once you’ve made that connection to the web server, then everything is encrypted. And the neat thing is that this encrypted connection can be used for any site that is hosted on that server, not just the one that you initially asked for.
This is sometimes called HTTP/2 connection coalescing, or simply connection reuse. When you open a connection to a server that supports it, that server will tell you what other sites it hosts. Then you can visit those other sites using that existing encrypted connection.
Why does this help? You don’t need to start up a new connection to visit these other sites. This means you don’t need to send that unencrypted initial request with its server name indication saying which site you’re going to. Which means you can visit any of the other sites on the same server without revealing what sites you’re looking at to your ISP and on-path routers.
With the rise of CDNs, more and more independent sites are being served by a single server. And since you can have multiple coalesced connections open, you can be connected to multiple shared servers or CDNs at once, visiting all of the sites across the different servers without leaking data. This means this will be more and more effective as a privacy shield.
What is the status?
You can enable DNS over HTTPS in Firefox today, and we encourage you to.
We’d like to turn this on as the default for all of our users. We believe that every one of our users deserves this privacy and security, no matter if they understand DNS leaks or not.
But it’s a big change and we need to test it out first. That’s why we’re conducting a study. We’re asking half of our Firefox Nightly users to help us collect data on performance.
We’ll use the default resolver, as we do now, but we’ll also send the request to Cloudflare’s DoH resolver. Then we’ll compare the two to make sure that everything is working as we expect.
For participants in the study, the Cloudflare DNS response won’t be used yet. We’re simply checking that everything works, and then throwing away the Cloudflare response.
We are thankful to have the support of our Nightly users — the people who help us test Firefox every day — and we hope that you will help us test this, too.
Lin is an engineer on the Mozilla Developer Relations team. She tinkers with JavaScript, WebAssembly, Rust, and Servo, and also draws code cartoons.