Mozilla is enabling CIRA Canadian Shield as the default trusted recursive resolver (TRR) for Canadian Firefox users. It is another step forward by the organization as they make DNS encryption the default for the browser under their overall commitment to privacy. Since CIRA Canadian Shield supports both traditional IPv4 and IPv6 as well as the emerging DNS encryption standards, it was a natural fit.
By default, Firefox uses, DNS over HTTPs, which is more commonly referred to by its acronym, “DoH” in the community. Before we dig into the mechanics it is first important to understand what it is doing.
What is the DNS
Every time you click on a link or type an address into the browser you are using a link that is human-understandable. In order for this address to find its way to a server it needs to be translated into the IP address that a machine understands.
This is called the Domain Name System (DNS) and it is often described as the internet’s phone book. For most Canadians, this lookup originates at a server located at their Internet Service Provider at something called a recursive resolver. Many people who work in IT, or who just generally like to play with technology, change this DNS setting, either on their router, operating system or browser. They do it to get more privacy, better performance, or even just because it is fun. This flexibility it is one of the amazing things about the DNS - the user has choice.
What is wrong with the DNS that we need these new solutions?
One of the features of the DNS is that all this information exchanges in the wild of the internet in clear text. The entire (original) point of the internet was that it was a free and open, and where notions of privacy between two “conversations” did not exist. The internet of old was built on utopian principals and, that utopia has been strained of late. As a result, the IETF created new standards for DNS privacy – including DoH.
What is DoH
DoH is one of two emerging methods (the other being DoT) to encrypt the DNS traffic - which in this case is between your browser and the CIRA DNS resolver (or server). We then resolve the query and send you on your merry way to the website, mail server, online application, or cat video that you were looking for.
Because this is encrypted the information (or zone file) that we exchange is not available for interception, inspection, and possibly even editing. The latter of which, could send you to somewhere you didn’t intend.
DoH is an excellent addition to the security and privacy landscape and when combined with the other things people do, delivers a net positive. CIRA recommends that you consider using DNS encryption for personal and business use. It is a useful part of an overall privacy and security solution.
Want to read more? We have written quite a bit on this subject but a good primer is our blog on DNS Encryption – Evolution or Revolution
What is Mozilla/Firefox doing with CIRA and DoH?
By default Firefox is using DoH for DNS resolution – it is the first major browser to do this. What is super exciting is that for those who identify (in their settings) that they are located in Canada, Firefox will default to using CIRA Canadian Shield – Private, as its DNS resolver. This service level is simply answering queries privately and with no filtering of any kind (more on this later).
Why CIRA? First off, we easily met Mozilla’s strict TRR program through our commitment to security, privacy, and transparency.
CIRA is a nationally-focused supplier and the first of its kind in the world to offer a kind of sovereign DoH resolution. One that is designed to optimize quality and privacy for Canadians – but is still available throughout the world for those who travel. We are a non-profit with no interest in your data and, in fact, a stated interest in your privacy and in the open internet. We have the appropriate procedures in place to ensure privacy and have hired an auditor to test those systems. And finally, we offer a very high quality, high-reliability service with nodes located very close to Canadians and very well peered to the various networks that make up the internet in Canada (and that connect to the outside world).
Sound amazing? We think so and we have heard a lot of rumblings in the world of global internet governance that suggest we will start seeing similar models emerge elsewhere in the world. However, make no mistake that for DNS nerds, like us, CIRA being first is a reason to be proud to be a Canadian.
What if I want to change resolvers?
Firefox DNS settings are configurable in the settings, to enable both traditional DNS settings and to change the default DoH provider to whatever the end user prefers. Firefox comes with a number of DoH providers that you can optionally select or you can add your own custom resolver.