DNS Over HTTPS: Censorship/ISP Spying - Enable

I just went into Firefox Preferences and noticed DNS over HTTPS was not enabled by default.
This means your DNS resolutions go through in clear text and are commonly monitored by the ISP. In fact there has been quite an outcry by ISPs over Firefox/Google enabling this feature in their newer browsers. That alone should make you go “Hmmmmm…”

Why you should care:
By default, most people connect through their ISP-provided DNS servers, which opens users up to website monitoring, censorship (blocking via DNS), DNS redirection and other problems.

Below I have uploaded the quick process to enable DNS over HTTPS, which is not enabled but is available in Parrot’s newer versions of Firefox. I mainly uploaded the pics because in them I left open the EFF (Electronic Frontier Foundation) web page talking about this comforting new feature. (If the pics are too big I will gladly remove them.)

#1) First go to the top right of your Firefox browser and click the ‘3 lines’ icon to bring down the menu. Click on Preferences.

#2) Next scroll to the bottom of the Preferences page and click on Network Settings.

#3) Click to check Enable DNS Over HTTPS. (Cloudflare is the one that comes with Firefox, but you can find others available online.)

Below is from the beginning of a decent article from Fastcompany.com:

The federal government has authorized your internet service provider to spy on you. The right was enshrined by a 2017 act of Congress that cancelled anti-spying regulations enacted by the Obama-era Federal Communications Commission. Today, your ISP can log every place you go online and use that data any way it wants, such as building user profiles for its own or other companies’ advertising platforms.

But ISPs’ most powerful spying tool is now easy to block, by encrypting what’s called a DNS request—a bit of data that announces the websites you visit. Mozilla’s Firefox browser already offers DNS encryption as an option, and it’s about to turn it on by default in the coming days or weeks. This protects you not only from a snooping ISP but also from a hacker who wants to watch your surfing or even redirect you to bogus sites containing malware.

The rest of the article is at:

I thought the community might find this info interesting/valuable.

1 Like

Nice howto! But, correct me if I am wrong, now all DNS requests go to Cloudflare, right? :slight_smile:
As a European I don’t want to see any data of mine in the US or any other spying nation. :wink:
So I prefer OpenDNS in cleartext … open software and Tor.
For an admin it would be nice if people looked at their right to privacy and to hide data from censorship … but if you are managing some filtering firewalls it’s more and more complicated to protect my users because I don’t see inside the traffic to filter out trash, ransomware or anything else. HSTS is nice, and some other stuff, but not for the admin I think.
So it’s not a win/win situation …

1 Like

I totally understand. I can see how it might complicate your job as an admin. But admins could try blocking known DNS over HTTPS servers if it becomes a security risk. I just selected Cloudflare to make sure it worked. They have an agreement with Mozilla to not use it for surveillance, but nothing is guaranteed (as we know).

Most people here may know all this, but for anyone else still curious, and for full disclosure, here are some details:

The risk of using non-HTTPS DNS is potential DNS redirection to malware or even fake Parrot Linux updates that install backdoors, among other issues (appearing normal via root certs etc.).

Domain names only go through whichever DNS server you chose (Cloudflare is the default for Firefox DoH); the DNS server only sees the domain name itself (which is why OpenNIC is also a great option).

Once DNS resolves the domain to an IP, the ISP loads the SSL-encrypted data from the server, through the ISP, to the browser (80% of the web now uses HTTPS-encrypted data, needing a root cert to view) using the IP/page extension. The browser decrypts the HTTPS browsing.

Censorship in some parts of the world is done at the DNS level, making this a possible solution for those who live in oppressive areas of the world under heavy censorship.

Someone using ISP DNS and getting pages from the ISP at the same time, plus a root cert installed in your browser, gives the ISP your entire browsing history for filtering. Many ISPs are building profiles on their customers to monetize to advertisers and who knows who else (billions of $/yr for big ISPs in the USA, all for just one customer, so most in the US do it).

The important thing is that the DNS server cannot see the actual content/web address pages on the domains visited (unless it sits between the data).

Compartmentalizing as many protocols as possible is the best solution for those concerned about ISP abuse of data, a big, well-known problem in the US where everything is for sale.

1 Like
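The checkbox in the steps above only changes where the browser sends its lookups; what travels inside the HTTPS session is an ordinary wire-format DNS message carried as described in RFC 8484, which is why the resolver sees the domain name and nothing else. The following is an added example, not code from the original posts, showing how such a request is built for the Cloudflare endpoint Firefox uses by default and how a reply is parsed; the reply bytes and the 198.51.100.7 address are constructed for the demo and no network is used.

```python
"""DNS-over-HTTPS (RFC 8484) request building and response parsing.
Added example; the response below is constructed, not fetched."""
import base64
import struct
from urllib.parse import urlencode

# Assumption: Firefox's default DoH resolver; any RFC 8484 endpoint works the same way.
DOH_ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard DNS query (A record by default) with the RD flag set.
    RFC 8484 recommends ID 0 so identical queries can be cached by HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(name: str) -> str:
    """GET form: the whole DNS message rides in the 'dns' parameter as unpadded
    base64url, inside TLS, so only the resolver (not the ISP) can read it."""
    token = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return DOH_ENDPOINT + "?" + urlencode({"dns": token})

def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_answers(msg: bytes):
    """Return (name, ipv4) pairs from the answer section of a wire-format reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers

def sample_response() -> bytes:
    """Constructed reply to build_query('example.com'): QR/RD/RA set, one A record
    whose owner name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
    return header + build_query("example.com")[12:] + rr

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_answers(sample_response()))
```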

Cleartext DNS is the worst … but DNSSEC would fix some of the biggest issues.
But it’s the same as with IPv6. There is something new, better (maybe), but nobody uses it.
Because most people are comfortable and have no sense of security.

They will use Windows XP and Windows SRV2003 … Heartbleed … etc.

And the admins who are responsible for security have their life made unnecessarily difficult hiding the garbage (advertising, data theft) from them.

So, if you ask me I would say:

  • use open software and an open OS
  • use (Open)VPN from a non-Five-Eyes company (to hide traffic from your ISP)
  • use open and non-logging DNS servers (over VPN) :wink:
  • don’t use Chrome
  • don’t use Windows or Mac
  • and the most important thing … stay up to date

Then you don’t need DNS over TCP or HTTPS Cloudflare stuff or anything else! :wink:

1 Like

You will find some DNS servers on OpenNIC that support DNSCrypt, unfortunately ours don’t.

1 Like

Sounds like a new project … :wink:

1 Like

Well it should be supported, just not configured.

1 Like