In July 2018, Mozilla ran a planned Firefox Nightly experiment with secure DNS via the DNS over HTTPS (DoH) protocol. About 25,000 Firefox Nightly 63 users who had agreed to take part in Nightly experiments participated in this study. Cloudflare operated the DoH servers used in the study under the privacy policy it had agreed with Mozilla. Each user was additionally given information about the project directly in the browser, including the identity of the service provider and an opportunity to decline participation in the study.
Browser users are currently exposed to spying on and spoofing of their DNS traffic because the traditional DNS protocol is neither encrypted nor authenticated. Using a trusted cloud-based DoH service in place of traditional DNS is a significant change in how networking operates, and it raises many considerations going forward, especially in how resolvers are selected. However, the initial experiment focused on validating two separate, important technical questions:
- Does the use of a cloud DNS service perform well enough to replace traditional DNS?
- Does the use of a cloud DNS service create additional connection errors?
The experiment is now complete, and here are the highlights of the findings:
- DoH with a cloud service provider shows a minor performance impact on the majority of non-cached DNS queries as compared to traditional DNS. Most queries were around 6 milliseconds slower, which seems to be an acceptable cost for the benefit of securing the data. However, the slowest DNS transactions performed much better with the new DoH-based system than with the traditional one, sometimes by hundreds of milliseconds.
Source: Firefox Nightly
- The above chart shows the net improvement of the DoH performance distribution vs the traditional DNS performance distribution. The fastest DNS exchanges are at the left of the chart and the slowest at the right. The slowest 20% of DNS exchanges are radically improved (improvements of several seconds are truncated for chart formatting reasons at the extreme), while the majority of exchanges exhibit a small tolerable amount of overhead when using a cloud service. It shows a good result.
- The Firefox team hypothesized that the improvements at the tail of the distribution derive from two advantages DoH has over traditional DNS. First, consistency of service operation: among the thousands of different operating-system and network resolver configurations in the wild, some are overloaded, unmaintained, or forwarded to strange locations, whereas a single well-run DoH service behaves uniformly. Second, HTTP's use of modern loss recovery and congestion control (DoH runs over TLS and TCP rather than a single UDP datagram with a retransmit timer) allows it to operate better on very busy or low-quality networks.
- The experiment also considered connection error rates and found that users on the DoH cloud service in 'soft-fail' mode experienced no statistically significant difference in connection error rate from users in a control group using traditional DNS. Soft-fail mode primarily uses DoH, but it falls back to traditional DNS when a name does not resolve correctly via DoH or when a connection to the address DoH returned fails. The connection error rate measures whether an HTTP channel can be successfully established from a name, and therefore incorporates the fallbacks into its measurements. These fallbacks are needed to ensure seamless operation in the presence of firewalled services and captive portals.
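To make the two mechanisms above concrete, here is an added example (not Mozilla's or Cloudflare's code) that builds the wire-format DNS query a DoH client sends in the RFC 8484 GET form, parses a wire-format answer, and applies the soft-fail rule described in the experiment: DoH first, native resolver on transport failure, on a non-answer, or when the DoH-returned address cannot be connected to. In Firefox this mode corresponds to the preference network.trr.mode = 2 (DoH first, native fallback), as opposed to 3 (DoH only, no fallback). The Cloudflare endpoint URL, the DohUnreachable exception, and the sample answers built by make_response are assumptions for the example; nothing touches the network.

```python
"""Added example: RFC 8484 DoH query encoding plus Firefox-style soft-fail
resolution. Not code from the experiment; the resolver callbacks are
injected so the whole thing runs offline."""
import base64
import secrets
import struct

# Cloudflare's public RFC 8484 endpoint (assumed here; any DoH URL works).
CLOUDFLARE_DOH = "https://cloudflare-dns.com/dns-query"

QTYPE_A, QCLASS_IN = 1, 1


def build_dns_query(name, qtype=QTYPE_A, txid=None):
    """Encode a single-question DNS query in RFC 1035 wire format."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable transaction ID
    # flags 0x0100: standard query, recursion desired; one question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(query, base_url=CLOUDFLARE_DOH):
    """RFC 8484 GET form: the wire-format query, base64url without padding,
    in the `dns` parameter. The request carries Accept: application/dns-message."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length


def parse_dns_response(data):
    """Return (rcode, [IPv4 strings]) from a wire-format DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    rcode = flags & 0x000F  # 0 = NOERROR, 3 = NXDOMAIN
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip qtype + qclass
    addresses = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return rcode, addresses


def make_response(query, rcode=0, ip=None):
    """Constructed sample answer to `query` (not a real capture): echoes the
    question and, if `ip` is given, adds one A record whose owner name is a
    0xC00C pointer back to the question name."""
    txid = struct.unpack_from("!H", query, 0)[0]
    ancount = 1 if ip is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if ip is not None:
        answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes(ip)
    return header + query[12:] + answer


class DohUnreachable(Exception):
    """Assumed signal that the HTTPS connection to the DoH server failed."""


def resolve_soft_fail(name, doh_lookup, native_lookup, can_connect=lambda addrs: True):
    """Soft-fail as described for the experiment: ask DoH first; fall back to
    the OS resolver when (a) the DoH transport fails, (b) the name does not
    resolve via DoH, or (c) the DoH-returned address cannot be connected to
    (split-horizon names, captive portals). Returns (addresses, source)."""
    try:
        rcode, addresses = parse_dns_response(doh_lookup(build_dns_query(name)))
        if rcode == 0 and addresses and can_connect(addresses):
            return addresses, "doh"
    except DohUnreachable:
        pass
    return native_lookup(name), "native"


if __name__ == "__main__":
    q = build_dns_query("example.com", txid=0x1234)
    print(doh_get_url(q))
    native = lambda name: ["192.0.2.10"]  # constructed native answer
    print(resolve_soft_fail("example.com", lambda qq: make_response(qq, ip=(198, 51, 100, 7)), native))
    print(resolve_soft_fail("example.com", lambda qq: make_response(qq, rcode=3), native))
    print(resolve_soft_fail("example.com", lambda qq: make_response(qq, ip=(198, 51, 100, 7)), native,
                            can_connect=lambda a: False))
```

The fallback is what keeps the connection error rate flat behind captive portals and firewalls, but it is also a downgrade path: an on-path attacker who can block port 443 to the resolver, or return a bogus DoH answer whose address never connects, pushes the client back onto plaintext DNS. Soft-fail trades some of DoH's protection for reachability; a DoH-only configuration gives the reverse trade.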
“We’re committed long term to building a larger ecosystem of trusted DoH providers that live up to a high standard of data handling. We’re also working on privacy preserving ways of dividing the DNS transactions between a set of providers, and/or partnering with servers geographically. Future experiments will likely reflect this work as we continue to move towards a future with secured DNS deployed for all of our users.” says the Firefox Nightly team.