Firefox now defaults to Cloudflare DNS, what if you're using AdGuard DNS or AdGuard Home
First of all, for those who don't know the news yet: Firefox has enabled DNS-over-HTTPS by default for US users.
The Firefox team has been talking about doing this for a long time, and this initiative of theirs has caused serious debate in the community and among experts.
But what's the problem, you might ask?
Basically, all the criticism boils down to the fact that now, instead of Internet providers, it's Cloudflare who will see the browsing history of users. And this is not exactly a good thing: when all users' browsing history is controlled by a very few selected companies, it doesn't matter how well-intended or reputable these companies are, the risk of something going wrong with users' data skyrockets.
Experts, and we too, are wondering why Firefox made this decision. What does Cloudflare get from this deal? Is it really possible that DNS centralization and turning one of the DNS providers into a "super-provider" (albeit using an encrypted protocol) will ultimately bring any benefit?
For our part, we take this approach quite cautiously.
If this is a temporary measure designed to solve the problem with the Internet providers' surveillance of users specifically in the US, then yes, this idea has legs. But if, by some misfortune, this solution is picked up by other browsers, this can damage the decentralized system of DNS servers.
Comment from Andrey Meshkov, AdGuard's CTO and co-founder
Some people argue that the DoH protocol is secure, so there's nothing to worry about. First, it helps, but it's not as secure as the general public thinks. And second, those ISPs that really, really want to get access to your traffic will do so anyway, by using HTTPS imperfections, for example.
We think that the main risk of Mozilla's approach is potential DNS centralization, and there are plenty of issues with it. Please note that the points below describe an apocalyptic scenario, and things are not that bad now. We just want to warn you and explain why this is important.
So what might happen if DNS is fully centralized:
- A small number of cloud companies (Google, Cloudflare, etc.) will be the ones who control the Internet.
- Decreased stability. Concentrating DNS in a handful of providers leaves the Internet with fewer, bigger points of failure, so an outage at one of them affects far more users.
- What bothers us most, DNS filtering software (like AdGuard DNS or AdGuard Home) won't work anymore. There are examples of that already: Google Home devices use Google's DNS server, which makes such software ineffective.
Nevertheless, DNS encryption is a step in the right direction, we cannot argue with that. It's just not the ultimate solution and should not be conceived as one.
Let us please repeat two things in bold so that there is no misunderstanding:
- DoH is a GOOD thing, there is nothing wrong with the protocol.
- DNS centralization is a BAD thing.
What if I'm using AdGuard DNS/AdGuard Home?
Luckily, Firefox provides a way to opt out of its default DNS-over-HTTPS server: the so-called canary domain, which filtering DNS servers (like AdGuard DNS or AdGuard Home) use to signal Firefox that it should keep the resolver already configured on the system.
So if you are using AdGuard DNS or AdGuard Home, you can relax: you will not be switched to another DNS server without your knowledge.
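If you run your own filtering resolver, you may want to confirm that it actually answers the canary domain the way Firefox expects. The script below is an added example, not AdGuard's or Mozilla's code: it builds a plain DNS query for Firefox's canary domain (use-application-dns.net, a known Firefox mechanism), sends it to the resolver of your choice over UDP/53, and reports whether the answer (NXDOMAIN or an empty answer) keeps Firefox on your resolver. The resolver address 127.0.0.1 is an assumed default.

```python
# Added example (not AdGuard's code): check how your resolver answers Firefox's canary domain.
# Firefox keeps DoH off when the system resolver returns NXDOMAIN (or no A/AAAA records)
# for use-application-dns.net; AdGuard Home blocks that name for exactly this reason.
import socket
import struct

CANARY = "use-application-dns.net"  # Firefox's canary domain (known, not constructed)
TXID = 0x1234                        # fixed transaction id so the reply can be matched

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query (RD=1) for `name`, type A (1), class IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data: bytes) -> dict:
    """Return the transaction id, RCODE and answer count from a DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"id": txid, "rcode": flags & 0x000F, "answers": an}

def canary_disables_doh(data: bytes) -> bool:
    """True when the reply is NXDOMAIN (RCODE 3) or a NOERROR reply carrying no answers."""
    r = parse_response(data)
    return r["rcode"] == 3 or (r["rcode"] == 0 and r["answers"] == 0)

def query_udp(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Send the query to `server` on UDP/53 and return the raw response bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    if parse_response(data)["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return data

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed: your AdGuard Home
    reply = query_udp(resolver, CANARY)
    if canary_disables_doh(reply):
        print(f"{resolver} blocks {CANARY}: Firefox will keep using this resolver")
    else:
        print(f"{resolver} resolves {CANARY}: Firefox may switch to its default DoH server")
```

Run it as `python3 canary_check.py <resolver-ip>`; a resolver that answers the canary with a real address is one Firefox will silently replace with its default DoH server.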
Nevertheless, we recommend that you configure Firefox specifically to use the DNS-over-HTTPS version of AdGuard DNS. To do so, in the Firefox browser head to Settings, then Network Settings, scroll down to DNS-over-HTTPS, choose "Custom" and enter https://dns.adguard.com/dns-query, like this: