Your internet service provider (ISP) can track every website you go to, even if you’re using HTTPS. How? They watch your domain name service (DNS) lookups. What’s that? Well when you go to “Google.com” you’re not really going to google.com. You’re going to an IP address that your DNS has routed you to. You’re telling someone else where you want to go.
Think of it like asking a friend for another friend’s phone number. You might not have Jeff’s phone number, but Sarah has it, so she gives it to you so you can call Jeff. However, now Sarah knows you’re talking to Jeff. You can anonymize your traffic all you want, talk to Jeff in your secret language or off in a corner away from Sarah, but as long as you’re still asking Sarah for Jeff’s information, she knows more details than you likely want her knowing. In this scenario, your ISP is Sarah, and it’s not just nosy, it’s spying on you. Every time you ask your ISP for an IP address, they’re tracking you. Also, anyone watching your internet traffic can track you too. Now they know you’re interested in buying a Nintendo Switch, a new keyboard, and maybe a new skateboard. They can sell that information to advertisers who will want you buying from them.
So, what do you do?
You can manually set up an encrypted DNS server, like Cloudflare’s 1.1.1.1 service. It’s not hard, but it does involve going into your computers network settings. What if you’re not much of a techie? Now the answer’s easy. Just use Firefox.
In This Article:
What is DNS Over HTTPS?
This is what happens when you don’t encrypt your notes!
So what is DNS over HTTPS? Well, it encrypts your request for an IP address based on that domain name. Let’s say, in the previous telephone example, you can instead ask Sarah for her phone and copy Jeff’s number out of it, then hand it back to her. Now she wouldn’t know who you’re texting, because she didn’t see what number you copied down. Your paramour’s identity is protected! That’s not really how DNS over HTTPS works, but it’s a close enough approximation to understand what we want to have happen here. With real DNS over HTTPS (DoH), you route secured HTTPS traffic to a third party source. Here, your request is encrypted, and your identity protected. There, you get the IP address for the website you want to look up. Now you can just go directly to it through HTTPS, no need to tell your ISP exactly where you’re going.
Mozilla explained it in far more detail here, if you’re interested. You’ll find I left a lot of details out to keep this article shorter. What you need to know is that, by using DNS over HTTPS, you prevent your ISP from seeing everything you do online. Your ISP has been collecting information on you and selling it for years. If you think Google’s data collection is bad, consider the fact that every request has been going through your ISP. One of the largest collectors of private information that you thought you had to just deal with is gone.
There’s another issue with insecure DNS lookups. Someone could spoof your DNS response. So, instead of going to your ISP to find out where YourBank.com is, it’s going to a hacker’s server. They tell you YourBank.com is at their address. You go to a fake site made to look like your bank’s website, and you log in, sending them your personal information. Now your bank account is theirs. They can forward you to the real website, say you entered your password wrong, and you’d never know you just handed your information over to a hacker.
And Encryption Protects This?
Sure does! By encrypting your request and the response, not even the servers handling your data between your computer and the DNS servers can read or modify it. Since they can’t decrypt or encrypt it the same way as the DNS servers, your data is secure when it leaves your computer and the response is protected from tampering as well. The service, if it’s something like Cloudflare, collects no personal data. They’re just serving up IP Addresses.
Your ISP will be able to collect a small amount of information on the first sites you visit, but not the details. They won’t be able to see anything in the initial DNS lookup, but they will be able to see the IP address you’re heading for eventually. They can perform their own DNS lookup on that to relate it to a website. But they won’t know what you do once you go to a domain. For example, your ISP may be able to figure out that you went to Amazon.com, but won’t know what you’re shopping for or if you bought anything.
Firefox’s DNS Over HTTPS
The new service works using Cloudflare’s excellent secure DNS. Once enabled, every website you enter into your address bar is encrypted and looked up on Cloudflare’s servers. Your ISP won’t be able to track you. Mozilla is also working with NextDNS. While I have less information on them, they do the same thing Cloudflare does: secure your browsing. Firefox may decide to automatically switch between trusted services, so you don’t have to sacrifice performance for security and privacy.
This isn’t just a pie in the sky plan. Firefox has rolled out the feature to users already, you just have to set it up.
How Do I Enable It?
Mozilla hopes to bring this to all Firefox users soon. However, if you’re impatient (and I am), you can enable it right now. Just go into preferences (Command + , or Firefox -> Preferences). In the General tab, scroll to the bottom. There, click “Settings….” Next, look to the last checkbox, “Enable DNS over HTTPS.” Turn it on, then click OK. You can select Cloudflare or NextDNS, it’s up to you, but it’ll default to Cloudflare. That’s it! You’re secured!
Other Firefox Protection
I’d be remiss if I didn’t mention this. Mozilla was already killing it with Firefox. Not only does the browser block tracking cookies and other tracking requests automatically, it’s highly customizable with plugins that can disable even more tracking, like ad blockers. It also has a Facebook container extension. This ensures that Facebook can’t track your activity outside of Facebook. Normally, Facebook uses cookies and their “Sign in with Facebook” service to track your movement around the web. But Firefox’s Container extension will lock up all Facebook’s information in a container. It’ll hide your traffic from Facebook.
Firefox can help keep your data safe, secure, and private. That’s pretty rare these days. Some browsers are based on doing the exact opposite.
Firefox Under Fire?
So, this has likely all sounded wonderful, right? You get more security, advertisers can’t track you, and even your ISP is out of luck. That means you get to browse in peace without worrying about whether or not Facebook or Google are going to start selling you something.
Well, this is a lot like how Apple started encrypting the data on your iPhone. If your data is yours, it makes it much harder for the government to steal it too. In fact, the U.K. government has stated that it would block any such privacy measures in the interest of protecting children, but a majority of the complaints come from ISPs, who want to sell your data. Those who state that DoH could protect people looking for child pornography think perverts are simply Googling for their exploitative trash. They’re not. They’re already securing their movements. That’s why so many go undetected for years, or are caught by accident or through sting operations. These security methods have always been available to criminals. Now they’re in your hands. Best of all, Firefox still works with law enforcement agencies in the U.K. to ensure traffic to known restricted websites doesn’t receive protection. Someone using Firefox may thing their illegal misdeeds are secured, only to have the police knocking at their door.
Of course, to a government or corporation that wants all of your data at all times, warrant or not, then, yes, this is a problem. But I won’t worry about them too much. Mozilla won’t either. That is, until the FBI decides it’s tired of trying to bully Apple and sets their sights on Mozilla. That’s a risk Mozilla seems to be willing to take.
Users First
Mozilla knows this could lead to a legal battle with the United States government. They know most users won’t understand what encrypted DNS over HTTPS actually means. They don’t care. They’re just making a fantastic product that protects users’ privacy. That’s why I’ve been a regular Firefox user for years. Safari isn’t cross platform and lacks the most advanced privacy features. Google Chrome doesn’t know the meaning of the word privacy and sells everything you do to advertisers. Brave? They replace ads with their own, potentially cutting out small blogs from revenue. Plus it’s ran by a homophobe. But Firefox? With that, you know what you’re getting: a fast, safe, and private browser. Plus, they kicked that homophobe to the curb.
Later this year, we expect that Mozilla will be launching their own VPN service. This would encrypt all traffic through your internet connection, allowing you to anonymize everything you do. With a secure VPN and Firefox, advertisers won’t know what you’re doing on the internet. What you browse, what you buy, what you watch, and what you read will be for your eyes only. Mozilla is leaning heavily on privacy in an increasingly hostile world. Let’s hope it works out for all of us.