Mozilla Firefox is expected to introduce two new features in its next release: DNS over HTTPS (DoH) and the Trusted Recursive Resolver (TRR), both of which it has been testing in the browser's Nightly build. Mozilla promotes TRR specifically as a security feature. In the Nightly experiment the browser bypasses the DNS servers configured on the system and sends its lookups to Cloudflare's DoH resolver instead. This partnership has drawn sharp criticism on privacy and security grounds, because it gives Cloudflare visibility into every DNS request the browser makes and the information those requests reveal.
To understand why critics view the Cloudflare-backed TRR this way, it helps to recall what DNS does. When you type a website's name, your computer asks a DNS resolver to translate that name into the IP address of the website's server; the resolver returns the address and your computer connects to it. Every lookup therefore reveals the name of the site you are about to visit, together with the address of the machine asking. This is not normally considered a privacy violation: it is simply how connections are established, and because your Internet Service Provider (ISP) usually runs the resolver you use, it can see this information anyway.
Why, then, is Mozilla so keen to insert another resolver in front of the one your ISP already provides? With TRR, Mozilla wraps the previously plaintext DNS exchange in HTTPS, so that nobody on the path between your browser and the resolver can read or tamper with it. Critics argue that this adds little at home: the plaintext query only travels between your machine and your ISP's resolver, so observing it requires an attacker on that path, meaning your local network or the ISP itself.
Mozilla's TRR encrypts this traffic regardless, through the Cloudflare partnership. The concern that the ISP could see your browsing history does not go away; it moves, and Cloudflare becomes the party with the complete picture of your lookups. The feature does improve security on unfamiliar or public networks, where an attacker on the same network can read or spoof unencrypted DNS answers and redirect you to a phishing site that harvests your personal information. On a home network it is not seen as adding value, which is why critics call the security label misleading. And because government agencies can legally compel Cloudflare to hand over such records, users' privacy remains at risk beneath this added layer of security.
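To make the point above concrete, the following Node.js script is an added example (not Firefox, Mozilla or Cloudflare code) of what a DoH client such as TRR actually puts on the wire: the ordinary DNS message, base64url-encoded into the resolver URL for a GET as RFC 8484 specifies, and the wire-format reply parsed back. HTTPS hides the exchange from the network path, but the resolver at the far end decodes every hostname exactly as this parser does. The resolver URL and the reply bytes are constructed for the example; nothing is sent over the network.

```javascript
// Added example (not Firefox, Mozilla or Cloudflare code): build the wire-format
// DNS query a DoH client sends, wrap it the way RFC 8484 requires, and parse the
// wire-format reply. The resolver URL and the reply bytes are constructed for
// this example; nothing here touches the network.

const TYPE_A = 1;
const CLASS_IN = 1;

// "www.example.com" -> \x03www\x07example\x03com\x00
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    const bytes = Buffer.from(label, 'ascii');
    if (bytes.length === 0 || bytes.length > 63) throw new Error(`bad label: ${label}`);
    parts.push(Buffer.from([bytes.length]), bytes);
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Standard recursive query. RFC 8484 recommends ID 0 so that identical queries
// yield identical HTTP requests, which HTTP caches can then serve.
function buildQuery(name, qtype = TYPE_A) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0, 0);      // ID
  header.writeUInt16BE(0x0100, 2); // flags: RD (recursion desired)
  header.writeUInt16BE(1, 4);      // QDCOUNT; AN/NS/ARCOUNT stay 0
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(qtype, 0);
  tail.writeUInt16BE(CLASS_IN, 2);
  return Buffer.concat([header, encodeName(name), tail]);
}

// GET form: the whole DNS message goes base64url-encoded (no padding) into the
// "dns" parameter. (The POST form sends the same bytes as the request body with
// Content-Type: application/dns-message.) Either way it travels inside TLS.
function dohGetUrl(resolverUrl, query) {
  const b64url = query.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${resolverUrl}?dns=${b64url}`;
}

// Read a possibly compressed name at `offset`; returns [name, offsetAfterName].
function readName(buf, offset) {
  const labels = [];
  let resume = -1; // set when we follow a compression pointer
  for (let hops = 0; ; hops++) {
    if (hops > 64) throw new Error('compression loop');
    const len = buf[offset];
    if (len === 0) { offset += 1; break; }
    if ((len & 0xc0) === 0xc0) {          // pointer: 14-bit offset into the message
      if (resume < 0) resume = offset + 2;
      offset = buf.readUInt16BE(offset) & 0x3fff;
      continue;
    }
    labels.push(buf.toString('ascii', offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  return [labels.join('.'), resume < 0 ? offset : resume];
}

// Parse a query or a reply: the resolver runs exactly this over what it receives,
// so the plaintext hostname is available to it regardless of the TLS wrapper.
function parseMessage(buf) {
  const flags = buf.readUInt16BE(2);
  const msg = { id: buf.readUInt16BE(0), isResponse: (flags & 0x8000) !== 0,
                rcode: flags & 0x0f, questions: [], answers: [] };
  let off = 12;
  for (let i = buf.readUInt16BE(4); i > 0; i--) {
    const [name, next] = readName(buf, off);
    msg.questions.push({ name, type: buf.readUInt16BE(next) });
    off = next + 4;                       // QTYPE + QCLASS
  }
  for (let i = buf.readUInt16BE(6); i > 0; i--) {
    const [name, next] = readName(buf, off);
    const type = buf.readUInt16BE(next);
    const ttl = buf.readUInt32BE(next + 4);
    const rdlen = buf.readUInt16BE(next + 8);
    const rdata = buf.subarray(next + 10, next + 10 + rdlen);
    const data = type === TYPE_A && rdlen === 4 ? Array.from(rdata).join('.') : rdata.toString('hex');
    msg.answers.push({ name, type, ttl, data });
    off = next + 10 + rdlen;
  }
  return msg;
}

// Constructed sample reply (not captured from any resolver): ID 0, flags 0x8180
// (QR, RD, RA, NOERROR), the question echoed, then one A record whose name is a
// compression pointer to offset 12, TTL 300, address 192.0.2.1 (documentation range).
const SAMPLE_REPLY = Buffer.concat([
  Buffer.from([0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00]),
  encodeName('www.example.com'), Buffer.from([0x00, 0x01, 0x00, 0x01]),
  Buffer.from([0xc0, 0x0c, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2c, 0x00, 0x04, 192, 0, 2, 1]),
]);

const RESOLVER = 'https://doh.example/dns-query'; // hypothetical endpoint, not Cloudflare's
const query = buildQuery('www.example.com');
console.log('GET', dohGetUrl(RESOLVER, query));
console.log('resolver decodes:', parseMessage(query).questions[0].name);
console.log('reply:', parseMessage(SAMPLE_REPLY).answers[0]);
```

The encoded query for www.example.com matches the worked example in RFC 8484 byte for byte, which is a useful sanity check when you compare against what the browser's network monitor shows. The parser handles name compression because real replies almost always use it, and it caps pointer hops so a malicious reply cannot loop it forever.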
For now TRR is only in the Nightly build. Users can turn it off by entering about:config in the address bar, searching for network.trr, and setting network.trr.mode to 5 (explicitly off; the companion network.trr.uri preference holds the resolver URL the browser would otherwise use).