Comcast, Mozilla strike privacy deal to encrypt DNS lookups in Firefox

Posted by AngelaWong, 26-06-2020

Comcast is partnering with Mozilla to deploy encrypted DNS lookups on the Firefox browser, the companies announced today. Comcast's version of DNS over HTTPS (DoH) will be turned on by default for Firefox users on Comcast's broadband network, but people will be able to switch to other options like Cloudflare and NextDNS. No availability date was announced.

Comcast is the first ISP to join Firefox's Trusted Recursive Resolver (TRR) program, Mozilla said in today's announcement. Cloudflare and NextDNS were already in Mozilla's program, which requires encrypted-DNS providers to meet privacy and transparency criteria and pledge not to block or filter domains by default "unless specifically required by law in the jurisdiction in which the resolver operates."

"Adding ISPs in the TRR program paves the way for providing customers with the security of trusted DNS resolution, while also offering the benefits of a resolver provided by their ISP such as parental control services and better optimized, localized results," the announcement said. "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user."

Firefox CTO Eric Rescorla said that "bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences," and that Mozilla hopes today's news "sets a precedent for further cooperation between browsers and ISPs."

Joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements. Mozilla noted in today's announcement that encrypting DNS is "the first step" toward privacy, and not the only necessary step.

Firefox began enabling DoH by default, with Cloudflare as the resolver, for US-based users in February.

Mozilla and Comcast haven't said exactly when Comcast's encrypted DNS will be available on Firefox. Whenever it happens, the change should be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."

Mozilla told Ars that Comcast's DoH in Firefox will be "opt-out," meaning that it will be possible to switch from Comcast to Cloudflare or NextDNS. Instructions for switching encrypted-DNS providers in Firefox are available here.
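For an administrator who wants Firefox on a managed fleet to keep a specific DoH resolver rather than be assigned the ISP's resolver under the opt-out behaviour described above, Firefox's enterprise policy file can pin the provider; this is an added illustration, not configuration from the article or from Mozilla's announcement, and the provider URL shown is assumed to be the Cloudflare endpoint Firefox's TRR program uses (check it against Mozilla's current documentation before deploying).

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://mozilla.cloudflare-dns.com/dns-query",
      "Locked": true
    }
  }
}
```

With `Locked` set, the resolver cannot be changed from the browser UI, so the automatic TRR assignment the article describes would not apply to these users.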

More information

source: https://arstechnica.com/tech-policy/2020/06/comcast-mozilla-strike-privacy-deal-to-encrypt-dns-lookups-in-firefox/?&web_view=true