Mozilla’s DNS Single Point of Failure built into Firefox

[German] Firefox’s developers are once again starting a (security) war against their users by attempting to implement DNS-over-HTTPS (DoH) and a Trusted Recursive Resolver (TRR) in the Firefox browser. But the way Mozilla does it creates a Single Point of Failure (SPOF). Here is some information on the subject and why this is bad, bad, bad.


Security expert Stefan Kanthak sent me an e-mail last Sunday (subject: ‘The fools at Mozilla have failed again’) to draw my attention to the facts. I will try to collect and prepare the various pieces of background information.

DNS Services

When you enter a URL containing an internet domain into a browser, the computer contacts a DNS server. The domain part of the URL is translated into an IP address, and this IP address is then used to contact the web server behind that domain. But DNS has two major problems.

  • First, everyone along the communication path can see the DNS requests sent by a user’s system. This carries the risk of surveillance.
  • Second, it is possible to send false answers that redirect people to other servers. This may be used to deploy malware or government trojans.

The first problem, that someone could read DNS requests, is usually not very big if you use the DNS server of a trustworthy (in my case, a German) Internet provider. But this problem becomes worse if you configure Google’s or Cloudflare’s DNS server for DNS resolution. The NSA can very easily access both of these IP addresses (which are subject to US law) and thus intercept and even manipulate DNS requests.

The story within the ungleich blog

The ungleich blog reported that Mozilla will introduce two new features into its Firefox browser (currently these features are included in nightly builds). One feature is “DNS over HTTPS” (DoH) and the other is the Trusted Recursive Resolver (TRR). The good thing: Mozilla intends to transport DNS requests over HTTPS, which encrypts the data, so third parties can’t read them.

But there is another aspect. Mozilla would like to override the default DNS service configured within your network with its own DNS service, using the new Firefox feature called “Trusted Recursive Resolver” (TRR). Currently Mozilla turns this on by default in nightly Firefox builds. So all DNS requests go to the DNS service Mozilla has pre-configured within Firefox, regardless of what you have configured within your network.


For Firefox, Mozilla has partnered with Cloudflare and will resolve domain names from the application itself via a DNS server from Cloudflare, located in the United States. Cloudflare will then be able to read everyone’s DNS requests, as noted in the blog post. Mozilla’s developers advertise the “Trusted Recursive Resolver” feature as ‘increasing security’, but security geeks see the opposite. While TRR raises security in an untrustworthy network (public Wi-Fi), because the DNS requests for the websites you visit are no longer exposed to a random DNS server, there is a drawback.

Mozilla attempts to integrate a single point of failure (SPOF) into Firefox. If a SPOF breaks, the whole security infrastructure breaks. The SPOF built into Firefox is the use of Cloudflare’s DNS service to resolve URLs into IP addresses. If Cloudflare’s DNS service is down, no Firefox user can surf anymore. But much more critical: if Cloudflare’s DNS service is compromised, the whole chain is broken. DNS requests may be redirected to malicious sites or government sites, where malware and government trojans may be distributed.

After Mozilla’s change, all DNS requests are also recorded by Cloudflare’s DNS service. Because Cloudflare is located in the US, any government agency has the legal right to request data from Cloudflare. Or as the ungleich blog wrote:

With Mozilla’s change, any (US) government agency can basically trace you down. If there is anything wrong with your government (for instance corruption, collusion or fraud) and you have information to publish about it, the government will be able to trace you down. This puts any whistleblower at risk.

So it simply isn’t true in general that TRR increases security. The Mozilla way (currently used in nightly builds) is the wrong way – or a built-in SPOF.

Turn TRR off in Firefox

There has been a Hacker News post describing how to disable TRR in the Firefox browser. Just enter about:config in the browser’s address bar, press ENTER and then search for the entry network.trr. Set the value to:

network.trr.mode = 5

Then the redirection to Cloudflare’s DNS service is switched off. Within the ungleich blog and also at you will find more details. A German blogger describes it as ‘Mozilla’s developers are again in a war against their users’. So it’s time to dump Firefox.
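If you administer several machines, you probably don’t want to open about:config on each of them to see whether TRR is still pointing the browser at a foreign resolver. The following script is an added example (mine, not from the post, from Mozilla or from the ungleich blog): it parses the user_pref lines of a Firefox prefs.js (or user.js) file and reports the state of network.trr.mode and the configured network.trr.uri. The post only names mode 5; the other mode labels in the table (0 = off by default, 2 = TRR first with system DNS as fallback, 3 = TRR only) are Mozilla’s documented meanings to the best of my knowledge and are marked as such in the code. The prefs.js content embedded below is constructed, and the resolver URL in it is a placeholder, not a real service.

```python
import re
import sys

# Constructed prefs.js fragment for demonstration; the resolver URL is a
# placeholder (.invalid TLD), not a real DoH endpoint.
SAMPLE_PREFS = '''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://example-doh-resolver.invalid/dns-query");
user_pref("network.trr.bootstrapAddress", "192.0.2.1");
'''

# Matches one line of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Mode meanings as documented by Mozilla (editor's knowledge, not from the post,
# which only names mode 5). Anything else is reported as unknown.
TRR_MODE_LABELS = {
    0: "off (browser default, system DNS is used)",
    2: "TRR first, fall back to system DNS on failure",
    3: "TRR only, no fallback to system DNS",
    5: "off (explicitly disabled by the user)",
}


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict; comments and other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"      # boolean pref
        else:
            try:
                prefs[key] = int(raw)       # integer pref
            except ValueError:
                prefs[key] = raw            # keep anything odd verbatim
    return prefs


def trr_status(prefs):
    """Summarise the TRR-related prefs. A missing network.trr.mode means mode 0."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "mode": mode,
        "label": TRR_MODE_LABELS.get(mode, "unknown mode"),
        "resolver": prefs.get("network.trr.uri", ""),
        "doh_active": mode in (2, 3),        # DNS leaves the browser over DoH
        "explicitly_disabled": mode == 5,    # the setting the post recommends
    }


def audit(text):
    """Parse prefs text and return the TRR status dict."""
    return trr_status(parse_prefs(text))


def report(status):
    """Human-readable one-line verdict for the status dict."""
    line = "network.trr.mode = %s (%s)" % (status["mode"], status["label"])
    if status["doh_active"]:
        line += "; DNS requests are sent to %s" % (status["resolver"] or "<no URI set>")
    return line


if __name__ == "__main__":
    # Usage: python trr_audit.py /path/to/profile/prefs.js  (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS
    print(report(audit(text)))
```

Run against a real profile, the script only reads the file; to actually switch TRR off you still set network.trr.mode to 5 as described above (or ship that line in a user.js). Note that a profile without any network.trr.mode line is reported as mode 0, which is what you get in a fresh release-channel profile; the nightly builds the post talks about set the mode to something else at build time, so an audit of the file alone can under-report and you should also confirm the live value in about:config.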


This entry was posted in browser, Security.

2 Responses to Mozilla’s DNS Single Point of Failure built into Firefox

  1. wsusu says:

    Hello, are you sure that DNS is now a SPOF of Firefox?
    Because I read that if Cloudflare DNS can’t find the DNS name (because it is a local DNS namespace), local DNS servers are used.
    So maybe Cloudflare is only the first priority, but system DNS servers are always there.
    Or did you test it with DNS to Cloudflare blocked?

    • guenni says:

      The SPOF has two aspects: one is fail-safety (maybe there will be a failover solution, but I don’t know what happens if Cloudflare’s DNS service is down). But the other is surveillance. If all DNS requests worldwide are going to one service provider in the US, guess what happens? That’s the major concern security experts here in Europe express (or in other words: it’s a no-go).
