Comcast is partnering with Mozilla to deploy encrypted DNS lookups on the Firefox browser, the companies announced today. Comcast's version of DNS over HTTPS (DoH) will be turned on by default for Firefox users on Comcast's broadband network, but people will be able to switch to other options like Cloudflare and NextDNS. No availability date was announced.
Comcast is the first ISP to join Firefox's Trusted Recursive Resolver (TRR) program, Mozilla said in today's announcement. Cloudflare and NextDNS were already in Mozilla's program, which requires encrypted-DNS providers to meet privacy and transparency criteria and pledge not to block or filter domains by default "unless specifically required by law in the jurisdiction in which the resolver operates."
"Adding ISPs in the TRR program paves the way for providing customers with the security of trusted DNS resolution, while also offering the benefits of a resolver provided by their ISP such as parental control services and better optimized, localized results," the announcement said. "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user."
Firefox CTO Eric Rescorla said that "bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences," and that Mozilla hopes today's news "sets a precedent for further cooperation between browsers and ISPs."
Joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements. Mozilla noted in today's announcement that encrypting DNS is "the first step" toward privacy, and not the only necessary step.
Firefox started providing DNS over HTTPS (DoH) by default with Cloudflare to US-based users in February.
Mozilla and Comcast haven't said exactly when Comcast's encrypted DNS will be available on Firefox. Whenever it happens, the change should be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."
Mozilla told Ars that Comcast's DoH in Firefox will be "opt-out," meaning that it will be possible to switch from Comcast to Cloudflare or NextDNS. Instructions for switching encrypted-DNS providers in Firefox are available here.
DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.
The Comcast/Mozilla partnership is notable because ISPs have fought plans to deploy DNS over HTTPS in browsers, and Mozilla's work on the technology is largely intended to prevent ISPs from snooping on their users' browsing. In September 2019, industry groups including the NCTA cable lobby that Comcast belongs to wrote a letter to Congress objecting to Google's plans for encrypted DNS in Chrome and Android. Comcast gave members of Congress a lobbying presentation that claimed the encrypted-DNS plan would "centraliz[e] a majority of worldwide DNS data with Google" and "give one provider control of Internet traffic routing and vast amounts of new data about consumers and competitors." Comcast's lobbying presentation also complained about Mozilla's plan for Firefox.
Mozilla in November accused ISPs of lying to Congress in order to spread confusion about encrypted DNS. Mozilla's letter to Congress criticized Comcast, pointing to an incident in 2014 in which Comcast "injected ads to users connected to its public Wi-Fi hotspots, potentially creating new security vulnerabilities in websites." Mozilla said that because of the Comcast incident and others involving Verizon and AT&T, "We believe that such proactive measures [to implement encrypted DNS] have become necessary to protect users in light of the extensive record of ISP abuse of personal data." Mozilla also pointed out the country's lack of broadband privacy rules, which were killed by Congress in 2017 at the request of ISPs.
As Mozilla moved ahead with plans to automatically switch Firefox users to encrypted DNS providers such as Cloudflare, Comcast said it does not track its broadband users' Web browsing histories and launched a public beta of its own version of DNS over HTTPS. Eventually, they began working together. "Comcast and Mozilla have been discussing DNS encryption since 2019 and signed an agreement to deploy DoH to Firefox users on Comcast networks in March 2020," Mozilla told Ars.
Comcast's encrypted DNS should also be coming to Chrome at some point. Comcast is part of Chromium's DNS over HTTPS beta program, along with Cloudflare, OpenDNS, and others.