Mozilla announces DNS-over-HTTPS policy requirements
Over the past few months Mozilla has been testing Trusted Recursive Resolvers (TRRs) in the Firefox browser: a more secure name-resolution method that sends DNS queries over encrypted HTTPS (DNS-over-HTTPS) instead of plaintext UDP. Encryption alone does not settle the privacy question, though. It moves trust from every network on the path to the single resolver operator that now sees all of a user's queries, so that operator cannot be chosen arbitrarily.
Recently, Mozilla published a set of requirements that prospective resolver providers must meet, including:
Privacy Requirements
Mozilla’s TRR is intended to give Firefox users minimum privacy guarantees that are better than those of today’s ad hoc provisioning of DNS services. As such, resolvers must strictly limit the data they collect and share.
Transparency Requirements
The party operating the resolver must be transparent about any data collection and sharing that does occur in accordance with the above requirements.
Blocking & Modification Prohibitions
1. The party operating the resolver should not by default block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates. Mozilla will generally seek to work with DNS resolvers that provide unfiltered DNS responses and, at its discretion, may remove from consideration resolvers subject to legal filtering obligations, depending on the scope and nature of those obligations.
   - Resolvers may block or filter content with the user’s explicit consent.
2. For any filtering that does occur under the above requirement, the party must maintain public documentation of all domains that are blocked and a log of when particular domains are added to and removed from any blocklist.
3. When a domain requested by the user does not exist, the party operating the resolver must return an accurate NXDOMAIN response and must not modify the response or return inaccurate answers that direct the user to alternative content (for example, an operator-run search or advertising page).
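The third requirement is the one a practitioner can verify from the wire. A resolver that honours it answers a query for a nonexistent name with RCODE 3 (NXDOMAIN) and no address records; a resolver that rewrites NXDOMAIN answers with RCODE 0 plus an A record pointing at its own page. The script below is an added example, not Mozilla's or Firefox's code: it builds an RFC 1035 query (the same bytes RFC 8484 carries in a DoH POST body), parses the reply, and classifies it. The two sample replies are constructed inline; the probe name under `example.com`, the `203.0.113.10` address (a TEST-NET-3 documentation address) and the DoH URL placeholder are assumptions for illustration.

```python
"""Detect NXDOMAIN rewriting by a DNS resolver from raw DNS messages.

Added example, not Mozilla's or Firefox's code. A resolver that follows the
policy answers a nonexistent name with RCODE 3 (NXDOMAIN); one that
substitutes a search page answers with RCODE 0 plus an A record.
"""
import secrets
import struct
import urllib.request

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1
RCODE_NXDOMAIN = 3


def build_query(name, qtype=TYPE_A):
    """Encode a DNS query in RFC 1035 wire format. RFC 8484 (DoH) sends this
    byte string unchanged as the body of a POST with Content-Type
    application/dns-message; ID 0 keeps the request cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg):
    """Return (rcode, [(name, rtype, rdata_text)]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, text))
    return flags & 0x000F, answers


def classify(msg):
    """'nxdomain' is the honest answer for a name that does not exist;
    'rewritten' means the resolver returned an address instead."""
    rcode, answers = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == 0 and any(t in (TYPE_A, TYPE_AAAA) for _, t, _ in answers):
        return "rewritten"
    return "nodata" if rcode == 0 else "error"


def doh_query(url, name):
    """POST the query to a DoH endpoint (RFC 8484) and return the raw reply.
    `url` is the resolver under evaluation (assumption: it speaks DoH)."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def fake_response(query, rcode, a_records=()):
    """Constructed test data: a reply to `query` with the given RCODE and
    A records, built the way a resolver would (name compressed to offset 12)."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + bytes(int(o) for o in ip.split("."))
                   for ip in a_records)
    return head + query[12:] + rrs


if __name__ == "__main__":
    # Random label so a cached answer cannot mask the resolver's behaviour.
    probe = secrets.token_hex(6) + ".example.com"          # assumed zone
    q = build_query(probe)
    honest = fake_response(q, RCODE_NXDOMAIN)
    rewritten = fake_response(q, 0, ["203.0.113.10"])      # constructed
    print(classify(honest), classify(rewritten))            # nxdomain rewritten
    # Live check: classify(doh_query("https://<resolver>/dns-query", probe))
```

Run it against a real resolver by replacing the placeholder URL with the provider's DoH endpoint; anything other than `nxdomain` for a freshly generated random label is worth a closer look, since a `rewritten` verdict is exactly the behaviour the policy forbids.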