Comcast Inks Deal to Adopt Mozilla’s Firefox DNS Encryption

In a new partnership, Comcast will be the first Internet Service Provider (ISP) to offer users of Mozilla’s Firefox browser private and secure encrypted Domain Name System (DNS) services via Mozilla’s Trusted Recursive Resolver (TRR) Program. Comcast’s DNS over HTTPS (DoH) will be activated by default for Firefox over Comcast’s Xfinity broadband network. Users will be able to switch to Cloudflare or NextDNS, which were already included in Mozilla’s program. No date of availability was released.

Ars Technica reports that Mozilla’s program “requires encrypted-DNS providers to meet privacy and transparency criteria and pledge not to block or filter domains by default ‘unless specifically required by law in the jurisdiction in which the resolver operates’.” DoH “helps keep eavesdroppers from seeing what DNS lookups your browser is making,” thus making it “more difficult for ISPs or other third parties to monitor what websites you visit.”

Firefox chief technology officer Eric Rescorla said that “bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences,” and added that Mozilla hopes the partnership “sets a precedent for further cooperation between browsers and ISPs.” Under the terms of the agreement, Comcast won’t “retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.”

According to Ars Technica, “the Comcast/Mozilla partnership is notable because ISPs have fought plans to deploy DNS over HTTPS in browsers.”

In September 2019, NCTA (the Internet & Television Association), which includes Comcast, wrote Congress to object to “Google’s plans for encrypted DNS in Chrome and Android,” and Comcast stated that the encrypted-DNS plan would “centraliz[e] a majority of worldwide DNS data with Google,” thereby giving it “control of Internet traffic routing and vast amounts of new data about consumers and competitors.”

At the time, Comcast “also complained about Mozilla’s plan for Firefox.”

Now, Comcast is “testing the mechanism” whereby Firefox users on Xfinity “automatically default to Xfinity resolvers under Mozilla’s Trusted Recursive Resolver program unless they have manually chosen a different resolver, or if DoH is disabled.” The results of testing will be documented in an Internet Engineering Task Force (IETF) Draft. Mozilla, which called encrypting DNS “the first step” towards privacy, enabled Firefox to provide DoH “by default with Cloudflare to U.S.-based users in February.”

In a blog post, Mozilla noted that “over the last few years, Mozilla, Comcast, and other industry stakeholders have been working to develop, standardize” DoH, which “helps to protect browsing activity from interception, manipulation, and collection in the middle of the network by encrypting the DNS data.”

It adds that the “second step” in securing privacy is to “require that the companies handling this data have appropriate rules in place … limiting data collection and retention from the resolver, ensuring transparency for any data retention that does occur, and limiting any potential use of the resolver to block access or modify content.”