Mozilla’s new Firefox update puts user security at risk with TRR feature
by AnkitGupta,
August 7, 2018

Mozilla is set to introduce two new features to its Firefox browser in its upcoming patch. Called ‘DNS over HTTPS’ (DoH) and Trusted Recursive Resolver (TRR), the features are meant, according to Mozilla, to provide additional security; many security experts think otherwise. Singling out TRR of the two, security experts at Ungleich say that this feature by default routes DNS requests through a third-party service, which makes it less secure.

With Trusted Recursive Resolver (TRR) turned on by default, any DNS settings that a Firefox user has configured in the network will be overridden. This is because Mozilla has partnered with Cloudflare and will resolve domain names from the application itself, through a Cloudflare DNS server located in the US. This allows Cloudflare to read users’ DNS requests.

Lashing out at Mozilla for advertising TRR as a feature that ‘increases security’, the security expert at Ungleich says,

“From our point of view, us being security geeks, advertising this feature with slogans like “increases security” is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don’t know, it is not true that this increases security in general.”

Cloudflare, for its part, commits to a ‘pro-user privacy’ policy and to the deletion of all personally identifiable data after 24 hours, but there is no guarantee where a user’s data may finally end up.

Mozilla’s TRR disables users’ anonymity
With TRR allowing all DNS requests to be seen by Cloudflare, users’ anonymity is completely destroyed. Government agencies always have the right to request data from service owners, and even on slight suspicion, Firefox users risk having their data shared with the government or any investigating agency.

Finally, it is up to users whether they really trust Cloudflare or their local ISP. Still, as Ungleich points out, users can very easily turn TRR off. Follow these steps to do so.

  • Enter about:config in the address bar
  • Search for network.trr
  • Set network.trr.mode = 5 to completely disable it

“Change network.trr.mode to 2 to enable DoH. This will try and use DoH but will fall back to insecure DNS under some circumstances like captive portals. (Use mode 5 to disable DoH under all circumstances.)”
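As an added example that is not part of this article or of Mozilla’s or Ungleich’s material: a small Python audit that reads a Firefox profile’s prefs.js and user.js and reports the effective network.trr.mode, so an administrator can verify that the setting described above is actually in place rather than trusting the about:config view of a single machine. The pref-line format and the mode table are Firefox’s own (the article quotes only modes 2 and 5; the other values are listed for completeness); the sample profile text and the doh.example URI are constructed.

```python
import re
from pathlib import Path
from typing import Optional

# Meaning of network.trr.mode values. 2 and 5 are the ones the article quotes;
# the rest are Firefox's other documented values, included for completeness.
TRR_MODES = {
    0: "off (browser default, native DNS only)",
    1: "race native DNS and DoH, use whichever answers first",
    2: "DoH first, fall back to native DNS (e.g. captive portals)",
    3: "DoH only, no native fallback",
    4: "shadow mode: DoH queried for timing, native results used",
    5: "off explicitly, DoH never used",
}

# Firefox stores prefs one per line, e.g.:  user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*(\d+)\);')

def parse_trr_mode(prefs_text: str) -> Optional[int]:
    """Return the last network.trr.mode value assigned in the text, or None if unset."""
    mode = None
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            mode = int(m.group(1))  # a later assignment overrides an earlier one
    return mode

def trr_status(prefs_text: str) -> dict:
    """Summarise whether DNS queries may leave via the DoH resolver."""
    mode = parse_trr_mode(prefs_text)
    effective = 0 if mode is None else mode  # unset pref means Firefox's default of 0
    return {
        "mode": mode,
        "description": TRR_MODES.get(effective, "unknown value"),
        "doh_used": effective in (1, 2, 3, 4),
    }

def audit_profile(profile_dir: Path) -> dict:
    """Read prefs.js then user.js (user.js wins at startup) and report the result."""
    text = ""
    for name in ("prefs.js", "user.js"):
        f = profile_dir / name
        if f.is_file():
            text += f.read_text(encoding="utf-8", errors="replace") + "\n"
    return trr_status(text)

# Constructed sample profiles (not real Firefox output).
SAMPLE_DISABLED = 'user_pref("browser.startup.page", 3);\nuser_pref("network.trr.mode", 5);\n'
SAMPLE_DOH = 'user_pref("network.trr.mode", 2);\nuser_pref("network.trr.uri", "https://doh.example/dns-query");\n'
```

Running `audit_profile(Path("~/.mozilla/firefox/<profile>").expanduser())` on a real profile reports whether that profile still sends DNS queries over DoH.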