1

Mozilla contractual obligations in relation to public NextDNS?

Hi! Let me explain this question 😭

On June 1st, 2018, Mozilla announced they were implementing DNS-over-HTTPS, a more secure way of using DNS - preventing DNS snooping (similar to the HTTP vs HTTPS problem). The single provider was Cloudflare. The important reason they said they chose Cloudflare is because they were willing to agree to a strict contract - one that led them to diverging from the regular "1.1.1.1 Public DNS Resolver" and making a new "Cloudflare Resolver for Firefox" instead. (Read the privacy policy for the Public DNS Resolver and the Resolver for Firefox!)

NextDNS was later announced as a Trusted Recursive Resolver on December 17th, 2019. Notably, NextDNS used their own unique DoH endpoint: https://firefox.dns.nextdns.io. This is not what they tell you to put in if you're using a custom NextDNS endpoint - they'd ask you to use https://dns.nextdns.io/[whatever]. This makes me think that they, too, had to do something similar to making a custom resolver - because the others listed on the policy page definitely did not have their own custom resolver!

I understand that with DNS providers, I am inherently trusting someone else. I've been a longtime NextDNS watcher, but I finally decided to get it over with and stick with it everywhere. And I love it! Having this much control is the feeling of fresh air. It's so, so nice. But I liked the reassurance that came with using the default NextDNS in Firefox because I know that contractually they cannot diverge from the strict standards Mozilla is making them follow. So:

  1. Did Mozilla's contract apply to all of NextDNS, or just firefox.dns.nextdns.io?
  2. If not, I know that elsewhere there are subdomains, too - apple.dns.nextdns.io is another example. (There doesn't seem to be any special sauce there, though...) Could I just use firefox.dns.nextdns.io/[whatever] to get both my custom configuration and the contractual reassurance, or would this void that?
  3. How do those subdomains even work, anyway? It seems like that as long as there's a valid configuration, the subdomains work without a hassle. (I might not need help with this question. Assuming I can edit this post after I make it - I have seen places where I can't, unfortunately - I can probably test various ideas out.)

Thank you for all of your hard work 🫡 

1 reply

null
    • Martheen
    • 1 yr ago
    • Reported - view

    The Mozilla's TRR requirement clearly only applies to  firefox.dns.nextdns.io, because the logging requirement isn't satisfied by regular user-specific NextDNS endpoints if the user enables logging. It doesn't even apply to  firefox.dns.nextdns.io/abc123 since if abc123 is a valid profile identifier, it will follow that profile setting, including logging.

    From my quick tests using https://github.com/ameshkov/dnslookup, with *DoH*, the subdomain doesn't matter, both firefox and apple subdomain still serve the queries according to the profile ID you use, including logging. For DoT & DoQ, 🤷‍♀️, I think NextDNS simply implement a profile with custom logging rule, though obviously you can't use it with your own profile.

Content aside

  • 1 Likes
  • 1 yr agoLast active
  • 1Replies
  • 1884Views
  • 2 Following