Security/DOH-resolver-policy

From MozillaWiki

Mozilla Policy Requirements for DNS over HTTPS Partners

This document describes the minimum set of policy requirements that a party must satisfy to be considered as a potential partner for Mozilla’s Trusted Recursive Resolver (TRR) program. It specifically describes data collection and retention, transparency, and blocking policies and is in addition to any contractual, technical or operational requirements necessary to operate the resolver service.

Privacy Requirements

Mozilla’s TRR is intended to give Firefox users better minimum privacy guarantees than the current, ad hoc provisioning of DNS services. As such, resolvers must strictly limit data collection and sharing from the resolver. More specifically:

1. The resolver may retain user data (including identifiable data, data associated with user IP addresses, and any non-aggregate anonymized data) but should do so only for the purpose of operating the service and must not retain that data for longer than 24 hours.
  • Only aggregate data that does not identify individual users or requests may be retained beyond 24 hours.
2. The resolver must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.
3. The resolver must not combine the data that it collects from queries with any other data in any way that can be used to identify individual end users.
4. The resolver must not sell, license, sublicense, or grant any rights to user data to any other person or entity.
5. The resolver must support DNS Query Name Minimisation as defined in RFC 7816.
6. The resolver must not propagate unnecessary information about queries to authoritative name servers. In particular, the client subnet DNS extension in RFC 7871 must not be sent to servers unless the connection to the authoritative server is encrypted and only to authoritative name servers operated by the domain owner directly or by a DNS provider pursuant to its contract with the domain owner.

Transparency Requirements

The party operating the resolver must be transparent about any data collection and sharing that does occur in accordance with the above requirements. More specifically:

1. Privacy Notice. There must be a public privacy notice specifically for the resolver service that documents the specific fields for data that will be retained for 24 hours and that documents specific fields for aggregate data that will be retained beyond 24 hours. The notice should also attest to requirements 2 - 4 above.
2. Transparency Report. There must be a transparency report published at least yearly that documents the policy for how the party operating the resolver will handle law enforcement requests for user data and that documents the types and number of requests received and answered, except to the extent such disclosure is prohibited by law.

Blocking & Modification Prohibitions

1. The party operating the resolver should not by default block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates. Mozilla will generally seek to work with DNS resolvers that provide unfiltered DNS responses and, at its discretion, may remove from consideration resolvers subject to legal filtering obligations, depending on the scope and nature of those obligations.
  • Resolvers may block or filter content with the user’s explicit consent.
2. For any filtering that does occur under the above requirement, the party must maintain public documentation of all domains that are blocked and a log of when particular domains are added to and removed from any blocklist.
3. When a domain requested by the user does not exist, the party operating the resolver should provide an accurate NXDOMAIN response and must not modify the response or provide inaccurate responses that direct the user to alternative content.
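Three of the requirements above are checkable on the wire: privacy requirement 5 (QNAME minimisation, RFC 7816), privacy requirement 6 (no EDNS Client Subnet option, RFC 7871, on queries to authoritative servers) and the NXDOMAIN rule in item 3 here. The following is an added example, not Mozilla's or any resolver operator's code: it builds constructed DNS wire-format messages in memory and audits them offline, so an operator can run the same checks over captured resolver traffic. The names, addresses and message IDs are made up; the QNAME check implements the strict one-label-at-a-time form of RFC 7816.

```python
"""Offline audit helpers for the resolver policy points on this page.
Constructed example: sample messages are built in memory; no network."""
import struct

OPT_TYPE = 41          # EDNS(0) pseudo-RR type
ECS_OPTION_CODE = 8    # EDNS Client Subnet option code (RFC 7871)
RCODE_NXDOMAIN = 3


def _encode_name(name):
    labels = [l for l in name.rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_query(name, ecs=None):
    """Build an A query; ecs=(ipv4_string, prefix_len) appends an ECS option."""
    question = _encode_name(name) + struct.pack('!HH', 1, 1)
    if ecs is None:
        return struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0) + question
    addr, prefix = ecs
    addr_bytes = bytes(int(o) for o in addr.split('.'))[:(prefix + 7) // 8]
    option = struct.pack('!HBB', 1, prefix, 0) + addr_bytes   # family 1 = IPv4
    rdata = struct.pack('!HH', ECS_OPTION_CODE, len(option)) + option
    opt_rr = b'\x00' + struct.pack('!HHIH', OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 1) + question + opt_rr


def build_response(name, rcode, a_records=()):
    """Build a response to an A query for name carrying the given IPv4 answers."""
    msg = struct.pack('!HHHHHH', 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg += _encode_name(name) + struct.pack('!HH', 1, 1)
    for ip in a_records:
        msg += _encode_name(name) + struct.pack('!HHIH', 1, 1, 60, 4)
        msg += bytes(int(o) for o in ip.split('.'))
    return msg


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack_from('!H', msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (end if end is not None else off)


def parse_message(msg):
    """Minimal DNS wire-format parser: header, questions, then all RRs."""
    _, flags, qd, an, ns, ar = struct.unpack_from('!HHHHHH', msg, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        questions.append(name)
        off += 4                                     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from('!HHIH', msg, off)
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {'rcode': flags & 0xF, 'questions': questions,
            'answers': records[:an], 'additional': records[an + ns:]}


def edns_option_codes(parsed):
    """Option codes carried in the OPT RR(s) of a parsed message."""
    codes = []
    for _, rtype, rdata in parsed['additional']:
        if rtype != OPT_TYPE:
            continue
        off = 0
        while off + 4 <= len(rdata):
            code, length = struct.unpack_from('!HH', rdata, off)
            codes.append(code)
            off += 4 + length
    return codes


def minimised_qnames(name):
    """Query names a strict RFC 7816 resolver sends while walking down to name."""
    labels = [l for l in name.rstrip('.').split('.') if l]
    return ['.'.join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def audit_outbound_query(msg, zone):
    """Policy findings for a query the resolver sends to the server for zone."""
    parsed = parse_message(msg)
    qname = parsed['questions'][0]
    findings = []
    if ECS_OPTION_CODE in edns_option_codes(parsed):
        findings.append('ECS option sent (requirement 6)')
    zone_labels = len([l for l in zone.rstrip('.').split('.') if l])
    if len(qname.split('.')) > zone_labels + 1:
        findings.append('QNAME not minimised for zone %s (requirement 5)' % zone)
    return findings


def is_accurate_nxdomain(msg):
    """True only for a genuine NXDOMAIN: RCODE 3 and no answer records."""
    parsed = parse_message(msg)
    return parsed['rcode'] == RCODE_NXDOMAIN and not parsed['answers']


if __name__ == '__main__':
    print(minimised_qnames('www.example.com'))
    print(audit_outbound_query(build_query('www.example.com', ecs=('192.0.2.0', 24)), 'com'))
    print(is_accurate_nxdomain(build_response('nx.example.com', RCODE_NXDOMAIN)))
    print(is_accurate_nxdomain(build_response('nx.example.com', 0, ['192.0.2.1'])))
```

`audit_outbound_query` is meant to run over queries captured between the resolver and authoritative servers: a full `www.example.com` sent to the `com` servers, or any OPT RR carrying option code 8, is a finding. `is_accurate_nxdomain` is for the response to a probe of a name known not to exist; a NOERROR answer with an address record for such a name is the redirect behaviour item 3 prohibits.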

Enforcement

The decision of who to include in (or remove from) Mozilla’s Trusted Recursive Resolver (TRR) program is at Mozilla’s sole discretion, and we may evaluate additional factors such as abusive practices or other security concerns not specifically identified here. We may publicly document violations of this Policy and take additional actions if necessary.