
How to Enable DNS-over-HTTPS in Firefox - smacktoward
https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
======
dimkr1
Or, you can use [https://github.com/dimkr/nss-tls](https://github.com/dimkr/nss-tls) - everything that uses
gethostbyname(), addrinfo(), etc., including Firefox with network.trr.mode set
to DNS, will use DoH

~~~
antpls
Another option that may work, suggested by pmoriarty in another thread :
[https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) which is a DNS proxy server
that could locally transform classic DNS to DNS-over-HTTPS by using iptables
to redirect DNS traffic to it
([https://news.ycombinator.com/item?id=20370741](https://news.ycombinator.com/item?id=20370741))

~~~
nothrabannosir
I use this and it works great. Especially in combination with
[https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher](https://github.com/jedisct1/bitbar-dnscrypt-proxy-switcher) (and its
dependency Bitbar), which gives you a little icon in the taskbar to monitor
and manage the dnscrypt settings. (mac os x)

------
krispbyte
Why is this supported at the application level instead of the OS? So other
tools like ping or nslookup can use it too.

~~~
the_angry_angel
This is my beef with (my understanding maybe incomplete, in which case I
apologise) the implementation.

Internal DNS, split brain DNS aren’t catered for without disabling support? I
don’t want my internal names leaking to the internet, nor necessarily are they
the same for external resolvers. Now yes the latter is a hack, but it’s one
widely used still today.

The idea is laudable. But it feels hostile. I can disable support, but for how
long?

~~~
krispbyte
I guess it would be possible to run my own local DNS server that connects to
these DoH servers. Does any DNS server support DoH? This could also allow the
user to override domains using their /etc/hosts file in case DoH on Firefox
doesn't support it.

~~~
uponcoffee
I use pihole + dnscrypt-proxy 2.*

A fair number of resolvers support DoH and dnscrypt-proxy also supports DoT.
It's fairly feature rich, you can configure a hosts file and then some.

[0] [https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)

------
snek
This article got the trr.mode key slightly wrong

0 - Default (will be one of the below options, right now it happens to be 5)

1 - Race regular DNS and DoH, use whichever one responds first

2 - Try DoH, use regular DNS if DoH fails

3 - Use DoH, regular DNS is disabled entirely

4 - unused

5 - DoH is fully disabled, always use regular DNS

~~~
the_pwner224
I recall reading on a Mozilla blog that 0 is 'default'; right now TRR is
disabled but eventually it will be enabled by default. If you want to disable
it you should explicitly set it to 5, so that a future update does not enable
it.

------
stevekemp
I enabled DNS over HTTPS in the recent past, and was very happy with it. Until
I came to test a staging-version of a website and discovered that updating
`/etc/hosts` to change the IP of the given name no longer worked.

It took me an embarrassingly long time to realise I was still visiting the
production site.

~~~
ShinTakuya
Using the hosts file to visit a staging environment is a gross practice
anyway. Just make the domain configurable in your code and either put the IP
directly or make some subdomain (or better yet, separate domain) redirect to
it.

~~~
chousuke
That doesn't always work. There are migration scenarios where you have to use
the correct domain to be able to test everything properly.

~~~
ShinTakuya
I'm not convinced that's the same situation or if what you're describing is
necessary in the majority of cases. Using the "correct" domain shouldn't be
the norm - it should be an exceptional circumstance. As demonstrated in the
above comment, it's easy to accidentally hit the production environment at
which point you may be convinced that everything is alright and ship a broken
change to production.

~~~
bpizzi
In theory I agree with your stance.

OTOH, in the real world, almost all websites that I've got to migrate are
somewhat hardcoded for one domain (I've got this side project where I do
websites hosting, good recurring money, little work).

Going for /etc/hosts is the only pragmatic choice here.

~~~
ShinTakuya
Yeah, you're right, I'm all for pragmatism when it's just a small site not in
active development. I just didn't want people getting the idea that this is a
good practice. It's a hack, and a dangerous one at that, but hacks can be okay
depending on the circumstance.

------
plg
My Pi-hole is set up to do encrypted DNS. Advantage: every device on my home
network automatically benefits from this.

~~~
noncoml
So instead of getting spied, blocked, tampered, etc. by your ISP you are
getting spied by Cloudflare? We didn’t solve the problem, just shifted it..

~~~
snek
Cloudflare has a list of _all_ data they collect from firefox DoH here:
[https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...](https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/)

~~~
LinuxBender
Before CF was CF, they were a group of blackhats running honeypots. I was part
of that community. It turned out, building a distributed CDN had potential to
make money. And here we are. They built a great CDN. I would use them over
Akamai any day. They have very talented hackers. That said, consolidating all
DNS lookups to one central company guarantees they will have non stop pressure
(if not already) to give warrant-less access to the data. This is very
valuable data.

I never take privacy statements on a website seriously. A company can say one
thing and do another. HN crowd knows this better than anyone.

~~~
noncoml
source?

~~~
LinuxBender
For what, the honeypots? I have no idea if such an article exists. I was one
of their members and ran several honeypots and made use of several of my
domains. It was started on freenode's IRC network, or at least that is how I
learned about it and joined in. There are probably IRC logs on archive servers
out there somewhere.

~~~
noncoml
Interesting story, thanks for sharing it!

------
ignoramous
Opera comes with a free VPN (which does collect as much data as it can), and I
think, Firefox is primed to move in that direction, as well. Given how they
already have a partnership for DoH, they might extend it for Warp, which might
be great if they do it in a privacy-oriented way and do right by their users.
Esp, as more and more govts censor the Internet and ISPs turn into trackers
the need for Firefox to be the thorn in the neck of powers-that-be is ever
more important.

~~~
theturtletalks
If Firefox included a built-in VPN, they could increase their market share
substantially. As long as they keep privacy a priority, they can give Chrome
solid competition.

~~~
tastroder
> As long as they keep privacy a priority,

This whole DNS over HTTP disaster makes it pretty clear to me as an end user
that it's not though. I wouldn't trust a free VPN further than I can throw it,
no matter who offered.

~~~
ignoramous
> This whole DNS over HTTP disaster makes it pretty clear to me as an end user
> that it's not though.

True. We've got DoT, which is a very viable alternative. Supported at OS level
by Android. And there's DnsCrypt with clients on all major platforms.

> I wouldn't trust a free VPN further than I can throw it, no matter who
> offered.

Valid point.

Though, the present situation is that one pays the ISPs and yet they traffic
shape, surveil, censor their users. I fear, after a point, VPNs might be the
only way to access censor-free Internet across the globe.

~~~
tastroder
While I personally trust my ISP more than some random US based entity, that's
of course true. The thing with VPN alternatives for me is that the VPN
landscape today is already weirdly organized, opaque and would have no real
incentive for a free tier.

Short of hosting their own, which consumers will not do, I don't see a
scenario where VPN providers end up in a position that's more trustful than
your average (Western world) ISP is today tbh.

~~~
incompatible
I don't think any ISP can really be trusted, in most countries, since they are
subject to arbitrary government demands. In Australia, for example, that
includes data retention, censorship, and assistance with any kind of spying
that may be demanded.

~~~
tastroder
Sure, valid as well. If VPNs get relevant enough to matter to nation state
actors none of that really exclusively applies to ISPs anymore though, I feel
like we're in a cozy transitioning stage there. They'd either get blocked (see
feeble attempts in China) or get the same treatment. Either through similar
legislation or technology level interference as we've seen before with the Tor
network. At that point it's a game of choosing the nation state control you're
most comfortable with in terms of oversight, governmental interference,
consumer protection, and business incentive. That'll likely still be my
European based ISP over a US VPN to be quite honest, given (theoretically)
better consumer protection legislation and generally less equipped/capable
surveillance apparatus.

Don't get me wrong, VPNs e.g. for access control or untrusted networks are
great use cases in my book. I just don't like the snake-oil vibe surrounding
VPNs that make it out to be a great way to secure everyday networking for
consumers.

------
floatingatoll
I hesitate to rain on a positive parade, but..

Keep in mind when enabling features ahead of widespread release in software,
that obvious and/or non-obvious things are _more_ likely to break when you do
so than if you wait until it’s enabled for you.

This goes double for users on the Release channel of software rather than the
Beta/Nightly/Canary/Whatever channel, since it takes weeks or months to fix
problems.

I’m not saying “don’t”, but I am saying “be prepared to encounter self-
inflicted issues”. The tendency is to blame the issues and the frustration of
tracking down their cause on the software developer. Keep notes about what you
enable, so you can try disabling it and see if that fixes it. Report bugs you
find, and don’t panic if they’re known and/or unsolved.

~~~
o-__-o
such as expecting an application (not OS) based DNS resolver to react to
/etc/hosts changes...

~~~
floatingatoll
Yes. But. That’s very specific and assumes they’ll only ever query one or the
other, which might not necessarily be true for *.local and localhost (I
haven’t researched or tested).

------
SimeVidas
PSA Firefox Nightly is very stable (with occasional breakage on some
websites). It has the latest features, including a convenient checkbox for
DoH:

[https://i.imgur.com/NhifLq5.png](https://i.imgur.com/NhifLq5.png)

~~~
blitmap
I don't know how I've improved the situation going from Chrome to Firefox and
then to Firefox Nightly:

I wish Mozilla put efforts toward preserving settings and not reinstalling
search providers one has purposefully removed. I understand that by using
Nightly I cannot expect what a general user expects, but this problem exists
in all browsers. I consider it user-hostile behavior that more emphasis isn't
taken to preserve settings. Oh a new update? Clearly you want us to sync
everything instead of just the few things you selected. Let's revert it all to
defaults.

I also understand how settings are stored (the backend format) might change
between minor or major versions. Sometimes factory defaults need to be
reinstated - but it should be very fucking clear (with a notification) that
the user should go review settings that have changed/reverted. And this cannot
be a banner that shows every time an update applies. Give the user some
transparency.

On Chrome when I ask it to preserve my previous session it preserves just that
session's browsing history. This history is forgotten if I make a point to
close all tabs and end the session. On Firefox I must save all history to
'restore the current session'. Wish we had more control over this.

You can't disable Firefox from checking for updates (I wish this could be left
to package managers on some systems). I understand but I don't want to be
nagged. You can make Firefox ask you, but it will check nonetheless.

Why the fuck would I want "Recommend features as I browse?" or "Recommend
extensions as I browse?" I hate being advertised to.

"Warn you about unwanted and uncommon software" - who is making this
determination? Who is Firefox talking to about what I download?

I wish I could sync settings, open tabs, addresses, history, etc - to a
simple archive on close or periodically. No online service to sync against
with another account I have to worry about.

Sucks that in hotels Firefox determines if there's a captive portal in effect
by querying a Mozilla-hosted site (detectportal.firefox.com).

Blah.

~~~
Marsymars
> You can't disable Firefox from checking for updates (I wish this could be
> left to package managers on some systems).

You typically can... not sure about your platform, but I use policies.json on
Windows to disable update checks.

~~~
blitmap
That does not sound very user-friendly... but well within the realm of a
package manager installing a distro's custom policies.json

------
johnklos
I wonder how long it'll be before Firefox comes with it enabled by default. It
seems that they're going to do it regardless of the loss of control
implications to end users.

~~~
LogicX
FWIW, there's a standard being developed to allow network admins to maintain
control over DNS on their networks, even after this is enabled.

~~~
yjftsjthsd-h
That's neat/interesting; any chance you could point me in the right direction
to hear more? I'm curious how they'll make it respect that setting from the
"local" network and not from ex. an ISP.

------
mlrhazi
I saw somewhere that this can be enabled in Chrome from chrome://flags/, but I
can't seem to find it in mine, v75 on Mac. Was it removed from recent
versions?

~~~
judge2020
A chromium project called Bromite exposes this flag[0], but I don't think it's
ever been available on Desktop versions of Chrome (probably due to the
likelihood of Schools, Enterprises, etc. getting mad if a user uses it to
circumvent DNS blocks).

As per a comment by Eric [unknown surname] at Microsoft here[1], you can
enable it on desktop chrome by adding the following to your chrome launch
options:

    --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST"

This can easily be done persistently via Windows, but I'm not sure what it
would take on Mac. The official Chromium guide for starting with launch
options[2] only recommends opening terminal every time, which would mean it
can't be easily ran on each launch with the shortcut/dock icon.

0: [https://github.com/bromite/bromite/wiki/Enabling-DNS-over-HT...](https://github.com/bromite/bromite/wiki/Enabling-DNS-over-HTTPS)

1: [https://crbug.com/799753#c8](https://crbug.com/799753#c8)

2: [https://www.chromium.org/developers/how-tos/run-chromium-wit...](https://www.chromium.org/developers/how-tos/run-chromium-with-flags)

~~~
mlrhazi
Thank you!

------
needle0
Is there any way to enable DoH by default but exclude certain domains that are
managed by a local DNS server? (eg. intranet domains?)

~~~
bzbarsky
In Firefox? Yes. Set the "network.trr.excluded-domains" pref in about:config
to a comma-separated list of the things you want to exclude.
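The prefs named in this sub-thread (network.trr.mode with the values snek listed above, network.trr.uri, network.trr.bootstrapAddress as asked about by redder2, and the comma-separated network.trr.excluded-domains) can be written into a profile's user.js rather than clicked through about:config. The script below is an added example, not something from the thread or from Mozilla: it renders such a user.js, runs a few sanity checks, and answers needle0's question in code by reporting which hostnames never leave the OS resolver. Assumptions: an entry in excluded-domains also covers its subdomains (my understanding of Firefox, not stated on the page); the resolver URL and bootstrap IP used in the demo are RFC 2606/5737 placeholder values, not a recommendation.

```python
"""Render a Firefox user.js for DoH and check which names stay on native DNS.

Added example, not code from the thread or from Firefox. Subdomain matching of
network.trr.excluded-domains and the mode-3 bootstrap note are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# network.trr.mode values as listed in the thread (4 is unused).
MODE_DEFAULT, MODE_RACE, MODE_DOH_FIRST, MODE_DOH_ONLY, MODE_OFF = 0, 1, 2, 3, 5
DOH_MODES = (MODE_RACE, MODE_DOH_FIRST, MODE_DOH_ONLY)


@dataclass
class TrrConfig:
    mode: int
    uri: str = ""                 # network.trr.uri
    bootstrap_address: str = ""   # network.trr.bootstrapAddress
    excluded_domains: List[str] = field(default_factory=list)

    def problems(self) -> List[str]:
        """Checks worth running before dropping the file into a profile."""
        out = []
        if self.mode not in (MODE_DEFAULT, MODE_RACE, MODE_DOH_FIRST, MODE_DOH_ONLY, MODE_OFF):
            out.append(f"mode {self.mode} is not a documented value")
        if self.mode in DOH_MODES and not self.uri.startswith("https://"):
            out.append("network.trr.uri must be an https:// URL when DoH is on")
        if self.mode == MODE_DOH_ONLY and not self.bootstrap_address:
            # Assumption: with native DNS off, the DoH host itself still needs an
            # address, which is what bootstrapAddress supplies.
            out.append("mode 3 disables native DNS; set network.trr.bootstrapAddress "
                       "to the resolver's IP")
        return out

    def user_js(self) -> str:
        """Lines in the user_pref() syntax Firefox reads from user.js."""
        lines = [f'user_pref("network.trr.mode", {self.mode});']
        if self.uri:
            lines.append(f'user_pref("network.trr.uri", "{self.uri}");')
        if self.bootstrap_address:
            lines.append(f'user_pref("network.trr.bootstrapAddress", "{self.bootstrap_address}");')
        if self.excluded_domains:
            joined = ",".join(d.strip() for d in self.excluded_domains)  # comma-separated, per bzbarsky
            lines.append(f'user_pref("network.trr.excluded-domains", "{joined}");')
        return "\n".join(lines) + "\n"


def uses_native_dns(hostname: str, cfg: TrrConfig) -> bool:
    """True when the name never reaches the DoH server under cfg:
    DoH is off, or the name is (a subdomain of) an excluded domain."""
    if cfg.mode not in DOH_MODES:
        return True
    host = hostname.rstrip(".").lower()
    for dom in cfg.excluded_domains:
        dom = dom.strip().rstrip(".").lower()
        if host == dom or host.endswith("." + dom):
            return True
    return False


if __name__ == "__main__":
    # Placeholder resolver and IP (documentation values), intranet zone kept native.
    cfg = TrrConfig(mode=MODE_DOH_ONLY,
                    uri="https://doh.example.invalid/dns-query",
                    bootstrap_address="192.0.2.10",
                    excluded_domains=["corp.example", "localhost", "local"])
    print(cfg.user_js())
    for name in ("wiki.corp.example", "printer.local", "example.org"):
        print(name, "-> native" if uses_native_dns(name, cfg) else "-> DoH")
```

Writing `user_pref("network.trr.mode", 5);` explicitly, as the_pwner224 suggests, is the same one-liner with `TrrConfig(mode=5)`; the file goes in the profile directory next to prefs.js and is applied at the next start.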

------
josteink
A heroic, but misguided effort.

DNS should be provided by the OS, and not reimplemented in every application
running on top of it.

~~~
jbverschoor
While true, the OS will contain less and less functionality. Which is funny
because on one hand we want to have less dependencies, and on the other hand
we have microservices for everything.

Developers going the sysop direction of services; sysops going the developer
way of statically linking.

~~~
josteink
> While true, the OS will contain less and less functionality.

That’s a bold claim, and I see no data to back it up.

If anything, OSes only tend to get bigger with time.

------
philo23
After that ISP award thing came out it finally convinced me to look into DoH
and give it a go. So I ended up setting up a Pi Hole this weekend running a
local DoH-to-DNS proxy and then changing the DNS settings on my router to
point to the Pi Hole. This also means my hosts file continues to work if I
need it, and all* the programs running on my PC are transparently going
through DoH without them being any the wiser.

The setup was a little bit fiddly to get going, but I'm now super happy with
it. As a sidenote, it was interesting to see how effective uBlock Origin
already was because I thought the Pi Hole's blacklists weren't working at
first!

*I imagine I'm not catching every single one of the DNS lookups on my network, but I bet it's now a large percentage of them.

------
redder2
TL;DR: Question: To what do I set network.trr.bootstrapAddress for
[https://doh.appliedprivacy.net/query](https://doh.appliedprivacy.net/query)?

I am confused. The guide tells me to set:

network.trr.uri

But Foundation for Applied Privacy sounds nice and I want to force DNS over
HTTPS. The site specifically tells me to use the Firefox settings page
[https://appliedprivacy.net/services/dns/](https://appliedprivacy.net/services/dns/)
but that sets network.trr.custom_uri not network.trr.uri so what's the
difference? And it also tells me that I have to set the
network.trr.bootstrapAddress but does not tell you to what in case I missed
something.

------
m-p-3
I tried to do it on Firefox Mobile (Android) through about:config but it
didn't seem to work. Any idea why, without using an app like Intra?

------
vinay_ys
I wonder if it is ever possible to move to a protocol like MinimalLT -
[https://cr.yp.to/tcpip/minimalt-20131031.pdf](https://cr.yp.to/tcpip/minimalt-20131031.pdf)
and solve the privacy aspects in a fundamental low-level protocol usable for
all types of packet transfers.

------
wst_
Using stable Firefox 67.0.4 64-bit and this is right there on the options page
in General/Network settings. Truth be told, it will set network.trr.mode to
2, which falls back to normal DNS if anything is wrong, but nonetheless it's
there.

------
beezle
I understand how DOH can help prevent DNS spoofing, but I really don't
understand the privacy claims. Are not outbound connections, http or https,
known by the ISP? Or is the assumption that the world is all behind a proxy
like Cloudflare?

------
tus88
Could something like Pi-hole intercept all DNS and send it over a VPN or
something, while providing a local DNS cache? Seems unnecessary to wait for
all software to support it natively.

_Edit:_ Apparently they already thought of this and it's a feature!

------
DavideNL
I think it's kind of strange that they are planning to enable DOH by default;

Your ISP can see all connections/ip addresses you connect to regardless of
whether you use your ISP's DNS servers or not. So, in the end by using DOH in
Firefox (= Cloudflare's DNS by default) you're just sharing your internet
history with _yet another_ third party.

This may be beneficial for some people where ISP's mess with DNS resolving,
but for many other people it's actually a regression in privacy (especially if
you live in a country that has higher privacy standards/laws than the US.)

~~~
ziegeer
An IP address is not always as telling as the DNS name of what you're
connecting to. E.g. I may be connecting to a CDN like CloudFlare for content
over HTTPS and my ISP will have no idea what I'm doing. But if I used the DNS
name that refers to that content it would likely be more obvious in many
cases.

~~~
zimbatm
ISPs can sniff the hostname from the HTTPS Server Name Indicator (SNI) headers
because they are transmitted in clear.

The next step will be to deploy the TLS 1.3 Encrypted Server Name Indicator
(ESNI)[1].

[1]: [https://tools.ietf.org/html/draft-ietf-tls-esni-03](https://tools.ietf.org/html/draft-ietf-tls-esni-03)

------
option_greek
Is it supposed to speed up load times ? I assumed it would slow it down but
I'm actually noticing an improvement in page load time.

------
paulcarroty
Very cool feature, but adblocking on system side is tricky. Blocking by hosts
possible only with your own personal server.

------
aaossa
How can I check if I got the settings right? Is there any web app or command
or something?

~~~
sleavey
Yes there is: [https://www.cloudflare.com/ssl/encrypted-sni/](https://www.cloudflare.com/ssl/encrypted-sni/)

------
darkhorn
Thanks to DNS over HTTPS now I can access illegal¹ web sites such as
Wikipedia.

Also enable ESNI in Firefox.

¹ [https://en.m.wikipedia.org/wiki/Block_of_Wikipedia_in_Turkey](https://en.m.wikipedia.org/wiki/Block_of_Wikipedia_in_Turkey)

------
Havoc
I'm guessing this is impossible to use with a pi hole?

------
cheez
Why over HTTPS vs TLS?

~~~
brians
Approximately: because browsers already have good HTTP parsers built in, and
that seems safer than trying a new fast binary parser.

~~~
mehrdadn
Is performance really such a big concern here? How slowly can one possibly
parse binary DNS responses in a native language?

~~~
jbverschoor
Also, why a complete http stack? Before we know it we need to send JSON
packets to the cpu to do some multiplication

