Thanks for your reply to my post #72. I was just curious if Beyonder in post #57 might have run into problems in setting up Quad9 in Connection Settings. I've been working the network.trr prefs since DoH first showed up in Firefox version I-forget-the-#. Almost two years now, I think; how time flies. The screenshots do verify the default mode is 2 (fallback) even though the bootstrap data are made present in network.trr. I'd like to see an "Enable bootstrapping" checkbox in the Connection Settings to set mode 3. I'm not holding my breath.
@Surt FWIW ~ Getting Started with DoH and Quad9 - 2018-10-05 - Updated July 25, 2019 https://www.quad9.net/doh-quad9-dns-servers/

DoH and Quad9

Firefox DNS over HTTPS (DoH) is not enabled by default, so you have to type about:config in your browser bar to open up the settings page. In Settings, you can modify 3 items related to the Trusted Recursive Resolver (aka network.trr):

network.trr.mode
trr.mode controls when and how DoH should be used. By default it is set to 0, meaning it is disabled. If you change it, it will enable it.
0 — Off (default). Use the operating system resolver.
1 — Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
2 — First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
3 — Only. Only use TRR. Never use the native (after the initial setup).
4 — Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
5 — Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
We recommend trr.mode of ‘2’ so it will fall back to the default resolver if the connection to the DoH server fails. If you only ever want to use DoH you can set it to 3 – you will be unable to resolve DNS names if your DoH server goes down and you won’t have a back-up using your system resolver.

network.trr.uri (this is where you specify the resolver you want to use)

network.trr.bootstrapAddress (you can forgo setting this and it will use the native system resolver for the initial query for hxxps://dns.quad9.net/dns-query)

https://www.quad9.net/wp-content/uploads/2018/10/ff-setting-doh.png

You can check out the logs by typing about:networking#dns into your browser bar. Look for TRR ‘true’ entries to see what is being looked up via DNS over HTTPS. For example: msn.com with uBlock Origin disabled
Thanks. I found it interesting and new, not reading about it anywhere else. I thought I'd attempt to begin a discussion on it. Had I considered malicious I'd've peppered my post with
Firefox 73 Released [...] New DoH Provider February 11, 2020 https://www.bleepingcomputer.com/ne...ed-with-security-fixes-new-doh-provider-more/
Well, that's a good thing, but with a little effort one can more broadly implement DoH using YogaDNS and use whichever provider you wish.
True, YogaDNS is pretty darn good. Otherwise, with even less effort one can just tweak the preferences in network.trr for one's fav provider.
Firefox turns encrypted DNS on by default to thwart snooping ISPs US-based Firefox users get encrypted DNS lookups today or within a few weeks February 25, 2020 https://arstechnica.com/information...ed-dns-on-by-default-to-thwart-snooping-isps/ Mozilla: Firefox continues push to bring DNS over HTTPS by default for US users
For those who do not wish this to happen (e.g. running pfSense Unbound), there is nominally a canary address that inhibits Firefox from adopting DoH: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
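The Quad9 guide above points network.trr.uri at the dns-query endpoint, and the canary post links Mozilla's use-application-dns.net check. As an added example that is not code from the thread, Quad9 or Mozilla, the Python below builds the RFC 8484 GET request a TRR client sends to that endpoint and applies Mozilla's documented canary rule (NXDOMAIN or an empty answer for the canary name means "do not enable DoH") to a constructed resolver response, so a resolver operator can see which answer produces which outcome. The TEST-NET address and the 300-second TTL are constructed sample values.

```python
"""Added example: RFC 8484 DoH GET request construction plus the Firefox
canary-domain rule, evaluated offline against constructed DNS responses."""
import base64
import struct
from urllib.parse import urlencode

RESOLVER = "https://dns.quad9.net/dns-query"   # network.trr.uri from the thread
CANARY = "use-application-dns.net"             # Mozilla's canary domain
QTYPE_A, RCODE_NXDOMAIN = 1, 3

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format DNS query; ID 0 as RFC 8484 suggests for cache friendliness."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the query, '=' padding removed>."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{resolver}?{urlencode({'dns': dns})}"

def parse_header(msg: bytes) -> tuple:
    """Return (rcode, ancount) from a wire-format response header."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return flags & 0x000F, ancount

def canary_allows_doh(response: bytes) -> bool:
    """Mozilla KB rule: NXDOMAIN, or a response with no records in the answer
    section, for the canary name tells Firefox not to turn DoH on by default."""
    rcode, ancount = parse_header(response)
    return rcode != RCODE_NXDOMAIN and ancount > 0

def constructed_response(query: bytes, rcode: int, answer_ip: str = "") -> bytes:
    """Echo the question back as a response; optionally append one A record."""
    answers = b""
    if answer_ip:  # name pointer to offset 12, type A, class IN, TTL 300, rdlength 4
        answers = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + \
            bytes(int(o) for o in answer_ip.split("."))
    # QR=1, RD=1, RA=1 plus the requested RCODE; ANCOUNT reflects the appended record
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, 1 if answers else 0, 0, 0)
    return header + query[12:] + answers

# Constructed samples: a resolver that blocks DoH (NXDOMAIN) and one that permits it.
BLOCKED = constructed_response(build_query(CANARY), RCODE_NXDOMAIN)
ALLOWED = constructed_response(build_query(CANARY), 0, "192.0.2.1")  # TEST-NET-1 address
```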
I have just had a prompt to use DoH in Firefox. I thought this was only rolling out to US users? Could this be because I had my VPN set to the US? I was still being prompted after I turned my VPN off.
I know I can enable it manually in FF settings but this is the first time I've seen the prompt. Maybe they are expanding the rollout?
How can DoH be forced/enabled in Chrome and/or Chromium-based browsers? Firefox already has the option to force it, but I cannot find it in Chrome or the latest Edge Chromium Canary version.
I don't believe DoH support is built into Chrome yet, but you can easily implement YogaDNS to get the same result.
What version of Chrome are you using? I have the latest release - 80.0.3987.149 - and I can't find that feature in the list of experimental flags.
It was supposedly made available as of Chrome 78...? https://winaero.com/blog/enable-dns-over-https-in-chrome-doh/
Yeah, I found it! Thanks! That option, however, doesn't exist in the latest version of Edge Chromium Canary x64.
Does it make sense to enable DoH with Chrome and/or Firefox when a VPN with custom DNS is used? My VPN uses its own custom DNS for use in both Network Adapter and TAP Driver settings when connecting via OpenVPN. What about the Encrypted SNI setting? Tor currently has that setting, but it is set to disabled by default.
Thanks for the screenshots. The setting comes up in Edge, but not in Google Chrome. It's weird, but not a problem for me as I'm implementing DoH via YogaDNS.