DNS over HTTPS coming to Firefox

There is an upcoming feature in Mozilla Firefox that will use DNS over HTTPS.

As it says in the linked post: Firefox does not yet use DoH by default. It has been available on an opt-in basis for some time now for users of nightly builds of Firefox, and at the moment it's running as a shield test for builds of Firefox. Assuming the tests all go well, it could well become the default in the future.

Once enabled, Firefox will use the proposed DNS over HTTPS protocol, directed by default to a Cloudflare DNS server, but changeable by the user. It will stop using your system's DNS settings, except in cases where it can't get through to the DoH server fast enough.

What this means for those using Firefox with Pi-hole: If you're in the study, (or if it becomes the default in a future upgrade) then you might see ads or other content that you would expect to be blocked, and you'll see less traffic in your Pi-hole log. Depending upon the relative speed of the DoH and DNS servers, the relative proportion of lookup traffic handled via each protocol could vary greatly. It will be entirely possible for a particular domain name to be blocked at one time, but not at another, which when combined with browser caching could lead to some odd results with partially blocked content, with things changing somewhat randomly during page-refreshes.

At the moment it's something to be aware of if you run Firefox, and something to consider if your blocking starts to get a bit sketchy.

Personal rants/notes:

  1. For me, unless/until there is a way to work with this sort of thing rather than around it, it will simply be another browser feature (similar to chrome's asynchronous dns) to switch off.
  2. Yes, I'm aware that DNS over HTTPS isn't the only one which has its hand up (alongside DNS over TLS and DNSCRYPT) to be the new "default" standard for DNS. I've no interest in picking a side, but I would like it very much if there could be one clear winner soon please. Pretty please.

Interesting that Firefox is doing this. In my opinion, running this on a browser is the wrong solution. That's only covering part of your internet traffic. On my home network I have 13 IOT devices, 2 PCs, 3 Macs, 3 iPhones, 2 iPads, 2 Pi's, Samsung tablet - all but one served with a single PiHole (the other serves my Mac and I use that one for experimenting). With a PiHole serving your entire network, you can run DoH with cloudflared (good instructions here) and get the same result. The added advantages are the caching of a single PiHole (sees all the requests from your network and more likely to have the answer in cache).

With Firefox running its own DNS in parallel with a PiHole, you lose the ad-blocking functionality.

Why not just have Firefox get its DNS service from your PiHole along with all the rest of your devices?

If Firefox allows you to change the DNS, I don't think it's a big issue. We can just change it to the Pi-Hole address. Or, like Rob suggests, turn the feature off.

It would allow you to move it to another DNS over HTTPS server, but not to a DNS server like Pi-hole or Unbound that did not have an HTTPS front end designed for it. But from what I have heard and from my contacts it may not be an easy flag to disable. I raised a concern about Active Directory and other forced DNS locations that require a specific, non-HTTPS resolver and the response was to deploy the Firefox LTS and not use the mainline release.

That sucks! I prefer Firefox.

I agree and I've been hit with this. Do we know how to point it to pi-hole or turn it off?

Actually, I found where you can turn it off:
tools, options, general, network settings, settings, uncheck Enable DNS over HTTPS

If this is the same feature I mentioned here, the solution is:
‘network.trr.mode=5’, using ‘about:config’
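To audit or pin that setting without clicking through about:config on every machine, here is an added shell example (not from the thread or from Mozilla) that reads `network.trr.mode` from a profile's prefs.js/user.js, classifies it, and writes a user.js line forcing mode 5. The mode meanings in the comments are Firefox's documented ones; the profile directory and prefs content are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a Firefox profile for DNS over HTTPS (TRR) and pin it off.
# Firefox TRR modes: 0 = off (default), 2 = DoH first with system-DNS fallback,
# 3 = DoH only, 5 = off by explicit user choice (what the thread recommends).

# trr_mode <prefs-file>: print the network.trr.mode value set in a
# prefs.js/user.js style file, or 0 (the Firefox default) if it is not set.
trr_mode() {
    mode=$(sed -n 's/^user_pref("network\.trr\.mode", *\([0-9]*\));.*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-0}"
}

# doh_state <prefs-file>: classify the mode so a report is readable at a glance.
doh_state() {
    case "$(trr_mode "$1")" in
        0|5) echo off ;;
        2)   echo doh-with-fallback ;;
        3)   echo doh-only ;;
        *)   echo unknown ;;
    esac
}

# pin_doh_off <profile-dir>: append a user.js line forcing mode 5. user.js is
# re-applied on every start, so the GUI checkbox can't silently re-enable DoH.
pin_doh_off() {
    printf 'user_pref("network.trr.mode", 5);\n' >> "$1/user.js"
}

# Demo on a constructed profile directory: DoH enabled with fallback (mode 2).
demo_dir=$(mktemp -d)
printf 'user_pref("network.trr.mode", 2);\n' > "$demo_dir/prefs.js"
echo "before: $(doh_state "$demo_dir/prefs.js")"
pin_doh_off "$demo_dir"
echo "after (user.js): $(doh_state "$demo_dir/user.js")"
rm -rf "$demo_dir"
```

On a real machine, point the functions at each directory under ~/.mozilla/firefox (or the platform equivalent) and check that Pi-hole's query log starts showing the browser's lookups again.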

@R_V could you please check if disabling it, using the GUI, has the same effect?

I am running Firefox V62 (64bit) and I don't see any issues yet. And I don't see the flag mentioned in settings to disable it!
What version do you have installed?

I couldn't find network.trr.mode when I searched previously. I see it now and it is set to 0.
So my unchecking "tools, options, general, network settings, settings, uncheck Enable DNS over HTTPS" may have added it.

I can confirm that unchecking tools, options, general, network settings, settings, uncheck Enable DNS over HTTPS works.

For the life of me I could not figure out what was going on. I was checking my host file, I was running ipconfig /flush and /all and couldn't find the problem. On a lark I tried IE and Chrome. Both used the pi-hole. When I'd use Firefox nightly I was seeing very little activity on the pi-hole when watching the pihole -t output. The other browsers showed a lot of activity. That's when I found this and other threads.


Sorry to necro this thread, but this "feature" was officially released today and there is an option in the settings to add your own DNS entry. Should we just add our Pi-hole address into that?


No.
Pi-hole doesn't do DoH.
Only Do53:

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|pihole-FTL'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      18952/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      18952/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      18952/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      18952/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           18952/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           18952/pihole-FTL
udp6       0      0 :::53                   :::*                                18952/pihole-FTL
  • 4711 is the Pi-hole API and 67 is DHCP

Thanks for the pointer!

Ah, okay. So we should just turn this feature off like the rest of the thread said months ago?

It wasn't on in the first place for me ???

Right, it wasn't on for me either after the latest update but I was mostly asking if it's recommended to just keep it off since it doesn't work with Pi-hole anyway.

Logic says yes :smiley:

Haha, thank you!


Firefox DoH opt-out mode is being rolled out for just the United States. We hate ourselves here.
