DNS over HTTPS coming to Firefox

actually I found where you can turn it off
tools, options, general, network settings, settings, uncheck Enable DNS over HTTPS

If this is the same feature I mentioned here, the solution is:
‘network.trr.mode=5’, using ‘about:config’

@R_V could you please check if disabeling it, using the gui, has the same effect?

I am running Firefox V62 (64bit) and I don't see any issues yet. And don't see the flag mentioned in settings to disable it!
What version do you have installed?

I couldn't find network.trr.mode when I searched previously. I see it now and it is set to 0.
so my unchecking "tools, options, general, network settings, settings, uncheck Enable DNS over HTTPS" may have added it.

I can confirm that unchecking tools, options, general, network settings, settings, uncheck Enable DNS over HTTPS works.

For the life of me I could not figure out what was going on. I was checking my host file, I was running ipconfig /flush and /all and couldn't find the problem. On a lark I tried ie and chrome. Both used the pi-hole. When I'd us Firefox nightly I was seeing very little activity on the pi-hole when watching the pihole -t output. The other browser showed a lot of activity. That's when I found this and other threads.

A post was merged into an existing topic: [FYI] Google / Chrome: "Experimenting with same-provider DNS-over-HTTPS upgrade"

Sorry to necro this thread, but this "feature" was officially released today and there is an option in the settings to add your own DNS entry. Should we just add our Pi-hole address into that?

1 Like

No.
Pi-hole doesnt do DoH.
Only Do53:

pi@noads:~ $ sudo netstat -nltup | grep 'Proto\|pihole-FTL'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      18952/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      18952/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      18952/pihole-FTL
tcp6       0      0 ::1:4711                :::*                    LISTEN      18952/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           18952/pihole-FTL
udp        0      0 0.0.0.0:67              0.0.0.0:*                           18952/pihole-FTL
udp6       0      0 :::53                   :::*                                18952/pihole-FTL
  • 4711 is the Pi-hole API and 67 is DHCP

Thanks for the pointer!

Ah, okay. So we should just turn this feature off like the rest of the thread said months ago?

It wasnt on in the first place for me ???

Right, it wasn't on for me either after the latest update but I was mostly asking if it's recommended to just keep it off since it doesn't work with Pi-hole anyway.

Logic says yes :smiley:

Haha, thank you!

1 Like

Firefox DoH opt-out mode is being rolled out for just the United States. We hate ourselves here.

1 Like

Wow amazing.
Makes you wonder who/what decides.

image

EDIT: just checked Debian laptop and is same.
You have to opt-in.

I have Firefox 73.0.1 on MacOS and the default is OFF.

As you can choose a provider of DNS over HTTPS, I do wonder if this could be my pi-hole in the future... anyone can tell me if this is, or is not possible?

What would be the purpose or benefit of encrypting local DNS traffic on your LAN?

1 Like

not so much indeed. But one thing could be that I want to make sure that Firefox uses the DNS I specify and doesn't change without me noticing it.

As discussed in this thread, people are not sure that the settings of their browser might not change with an update.

If your browser does not honor your networks DNS settings and chooses to contact DNS servers of its choice instead, the only instance where you could control this is your very browser.

This is entirely independent from the protocol being employed, and there is absolutely nothing that Pi-hole could do about it.

If you'd want to control that possible misbehaviour at network level, you'd have to introduce a DPI firewall at the gateway or on the device where your browser lives to selectively block port 443 requests and quite possible have to break the connections encryption as well (not very feasible).

and that is exactly what this is about... Firefox changing DNS to Cloudflare without informing the user is a problem.

I hope that there are better/easier/fairer solutions then the one you propose.