DNS over HTTPS coming to Firefox

Wow amazing.
Makes you wonder who/what decides.


EDIT: just checked my Debian laptop and it is the same.
You have to opt-in.

I have Firefox 73.0.1 on MacOS and the default is OFF.

As you can choose a provider of DNS over HTTPS, I do wonder if this could be my pi-hole in the future... can anyone tell me whether this is, or is not, possible?

What would be the purpose or benefit of encrypting local DNS traffic on your LAN?


not so much indeed. But one thing could be that I want to make sure that Firefox uses the DNS I specify and doesn't change without me noticing it.

As discussed in this thread, people are not sure that the settings of their browser might not change with an update.

If your browser does not honor your network's DNS settings and chooses to contact DNS servers of its choice instead, the only instance where you could control this is your very browser.

This is entirely independent from the protocol being employed, and there is absolutely nothing that Pi-hole could do about it.

If you'd want to control that possible misbehaviour at network level, you'd have to introduce a DPI firewall at the gateway or on the device where your browser lives to selectively block port 443 requests, and quite possibly have to break the connection's encryption as well (not very feasible).

and that is exactly what this is about... Firefox changing DNS to Cloudflare without informing the user is a problem.

I hope that there are better/easier/fairer solutions than the one you propose.

This is the default setting in the currently released version of Pi-hole.


https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

Latest stable v4:

pi@noads:~ $ tail -1 /etc/dnsmasq.d/01-pihole.conf
server=/use-application-dns.net/

Beta v5:

pi@phb5:~ $ tail -1 /etc/dnsmasq.d/01-pihole.conf
server=/use-application-dns.net/

Is there an issue with the currently shipping versions?

Not that I know of, if you're asking me.
That added directive is doing exactly what's expected.
With that directive:

dehakkelaar@laptop:~$ host -t a use-application-dns.net.
Host use-application-dns.net. not found: 3(NXDOMAIN)

Without:

dehakkelaar@laptop:~$ host -t a use-application-dns.net.
use-application-dns.net has address 63.245.208.212

I don't understand this post, there wasn't any detail of what we were looking at or why it was posted.

I was confirming what you stated:

Looks like latest release is preventing DoH as described in the linked article.
Or am I missing something obvious :smiley:

This has already been posted here, but I think this will make it easier to spot as a solution.
For all that are still wondering how to easily stop Firefox from working around pi-hole and using its own DoH magic, there is an easy solution.
Just have your pi-hole block this URL: use-application-dns.net
Firefox checks whether it can reach use-application-dns.net upon startup and will turn off all DoH features if the result is negative.
For further reading: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
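As an added illustration of the two points made in this thread (the `server=/use-application-dns.net/` directive shown in the dnsmasq config above, and the startup check described in this post), here is a small Python script that is not part of Pi-hole or Firefox. It parses dnsmasq `server=` lines to confirm the canary zone is answered locally (an empty upstream after the zone means dnsmasq returns NXDOMAIN), and models the decision Firefox makes from the resulting answer: a negative result disables DoH, a resolved address leaves it on. The sample config text is constructed for the example; the optional live check uses the system resolver and needs network access.

```python
"""Check whether a dnsmasq/Pi-hole config blocks Mozilla's canary domain and
model the DoH on/off decision Firefox derives from the DNS answer.
Added example for this thread; not Pi-hole's or Mozilla's own code."""
import re
import socket

CANARY = "use-application-dns.net"

# Constructed sample of the relevant dnsmasq lines (not a real Pi-hole file).
SAMPLE_CONF = """\
# dnsmasq config (constructed sample)
server=1.1.1.1
server=/use-application-dns.net/
"""


def parse_server_directives(conf_text):
    """Return {zone: upstream-or-None} for every zone-scoped `server=` line.

    `server=/example.com/` with nothing after the closing slash tells dnsmasq
    not to forward that zone at all, so unknown names get NXDOMAIN locally.
    """
    zones = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^server=/([^/]+)/(.*)$", line)
        if m:
            zones[m.group(1).lower()] = m.group(2) or None
    return zones


def canary_blocked(conf_text):
    """True when the canary zone is present with no upstream (local NXDOMAIN)."""
    zones = parse_server_directives(conf_text)
    return CANARY in zones and zones[CANARY] is None


def firefox_would_use_doh(rcode, answers):
    """Model of the canary heuristic: a negative answer (NXDOMAIN/SERVFAIL or
    no address records) turns DoH off; a resolved address leaves it on."""
    if rcode in ("NXDOMAIN", "SERVFAIL"):
        return False
    return len(answers) > 0


def live_canary_check():
    """Ask the system resolver for the canary (network required); mirrors
    `host -t a use-application-dns.net.` from the thread."""
    try:
        addrs = socket.getaddrinfo(CANARY, None)
        return firefox_would_use_doh("NOERROR", addrs)
    except socket.gaierror:
        return False


if __name__ == "__main__":
    print("canary blocked in sample config:", canary_blocked(SAMPLE_CONF))
    print("DoH would stay on via this resolver:", live_canary_check())
```

Run it on the host whose resolver is the Pi-hole: with the directive in place the live check reports `False`, matching the NXDOMAIN output shown earlier in the thread.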

This has been incorporated in Pi-hole since Feb 2020, in Version 4.4.

The configuration option can be toggled in the FTL configuration file:

https://docs.pi-hole.net/ftldns/configfile/#mozilla_canary


Seriously, thank you so much! I completely missed that!


hello sir @Protecther

I tried adding the domain use-application-dns.net to the blacklist, restarted Firefox and it still ignores my DNS settings.

I am just trying to block 2 domains and I've learned that Firefox ignores these settings ... it works in Chrome and Edge but not Firefox.

Why would a browser ignore DNS settings? I don't understand in which case this is useful and even if it is, I can't understand why a checkbox would exist in settings IF IT DOES FUCK ALL?

Phew, it's been some time. All I remember is that when it came to safe browsing, Mozilla and co took it into their own hands to make browsing "safe" by sending the browser traffic straight to a DNS service like Cloudflare.. this is not 100% correct, but what I want to say is that your browser is basically tunneling past your pi-hole because it doesn't know that you are a step ahead of everyone else and not your average internet user.
I remember solving this by changing a setting in the browser... aaaarrr I mean the deep settings, not through the settings menu. And by blocking as mentioned above, but as also posted here, there is apparently a setting for it in pi-hole, so you might want to check that first.
I hope this helps somewhat. Best of luck!