Firefox DoH blocklist not working

hi all,

i've found a few similar issues in the forums but they are not quite what i need.

tl;dr i was expecting that the following line of configuration, which was added in a pihole PR last year, would fix my issue:

[alarm@alarmpi ~]$ cat /etc/dnsmasq.d/01-pihole.conf 

I have a blocklist entry implemented as a regex for a certain domain. I know it works at a low-level:

(base) [kyle@catamaran ~]$ dig

; <<>> DiG 9.16.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32315
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;			IN	A


;; Query time: 13 msec
;; WHEN: Wed Nov 11 23:55:47 EST 2020
;; MSG SIZE  rcvd: 45

however firefox is not getting blocked for the same domain and i see the following in pihole query logs when making a request to discord:

2020-11-11 23:57:45 	AAAA	wgwz-mac	OK (cached)
2020-11-11 23:57:45 	A	wgwz-mac	OK (cached)

i tested accessing the same domain in chrome and the domain is blocked there (after clearing the cache). i tried clearing the firefox cache hoping it was the same but it makes no difference.

i'm at a dead end, it appears that the fix here is no longer working: Support for returning nxdomain for to disable Firefox DoH

i went through the process here for setting up the recursive DNS server:

can confirm that the test cases there worked out as documented.

what am i missing?

So you've defined some regex to block, and it gets blocked in Firefox as well as Chrome.

I'd say it works as expected.

my apologies there was a typo;

it is not working in firefox. it works everywhere else i mentioned.

Please edit your original post also to properly reflect your intention.

Let's check whether Pi-hole correctly returns NXDOMAIN for the canary domain:


If it does, Pi-hole is working correctly, and it's likely that Firefox is configured to always use DoH / Trusted Recursive Resolvers regardless.

Try to disable DoH in Firefox via Options/Preferences > General > Network Settings and/or check the trr.mode.
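The canary check above, written up as an added example (not code from this thread or from Pi-hole): it builds a raw DNS A query for Mozilla's documented DoH canary domain, use-application-dns.net (the thread elides the name), sends it to a resolver you point it at, and reads the RCODE from the reply. The resolver address is a placeholder; the sample response bytes are constructed inline so the parsing can be exercised offline.

```python
import socket
import struct

# Mozilla's DoH canary domain (documented by Mozilla; the thread does not name it).
CANARY_DOMAIN = "use-application-dns.net"
RCODE_NXDOMAIN = 3


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(response: bytes, expected_txid: int) -> int:
    """Return the RCODE of a DNS response after checking the txid and QR bit."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F


def canary_blocked(resolver_ip: str, port: int = 53, timeout: float = 2.0) -> bool:
    """True if the resolver answers NXDOMAIN for the canary domain.

    That is the signal Firefox's default (non-forced) DoH mode honours; a
    manually enabled DoH setting ignores it, as the thread concludes.
    """
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY_DOMAIN, txid), (resolver_ip, port))
        data, _ = s.recvfrom(512)
    return parse_rcode(data, txid) == RCODE_NXDOMAIN


# Constructed sample reply: QR=1, RD=1, RA=1, RCODE=3 (0x8183), question echoed, no answers.
SAMPLE_NXDOMAIN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + build_query(CANARY_DOMAIN)[12:]
)

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder: your Pi-hole
    print("canary returns NXDOMAIN:", canary_blocked(resolver))
```

Run it with your Pi-hole's address as the argument; a `True` result means the resolver side is fine and any remaining bypass is a Firefox-side setting.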

NXDOMAIN is correctly returned:

(base) [kyle@catamaran ~]$ nslookup

** server can't find NXDOMAIN

Checking out the Firefox settings now. Now that you mention it I think I may have selected an always use DoH option...

Disabling the DoH setting, seems to have done the trick.

Does Firefox enable this by default now? What is stated here may be true but ONLY if you manually intervene in your firefox settings (assuming it is the default setting).

Sort of. It is the default in Firefox, but it respects the canary domain. It is only when you toggle this setting and deliberately select DoH that Firefox ignores the canary domain and does what you specified.

I think this is consistent with what I saw. But I'm pretty sure they have a pop-up now, which if you respond yes to, it turns on using DoH all the time. And it does seem to bypass the canary domain. The pop-up comes from either the lock or shield icon next to the Firefox search bar.
