Firefox DoH blocklist not working

hi all,

i've found a few similar issues in the forums but they are not quite what i need.

tl;dr i was expecting that the following line of configuration, which was added in a pihole PR last year, would fix my issue:

[alarm@alarmpi ~]$ cat /etc/dnsmasq.d/01-pihole.conf 
...
...
server=/use-application-dns.net/

I have a blocklist entry implemented as a regex for a certain domain. I know it works at a low-level:

(base) [kyle@catamaran ~]$ dig discord.com

; <<>> DiG 9.16.6 <<>> discord.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32315
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;discord.com.			IN	A

;; ANSWER SECTION:
discord.com.		2	IN	A	0.0.0.0

;; Query time: 13 msec
;; SERVER: 192.168.1.193#53(192.168.1.193)
;; WHEN: Wed Nov 11 23:55:47 EST 2020
;; MSG SIZE  rcvd: 45

however firefox is not getting blocked for the same domain and i see the following in pihole query logs when making a request to discord:

2020-11-11 23:57:45 	AAAA	mozilla.cloudflare-dns.com	wgwz-mac	OK (cached)
2020-11-11 23:57:45 	A	mozilla.cloudflare-dns.com	wgwz-mac	OK (cached)

i tested accessing the same domain in chrome and the domain is blocked there (after clearing the cache). i tried clearing the firefox cache hoping it was the same but it makes no difference.

i'm at a dead end; it appears that the fix here is no longer working: Support for returning nxdomain for use-application-dns.net to disable Firefox DoH

i went through the process here for setting up the recursive DNS server:

https://docs.pi-hole.net/guides/unbound/#setting-up-pi-hole-as-a-recursive-dns-server-solution

can confirm that the test cases there worked out as documented.

what am i missing?

So you've defined some regex to block discord.com, and it gets blocked in Firefox as well as Chrome.

I'd say it works as expected.

my apologies, there was a typo:

it is not working in firefox. it works everywhere else i mentioned.

Please edit your original post also to properly reflect your intention.

Let's check whether Pi-hole correctly returns NXDOMAIN for the canary domain:

nslookup use-application-dns.net

If it does, Pi-hole is working correctly, and it's likely that Firefox is configured to always use DoH / Trusted Recursive Resolvers regardless.

Try to disable DoH in Firefox via Options/Preferences > General > Network Settings and/or check the trr.mode.
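The check above can be scripted. The following is an added example, not code from the thread or from Pi-hole: a stdlib-only Python script that sends the same A query for use-application-dns.net that nslookup sends and inspects the RCODE in the reply. Firefox treats NXDOMAIN for the canary domain as the signal to leave DoH off (Mozilla's DoH FAQ linked later in the thread also counts a NOERROR reply with no A/AAAA records); a NOERROR reply that carries an A record, like the 0.0.0.0 answer Pi-hole returns for a regex-blocked domain, is not that signal. The two sample replies are constructed to mirror the dig and nslookup output shown in the thread; the resolver address 192.168.1.193 is the one the poster used.

```python
"""Check whether a resolver returns NXDOMAIN for the Firefox DoH canary domain.

Added example; uses only the standard library so it runs without dnspython.
"""
import socket
import struct
import sys

CANARY = "use-application-dns.net"
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted host name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name=CANARY, txid=0x1234):
    """Build a minimal recursive A/IN query, like `nslookup <name>` does."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data):
    """Pull the fields we care about out of the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def canary_disables_doh(resp):
    """True when the reply is what Firefox looks for before enabling DoH:
    NXDOMAIN, or (per Mozilla's FAQ) NOERROR with no answer records."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return True
    return resp["rcode"] == RCODE_NOERROR and resp["answers"] == 0


def query(server, name=CANARY, port=53, timeout=2.0):
    """Send the canary query over UDP and return the parsed reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(512)
    resp = parse_response(data)
    if resp["id"] != 0x1234 or not resp["qr"]:
        raise ValueError("reply does not match our query")
    return resp


# Constructed sample replies (not captured from the thread's network):
# 1) what the nslookup in the thread shows: flags qr rd ra, RCODE=3 (NXDOMAIN)
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + encode_name(CANARY) + struct.pack("!HH", 1, 1)
)
# 2) what the dig for discord.com shows: flags qr aa rd ra, one A record 0.0.0.0
SAMPLE_BLOCKED_A = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + encode_name("discord.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + bytes([0, 0, 0, 0])
)

if __name__ == "__main__":
    # Usage: python canary_check.py [resolver-ip]  (default: the thread's Pi-hole)
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.193"
    r = query(server)
    print("rcode=%d answers=%d -> canary %s" % (
        r["rcode"], r["answers"],
        "disables DoH" if canary_disables_doh(r) else "does NOT disable DoH"))
```

If the script reports that the canary disables DoH but Firefox still sends its queries to mozilla.cloudflare-dns.com, the resolver side is fine and the remaining place to look is the browser's own DoH setting, exactly as suggested above.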

NXDOMAIN is correctly returned:

(base) [kyle@catamaran ~]$ nslookup use-application-dns.net
Server:		192.168.1.193
Address:	192.168.1.193#53

** server can't find use-application-dns.net: NXDOMAIN

Checking out the Firefox settings now. Now that you mention it, I think I may have selected an "always use DoH" option...

Disabling the DoH setting seems to have done the trick.

Does Firefox enable this by default now? What is stated here may be true but ONLY if you manually intervene in your firefox settings (assuming it is the default setting). https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs#w_how-will-doh-impact-parental-controls

Sort of. It is the default in Firefox, but it respects the canary domain. It is only when you toggle this setting and deliberately select DoH that Firefox ignores the canary domain and does what you specified.

I think this is consistent with what I saw. But I'm pretty sure they have a pop-up now, which, if you respond yes to, turns on using DoH all the time. And it does seem to bypass the canary domain. The pop-up comes from either the lock or the shield icon next to the Firefox search bar.
