Disabling Firefox's automatic switch to DoH

[Kingp1n]

This is just one of the numerous reasons why I dislike Mozilla's whole approach to this. It's impossible to accurately predict whether you will be using DoH or not, there are far, far too many variables involved. It makes troubleshooting anything DNS-related a major PITA.

Would the fix be to stop using Firefox?

 

[MDM]

No, just be sure it is disabled (anyway others will follow sooner or later...).

 

[Netbug]

Would the fix be to stop using Firefox?

as MDM suggested you can disable the setting. Issue for many i think is those with children who have they're kids devices set to for example opendns family to protect them from adult content, gambling etc. They could easily change to custom and enter dns of an unfiltered dns server and bypass the dns set at router level as DoH is done over HTTPS.

Mutzil describes it well.

That's the problem, DoH will always go direct to resolve your DNS requests without going through your DoT enabled router since the router doesn't know that this is a DNS request from your browser, it's categorized as HTTPS. I hope this makes sense.
Btw the latest version is 70.0, came out today.

 

[AntonK]

I've installed version 70 and the "Enable DNS over HTTPS" setting remains unchecked.

 

[MarkRH]

Updated to 70 Release, 71 Beta, and 72 Nightly. (Yes, I have all three installed with their own profiles).

Anyway, updating via the internal updater, none of them enabled DoH. Network Settings are still set to No Proxy and nothing else checked there. So, my guess is the automatic enabling happens with a fresh install. Launching 70 using a clean profile also does not enable DoH. Perhaps I'm not in the pool of auto-enabled users yet. More info: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

 

[Mutzli]

I've installed version 70 and the "Enable DNS over HTTPS" setting remains unchecked.

The problem is if you have Firefox Private Network activated, (info over here: https://private-network.firefox.com/ ), it will always switch your Firefox settings to use DoH. I haven't found a way to manually configure the settings. You can go into about:config and make changes to the network.trr settings. But the next time Firefox Private Network is turned on the settings go right back to DoH. I know this is probably needed to have Firefox Private Network work, but it would be nice to have it go back to the old settings once it's turned off.

 

[Zastoff]

A new feature maybe to handle software restriction policies? Or maybe it can be done with firewall?
If this is used to bypass routers DNS & parental control and so on..

 

[MDM]

It has absolutely nothing to do with software and/or firewall..
I is only browser related and can not be controlled (where the issue), since it is in base just HTTPS trafic.

 

[Zastoff]

It has absolutely nothing to do with software and/or firewall..
I is only browser related and can not be controlled (where the issue), since it is in base just HTTPS trafic.

I know my question was off-topic since it`s about DoH problem with Firefox.
I dont use Firefox myself but i guess it can be used/installed on my network (kids devices) to bypass parental control..
Guess i could block Firefox and more if needed on every device, But was hoping i could do it on the router

 

[dave14305]

I know my question was off-topic since it`s about DoH problem with Firefox
I dont use Firefox myself but i guess it can be used/installed on my network (kids devices) to bypass parental control..
Guess i could block Firefox and more if needed on every device, But was hoping i could do it on the router

I think there's opportunity to hijack the DNS names used for TLS verification of the DoH connection to break DoH locally, and using DNSFilter to ensure the bootstrapping queries go to the router.

This is written for BIND, but I think the same ideas can be applied to dnsmasq.
https://github.com/bambenek/block-doh

 

[bits]

Firefox has supported users turning on DNS over https for about 18 months now. If you want it off, turn it off but if that is all you did the user could just turn it back on. Just like 18 months ago.

Chrome now supports DNS over https and the user can just turn it on like in Firefox. There is zero difference between chrome and Firefox abilities to allow the user to bypass a DNS filter with ease.

If you have concerns about what settings an app has on a local machine like Chrome or Firefox you need a admin/parental app to control that.

Children bypassing a DNS filter is not at all the concern here. Chrome and Firefox readily let a normal user bypass that, fix = control the machine.

The complaint in this thread is about Firefox enabling the setting by default, pushing user data towards a Firefox nominated server.


RMerlin sees this as a privacy concern as many users may not understand their data is centralised for Firefox.
Firefox claim they will not use or sell user data but RMerlin still has concerns, maybe they lie or get hacked or change their mind without notice.

I see it as the lesser evil, I trust Firefox but definitely do not trust the random networks like wifi hot spots people connect to.
I also definitely do not trust the other users that also know the WiFi networks password that can see and log all my traffic.
People are severely under estimating how compromised almost all users are right when using standard DNS.

Either the common user is definitely screwed as things are right now with standard DNS vs maybe they get screwed with Firefox's DNS over https.

PS always remember any savy user can set Firefox to any server of their choice. Firefox isn't enforcing you use their servers they are just pushing users to not be using standard dns. Browsers are slowly killing off http with the exact same intent.
Simple/majority of users will likely stick with Firefox's initial server offer. But I'm sure Norton will point Firefox to their server when installed, same with every other "antivirus" and browser helper app.

 

[Zastoff]

I think there's opportunity to hijack the DNS names used for TLS verification of the DoH connection to break DoH locally, and using DNSFilter to ensure the bootstrapping queries go to the router.

This is written for BIND, but I think the same ideas can be applied to dnsmasq.
https://github.com/bambenek/block-doh

Would be an awesome option

 

[dave14305]

Would be an awesome option

I added these entries to my diversion blacklist. It broke the Firefox DoH when manually enabled.

192.168.1.2 mozilla.cloudflare-dns.com # Block DoH
192.168.1.2 dns.google # Block DoH
192.168.1.2 cloudflare-dns.com # Block DoH
192.168.1.2 dns9.quad9.net # Block DoH
192.168.1.2 dns10.quad9.net # Block DoH
192.168.1.2 doh.cleanbrowsing.org # Block DoH
192.168.1.2 dns.dnsoverhttps.net # Block DoH
192.168.1.2 doh.crypto.sx # Block DoH
192.168.1.2 doh.powerdns.org # Block DoH
192.168.1.2 doh-jp.blahdns.com # Block DoH
192.168.1.2 dns.dns-over-https.com # Block DoH
192.168.1.2 doh.securedns.eu # Block DoH
192.168.1.2 dns.rubyfish.cn # Block DoH
192.168.1.2 doh.dnswarden.com # Block DoH
192.168.1.2 doh.captnemo.in # Block DoH
192.168.1.2 doh.tiar.app # Block DoH

 

[bits]

I added these entries to my diversion blacklist. It broke the Firefox DoH when manually enabled.

The first Google link I clicked listing public doh servers has about 20 more domains from Cisco, Comcast, etc.

 

[RMerlin]

RMerlin sees this as a privacy concern as many users may not understand their data is centralised for Firefox.
Firefox claim they will not use or sell user data but RMerlin still has concerns, maybe they lie or get hacked or change their mind without notice.

To be clear, my privacy concern isn't about Mozilla or Cloudflare's potential use of the data (I'd say I generally trust these two companies not to do anything nefarious with user data), but about the fact that all of this data is aggregated to a single point. If someone ever managed to compromise that one single server address, you can imagine the sheer volume of data they would gain access to.

However, my primary issue with all of this is the fact that it's automatically enabled, which will bypass any security measure that you, the end-user/network admin, might have in place. Case in point: if you decided to implement a network-wide DNS-over-TLS setup, or use a DNS-based parental filter to protect your kids, then Firefox might transparently, without you even knowing it, bypass those security measures you have put in place, putting your kids at risk of being exposed to inappropriate content.

While I'm not a fan of the DoH protocol itself (in part because of how easily it can bypass your self-implemented security measures, or your configured network management rules), my biggest beef here is that Firefox will 1) automatically, 2) if it feels like it (i.e. if in the US, but not if another country) enable it. It makes any troubleshooting a pain, because a technician will have to guess whether you are using a public DNS server, or the DoH-selected DNS server. The address you might get by using nslookup might not necessarily be the same as used by Firefox. It's a tech support nightmare. In this regard, I like Chrome's approach, where what they do is just bump the protocol from regular DNS queries to DoH if you are currently using a DNS server known to support it. For example if your network uses Quad9, then it will switch to DoH, still through Quad9. It will have no drawback, beside maybe a slight slowdown in resolution speed.

In an ideal world...:

1) Client operating systems would support DNS-over-TLS at their resolver level, with user-configurable servers, not hardcoded ones
2) Domain owners would secure their zone through DNSSEC
3) DoH would just go away and die

Technologies like DoH are just poorly engineered workarounds, and their supporters fail to point out the side-effects caused by their implementation of the technology.

 

[RMerlin]

But I'm sure Norton will point Firefox to their server when installed

Norton DNS was discontinued in November 2018.

 

[Makaveli]

I just updated Firefox from 69.03 to release 70.0. They did now turn on DoH on default. No problem I thought, I just have to go into about:config and change network.trr.mode from 3 to 5 (disable) to have DoT active again. To my surprise when I restarted Firefox I found that the value have been automatically set back from 5 to 3. Is there another setting I'm missing or does Mozilla now force DoH on us?

I just upgraded to 70

And I see this



Now is it 5 to disable or 3 to disable?

 

[AntonK]

However, my primary issue with all of this is the fact that it's automatically enabled, which will bypass any security measure that you, the end-user/network admin, might have in place.

My FF installation has never shown the DNS over HTTPS setting checked to on. Are you saying that even though it's not checked, it STILL is on under the hood?

 

[cmkelley]

My FF installation has never shown the DNS over HTTPS setting checked to on. Are you saying that even though it's not checked, it STILL is on under the hood?

Are you in the U.S.? I believe it's (currently) only automatically enabled if it thinks you're in the U.S.

 

[MarkRH]

I just upgraded to 70

And I see this



Now is it 5 to disable or 3 to disable?

If I turn DoH on then network.trr.mode gets set to 2. With it off, the value is 0. The network.trr.max-fails value does not change. It stays 5. Don't need to go into about:config to change it. Just go to Options -> General -> Network Settings button and look for the checkbox at the bottom. Screenshot: https://i.imgur.com/CA35fAr.png

Interesting. I turned it on and Imgur would not load.