How to enable DNS-over-HTTPS (DoH) in Firefox
The DNS-over-HTTPS (DoH) protocol is currently the talk of the town, and the Firefox browser is the only one to support it.
However, the feature is not enabled by default for Firefox users, who will have to go through many hoops and modify multiple settings before they can get the DoH up and running.
But before we go into a step-by-step tutorial on how someone can enable DoH support in Firefox, let’s describe what it does first.
How DNS-over-HTTPS works
The DNS-over-HTTPS protocol works by taking a domain name that a user has typed in their browser and sending a query to a DNS server to learn the numerical IP address of the web server that hosts that specific site.
This is how normal DNS works, too. However, DoH takes the DNS query and sends it to a DoH-compatible DNS server (resolver) via an encrypted HTTPS connection on port 443, rather than plaintext on port 53.
This way, DoH hides DNS queries inside regular HTTPS traffic, so third-party observers won’t be able to sniff traffic and tell what DNS queries users have run and infer what websites they are about to access.
Further, a secondary feature of DNS-over-HTTPS is that the protocol works at the app level. Apps can come with internally hardcoded lists of DoH-compatible DNS resolvers where they can send DoH queries.
This mode of operation bypasses the default DNS settings that exist at the OS level, which, in most cases are the ones set by local internet service providers (ISPs).
This also means that apps that support DoH can effectively bypass local ISPs traffic filters and access content that may be blocked by a local telco or local government — and a reason why DoH is currently hailed as a boon for users’ privacy and security.
This is one of the reasons that DoH has gained quite the popularity in less than two years after it launched, and a reason why a group of UK ISPs nominated Mozilla for the award of 2019 Internet Vilain for its plans to support the DoH protocol, which they said would thwart their efforts in filtering bad traffic.
As a response, and due to the complex situation in the UK where the government blocks access to copyright-infringing content, and where ISPs voluntarily block access to child abuse website, Mozilla has decided not to enable this feature by default for British users.
The below step-by-step guide will show Firefox users in the UK and Firefox users all over the world how to enable the feature right now, and not wait until Mozilla enables it later down the road — if it will ever do.
Step 1: Type about:config in the URL bar and press Enter to access Firefox’s hidden configuration panel. Here users will need to enable and modify three settings.
Step 2: The first setting is network.trr.mode. This turns on DoH support. This setting supports four values:
- 0 – DoH is disabled
- 1 – DoH is enabled, but Firefox picks if it uses DoH or regular DNS based on which returns faster query responses
- 2 – DoH is enabled, and regular DNS works as a backup
- 3 – DoH is enabled, and regular DNS is disabled
A value of 2 works best.
Step 3: The second setting that needs to be modified is network.trr.uri. This is the URL of the DoH-compatible DNS server where Firefox will send DoH DNS queries. By default, Firefox uses Cloudflare’s DoH service located at https://mozilla.cloudflare-dns.com/dns-query. However, users can use their own DoH server URL. They can select one from the many available servers, from this list, here. The reason why Mozilla uses Cloudflare in Firefox is because the companies reached an agreement following which Cloudflare would collect very little data on DoH queries coming from Firefox users.
Step 4: The third setting is optional and you can skip this one. But if things don’t work, you can use this one as a backup for Step 3. The option is called network.trr.bootstrapAddress and is an input field where users can enter the numerical IP address of the DoH-compatible DNS resolver they entered in Step 3. For Cloudflare, that would be 220.127.116.11. For Google’s service, that would be 18.104.22.168. If you used another DoH resolver’s URL, you’ll need to track down that server’s IP and enter it here, if ever necesarry.
Normally, the URL entered in Step 3 should be enough, though.
Settings should apply right away, but in case they don’t work, give Firefox a restart.
Article source: Mozilla Wiki