Firefox: disable DNS over HTTPS (which Mozilla's prefs call TRR)
Posted by jpluimers on 2021/08/03
There are many reasons to disable DNS over HTTPS (DoH); enough of them are discussed in the links below.
Advice on disabling DoH always talks about setting the TRR mode (TRR, for Trusted Recursive Resolver, is the abbreviation Mozilla uses in its pref names) to 5 (like [WayBack] Thread by @isotopp: “Firefox is about to break DNS by enabling DNS-over-HTTP by default […]”), but hardly ever explains what 5 means, or what the other possible values are.
After some searching, I found [WayBack] Firefox disable trr | Knowledge Base:
- 0: Off by default
- 1: Firefox chooses faster
- 2: TRR default w/DNS fallback
- 3: TRR only mode
- 5: Disabled

I imagine the setting we’re all looking for is:

user_pref("network.trr.mode", 5);

(emphasis mine)
It pointed me to [WayBack] Trusted Recursive Resolver – MozillaWiki:
DNS-over-HTTPS (DOH) allows DNS resolves with enhanced privacy, secure transfers and improved performance.
…
All preferences for the DNS-over-HTTPS functionality in Firefox are located under the `network.trr` prefix (TRR == Trusted Recursive Resolver). The support for these was added in Firefox 62.…
network.trr.mode
The resolver mode. You should not change the mode manually, instead use the UI in the Network Settings section of about:preferences
- 0 – Off (default). Use standard native resolving only (don’t use TRR at all)
- 1 – Reserved (used to be Race mode)
- 2 – First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
- 3 – Only. Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)
- 4 – Reserved (used to be Shadow mode)
- 5 – Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
…
To keep the failure rate at a minimum, the TRR system manages a dynamic persistent blacklist for host names that can’t be resolved with DOH but works with the native resolver. Blacklisted entries will not be retried over DOH for a couple of days. “localhost” and names in the “.local” TLD will never be resolved via DOH.
When TRR starts up, it will first verify that it works by first checking a “confirmation” domain name. This confirmation domain is a pref by default set to “example.com”.
…
- Initial ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1434852
- The DNS-over-HTTPS spec: https://tools.ietf.org/html/rfc8484
- https://support.mozilla.org/en-US/kb/firefox-dns-over-https
- https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
…
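To make the mode table above usable in practice, here is an added example (my own code, not from the original post, from the Knowledge Base or from Mozilla): a small Python 3 script that parses a Firefox profile's `user.js` or `prefs.js`, reports what the current `network.trr.mode` value means according to the MozillaWiki table, flags whether the profile can actually send queries over DoH (only modes 2 and 3 do), and produces a `user.js` with the mode forced to 5. The sample profile content, the resolver URL `https://doh.example.net/dns-query` and the script name `trr_check.py` are constructed for the example and not taken from the page.

```python
import re
import sys

# Meaning of each network.trr.mode value, taken from the MozillaWiki table
# quoted above; only modes 2 and 3 actually send queries to the TRR (DoH).
TRR_MODES = {
    0: "Off (default): native resolver only, TRR not used",
    1: "Reserved (used to be Race mode)",
    2: "First: TRR first, native resolver only as a fallback",
    3: "Only: TRR only, native resolver never used",
    4: "Reserved (used to be Shadow mode)",
    5: "Off by choice: same as 0, but recorded as a deliberate choice",
}
DOH_ACTIVE_MODES = {2, 3}

# One pref line of a Firefox user.js / prefs.js, e.g.
#   user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

# Constructed sample profile content (not a real profile): DoH enabled in
# "First" mode against a hypothetical resolver URL.
SAMPLE_USER_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.net/dns-query");
"""


def _decode(raw):
    """Decode a pref value token into bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected untouched


def parse_prefs(text):
    """Return {pref_name: value} for every pref()/user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def trr_status(prefs):
    """Classify the TRR state of a parsed profile.

    An absent network.trr.mode means Firefox's built-in default (0 in the
    table above). Unknown or non-integer values are reported as such and
    treated as "DoH possible" so they do not pass an audit silently.
    """
    mode = prefs.get("network.trr.mode", 0)
    if type(mode) is not int or mode not in TRR_MODES:
        return {"mode": mode, "meaning": "unknown value", "doh_possible": True}
    return {
        "mode": mode,
        "meaning": TRR_MODES[mode],
        "doh_possible": mode in DOH_ACTIVE_MODES,
        "uri": prefs.get("network.trr.uri"),
    }


def disable_trr(text):
    """Return user.js text with network.trr.mode forced to 5 (off by choice).

    An existing network.trr.mode line is replaced in place; otherwise the
    setting is appended. All other prefs are left untouched.
    """
    new_line = 'user_pref("network.trr.mode", 5);'
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "network.trr.mode":
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python trr_check.py [path/to/profile/user.js]; without an
    # argument the constructed sample above is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_USER_JS
    status = trr_status(parse_prefs(text))
    print(f"network.trr.mode = {status['mode']}: {status['meaning']}")
    if status["doh_possible"]:
        print("DoH may be used by this profile; user.js with TRR disabled:")
        print(disable_trr(text), end="")
```

Run it against `prefs.js` to see what Firefox actually persisted, and against `user.js` to see what will be forced on next start; a profile with no `network.trr.mode` line at all is reported as mode 0, which is why 5 ("off by choice") is the value to write if you want the choice recorded rather than left to the default.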
Related links for further reading:
- [WayBack] Serverless DNS over HTTPS (DoH) at the Edge – Articles for Developers Building High Performance Systems
- via [WayBack] This once held TRR prefs. Now it has moved. · GitHub
- [WayBack] Security Researchers Express Concerns Over Mozilla’s New DNS Resolution For Firefox – Slashdot
- [WayBack] BSD How To: Why not use DNS over HTTPS (DoH)?
- [Archive.is] Firefox will soon be sending all DNS requests to Cloudflare using DNS over HTTPs : sysadmin
- [WayBack] Thread by @isotopp: “Firefox is about to break DNS by enabling DNS-over-HTTP by default […]”
Firefox is about to break DNS by enabling DNS-over-HTTP by default. Once that happens, the browser will ask Cloudflare over DNS for name resolution instead of whatever your sysadmin configures, leaking the names of all the websites you visit to Cloudflare. To disable this, about://config, void warranty, and set network.trr.mode to 5.
Thanks Kristian:
https://twitter.com/isotopp/status/1170973844527624192
https://twitter.com/isotopp/status/1170973842954686464
–jeroen