The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Firefox: disable DNS over HTTPS (which they call TRR)

Posted by jpluimers on 2021/08/03

There are many reasons to disable DNS over HTTPS (DoH), of which enough are discussed in the links below.

Most advice on disabling DoH boils down to setting TRR (the abbreviation Mozilla uses for it) to 5 (like [WayBack] Thread by @isotopp: “Firefox is about to break DNS by enabling DNS-over-HTTP by default […]”), but hardly ever explains what 5 means, or what the other possible values are.

After some searching, I found [WayBack] Firefox disable trr | Knowledge Base:

  • 0: Off by default
  • 1: Firefox chooses faster
  • 2: TRR default w/DNS fallback
  • 3: TRR only mode
  • 5: Disabled

I imagine the setting we’re all looking for is: user_pref("network.trr.mode", 5); (emphasis mine)

It pointed me to [WayBack] Trusted Recursive Resolver – MozillaWiki:

DNS-over-HTTPS (DOH) allows DNS resolves with enhanced privacy, secure transfers and improved performance.

All preferences for the DNS-over-HTTPS functionality in Firefox are located under the `network.trr` prefix (TRR == Trusted Recursive Resolver). The support for these was added in Firefox 62.

network.trr.mode

The resolver mode. You should not change the mode manually; instead use the UI in the Network Settings section of about:preferences.

  • 0 – Off (default). Use standard native resolving only (don’t use TRR at all)
  • 1 – Reserved (used to be Race mode)
  • 2 – First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
  • 3 – Only. Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)
  • 4 – Reserved (used to be Shadow mode)
  • 5 – Off by choice. This is the same as 0 but marks it as done by choice and not done by default.

To keep the failure rate at a minimum, the TRR system manages a dynamic persistent blacklist for host names that can’t be resolved with DOH but work with the native resolver. Blacklisted entries will not be retried over DOH for a couple of days. “localhost” and names in the “.local” TLD will never be resolved via DOH.

When TRR starts up, it will first verify that it works by checking a “confirmation” domain name. This confirmation domain is a pref by default set to “example.com”.
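The mode table above is easy to misread in a profile that has been edited a few times, so here is a small checker, added as an example for this post and not part of Mozilla's code or any Firefox tooling. It parses the `user_pref("network.trr.mode", N);` lines from a prefs.js or user.js fragment, reports what the value means using the MozillaWiki descriptions quoted above, and renders the "off by choice" line. The prefs.js fragment is a constructed sample, not a real profile; the assumption that Firefox stores only prefs that differ from the built-in default (so a missing line means mode 0) and that a later line overrides an earlier one is stated in the code.

```python
import re

# Meaning of each network.trr.mode value, per the MozillaWiki table quoted above.
TRR_MODES = {
    0: "Off (default): native resolver only, TRR not used",
    1: "Reserved (formerly Race mode)",
    2: "First: TRR first, native resolver as fallback",
    3: "Only: TRR only, never native (needs network.trr.bootstrapAddress)",
    4: "Reserved (formerly Shadow mode)",
    5: "Off by choice: same as 0, but recorded as a deliberate setting",
}

# Matches lines such as: user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*(\d+)\);')


def read_trr_mode(prefs_text: str) -> int:
    """Return the network.trr.mode value found in prefs.js/user.js text.

    Assumption: Firefox writes a pref to prefs.js only when it differs from
    the built-in default, so an absent line means mode 0; and when the pref
    appears more than once, the last line wins.
    """
    mode = 0
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            mode = int(m.group(1))
    return mode


def describe_trr_mode(mode: int) -> str:
    """Human-readable meaning of a mode value, or a note for unknown values."""
    return TRR_MODES.get(mode, f"Unknown value {mode}")


def doh_is_active(mode: int) -> bool:
    """True when lookups can actually go over DoH (modes 2 and 3)."""
    return mode in (2, 3)


def user_js_line(mode: int = 5) -> str:
    """Render the user.js line that pins network.trr.mode to the given value."""
    if mode not in TRR_MODES:
        raise ValueError(f"invalid network.trr.mode {mode}")
    return f'user_pref("network.trr.mode", {mode});'


# Constructed prefs.js fragment for demonstration (not taken from a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1627000000);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
'''

if __name__ == "__main__":
    mode = read_trr_mode(SAMPLE_PREFS)
    print(f"network.trr.mode = {mode}: {describe_trr_mode(mode)}")
    print("DoH can be used for lookups:", doh_is_active(mode))
    print("To switch it off by choice, add to user.js:", user_js_line(5))
```

Run it against a copy of your profile's prefs.js (or a user.js you are about to drop in) to confirm that the mode you think you set is the one that will actually apply; a value of 5 rather than 0 is what tells Firefox the choice was deliberate.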


Related links for further reading:

Thanks Kristian:

https://twitter.com/isotopp/status/1170973844527624192

https://twitter.com/isotopp/status/1170973842954686464

–jeroen
