Configure DNS Over HTTPS in Firefox
DNS over HTTPS is a relatively new feature designed to improve the privacy, security and connection reliability of DNS look-ups; the feature is currently in draft status and tested by companies such as Google, Cloudflare or Mozilla.
DNS resolution plays an important part on today's Internet; domain names that you enter in your browser's address bar need to be linked to IP addresses, and that is what DNS is used for. These DNS look-ups happen automatically and often without any form of encryption or protection from prying eyes or tampering.
DNS over HTTPS attempts to fix this by sending DNS requests in encrypted form to a compatible DNS server so that these don't reveal the target of the request anymore to third-parties, e.g. someone on the same network or an Internet Service Provider.
Internet users up until now had options to connect to a non-leaking VPN provider, switch the DNS provider to one that promises better privacy and security, or use DNSCrypt to improve privacy and security.
DNS Over HTTPS in Firefox
Mozilla started to roll out DNS over HTTPS for Firefox users in the United States in 2019. The service is in fallback mode, which means that the browser will first try to use DNS over HTTPS for the query and, only if that fails, fall back to traditional unencrypted DNS to ensure that the query is successful.
Firefox users in the United States will receive a popup notification in the browser when DNS over HTTPS is first enabled. The prompt explains what the feature does and includes an option to disable it.
Note that the feature won't be enabled if any of the following is found:
- Parental controls are used (as these often use DNS filtering).
- If the default DNS provider supports malware filtering.
- If the device is managed by an organization.
Users who opted in may opt out on about:studies at any time by removing the "DNS over HTTPS US Rollout" study.
Configure DNS over HTTPS manually in Firefox
Firefox users from around the world may configure the browser to use DNS over HTTPS. Type about:support to check the version of Firefox; if it is at least version 60.x, you may configure the feature. Please note that this may lead to connectivity issues (which may be limited by configuring a fallback).
Note: You may use a number of DNS over HTTPS supporting services now. You can check out the latest listing on GitHub. Some examples:
- Adguard: https://dns.adguard.com/dns-query
- Cloudflare: https://cloudflare-dns.com/dns-query
- Google RFC 8484: https://dns.google/dns-query
- Google JSON API: https://dns.google/resolve
- Open DNS: https://doh.opendns.com/dns-query
- Secure DNS EU: https://doh.securedns.eu/dns-query
- Quad 9: https://dns.quad9.net/dns-query
All current versions of Firefox come with options to enable DNS over HTTPS in the settings. These don't provide the same level of customization that the advanced configuration offers, but they are easier to set up.
It is necessary to change three Trusted Recursive Resolver preferences in the browser. Here is how that is done:
- Load about:preferences#general in the web browser's address bar.
- Scroll down to the Network Settings section (at the bottom of the page) and activate the Settings button.
- Scroll down on that page until you find the "Enable DNS over HTTPS" setting.
- Check the box and pick one of the providers (Cloudflare or NextDNS), or pick custom to specify a custom provider (see list above).
- Click okay to complete the configuration change.
Firefox users who want more control over DNS over HTTPS may configure additional details in the advanced configuration:
- Load about:config in the Firefox address bar.
- Confirm that you will be careful if the warning page is displayed.
- Search for network.trr.mode and double-click on the name.
- Set the value to 2 to make DNS Over HTTPS the browser's first choice but use regular DNS as a fallback. This is the optimal setting for compatibility.
- Set the value to 3 to only use DNS over HTTPS (no fallback).
- If you want to set it to off, set the value to 0. Configuration values 1 and 4 are no longer used.
- Search for network.trr.uri. Firefox expects a DNS over HTTPS server. Double-click on the name and add the URL of one of the providers listed above.
- Search for network.trr.bootstrapAddress and double-click on it. Note that this is no longer required from Firefox 74 onward if mode 3 is being used.
- Set the value to 220.127.116.11 (if you use Cloudflare, or look up the IP on the provider's website or use a DNS query tool to find out)
Tip: Use the preference network.trr.excluded-domains on about:config to exclude domains from DNS over HTTPS. Edit the value, add domains, and separate them with a comma. See also Mozilla's help article on configuring networks to disable DNS over HTTPS.
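Preferences changed on about:config are stored in the profile's prefs.js as user_pref lines, so the resulting setup can be checked from outside the browser. The following is an added example, not part of the original article: it parses such a file and reports what the network.trr.* values described above mean, including whether regular DNS is still used as a fallback. The function names and the sample file content are constructed for illustration.

```python
import re
from urllib.parse import urlsplit
# Matches one user_pref("name", value); line of a Firefox prefs.js / user.js file.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every network.trr.* preference in the text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m or not m.group(1).startswith("network.trr."):
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]          # string preference
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean preference
        else:
            prefs[name] = int(raw)           # integer preference
    return prefs

# Meaning of network.trr.mode as given in the steps above.
MODES = {0: "off: all lookups use regular DNS",
         2: "fallback: a failed DoH lookup is retried over regular DNS",
         3: "strict: DoH only, no fallback"}

def audit_trr(prefs):
    """Return a list of findings for the parsed network.trr.* preferences."""
    mode = prefs.get("network.trr.mode", 0)  # assumption: absent is treated as 0
    note = "no longer used" if mode in (1, 4) else "not covered by the steps above"
    findings = [MODES.get(mode, f"mode {mode}: {note}")]
    uri = prefs.get("network.trr.uri")
    if mode in (2, 3) and uri is None:
        findings.append("network.trr.uri is not set in this file")
    elif mode in (2, 3) and urlsplit(uri).scheme != "https":
        findings.append("network.trr.uri is not an https:// URL")
    excluded = prefs.get("network.trr.excluded-domains", "")
    findings += [f"excluded from DoH: {d.strip()}" for d in excluded.split(",") if d.strip()]
    return findings

# Constructed sample profile content, not taken from a real installation.
SAMPLE = '''
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://cloudflare-dns.com/dns-query");
user_pref("network.trr.excluded-domains", "intranet.example, printer.example");
'''

if __name__ == "__main__":
    print("\n".join(audit_trr(parse_prefs(SAMPLE))))
```

Every name listed as excluded, and every lookup that fails in mode 2, is still resolved over regular DNS and remains visible on the local network.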
Note: Mozilla has a special agreement with Cloudflare which limits the logged data and data retention. Cloudflare launched the public DNS service 18.104.22.168 yesterday which supports DNS over HTTPS as well.
Tip: Check out our Firefox DNS over HTTPS article which lists all available parameters and what they do.
The core benefit of DNS over HTTPS is that you limit exposure of your DNS queries. You need to trust the public provider; Cloudflare or Google are the only ones right now. It is likely that other providers will introduce support for it if the feature is integrated into the stable versions of popular web browsers.
Now You: Have you changed the DNS provider on your devices?