Enable DNS over HTTPS and Encrypted SNI in Firefox

Written by Security

In Firefox 62, Mozilla added two related features: DNS over HTTPS (DoH) and the Trusted Recursive Resolver (TRR). The idea behind them is to improve user privacy and, in some cases, performance. DNS queries have traditionally been sent in plaintext over UDP or TCP port 53, so anyone on the path, such as your ISP, can see (and tamper with) every name you look up. With DoH, Firefox carries the same queries inside a TLS-protected HTTPS connection to a resolver of your choosing, the TRR, instead of handing them to the operating system's resolver.

Below we’ll look at how to enable TRR so that Firefox makes DoH its first choice and uses the system DNS only as a fallback.

The second feature we will enable is Encrypted SNI (ESNI). The TLS Server Name Indication extension carries the hostname in cleartext during the handshake, so even with encrypted DNS an observer on the wire can still see which site you are connecting to; ESNI encrypts that hostname. Two caveats: it only works against servers (and CDNs such as Cloudflare) that publish an ESNI key in DNS, and it only helps if the DNS lookup itself is encrypted, which is why the two features are enabled together. Note also that the ESNI draft has since been superseded by Encrypted Client Hello (ECH); current Firefox releases no longer have the network.security.esni.enabled pref and use network.dns.echconfig.enabled instead.

How to enable Trusted Recursive Resolver and ESNI in Firefox

  1. First download and install the latest version of the Firefox browser.
  2. In the Firefox address bar type about:config and click on “I accept the risk!”.
  3. Next search for network.trr.mode and change its value from 0 to 2 (TRR preferred, with the system resolver as fallback).
  4. Now, in the search box type network.security.esni.enabled. Its default value is “false”; double-click on it to change the value to “true”.

You can then check whether both features are actually in use by heading over to https://www.cloudflare.com/ssl/encrypted-sni/, which reports whether your DNS is encrypted, whether DNSSEC validated, whether TLS 1.3 was negotiated and whether the SNI was encrypted. Inside Firefox, about:networking#dns lists recent lookups with a TRR column showing which ones went over DoH.

Alternative DoH endpoints

By default, when you enable DNS-over-HTTPS your requests go to Cloudflare at: https://mozilla.cloudflare-dns.com/dns-query

However, you can point Firefox at any RFC 8484-compliant DoH resolver by changing the network.trr.uri value to that resolver's endpoint URL, such as:
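Before changing network.trr.uri it is worth confirming that the candidate endpoint really speaks RFC 8484, which is what Firefox sends: a DNS wire-format query POSTed (or GET-encoded as base64url) with the application/dns-message media type, and a wire-format answer back. The following script is an added example, not code from the original article or from Mozilla; it uses only the Python standard library. The DOH_URI default is Firefox's default Cloudflare endpoint quoted above, and SAMPLE_RESPONSE is a hand-constructed answer for example.com so the parser can be exercised offline.

```python
"""Check a DoH endpoint the way Firefox will use it (RFC 8484 wire format).

Added example, not code from the original article.  Standard library only.
DOH_URI defaults to Firefox's default network.trr.uri; SAMPLE_RESPONSE is a
constructed DNS answer used for an offline self-check.
"""
import base64
import struct
import urllib.request

DOH_URI = "https://mozilla.cloudflare-dns.com/dns-query"  # Firefox default network.trr.uri


def build_query(name, qtype=1, txid=0):
    """Build a DNS wire-format query (RFC 1035) for `name` (default: A record).

    RFC 8484 recommends transaction ID 0 so identical queries are cacheable
    by HTTP caches; the TLS connection already protects against spoofing.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QCLASS IN


def get_param(name, qtype=1):
    """The `?dns=` parameter for the GET form: base64url, padding stripped."""
    return base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # resume after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, [(name, rtype, ttl, rdata_text), ...]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A
            text = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:              # AAAA
            text = ":".join("%x" % ((rdata[i] << 8) | rdata[i + 1]) for i in range(0, 16, 2))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


def doh_lookup(name, uri=DOH_URI, qtype=1, use_get=False):
    """Resolve `name` via the DoH endpoint at `uri` (needs network access)."""
    headers = {"Accept": "application/dns-message"}
    if use_get:
        req = urllib.request.Request("%s?dns=%s" % (uri, get_param(name, qtype)), headers=headers)
    else:
        headers["Content-Type"] = "application/dns-message"
        req = urllib.request.Request(uri, data=build_query(name, qtype), method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":       # not an RFC 8484 resolver
            raise ValueError("endpoint is not RFC 8484 compliant: Content-Type %r" % ctype)
        return parse_response(resp.read())


# Constructed (not captured) response to an A query for example.com: flags 0x8180
# (response, RD, RA, NOERROR), one question, one answer whose name is a
# compression pointer (0xC00C) to the question, TTL 3600, address 93.184.216.34.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))      # offline self-check
    print(doh_lookup("example.com"))            # live query against DOH_URI
```

Run it with a candidate URL in place of DOH_URI: if the request is rejected, answered with HTML, or comes back without the application/dns-message Content-Type, the endpoint is not one Firefox can use and network.trr.uri should not point at it. The parser handles the compression pointers real resolvers emit, so the same code works on live answers.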

How to disable Trusted Recursive Resolver

Not everyone is overly excited about the new TRR feature, since with the default setting every DNS query Firefox makes is sent to Cloudflare (other applications on the machine keep using the system resolver).

If that is the case for you, you can easily turn off TRR for good by setting network.trr.mode to 5.

Here are the current network.trr.mode values:

  • 0: Off (the default); Firefox uses the system resolver
  • 1: Race: the lookup goes to both TRR and the system resolver and Firefox uses whichever answers first
  • 2: TRR preferred; fall back to the system resolver if the DoH lookup fails
  • 3: TRR only, no fallback; also set network.trr.bootstrapAddress to the resolver's IP so Firefox can reach the endpoint's own hostname without the system resolver
  • 4: Shadow mode: lookups are also sent to TRR for timing, but the system resolver's answers are used
  • 5: Off by explicit choice; unlike 0, Firefox's own DoH rollout will not switch it back on

Which do you trust more, your ISP or Cloudflare? Do you have TRR enabled or have you set it to 5 to ensure it stays disabled? Let me know below!