Enable DNS over HTTPS and Encrypted SNI in Firefox

In Firefox 62, Mozilla added two new features: DNS over HTTPS (DoH) and the Trusted Recursive Resolver (TRR). The idea behind both is to improve user privacy and performance. DNS has traditionally been sent in plaintext over UDP or TCP port 53, so anyone on the wire, such as your ISP, can see which sites you are visiting.

Below we’ll look at how to enable TRR: you can tell Firefox to make DoH its first choice and use the system DNS as a fallback.

The second feature we will enable is Encrypted SNI (ESNI), which prevents others from reading the TLS SNI extension and using it to determine which websites you are browsing. ESNI only works with TLS 1.3 and only for sites that publish an ESNI key in DNS; Firefox fetches that key through TRR, so ESNI effectively requires DoH to be enabled as well.

How to enable Trusted Recursive Resolver and ESNI in Firefox

  1. First download and install the latest version of the Firefox browser.
  2. In the Firefox address bar type in about:config and click on “I accept the risk!”.
  3. Next search for network.trr.mode and change its value from 0 to 2.
  4. Now, in the search box type in network.security.esni.enabled. Its default value will be “false”; double-click on it to change the value to “true”.
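The same settings can be applied without clicking through about:config, which is handy when you manage several profiles or want to check afterwards that nothing reset them. The script below is an added example (not from the original post or from Mozilla): it writes the prefs to a profile's user.js, which Firefox reads at startup and copies into prefs.js, and then parses the file back to confirm that TRR is actually on. The profile directory is a placeholder you must replace; the network.trr.bootstrapAddress value 1.1.1.1 for the TRR-only variant is an assumption (Cloudflare's resolver, which serves the default endpoint).

```python
"""Added example: write Firefox's DoH/ESNI prefs to a profile's user.js
and verify them. Not Mozilla's code. The profile path is a placeholder."""
import re
import tempfile
from pathlib import Path

# Prefs from the post: TRR preferred with fallback to the system resolver.
TRR_PREFS = {
    "network.trr.mode": 2,
    "network.trr.uri": "https://mozilla.cloudflare-dns.com/dns-query",
    "network.security.esni.enabled": True,
}

# Hardened variant: TRR only. Mode 3 needs a plain-DNS bootstrap address to
# resolve the endpoint's own hostname (assumption: Cloudflare's 1.1.1.1).
TRR_ONLY_PREFS = dict(TRR_PREFS, **{
    "network.trr.mode": 3,
    "network.trr.bootstrapAddress": "1.1.1.1",
})


def render_user_js(prefs: dict) -> str:
    """Render prefs as user_pref() lines in the syntax Firefox expects."""
    lines = []
    for name, value in prefs.items():
        if isinstance(value, bool):          # bool before int: True is an int
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
            literal = '"%s"' % escaped
        lines.append('user_pref("%s", %s);' % (name, literal))
    return "\n".join(lines) + "\n"


_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref() lines (user.js or prefs.js) back into Python values."""
    out = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            out[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            out[name] = int(raw)
        elif raw.startswith('"') and raw.endswith('"'):
            out[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return out


def write_prefs(profile_dir: str, prefs: dict) -> Path:
    """Append the prefs to <profile>/user.js, creating the file if needed."""
    path = Path(profile_dir) / "user.js"
    with open(path, "a", encoding="utf-8") as f:
        f.write(render_user_js(prefs))
    return path


def check_doh_enabled(prefs_text: str) -> bool:
    """True only if TRR is really on (mode 2 or 3), the endpoint is HTTPS,
    ESNI is on, and mode 3 has the bootstrap address it needs."""
    p = parse_prefs(prefs_text)
    mode = p.get("network.trr.mode")
    uri = str(p.get("network.trr.uri", ""))
    if mode not in (2, 3) or not uri.startswith("https://"):
        return False
    if mode == 3 and not p.get("network.trr.bootstrapAddress"):
        return False
    return p.get("network.security.esni.enabled") is True


if __name__ == "__main__":
    # Demo with a throwaway directory standing in for the real profile
    # (on Linux typically ~/.mozilla/firefox/<random>.default).
    with tempfile.TemporaryDirectory() as tmp:
        text = write_prefs(tmp, TRR_ONLY_PREFS).read_text()
        print(text)
        print("DoH + ESNI configured:", check_doh_enabled(text))
```

Run it against the real profile only with Firefox closed, since Firefox rewrites prefs.js on exit; user.js itself is never modified by Firefox, so the lines persist across restarts.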

You can then verify that secure DNS, DNSSEC validation, TLS 1.3 and encrypted SNI are all in effect from Cloudflare's test page at https://www.cloudflare.com/ssl/encrypted-sni/

Alternative DoH endpoints

By default, when you enable DNS-over-HTTPS your requests will go through Cloudflare at: https://mozilla.cloudflare-dns.com/dns-query


However, you can use any DoH-compliant (RFC 8484) endpoint by changing the network.trr.uri value to any endpoint that supports it, such as:

How to disable Trusted Recursive Resolver

Not everyone is overly excited about the new TRR feature, since by default all of your DNS traffic would be sent to Cloudflare.

If that is the case for you, you can easily turn off TRR for good by setting network.trr.mode to 5.

Here are the current network.trr.mode values:

  • 0: Off (the default); the system resolver is used
  • 1: Firefox races TRR against the system resolver and uses whichever answers faster
  • 2: TRR preferred, fall back to system DNS on failure
  • 3: TRR only, no DNS fallback (requires network.trr.bootstrapAddress so the endpoint's own hostname can be resolved)
  • 4: Shadow mode; the system resolver's answers are used, but TRR queries are sent in parallel for timing comparison
  • 5: TRR explicitly disabled; unlike 0 this records a deliberate choice, so a later change to Mozilla's default will not switch it on

Note that mode 2 is a convenience, not a guarantee: anyone who can block or break your connection to the DoH endpoint forces Firefox back onto plaintext DNS. If the goal is to keep lookups off the wire, mode 3 is the one to use.

Which do you trust more, your ISP or Cloudflare? Do you have TRR enabled or have you set it to 5 to ensure it stays disabled? Let me know below!

This Post Has 5 Comments

  1. There’s an important missing point here. In order to use mode 3 (enforced), the setting “trr.bootstrapAddress” must be set to a trusted DNS resolver which will be used to resolve the domain in the “trr.uri” setting.
    If “trr.bootstrapAddress” is left empty (as it is by default), DoH will not work in mode 3.

  2. I followed the steps to switch on DNS over HTTPS using Cloudflare in Firefox 66.0.1 , but the first two test fields: Secure DNS and DNSSEC do not pass – “You may not be using secure DNS.” and “Your resolver does not appear to validate DNS responses with DNSSEC.” The last two tests pass – “Your browser supports TLS 1.3, which encrypts the server certificate.” and “Your browser encrypted the SNI when visiting this page.”

    Please let me know why this is.

    1. I got that too; it was caused by the NoScript Firefox add-on. Are you using NoScript or maybe uBlock Origin?

  3. Set it to 5, thanks for the info. Don’t like this feature at all – how is it good for privacy/security to send all DNS queries to Cloudflare?

    1. It can’t be any worse than leaving all DNS queries in plain text for my ISP to read and then probably sell the info. My ISP is Xfinity; I will take my chances with Cloudflare.
