Disabling Firefox's automatic switch to DoH

AntonK

Senior Member
Are you in the U.S.? I believe it's (currently) only automatically enabled if it thinks you're in the U.S.
Yes, I'm in the U.S.
 

Makaveli

Very Senior Member
If I turn DoH on then network.trr.mode gets set to 2. With it off, the value is 0. The network.trr.max-fails value does not change. It stays 5. Don't need to go into about:config to change it. Just go to Options -> General -> Network Settings button and look for the checkbox at the bottom. Screenshot: https://i.imgur.com/CA35fAr.png

Interesting. I turned it on and Imgur would not load.
Thanks, that is turned off by default for me.
 

RMerlin

Asuswrt-Merlin dev
My FF installation has never shown the DNS over HTTPS setting checked to on. Are you saying that even though it's not checked, it STILL is on under the hood?
I don't know the details, you'd have to ask the Firefox devs.
 

DonnyJohnny

Very Senior Member
I just upgraded to 70

And I see this



Now is it 5 to disable or 3 to disable?
It is better to set it as 5. By your choice and not default by browser.

network.trr.mode
set which resolver mode you want.

0 - Off (default). Use standard native resolving only (don't use TRR at all)

1 - Race (removed)

2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.

3 - Only. Only use TRR. Never use the native (after the initial setup).

4 - Shadow. (removed)

5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
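
As an added example (not code from this thread or from Firefox), here is one way an administrator could check which network.trr.mode a profile ends up with. It assumes the profile's prefs.js and user.js contain `user_pref("name", value);` lines and that user.js entries override prefs.js; the function names and sample file contents are made up for illustration.

```python
import re

# network.trr.mode values as listed in the post above: (label, DoH in use?)
# None = value marked "removed" in that list, so its effect is not asserted here.
TRR_MODES = {
    0: ("off (default)", False),
    1: ("race (removed)", None),
    2: ("first: TRR, native resolver as fallback", True),
    3: ("only: TRR, no native fallback", True),
    4: ("shadow (removed)", None),
    5: ("off by choice", False),
}

# Matches lines such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Return {pref_name: raw_value} for each user_pref() line; // comments are skipped."""
    return dict(PREF_RE.findall(text))


def audit_trr(prefs_js, user_js=""):
    """Return (mode, label, doh_in_use) for one profile's prefs.js and user.js text."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))  # user.js entries override prefs.js at startup
    raw = merged.get("network.trr.mode")
    if raw is None:
        return (None, "not set in profile, browser default applies", None)
    try:
        mode = int(raw)
    except ValueError:
        return (None, "non-integer value: " + raw, None)
    label, in_use = TRR_MODES.get(mode, ("unknown value", None))
    return (mode, label, in_use)


# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
// user_pref("network.trr.mode", 3);
'''
SAMPLE_USER_JS = 'user_pref("network.trr.mode", 5);\n'

if __name__ == "__main__":
    print(audit_trr(SAMPLE_PREFS_JS))
    print(audit_trr(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```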
 

bits

Regular Contributor
3) DoH would just go away and die

Technologies like DoH are just poorly engineered workarounds, and their supporters fail to point out the side-effects caused by their implementation of the technology.
DoH is currently supported and preferred by Chrome, Firefox and Curl. That is support from basically everybody that matters for nearly all platforms. The only notable exception is Apple, but they often lag with new standards.
DoH is going nowhere anytime soon. I expect the shift to DoH for most https users in the world to be rapid and complete within 12 months.
 

RMerlin

Asuswrt-Merlin dev
DoH is currently supported and preferred by Chrome, Firefox and Curl. That is support from basically everybody that matters for nearly all platforms. The only notable exception is Apple, but they often lag with new standards.
DoH is going nowhere anytime soon. I expect the shift to DoH for most https users in the world to be rapid and complete within 12 months.
That still doesn't validate it as being a good design, or a good idea. Maybe once people start getting burned by it they will come back to their senses, and leave name resolution duties in the hands of the system resolver.

And at least Chrome devs had enough common sense to realize that it should only be automatically implemented as an upgrade, not enforced by switching to a completely different resolver than what the system is configured to use.
 

Skruf

Occasional Visitor
Hey,

It's not just the browsers... Mozilla's Thunderbird has the same setting/option...

Tools... Options... Advanced... Network & Disk Space tab... Settings button for Connection.

Fun video to watch:


Best.
 

Mutzli

Very Senior Member
ArsTechnica ran an interesting story this morning about Mozilla and Firefox's DoH implementation. It looks like DoH is here to stay and will be default in future releases, but it will also allow for manual override to DoT and detection of parental control filters etc.
https://arstechnica.com/tech-policy...ad-confusion-about-encrypted-dns-mozilla-says
With the above changes coming do any of you use a proxy firewall like IPFire to manage internet traffic instead of the router based solution?
 

RMerlin

Asuswrt-Merlin dev
ArsTechnica ran an interesting story this morning about Mozilla and Firefox's DoH implementation. It looks like DoH is here to stay and will be default in future releases, but it will also allow for manual override to DoT and detection of parental control filters etc.
https://arstechnica.com/tech-policy...ad-confusion-about-encrypted-dns-mozilla-says
The problem is, how do you explain a technical problem to a bunch of politicians who barely know how to read their emails? The issues behind Firefox's plans for DoH are highly technical. I doubt a politician would be able to understand that "it will break CDNs performance in some scenarios". So, the lobbyists tried to dumb it down, adding a layer of half-truths in the mix to "scare them good".

To be honest, DoH is NOT a political issue. The ISPs tried to make it one (for personal reasons, mind you, not for the greater good of their customers), and are failing at it.
 

Makaveli

Very Senior Member

RMerlin

Asuswrt-Merlin dev

dave14305

Part of the Furniture
WTF is wrong with these people... DNS over TLS is what should be implemented at a resolver level. DoH is an application level hack.

Sounds like just another "me too" decision.
I don't see how all the Enterprise customers will stand for the potential loss of DNS control within corporate networks. They have strong-armed Microsoft to keep supporting old OSes for years beyond belief. Hopefully they'll have the same clout to ensure it doesn't become more of a free-for-all than DoH already is.

The article does say that DoT is still "on the table" for Microsoft, which is promising (once they get spanked by their largest customers).
 

ColinTaylor

Part of the Furniture
Sounds like just another "me too" decision.
"me too" has been Microsoft's strategy in every aspect of their business for many years now IMHO. Every time they've tried to "lead" they've shot themselves in the foot. So now they just copy their competitors hoping for a slice of that pie.

I don't see how all the Enterprise customers will stand for the potential loss of DNS control within corporate networks.
They won't. And to be fair I think it more or less says so in that article: "We believe device administrators have the right to control where their DNS traffic goes." In a business/enterprise scenario the "administrator" is the IT department and the end user doesn't have the ability to change their DNS settings.
 

RMerlin

Asuswrt-Merlin dev
I don't see how all the Enterprise customers will stand for the potential loss of DNS control within corporate networks. They have strong-armed Microsoft to keep supporting old OSes for years beyond belief. Hopefully they'll have the same clout to ensure it doesn't become more of a free-for-all than DoH already is.
Pretty sure a Group Policy will give network admin control over that feature.
 

nlurker

Regular Contributor
Is it likely/possible that Roku and other devices will implement DOH, making it impossible for me to block ads on them?
 

tiko

Occasional Visitor
I tried the first post config on an AC87U and it does not work.

I activated the option (Prevent Firefox DoH in WAN Setting) on an AC68U and it does work, but as AC87U has not reached the 384.14 it does not have that option.

Does anyone have an idea how to get it to work? Basically we are trying to prevent employees from accessing NSFW content at the office to avoid a future lawsuit, and they are now using this option (small office of 6 people only).
 
