1

Background & Configuration

I have enabled DNS-over-HTTPS (DoH) in Firefox, in order to hand a stream of sites I access over to Cloudflare and thence directly to government agencies in one convenient place. This is hidden away in Preferences, General tab, scroll down to the bottom right, Settings button, scroll down to the bottom again.

I noticed, on attempting to search for a term containing a dot, that DNS-over-HTTPS was not being used. My ISP, BT, were still hijacking plain old DNS to redirect to their site. This is surprising given the wording provided by Firefox that indicates to any reasonable person that this would be safe. Firefox UX sign-off could do with bucking their ideas up, IMO.

So, after googling I have gone into about:config and changed network.trr.mode to 3 in order that Firefox does not fail unsafe on DoH.

This doesn't work at all.

Further googling, I have switched off the BT "Smart Setup" on my ADSL router. The steps for my BT Home Hub:

  • Log in to the admin site 192.168.1.254.
  • Advanced Settings
  • Continue to Advanced Settings (!)
  • Home Network
  • "Smart Setup" (It seems "smart" is never smart.)
  • No
  • Apply

That seemed to work for a while, but then failed and kept failing.

It's an intermittent failure. Switching network.trr.mode back to 2 (fail open!) and then possibly loading something, allows setting network.trr.mode back to 3 for a while.

I suspected that Firefox may be doing all the lookups outside of DoH using just the poisoned DNS cache. However, sites I had not been to still worked.

Going to https://1.1.1.1/help during intermittent failures gives me:

 Connected to 1.1.1.1           No
 Using DNS over HTTPS (DoH)     No
 Using DNS over TLS (DoT)       No
 AS Name                        Checking...
 AS Number                      Checking...
 Cloudflare Data Center         LHR

When working that becomes:

 Connected to 1.1.1.1           Yes
 Using DNS over HTTPS (DoH)     Yes
 Using DNS over TLS (DoT)       No
 AS Name                        Cloudflare
 AS Number                      13335
 Cloudflare Data Center         LHR

Going to https://www.cloudflare.com/ssl/encrypted-sni/ I noticed that Encrypted SNI was not happening. As I understand it, SNI enabled a web server to provide the correct certificate for a site when a single IP address is mapped from multiple names. Unfortunately, by default, Firefox sends host names in plain text even when using DoH. Believable.

Yet more googling turns up setting network.security.esni.enabled to true in about:config to encrypt host names here. How this fails, I don't know.

I have also tried using a public access point (The Cloud), and the behaviour is much the same.

I have been using macOS Catalina. Seems to be the same on a Windows 10 cheap and very nasty laptop. Have tried flushing the Windows DNS cache with ipconfig /flushdns and also setting network.dnsCacheExpiration to 0. Neither makes it work when it is failing, nor makes it fail when it is working.

The question

What is causing fail-safe DoH to intermittently fail on Firefox, and how do I fix it?

I notice that the www.cloudflare.com name is in the DoH configuration. Is it failing to bootstrap in a sensible fashion? Does it expire the lookup after a while and not use DoH in time?

5
  • You mention the dns cache, but have you flushed it when you experience these failures? Obviously thinking that the machine may actually be resolving a bad address locally.
    – Yorik
    Commented Nov 12, 2019 at 19:17
  • @Yorik I haven't. So: What's the correct way of flushing the Firefox DNS cache? Going to History > Clear Recent History provides a number of options, none of which explicitly says DNS. Secondly, you mean flushing before switching instead of setting mode back to 2, rather than flushing to see if it fails when working (obviously, I can try both).
    Commented Nov 12, 2019 at 19:31
  • I mean that if it is cached, it may be using the cache and never reaching out to the world for information so you would not need to change any settings in your application. Probably not, but try it for "due diligence." This would be a Windows DNS cache. open a cmd window as administrator and ipconfig /flushdns ( docs.microsoft.com/en-us/windows-server/administration/… ) or power shell ( docs.microsoft.com/en-us/powershell/module/dnsclient/… )
    – Yorik
    Commented Nov 12, 2019 at 19:46
  • @Yorik I should have said, I am using macOS Catalina. Though I do have a cheap and nasty Windows machine at home to play with.
    Commented Nov 12, 2019 at 20:12
  • Right, sorry. Most if not all modern OSes cache DNS. The steps vary by version for macOS. Google "mac os flush dns cache".
    – Yorik
    Commented Nov 12, 2019 at 20:14

1 Answer

2

I have now had a look at the wiki.

It turns out that it is indeed the issue of bootstrapping the name used in the resolver HTTPS URL. An IP of a DNSSEC server needs to be in network.trr.bootstrapAddress, probably using the same server as for DNS-over-HTTPS. The wiki suggests looking up with https://dns.google/query?name=mozilla.cloudflare-dns.com, which can be checked with nslookup. For Cloudflare this gives the choice of 104.16.249.249 or 104.16.248.249. The initial ticket also suggests the alternative of using an IP address in the HTTPS URL (though I guess that means it would be using an IP address HTTPS certificate).

So beyond the preferences window, the configuration you need in about:config to make DNS-over-HTTPS work in Firefox appears to be:

 network.security.esni.enabled    true
 network.trr.mode                 3
 network.trr.bootstrapAddress     104.16.249.249

All I wanted was a ticky box.

Edit: It's difficult to reproduce, but I still see the intermittent problem. It occurs for one page then clears itself.
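To make the bootstrap problem described in the answer concrete, here is an added Python example (not Firefox's code and not from the answer's author). It does by hand what network.trr.bootstrapAddress lets Firefox do: the TCP connection goes to the fixed IP from the answer, while TLS verification, SNI and the Host header still use the resolver hostname from the DoH URL, so that hostname never has to be resolved through the system DNS the ISP was hijacking. The hostname mozilla.cloudflare-dns.com and the IP 104.16.249.249 come from the answer; the /dns-query path, the RFC 8484 message format and the sample response bytes used for the offline parser check are assumptions or constructed values, labelled as such in the code.

```python
import http.client
import socket
import ssl
import struct

RESOLVER_HOST = "mozilla.cloudflare-dns.com"  # hostname from the Firefox DoH URL
BOOTSTRAP_IP = "104.16.249.249"               # bootstrap address from the answer
DOH_PATH = "/dns-query"                       # RFC 8484 query path (assumed for Cloudflare)


def build_query(name, qtype=1, txid=0):
    """Encode an RFC 1035 query message: header, one question, RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section; raise on an error RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("resolver returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:             # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def doh_lookup(name, bootstrap_ip=BOOTSTRAP_IP, resolver_host=RESOLVER_HOST):
    """Resolve `name` over DoH. The TCP connection targets the bootstrap IP, while
    certificate validation, SNI and the Host header use the resolver hostname, so
    the system resolver is never consulted to find the DoH server."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((bootstrap_ip, 443), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=resolver_host)  # SNI + cert check
    conn = http.client.HTTPSConnection(resolver_host, 443, context=ctx)
    conn.sock = tls                               # hand over the pre-connected socket
    conn.request("POST", DOH_PATH, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError("DoH HTTP status %d" % resp.status)
    return parse_a_records(body)


def constructed_response():
    """Constructed sample response (not captured from a real resolver):
    NOERROR, one question for example.com, one A record 192.0.2.1, TTL 300."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print(parse_a_records(constructed_response()))  # offline check of the parser
    print(doh_lookup("example.com"))                # live query via the bootstrap IP
```

The offline part (build_query, parse_a_records and the constructed response) runs without a network; the live doh_lookup call shows the bootstrap trick itself and will fail visibly, rather than silently falling back to plain DNS, if the bootstrap IP or the TLS handshake is wrong, which is the fail-safe behaviour the question was after from network.trr.mode 3.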
