How to DoH-only with Firefox
Firefox supports DNS-over-HTTPS (aka DoH) since version 62.
You can instruct your Firefox to only use DoH and never fall-back and try the native resolver; the mode we call trr-only. Without any other ability to resolve host names, this is a little tricky so this guide is here to help you. (This situation might improve in the future.)
In trr-only mode, nobody on your local network nor on your ISP can snoop on your name resolves. The SNI part of HTTPS connections are still clear text though, so eavesdroppers on path can still figure out which hosts you connect to.
A primary problem for trr-only is that we usually want to use a host name in the URI for the DoH server (we typically need it to be a name so that we can verify the server's certificate against it), but we can't resolve that host name until DoH is setup to work. A catch-22.
There are currently two ways around this problem:
- Tell Firefox the IP address of the name that you use in the URI. We call it the "bootstrapAddress". See further below.
- Use a DoH server that is provided on an IP-number URI. This is rather unusual. There's for example one at 126.96.36.199.
There are three prefs to focus on (they're all explained elsewhere):
network.trr.mode - set this to the number 3.
network.trr.uri - set this to the URI of the DoH server you want to use. This should be a server you trust and want to hand over your name resolves to. The Cloudflare one we've previously used in DoH tests with Firefox is https://mozilla.cloudflare-dns.com/dns-query.
network.trr.bootstrapAddress- when you use a host name in the URI for the network.trr.uri pref you must set this pref to an IP address that host name resolves to for you. It is important that you pick an IP address that the name you use actually would resolve to.
Let's pretend you want to go full trr-only and use a DoH server at https://example.com/dns. (it's a pretend URI, it doesn't work).
Figure out the bootstrapAddress with dig. Resolve the host name from the URI:
$ dig +short example.com 188.8.131.52
or if you prefer to be classy and use the IPv6 address (only do this if IPv6 is actually working for you)
$ dig -t AAAA +short example.com 2606:2800:220:1:248:1893:25c8:1946
dig might give you a whole list of addresses back, and then you can pick any one of them in the list. Only pick one address though.
Go to "about:config" and paste the copied IP address into the value field for network.trr.bootstrapAddress. Now TRR / DoH should be able to get going. When you can see web pages, you know it works!
If you happen to start Firefox behind a captive portal while in trr-only mode, the connections to the DoH server will fail and no name resolves can be performed.
In those situations, normally Firefox's captive portable detector would trigger and show you the login page etc, but when no names can be resolved and the captive portal can't respond with a fake response to the name lookup and redirect you to the login, it won't get anywhere. It gets stuck. And currently, there's no good visual indication anywhere that this is what happens.
You simply can't get out of a captive portal with trr-only. You probably then temporarily switch mode, login to the portal and switch the mode to 3 again.
If you "unlock" the captive portal with another browser/system, Firefox's regular retries while in trr-only will soon detect that and things should start working again.
- Serving Random Payloads with Apache mod_rewrite – Posts By SpecterOps Team Members
- Adobe Flash: Bypassing the local sandbox to exfiltrate data, obtain Windows user credentials (CVE-2016-4271)
- Exploiting XXE Vulnerabilities in IIS/.NET
- Cross-Site Phishing
- Automating Apache mod_rewrite and Cobalt Strike Malleable C2 Profiles