DNS over HTTPS is a new protocol that is getting a lot of traction lately. Firefox recently added support for it in its Nightly version, and in this article we will go through the steps to get it configured.
DNS over HTTPS (DoH) is not enabled by default, so you have to type about:config in your address bar to open the settings page. In there, you have to modify 2 settings related to the Trusted Recursive Resolver (aka network.trr):
- network.trr.mode (where you specify if and how DoH should be used).
- network.trr.uri (where you specify the secure resolver you want to use).
The first one (network.trr.mode) controls how DoH should be used. By default it is set to 0, meaning it is disabled. You can change it to 2 to enable it. The possible values for trr.mode are:
- 0 — Off (default). Uses the operating system resolver only.
- 1 — Race. Runs the native resolver and TRR in parallel and goes with whichever returns a result first. Most likely the native one will win.
- 2 — First. Uses TRR first, and only if the secure resolution fails falls back to the operating system resolver.
- 3 — Only. Uses TRR exclusively. Never uses the native resolver (after the initial setup).
- 4 — Shadow. Runs the TRR resolves in parallel with the native ones for timing and measurements, but uses only the native resolver results.
- 5 — Off by choice. This is the same as 0, but marks it as disabled by choice rather than by default.
I recommend setting trr.mode to 2 so it falls back to the default resolver in case DoH fails. For the most paranoid, you can set it to 3, but you may end up offline if your DNS over HTTPS server goes down.
As for the network.trr.uri, you have to specify the provider to use. There are 4 publicly announced DoH servers:
- https://mozilla.cloudflare-dns.com/dns-query (unfiltered by CloudFlare)
- https://dns.google.com/experimental (unfiltered by Google — the most stable and running for longer)
- https://doh.cleanbrowsing.org/doh/family-filter/ (filtered by CleanBrowsing, blocks adult content)
- https://doh.cleanbrowsing.org/doh/secure-filter/ (filtered, blocks malicious domains only)
So if I am enforcing Google's DNS over HTTPS, this is how your about:config will look (mode set to 3 and network.trr.uri set to the Google URL):
For CleanBrowsing, in case you want to filter adult content, this is how it will look:
Behind the scenes, DNS over HTTPS is quite interesting. I set up a proxy to look at the traffic, and this is what a request looks like in GET mode (instead of HTTP POST):
GET https://dns.google.com/experimental?ct&dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAACAAE HTTP/2.0
The DNS query is carried in the dns parameter: a base64 value that decodes to the A record request for example.com. I noticed that Firefox is doing multiple A requests for example.com, even when I am not visiting that site. I assume that's done to test whether DNS over HTTPS is working.
The user agent provided to the server is just the browser's standard one. In my case: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:61.0) Gecko/20100101 Firefox/61.0.
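To make the GET form concrete, here is an added example (not code from the original post, nor from the Perl and PHP tools mentioned later) that builds the wire-format A query for example.com, base64url-encodes it into the dns parameter as RFC 8484 specifies, and decodes such a value back into the question it carries. The resolver URL and the ct parameter are copied from the captured request above; the query names are constructed.

```python
import base64
import struct

# DoH GET form (RFC 8484): the DNS wire-format query goes in the "dns"
# parameter, base64url-encoded with the '=' padding stripped.

def build_query(name, qtype=1, qid=0):
    """Wire-format DNS query for `name` (qtype 1 = A), RD bit set.
    ID 0 is what RFC 8484 recommends so the URL stays cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def encode_dns_param(query):
    """base64url without padding, as required for the dns= parameter."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def doh_get_url(resolver, name):
    """Assemble the GET URL in the shape Firefox sent to the resolver."""
    return f"{resolver}?ct&dns={encode_dns_param(build_query(name))}"

def decode_dns_param(dns_param):
    """Reverse direction: re-pad, decode and parse the single question."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    raw = base64.urlsafe_b64decode(padded)
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", raw[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:  # compression pointers never appear in a query name
            raise ValueError("unexpected label compression in question")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", raw[pos:pos + 4])
    return {"id": qid, "rd": bool(flags & 0x0100), "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    url = doh_get_url("https://dns.google.com/experimental", "example.com")
    print(url)
    print(decode_dns_param(url.split("dns=")[1]))
```

Because the whole question sits in the URL, anything that logs request lines (the resolver, a proxy, a CDN) records exactly what was looked up, which is the logging concern discussed below.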
That means a few things:
- If you are using the GET mode, the full query is part of the URL, so all your requests will end up in the DNS server's web logs. Don't use it unless really necessary.
- You have to trust your DNS over HTTPS provider (duh). But it is something to think about: with just a few providers supporting it, we are centralizing DNS in the hands of a few companies that can see everything you are doing. Google does no evil, and both CloudFlare and CleanBrowsing say they do not log the requests. But we still have to be careful.
If you need to debug and test DNS over HTTPS (or the Firefox modes are not working), I recommend trying these 2 tools:
The first one is in Perl and can be useful to decode the base64 requests; the other is in PHP and can be used to troubleshoot the connections and test DoH for any domain.
And that's about it. Are you using DNS over HTTPS? What's your experience so far?