Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This once held TRR prefs. Now it has moved.

NOTE

This content has moved.

Please go to bagder/TRRprefs for the current incarnation of the docs, and please help us out polish and maintain this documentation!

@wellington1993

This comment has been minimized.

Copy link

commented Jun 4, 2018

Thanks!

@zsnmwy

This comment has been minimized.

Copy link

commented Jun 8, 2018

Thanks!
It's useful for me.

@mdavids

This comment has been minimized.

Copy link

commented Jun 22, 2018

Thanks.
I was wondering if the web developer tools or some other tool in FF have an option to follow the DoH queries. I would like to see the actual HTTP-request.

@hsmiranda

This comment has been minimized.

Copy link

commented Jun 29, 2018

thanks!

@cleanbrowsing

This comment has been minimized.

Copy link

commented Jul 13, 2018

Awesome! Would add that CleanBrowsing also has 3 public DoH endpoints:

Family filter (blocks adult content + proxies + enforces safe search + strict mode on youtube)
https://doh.cleanbrowsing.org/doh/family-filter/

Adult filter (blocks adult content)
https://doh.cleanbrowsing.org/doh/adult-filter/

Security filter (blocks malware and phishing):
https://doh.cleanbrowsing.org/doh/security-filter/

@iphorde

This comment has been minimized.

Copy link

commented Aug 6, 2018

Who thought this would be a good idea? Do you work for Cloudflare? Once upon a time this kinda thing was posted as an RFC. Now people just implement stupid ideas without first talking it over.

@rugk

This comment has been minimized.

Copy link

commented Aug 6, 2018

More servers are here: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

Also I am not sure whether this gist is still up-to-date, but:

The support for these are targeted for shipping in release Firefox 62.

So it won't be enabled in this version?

@enygren

This comment has been minimized.

Copy link

commented Aug 6, 2018

Why is network.trr.early-AAAA set to false by default? How does this relate to the rest of the Happy Eyeballs implementation? The best practice is / should be to try and use IPv6 from AAAA responses unless IPv4 is measured to be significantly better. Using a faster DNS response for A records is a poor reason to select using IPv4. See RFC8305 for current best-practices.

@uBlock-user

This comment has been minimized.

Copy link

commented Aug 7, 2018

Google DNS doesn't work in TRR mode 3, domains don't get resolved at all, Firefox says Server not found. Why ?

@phonphen

This comment has been minimized.

Copy link

commented Aug 10, 2018

@uBlock-user

go to https://dns.google.com/query?name=dns.google.com&type=A&dnssec=true

resolve ip address for dns.google.com
for example 74.125.68.101

then insert in about:config network.trr.bootstrapAddress

then TRR mode 3 should work for google DNS

@uBlock-user

This comment has been minimized.

Copy link

commented Aug 28, 2018

@phonphen I inserted 8.8.8.8 and it still doesn't work, probably an issue with Firefox itself.

@hong620

This comment has been minimized.

Copy link

commented Sep 6, 2018

I'm little confuse on Cloudflare's URI

https://mozilla.cloudflare-dns.com/dns-query
dump me to
104.16.112.25 US

and
https://cloudflare-dns.com/dns-query
that description in mozilla's wiki https://wiki.mozilla.org/Trusted_Recursive_Resolver
is dump me to closer regional properly.
1.1.1.1 AUS

i dunno much on tech aside but tested both with Force mode(3) and seems alright on both.
so i've choose closer regional one.
during FF60~61 period is quite broken and not worked well. now seems works fine with FF62 i guess.

@tscpd

This comment has been minimized.

Copy link

commented Sep 6, 2018

I'm little confuse on Cloudflare's URI

To use Mozilla's TRR you have to use https://mozilla.cloudflare-dns.com/dns-query - this activates Mozilla's strong privacy agreement on servers operated by cloudflare. Those are located all over the world. You dont have to think about "closer regional"!

and https://cloudflare-dns.com/dns-querythat description in mozilla's wiki https://wiki.mozilla.org/Trusted_Recursive_Resolver

I guess that should indeed be changed in mozilla's wiki!

@hong620

This comment has been minimized.

Copy link

commented Sep 9, 2018

@tscpd

Yeah, 1.1.1.1 or 104.16.112.25 or whichever already Cloudflare's DNS is fastest and less latenrcy then other DNS for most of users living in asia-pacific regions so which ever pick doesn't affect much.

but one thing i'm really confused is when bootstrapAddress setted in major address they anounced as '1.1.1.1', then that Mozilla base uri(not the 1.1.1.1 one) could be discordant beside those two values, and this could be a make a 'issue depends on user's regional so make hard to tracking causes'

theoretically this is should be describe clearly by Mozilla themself..
anyone got a contacts or know persons in that part?

bugzilla couldn't be good for asking this..

@tscpd

This comment has been minimized.

Copy link

commented Sep 14, 2018

but one thing i'm really confused is when bootstrapAddress setted

In the most cases the value bootstrapAddress can be empty! Its initially resolving https://mozilla.cloudflare-dns.com/dns-query to a IP. You can set any valid DNS e.g. 8.8.8.8 or 1.1.1.1

@hong620

This comment has been minimized.

Copy link

commented Sep 14, 2018

but one thing i'm really confused is when bootstrapAddress setted

In the most cases the value bootstrapAddress can be empty! Its initially resolving https://mozilla.cloudflare-dns.com/dns-query to a IP. You can set any valid DNS e.g. 8.8.8.8 or 1.1.1.1

so.. that means trr.uri is always priority to check resolver by web browser(ff in this case) so bootstrapAddress isn't important to put value on there right?

@nanake

This comment has been minimized.

Copy link

commented Sep 21, 2018

@phonphen I inserted 8.8.8.8 and it still doesn't work, probably an issue with Firefox itself.

You have to make sure that dns.google.com resolve to 8.8.8.8.

dns.google.com NEVER resolve to 8.8.8.8 for me but 172.217.31.110. that's why you can't use 8.8.8.8 as bootstrapAddress.

@nanake

This comment has been minimized.

Copy link

commented Sep 21, 2018

but one thing i'm really confused is when bootstrapAddress setted

In the most cases the value bootstrapAddress can be empty! Its initially resolving https://mozilla.cloudflare-dns.com/dns-query to a IP. You can set any valid DNS e.g. 8.8.8.8 or 1.1.1.1

[...] so bootstrapAddress isn't important to put value on there right?

it is, i'm afraid. if you choose TRR mode 3.

@hong620

This comment has been minimized.

Copy link

commented Sep 22, 2018

but usually TRR mode 2 recommanded for common users. 🤔
so anyway leave it(bootstrapAddress) empty for now.. is best?

some of dns packet detect & manipulate nation's users need to proper test on these settings if there's further change on values.
as i've confirm, Android Firefox is flush those values on every application updates..
so highly suggest this website for test dnsleak after every trr settings apply.

https://dnsleaktest.com/

@tscpd

This comment has been minimized.

Copy link

commented Oct 3, 2018

but usually TRR mode 2 recommanded for common users. thinking

yes

so anyway leave it(bootstrapAddress) empty for now.. is best?

Leave empty will use the system native resolver. Should work "best" in the most cases: It will most likely be the ISP of your current connection.

@mjuarezm

This comment has been minimized.

Copy link

commented Oct 30, 2018

It seems trr prefs don't work when FF is driven by selenium, anybody experienced the same issue?

I use this script below but they don't even work when I set them manually:

from selenium import webdriver

#resolver_url = 'https://mozilla.cloudflare-dns.com/dns-query'
resolver_url = 'https://dns.google.com/experimental'

fp = webdriver.FirefoxProfile()
fp.DEFAULT_PREFERENCES['frozen']["network.trr.mode"] = 2
fp.DEFAULT_PREFERENCES['frozen']["network.trr.uri"] = resolver_url

driver = webdriver.Firefox(firefox_profile=fp)
driver.get('http://facebook.com')
driver.quit()

The screenshot below is an example: same FF version, same trr prefs in about:config, but the one on the left is driven by selenium and it uses the system's DNS server instead of Google's:

screenshot_2018-10-30_14-02-13

@fgont

This comment has been minimized.

Copy link

commented Nov 13, 2018

Question:

Could you confirm what "network.trr.max-fails" is about? I assume that it's the maximum number of retransmissions after giving up resolution for the current domain name -- the timeout for each query being network.trr.request-timeout millisec.

So essentially resolution of a name will fail after
Fail=network.trr.request-timeout * network.trr.max-fails

?

@mdavids

This comment has been minimized.

Copy link

commented Nov 14, 2018

Good stuff, thanks. What about the 'network.trr.disable-ECS' option?

@Atavic

This comment has been minimized.

Copy link

commented Nov 18, 2018

network.trr.disable-ECS If set, TRR asks the resolver to disable ECS (EDNS Client Subnet). Some resolvers will use ECS to the upstream if this request is not passed on to them.

https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
https://bugzilla.mozilla.org/show_bug.cgi?id=1466462

@tristanmorgan

This comment has been minimized.

Copy link

commented Dec 6, 2018

Another one to add to the list of possible resolvers (network.trr.uri) is Quad9's DoH service.
https://dns9.quad9.net/dns-query
or for no malicious blocking...
https://dns10.quad9.net/dns-query

with the boostrap IPs of 9.9.9.9

@ValZapod

This comment has been minimized.

Copy link

commented Dec 26, 2018

If you leave network.trr.bootstrapAddressLeave empty it will use the system native resolver for first resolution of DoH domain, but after this dns queary expires, it doesn't update again and you have it not working...

@uBlock-user

This comment has been minimized.

Copy link

commented Mar 17, 2019

that's why you can't use 8.8.8.8 as bootstrapAddress.

So how come I can use 1.1.1.1 even though cloudflare-dns.com never resolves to 1.1.1.1 ?

@nextgenthemes

This comment has been minimized.

Copy link

commented Jul 7, 2019

I tried 2 servers and I did not get trr.mode 3 (forced) to work with any of them other then cloudflair. I used 1.1.1.1 on bootstrap am I supposed to use another server? Should any normal DNS server work there? I tried another regular IPv4 DNS server in there but it does not work either.

Firefox 67.0.4 (64-Bit) on Tumbleweed.

// actually https://dns10.quad9.net/dns-query works with 9.9.9.9 bootstrap as well as mentioned above so every resolver url has to have its own specific bootstrap DNS server for forced mode?

From this list https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers Foundation for Applied Privacy sounds really nice but what use is it if I can not use it in forced mode? They say on their instructions how to set the URL and say you have to set bootstrap but do not bother to tell you to what exactly? I do not get it, tried their IPv4 they list below for DNS-over-TLS (DoT) not sure if this relates, at first I thought it works but I guess it was just because of cache, it actually does not work.

@ewanm89

This comment has been minimized.

Copy link

commented Jul 8, 2019

@iphorde Yeah, cause RFC for it doesn't exist, it totally isn't rfc8484, oh wait.

@iphorde

This comment has been minimized.

Copy link

commented Jul 8, 2019

The RFC was written after I posted my comment. You should look at the dates. October 2018. I posted on Aug 5, 2018. This is still a terrible idea.

@NatoBoram

This comment has been minimized.

Copy link

commented Jul 8, 2019

What about network.trr.wait-for-A-and-AAAA? It seems to be true by default, but it looks like it would do the same thing as network.trr.early-AAAA. What does it do?

@bagder

This comment has been minimized.

Copy link
Owner Author

commented Jul 10, 2019

I created this gist while working for Mozilla on the TRR implementation. It has not been maintained and I do not work for Mozilla anymore - since late 2018. For up-to-date Firefox DoH documentation, I hope that Mozilla has a better reference than this by now!

@bagder

This comment has been minimized.

Copy link
Owner Author

commented Jul 10, 2019

@iphorde: the RFC was work in progess within the IETF when we wrote this code and several others did the same. That's how protocol standards are typically made.

@uBlock-user

This comment has been minimized.

Copy link

commented Jul 12, 2019

Update Google's server please-- https://dns.google/dns-query

@ZackBoe

This comment has been minimized.

Copy link

commented Jul 13, 2019

If it helps anyone that winds up at this gist, you can exclude / bypass domains from being resolved with DoH using network.trr.excluded-domains

@bagder

This comment has been minimized.

Copy link
Owner Author

commented Jul 14, 2019

I've transitioned this gist into a separate github repository, and I will accept pull requests to update and fix the documentaton.

@uBlock-user

This comment has been minimized.

Copy link

commented Jul 14, 2019

Open a PR for the google DOH server address change.

@bagder

This comment has been minimized.

Copy link
Owner Author

commented Jul 14, 2019

I've now cut down this gist to force everyone over to the repo instead to keep the docs at a single place. I also added two missing prefs and moved over some blurb from my blog post.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.