DNS over HTTPS
Why/User Benefit/User Problem
As a user I want to protect myself while browsing the web from man-in-the-middle attacks and make sure attackers cannot trick users into visiting a fake website by manipulating DNS responses for domains that are outside their control.
What/Requirements:
- Secure DNS: to ensure your DNS queries remain private, you should use a resolver that supports a secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).
- DNSSEC: DNSSEC allows a user, application, or recursive resolver to trust that the answer to their DNS query is what the domain owner intends it to be.
- TLS 1.3: supported in Firefox Fenix 👍
- Encrypted SNI: Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser's requested hostname from anyone listening on the Internet.
Acceptance Criteria (how do I know when I’m done?)
DNS-over-HTTPS option in the settings or in about:config like the Fennec browser. You can test your browser here: https://www.cloudflare.com/ssl/encrypted-sni/
Why not use DoT instead? It is less complex and has less overhead.
In Firefox Android, we do have support for DoH, but there is no UI to easily configure DoH settings like Firefox Quantum; we have to configure it from about:config settings, which makes things harder for novice FF users. Although from Android 9 Pie we have support for DoT, using DoH has its own pros, like our DNS traffic being hidden inside HTTPS traffic.
@vesta0, do we have plans for implementing a UI for DoH configuration?
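To make concrete what "DNS traffic hidden inside HTTPS traffic" means, here is an added Python example (not code from Fenix, Mozilla or any commenter): the DoH payload is the ordinary RFC 1035 wire-format DNS message, and RFC 8484 only changes the transport, either base64url in a `dns=` GET parameter or a POST body of type `application/dns-message`, so an on-path observer sees nothing but HTTPS. The resolver URL `https://dns.example/dns-query` and the `192.0.2.1` answer in the constructed response are placeholders, and the parser checks that the reply's transaction ID matches before trusting it.

```python
import base64, struct

def build_query(name, txid=0, qtype=1):
    """Encode a DNS query (RFC 1035 wire format): header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_uri, wire):
    """RFC 8484 GET form: base64url, padding stripped, in the dns= parameter."""
    return resolver_uri + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg, expected_id):
    """Return [(name, ipv4, ttl)] from a response, rejecting mismatched IDs."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id or not flags & 0x8000:  # QR bit must be set
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return answers

# Constructed sample: response to build_query("www.example.com") with one A record;
# 192.0.2.1 is a documentation address (placeholder), not a real lookup result.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The GET URL produced for `www.example.com` is the worked example from RFC 8484 section 4.1.1; in a real client the same bytes would be sent over an authenticated TLS connection to the resolver, which is what stops the on-path tampering the original request describes.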
@finn0 yes this is something we will be looking into later this year!
ESNI works well in latest Firefox Beta 75.0.0-beta.6
I would like the opposite (ability to turn off the DoT or DoH) as I pihole everything via VPN and my own VPS and I definitely do not trust cloudflare or whoever with my DNS data.
As of 79.0.0 (Build #2015753875) even the ability to turn on this feature without GUI is no longer available since about:config is no longer accessible and essentially completely locked out of using this feature, which is very unfortunate :-(
Launching on Chrome in 85 https://blog.chromium.org/2020/09/a-safer-and-more-private-browsing.html
Hi all,
The settings are available in about:config, so is this just a UI thing or is there more to it? I have enabled it in about:config and according to about:networking#dns it's working.
Cheers 🙂
hsaito is correct; this functionality is not available in v80 as about:config is no longer available.
madb1lly: As I understand it, this bug is about the UI. https://github.com/mozilla-mobile/fenix/issues/14261 is not a duplicate; it is a regression - please reopen it.
I'm a bit surprised why they've decided to disable about:config; it's a very powerful feature that makes Firefox very flexible. Some of the other tuning, including enterprise trust, etc., is currently only accessible through about:config. If it's not feasible to bring back about:config for any reason, I would at least want to see prefs.js somewhere that users can edit.
Yeah, I also couldn't understand why they decided to disable about:config, what an awful decision!
You can still use about:config on the Nightly channel.
Or beta, if you prefer less possible breakage. :smile:
Hmm... How about stable release? Will about:config still exist?
see also https://bugzilla.mozilla.org/show_bug.cgi?id=1664878
cool
If you roll this out, please make it an optional opt-in and not an opt-out feature! I'm more concerned about privacy when using DoH with Cloudflare or Google than when using my provider's regular DNS (Germany has stricter rules about privacy than Cloudflare or Google could offer).
@lordgurke Mozilla made it opt-out for US and opt-in for everybody else. US ISPs are really bad with privacy. It's looking into adding more DoH providers. Currently nextdns is an option on desktop. https://wiki.mozilla.org/Security/DOH-resolver-policy
There must be a UI option to configure secure DNS or the DNS resolver like other Chromium browsers. The ESNI feature is removed from about:config in the latest Nightly... not sure why 😡😒
ESNI has been deprecated in favour of ECH: https://blog.cloudflare.com/encrypted-client-hello/
Thanks for the info... As per the article, the feature is still in testing and not ready to be deployed. It also says ESNI will be supported by Cloudflare till ECH is ready. So can you please enable the feature again till ECH is fully ready?

This issue is not the proper place for these discussions. https://bugzilla.mozilla.org/show_bug.cgi?id=1667743
+1 need this
Quoting etanot (2019-12-23 01:37:34 UTC, https://github.com/mozilla-mobile/fenix/issues/4584#issuecomment-568064713): "... have support for DoH, but there is no UI to easily configure DoH settings ..."
Quoting cadeyrn (2020-09-09 10:52:39 UTC, https://github.com/mozilla-mobile/fenix/issues/4584#ref-issue-696705690): "Add UI to turn on DNS over HTTPS support (TRR)"
A somewhat clumsy but working workaround: add the following to Bookmarks.
- Name: \..
- URL: about:config?filter=^(?:d(?:evice%5C.sensors|om%5C.(?:event%5C.c(?:lipboardevents|ontextmenu)|select_events))%5C.enabled|font%5C.size%5C.systemFontScale|general%5C.useragent%5C.override|intl%5C.accept_languages|javascript%5C.enabled|network%5C.(?:http%5C.referer%5C.spoofSource|cookie%5C.cookieBehavior|trr%5C.(?:mode|uri))|security%5C.(?:ssl%5C.disable_session_identifiers|tls%5C.version%5C.enable-deprecated)|webgl%5C.disabled)%24
Related:
- https://github.com/mozilla-mobile/fenix/issues/16287
- https://regex101.com/?regex=^(?:d(?:evice%5C.sensors|om%5C.(?:event%5C.c(?:lipboardevents|ontextmenu)|select_events))%5C.enabled|font%5C.size%5C.systemFontScale|general%5C.useragent%5C.override|intl%5C.accept_languages|javascript%5C.enabled|network%5C.(?:http%5C.referer%5C.spoofSource|cookie%5C.cookieBehavior|trr%5C.(?:mode|uri))|security%5C.(?:ssl%5C.disable_session_identifiers|tls%5C.version%5C.enable-deprecated)|webgl%5C.disabled)%24&flags=i
This is there in all Chromium browsers (Vivaldi, Brave, Kiwi, etc.) and should be added in Firefox!
A few notes on the subject. At the moment, https://www.cloudflare.com/ssl/encrypted-sni/ seems to only support ESNI but not ECH. https://crypto.cloudflare.com/cdn-cgi/trace seems to be one of the very few (if not the only) sites that support ECH.
Additional info:
- ECH / ESNI related (Firefox inclined) (in French): https://lafibre.info/cryptographie/encrypted-sni/24 (Google Translate: https://translate.google.com/translate?hl=en&sl=fr&tl=en&u=https://lafibre.info/cryptographie/encrypted-sni/24)
- [Question] Is such DoH (DNS over HTTPS) implementation a brilliant folly? https://github.com/curl/curl/issues/9160 (Note: similar behavior also in Chrome, Firefox, etc.)
It seems DoH and DoT are getting more important since some "countries" are now tampering with DNS results deliberately. This is in addition to the privacy concerns already mentioned in this issue.
Using DoH with Firefox desktop is straightforward, but for Android this option is not available. The about:config page is blocked and there's no way to enable DoH for Android below 9 system-wide.
Chrome already has the DoH option accessible. But I want to stick to Firefox for nostalgic reasons.
Also, enabling DoH system-wide has its own disadvantages.
I agree with the people that say this is not a feature request any more. It's getting more like a regression.
Just like HTTPS Everywhere was implemented and is important, DoH and DoT should be considered the same in matters of security and privacy.
I suppose Firefox without Nightly is unusable.
And I'd suggest doing more research before making rash conclusions.
The about:config page is blocked
You could switch to Fennec from F-Droid: it's compiled from the Firefox stable release and enables about:config. It also enables custom extension collections (so you can install any extension you want) and disables some Mozilla telemetry.
https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/
This bug is tracked in Bugzilla here: https://bugzilla.mozilla.org/show_bug.cgi?id=1664878
DoH is not enabled by default in Firefox on Android yet due to performance issues.