Security/DNS Over HTTPS/Heuristics
Firefox runs several heuristics on each network to determine whether it's OK to enable DoH on that network. Generally, the heuristics attempt to disable DoH in order to support parental controls and enterprise configurations.
High-level overview: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
DoHController.jsm is responsible for running them at startup and upon network changes, and taking action to disable or enable DoH based on the outcome.
Parental Controls Service
nsIParentalControlsService provides an interface to check whether parental controls are enabled on the user account on the OS. If so, we disable DoH.
- Parental Controls Service component
Forced SafeSearch (DNS-based Parental Controls)
As a way to detect DNS-based content filtering, we perform DNS lookups of filtered and unfiltered domains of popular content platforms. If any of the IPs returned for the filtered domains of a given platform are identical to any of the IPs returned for the unfiltered domains, we disable DoH. Currently, Google and YouTube are supported.
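The overlap check described above, as an added example that is not Firefox's own DoHController.jsm code: the resolver is injected so the logic runs offline against constructed answers. The hostnames and addresses are assumptions for illustration; the page names only the platforms (Google, YouTube), not the domains it queries.

```javascript
// Per-platform hostnames (assumed for this example; the page does not list them).
const SAFESEARCH_PLATFORMS = {
  google: {
    unfiltered: ["www.google.com"],
    filtered: ["forcesafesearch.google.com"],
  },
  youtube: {
    unfiltered: ["www.youtube.com"],
    filtered: ["restrict.youtube.com", "restrictmoderate.youtube.com"],
  },
};

// Collect every address the resolver returned for a list of hostnames.
// A failed lookup (undefined) contributes nothing rather than throwing.
function addressesFor(resolve, hostnames) {
  const addrs = new Set();
  for (const name of hostnames) {
    for (const ip of resolve(name) || []) addrs.add(ip);
  }
  return addrs;
}

// Returns the platforms whose filtered hostnames share at least one address
// with their unfiltered hostnames. A non-empty result means the network's
// resolver is forcing SafeSearch, so DoH should be disabled.
function detectForcedSafeSearch(resolve, platforms = SAFESEARCH_PLATFORMS) {
  const hits = [];
  for (const [name, { unfiltered, filtered }] of Object.entries(platforms)) {
    const unfilteredIps = addressesFor(resolve, unfiltered);
    const filteredIps = addressesFor(resolve, filtered);
    for (const ip of filteredIps) {
      if (unfilteredIps.has(ip)) { hits.push(name); break; }
    }
  }
  return hits;
}

// Constructed resolver answers (documentation-range addresses, not real ones).
const normalNetwork = {
  "www.google.com": ["192.0.2.10"],
  "forcesafesearch.google.com": ["192.0.2.20"],
  "www.youtube.com": ["192.0.2.30"],
  "restrict.youtube.com": ["192.0.2.40"],
  "restrictmoderate.youtube.com": ["192.0.2.41"],
};
// A filtering resolver answers the unfiltered name with the filtered address.
const filteringNetwork = { ...normalNetwork, "www.youtube.com": ["192.0.2.40"] };

const lookupIn = (table) => (name) => table[name];
function dohAllowedOn(table) {
  return detectForcedSafeSearch(lookupIn(table)).length === 0;
}
```

`dohAllowedOn(normalNetwork)` returns `true`, while `dohAllowedOn(filteringNetwork)` returns `false` because the YouTube check overlaps.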
Third-party Root Certificates
We look at all certificates in the certificate database and check whether any of them are not "built-in" (i.e. not part of Firefox's bundled root store). If such certificates are present, we disable DoH.
If enterprise policies are active, we disable DoH unless it is explicitly enabled by the DNSOverHTTPS policy.
If enterprise root support has been enabled by setting the pref `security.enterprise_roots.enabled` to true, we disable DoH.
ZScaler Canary Domain
ZScaler has not yet adopted the global canary, so it is handled by a separate canary lookup heuristic that operates on `sitereview.zscaler.com`.