
Trusted Recursive Resolver

1,755 bytes added, 07:11, 1 May 2018
create Trusted Recursive Resolver
Firefox provides an optional resolver mechanism using a dedicated DNS-over-HTTPS server.

DNS-over-HTTPS (DOH) allows DNS resolution with enhanced privacy, secure
transport and improved performance.

== Setting DNS-over-HTTPS in Firefox ==

* Set `network.trr.mode` to 2 to make DNS over HTTPS the browser's first choice but use regular DNS as a fallback (1 lets Firefox pick whichever is faster, 3 is TRR-only mode, and 0 disables it).
* Set `network.trr.uri` to the DOH server's URL. Servers you may use: https://cloudflare-dns.com/dns-query or https://dns.google.com/experimental

TRR is preffed OFF by default, and you need to set the URI of an available DOH
server to be able to use it. Since the DOH URI itself contains a host name,
Firefox may have to use the native resolver to bootstrap it. (Optionally, the
user can set the IP address of the DOH server in a pref to avoid the
initial native resolve.)

All prefs for TRR are under the "network.trr" hierarchy.
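A quick way to check what a profile actually configures is to read its user.js and interpret the `network.trr` prefs the way the text above describes. The script below is an added example, not code from this wiki or from Firefox: it parses `user_pref(...)` lines from a constructed user.js fragment, explains the mode value, and flags the combinations that make TRR ineffective or fragile (a mode other than 0 with no URI, a non-https URI, TRR-only mode with no fallback). The pref name `network.trr.bootstrapAddress` is not on this page; it is assumed here to be the pref that holds the DOH server's IP address.

```python
import re

# Constructed sample user.js fragment (not taken from a real profile).
SAMPLE_USER_JS = '''
// TRR prefs, constructed example
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://cloudflare-dns.com/dns-query");
user_pref("network.trr.bootstrapAddress", "1.1.1.1");
user_pref("browser.startup.homepage", "about:blank");
'''

# Matches both user_pref("name", value); (user.js) and pref("name", value); (defaults).
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$', re.MULTILINE)

# Meaning of network.trr.mode as described on this page.
MODE_MEANING = {
    0: "off (native resolver only)",
    1: "race: use whichever of DoH or native answers first",
    2: "DoH first, native resolver as fallback",
    3: "TRR only: DoH, no native fallback",
}


def parse_prefs(text):
    """Parse pref lines into a dict; strings, booleans and integers are typed."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def trr_prefs(prefs):
    """Everything under the network.trr hierarchy."""
    return {k: v for k, v in prefs.items() if k.startswith("network.trr.")}


def audit_trr(prefs):
    """Return (mode description, list of findings) for the profile's TRR setup."""
    trr = trr_prefs(prefs)
    mode = trr.get("network.trr.mode", 0)  # TRR is off unless the pref is set
    uri = trr.get("network.trr.uri", "")
    findings = []
    if mode not in MODE_MEANING:
        findings.append(f"unknown network.trr.mode value {mode!r}")
        return "unknown", findings
    if mode != 0 and not uri:
        findings.append("TRR mode enabled but network.trr.uri is empty: DoH cannot be used")
    if uri and not uri.startswith("https://"):
        findings.append("network.trr.uri is not an https:// URL")
    # Assumed pref name: holds the DoH server IP so the first lookup needs no native resolve.
    if mode != 0 and uri and "network.trr.bootstrapAddress" not in trr:
        findings.append("no bootstrap address: the DoH host name is resolved once natively")
    if mode == 3:
        findings.append("TRR-only: if the DoH server is unreachable, name resolution fails")
    return MODE_MEANING[mode], findings


if __name__ == "__main__":
    description, notes = audit_trr(parse_prefs(SAMPLE_USER_JS))
    print("network.trr.mode:", description)
    for note in notes:
        print(" -", note)
```

Run it against a real profile by replacing `SAMPLE_USER_JS` with the contents of that profile's user.js or prefs.js; the same regex handles both files.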

== Dynamic Blacklist ==

To keep the failure rate at a minimum, the TRR system manages a dynamic,
persistent blacklist of host names that can't be resolved with DOH but work
with the native resolver. Blacklisted entries will not be retried over DOH for
a couple of days. "localhost" and names in the ".local" TLD will never be
resolved via DOH.

When TRR starts up, it first verifies that it works by resolving a
"confirmation" domain name. This confirmation domain is a pref, by default set
to "example.com". By default TRR also waits for the captive-portal detection
to raise its green flag before becoming active.
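The two paragraphs above describe a decision procedure: for each host name, pick the native resolver or DOH depending on the mode, the confirmation state and the blacklist. The simulator below is an added example, not Firefox code or part of this wiki; it models that procedure so the interaction of the rules can be exercised. The blacklist duration is assumed to be 2 days (the page says only "a couple of days"), and the simulator treats TRR-only mode as ignoring the confirmation check and the blacklist, which is an assumption about the design rather than something the page states.

```python
import time

# "a couple of days" is not a precise value on the page; 2 days is an assumption.
BLACKLIST_TTL = 2 * 24 * 3600

# Names the page says are never resolved over DoH.
NEVER_DOH_HOST = "localhost"
NEVER_DOH_SUFFIXES = (".local",)


class TrrSimulator:
    """Toy model of which resolver path a host name takes under TRR."""

    def __init__(self, mode, confirmed=True, now=None):
        self.mode = mode                  # network.trr.mode: 0, 1, 2 or 3
        self.confirmed = confirmed        # did the confirmation domain resolve over DoH?
        self.blacklist = {}               # host -> time it was blacklisted
        self.now = now if now is not None else time.time  # injectable clock for tests

    def never_doh(self, host):
        """localhost and .local names stay on the native resolver in every mode."""
        host = host.lower().rstrip(".")
        return host == NEVER_DOH_HOST or host.endswith(NEVER_DOH_SUFFIXES)

    def _blacklisted(self, host):
        added = self.blacklist.get(host)
        if added is None:
            return False
        if self.now() - added >= BLACKLIST_TTL:
            del self.blacklist[host]      # expired: DoH is retried for this name
            return False
        return True

    def path_for(self, host):
        """Return 'native', 'race', 'doh-then-native' or 'doh'."""
        if self.mode == 0 or self.never_doh(host):
            return "native"
        if self.mode == 3:
            return "doh"                  # assumed: TRR-only never falls back
        if not self.confirmed:
            return "native"               # TRR not activated yet
        if self._blacklisted(host):
            return "native"               # DoH failed recently for this name
        return {1: "race", 2: "doh-then-native"}.get(self.mode, "native")

    def record_doh_failure(self, host, native_ok):
        """A DoH lookup failed; blacklist the name only if native resolution worked."""
        if native_ok and self.mode != 3:
            self.blacklist[host] = self.now()


if __name__ == "__main__":
    sim = TrrSimulator(mode=2)
    for name in ("example.org", "localhost", "printer.local"):
        print(f"{name:>14}: {sim.path_for(name)}")
    sim.record_doh_failure("intranet.corp", native_ok=True)   # constructed host name
    print(f"{'intranet.corp':>14}: {sim.path_for('intranet.corp')} (blacklisted)")
```

The injectable clock is what makes the expiry rule testable: advance it past `BLACKLIST_TTL` and a blacklisted name goes back to the DOH-first path.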

== See also ==

* Initial ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1434852
* The DNS-over-HTTPS spec: https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-02
