Trusted Recursive Resolver
Firefox provides an optional resolver mechanism using a dedicated DNS-over-HTTPS server.
DNS-over-HTTPS (DOH) allows DNS resolves with enhanced privacy, secure transfers and improved performance.
Setting DNS-over-HTTPS in Firefox
- Set `network.trr.mode` to 2 to make DNS Over HTTPS the browser's first choice but use regular DNS as a fallback (1 lets Firefox pick whichever is faster, 3 for TRR only mode, or 0 to disable it).
- Set `network.trr.uri`. Ones that you may use, https://cloudflare-dns.com/dns-query https://dns.google.com/experimental
TRR is preffed OFF by default and you need to set a URI for an available DOH server to be able to use it. Since the URI for DOH is set with a name itself, it may have to use the native resolver for bootstrapping. (Optionally, the user can set the IP address of the DOH server in a pref to avoid the required initial native resolve.)
All prefs for TRR are under the "network.trr" hierarchy.
To keep the failure rate at a minimum, the TRR system manages a dynamic persistent blacklist for host names that can't be resolved with DOH but works with the native resolver. Blacklisted entries will not be retried over DOH for a couple of days. "localhost" and names in the ".local" TLD will never be resolved via DOH.
When TRR starts up, it will first verify that it works by first checking a "confirmation" domain name. This confirmation domain is a pref by default set to "example.com". TRR will also by default await the captive-portal detection to raise its green flag before getting activated.
- Initial ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1434852
- The DNS-over-HTTPS spec: https://tools.ietf.org/html/draft-ietf-doh-dns-over-https-02