Privacy and Security Focused DNS Resolver

The DNS over HTTPS (DoH) protocol is currently in the news, and the Firefox browser is the only one that supports it.

However, the feature is not enabled by default in Firefox. Several settings must be changed before users can get DoH up and running.

Before we look at how to enable DoH support in Firefox, let’s start by describing what it does.

How DNS works over HTTPS

Like regular DNS, the DNS over HTTPS protocol takes a domain name entered by a user in their browser and sends a query to a DNS server to determine the numeric IP address of the web server hosting that particular site.

Up to this point, that is how standard DNS works. The difference is that DoH takes the DNS query and sends it over an encrypted HTTPS connection on port 443 to a DoH-compliant DNS server, rather than in plain text to port 53.

In this way, DoH hides DNS queries in regular HTTPS traffic so that observers cannot listen to the traffic and determine which DNS queries users have run and which websites they want to access.

Further, a secondary feature of DNS-over-HTTPS is that the protocol works at the app level. Apps can come with internally hardcoded lists of DoH-compatible DNS resolvers where they can send DoH queries.

This mode of operation bypasses the default DNS settings that exist at the operating system level, which in most cases are set by the Internet service provider (ISP) using DHCP.

This also means that apps that support DoH can effectively bypass the traffic filters of ISPs and access content that may be blocked by a telecommunications company or local government. That’s one of the reasons why DoH is currently hailed as a boon for users’ privacy and security.

A step-by-step guide to enabling DNS-over-HTTPS (DoH) support in the Firefox browser.

Step 1: Type about:config in the URL bar and press Enter to access Firefox’s hidden configuration panel. Press the “I accept the risk!” button. Here users will need to enable and modify three settings.


Step 2:
Turn on DoH support. In the search field enter network.trr.mode and press Enter. Double-click on the name/line and enter the number 2, press OK.

This setting (network.trr.mode) supports five values:

  • 0 – DoH is disabled
  • 1 – DoH is enabled, but Firefox picks if it uses DoH or regular DNS based on which returns faster query responses
  • 2 – DoH is enabled, and regular DNS works as a backup
  • 3 – DoH is enabled, and regular DNS is disabled
  • 5 – DoH is explicitly disabled


Step 3:
The second setting that needs to be modified is network.trr.uri. This is the URL of the DoH-compatible DNS server where Firefox will send DoH DNS queries. By default, Firefox uses Cloudflare’s DoH service located at https://mozilla.cloudflare-dns.com/dns-query.

Mozilla uses Cloudflare in Firefox because the companies reached an agreement under which Cloudflare would collect very little data on DoH queries coming from Firefox.

However, users can use their own DoH server URL. You can also select another publicly available server from this list.

Each entry gives who runs it, the base URL, and a comment:

  • Google – https://dns.google/dns-query – Full RFC 8484 support
  • Cloudflare – https://cloudflare-dns.com/dns-query – Supports both -04 and -13 content-types
  • Quad9 – three base URLs:
      Recommended: https://dns.quad9.net/dns-query
      Secured: https://dns9.quad9.net/dns-query
      Unsecured: https://dns10.quad9.net/dns-query
    Secured provides: security blocklist, DNSSEC, no EDNS Client-Subnet
    Unsecured provides: no security blocklist, no DNSSEC, no EDNS Client-Subnet
    Recommended is currently identical to Secured.

On the website DNSPERF you can look at the speed performance of each server.


Step 4:
The third setting is optional and you can skip this one. But if the URL does not work, you can use it as a backup for step 3. The option is called network.trr.bootstrapAddress and is an input field where users can enter the numerical IP address of the DoH-compatible DNS resolver they entered in Step 3. For Cloudflare, it’s the address 1.1.1.1 or 1.0.0.1. For the Google service, it’s the address 8.8.8.8 or 8.8.4.4. If you used another DoH resolver’s URL, you’ll need to track down that server’s IP and enter it here.

Normally, the URL entered in Step 3 should be enough, though.

Settings should apply right away, but in case they don’t work, give Firefox a restart.