Firefox have recently launched a feature that allows you to encrypt your DNS traffic, historically DNS uses a combination of UDP and/or TCP on port 53 which has always been available to see in plain text. This controversial feature moves DNS away from the network OS level to the application level.

With this setting enabled the domain name you typed is sent to a DNS-over-HTTPS (DoH) compatible server using an encrypted HTTPS connection instead of a plain text one. This prevents third parties (malicious or not) from observing your DNS traffic.

This article shows you how to enable the setting in Firefox and show the setting in action within Wireshark.

The main benefit in this is privacy for the user to hide domain name lookup's, the risk elements sits with companies who use this as part of the URL filtering component or to monitor network traffic before actual traffic is transmitted over HTTPS. This is a setting in which Chrome are experimenting and more browsers will eventually incorporate.

One way to disable the setting at a company level, providing you have control of the windows endpoint you could deploy a Firefox group policy setting this value to 0 (See settings section at end of article), alternatively if you have SSL decryption/encryption on the firewall you could deal with it there. Blocking HTTPS access to Cloudflare IP ranges is possible but not recommended as it will open other issues due to the amount of websites that use Cloudflare services. 

To enable DoH, you need to be running at a minimum Firefox 69, this can be checked by going to the Help > About page, if this is not at this version please update before continuing.

Within Options then Network Settings scroll down to the section then select Enable DNS over HTTPS then from the dropdown select Cloudflare then restart Firefox

When using Firefox for browsing it will not use your DNS that have been dynamically assigned from DHCP but redirect all requests to Cloudflare DoH servers.

You can exclude addresses or subnet's within the settings by adding them to the box shown below for LAN lookup's.

You should now be using DoH for all Firefox requests, other browsers such as Chrome or Internet Explorer will continue to use plaintext DNS.

The DoH traffic can be shown within Wireshark when performing a DNS lookup a site

The communication with shown above is a server within the Cloudflare range, providing everything is working correctly you should not see any external traffic on UDP or TCP port 53.

You can further tweak the settings in Firefox by go to about:config then search for network.trr.mode

This can be changed to the following if required;

  • 0 - Default value which means DoH is disabled
  • 1 - DoH is enabled but Firefox picks the DNS method based on which returns faster query responses
  • 2 - DoH is enabled and regular DNS works as a backup
  • 3 - DoH is enabled and regular DNS is disabled