This content has moved.
Please go to bagder/TRRprefs for the current incarnation of the docs, and please help us out polish and maintain this documentation!
This content has moved.
Please go to bagder/TRRprefs for the current incarnation of the docs, and please help us out polish and maintain this documentation!
but one thing i'm really confused is when bootstrapAddress setted
In the most cases the value bootstrapAddress can be empty! Its initially resolving https://mozilla.cloudflare-dns.com/dns-query to a IP. You can set any valid DNS e.g. 8.8.8.8 or 1.1.1.1
so.. that means trr.uri is always priority to check resolver by web browser(ff in this case) so bootstrapAddress isn't important to put value on there right?
@phonphen I inserted
8.8.8.8
and it still doesn't work, probably an issue with Firefox itself.
You have to make sure that dns.google.com
resolve to 8.8.8.8
.
dns.google.com
NEVER resolve to 8.8.8.8
for me but 172.217.31.110
. that's why you can't use 8.8.8.8
as bootstrapAddress.
but one thing i'm really confused is when bootstrapAddress setted
In the most cases the value bootstrapAddress can be empty! Its initially resolving https://mozilla.cloudflare-dns.com/dns-query to a IP. You can set any valid DNS e.g. 8.8.8.8 or 1.1.1.1
[...] so bootstrapAddress isn't important to put value on there right?
it is, i'm afraid. if you choose TRR mode 3.
but usually TRR mode 2 recommanded for common users. 🤔
so anyway leave it(bootstrapAddress) empty for now.. is best?
some of dns packet detect & manipulate nation's users need to proper test on these settings if there's further change on values.
as i've confirm, Android Firefox is flush those values on every application updates..
so highly suggest this website for test dnsleak after every trr settings apply.
but usually TRR mode 2 recommanded for common users. thinking
yes
so anyway leave it(bootstrapAddress) empty for now.. is best?
Leave empty will use the system native resolver. Should work "best" in the most cases: It will most likely be the ISP of your current connection.
It seems trr prefs don't work when FF is driven by selenium
, anybody experienced the same issue?
I use this script below but they don't even work when I set them manually:
from selenium import webdriver
#resolver_url = 'https://mozilla.cloudflare-dns.com/dns-query'
resolver_url = 'https://dns.google.com/experimental'
fp = webdriver.FirefoxProfile()
fp.DEFAULT_PREFERENCES['frozen']["network.trr.mode"] = 2
fp.DEFAULT_PREFERENCES['frozen']["network.trr.uri"] = resolver_url
driver = webdriver.Firefox(firefox_profile=fp)
driver.get('http://facebook.com')
driver.quit()
The screenshot below is an example: same FF version, same trr prefs in about:config, but the one on the left is driven by selenium
and it uses the system's DNS server instead of Google's:
Question:
Could you confirm what "network.trr.max-fails" is about? I assume that it's the maximum number of retransmissions after giving up resolution for the current domain name -- the timeout for each query being network.trr.request-timeout millisec.
So essentially resolution of a name will fail after
Fail=network.trr.request-timeout * network.trr.max-fails
?
Good stuff, thanks. What about the 'network.trr.disable-ECS' option?
network.trr.disable-ECS If set, TRR asks the resolver to disable ECS (EDNS Client Subnet). Some resolvers will use ECS to the upstream if this request is not passed on to them.
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
https://bugzilla.mozilla.org/show_bug.cgi?id=1466462
Another one to add to the list of possible resolvers (network.trr.uri) is Quad9's DoH service.
https://dns9.quad9.net/dns-query
or for no malicious blocking...
https://dns10.quad9.net/dns-query
with the boostrap IPs of 9.9.9.9
that's why you can't use 8.8.8.8 as bootstrapAddress.
So how come I can use 1.1.1.1 even though cloudflare-dns.com never resolves to 1.1.1.1 ?
I tried 2 servers and I did not get trr.mode 3 (forced) to work with any of them other then cloudflair. I used 1.1.1.1 on bootstrap am I supposed to use another server? Should any normal DNS server work there? I tried another regular IPv4 DNS server in there but it does not work either.
Firefox 67.0.4 (64-Bit) on Tumbleweed.
// actually https://dns10.quad9.net/dns-query works with 9.9.9.9 bootstrap as well as mentioned above so every resolver url has to have its own specific bootstrap DNS server for forced mode?
From this list https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers Foundation for Applied Privacy sounds really nice but what use is it if I can not use it in forced mode? They say on their instructions how to set the URL and say you have to set bootstrap but do not bother to tell you to what exactly? I do not get it, tried their IPv4 they list below for DNS-over-TLS (DoT) not sure if this relates, at first I thought it works but I guess it was just because of cache, it actually does not work.
@iphorde Yeah, cause RFC for it doesn't exist, it totally isn't rfc8484, oh wait.
The RFC was written after I posted my comment. You should look at the dates. October 2018. I posted on Aug 5, 2018. This is still a terrible idea.
What about network.trr.wait-for-A-and-AAAA
? It seems to be true
by default, but it looks like it would do the same thing as network.trr.early-AAAA
. What does it do?
I created this gist while working for Mozilla on the TRR implementation. It has not been maintained and I do not work for Mozilla anymore - since late 2018. For up-to-date Firefox DoH documentation, I hope that Mozilla has a better reference than this by now!
@iphorde: the RFC was work in progess within the IETF when we wrote this code and several others did the same. That's how protocol standards are typically made.
Update Google's server please-- https://dns.google/dns-query
If it helps anyone that winds up at this gist, you can exclude / bypass domains from being resolved with DoH using network.trr.excluded-domains
I've transitioned this gist into a separate github repository, and I will accept pull requests to update and fix the documentaton.
Open a PR for the google DOH server address change.
I've now cut down this gist to force everyone over to the repo instead to keep the docs at a single place. I also added two missing prefs and moved over some blurb from my blog post.
In the most cases the value bootstrapAddress can be empty! Its initially resolving https://mozilla.cloudflare-dns.com/dns-query to a IP. You can set any valid DNS e.g. 8.8.8.8 or 1.1.1.1