Firefox DNS-over-HTTPS

About DNS-over-HTTPS

When you type a web address or domain name into your address bar (example: www.mozilla.org), your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third-parties to see what website you’re about to access.

DNS-over-HTTPS (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third-parties from seeing what websites you are trying to access.

Benefits

DoH improves privacy by hiding domain name lookups from someone lurking on public WiFi, your ISP, or anyone else on your local network. DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior.

Risks

  • Some individuals and organizations rely on DNS to block malware, enable parental controls, or filter your browser’s access to websites. When enabled, DoH bypasses your local DNS resolver and defeats these special policies. When enabling DoH by default for users, Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy.
  • When DoH is enabled, Firefox by default directs DoH queries to DNS servers that are operated by a trusted partner, which has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy in place that forbids our partners from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
  • DoH could be slower than traditional DNS queries, but in testing, we found that the impact is minimal and in many cases DoH is faster.

About our rollout of DNS over HTTPS

In 2019 we completed our rollout of DoH to all Firefox desktop users in the United States. We are currently working toward rolling out DoH in more countries. As we do so, DoH is enabled for users in “fallback” mode. For example, if the domain name lookups that are using DoH fail for some reason, Firefox will fall back and use the default DNS configured by the operating system (OS) instead of displaying an error.

Opt-out

For existing Firefox users in locales where we’ve rolled out DoH by default, the notification below will display if and when DoH is first enabled, allowing the user to choose not to use DoH and instead continue using their default OS DNS resolver.

DoH89

In addition, Firefox will check for certain functions that might be affected if DoH is enabled, including:

  • Are parental controls enabled?
  • Is the default DNS server filtering potentially malicious content?
  • Is the device managed by an organization that might have a special DNS configuration?

If any of these tests determine that DoH might interfere with the function, DoH will not be enabled. These tests will run every time the device connects to a different network.

Manually enabling and disabling DNS-over-HTTPS

You can enable or disable DoH in your Firefox connection settings:

  1. In the Menu bar at the top of the screen, click Firefox and select Preferences. Click the menu button Fx57Menu and select OptionsPreferences.Click the menu button Fx89menuButton and select Settings.

  2. In the General panel, scroll down to Network Settings and click the Settings… button.
  3. In the dialog box that opens, scroll down to Enable DNS over HTTPS.
    • On: Select the Enable DNS over HTTPS checkbox. Select a provider or set up a custom provider.
    • Off: Deselect the Enable DNS over HTTPS checkbox.
    toggle doh
  4. Click OK to save your changes and close the window.

Switching providers

  1. In the Menu bar at the top of the screen, click Firefox and select Preferences. Click the menu button Fx57Menu and select OptionsPreferences.Click the menu button Fx89menuButton and select Settings.

  2. Scroll down to Network Settings and click the Settings… button.
  3. Click the Use Provider drop-down under Enable DNS over HTTPS to select a provider.
    change dns provider
    Change DNS Provider fx73
  4. Click OK to save your changes and close the window.

Excluding specific domains

You can configure exceptions so that Firefox uses your OS resolver instead of DoH:

  1. Type about:config in the address bar and press EnterReturn.
    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.
  2. Search for network.trr.excluded-domains.
  3. Click the Edit Fx71aboutconfig-EditButton button next to the preference.
  4. Add domains, separated by commas, to the list and click on the checkmark Fx71aboutconfig-Checkmark to save the change.
    Note: Do not remove any domains from the list.
About subdomains: Firefox will check all the domains you've listed in network.trr.excluded-domains and their subdomains. For instance, if you enter example.com, Firefox will also exclude www.example.com.

Configuring Networks to Disable DoH

See Configuring Networks to Disable DNS over HTTPS and the DNS over HTTPS (DoH) FAQs.

Was this article helpful?

Please wait...

These fine people helped write this article:

Illustration of hands

Volunteer

Grow and share your expertise with others. Answer questions and improve our knowledge base.

Learn More