


Enable ESNI without DoH?

  • 4 replies
  • 1 has this problem
  • 16 views
  • Last reply by RobertJ


I'd like to enable ESNI. However, I can't seem to do this without enabling DoH on Firefox, which bypasses my DNS filter at home (which also uses DoH). Is there any way I can get ESNI enabled without DoH on Firefox? Thanks!

All Replies (4)


Hi S, I'm pretty sure that it's the same in Mac as in Windows -

  • Type (or paste) about:config in the address bar and press Enter/Return(?)
  • Click "Accept the Risk and Continue"
  • In the search bar enter network.security.esni.enabled
  • Double-click the entry line to toggle its value to True (or use the Toggle button at the right)

While you're there, check your DoH setting. Enter network.trr.mode in the search bar, and check that the value is set to:
  • 0 = Off (default). Use standard native resolving only (don't use TRR at all)
  • 5 = Off by choice. This is the same as 0 but marks it as done by choice and not done by default (forced Off)

Other settings:
  • 2 = Use TRR first, and only if the name resolve fails use the native resolver as a fallback (This is the DoH setting used in Network Settings)
  • 3 = Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)

See: MozillaWiki - Trusted Recursive Resolver https://wiki.mozilla.org/Trusted_Recursive_Resolver
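An added example, not code from this thread or from Mozilla: a small script that reads the prefs named in the reply above out of a Firefox prefs.js / user.js excerpt and reports whether ESNI can actually work, encoding the constraints the thread lays out (network.security.esni.enabled must be true, network.trr.mode must be 2 or 3 because 0 and 5 keep the native resolver, and mode 3 additionally needs network.trr.bootstrapAddress). It also flags the asker's real concern: any mode that turns TRR on sends lookups over DoH and around a LAN DNS filter. The background fact that Firefox only fetched the ESNI key (the _esni TXT record) over TRR, and the network.trr.uri pref, are not stated in the thread; the two prefs excerpts are constructed sample input.

```javascript
// Added example, not from the thread or from Mozilla: audit a Firefox
// prefs.js / user.js excerpt for whether ESNI can work. ESNI needs
// network.security.esni.enabled = true AND TRR (DoH) in use, i.e.
// network.trr.mode 2 or 3; modes 0 and 5 keep the native resolver, and
// Firefox fetched the ESNI key (the _esni TXT record) only over TRR, so
// ESNI silently stays off. Mode 3 also needs network.trr.bootstrapAddress.

// Meaning of each network.trr.mode value named in the thread.
const TRR_MODES = {
  0: "off (default): native resolver only",
  2: "TRR first, native resolver as fallback",
  3: "TRR only (requires network.trr.bootstrapAddress)",
  5: "off by choice",
};

// Parse user_pref("name", value); lines. Values are booleans, integers or
// double-quoted strings; comments, blank lines and anything else are skipped.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (m) prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Decide whether ESNI can work and whether DoH will bypass a local DNS filter.
function auditEsni(prefs) {
  const esni = prefs.get("network.security.esni.enabled") === true;
  const mode = prefs.get("network.trr.mode") ?? 0;        // absent pref = default 0
  const bootstrap = prefs.get("network.trr.bootstrapAddress") ?? "";
  const uri = prefs.get("network.trr.uri") ?? "";         // DoH endpoint pref (not named in thread)
  const trrOn = mode === 2 || mode === 3;
  const problems = [];
  if (!esni) problems.push("network.security.esni.enabled is not true");
  if (!trrOn) problems.push(`network.trr.mode=${mode} keeps TRR off, so the ESNI key is never fetched`);
  if (mode === 3 && !bootstrap) problems.push("network.trr.mode=3 requires network.trr.bootstrapAddress");
  return {
    esniEnabled: esni,
    trrMode: mode,
    trrModeMeaning: TRR_MODES[mode] ?? "unknown/unsupported value",
    resolver: trrOn ? (uri || "(TRR with no network.trr.uri set)") : "native resolver",
    localFilterBypassed: trrOn,   // DoH goes around a LAN DNS filter
    esniCanWork: problems.length === 0,
    problems,
  };
}

// Constructed sample: the asker's situation (ESNI toggled on, TRR left at 0).
const SAMPLE_ASKER = `
// Mozilla User Preferences
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.mode", 0);
`;

// Constructed sample: DoH via Cloudflare, the provider the thread says ESNI needs.
const SAMPLE_DOH = `
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, text] of [["asker", SAMPLE_ASKER], ["doh", SAMPLE_DOH]]) {
    console.log(name, auditEsni(parsePrefs(text)));
  }
}
```

Run it with node against a copy of your profile's prefs.js; the asker's excerpt reports esniCanWork false with the native resolver in use, while the Cloudflare excerpt reports true but also localFilterBypassed true, which is exactly the trade-off the thread ends on.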


Yes, I have enabled the ESNI setting in about:config. However, I wish to leave trr.mode as set to 0, so that my own DNS filtering will continue to work. Leaving DoH disabled also seems to break ESNI, as web tests show ESNI is disabled.


You're right. It's probably because ESNI is a Cloudflare design. Unless you have Cloudflare set as your TRR, ESNI fails. You can double-check me by going to your Network Settings at the bottom of the Options -> General page and setting the DoH provider to NextDNS and testing again.


From Cloudflare:

"Encrypted SNI

The Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. Doing so can compromise your privacy.

Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser’s requested hostname from anyone listening on the Internet.

All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default."

So, ESNI will only work with domains on Cloudflare, anyway.