
DNS over HTTPS: Status Active with Provider Cloudflare
We have systems on our network running Mozilla Firefox that are able to access a specific URL with no issues. Then we have other systems on our network running Mozilla Firefox that, when accessing that same URL, receive the following error:
Secure Connection Failed
An error occurred during a connection to "URL". PR_END_OF_FILE_ERROR
Error code: PR_END_OF_FILE_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Both are running the same version of Firefox. The only difference I have found is the DNS over HTTPS status. On the one that the user is able to access the URL, the DNS over HTTPS status is off. On the one that the user is unable to access the same URL, the DNS over HTTPS status is Active using the provider Cloudflare.
These are both brand new installs of Firefox and there were no configuration changes. We don't use any GPOs or anything else to manage Firefox. Why would one be off and the other active? This is causing issues.
All Replies (3)
Are your 2 systems installed in different regions? The PR_END_OF_FILE_ERROR indicates a problem with establishing a secure SSL/TLS connection.
If you choose Default Protection, Firefox performs checks and automatically enables DNS over HTTPS or not.
The difference in status is likely because one system passed these checks while the other failed.
You can disable Default Protection: Menu > Settings > Privacy & Security > go to DNS over HTTPS > change the setting to Disable protection.
Alternatively, if you want DNS over HTTPS to remain active for other sites, you can set the protection level to "Default Protection" or click "Manage Exceptions" and add your specific URL to the list.
Both systems are in the same location. We have not done any configuration changes to Mozilla on either system and are trying to remediate this without touching Firefox. I'm just not understanding why one would have passed the check and the other failed.
You didn't clarify if the failing system works if you disable DNS over HTTPS.
Since the systems are in the same physical location, the difference in DoH points to the network environment or the host operating system.
Even if both computers are connected to the same switch, a host-level difference can influence Firefox's decision. For example: a simple DHCP glitch or static IP setting that led one system to get the correct internal DNS server and the other to get a public or fallback one, or a different configuration of antivirus/security software, etc.
When DoH is enabled, Firefox by default directs DoH queries to DNS servers that are operated by a trusted partner, which has the ability to see users' queries. Mozilla has a strong Trusted Recursive Resolver (TRR) policy for that. More info: https://wiki.mozilla.org/Security/DOH-resolver-policy
Firefox uses a mechanism called a Canary Domain to determine if a network is managed and prefers to use its own DNS service. More info: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet and https://support.mozilla.org/en-US/kb/firefox-dns-over-https
So I recommend:
1. Ensure all your clients are using your internal/local DNS server for their DNS settings.
2. On that local DNS server, you need to create a rule to respond to queries for the domain use-application-dns.net with an NXDOMAIN (non-existent domain) response.