Firefox DoH is not working since at least version 89

DNS over HTTPS does not appear to be working since at least Firefox version 89.0-0.1.

Last tested on stable update 2021-06-14 (KDE) and FF 89.0.1-1 but was happening before since at least previous stable release.

Steps to Reproduce

  • Enable DNS over HTTPS > Cloudflare
  • Test by browsing to https://1.1.1.1/help
  • Result: Using DNS over HTTPS (DoH) No

In about:config, set network.trr.mode to 3, and try again. This will tell Firefox to use only DoH. See Trusted Recursive Resolver - MozillaWiki for more information.

No, that doesn’t work.

Setting network.trr.mode=3 (was 2) just means I can’t browse at all as there is no native resolver fallback.

This is a relatively new issue. DoH has been working fine. I have this issue on other Manjaro machines but not on Windows.

Have you tried with a clean profile and no extensions activated?
If you are using a router can you connect the computer directly to the modem and see if it works?
Can you indicate what you have tried so far?

Hmm. I have eliminated network issues by checking that DoH works on Windows (FF 89, with the same extensions) on the same network, as previously stated. Multiple Manjaro machines are not working, making it less likely to be a profile issue IMHO.

Can somebody independently verify if this is working or not as per my original post? Should be simple enough to try and reproduce. Thanks in advance.

P.S. Corrected original post: Issue first discovered in FF 89.0-0.1 (although could have been present since earlier versions)

I have tested it with 89.0.1 and it’s working when I set it to Cloudflare (and also my own server).

In which country are you? Some are blocking DoH.

Hey thanks for testing! Was that on latest KDE stable by any chance?

I’m confident it’s not a network/country thing; as I say, it works on Windows on the same network. I should add that I have tried other providers as well, to no avail.

Can you test on dnsleaktest.com which DNS you’re actually using?

You could try with curl -v -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query\?name\=manjaro.org\&type\=A If you receive any response.

So the network DNS which FF falls back on is opendns. How does knowing that help? Remember my Windows FF can use DoH fine on same network.

 $ curl -v -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query\?name\=manjaro.org\&type\=A
*   Trying ::ffff:146.112.61.106:443...
* Connected to cloudflare-dns.com (::ffff:146.112.61.106) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

There, you have it. The certificate is not working. Is your system fully up-to-date and the date and time correctly set?

The IPv6 address that you’re receiving is invalid. It should be 2606:4700::6810:f8f9 or 2606:4700::6810:f9f9.
If you check the IP that you receive, you’ll find out that it belongs to OpenDNS.
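The diagnosis above (the `Trying ::ffff:146.112.61.106:443...` line in the curl trace points at an address that is not the DoH provider's, so the TLS certificate cannot validate) can be automated. The script below is an added example and is not code from the thread: it unwraps IPv4-mapped IPv6 addresses of the form `::ffff:a.b.c.d`, checks the peer curl connected to against a list of provider prefixes, and parses an `application/dns-json` body to confirm a real answer came back. The prefix `2606:4700::/32` contains the two IPv6 addresses quoted in the reply; `104.16.0.0/13` is an assumption about the provider's IPv4 side, and every trace and JSON body below is constructed for the example, not captured from the poster's machine.

```python
"""Check whether a curl -v run against a DoH endpoint reached the provider
or was redirected to a filtering resolver's substitute address.

Added example: not from the thread. Inputs are constructed.
"""
import ipaddress
import json
import re

# Assumed provider prefixes. 2606:4700::/32 covers the IPv6 addresses named
# in the thread; 104.16.0.0/13 is an assumption about the IPv4 side.
EXPECTED_PREFIXES = [
    ipaddress.ip_network("104.16.0.0/13"),
    ipaddress.ip_network("2606:4700::/32"),
]

# curl -v reports the peer it dials, with or without brackets around IPv6:
#   *   Trying ::ffff:146.112.61.106:443...
#   *   Trying [2606:4700::6810:f8f9]:443...
TRYING_RE = re.compile(r"^\*\s+Trying\s+\[?(.+?)\]?:(\d+)\.\.\.")


def normalize(addr: str) -> str:
    """Unwrap an IPv4-mapped IPv6 address so prefix checks see the real IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def is_expected(addr: str) -> bool:
    """True if the address falls inside one of the provider's prefixes."""
    ip = ipaddress.ip_address(normalize(addr))
    # ipaddress returns False for a version mismatch, so mixing v4/v6 is safe.
    return any(ip in net for net in EXPECTED_PREFIXES)


def peers_from_curl_trace(trace: str) -> list[str]:
    """Collect every normalized peer address curl tried to connect to."""
    peers = []
    for line in trace.splitlines():
        m = TRYING_RE.match(line)
        if m:
            peers.append(normalize(m.group(1)))
    return peers


def diagnose_curl_trace(trace: str) -> str:
    """Classify a curl -v trace: interception, local TLS problem, or ok."""
    peers = peers_from_curl_trace(trace)
    if not peers:
        return "no connection attempt found"
    wrong = [p for p in peers if not is_expected(p)]
    if wrong:
        # The hostname resolved to something outside the provider: the
        # upstream resolver substituted its own address (the thread's case).
        return ("intercepted: connected to " + ", ".join(wrong)
                + ", outside expected provider prefixes")
    if "unable to get local issuer certificate" in trace:
        # Right peer, bad cert: look at the clock and CA bundle instead.
        return "certificate failed but peer address looks right: check clock and CA bundle"
    return "ok"


def answers_from_dns_json(body: str) -> list[str]:
    """Return A/AAAA record data from an application/dns-json response,
    or an empty list if the response is absent or carries a non-zero Status."""
    doc = json.loads(body)
    if doc.get("Status") != 0:
        return []
    return [a["data"] for a in doc.get("Answer", []) if a.get("type") in (1, 28)]


# Constructed curl -v excerpt mirroring the symptom reported in the thread.
BLOCKED_TRACE = """\
*   Trying ::ffff:146.112.61.106:443...
* Connected to cloudflare-dns.com (::ffff:146.112.61.106) port 443 (#0)
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
"""

# Constructed trace of a healthy run, using an address quoted in the reply.
HEALTHY_TRACE = """\
*   Trying 2606:4700::6810:f8f9:443...
* Connected to cloudflare-dns.com (2606:4700::6810:f8f9) port 443 (#0)
"""

# Constructed dns-json body; 192.0.2.10 is a documentation address, not
# manjaro.org's real record.
DNS_JSON_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "manjaro.org", "type": 1}],
    "Answer": [{"name": "manjaro.org", "type": 1, "TTL": 300, "data": "192.0.2.10"}],
})

if __name__ == "__main__":
    print(diagnose_curl_trace(BLOCKED_TRACE))
    print(diagnose_curl_trace(HEALTHY_TRACE))
    print(answers_from_dns_json(DNS_JSON_OK))
```

To use it on a live machine, pipe the stderr of `curl -v -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query?name=manjaro.org&type=A` into `diagnose_curl_trace` and its stdout into `answers_from_dns_json`; an "intercepted" verdict means the system resolver, not the DoH provider, answered for the endpoint hostname, which is exactly the OpenDNS filtering case found here.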

Hey thanks for this, it makes perfect sense!

OpenDNS has filtering functionality, and what has happened is that at some point they must have added the various DoH providers I’ve been using to their blacklist. What threw me is that my Windows FF was able to use DoH without issue; I suspect what must be happening there is that the corporate transparent proxy on my laptop is circumventing the blocking by OpenDNS somehow.

It sounds like the solution to this would be to change your system-wide DNS from OpenDNS to anything else. I also recommend keeping network.trr.mode at 3 because Firefox will use only DoH with that setting.
