config statements for DOH in FireFox

2019/07/31

introduction

I understood from the xs4all helpdesk that the DNS server of my internet provider supports 'DNS over HTTPS' (see e.g. Cloudflare and Wikipedia) . Because I read that the Mozilla Firefox browser supports this, I thought that I would use this (and preferably with the xs4all server).

config statements for the Cloudflare server

On the internet I found several suggestions to make this work. The most helpful was a very detailed webpage by Daniel Stenberg (bagder) containing also a link to an unofficial list of list of 'DNS over HTTPS' (DoH) servers.
In Daniel’s page I saw that I could use in the about:config ‘page’ of FireFox the setting network.trr.mode = 2.
This means: FireFox will try to use TRR (TRR == Trusted Recursive Resolver) first, and only if the name resolve fails use the native resolver as a fallback.
Mike Tabor’s page suggests to also set network.security.esni.enabled = true and links to a Cloudflare page that automatically tests whether DNS queries and answers are encrypted, whether the DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether the browser supports encrypted Server Name Indication (SNI).

The following image shows my about:config options containing the phrase network that have non-default values (i.e. are modified):

Because I did not specify 'network.trr.uri' the default value of 'https://mozilla.cloudflare-dns.com/dns-query' is used. With these values the Cloudflare page indicates that all tests are passed.
Also the FireFox ‘page’ about:networking#dns shows that for most ‘hostnames’ TRR is used: only ocsp.digicert.com is used without TRR . We will see later that is not the case for the xs4all server. It should be noted that after changing the network settings sometimes it takes some time before all hosts work with TRR.

config statements for the xs4all server ??

My purpose is to use the DNS server of my internet provider. I thought this was as easy as simply changing the 'network.trr.uri' option to the name (or IP address) of this server. The following image shows the options that were modified in the about:config ‘page’ :

So the following x options were changed:

network.trr.confirmationNS = skip # default example.com
network.trr.uri = https://resolver.xs4all.nl/dns-query
# default https://mozilla.cloudflare-dns.com/dns-query


The result is that the Cloudflare page indicates that the tests for Secure DNS and Encrypted SNI are not passed. The about:config ‘page’ shows that all hostnames are resolved without using TRR :

So with these about:config options the xs4all DNS server will not use TRR

question

Which FireFox options should be used to get TRR (DNS over HTTPS) working with the xs4all DNS server?

When asking the question in twitter I was asked to request the information in DM. In answer to this I was given a different url to specify for network.trr.uri. I don’t give it here, because apparently it is not open yet for the general public. I also set network.trr.bootstrapAddress to the IP address of this server.
about:networking#dsn now shows all hostnames resolved with TRR.
The Cloudflare page indicates that all tests are passed with the exception of the Secure DNS test that is flagged with a question mark.
I have reset the about:config options for FireFox to the default after I deployed the VPN server ExpressVPN.