Wednesday, February 13, 2019

Turning off Mozilla Firefox Cloudflare DNS Service from Data Mining

Mozilla Firefox partnered with Cloudflare earlier last year to provide in-browser DoH via Cloudflare's 1.1.1.1 public DNS service. It will be turned on by default in Firefox in the future. When browsing via Firefox, this implementation overrides the DNS resolver set at the system level, which some observers have compared to DNS hijacking. Assuming you're aware of who's handling your users' queries (Cloudflare), and you're okay with this arrangement, this could be a good option for over-the-network privacy. With virtually no setup required, queries will be masked as HTTPS traffic.


But this means your traffic/data can be monitored and monetized via the third-party DNS resolver. According to https://blog.thousandeyes.com/choosing-public-dns-resolver/ here's what's at stake for your privacy.

Encryption of DNS queries ensures that your browsing data is safe from in-transit snooping. DNS over HTTPS (DoH), DNS over TLS (DoT) and DNSCrypt are three encryption mechanisms, each of which works slightly differently. Works best in Firefox version 62+.


For those interested in testing the behavior, in Firefox, open about:config and set network.trr.mode to 2, which will prefer TRR but fall back to regular DNS. The current values are:
  • 0: Off by default
  • 1: Firefox will choose based on which is faster
  • 2: TRR preferred, fall back to DNS on failure
  • 3: TRR only, no DNS fallback
  • 5: TRR completely disabled


Disable Firefox DNS Resolver


You can turn off the Trusted Recursive Resolver (TRR) feature in Firefox by following these steps:


1] Open Firefox. Type about:config in the location bar
2] Search for network.trr (TRR stands for Trusted Recursive Resolver – it is the DoH Endpoint used by Firefox.)
3] Change network.trr.mode to 5. This will disable DoH under all circumstances.


Partially use Firefox DNS Resolver



1] Open Firefox: Type about:config in the location bar
2] Search for network.trr (TRR stands for Trusted Recursive Resolver – it is the DoH Endpoint used by Firefox.)
3] Change network.trr.mode to 2 to enable DoH. This will try to use DoH but will fall back to insecure DNS under some circumstances, such as captive portals. This makes DNS over HTTPS the browser's first choice but uses regular DNS as a fallback.
4] Set network.trr.uri to your DoH server. Cloudflare’s is https://mozilla.cloudflare-dns.com/dns-query but you can use any DoH compliant endpoint.
The DNS tab on the about:networking page indicates which names were resolved using the Trusted Recursive Resolver (TRR) via DoH.
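As an added example (not code from the original post): a small Python script that parses the user_pref lines of a profile's prefs.js or user.js and reports the DoH posture from network.trr.mode and network.trr.uri, using the mode values listed above. The sample prefs text is constructed, not taken from a real profile.

```python
import re
# Meaning of each network.trr.mode value, as listed in the post above.
TRR_MODES = {
    0: "off (Firefox default)",
    1: "Firefox chooses whichever is faster",
    2: "TRR preferred, falls back to regular DNS on failure",
    3: "TRR only, no DNS fallback",
    5: "TRR completely disabled",
}

# Matches prefs.js / user.js lines such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^user_pref\("(network\.trr\.[^"]+)",\s*(.+)\);$')

# Constructed sample of a prefs.js fragment (not taken from a real profile).
SAMPLE_PREFS = """\
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
"""

def parse_trr_prefs(prefs_text):
    """Return the network.trr.* prefs found in prefs.js/user.js text, typed."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # not a user_pref line, or not a TRR pref
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]      # string pref, e.g. network.trr.uri
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"  # boolean pref
        else:
            prefs[name] = int(raw)       # integer pref, e.g. network.trr.mode
    return prefs

def assess_doh(prefs):
    """Classify DoH posture; an absent mode pref means the Firefox default, 0."""
    mode = prefs.get("network.trr.mode", 0)
    uri = prefs.get("network.trr.uri", "")
    result = {"mode": mode, "meaning": TRR_MODES.get(mode, "undocumented value")}
    if mode in (0, 5):
        result.update(doh="disabled", resolver=None)
    else:
        result.update(doh="doh-only" if mode == 3 else "doh-with-fallback",
                      resolver=uri or "(Firefox built-in default endpoint)")
    return result

if __name__ == "__main__":
    print(assess_doh(parse_trr_prefs(SAMPLE_PREFS)))
```

Point it at the prefs.js inside a Firefox profile directory to check a real machine; a profile with no network.trr.mode line is reported as mode 0.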


Default Firefox DNS Resolver Setting 

network.trr.mode = 0 


Firefox DNS Resolver (TRR) settings

1 comment:

  1. Thank you VERY MUCH for this helpful article. I am less concerned about the feature and it is good to know it can be disabled.
