
Background & Configuration

I have enabled DNS-over-HTTPS (DoH) in Firefox, in order to hand a stream of sites I access over to Cloudflare and thence directly to government agencies in one convenient place. This is hidden away in Preferences, General tab, scroll down to the bottom right, Settings button, scroll down to the bottom again.

I noticed on attempting to search for a term containing a dot, that DNS-over-HTTPS was not being used. My ISP, BT, were still hijacking plain old DNS to redirect to their site. This is surprising given the wording provided by Firefox that indicates to any reasonable person that this would be safe. Firefox UX sign-off could do with bucking their ideas up, IMO.

So, after googling I have gone into about:config and changed network.trr.mode to 3 in order that Firefox does not fail unsafe on DoH.

This doesn't work at all.

After further googling, I switched off the BT "Smart Setup" on my ADSL router. The steps for my BT Home Hub:

  • Log in to the admin site 192.168.1.254.
  • Advanced Settings
  • Continue to Advanced Settings (!)
  • Home Network
  • "Smart Setup" (It seems "smart" is never smart.)
  • No
  • Apply

That seemed to work for a while, but then failed and kept failing.

It's an intermittent failure. Switching network.trr.mode back to 2 (fail open!) and then possibly loading something, allows setting network.trr.mode back to 3 for a while.

I suspected that Firefox may be doing all the lookups outside of DoH using just the poisoned DNS cache. However, sites I had not been to still worked.

Going to https://1.1.1.1/help during intermittent failures gives me:

 Connected to 1.1.1.1           No
 Using DNS over HTTPS (DoH)     No
 Using DNS over TLS (DoT)       No
 AS Name                     Checking...
 AS Number                   Checking...
 Cloudflare Data Center         LHR

When working that becomes:

 Connected to 1.1.1.1           Yes
 Using DNS over HTTPS (DoH)     Yes
 Using DNS over TLS (DoT)       No
 AS Name                     Cloudflare
 AS Number                     13335
 Cloudflare Data Center         LHR

Going to https://www.cloudflare.com/ssl/encrypted-sni/ I noticed that Encrypted SNI was not happening. As I understand it, SNI enables a web server to provide the correct certificate for a site when a single IP address is mapped from multiple names. Unfortunately, by default, Firefox sends host names in plain text even when using DoH. Believable.

Yet more googling turns up setting network.security.esni.enabled to true in about:config to encrypt host names here. How this fails, I don't know.

I have also tried using a public access point (The Cloud), and the behaviour is much the same.

I have been using macOS Catalina. Seems to be the same on a Windows 10 cheap and very nasty laptop. Have tried flushing the Windows DNS cache with ipconfig /flushdns and also setting network.dnsCacheExpiration to 0. Neither makes it work when it is failing, nor makes it fail when it is working.

The question

What is causing fail-safe DoH to fail intermittently on Firefox, and how do I fix it?

I notice that the www.cloudflare.com name is in the DoH configuration. Is it failing to bootstrap in a sensible fashion? Does it expire the lookup after a while and not use DoH in time?

1 Answer


I have now had a look at the wiki.

It turns out that it is indeed the issue of bootstrapping the name used in the resolver HTTPS URL. An IP of a DNSSEC server needs to be in network.trr.bootstrapAddress, probably using the same server as for DNS-over-HTTPS. The wiki suggests looking up with https://dns.google/query?name=mozilla.cloudflare-dns.com, which can be checked with nslookup. For Cloudflare this gives the choice 104.16.249.249 or 104.16.248.249. The initial ticket also suggests the alternative of using an IP address in the HTTPS URL (though I guess that means it would be using an IP address HTTPS certificate).

So beyond the preferences window, the configuration you need in about:config to make DNS-over-HTTPS work in Firefox appears to be:

 network.security.esni.enabled    true
 network.trr.mode                 3
 network.trr.bootstrapAddress     104.16.249.249

All I wanted was a ticky box.

Edit: It's difficult to reproduce, but I still see the intermittent problem. It occurs for one page then clears itself.
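The bootstrap problem the answer describes can be made concrete with a small DoH client. This is an added example, not code from the question, the answer or Firefox: it dials the bootstrap IP directly (the address the answer put in network.trr.bootstrapAddress), verifies the TLS certificate against the resolver's name via SNI, and sends an RFC 8484 GET query, so the resolver's own host name never has to go through the system DNS that the ISP is hijacking. The resolver host mozilla.cloudflare-dns.com and the /dns-query path are assumed to match Firefox's default TRR URI; the sample response bytes used for the offline self-check are constructed, not captured traffic.

```python
import base64
import http.client
import socket
import ssl
import struct

# Assumed for this example: host and path of Firefox's default TRR URI
# (https://mozilla.cloudflare-dns.com/dns-query). The bootstrap IP is the
# one the answer obtained from the dns.google lookup.
RESOLVER_HOST = "mozilla.cloudflare-dns.com"
DOH_PATH = "/dns-query"
BOOTSTRAP_IP = "104.16.249.249"


def build_query(name, qtype=1, txid=0):
    """Return a minimal RFC 1035 wire-format query (RD set, one question).
    RFC 8484 recommends ID 0 over DoH so identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def encode_dns_param(query):
    """base64url without padding, as the RFC 8484 GET ?dns= parameter requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _skip_name(msg, offset):
    """Advance past a possibly compressed name; a 2-byte pointer ends the name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("resolver returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


class BootstrappedDoHConnection(http.client.HTTPSConnection):
    """HTTPS connection that dials the bootstrap IP directly, so the resolver's
    own name never has to pass through the (possibly hijacked) system DNS.
    The certificate is still verified against the resolver host via SNI, so a
    wrong bootstrap address cannot silently impersonate the resolver."""

    def __init__(self, bootstrap_ip, resolver_host, timeout=5):
        super().__init__(bootstrap_ip, 443, timeout=timeout)
        self.resolver_host = resolver_host
        self.tls_context = ssl.create_default_context()

    def connect(self):
        raw = socket.create_connection((self.host, self.port), self.timeout)
        self.sock = self.tls_context.wrap_socket(raw, server_hostname=self.resolver_host)


def doh_lookup(name, bootstrap_ip=BOOTSTRAP_IP, resolver_host=RESOLVER_HOST):
    """Resolve `name` to IPv4 addresses over DoH without any system DNS lookup."""
    conn = BootstrappedDoHConnection(bootstrap_ip, resolver_host)
    try:
        conn.request("GET", DOH_PATH + "?dns=" + encode_dns_param(build_query(name)),
                     headers={"Host": resolver_host, "Accept": "application/dns-message"})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError("DoH HTTP status %d" % resp.status)
    return parse_a_records(body)


# Constructed sample response (not captured traffic): NOERROR, one A record
# for example.com -> 93.184.216.34, answer name given as a compression pointer.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 0000003c 0004 5db8d822"
)

if __name__ == "__main__":
    print("offline self-check:", parse_a_records(SAMPLE_RESPONSE))
    try:
        print("live DoH lookup:", doh_lookup("example.com"))
    except (OSError, RuntimeError, ValueError) as exc:
        print("DoH lookup failed (bootstrap or network problem):", exc)
```

If the live lookup fails while the offline self-check passes, the bootstrap address itself is unreachable or no longer serves a certificate for the resolver name, which is exactly the situation in which Firefox in network.trr.mode 3 has nothing to fall back to; in mode 2 it would instead quietly revert to the ISP's resolver.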