I am replying in this thread with Firefox 140.3.1 ESR. My queries are going to my router/firewall.
Verify that about:config network.trr.mode is set to 5.
If one has control over their local DNS they can also create a local record, example in Unbound DNS. Some applications will query this to see if DoH is permitted in the network.
If that does not work create a startup script that will loop through all the common DoH providers and blackhole route them. Some may say that DoH could be on any CDN node but that is not the case. The DoH providers use static addresses and in some cases vanity IP addresses. [1] using this entire data-set is unnessecary as Firefox has only ever used Cloudflare and Google in the past.
for OpenRes in $(grep -Ev ^# /usr/local/etc/_open_resolvers.txt);do /sbin/ip route add blackhole "${OpenRes}" 2>/dev/null;done
If using Unbound DNS enable logging of query responses to a tmpfs mount and ensure log rotation keeps the usage small and sends the compressed rotated files to the disk. Query logs can help verify requests are being processed by local DNS.
log-queries: no
log-replies: yes
log-servfail: yes
Thx! And seems that `use-application-dns.net` works for me. But I will still consider replacing Firefox, because this behavior, which is inconsistent with the settings, is unacceptable to me. However, I'm glad I learned a new thing, thx again :)
No problem. I've never see Firefox exhibit this behavior. Out of curiosity have you started in safe mode disabling all the addons and does it still do this?
Interesting. If network.trr.mode is set to 5 this should not be occurring. If there is no plan to use FF again then I suppose submitting a bug would be a waste of time. Perhaps others will run into whatever condition is causing this behavior or perhaps it would happen on mine and my blackhole routes are breaking it.
Can you confirm the full technical method you were using to see DoH traffic? i.e. Destination IP/port/protocol
Suggested capture methods:
tcpdump -p --dont-verify-checksums -i any -NNnntt -B32768 -c2000 -s0 proto 6 and 'tcp[13] == 2' and not host ${Your_Router_IP} &
tcpdump -p --dont-verify-checksums -i any -NNnntt -B32768 -c4000 -s0 proto 17 and not host ${Your_Router_IP} and 'length <256' &
Don't paste the output, just suggestions for capturing HTTPS SYN and QUIC over UDP.
For what it's worth they have added a lot more outbound crap. Even using user.js [1] there is still a lot of leaky outbound noise. Loads of connections to fastly, cloudfront and others. It has gotten worse with time. I would probably also consider using a different browser but I can not give up the addons I use in Firefox. I will just blackhole route those CDN's and see what breaks.
I am replying in this thread with Firefox 140.3.1 ESR. My queries are going to my router/firewall.
Verify that about:config network.trr.mode is set to 5.
If one has control over their local DNS they can also create a local record, example in Unbound DNS. Some applications will query this to see if DoH is permitted in the network.
If that does not work create a startup script that will loop through all the common DoH providers and blackhole route them. Some may say that DoH could be on any CDN node but that is not the case. The DoH providers use static addresses and in some cases vanity IP addresses. [1] using this entire data-set is unnessecary as Firefox has only ever used Cloudflare and Google in the past. If using Unbound DNS enable logging of query responses to a tmpfs mount and ensure log rotation keeps the usage small and sends the compressed rotated files to the disk. Query logs can help verify requests are being processed by local DNS. [1] - https://github.com/dibdot/DoH-IP-blocklistsThx! And seems that `use-application-dns.net` works for me. But I will still consider replacing Firefox, because this behavior, which is inconsistent with the settings, is unacceptable to me. However, I'm glad I learned a new thing, thx again :)
No problem. I've never see Firefox exhibit this behavior. Out of curiosity have you started in safe mode disabling all the addons and does it still do this?
Hi, I just tried safe mode, and still the same :)
Interesting. If network.trr.mode is set to 5 this should not be occurring. If there is no plan to use FF again then I suppose submitting a bug would be a waste of time. Perhaps others will run into whatever condition is causing this behavior or perhaps it would happen on mine and my blackhole routes are breaking it.
Yep, that `network.trr.mode` is `5`, just confirmed. I'm considering Zen now.
Can you confirm the full technical method you were using to see DoH traffic? i.e. Destination IP/port/protocol
Suggested capture methods:
Don't paste the output, just suggestions for capturing HTTPS SYN and QUIC over UDP.For what it's worth they have added a lot more outbound crap. Even using user.js [1] there is still a lot of leaky outbound noise. Loads of connections to fastly, cloudfront and others. It has gotten worse with time. I would probably also consider using a different browser but I can not give up the addons I use in Firefox. I will just blackhole route those CDN's and see what breaks.
[1] - https://github.com/arkenfox/user.js