Firefox web browser has built-in support for DNS over HTTPS (DoH) protocol natively to allow DNS resolution look-ups to be transmitted securely over encrypted HTTPS protocol, comparing with the classic DNS look-ups which are sent in plain text to get the IP addresses for domain names. DNS over HTTPS has the potential to improve the privacy and security, in addition to increase the reliability of DNS service.

If you can’t wait for Windows 10 DNS over HTTPS client to be ready, you can enable Firefox’s DoH support, allowing Firefox to bypass Windows operating system DNS configuration to send DNS lookup queries itself to the DoH-compatible DNS resolver that you set in Firefox’s settings.

How to Enable DNS over HTTPS in Firefox

  1. In Firefox, open menu, and go to Options (or directly enter about:preferences#general in the address bar.
  2. In General tab, scroll to the bottom to locate Network Settings section, then click or tap on Settings button.
  3. At the bottom of the page, select the checkbox for Enable DNS over HTTPS.
  4. Then select a DoH-compatible DNS provider from the Use Provider drop down box. Firefox includes CloudFlare and NextDNS natively, but you can choose Custom, and manually enter the DNS provider’s DNS template URL.
DNS over HTTPS in Firefox

Here’s a brief list of URL of DNS over HTTPS supported template for popular publicly available DNS servers:

  • Google: https://dns.google/dns-query
  • AdGuard: https://dns.adguard.com/dns-query
  • AdGuard Family protection: https://dns-family.adguard.com/dns-query
  • OpenDNS: https://doh.opendns.com/dns-query
  • OpenDNS FamilyShield: https://doh.familyshield.opendns.com/dns-query
  • Quad9: https://dns.quad9.net/dns-query
  • CleanBrowsing: https://doh.cleanbrowsing.org/doh/family-filter/
  • nextdns.io: https://dns.nextdns.io/<config_id>

An updated list of publicly available DNS service providers that support DNS over HTTPS with their template URLs is available on github.com.

DNS over HTTPS in Firefox operates in fallback mode. So if the browser fails to get a respond over DoH for a DNS resolution query, it will fallback to conventional unencrypted DNS port 53 to complete the DNS lookup.

Firefox will skip DNS over HTTPS protocol if any of the following functions are in use:

  • Parental controls (DNS filtering requires plain-text DNS resolution queries)
  • Default DNS provider supports malware filtering.
  • The device is managed by an organization.

If you want to have more fine controls of DNS over HTTPS settings in Firefox, where you can also enable or disable DNS over HTTPS, you can do so in advanced configuration preferences of Firefox. To do so, head to about:config in the Firefox address bar.

Firefox’s settings for DNS over HTTPS are named as Trusted Recursive Resolver (trr). So you can search for trr to list all settings related to DNS over HTTPS. Here’s some notable TRR’s settings:

  • network.trr.mode
    • 0: Disabled
    • 2: Auto (DoH with DNS as fallback)
    • 3: Use only DNS over HTTPS (no fallback)
  • network.trr.uri
    • Enter the URL of a DNS provider’s DNS template.
  • network.trr.bootstrapAddress
    • Specify that IP address of the host name used in “network.trr.uri” to avoid Firefox having to resolve for the host name. Normally the IP address of DNS server.
  • network.trr.excluded-domains
    • Exclude domains from DNS over HTTPS, multiple domains to be separated by commas.

Note that some settings, such as network.dns.skipTRR-when-parental-control-enabled, may not have any effort as the web browsers want to provide a way for DNS filtering to work, which is essential to parental controls.