HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox
Firefox has recently added a feature they call Trusted Recursive Resolver (TRR). It uses DNS over HTTPS to resolve DNS queries directly in the browser rather than using the native OS resolver. Though they have not currently enabled it by default, they would like to do so in the near future.
While this may offer some additional privacy benefits in certain situations, with regard to pfSense it means that your DNS policies like DNSSEC, host and domain overrides, caching, pfBlocker DNSBL, and so on will be ignored by clients using TRR.
Is this a good thing? Well, that depends. For some, sure. For others, no. There are technical reasons not to want this behavior, as mentioned above and in more detail below. There are privacy benefits as well for many users. Mozilla has partnered with Cloudflare, so that means TRR DNS queries are sent there and not to the intended server. Some people already use Cloudflare, or they don't care where the queries go, so that's a wash or a net gain. If you do not trust Cloudflare or do not want to put all your eggs in the Cloudflare basket, that's not so good.
In particular this could potentially interfere with things like Captive Portal, but TRR does have a built-in fallback if TRR fails to resolve a host. It may add some additional time to Captive Portal initial requests but how much remains to be seen. I haven't tested this yet, but I don't expect it to be a significant factor.
Another potential source of trouble is mixing this with a proxy, depending on whether or not you splice/bump/MITM SSL. I don't have a setup handy to try this, but it could easily go either way. May be fine, may break. Even if the DNS over HTTPS queries work through the proxy, the fact that it's using a different DNS server than the proxy could cause failures.
So what can be done about it? That remains to be seen as well. This is a user preference in Firefox but it is not currently exposed as a user option outside of about:config, where a user can set network.trr.mode to 5 to completely disable TRR. This may also be possible on larger managed deployments on a wider scale, but that depends on the OS and network infrastructure.
For BYOD/Guest networks there isn't much that can be done by a network admin. Mozilla is not using 220.127.116.11 for this, it is using https://cloudflare-dns.com/dns-query and the DNS query for that must be bootstrapped using the native OS resolver. So if queries for that domain fail it may cause TRR to fail and fall back to your configured DNS server. This could potentially be accomplished with DNS host overrides.
For those interested in testing the behavior, in Firefox, open about:config and set network.trr.mode to 2, which will prefer TRR but fall back to regular DNS. The current values are:
0: Off by default
1: Firefox will choose based on which is faster
2: TRR preferred, fall back to DNS on failure
3: TRR only, no DNS fallback
5: TRR completely disabled
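The mode table above and the bootstrap note (TRR falls back to the configured resolver when the lookup of the DoH hostname fails) can be turned into a small audit helper. The following is an added example, not code from the original post or from Mozilla or pfSense: it parses Firefox prefs.js / user.js lines, reports the effective network.trr.mode using the meanings listed in the post, flags whether the browser will bypass the local resolver's policies (DNSSEC, overrides, DNSBL), and extracts the DoH hostname that a local host override would need to cover. It assumes the preference name network.trr.uri for the DoH endpoint and treats the post's Cloudflare URL as the default when that preference is not set; the sample prefs.js content is constructed.

```python
import re
from urllib.parse import urlparse

# Meaning of network.trr.mode values, as listed in the post above.
TRR_MODES = {
    0: "off by default (Mozilla may change the effective default later)",
    1: "race: Firefox uses whichever of TRR or native DNS answers faster",
    2: "TRR preferred, falls back to native DNS on failure",
    3: "TRR only, no native DNS fallback",
    5: "TRR completely disabled",
}

# Modes in which at least some queries bypass the OS resolver, and with it
# any policy enforced on the local resolver (DNSSEC, overrides, DNSBL).
BYPASSES_LOCAL_DNS = {1, 2, 3}
# Modes that still fall back to native DNS when the DoH lookup fails, so a
# failing bootstrap lookup of the DoH hostname pushes them back to local DNS.
HAS_NATIVE_FALLBACK = {1, 2}

# Assumption: network.trr.uri holds the DoH endpoint; the post names this URL.
DEFAULT_DOH_URI = "https://cloudflare-dns.com/dns-query"

# Matches lines of the form user_pref("name", value); or pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse Firefox prefs.js / user.js text into a {name: value} dict.

    Quoted values become str, true/false become bool, digits become int.
    Comment lines and anything that does not match are skipped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave unknown token as-is
        prefs[name] = value
    return prefs


def audit_trr(prefs):
    """Summarise the TRR configuration found in a parsed prefs dict."""
    mode = prefs.get("network.trr.mode", 0)  # post: default is 0
    if not isinstance(mode, int):
        mode = -1  # non-numeric value: treat as unknown
    uri = prefs.get("network.trr.uri", DEFAULT_DOH_URI)
    host = urlparse(uri).hostname if isinstance(uri, str) else None
    return {
        "mode": mode,
        "description": TRR_MODES.get(mode, "unknown value, check Firefox docs"),
        "bypasses_local_dns": mode in BYPASSES_LOCAL_DNS,
        "falls_back_to_native": mode in HAS_NATIVE_FALLBACK,
        # The name whose native lookup bootstraps TRR; a host override on it
        # in the local resolver is the lever the post describes.
        "doh_host": host,
    }


# Constructed sample, not content from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://cloudflare-dns.com/dns-query");
user_pref("privacy.trackingprotection.enabled", true);
"""

if __name__ == "__main__":
    report = audit_trr(parse_prefs(SAMPLE_PREFS_JS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point the script at a real profile's prefs.js to see which of the modes above is in effect; a report with bypasses_local_dns set to True is a client whose lookups will not be seen by pfSense, and doh_host is the name to override locally if the fallback behaviour is wanted.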
Yeah I am not a fan of this at all.. If they want to allow the users to enable this - sure ok.. But it should never be on out of the box without user interaction to enable it if you ask me.
I already have network.trr.mode set to 5... I see no use of this at all
chpalmer:
Default seems to be 0 for everyone I know.. Is 5 better?
0 may turn into 2 based on what Mozilla wants to do, since 0=default, 5=explicitly disabled.
chpalmer:
Thanks 5 it is!
yon:
The default seems to be 0 for everyone.. Is 5 better?
I am using a simpledns server :)
My ISP blocked Cloudflare, so I want to change it to closed.
Huh?? yon your post is gibberish.. what server you want to use has zero to do with what TRR is..
yon:
I mean, I can only use my own DNS or VPN. If a website is blocked, TRR may not solve this problem.
TRR is more problems than anything it could possibly solve.. Especially if they turn it on without explicit user acknowledgment.. Problem is even if the user agrees to some pop up, the vast majority of them are not even going to understand what they are agreeing to.. Typical users - and then wondering why their local resolving of xyz.com broke.
This should require users actually having to do something to enable it, like edit about:config entry and on purpose turn it on.
And you sure as hell could use Cloudflare through your VPN... So you still could use TRR if you wanted to, even if your ISP blocks where it's going. I still don't know why anyone would want to use this.. Sorry, I don't want to send all my DNS queries to 1 provider.. I don't want to use you for DNS - I will do it myself thank you very much.
Got a question about the iOS version of Firefox.. How can you ensure this is never used? about:config is not available in the iOS version of Firefox.
That's a tough one to answer.
I did see a post on Reddit earlier this week from someone who claimed association with Mozilla that said they no longer plan on ever making this the default, only available as a GUI option. I'm not holding my breath waiting on that to be verified, but it is at least a bit of hope that we won't have to jump through hoops.
Thanks for the info - let's hope they don't try and enable this on the sly in the background ;) Doing such a thing for sure would force me to rethink my browser choice..
bcruze:
This is why I use Firefox ESR.
The version that would get this automagically would be the standard version of FF.