Enable ESNI without DoH?
I'd like to enable ESNI. However, I can't seem to do this without enabling DoH on Firefox, which bypasses my DNS filter at home (which also uses DoH). Is there any way I can get ESNI enabled without DoH on Firefox? Thanks!
All Replies (4)
Hi S, I'm pretty sure that it's the same in Mac as in Windows -
Type (or paste) about:config in the address bar and press Enter/Return(?).
Click "Accept the Risk and Continue".
In the search bar enter network.security.esni.enabled.
Double-click the entry line to toggle its value to True (or use the Toggle button at the right).
While you're there, check your DoH setting. Enter network.trr.mode in the search bar, and check that the value is set to:
0 = Off (default). Use standard native resolving only (don't use TRR at all)
5 = Off by choice. This is the same as 0 but marks it as done by choice and not done by default (forced Off)
Other settings:
2 = Use TRR first, and only if the name resolve fails use the native resolver as a fallback (This is the DoH setting used in Network Settings)
3 = Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)
See: MozillaWiki - Trusted Recursive Resolver https://wiki.mozilla.org/Trusted_Recursive_Resolver
Yes, I have enabled the ESNI setting in about:config. However, I wish to leave trr.mode as set to 0, so that my own DNS filtering will continue to work. Leaving DoH disabled also seems to break ESNI, as web tests show ESNI is disabled.
You're right. It's probably because ESNI is a Cloudflare design. Unless you have Cloudflare set as your TRR, ESNI fails. You can double-check me by going to your Network Settings at the bottom of the Options -> General page and setting the DoH provider to NextDNS and testing again.
From Cloudflare:
"Encrypted SNI
The Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. Doing so can compromise your privacy.
Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser’s requested hostname from anyone listening on the Internet.
All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default."
So, ESNI will only work with domains on Cloudflare, anyway.
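A small audit script, added here and not part of the thread or of Firefox, that reads the prefs.js / user.js format the about:config steps above write to, reports the network.trr.mode value using the meanings listed in the first reply, and flags the two situations the thread discusses: DoH active (local DNS filtering bypassed) and the ESNI pref on while TRR is off (ESNI will not work). The sample prefs content is constructed; the network.trr.uri value is a placeholder, not a real resolver.

```python
import re

# Meaning of network.trr.mode values, as listed in the first reply
TRR_MODES = {
    0: "Off (default): native resolver only, TRR not used",
    2: "TRR first, native resolver as fallback (DoH on)",
    3: "TRR only, never native (needs bootstrapAddress)",
    5: "Off by choice (forced Off)",
}

# Matches one line of Firefox's prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref lines into a dict of name -> bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def audit(prefs):
    """Return (doh_active, esni_enabled, findings) for a parsed profile."""
    mode = prefs.get("network.trr.mode", 0)  # Firefox default is 0
    esni = bool(prefs.get("network.security.esni.enabled", False))
    doh_active = mode in (2, 3)
    findings = [f"network.trr.mode={mode}: {TRR_MODES.get(mode, 'other')}"]
    if doh_active:
        findings.append("DoH active: local DNS filtering is bypassed for this profile")
    if esni and not doh_active:
        findings.append("ESNI pref is on but TRR is off: ESNI will not work (per thread)")
    return doh_active, esni, findings

# Constructed sample prefs.js content (not taken from a real profile)
SAMPLE = '''
user_pref("network.trr.mode", 0);
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.uri", "https://resolver.example.invalid/dns-query");
'''

if __name__ == "__main__":
    print(*audit(parse_prefs(SAMPLE))[2], sep="\n")
```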