为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

话题已存档。 如果需要帮助请提出新问题。

Firefox behavior if doh is blocked by firewall

ravinder.verma
ravinder.verma
more options

I am working on firewall which can block Doh request to cloudfare or any custom doh service provider. I would like to know if firewall silently drops/block what is the behavior of firefox? Does it automatically fallback to premise DNS server or fallback is config driven and if fallback disabled then it continue using DOH only in which case things will continue to fail forever. Is it possible firewall can generate some end user notification to browser so it can detect block (e.g connection refused etc) connection and fallback? Yes my firewall is kind of MITM and does terminate TCP connection so its firewall/proxy.

I am working on firewall which can block Doh request to cloudfare or any custom doh service provider. I would like to know if firewall silently drops/block what is the behavior of firefox? Does it automatically fallback to premise DNS server or fallback is config driven and if fallback disabled then it continue using DOH only in which case things will continue to fail forever. Is it possible firewall can generate some end user notification to browser so it can detect block (e.g connection refused etc) connection and fallback? Yes my firewall is kind of MITM and does terminate TCP connection so its firewall/proxy.

被采纳的解决方案

Hi,

yes, if Firefox fails to resolve a domain via DoH, it should fallback to the DNS. You can modify this behaviour using the network.trr.mode preference. Possible values of this pref are:

  • 0 - Off (default). use standard native resolving only (don't use TRR at all)
  • 1 - Reserved (used to be Race mode)
  • 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
  • 3 - Only. Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)
  • 4 - Reserved (used to be Shadow mode)
  • 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.


Type of the DNS connection you can check on the about:networking#dns page (it is a TRR column).

定位到答案原位置 👍 0

所有回复 (2)

TyDraniu
TyDraniu
  • Top 10 Contributor
more options

选择的解决方案

Hi,

yes, if Firefox fails to resolve a domain via DoH, it should fallback to the DNS. You can modify this behaviour using the network.trr.mode preference. Possible values of this pref are:

  • 0 - Off (default). use standard native resolving only (don't use TRR at all)
  • 1 - Reserved (used to be Race mode)
  • 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
  • 3 - Only. Only use TRR. Never use the native (This mode also requires the bootstrapAddress pref to be set)
  • 4 - Reserved (used to be Shadow mode)
  • 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.


Type of the DNS connection you can check on the about:networking#dns page (it is a TRR column).

由TyDraniu于修改

ravinder.verma
ravinder.verma 提问者
more options

Thank you TyDraniu; this helps!