User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Enable Trusted Recursive Resolver:

• network.trr.mode = 3
• network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query

Enable ESNI:

• network.security.esni.enabled = true

Visit any website:

• https://www.cloudflare.com/ssl/encrypted-sni/
• any other website.

Actual results:

Error:

Hmm. We’re having trouble finding that site.

We can’t connect to the server at www.cloudflare.com.

If that address is correct, here are three other things you can try:

Try again later.
Check your network connection.
If you are connected but behind a firewall, check that Nightly has permission to access the Web.

Expected results:

Page should have loaded.

Disable ESNI with TRR enabled:

• Success

Disable TRR with ESNI enabled:

• Success

Reproduced on latest Nightly 68.0a1 (2019-05-01) (64-bit). Moving over to it's component.
Thanks for the report!

Works for me:
mozregression --launch 2019-05-06 --pref network.trr.mode:3 network.trr.uri:"https://mozilla.cloudflare-dns.com/dns-query" network.trr.bootstrapAddress:"1.1.1.1" network.security.esni.enabled:true -a https://www.cloudflare.com/ssl/encrypted-sni/

In DoH-only mode, Firefox is not allowed to use regular DNS to resolve the IP address of mozilla.cloudflare-dns.com, so it must be configured manually by the user (via network.trr.bootstrapAddress).

OK, I accept this response, but I request that a Doc bug be opened in reference to this as I was unable to locate anywhere that his is needed. Additionally, it might be a good idea to pre-populate a config with IPs for known D0H providers, so the end user doesn't need to configure this when it is released to GA (Adding the DoH provider's IP to a setting is overly complex for the average FireFox user).

(In reply to Gregory Young from comment #3)

OK, I accept this response, but I request that a Doc bug be opened in reference to this as I was unable to locate anywhere that his is needed.

If I may ask, where did you find out about trr.mode = 3?

Additionally, it might be a good idea to pre-populate a config with IPs for known D0H providers

I don't think that's wise. IPs are likely to change more often than we are able to release Firefox and update the prefs. Also, it's unlikely that this mode will ever be enabled by default.

Adding the DoH provider's IP to a setting is overly complex for the average FireFox user

I don't expect the average user to run TRR-only mode.

(In reply to Valentin Gosu [:valentin] from comment #4)

If I may ask, where did you find out about trr.mode = 3?

Via CloudFlare's ESNI Test: https://www.cloudflare.com/ssl/encrypted-sni/

That said, upon reviewing the linked Mozilla page closer, I do see it is mentioned further down that you need to bootstrap: https://wiki.mozilla.org/Trusted_Recursive_Resolver

Additionally, it might be a good idea to pre-populate a config with IPs for known D0H providers

I don't think that's wise. IPs are likely to change more often than we are able to release Firefox and update the prefs. Also, it's unlikely that this mode will ever be enabled by default.

As the current documented providers are CloudFlare and Google, whos DNS IPs don't change (1.1.1.1 and 8.8.8.8), at the very least they could be used as bootstrap IPs or the default settings. Personally, my feeling is CloudFlare would be the best option as a default, out of the box setting, as they are a leader in the Internet Security space, and have established themselves as a trusted resource for everyone on the internet.

Adding the DoH provider's IP to a setting is overly complex for the average FireFox user

I don't expect the average user to run TRR-only mode.

Why? The whole idea is to secure DNS for everyone on the internet to prevent snooping, tampering or ISP DNS injection. This really should be an "on by default" option once it reaches a stable state (along with ESNI). Mozilla is in a very strong position to help drive adoption of DoH and/or DoT, and should be using that position to help drive a more secure internet.

(In reply to Gregory Young from comment #5)

As the current documented providers are CloudFlare and Google, whos DNS IPs don't change (1.1.1.1 and 8.8.8.8), at the very least they could be used as bootstrap IPs or the default settings. Personally, my feeling is CloudFlare would be the best option as a default, out of the box setting, as they are a leader in the Internet Security space, and have established themselves as a trusted resource for everyone on the internet.

Bootstrapping to 1.1.1.1 works, but I'm not sure that's correct.
Resolving mozilla.cloudflare-dns.com locally gives me 104.16.248.249
I am not sure whether mozilla specific privacy policy also applies to 1.1.1.1 (probably does but I haven't confirmed with anyone).

I don't expect the average user to run TRR-only mode.

Why? The whole idea is to secure DNS for everyone on the internet to prevent snooping, tampering or ISP DNS injection. This really should be an "on by default" option once it reaches a stable state (along with ESNI). Mozilla is in a very strong position to help drive adoption of DoH and/or DoT, and should be using that position to help drive a more secure internet.

My mom doesn't know what DNS is. If she tries to access her local printer, and it doesn't work, whose fault is that?
As much as I'd love for everyone to be free from snooping, there are a lot things to figure out before we get there. You can watch Bug 1434852 (DoH) to follow our progress and we welcome any contribution you may want to bring to the process.

Thanks!

(In reply to Valentin Gosu [:valentin] from comment #6)

(In reply to Gregory Young from comment #5)

As the current documented providers are CloudFlare and Google, whos DNS IPs don't change (1.1.1.1 and 8.8.8.8), at the very least they could be used as bootstrap IPs or the default settings. Personally, my feeling is CloudFlare would be the best option as a default, out of the box setting, as they are a leader in the Internet Security space, and have established themselves as a trusted resource for everyone on the internet.

Bootstrapping to 1.1.1.1 works, but I'm not sure that's correct.
Resolving mozilla.cloudflare-dns.com locally gives me 104.16.248.249
I am not sure whether mozilla specific privacy policy also applies to 1.1.1.1 (probably does but I haven't confirmed with anyone).

1.1.1.1 is simply an alias for your closest CloudFlare Datacenter. Looking up the FQDN of the resolver will always point to the IP of the resolver in the closest datacenter. Using 1.1.1.1 as the bootstrap simply provides the TRR implementation with the local datacenter IP for the DoH resolver, which then is subsequently used for future lookups.

I don't expect the average user to run TRR-only mode.

Why? The whole idea is to secure DNS for everyone on the internet to prevent snooping, tampering or ISP DNS injection. This really should be an "on by default" option once it reaches a stable state (along with ESNI). Mozilla is in a very strong position to help drive adoption of DoH and/or DoT, and should be using that position to help drive a more secure internet.

My mom doesn't know what DNS is. If she tries to access her local printer, and it doesn't work, whose fault is that?

OK, I get the point about local resolvers, and that is what 'network.trr.mode=2' is for (use TRR when possible, then fall back to local DNS).

As much as I'd love for everyone to be free from snooping, there are a lot things to figure out before we get there. You can watch Bug 1434852 (DoH) to follow our progress and we welcome any contribution you may want to bring to the process.

The above mentioned bug is closed. Instead of defaulting to 'network.trr.mode=3', 'network.trr.mode=2' would be the better setting, but some sort of indicator that the request fell back to the OS resolver would be a good idea (similar to the SSL/TLS indicator) so security conscious users are aware the request wasn't resolved securely. As a stretch goal, detection of whether the OS resolver is using DoH/DoT would be a good check before setting the above suggested indicator.

(In reply to Gregory Young from comment #7)

As much as I'd love for everyone to be free from snooping, there are a lot things to figure out before we get there. You can watch Bug 1434852 (DoH) to follow our progress and we welcome any contribution you may want to bring to the process.

The above mentioned bug is closed.

It's closed because initial support for DoH landed. It's now used for tracking TRR related bugs.
You can also use https://bugzilla.mozilla.org/buglist.cgi?quicksearch=[trr] to see the active bugs.

but some sort of indicator that the request fell back to the OS resolver would be a good idea (similar to the SSL/TLS indicator) so security conscious users are aware the request wasn't resolved securely.

bug 1525640 which just landed that adds platform support for that. See bugs 1542331 and 1542357 for the UI work.

As a stretch goal, detection of whether the OS resolver is using DoH/DoT would be a good check before setting the above suggested indicator.

We currently have no way of knowing if the OS resolver is using DoH/DoT

Note that you can ping me in #necko on irc.mozilla.org if you need more info. Cheers!

(In reply to Gregory Young from comment #7)

Instead of defaulting to 'network.trr.mode=3', 'network.trr.mode=2' would be the better setting

Default is 0 (no DoH).
network.trr.mode is set to 2 if you open about:preferences > Scroll down & open "Network Settings" > scroll down and enable "DNS-over-HTTPS"