User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

On a Firefox configured to use (Cloudflare) DoH, I blocked the domain mozilla.cloudflare-dns.com (using either udp DNS returning the wrong ip, or firewall rules dropping connection to what that domain resolves to) .

Actual results:

As it could not join DoH resolve, Firefox continued using system resolver without any warning.

Expected results:

While stopping to work because DoH would not work seems like a bad idea, I would expect Firefox to show something telling the user that DoH is not working, maybe like the yellow DRM banner. In it's current form, DoH gives no amount of privacy as blocking it is easy and, from an end-user point of view, unnoticeable.

(I'm not sure if I should mark it as a security issue, at the benefit of doubt I did, but if you think it shouldn't, feel free to make it public)

Pretty sure this is works as expected and changeable in preferences, but NI Dragana to make sure.

The thing with showing a banner is that once it's shown it's already too late. Also, if this happens more often than "super rare" these will just annoy people. A blocking dialog before continuing to the site probably wouldn't be helpful either, as we have the classic "click this button to make it work" dilemma, where most users will choose the insecure option to get their task done.

It's difficult.

This is expected. DoH in Firefox has 2 modes:

1. fallback to native (internally called mode 2)
2. don not fallback to native (internally called mode 3)

In Preference you can only set mode 2. If you want mode 3 you can set it in about:config, look for network.trr.mode and set it to 3.

I guess this depends on having UI to enable mode3. Not a priority right now, but I expect it'll happen at some time this year.