Compare revisions
Firefox DNS over HTTPS
Revision 267873:
Revision 267873 by AliceWyman on
Revision 289778:
Revision 289778 by AliceWyman on
Keywords:
Search result summary:
DoH improves privacy by hiding domain name lookups from anyone lurking on public Wi-Fi, your ISP or others on your local network. Learn more.
DoH improves privacy by hiding domain name lookups from anyone lurking on public Wi-Fi, your ISP or others on your local network. Learn more.
Content:
This article describes DNS over HTTPS and how to enable, edit settings, or disable this feature.
__TOC__
=About DNS-over-HTTPS=
When you type a web address or domain name into your address bar (example: [https://www.mozilla.org www.mozilla.org]), your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third parties to see what website you’re about to access.
[https://wikipedia.org/wiki/DNS_over_HTTPS DNS-over-HTTPS] (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third parties from seeing what websites you are trying to access.
=Benefits=
DoH improves privacy by hiding domain name lookups from someone lurking on public Wi-Fi, your ISP, or anyone else on your local network. DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior.
=Risks=
*Some individuals and organizations rely on DNS to block malware, enable parental controls, or filter your browser’s access to websites. When enabled, DoH bypasses your local DNS resolver and defeats these special policies. When enabling DoH by default for users, Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy.
*When DoH is enabled, Firefox by default directs DoH queries to DNS servers that are operated by a trusted partner, which has the ability to see users' queries. Mozilla has a strong [https://wiki.mozilla.org/Security/DOH-resolver-policy Trusted Recursive Resolver (TRR) policy] in place that forbids our partners from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
*DoH could be slower than traditional DNS queries, but in testing, we found that the [https://blog.mozilla.org/futurereleases/2019/04/02/dns-over-https-doh-update-recent-testing-results-and-next-steps/ impact is minimal and in many cases DoH is faster].
=About our rollout of DNS over HTTPS=
We completed our rollout of DoH by default to all United States Firefox desktop users in 2019 and to all Canadian Firefox desktop users in 2021. We began our rollout by default to Russia and Ukraine Firefox desktop users in March 2022. We are currently working toward rolling out DoH in more countries. As we do so, DoH is enabled for users in “fallback” mode. For example, if the domain name lookups that are using DoH fail for some reason, Firefox will fall back and use the default DNS configured by the operating system (OS) instead of displaying an error.
=Opt-out=
If you’re an existing Firefox user in a locale where we’ve rolled out DoH by default, you’ll receive a notification in Firefox if and when DoH is first enabled, allowing you to choose not to use DoH and instead continue using your default OS DNS resolver.
[[Image:OptIn_Infobar]]
In addition, Firefox will check for certain functions that might be affected if DoH is enabled, including:
*Are parental controls enabled?
*Is the default DNS server filtering potentially malicious content?
*Is the device managed by an organization that might have a special DNS configuration?
If any of these tests determine that DoH might interfere with the function, DoH will not be enabled. These tests will run every time the device connects to a different network.
{for fx114}
=Enabling, disabling and configuring DNS-over-HTTPS=
See the [[Configure DNS over HTTPS protection levels in Firefox]] article.
{/for}
{for not fx114}
=Manually enabling and disabling DNS-over-HTTPS=
You can enable or disable DoH in your [[Connection settings in Firefox|Firefox connection settings]]:
#[[Template:optionspreferences]]
#In the {menu General} panel, go down to ''Network Settings'' and click the {button Settings…} button.
#In the dialog box that opens, scroll down to ''Enable DNS over HTTPS''.
#*'''On''': Select the '''Enable DNS over HTTPS''' checkbox.
#*;Select a provider or set up a custom provider ([[#w_switching-providers|see below]]).
#*'''Off''': Deselect the '''Enable DNS over HTTPS''' checkbox.
#;{for not fx111}[[Image:DoH_Enable]]{/for}{for fx111}[[Image:Fx111DoH_Enable]]{/for}
#Click {button OK} to save your changes and close the box.
=Switching providers=
#[[Template:optionspreferences]]
#In the {menu General} panel, go down to ''Network Settings'' and click the {button Settings…} button.
#Click the '''Use Provider''' drop-down under ''Enable DNS over HTTPS'' to select a provider in the list.
#;{for not fx111}[[Image:DoH_Provider]]{/for}{for fx111}[[Image:Fx111DoH_Provider]]{/for}
#You can also select '''Custom''' to set up a custom provider.
#;[[Image:Fx99DoH_Custom_Provider]]
#Click {button OK} to save your changes and close the box.
=Excluding specific domains=
You can configure exceptions so that Firefox uses your OS resolver instead of DoH:
[[Template:aboutconfigwarning]]
#[[Template:aboutconfig]]
#Search for the {pref network.trr.excluded-domains} preference.
#Click the ''Edit'' [[Image:Fx71aboutconfig-EditButton]] button next to the preference.
#Add domains, separated by commas, to the list and click on the checkmark [[Image:Fx71aboutconfig-Checkmark]] to save the change.
{note}Do not remove any domains from the list.{/note}
'''About subdomains:''' Firefox will check all the domains you've listed in {pref network.trr.excluded-domains} and their subdomains. For instance, if you enter example<!-- -->.com, Firefox will also exclude www.example<!-- -->.com.
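The subdomain rule above, modelled as an added example (this is not Firefox source code). The sample preference value and the function names are constructed for illustration, and matching on whole labels is an assumption of the model.

```javascript
// Added example, not Firefox source code. Models the documented rule that an
// entry in network.trr.excluded-domains covers the domain and its subdomains.

// Split the comma-separated pref value into normalised domain names.
function parseExcludedDomains(prefValue) {
  return prefValue
    .split(",")
    .map((d) => d.trim().toLowerCase().replace(/^\.+|\.+$/g, ""))
    .filter((d) => d.length > 0);
}

// True when the lookup for `hostname` would go to the OS resolver.
// Assumption: matching is on whole labels, so "example.com" covers
// "www.example.com" but not "notexample.com".
function isExcluded(hostname, prefValue) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return parseExcludedDomains(prefValue).some(
    (domain) => host === domain || host.endsWith("." + domain)
  );
}

// Constructed sample value, with stray spaces and a trailing comma.
const SAMPLE_PREF = "example.com, corp.example ,";

function resolverFor(hostname, prefValue = SAMPLE_PREF) {
  return isExcluded(hostname, prefValue) ? "os-resolver" : "doh";
}

const SAMPLE_HOSTS = [
  "www.example.com",
  "example.com",
  "notexample.com",
  "vpn.corp.example.",
  "mozilla.org",
];
for (const h of SAMPLE_HOSTS) {
  console.log(h.padEnd(20), resolverFor(h));
}
```

Every name that resolves through the OS resolver is looked up outside DoH, so keep the exclusion list limited to domains that need it.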
{/for}
=Configuring Networks to Disable DoH=
*[[Configuring Networks to Disable DNS over HTTPS]]
*[[DNS-over-HTTPS (DoH) FAQs]]
=Encrypted Client Hello (ECH)=
With [[Find what version of Firefox you are using|Firefox version]] 118, we're rolling out a significant security feature: the Encrypted Client Hello (ECH). Its primary role is to reinforce the security of the initial connection ''handshake'' made during online interactions. ECH, in conjunction with DNS over HTTPS (DoH), takes browsing security up a notch:
*'''DoH as a prerequisite:''' In Firefox's implementation, ECH relies on DoH to fetch the necessary encryption keys for the ''handshake''. Without DoH activated, ECH cannot operate.
*'''Synergized protection:''' DoH works by encrypting DNS queries, effectively safeguarding the conversion of website names to IP addresses. On the other hand, ECH focuses on encrypting the initial exchanges between the user and the website. Together, they present a comprehensive defense against many online threats.
*'''Enhanced protection:''' With both ECH and DoH enabled, users gain an enhanced dual layer of privacy, diminishing potential vulnerabilities and amplifying online discretion.
Ensure DoH is enabled in Firefox to fully benefit from the security enhancements provided by ECH. For a detailed understanding, see [[Understand Encrypted Client Hello (ECH)]] and [[Encrypted Client Hello (ECH) - Frequently asked questions]].
This article describes DNS over HTTPS and how to enable, edit settings, or disable this feature.
__TOC__
=About DNS over HTTPS=
When you type a web address or domain name into your address bar (example: [https://www.mozilla.org www.mozilla.org]), your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third parties to see what website you’re about to access.
[https://wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS] (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third parties from seeing what websites you are trying to access.
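What the browser actually puts inside the HTTPS connection, shown as an added example (not code from this article or from Firefox): the domain name becomes a binary DNS query carried in the GET form defined by RFC 8484. The resolver URL and function names are constructed placeholders, and nothing is sent over the network.

```javascript
// Added example: builds the RFC 8484 GET form of a DoH lookup without sending it.
// RESOLVER is a constructed placeholder, not a provider named on this page.
const RESOLVER = "https://doh.example/dns-query";

// Encode a hostname as DNS wire-format labels: length byte, ASCII bytes, final 0.
function encodeName(hostname) {
  const labels = hostname.replace(/\.$/, "").split(".");
  const parts = [];
  for (const label of labels) {
    const bytes = Buffer.from(label, "ascii");
    if (bytes.length === 0 || bytes.length > 63) {
      throw new RangeError(`invalid DNS label: "${label}"`);
    }
    parts.push(Buffer.from([bytes.length]), bytes);
  }
  parts.push(Buffer.from([0]));
  const name = Buffer.concat(parts);
  if (name.length > 255) throw new RangeError("DNS name too long");
  return name;
}

// Build a one-question DNS query. RFC 8484 recommends ID 0 so that
// identical questions produce identical, cacheable HTTP requests.
function buildQuery(hostname, qtype = 1 /* A record */) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0, 0);      // ID
  header.writeUInt16BE(0x0100, 2); // flags: recursion desired
  header.writeUInt16BE(1, 4);      // QDCOUNT: one question
  const question = Buffer.alloc(4);
  question.writeUInt16BE(qtype, 0);
  question.writeUInt16BE(1, 2);    // class IN
  return Buffer.concat([header, encodeName(hostname), question]);
}

// The query travels as an unpadded base64url "dns" parameter. On the wire,
// TLS encrypts the whole request, including this path and query string.
function buildDohUrl(hostname, qtype) {
  const dns = buildQuery(hostname, qtype).toString("base64url");
  return `${RESOLVER}?dns=${dns}`;
}

console.log(buildDohUrl("www.mozilla.org"));
```

A network observer sees only a TLS connection to the resolver's address; the resolver itself decodes the parameter and sees the name.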
=Benefits=
DoH improves privacy by hiding domain name lookups from someone lurking on public Wi-Fi, your ISP, or anyone else on your local network. DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior.
=Risks=
*Some individuals and organizations rely on DNS to block malware, enable parental controls, or filter your browser’s access to websites. When enabled, DoH bypasses your local DNS resolver and defeats these special policies. When enabling DoH by default for users, Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy.
*When DoH is enabled, Firefox by default directs DoH queries to DNS servers that are operated by a trusted partner, which has the ability to see users' queries. Mozilla has a strong [https://wiki.mozilla.org/Security/DOH-resolver-policy Trusted Recursive Resolver (TRR) policy] in place that forbids our partners from collecting personal identifying information. To mitigate this risk, our partners are contractually bound to adhere to this policy.
*DoH could be slower than traditional DNS queries, but in testing, we found that the [https://blog.mozilla.org/futurereleases/2019/04/02/dns-over-https-doh-update-recent-testing-results-and-next-steps/ impact is minimal and in many cases DoH is faster].
=About our rollout of DNS over HTTPS=
We completed our rollout of DoH by default to all United States Firefox desktop users in 2019 and to all Canadian Firefox desktop users in 2021. We began our rollout by default to Russia and Ukraine Firefox desktop users in March 2022. We are currently working toward rolling out DoH in more countries. As we do so, DoH is enabled for users in “fallback” mode. For example, if the domain name lookups that are using DoH fail for some reason, Firefox will fall back and use the default DNS configured by the operating system (OS) instead of displaying an error.
=Opt-out=
If you’re an existing Firefox user in a locale where we’ve rolled out DoH by default, you’ll receive a notification in Firefox if and when DoH is first enabled, allowing you to choose not to use DoH and instead continue using your default OS DNS resolver.
[[Image:OptIn_Infobar]]
In addition, Firefox will check for certain functions that might be affected if DoH is enabled, including:
*Are parental controls enabled?
*Is the default DNS server filtering potentially malicious content?
*Is the device managed by an organization that might have a special DNS configuration?
If any of these tests determine that DoH might interfere with the function, DoH will not be enabled. These tests will run every time the device connects to a different network.
=Enable, disable and configure DNS over HTTPS=
See the [[Configure DNS over HTTPS protection levels in Firefox]] article.
=Configure Networks to Disable DoH=
*[[Configuring Networks to Disable DNS over HTTPS]]
*[[DNS over HTTPS (DoH) FAQs]]
=Encrypted Client Hello (ECH)=
With [[Find what version of Firefox you are using|Firefox version]] 118, we rolled out a significant security feature: the Encrypted Client Hello (ECH). Its primary role is to reinforce the security of the initial connection ''handshake'' made during online interactions. ECH, in conjunction with DNS over HTTPS (DoH), takes browsing security up a notch:
*'''DoH as a prerequisite:''' In Firefox's implementation, ECH relies on DoH to fetch the necessary encryption keys for the ''handshake''. Without DoH activated, ECH cannot operate.
*'''Synergized protection:''' DoH works by encrypting DNS queries, effectively safeguarding the conversion of website names to IP addresses. On the other hand, ECH focuses on encrypting the initial exchanges between the user and the website. Together, they present a comprehensive defense against many online threats.
*'''Enhanced protection:''' With both ECH and DoH enabled, users gain an enhanced dual layer of privacy, diminishing potential vulnerabilities and amplifying online discretion.
Ensure DoH is enabled in Firefox to fully benefit from the security enhancements provided by ECH. For a detailed understanding, see [[Understand Encrypted Client Hello (ECH)]] and [[Encrypted Client Hello (ECH) - Frequently asked questions]].