DOH potential security risk message
When trying DNS over https in in a neetwork that uses googles DNS 8.8.8.8 and 8.8.4.4 I configured FF as follows set network.trr.mode=3 set network.trr.bootstarpaddress=8.8.8.8 set network.trr.uri=https://dns.google/dns-query
Then I went to https://1.1.1.1/help knowing full well that I am use googles DOH and not cloudflare expecting cloudflare web site to tell me I am not using there services with results being all negative.
Instead FF reported that "Warning potential security problem ahead". See enclosed If I am using Googles DOH values and I go to a cloudgflare site why would FF flag the site as a security risk? Keeping in mind FF appears to be working for other sites in the DOH configuration for Google with no visible problems.
Ọ̀nà àbáyọ tí a yàn
The network is a library in Canada, Toronto area. I didn't believe that the library would filter a specific 1.1.1.1 address and not other DOH sites. But It appears that is the case because I tried another device on that network and then I tried it on another public network and it worked.
I will have to put this question to the Library as to why the filter? Not that I expect an answer
Ka ìdáhùn ni ìṣètò kíkà 👍 0All Replies (15)
Can you click the Advanced button for more information about why the certificate verification failed?
1.1.1.1 would normally redirect you to a server in your vicinity using anycast, so there might be a domain mismatch for the certificate after the redirect.
The certificate failed because it was not HTTPs so the connection was not secure. But strangely I was not able to connect using CloudFlare DOh value only with Googles DOH value shown in this web site "https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers"
Those settings are working:
about:config?filter=network.trr
network.trr.bootstrapAddress > 8.8.8.8 network.trr.confirmationNS > dns.google network.trr.credentials > dns.google network.trr.disable-ECS > false network.trr.early-AAAA > true network.trr.mode > 3 network.trr.uri > https://dns.google.com/experimental
after set, restart firefox and enjoy :)
I have already stated the settings I used. I have already stated that google DOH worked.
Why does cloudflare the default used by FF not work?
again, please click on advanced on the error page to see what's the error code and possibly inspect the failing certificate...
You dont seem to understand. No certificate was obtained as shown in my enclosure.
Why would cloudflare site be blocked and not google? Why is it I could not get through to cloudflare when google DOH was working?
Hi Mace2, on the error page, there is an Advanced button -- the gray one next to the large blue one. That Advanced button opens a panel with more technical information about the problem. I don't think you can diagnose the issue without that.
Enclosed is the advance tab. Keep in mind the google DOH values are set and work. But the cloudflare web site 1.1.1.1/help did not work
I'm looking at the domains of the certificate provided to Firefox in your screenshot and I wonder whether your service provider may not permit IP address URLs, or at least this one. Otherwise, why would that certificate be showing up?
Ọ̀nà àbáyọ Tí a Yàn
The network is a library in Canada, Toronto area. I didn't believe that the library would filter a specific 1.1.1.1 address and not other DOH sites. But It appears that is the case because I tried another device on that network and then I tried it on another public network and it worked.
I will have to put this question to the Library as to why the filter? Not that I expect an answer
Do you think they filter 1.1.1.1 in particular, or filter IP address URLs in general?
I think a greater question is why Cloidflare DOH was filtered over Google DOH
So if you aren't using DOH you can access https://1.1.1.1/help on that same network?
I am using DOH. I am using googles DOH server. The librayr is filtering only cloudflare DOH.
the configuration network.trr.mode=3 ensures only DOH is being used.