Firefox DoH and IPFire blocked DNS ports

Hi,

Since Firefox is starting to switch on DoH in its browser (https://www.theverge.com/2020/2/25/21152335/mozilla-firefox-dns-over-https-web-privacy-security-encryption),
I would like to know if this somehow affects my current IPFire installation.

I’ve set up DHCP to distribute IPFire’s IP address as the DNS server. Additionally, I’ve set up a custom firewall (not in the GUI) to redirect all DNS requests to ports 53 and 853 directly to IPFire. Basically this prevents DNS spoofing, at least it should, and it should force IPFire as the primary and only DNS server. Tests with Windows clients showed that this works as expected, so far.

Now, when Firefox turns on DoH, do you expect my setup will still work? I guess so, but I’m not sure at all. What do you think?

Michael

Good question.

I suppose that you will have to find out which servers Firefox contacts and block those IP addresses. You will simply see traffic on port 443. It is standard HTTPS. Blocking it will be hard.

The best option is disabling this in Firefox.

For now there is a special domain that Firefox consults using traditional DNS to know if it should use DoH or not on a network. See https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

Note that this is not guaranteed to work forever: if ISPs start blocking this domain it is very likely that Firefox will stop using it altogether.

Hi all,
According to the marriage of Firefox with Cloudflare, this article --> https://ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/ is somehow interesting, I think.

Firefox here has the following configured under ‘network.trr.resolvers’:
[{ "name": "Cloudflare", "url": "https://mozilla.cloudflare-dns.com/dns-query" },{ "name": "NextDNS", "url": "https://trr.dns.nextdns.io/" }]
To disable DoH, you can set the value ‘5’ for ‘network.trr.mode’.

Another thing in FF which left me speechless was an activated ‘WebRTC’ after an update, which spreads the local IP throughout the internet (I should better read every changelog :cold_face: ) --> https://forum.ipfire.org/viewtopic.php?f=27&t=23416.

Best,

Erik

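Tying together the canary domain from the earlier reply and the two DoH endpoints listed in ‘network.trr.resolvers’ above: an added example (not from this thread or from IPFire) that runs over constructed resolver query-log lines in unbound’s log-queries style and reports, per client, whether it checked the canary and whether it still looked up a DoH endpoint. The log format and client addresses are assumptions for the sample.

```python
import re
from collections import defaultdict

# DoH endpoints taken from the network.trr.resolvers value quoted in the thread.
DOH_HOSTS = {"mozilla.cloudflare-dns.com", "trr.dns.nextdns.io"}
# Canary domain Firefox resolves over classic DNS before turning on DoH.
CANARY = "use-application-dns.net"

# Constructed sample (assumed unbound "log-queries" style: client qname qtype class).
SAMPLE_LOG = """\
info: 192.168.1.10 use-application-dns.net. A IN
info: 192.168.1.10 example.org. A IN
info: 192.168.1.21 use-application-dns.net. A IN
info: 192.168.1.21 mozilla.cloudflare-dns.com. A IN
info: 192.168.1.21 mozilla.cloudflare-dns.com. AAAA IN
info: 192.168.1.33 trr.dns.nextdns.io. A IN
"""

LINE_RE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+?)\.? (?P<qtype>\S+) IN$")


def parse_queries(text):
    """Yield (client, qname) from query-log lines; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            yield m.group("client"), m.group("qname").lower()


def doh_report(text):
    """Per client: did it check the canary, and which DoH endpoints did it resolve?"""
    report = defaultdict(lambda: {"canary": False, "doh_hosts": set()})
    for client, qname in parse_queries(text):
        if qname == CANARY:
            report[client]["canary"] = True
        elif qname in DOH_HOSTS:
            report[client]["doh_hosts"].add(qname)
    return dict(report)


def doh_clients(text):
    """Clients that resolved a DoH endpoint. If the local resolver already answers the
    canary with NXDOMAIN, these clients have DoH switched on explicitly, so only a
    client-side setting (network.trr.mode = 5) or blocking the endpoints will stop it."""
    return sorted(c for c, r in doh_report(text).items() if r["doh_hosts"])
```

In the sample, 192.168.1.10 checks the canary and never touches a DoH host, while 192.168.1.21 and 192.168.1.33 resolve a DoH endpoint regardless, which is the case the canary alone cannot cover.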

Well, I think we should consider that IPFire always blocks this, because clearly people who run IPFire probably want to use the resolver inside it and not DoH.


That’s my understanding or wish, too.


I sent an email to the dev list: https://lists.ipfire.org/pipermail/development/2020-March/007135.html

Let’s see if anybody objects. It would be dirty.

What do you mean by “dirty”?
Doing DNS while bypassing the rules defined in the network FF is running in is dirty.


@bbitsch,
Guess you are talking about Firefox bypassing the DNS, right? If so, full acknowledge!
The admin should have control over what happens in their LAN, and not any 3rd-party software.

Unfortunately, I can only manually set up FF to not use this new “feature” by setting “network.trr.mode” to value=5, as Erik already suggested. There is no GPO (Group Policy) right now to configure each FF installation remotely.

I’ve already sent a request for this to happen to the developers in Github https://github.com/mozilla/policy-templates/issues/543


The best way is to force the user to use a proxy (not transparent). In this case the proxy does the DNS resolving and not Firefox.
I think this is the reason why corporate networks don’t really care about this yet.