DNS over HTTPS using https://104.16.249.249/dns-query

#1

When I use https://mozilla.cloudflare-dns.com/dns-query in Firefox, the reverse of mozilla.cloudflare-dns.com is 104.16.249.249, but it does not resolve any values when activated. If I replace mozilla.cloudflare-dns.com with 1.1.1.1 it works.

Why does 104.16.249.249 not work in Firefox when it is the default?

#2

I am using Firefox and would like to know why https://1.0.0.1/dns-query, using the IP address 1.0.0.1, works for Firefox, while the default domain “https://mozilla.cloudflare-dns.com/dns-query” does not work. The domain mozilla.cloudflare-dns.com, which resolves to the IPs 104.16.248.249 and 104.16.249.249, does not work even if I make the URL “https://104.16.248.249/dns-query”.

#3

I use Firefox and the default setting is “https://mozilla.cloudflare-dns.com/dns-query”. Or should I use “https://1.1.1.1/dns-query”?

#4

Use 1.1.1.1. It will save you a lookup.

#5

I agree, sdayman, but when I resolve “mozilla.cloudflare-dns.com” it resolves to 104.16.249.249 and 104.16.248.249, and does not work with DoH.

Any ideas?

The paste below is with the default Firefox setting.

#6

Interestingly enough, my traceroute to 1.1.1.1 and 104.16.248.249 are the same.

But I can confirm that I have the same problem if I use that Mozilla URL. The only way I can get that to work is by setting network.trr.bootstrapAddress to 1.1.1.1, which is kind of cheating.

I’m going to give @cscharff a shout out. He ♥ DNS.

#7

Thanks for the confirmation. That means the Firefox default configuration will never work.

#8

What problem are you having with https://mozilla.cloudflare-dns.com/dns-query?

#9

The 5th post shows what happens from 1.1.1.1/help. That’s what I got too:
1.1.1.1 and 1.0.0.1 reachable, but I get No/No/No for the first three tests.

#10

Just to confirm: for anyone using the Firefox default DoH value, it will not work?

#11

I’ll test some stuff out tomorrow, but I would guess the DoH nginx configuration on Cloudflare’s side is along the lines of

server_name 1.1.1.1 1.0.0.1 cloudflare-dns.com mozilla.cloudflare-dns.com;

This means if you try to hit the non-dedicated IP without SNI (and/or the Host header), the nginx-like frontend won’t know you’re trying to access the DoH configuration/server block. FF’s DoH client should correctly handle this, but I can’t check until tomorrow.

#12

Firefox seems to work fine if properly configured. I tested configuring Firefox to each of https://cloudflare-dns.com/dns-query, https://mozilla.cloudflare-dns.com/dns-query, and https://1.1.1.1/dns-query, each of which was successful. https://104.16.248.249/dns-query fails (as it should).

By successful, I mean that I loaded a unique domain, then checked about:networking to make sure that the DNS record has status trr=true.

I also tested setting an invalid URL https://example.com/dns-query and Firefox is now unable to browse at all. Since I have network.trr.mode set to 3 (Only use TRR), this is expected behaviour and confirms that I am actually using the configured server and Firefox isn’t failing over to another DNS resolution method.

Finally, we can confirm everything is working as expected using curl. First we will construct a proper query:

[~]curl -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query?name=cloudflare.com^&type=A
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 1}],"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "198.41.214.162"},{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "198.41.215.162"}]}

Now we will do the same thing, but force the connection to 104.16.249.249 (still using cloudflare-dns.com in the actual request):

[~]curl --connect-to cloudflare-dns.com:443:104.16.249.249:443 -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query?name=cloudflare.com^&type=A
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 1}],"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 311, "data": "198.41.214.162"},{"name": "cloudflare.com.", "type": 1, "TTL": 311, "data": "198.41.215.162"}]}

Next we will do the same with an IP that does not host a Cloudflare DNS service to understand what a failure should look like. This should fail, and it does:

[~]curl --connect-to cloudflare-dns.com:443:172.24.10.1:443 -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query?name=cloudflare.com^&type=A
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

And finally we will try https://104.16.249.249 and see that it too fails.

[~]curl -H "accept: application/dns-json" https://104.16.249.249/dns-query?name=cloudflare.com^&type=A
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

Since the service behaves as one would expect using curl, and Firefox behaves the same, as far as I can see everything seems to work here even if an ISP tampers with 1.1.1.1 / 1.0.0.1 directly.

I repeated the same using the mozilla.cloudflare-dns.com address with the same results, but I don’t see any need to paste it here as the results are exactly the same.

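An added example, not code from any poster in this thread or from Cloudflare or Mozilla: Python that builds an RFC 8484 DoH query in the GET form (the base64url dns= parameter), parses a wire-format response including compressed names, and pulls A records out of an application/dns-json body of the shape the curl commands above return. The sample response bytes and JSON are constructed by hand to match the thread's answers for cloudflare.com, so it runs offline; the URL it produces for www.example.com can be compared with the example in RFC 8484 section 4.1.1. The SNI point from the curl tests still applies when these messages are actually sent: the HTTPS client has to present cloudflare-dns.com (or whichever host you configured) in SNI, which is why a bare IP in the URL fails the certificate check.

```python
"""Offline helpers for DNS-over-HTTPS (RFC 8484) messages.

Added example for this thread, not code from any poster or from Cloudflare/Mozilla.
All sample inputs are constructed by hand so nothing here touches the network.
"""
from __future__ import annotations

import base64
import json
import struct

TYPE_A = 1


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Wire-format DNS query with RD=1. RFC 8484 recommends ID 0 so that
    identical queries produce identical URLs and can be HTTP-cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        qname += struct.pack("!B", len(raw)) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base: str, name: str, qtype: int = TYPE_A) -> str:
    """RFC 8484 GET form: base64url of the wire query, '=' padding stripped."""
    dns = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{base}?dns={dns.decode('ascii')}"


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            if not jumped:
                end = off + 2  # the pointer ends this name in the stream
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections into the same shape the
    application/dns-json API uses (Status, TC, Question, Answer)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    off, question, answer = 12, [], []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question.append({"name": qname, "type": qtype})
    for _ in range(an):
        rname, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answer.append({"name": rname, "type": rtype, "TTL": ttl, "data": data})
    return {"Status": flags & 0x000F, "TC": bool(flags & 0x0200),
            "Question": question, "Answer": answer}


def a_records_from_json(body: str) -> list[str]:
    """A records from an application/dns-json body. A non-zero Status is an
    RCODE error and must not be mistaken for an empty answer."""
    doc = json.loads(body)
    if doc.get("Status") != 0:
        raise ValueError(f"resolver returned RCODE {doc.get('Status')}")
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == TYPE_A]


def constructed_response() -> bytes:
    """Constructed (not captured) wire response: cloudflare.com A with two
    addresses, answer names compressed to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)  # QR=1 RD=1 RA=1 RCODE=0
    question = build_query("cloudflare.com")[12:]

    def rr(ip: str) -> bytes:
        return (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 402, 4)
                + bytes(int(o) for o in ip.split(".")))

    return header + question + rr("198.41.214.162") + rr("198.41.215.162")


# Constructed JSON body in the shape of the thread's curl output.
SAMPLE_JSON = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "cloudflare.com.", "type": 1}],
    "Answer": [{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "198.41.214.162"},
               {"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "198.41.215.162"}]})

if __name__ == "__main__":
    print(doh_get_url("https://cloudflare-dns.com/dns-query", "www.example.com"))
    print(parse_response(constructed_response()))
    print(a_records_from_json(SAMPLE_JSON))
```

The wire path (doh_get_url plus parse_response) is what Firefox's TRR client speaks; the JSON path is the application/dns-json convenience API the curl commands use. Both need the resolver's hostname in SNI on the TLS connection, so a client that only has an IP must still pass the hostname for TLS, as curl's --connect-to does above.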
#13

The domain cloudflare-dns.com resolves to 104.16.248.249 or 104.16.249.249; this is the default for Firefox. I already know that 1.1.1.1 and 1.0.0.1 work.

Why does https://104.16.248.249/dns-query not work if that is the default DoH Firefox uses? I have network.trr.mode=3 (use only DoH through Firefox).

#14

Because https://104.16.248.249/dns-query is not what Firefox uses for DoH by default; Firefox uses https://mozilla.cloudflare-dns.com/dns-query.

#15

To expand on @thedaveCA, this is because of the SNI/Host header. When Firefox hits the full mozilla.cloudflare-dns.com hostname, it sends that hostname in the SNI and Host header. This is how the CF server itself recognizes what website you’re trying to access.

As for why the DNS is set to this random 104 address, it’s likely in order to maximize compatibility. 1.1.1.1 and 1.0.0.1 are notorious for having routing issues due to ISPs adding suboptimal “hotfixes” to their routers or IXs in order to allow them to be reached, so using the same CF IP address that other business and enterprise customers use will likely have little to no issues with routing.

The only actual issue is that your computer does its own DNS lookup for mozilla.cloudflare-dns.com before performing DoH, which can add extra lookup time if the default resolver is slow. That’s why it can be faster to preset 1.1.1.1 or 1.0.0.1 in your config page.

#16

After placing this issue on the forum, the domain name mozilla.cloudflare-dns.com started to resolve. It had not done this at any point a couple of months before, when I started trying DNS over HTTPS.

Did anything change?

#17

Mine still isn’t working with the default value.

#18

What do you think is causing the failure to resolve the Firefox default DoH?
