DNS over https using

When I use https://mozilla.cloudflare-dns.com/dns-query in firefox the reverse of mozilla.cloud-dns-query is but does not resolve any values when activated. if I replace mozilla.cloudflare-dns.com with it works.

Why does not work in firefox when it is the default?

I am using Firefox and would like to know why using the IP address works for Firefox instead of the default domain “https://mozilla.cloudflare-dns.com/dns-query”, which does not work. The domain mozilla.cloudflare-dns.com which resolves to IP and do not work even if I make the domain “”.

I use Firefox and the default setting is “https://mozilla.Cloudflare-dns.com/dns-query” or should I use “

Use It will save you a lookup.

I agree, sdayman, but when I resolve “mozilla.cloudflare-dns.com” it resolves to, and but does not work with DOH.

Any ideas

The below paste is with the default firefox setting

Interestingly enough, my traceroute to and are the same.

But I can confirm that I have the same problem if I use that Mozilla URL. The only way I can get that to work is by setting network.trr.bootstrapAddress to, which is kind of cheating.

I’m going to give @cs-cf a shout out. He :heart: DNS.

Thanks for the confirmation. That means the Firefox default configuration will never work.

What problem are you having with https://mozilla.cloudflare-dns.com/dns-query?

The 5th post shows what happens from That’s what I got too: and reachable, but I get No/No/No for the first three tests.

Just to confirm. Anyone using Firefox default DOH value will not work?

I’ll test some stuff out tomorrow, but I would guess the DoH nginx configuration on Cloudflare’s side is along the lines of

server_name Cloudflare-dns.com mozilla.cloudflare-dns.com;

This means if you try to hit the non-dedicated IP without SNI (and/or the Host header) the nginx-like frontend won’t know you’re trying to access the DoH configuration/server block. FF’s DoH client should correctly handle this but I can’t check until tomorrow.

Firefox seems to work fine if properly configured. I tested configuring Firefox to each of https://Cloudflare-dns.com/dns-query, https://mozilla.Cloudflare-dns.com/dns-query, and, each of which was successful. fails (as it should).

By successful, I mean that I loaded a unique domain, then checked about:networking to make sure that the DNS record has status trr=true.

I also tested setting an invalid URL https://example.com/dns-query and Firefox is now unable to browse at all. Since I have network.trr.mode set to 3 (Only use TRR), this is expected behaviour and confirms that I am actually using the configured server and Firefox isn’t failing over to another DNS resolution method.

Finally, we can confirm everything is working as expected using curl. First we will construct a proper query:

[~]curl -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query?name=cloudflare.com^&type=A
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 1}],"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "198.41.214.162"},{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": ""}]}

Now we will do the same thing, but force the connection to (still using cloudflare-dns.com in the actual request):

[~]curl --connect-to Cloudflare-dns.com:443: -H "accept: application/dns-json" https://Cloudflare-dns.com/dns-query?name=cloudflare.com^&type=A
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 1}],"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 311, "data": "198.41.214.162"},{"name": "cloudflare.com.", "type": 1, "TTL": 311, "data": ""}]}

Next we will do the same with an IP that does not host a Cloudflare DNS service to understand what a failure should look like. This should fail, and it does:

[~]curl --connect-to cloudflare-dns.com:443: -H "accept: application/dns-json" https://cloudflare-dns.com/dns-query?name=cloudflare.com^&type=A
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

And finally we will try and see that it too fails.

[~]curl -H "accept: application/dns-json"^&type=A
curl: (35) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.

Since the service behaves as one would expect using curl, and Firefox behaves the same, as far as I can see everything seems to work here even if an ISP tampers with / directly.

I repeated the same using the mozilla.cloudflare-dns.com address with the same results but I don’t see any need to paste it here as the results are exactly the same.


The domain cloudflare-dns.com resolves to or this is the default for firefox. I already know that and works.

Why does not work if that is the default DOH firefox uses. I have network.trr.mode=3 (use only DOH through firefox)

Because is not what Firefox uses for DOH by default, Firefox uses https://mozilla.cloudflare-dns.com/dns-query.

To expand on @thedaveCA, this is because of the SNI/Host header. When Firefox hits the full mozilla.Cloudflare-dns.com hostname, it sends that hostname in the SNI and Host header. This is how the CF server itself recognizes what website you’re trying to access.

As for why the DNS is set to this random 104 address, it’s likely in order to maximize compatibility. 1^4 and are notorious for having routing issues due to ISPs adding suboptimal “hotfixes” to their routers or IX’s in order to allow them to be reached, so using the same CF IP address that other business and enterprise customers use will likely have little to no issues with routing.

The only actual issue is that your computer does its own DNS lookup for mozilla.Cloudflare-dns.com before performing DoH, which can add extra lookup time if the default resolver is slow. That’s why it can be faster to preset 1^4 or in your config page.

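A Python equivalent of the curl checks in the earlier post and of the SNI/Host point made just above, added here as an example rather than code from the thread. The sample response is constructed in the dns-json shape the curl output shows (the second address is a 192.0.2.1 placeholder, since the page does not reproduce it); `doh_query` is the networked part and is only run if you uncomment it.

```python
import http.client
import json
import socket
import ssl

# Constructed sample in the dns-json shape shown by the curl output; the second
# address is a placeholder (192.0.2.1) because the page does not show the real one.
SAMPLE_RESPONSE = (
    '{"Status": 0,"TC": false,"RD": true,"RA": true,"AD": true,"CD": false,'
    '"Question":[{"name": "cloudflare.com.", "type": 1}],'
    '"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "198.41.214.162"},'
    '{"name": "cloudflare.com.", "type": 1, "TTL": 402, "data": "192.0.2.1"}]}'
)


def parse_dns_json(body, want_type=1):
    """Return the data fields of answers with the requested type (1 = A).
    Status 0 is NOERROR; any other Status (3 = NXDOMAIN, 2 = SERVFAIL) yields []."""
    doc = json.loads(body)
    if doc.get("Status") != 0:
        return []
    return [a["data"] for a in doc.get("Answer", []) if a.get("type") == want_type]


def doh_query(name, rtype="A", host="cloudflare-dns.com", connect_ip=None, timeout=5.0):
    """GET https://{host}/dns-query?name=...&type=... with Accept: application/dns-json.

    connect_ip reproduces curl --connect-to: TCP goes to that IP, but the TLS SNI and
    the Host header still carry `host`, so the frontend can select the DoH server
    block and present a certificate that verifies. Passing an IP as `host` instead
    is the failing case in the thread: ssl raises a certificate/hostname error."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as curl does
    conn = http.client.HTTPSConnection(connect_ip or host, 443, timeout=timeout, context=ctx)
    if connect_ip:
        raw = socket.create_connection((connect_ip, 443), timeout=timeout)
        conn.sock = ctx.wrap_socket(raw, server_hostname=host)  # SNI = host, not the IP
    conn.request("GET", f"/dns-query?name={name}&type={rtype}",
                 headers={"Host": host, "Accept": "application/dns-json"})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"DoH endpoint returned HTTP {resp.status}: {body[:200]}")
    return body


if __name__ == "__main__":
    # Offline: parse the constructed sample. Online: uncomment to query the real endpoint.
    print(parse_dns_json(SAMPLE_RESPONSE))  # -> ['198.41.214.162', '192.0.2.1']
    # print(parse_dns_json(doh_query("cloudflare.com")))
    # print(parse_dns_json(doh_query("cloudflare.com", host="mozilla.cloudflare-dns.com")))
```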

After placing this issue on the forum the domain name mozilla.cloudflare-dns started to resolve. It had not done this at any point a couple of months before when I started trying DNS over HTTPS.

Did anything change?

Mine still isn’t working with the default value.

What do you think is causing the failure to resolve Firefox default DOH?
