Making Firefox DNS more secure and private

Enable Encrypted SNI (ESNI) for Firefox.

Server Name Indication (SNI) is an extension to the TLS protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshake. This allows a server to present multiple certificates on the same IP address and TCP port, and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served from the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent of HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted, so an eavesdropper on the path can see which site is being requested even though the rest of the session is protected. (from Wikipedia) Cloudflare and Mozilla worked together on a draft ESNI extension that encrypts the SNI field under a public key the site publishes in DNS, so the hostname is hidden from on-path observers; details here: https://blog.cloudflare.com/esni/ . Note that the ESNI draft was later superseded by Encrypted Client Hello (ECH); the preference below refers to the ESNI implementation Firefox shipped at the time of writing.


Enable Trusted Recursive Resolver (trr.mode) for Firefox.

Firefox provides an optional resolver mechanism, the Trusted Recursive Resolver (TRR), that sends DNS queries to a dedicated DNS-over-HTTPS server instead of the operating system's resolver. DNS-over-HTTPS (DoH) carries DNS queries inside an HTTPS connection, so on-path observers between the browser and the resolver can neither read nor tamper with them (the DoH resolver itself still sees every query, so pick one whose privacy policy you accept). Mozilla also cites improved performance over the native path. More information here: https://wiki.mozilla.org/Trusted_Recursive_Resolver

How to enable these settings on Firefox.

Open about:config and set the following preferences:

set network.trr.mode to 2 (DoH first, falling back to the native resolver if the DoH lookup fails; set 3 instead if you want DoH only with no plaintext fallback)

set network.security.esni.enabled to true (ESNI requires TRR to be on, because Firefox fetches the site's ESNI key record through the DoH resolver)
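The two preferences above can also be written into the profile's user.js file instead of being clicked through about:config. The script below is an added example, not code from the original post or from Mozilla: it parses Firefox's `user_pref("name", value);` syntax, grades a profile's resolver settings against the goal of the post (DoH on, ESNI on, and whether a failed DoH lookup can silently fall back to plaintext DNS), and renders a user.js fragment for either the post's setting (mode 2) or the strict variant (mode 3). The mode meanings and the default Cloudflare endpoint are Firefox's documented values; the sample prefs.js excerpt is constructed for the example.

```python
"""Audit and render Firefox DNS-privacy prefs (network.trr.* and ESNI).

Added example, not part of the original post. Firefox reads lines of the form
    user_pref("name", value);
from <profile>/user.js; this parses that syntax, audits it, and emits a hardened copy.
"""
import re

# Meaning of network.trr.mode values, from the Mozilla TRR wiki page.
TRR_MODES = {
    0: "off, native (plaintext) DNS only (Firefox default at the time)",
    1: "race native DNS and DoH, first answer wins",
    2: "DoH first, silently falls back to native DNS if DoH fails",
    3: "DoH only, no native fallback (strict)",
    5: "off by user choice",
}

# Firefox's built-in default DoH endpoint (Cloudflare) used when network.trr.uri is unset.
DEFAULT_TRR_URI = "https://mozilla.cloudflare-dns.com/dns-query"

# One user_pref line: the value is a double-quoted string, a bool, or an integer.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user.js / prefs.js text into {pref_name: typed_value}."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                      # comment, blank line, or unrelated syntax
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs):
    """Grade the resolver/ESNI prefs. Returns (findings, passed)."""
    findings = []
    mode = prefs.get("network.trr.mode", 0)
    uri = prefs.get("network.trr.uri", DEFAULT_TRR_URI)
    esni = prefs.get("network.security.esni.enabled", False)
    findings.append(f"trr.mode={mode}: {TRR_MODES.get(mode, 'unknown value')}")
    doh = mode in (2, 3)
    if not doh:
        findings.append("FAIL: DNS queries leave the host as plaintext UDP/53")
    elif mode == 2:
        findings.append("WARN: mode 2 falls back to plaintext DNS when DoH fails; "
                        "set mode 3 if you want that to be an error instead")
    if doh and not uri.startswith("https://"):
        findings.append(f"FAIL: network.trr.uri is not an https:// URL: {uri}")
    if esni and not doh:
        # Firefox looks up the site's ESNI key record through TRR, so ESNI needs DoH on.
        findings.append("FAIL: ESNI enabled but TRR off; ESNI keys are looked up over DoH")
    elif not esni:
        findings.append("WARN: ESNI disabled; the hostname in SNI is sent in cleartext")
    passed = not any(f.startswith("FAIL") for f in findings)
    return findings, passed


def render_user_js(strict=False):
    """Emit user.js lines enabling DoH and ESNI; strict=True removes the native fallback."""
    mode = 3 if strict else 2
    return "\n".join([
        "// Firefox DNS privacy prefs; drop into <profile>/user.js and restart Firefox",
        f'user_pref("network.trr.mode", {mode});',
        f'user_pref("network.trr.uri", "{DEFAULT_TRR_URI}");',
        'user_pref("network.security.esni.enabled", true);',
        "",
    ])


# Constructed sample: a prefs.js excerpt from a stock profile that never touched DNS settings.
SAMPLE_STOCK_PREFS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1540000000);
user_pref("network.trr.mode", 0);
user_pref("network.security.esni.enabled", false);
"""

if __name__ == "__main__":
    for label, text in (("stock profile", SAMPLE_STOCK_PREFS),
                        ("post's settings", render_user_js()),
                        ("strict", render_user_js(strict=True))):
        findings, passed = audit(parse_prefs(text))
        print(f"[{label}] {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print("   ", f)
```

Running it prints a FAIL for the stock profile, a PASS with a fallback warning for the post's mode 2 setting, and a clean PASS for mode 3. To audit a real profile, read its prefs.js (or user.js) and pass the text to `parse_prefs`; `render_user_js(strict=True)` gives the file to drop into the profile if the plaintext fallback is unacceptable.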

Test your work here when you are done (the page reports whether your browser used secure DNS and encrypted SNI): https://www.cloudflare.com/ssl/encrypted-sni/

Before and after screenshots of the Cloudflare test results (images not included in this copy).
