How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Jason Healy jason at
Mon Sep 9 22:09:49 MDT 2019

For those that use pihole for DNS level filtering, there was a pull 
request merged 2 days ago to return an NXDOMAIN for this request.

On 2019-09-09 20:55, Andy Bradford wrote:
> Thus said Michael Torrie on Mon, 09 Sep 2019 20:45:54 -0600:
>> I'm  pretty sure  that  if Firefox  is  trying DoH  and  it fails  for
>> whatever reason, it will fall back  to normal DNS. On Slashdot several
>> folk talked about blocking the cloudfare dns servers' IP addresses.
> Yes, according  to their wiki,  it will  blacklist domains that  fail to
> resolve via DoH for a period of time and use normal DNS resolver.
>> Currently they are getting a lot of flack over this move to enable DoH
>> by default, so we'll  have to see if they bow  to pressure and reverse
>> this.
> I've already changed network.trr.mode to 5 on all of my Firefox profiles
> that I can at the moment.
> There's one  question I have... in  the network.trr.confirmationNS there
> is wonder if I need to block this as well:
> Of course, these are the current defaults  and I wonder if I don't alter
> the defaults  if Mozilla  will assume  that it's  alright to  modify the
> default and thus undo any blocking I might have made.
> Andy

More information about the PLUG mailing list