Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

DOH potential security risk message

more options

When trying DNS over https in in a neetwork that uses googles DNS 8.8.8.8 and 8.8.4.4 I configured FF as follows set network.trr.mode=3 set network.trr.bootstarpaddress=8.8.8.8 set network.trr.uri=https://dns.google/dns-query

Then I went to https://1.1.1.1/help knowing full well that I am use googles DOH and not cloudflare expecting cloudflare web site to tell me I am not using there services with results being all negative.

Instead FF reported that "Warning potential security problem ahead". See enclosed If I am using Googles DOH values and I go to a cloudgflare site why would FF flag the site as a security risk? Keeping in mind FF appears to be working for other sites in the DOH configuration for Google with no visible problems.

When trying DNS over https in in a neetwork that uses googles DNS 8.8.8.8 and 8.8.4.4 I configured FF as follows set network.trr.mode=3 set network.trr.bootstarpaddress=8.8.8.8 set network.trr.uri=https://dns.google/dns-query Then I went to https://1.1.1.1/help knowing full well that I am use googles DOH and not cloudflare expecting cloudflare web site to tell me I am not using there services with results being all negative. Instead FF reported that "Warning potential security problem ahead". See enclosed If I am using Googles DOH values and I go to a cloudgflare site why would FF flag the site as a security risk? Keeping in mind FF appears to be working for other sites in the DOH configuration for Google with no visible problems.
Capturas de pantalla anexas

Chosen solution

The network is a library in Canada, Toronto area. I didn't believe that the library would filter a specific 1.1.1.1 address and not other DOH sites. But It appears that is the case because I tried another device on that network and then I tried it on another public network and it worked.

I will have to put this question to the Library as to why the filter? Not that I expect an answer

Ler a resposta no contexto 👍 0

All Replies (15)

more options

Can you click the Advanced button for more information about why the certificate verification failed?

more options

1.1.1.1 would normally redirect you to a server in your vicinity using anycast, so there might be a domain mismatch for the certificate after the redirect.

more options

The certificate failed because it was not HTTPs so the connection was not secure. But strangely I was not able to connect using CloudFlare DOh value only with Googles DOH value shown in this web site "https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers"

more options

Those settings are working:

about:config?filter=network.trr

network.trr.bootstrapAddress > 8.8.8.8 network.trr.confirmationNS > dns.google network.trr.credentials > dns.google network.trr.disable-ECS > false network.trr.early-AAAA > true network.trr.mode > 3 network.trr.uri > https://dns.google.com/experimental

after set, restart firefox and enjoy :)

more options

I have already stated the settings I used. I have already stated that google DOH worked.

Why does cloudflare the default used by FF not work?

more options

again, please click on advanced on the error page to see what's the error code and possibly inspect the failing certificate...

more options

You dont seem to understand. No certificate was obtained as shown in my enclosure.

Why would cloudflare site be blocked and not google? Why is it I could not get through to cloudflare when google DOH was working?

more options

Hi Mace2, on the error page, there is an Advanced button -- the gray one next to the large blue one. That Advanced button opens a panel with more technical information about the problem. I don't think you can diagnose the issue without that.

more options

Enclosed is the advance tab. Keep in mind the google DOH values are set and work. But the cloudflare web site 1.1.1.1/help did not work

more options

I'm looking at the domains of the certificate provided to Firefox in your screenshot and I wonder whether your service provider may not permit IP address URLs, or at least this one. Otherwise, why would that certificate be showing up?

more options

Chosen Solution

The network is a library in Canada, Toronto area. I didn't believe that the library would filter a specific 1.1.1.1 address and not other DOH sites. But It appears that is the case because I tried another device on that network and then I tried it on another public network and it worked.

I will have to put this question to the Library as to why the filter? Not that I expect an answer

more options

Do you think they filter 1.1.1.1 in particular, or filter IP address URLs in general?

more options

I think a greater question is why Cloidflare DOH was filtered over Google DOH

more options

So if you aren't using DOH you can access https://1.1.1.1/help on that same network?

more options

I am using DOH. I am using googles DOH server. The librayr is filtering only cloudflare DOH.

the configuration network.trr.mode=3 ensures only DOH is being used.