Starting today, Mozilla has begun to enable DNS-over-HTTPS (DoH) by default for users in the USA to provide encrypted DNS resolution and increased privacy.

DNS-over-HTTPS is a new standard that allows web browsers to perform DNS resolution over encrypted HTTPS connections rather than through normal plain text DNS lookups.

As some countries and ISPs block sites or censor content by monitoring DNS traffic, DoH will allow users to bypass these blocks and increase the privacy of their DNS requests.

Mozilla has stated that this will be a gradual rollout of the DoH feature, proceeding slowly over the next few weeks to make sure there are no issues with the implementation as more people begin to use it.

"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users," Mozilla stated in an announcement.

When enabled, Firefox will use the Cloudflare DNS provider by default, but users can switch to NextDNS or a custom provider by going into the Firefox network options.

Mozilla's DoH plans have been met with criticism

When Mozilla's plans were first announced, they were met with criticism as Cloudflare was the only DoH provider being used by Firefox.

This caused security researchers, privacy advocates, and admins to become concerned that so much user data would now be in the hands of a single DNS provider.

Admins were also concerned that Firefox would overrule DNS policies and security precautions put in place by system administrators by forcing DNS through Cloudflare.

To address these concerns, users can use a custom DoH provider or disable DoH entirely.

In Firefox 73, Mozilla also added NextDNS as an additional DoH provider to give users more choice.

Checking if DoH is enabled in Firefox

With this rollout, it can be confusing to determine whether DoH is enabled, because the feature is turned on through a system addon that manually changes about:config preferences.

To see if the DoH Roll-Out system addon is installed, you can enter about:support in the Firefox address bar and scroll down to the list of 'Firefox Features'.

If you see 'DoH Roll-Out' listed, then DNS-over-HTTPS has been rolled out to your browser and enabled by default.

Alternatively, you can check if DoH is enabled by going into about:config, accepting the risks, and searching for 'network.trr.mode'.

If DNS-over-HTTPS is enabled by this rollout, you will see network.trr.mode set to '2'.

Due to the confusion caused by rolling out this feature via a system addon, Mozilla plans to eventually integrate it directly into Firefox.
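
For admins who want to run the network.trr.mode check described above across many machines, the following is an added example, not code from Mozilla or from this article. It assumes the value is recorded as a user_pref line in a profile's prefs.js; the function names, the sample file and the resolver URL are constructed, and the meanings of modes other than 2, along with the network.trr.uri preference, come from Mozilla's TRR documentation rather than from this page.

```python
import re

# Mode meanings per Mozilla's TRR documentation; the article only mentions 2.
TRR_MODES = {
    0: "off (browser default)",
    2: "DoH first, fall back to the system resolver",
    3: "DoH only, no fallback",
    5: "off by explicit choice",
}

# prefs.js stores one preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("(network\.trr\.[\w.-]+)",\s*(.+?)\);\s*$')

# Constructed sample; the resolver URL is a placeholder, not a real provider.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.net/dns-query");
'''


def parse_trr_prefs(prefs_text):
    """Return {name: value} for every network.trr.* line in prefs.js text."""
    prefs = {}
    for line in prefs_text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue
        name, raw = match.group(1), match.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]          # string preference
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"      # boolean preference
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)           # integer preference
    return prefs


def doh_status(prefs_text):
    """Summarise the DoH state recorded in a profile's prefs.js."""
    prefs = parse_trr_prefs(prefs_text)
    mode = prefs.get("network.trr.mode")     # None: not recorded in prefs.js
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "not set or reserved value"),
        "doh_active": mode in (2, 3),
        "resolver": prefs.get("network.trr.uri"),
    }
```

To audit a real profile, pass the contents of its prefs.js to doh_status(); a mode of None means the file does not record the preference, so the browser's built-in default applies.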