FireFox DNS over HTTPS Causes Leak

[deleted]

I just wanted to share a funny with everyone and hopefully save someone out there some time...

I've spent the last three hours pulling out every hair on my head (and soon after other places) because suddenly my DNS is leaking with VPN use. I use Surfshark with OpenVPN and have had no problems prior. I also use Cloudflare DNS (with PiHole as a DNS sink for ads/telemetry) and suddenly decided to check my VPN for any leaks only to notice my actual DNS servers. I went through everything I could possibly think of from bypassing my PiHole, swapping to my ISP's DNS, and other things just short of nuking my laptop. Even after swapping DNS servers to anything but Cloudflare Firefox always leaked Cloudflare DNS servers. Finally I decided to dance with the devil and install Chrome only to notice no leaks! Apparently Firefox now uses DNS over HTTPS for some users. This in itself is a very sane setting for speed and to respect privacy, but for FF users employing a VPN it causes leaks because it bypasses the system (and thus VPN) DNS settings.

TLDR

If you've updated FireFox and suddenly have DNS leaks over VPN, it's because FireFox has enabled DNS over HTTPS for some users. Open Preferences, scroll down to Network Settings, scroll down to DNS over HTTPS and turn it off to resolve. Or leave it on if you like Cloudflare DNS and don't use a VPN.

brent

I also think using alphabet is dancing with the devil and I uninstalled Chrome this afternoon. (Oh day of irony--you installed it.) This is an unpopular opinion but you make me feel not crazy.
Of course it performed for you. It gave me one day of what I've needed then stopped.
I'm work-fried and have re-read you so forgive me if I didn't get it all---two questions:
1) did the adjusted FF settings cause you to go back to FF?
2) do you trust your leak auditor? did you get a second opinion? I've always been mindful of this quote: "a man with one watch always knows what time it is; a man with two watches is never sure."

[deleted]

brent

You're not alone, I try to balance common sense privacy settings with convenience and if I have to choose I err on the side of privacy. I'll admit to Gmail and Google Maps (unfortunately this is a requirement for my work) but I've turned off all the long-term retention/personalization and periodically request a copy of my data/deletion since it's technically a personal account. I'm not afraid to use chrome but I'd change all the privacy settings if I did.

I love my FF so I never intended to switch, I only installed Chrome for testing.

I used 4 services to audit and they all came up identical so I'm reasonably sure at this point that it's fixed.

brent

[deleted] I can't amend or add to your brilliant response. You have to do what'scomfortable and what work-acceptable, and what you can sleep with.
The cynic in me thinks they will always win and beat you. Your advertising/personal dossier is...it is what it is to parties unknown and nefarious. A cookie watch website says 67%--yes 67% I did not get that wrong---percent of cookies are "undetermined origin". Good times🙂