Enabling DNS over HTTPS (DoH) in Firefox to Avoid ISP DNS Pollution (work in progress)

Get rid of the ad harassment that comes from ISP DNS hijacking.

Update:

  • Updated the ipleak address: www.ipleak.net >>> ipleak.net

Version requirements

Firefox only supports DNS over HTTPS starting from 60.x.

If your version is older, update it yourself.

The current stable release is already 60.x, so just update to the latest.

Quick tutorial

  1. Open your Firefox browser.

  2. Type about:config in the address bar.

  3. Accept the warning that pops up.

  4. In the search bar (Search), search for network.trr.mode.

  5. Change the value of network.trr.mode to 3.

  6. Using the same search method, change the value of network.trr.uri to https://cloudflare-dns.com/dns-query

  7. Using the same search method, change the value of network.trr.bootstrapAddress to 1.1.1.1

  8. Open https://ipleak.net/. If it worked, the DNS servers shown on the page will be 0.

Official English instructions

It is necessary to change three Trusted Recursive Resolver preferences in the browser.

  1. Load about:config in the Firefox address bar.

  2. Confirm that you will be careful if the warning page is displayed.

  3. Search for network.trr.mode and double-click on the name.
    - Set the value to 2 to make DNS over HTTPS the browser's first choice but use regular DNS as a fallback. This is the optimal setting for compatibility.
    - You can set it to 1 to let Firefox pick whichever is faster, 3 for TRR-only mode, or 0 to disable it.

  4. Search for network.trr.uri. Firefox expects a DNS over HTTPS server. Double-click on the name. There are two public ones that you may use:
    https://cloudflare-dns.com/dns-query
    https://dns.google.com/experimental

  5. Search for network.trr.bootstrapAddress and double-click on it.
    Set the value to 1.1.1.1 (if you set Cloudflare)

Related preferences

GitHub English version

Here I'll translate it with my poor English and beginner-level networking knowledge.

Still translating~~~ XD

network.trr.mode

  • Value 0 - default - only use native DNS resolution; the Trusted Recursive Resolver (TRR) is never used under any circumstances.

  • Value 1 — native DNS and TRR resolve the name in parallel, and the first answer to come back is used.

  • Value 2 — resolve with TRR first; native DNS is used as a fallback only when TRR fails.

  • Value 3 — TRR only. After the initial bootstrap, native DNS is never used for resolution.

  • Value 4 — run TRR alongside native DNS resolution for timing and measurement, but only ever use the native DNS answer.

  • Value 5 — same as 0, but the preference is marked as explicitly set; by default it is not marked.

network.trr.uri

  • Default: none

  • Set the URI of your DoH server. Firefox issues an HTTP request to this URL, which must be an HTTPS URL. If useGET is enabled, Firefox appends ?ct&dns=.... to the URI when building the request. With the default POST request, requests are sent to exactly the URI given.

  • Public server addresses:
    https://mozilla.cloudflare-dns.com/dns-query
    https://dns.google.com/experimental

network.trr.credentials

  • Default: none

  • Sets the credentials used in HTTP requests to the DoH endpoint. It is the right-hand side, the value, sent in the Authorization: request header.

network.trr.wait-for-portal

(default: true) set this boolean to true to tell Firefox to wait for captive portal detection to finish before TRR is used. (On Android, this defaults to false since captive portal handling is done outside of Firefox, by the OS itself.)

  • Default: true

  • This boolean tells Firefox whether to wait for captive portal detection to finish before using TRR.

  • On Android the default is false, because captive portal handling is done by the OS, outside of Firefox.

network.trr.allow-rfc1918

(default: false) set this to true to allow RFC 1918 private addresses in TRR responses. When set false, any such response will be considered a wrong response that won’t be used.

  • Default: false

  • Set to true to allow RFC 1918 private addresses in TRR responses.

  • When false, any such response is treated as a wrong answer and is not used.

network.trr.useGET

(default: false) When the browser issues a request to the DOH server to resolve host names, it can do that using POST or GET. By default Firefox will use POST, but by toggling this you can enforce GET to be used instead.

  • Default: false

  • When the browser sends a request to the DoH server to resolve a host name, it can use POST or GET. Firefox uses POST by default, but this preference acts as a switch to use GET instead.

network.trr.confirmationNS

(default: example.com) Firefox will check an NS entry at startup to verify that TRR works to ensure proper configuration. This preference sets which domain to check. The verification only checks for a positive answer, it doesn’t actually care what the response data says. Set this to skip to completely avoid confirmation.

  • Default: example.com

  • At startup, Firefox checks an NS entry to verify that TRR works and is configured correctly. This preference sets which domain is used for the check.

  • The check only looks for a positive answer; it does not care what the response data says. Set this to skip to avoid the confirmation entirely.

network.trr.bootstrapAddress

(default: none) by setting this field to the IP address of the host name used in “network.trr.uri”, you can bypass using the system native resolver for it.

network.trr.blacklist-duration

(default: 1200) is the number of seconds a name will be kept in the TRR blacklist until it expires and then will be tried with TRR again. The default duration is 20 minutes.

Entries are added to the TRR blacklist when the resolve fails with TRR but works with the native resolver, or if the subsequent connection with a TRR-resolved host name fails but works with a retry that is resolved natively. When a host name is added to the TRR blacklist, its domain gets checked in the background to see if the whole domain should be blacklisted, to ensure a smoother ride going forward.

network.trr.request-timeout

(default: 3000) is the number of milliseconds a request to and corresponding response from the DOH server is allowed to take until considered failed and discarded.

network.trr.early-AAAA

(default: false) For each normal name resolve, Firefox issues one HTTP request for A entries and another for AAAA entries. The responses come back separately and can come in any order. If the A records arrive first, Firefox will - as an optimization - continue and use those without waiting for the second response. If the AAAA records arrive first, Firefox will only continue and use them immediately if this option is set to true.
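To make the network.trr.uri, network.trr.useGET, network.trr.allow-rfc1918 and network.trr.request-timeout descriptions above concrete, here is an added example (not from the original post or from Firefox) of a minimal DoH client: it builds the wire-format query Firefox sends, shows the ?ct&dns= GET form the page describes, sends it to the page's Cloudflare URI with a 3-second timeout, and drops RFC 1918 answers the way the allow-rfc1918 default does. The TTL/ID values and the helper names are this example's own assumptions.

```python
import base64, ipaddress, struct, urllib.request

TRR_URI = "https://cloudflare-dns.com/dns-query"  # the page's network.trr.uri value
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_query(name, qtype=1):
    """DNS wire-format query (ID 0, RD set); qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def get_url(uri, query):
    """useGET form: Firefox appends ?ct&dns=<base64url query, padding stripped> to the URI."""
    return uri + "?ct&dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:   # walk labels until root or pointer
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_addresses(msg):
    """Collect A/AAAA addresses from the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    pos, addrs = 12, []
    for _ in range(qd):            # skip the echoed question section
        pos = _skip_name(msg, pos) + 4
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype in (1, 28):
            addrs.append(str(ipaddress.ip_address(rdata)))
    return addrs

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def usable_answers(addrs, allow_rfc1918=False):
    """Mirror network.trr.allow-rfc1918: private answers are rejected unless allowed."""
    return [a for a in addrs if allow_rfc1918 or not is_rfc1918(a)]

def resolve(name, uri=TRR_URI, use_get=False, qtype=1):
    """POST the query to the DoH URI (GET if use_get), like Firefox; 3 s mirrors request-timeout."""
    q = build_query(name, qtype)
    req = urllib.request.Request(get_url(uri, q)) if use_get else urllib.request.Request(uri, data=q, method="POST")
    req.add_header("Accept", "application/dns-message")
    req.add_header("Content-Type", "application/dns-message")
    with urllib.request.urlopen(req, timeout=3) as r:
        return usable_answers(parse_addresses(r.read()))
```

Calling resolve("example.com") performs the same exchange Firefox does for an A lookup; resolve("example.com", use_get=True) uses the GET form instead.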

Does it work?

Go to about:networking, click the DNS link in the left-side menu. That shows the contents of the in-memory DNS cache. The TRR column says “true” for host names that were resolved using TRR (DNS-over-HTTPS).

I found a bug!

If you experience a problem or find a host name that has problems with TRR, consider extracting logs from Firefox during the hiccup by asking for nsHostResolver:5 logs as instructed on the HTTP logging page, and submit a bug report.
