Today is October 27th, 2019. And yesterday, October 26th, 2019, I made a video testing Firefox DoH without Cloudflare, pfBlocker, DNS filtering and site blocking discussion. And I know there was a mistake at about the five-minute mark where it says I was using it and I said you had to restart Firefox. Both those things are not true. No restart of Firefox is needed to change this setting. So I figured I'll get that out of the way real quick. But thank you very much for all those who commented, pointed out, I did reply. I'm also gonna pin this video to the top because some of you answered some other questions and I wanted to get it out to the greater audience and everybody reads the comment section of YouTube and sometimes it's not great reading the comments in YouTube.
But we were talking about the trusted recursive resolver settings, specifically network.trr.mode. So I wanted to bring this up because one of the questions I had was like, okay, we have BlahDNS over here and BlahDNS supports some filtering, but that filtering still will fail because the default config for Firefox right now is (and it makes sense to do it this way) that when you look something up and there's a failure, it then refers back to local DNS. And this can be for a number of reasons. One of those number of reasons is, let's say you have some custom DNS entries in your server because you have local resources on your network that are not publicly available but do have their own DNS entries. Right, there's a reason to definitely leave it on if you're using this in an environment where you have those things that you need to get to not by IP but by DNS name. So that is a concern. And so they did default to that, which probably makes sense because a lot of people use Firefox and a lot of people do have, especially in the business world, local resources that may not be publicly available and custom DNS entries.
Also, when you rely on one of these DoH servers, and this is BlahDNS, a small hobby ad-block DNS project. Well, if this person's hobby has a problem and it doesn't resolve, your browser will stop working until you change it. So it's worth noting that that's in there, but of course that doesn't do anything for site blocking if your local resolver doesn't block the same sites as this DoH one.
So we go over here to about:config and we have network.trr.mode. So you can see the default value right now is two. So when this is turned on, you get a default of two. And what two means is, so zero is off, when you're not using DoH; one, reserved; two, first: use TRR first, and only if the name resolve fails use the native resolver as a fallback, so it goes back to your operating system resolver. All right, three, only: only use TRR, never use native. This mode requires the bootstrapAddress pref to be set.
What does that mean? Well, I was doing some testing with it and what happens is, if we go here and we set this to three, and this goes for really any of the providers that you're gonna use for DoH, but if you choose a DoH provider and you want the browser to not use local DNS resources, it still has to in order to get the name of this. So right here is doh-fi.blahdns.com. We need to resolve that name. So we gotta go here. I'm just gonna do a little copy. Then go here and we'll do a quick dig, paste that in, doh-fi.blahdns.com. Now we have this IP address. What you have to do is resolve this. Then you can set that setting. So in about:config, we set it to three. Now we gotta go and put that IP address in, and we gotta put it in the bootstrap address. So while we're still in about:config over here, we type in bootstrapAddress, modify, throw the IP address in there and away we go. That's all you have to do to make that work. Now that we've turned those two things on. So one, the DNS resolver works. It knows where to find it without going to local.
You can now go over here, and this site was loaded, and we'll go ahead and refresh it now and it will fail. The reason it failed is because BlahDNS has that particular site blocked, so we can actually, this is from the other day, we had the demo on there, so let's go here. They have a little checker. Check a domain status. Gemini, lookup failed or blocked, so we know that's a blocked one, and of course now we can go back over here to the network.trr, which is right there. Modify, and if you put it back to two, which means go ahead and use local resolver as well. We go here and hit Ctrl+F5. My local resolver does resolve this, therefore it works. Once again, no reboot. I will mention that as well.
Also I was looking, there are, if you start doing some searching, there are plenty of other places that support DoH, and I did notice CleanBrowsing. I've heard people mention it, I've honestly never used it, but they have some DoH filters as well. So if you were to set these up and you wanted to plug these into your browser to use the CleanBrowsing one, including they have an adult filter on here if that's something you want blocked out. They do have it, but please note you'll have to follow some of that same process: if you wanted to not use local resolver at all, you'll have to do that same thing over here. I'm using dig; if you're on Windows, nslookup I believe works the same way. So you'd have to put the IP addresses into there. I'm not sure how it handles having two of them, but just some thoughts on that. And if you're using three, of course now you've locked it into that particular provider, so you could have other issues if that one DNS provider doesn't work. It's not as robust, I think, as regular DNS, but I figured I'd cover that for those interested, and of course some people like to point out they don't like the fact that Firefox has been, looks like they're gonna be, pushing this as default and then using Cloudflare as the custom default. Opinions seem to vary on that.
I think defaulting the end users, the general public, to a more encrypted DNS versus the public-facing is better, especially due to the fact that a lot of manipulation happens within the DNS, but there's been some agreements made with Cloudflare not to also try to monetize and manipulate the DNS, and Firefox does reserve the right to change that at will. So Firefox, they seem to care about our privacy. I do believe Firefox as a foundation will probably do the right thing if they caught Cloudflare not behaving properly and switch to another provider, just throwing it out there, but of course this is all customizable for those of you that wanna customize it.
Well, this video is just a follow-up to show how you would lock it down using the trusted recursive resolver and what you need to do to make that work if you only want DoH. Kind of a nice thing about it if you were to set this was, when you do this, now your browser doesn't need to do any DNS lookup. So if you are starting out on some other network, you have less of a risk of getting your DNS hijacked at all because it never looks locally for anything, it's always going right out to the web and right out to those IP addresses in there. So I think it's kind of an interesting opportunity, especially when you use your laptop maybe on Wi-Fi, not with a VPN, on some public network where there is the higher potential, like let's say a coffee house type network or somewhere, anyone providing free Wi-Fi. Getting around whatever they're doing for DNS is generally a good idea because you don't know if they're injecting something in there, manipulating the DNS records, and you don't necessarily wanna rely on local resolvers, which is one of the reasons we tell a lot of people to switch to public DNS. But by default most computers out of the box, or when they attach them to a local network, they don't do this; they're gonna just use whatever resolver was handed to them based on whatever network they joined locally.
So just some thoughts. I just wanted to follow up on this, and thank you all for the comments. I don't get mad when people call me out as wrong, 'cause you're never as wrong as when you're wrong on the internet. It actually helps me learn, and this video is to help others, 'cause I'll pin it to the top for others wanting to know those couple details I just didn't know, like how to set this network.trr.mode and things like that. And of course, like I said, some people messaged me and asked about the filtering: CleanBrowsing does have the adult filter on there, so if you wanted to plug it in there to help block some of the adult sites that maybe you don't want the kids going to, that's an option. But be careful, those kids are generally pretty smart and get around things quickly, so keep an eye on them, that's the bigger part there, that's my recommendation. All right, and thanks.
And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you, and once again, thanks for watching and see you next time.
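
The DoH-only setup walked through in this video (network.trr.mode set to 3 with the resolver's IP pinned in the bootstrap address pref), as an added example that is not part of the original transcript: a Python sketch that emits the matching user.js lines and refuses mode 3 without a usable IP. The function names, the `/dns-query` path and the 192.0.2.53 sample address are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# network.trr.mode values read out in the video: 0 off, 2 first, 3 only.
TRR_OFF, TRR_FIRST, TRR_ONLY = 0, 2, 3


def system_resolve(host):
    """One-time lookup via the OS resolver (the `dig` step, automated)."""
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def trr_prefs(doh_uri, mode=TRR_ONLY, bootstrap_ip=None, resolve=system_resolve):
    """Return user.js lines for a DoH endpoint (helper name is hypothetical)."""
    parts = urlsplit(doh_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("DoH URI must be an https:// URL with a hostname")
    if '"' in doh_uri or "\\" in doh_uri:
        raise ValueError("DoH URI must not contain quotes or backslashes")
    if mode not in (TRR_OFF, TRR_FIRST, TRR_ONLY):
        raise ValueError(f"unsupported network.trr.mode: {mode}")

    lines = [
        f'user_pref("network.trr.mode", {mode});',
        f'user_pref("network.trr.uri", "{doh_uri}");',
    ]
    if mode == TRR_ONLY:
        # No native fallback in mode 3, so Firefox cannot look up the
        # resolver's own hostname: its IP must be pinned ahead of time.
        if bootstrap_ip is None:
            found = resolve(parts.hostname)
            if not found:
                raise ValueError(f"no address found for {parts.hostname}")
            bootstrap_ip = found[0]
        ip = ipaddress.ip_address(bootstrap_ip)  # rejects non-IP input
        lines.append(f'user_pref("network.trr.bootstrapAddress", "{ip}");')
    return lines


if __name__ == "__main__":
    # Constructed sample: hostname from the video, /dns-query path assumed,
    # address from the RFC 5737 documentation range instead of a real lookup.
    uri = "https://doh-fi.blahdns.com/dns-query"
    for line in trr_prefs(uri, resolve=lambda host: ["192.0.2.53"]):
        print(line)
```

In mode 2 the same call returns only the mode and URI lines, since the operating system resolver can still look up the DoH hostname.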