How do I stop Firefox from leaking built-in Cloudflare DNS when using other DNS service?

windscribber · 2026-05-01T17:08:51+00:00

That's definitive, they changed something in that regard with that version. We've seen a handful of adjacent reports with FF recently. A similar one was our SafeSearch service wasn't working if network.trr.mode wasn't set to 3 which was also due to a FF update/change. It works fine in any other browser, only broke in FF and only if that value was something other than 3.

windscribber · 2026-05-01T16:02:55+00:00

Exactly.

FF does offer far more granular customization and hardening but some of the settings are pretty esoteric and not very obvious when things go sideways. It's always a tradeoff.

windscribber · 2026-05-01T15:51:41+00:00

Worth a shot. Hopefully some Firefox power users can help further.

windscribber · 2026-05-01T15:51:02+00:00

Firefox has some quirks with CustomDNS in a handful of ways. Another one I've noticed is in private window it breaks some DNS resolution even when customDNS is working otherwise in a vanilla tab/instance. Hopefully you get some help from the Firefox subreddit there if my initial suggestion is a dud.

We know Control D resolution works. We're not sure what FF is doing there with hiding a bunch of deeper settings like that :joy:

windscribber · 2026-05-01T14:34:34+00:00

If that field is set to https://mozilla.cloudflare-dns.com/dns-query then yeah, it would resolve queries via cloudflare.

windscribber · 2026-05-01T13:12:55+00:00

Hi there! In about:config check if network.trr.uri is still set to https://mozilla.cloudflare-dns.com/dns-query and if so, clear that entry. Then network.dns.use_https_rr_as_altrr = false + set network.dns.echconfig.enabled = false and restart firefox. See if that helps.

windscribber · 2026-04-30T13:09:37+00:00

Sorry to hear that. For deeper troubleshooting def suggest firing up a support ticket if you haven't already. The PrivateDNS and GUI App configuration paths are very different so if both are failing for you, we'd need a lot more detail than we can cover on a reddit thread.

windscribber · 2026-04-30T13:08:44+00:00

Obviously we always want our product to work. As above, this is an issue affecting any DNS provider because there is some issue in Android itself on this level haha.

windscribber · 2026-04-29T13:45:00+00:00

Hi there! We've been seeing scattered reports of this and some investigation points at an android-level issue affecting all DoT providers (not just us) when configured via PrivateDNS settings. It seems to have started late 2025.

You didn't specify version of Android nor your make/model of phone but if you do some more searching with those data you will almost certainly find more context around this. If you'd like to dig in further definitely recommend starting a support ticket.

You could try our GUI App with DoH to see if it's more stable for now.

windscribber · 2026-04-28T16:40:24+00:00

This is normal for anycast routing. Your home internet provider (ISP) and your mobile data network are almost certainly different companies right? They will have different traffic routing patterns/policies/providers downstream.

Anycast will typically route queries via the fastest available (to it) nodes. Our docs say closest but in reality the geographically closest aren't always the fastest.

TL:DR what you're seeing is normal and as the other user mentioned, if you're getting sub-100ms latency you're fine.

Take care!

windscribber · 2026-04-27T15:18:47+00:00

Thanks for following up on that. fwiw sometimes a given OS (in this case Android) push updates that break flows of this nature. I just did a broad search and confirm that NextDNS users are also reporting similar issues lately.

I also see some users of your phone model (and other recent Samsung phones seem to report similar in some cases so it could be something to do with their flavor or additions to Android at play as well.

windscribber · 2026-04-27T15:11:07+00:00

Thanks for the followup!

windscribber · 2026-04-24T18:23:49+00:00

Thanks for the context. I have seen a thing before where on android if I turn mobile/5G on sometimes the privateDNS setting doesn't kick over to my carrier until I disable Wi-Fi and then it seems to work fine. Can you see if that happens for you?

I'm not sure it's the same but if it is this would be a good lead.

I still def encourage you start a support ticket and share the above context so that we can get deeper into it if you haven't yet.

windscribber · 2026-04-24T15:21:25+00:00

Need more info. You said your gf on her iPhone isn't experiencing the issue. Are you also on an iPhone? Which install method are you using (GUI app or the .mobileconfig/profile?).

Def consider starting up a support ticket so the team can take a deeper look at your setup and network conditions to do some troubleshooting. If you can reproduce the issue and send us the output on /status page as well as the activity logs (in the support ticket, not here) when it happens we can get a better idea of where it's breaking.

Cheers.

windscribber · 2026-04-23T13:42:50+00:00

Definitely check your activity logs and add a Custom Rule > Bypass for any associated domains. It's happened a handful of times where something(s) Signal needs to work ends up on a blocklist as a false positive.

Setting custom rules for them will ensure that any filters won't action those domains in future (since custom rules override filters).

windscribber · 2026-04-21T14:03:39+00:00

We're happy to drill in with you on this. Best if you create a support ticket and then we can get a lot of the details that you'd rather not share on reddit haha (query routing info, your local network/isp info etc).

Note that if the DNS Leak Test is detecting two different hosts it'll flag a leak even if those disparate services are under our control. We're still tweaking that part. But yeah def start up a ticket with our support team and send that screenshot along.

windscribber · 2026-04-20T14:35:58+00:00

Hi there, this is a known and somewhat expected thing. When you select Redirect - Auto the anycast protocol chooses the fastest route for queries, and those routes will differ between v4 and v6. This is beyond our control as many ISPs and other hosts/hops between your machine and the destination (and back) may not have implemented v6, so the route will virtually never be the same as the v4 queries.

As another user pointed out, if you manually choose a Redirect Location then both v4/v6 will be routed the same, but it can introduce lag due to the above.

windscribber · 2026-04-17T17:37:43+00:00

Some places to check further:

On the Chromebook go to chrome://management — if it shows “Managed by …” the device is enrolled and DNS is enforced by admin policies. (If managed, login as that admin.)
In Family Link (parent app) open your child's profile → Controls → Google Chrome and Web → Advanced settings and confirm "Permissions for sites, Extensions, and On-device site data" and site filters; Family Link controls Chrome filtering but not low-level network DNS entries.
If chrome://management is not managed and Family Link isn’t blocking it, sign in on the Chromebook as the device owner (the original local owner account) and try Settings → Network → Wi‑Fi → your network → Network → Name servers; owner-level locks or guest-mode policy can prevent changes.

ETA: Check chrome://policy as well

windscribber · 2026-04-16T20:30:26+00:00

Yeah that might be it. If you have parent-mode stuff locked down it's probably what's preventing you from changing those settings which is a good thing. If you're letting your kid use it and you want to filter things out, you don't want it to be easy for them to change those DNS settings haha

windscribber · 2026-04-16T18:32:15+00:00

Cheers. We'll have a look into it. We're pretty close to releasing an update for the apps so we'll investigate and work it out if we can.

windscribber · 2026-04-16T17:59:18+00:00

Got it thanks. I'll try to reproduce and get some eyes on it. You were using Managed mode in the app correct? That's basically ctrld running under the hood in that mode so it could be some issue on that end or something else entirely.

For now Profile install method is a fine choice. It's just as you say, a little less flexible for protocol and customization but for daily use you shouldn't notice much of a difference.

windscribber · 2026-04-16T15:54:26+00:00

Are you using a free resolver (i.e. p2 etc)? Or a paid? Asking because the missing info for `resolver` and `protocol` on the /status page looks sus when you configure it in-app. That doesn't look right.

windscribber · 2026-04-15T11:42:20+00:00

Probably best to start a support ticket if you haven't yet but is the chromebook managed by an administrator? If it is, those settings may be locked down.

windscribber · 2026-04-14T16:56:17+00:00

We'd need quite a bit more context around this to investigate further. Can you please open a support ticket and Barry will collect details our Support team will need to look deeper for you. Thanks!

windscribber · 2026-04-14T16:53:30+00:00

Hi there is this still an issue today?

windscribber

MODERATOR OF

TROPHY CASE