Firefox currently using iCloud Private Relay for me?!?

Hi all,

Long time FF user here, have been using since the very beginning and since then have never really got on with any other browser.

I have recently noticed something strange that I cannot explain. I run my own AdGuard instance on my network for resolving DNS, and lately DNS queries done in FF on macOS have stopped showing in AdGuard.

Initially I checked to make sure that DoH had not been toggled on in FF (it had not), then I toggled off iCloud Private Relay (which I keep on for the Apple Mail client) and everything started to work as expected again.

As I understood it, FF was not able to use iCloud Private Relay (unless I have missed a pretty major release note somewhere), so I am wondering by what mechanism this is happening.

Anyone got any ideas?

Cheers.

iCloud Private Relay will override system DNS

So when looking for a DNS server, it will use whichever is first available, in this order: Firefox DoH > iCloud Private Relay ODoH > DNS as set in system settings > DNS as set on network > DNS from ISP

Thus if you want to use DNS as set on the network, you need to disable/unset the three before it, so that it “falls through” to the network DNS.

Note that iCloud Private Relay is BOTH a DNS (ODoH) and a lightweight VPN (to hide your IP address). The former is system-wide (unless overridden by an app - both FF DoH and dig handle their own DNS lookups), the latter is only in Safari (and seemingly some other apps, like curl). AFAIK you cannot turn off the DNS portion without disabling it altogether.

This is good info. Thanks for your reply.

I was not aware that FF could leverage iCloud Private Relay at all, it certainly has not always been this way and I seem to have missed the announcement where it now can use it. Do you happen to know when this ability was added?

I am seeing inconsistent behaviour between applications though: Edge is using the DNS that is set via DHCP (AdGuard), obviously FF is using iCloud Private Relay, and terminal applications are still using the DHCP DNS too. So it does not appear to be a system-wide setting to use iCloud Private Relay.

Just tested on macOS 13.2 and Firefox 109.0.1.

DNS in System Settings is set to Google 8.8.8.8 just to have a baseline for testing. In your case, this would fall back to the DHCP DNS.

In terminal, when using dig or nslookup, DNS resolution is done by Google, so private relay does not affect these tools. Using curl, my IP is the private relay one (Cloudflare IP instead of the one from my ISP), somewhat surprisingly.

In Safari, DNS is Cloudflare, so private relay overrides here. My IP is the Cloudflare one for private relay. Both as expected.

Now for Firefox…

  • When FF DoH is on, DNS is whichever provider is chosen in FF settings, as expected
  • When FF DoH is off, and private relay is on, DNS is showing as Cloudflare AND it shows that DoH is in use (despite being turned off in FF), so that means private relay is overriding system/DHCP DNS
  • When both FF DoH and private relay are off, DNS shows as Google and not using DoH
  • In any case, my IP is the real IP from my ISP, not the Cloudflare/private relay one. This VPN-style feature of private relay does not seem to work with Firefox.

So, to get Firefox to use custom DNS, it seems that private relay does need to be off.

Browser DNS was checked using both https://1.1.1.1/help and https://dnsleaktest.com

One thing to note about dig (and possibly other apps): it does its own lookups. The man page for it notes that other applications may ask macOS to do lookups for them, and so the DNS results may differ as a result (presumably this is how other apps get DNS through private relay). This could explain the discrepancy between FF and terminal. I don’t have a local DNS set up right now to do a more exhaustive check.

Going to edit my original comment for clarity.

No clue how long it’s been this way; to be honest I’ve never thought to check until now.
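The comment above distinguishes two lookup paths: dig talks to a resolver directly, while most apps ask macOS (where Private Relay's ODoH can take over). The script below is an added example, not from this thread or from Apple/Mozilla, that resolves the same name both ways so the two answers can be compared against what AdGuard logs; the resolver address is an assumed placeholder for your DHCP-assigned AdGuard instance.

```python
import random
import socket
import struct

def build_query(name: str, qid: int) -> bytes:
    # Minimal A/IN query: RD flag set, one question, no other sections.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:
    # Return the offset just past a domain name, compressed or not.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2          # compression pointer ends the name
        if length == 0:
            return off + 1          # root label ends the name
        off += length + 1

def parse_a_records(msg: bytes) -> list[str]:
    # Collect the A record addresses from a response, in sorted order.
    _qid, _flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)

def direct_lookup(name: str, server: str, timeout: float = 2.0) -> list[str]:
    # dig-style path: UDP/53 straight to `server` (e.g. "192.0.2.53", an
    # assumed AdGuard address), bypassing the OS resolver entirely.
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != qid:
        raise ValueError("DNS response id mismatch")
    return parse_a_records(data)

def system_lookup(name: str) -> list[str]:
    # App-style path: getaddrinfo goes through the macOS resolver, so this is
    # the answer Private Relay's ODoH (if enabled) hands back.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
```

Run `system_lookup("example.com")` and `direct_lookup("example.com", "<your AdGuard IP>")` with Private Relay on and off: only the direct query should appear in the AdGuard log while Relay is on, and the address sets may differ when the two paths hit different resolvers.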

This is some good methodology, similar to what I have done but much better written up, so thanks very much for replicating.

I am guessing Mozilla have made a change to FF at some point to use some Apple API to be able to use this functionality.

I will probably continue to use Private Relay as I am using uBlock Origin to block trackers and obtrusive ads.

I do find it surprising that I cannot find any documentation for iCloud Private Relay that says it works for anything other than Safari and Mail.

I also cannot find any documentation for FF that says that it is capable of using Private Relay, at least for DNS, and/or how to tell FF not to if you would like to opt out for some reason. I searched their issue tracker to see if I could find where a patch had been made to support it and could not find anything.

Of course it does not help that Mozilla have a service called Relay too, which definitely blurs the search results. Interestingly, this thread now shows up pretty high if you search for “Firefox iCloud Private Relay”.