browser-extensions: choose Unbound over eSNI :(

It seems like a lose-lose situation to me.

Closes: #157
Mikaela Suomalainen 9 months ago
Signed by: mikaela <> GPG Key ID: 0C207F07B2F32B67
1 changed files with 2 additions and 1 deletions
pages/browser-extensions.markdown

@@ -72,12 +72,13 @@ Future note: [`network.dns.blockDotOnion;false`](

* `network.trr.bootstrapAddress` DNS server to use for resolving the DoH
name, e.g. `` (Resolver 2 of [Quad9](
* `network.trr.mode` 2 to prefer DoH, but fallback to system resolver (or 3 to enforce DoH without fallback)
* `network.trr.mode` depends, 2 to prefer DoH, but fallback to system resolver (or 3 to enforce DoH without fallback). ***If there is system encrypted DNS, just take 1 to maybe benefit from eSNI while likely benefiting from system DNS cache without ESNI.***
* [DoH is required by Firefox ESNI support]( which encrypts SNI which would still leak which
sites you visit. [Another bug about ESNI + Android DoT](
* I have ended up to recommending 2 as otherwise the DoH server going
down stops DNS from working on your Firefox entirely, which may be
more of a problem than unencrypted SNI as not everyone supports it.
* since then I have decided that 1 is the best option, because otherwise it goes past ***my*** Unbound setup. I hope Mozilla/Firefox will fix the two bugs linked above, so I don't have to choose between DNS under my control vs encrypted SNI.
* `network.trr.early-AAAA` `true` to hopefully prefer IPv6
* `network.trr.uri` for the actual resolver address, e.g.
`` or `` (removes the need for `network.trr.bootstrapAddress` and allows ǹetwork.trr.mode` `3`?) or
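Review bot: The rewritten `network.trr.mode` bullet recommends 1 without saying what mode 1 does, while 2 and 3 are each explained in the same line. Since the stated reason for the change is that other modes go past the local Unbound setup, the bullet should say whether mode 1 still sends queries to the DoH resolver, so readers can judge what leaves the system resolver. The unchanged sub-bullet "I have ended up to recommending 2" now sits directly above the new "since then I have decided that 1 is the best option" and the two read as conflicting advice; consider marking the older one as superseded or merging them into one statement that says when 2 still applies (no encrypted system DNS) and when 1 applies. The new line also mixes "eSNI" and "ESNI" within one sentence, and "depends, 2 to prefer DoH" would read more clearly if the condition were stated first.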