Click the menu button Menu and select Preferences.
In the General panel, scroll down to Network Settings and click the Settings button.
In the dialog box that opens, scroll down to Enable DNS over HTTPS.
On: Select the Enable DNS over HTTPS checkbox. Select a provider or set up a custom provider. Off: Deselect the Enable DNS over HTTPS checkbox.
Click the Use Provider drop-down under Enable DNS over HTTPS to select a provider.
Change DNS Provider
Add your DOH URL (https://XYZ.dns.securd.com/dns-query).
Click OK to save your changes and close the window.
about:config
network.trr.boostrapAddress=142.202.107.1
network.trr.custom_uri=
network.trr.mode=3
network.trr.uri=
network.trr.mode (https://wiki.mozilla.org/Trusted_Recursive_Resolver)
The resolver mode. You should not change the mode manually, instead use the UI in the Network Settings section of about:preferences
• 0 - Off (default). use standard native resolving only (don't use TRR at all)
• 1 - Reserved (used to be Race mode)
• 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
• 3 - Only. Only use TRR, never use the native resolver.
• Up to FF >= 73, this mode also requires the bootstrapAddress pref to be set.
• Starting with Firefox 74, setting the bootstrap address is no longer mandatory - the browser will simply bootstrap itself using regular DNS, unless the DoH server domain can't be resolved.
• The native resolver will still be used for portal detection and telemetry (Bug 1593873)
• 4 - Reserved (used to be Shadow mode)
• 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
Load Securd Root CA
http://downloads.securd.com/securd_root_ca.crt
REQUIRED: MOBILE DOH ADDRESS
systemd resolved
Warning: Prior to systemd version 245.2-2, systemd-resolved only validated the DNS server certificate if it was issued for the server's IP address (a rare occurrence). DNS server certificates without an IP address were not checked making systemd-resolved vulnerable to man-in-the-middle attacks
/etc/systemd/resolved.conf or /etc/systemd/resolved.conf.d/*.conf
[Resolve]
DNS=142.202.107.1@853#
DNSOverTLS=yes
Domains=~.
unbound 1.8.1 or later (Ubuntu/Debian)
server:
tls-cert-bundle: “/etc/ssl/certs/ca-certificates.crt"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 142.202.107.1@853#
forward-addr: 142.202.107.2@853#
forward-addr: 2620:82:6000::1@853#
forward-addr: 2620:82:6000::2@853#
unbound 1.8.1 or later (Fedora)
server:
tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 142.202.107.1@853#
Import Securd Root CA
http://downloads.securd.com/securd_root_ca.crt
REQUIRED: MOBILE DOH ADDRESS
Enable DoH
• Open the Registry Editor (regedit).
• Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
• Create a new DWORD (32-bit) Value named EnableAutoDoh.
• Set its value data to 2.
Add DoH Servers to Windows 10’s auto-promotion list
Run the following commands as administrator:
netsh dns add encryption server=142.202.107.1 dohtemplate="https://
netsh dns add encryption server=142.202.107.2 dohtemplate="https://
netsh dns add encryption server=2620:82:6000::1 dohtemplate="https://
netsh dns add encryption server=2620:82:6000::2 dohtemplate="https://
Verify DoH Servers
Verify the template was applied to the DoH servers with the following commands:
netsh dns show encryption server=142.202.107.1
netsh dns show encryption server=142.202.107.2
netsh dns show encryption server=2620:82:6000::1
netsh dns show encryption server=2620:82:6000::2
Configure DNS Servers in Control Panel
• Open Control Panel.
• Go to Network and Internet -> Network and Sharing Center -> Change adapter settings.
• Right click on the connection you want to add a DNS server to and select Properties.
• Select either Internet Protocol Version 4 (TCP/IPv4) and/or Internet Protocol Version 6 (TCP/IPv6) and click Properties.
• Select the Use the following DNS server addresses radio button, and add the DNS server addresses into the fields below.
• Click OK or Apply to close all the dialog window.
• Restart the computer and voila, Windows 10 should abandon classic DNS over port 53 and send DNS resolution requests over HTTPS.
Import Securd Root CA
http://downloads.securd.com/securd_root_ca.crt