Beginning in version 63 of Firefox, Mozilla may enable DNS over HTTPS by default for Firefox users. This will send DNS queries over HTTPS to Cloudflare, which may bypass your Umbrella settings. To preserve your Umbrella settings, follow the steps below.
Affected Firefox users will see the following banner when DNS over HTTPS is enabled by Firefox.
To protect your Umbrella deployment, Umbrella now includes DNS over HTTPS providers in the Proxy/Anonymizer content category. This blocks the domain Firefox uses to reach its DNS over HTTPS provider, causing Firefox to revert to standard system DNS, where Umbrella covers your DNS. To ensure that your settings block DNS over HTTPS providers:
1. Navigate to Policies > Content Categories
2. Select the category setting that is in use.
3. Ensure that "Proxy/Anonymizer" is selected.
Your users will now remain covered by Umbrella when Firefox rolls out this change to your users.
To ensure full coverage against DNS over HTTPS with Cloudflare in Firefox, we recommend blocking 220.127.116.11 on your firewall.
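One way to confirm from a client that the Proxy/Anonymizer setting is taking effect is to resolve the DoH provider's hostname through system DNS and check that only block-page addresses come back. This is an added example, not Umbrella's or Mozilla's own tooling. It assumes that Firefox's Cloudflare endpoint is `mozilla.cloudflare-dns.com` and that Umbrella block pages are served from 146.112.61.104 through 146.112.61.110; neither value is stated on this page, so confirm both against current documentation.

```python
import ipaddress
import socket

# Assumption: hostname of Firefox's Cloudflare DoH endpoint (not named on this page).
DOH_HOST = "mozilla.cloudflare-dns.com"
# Assumption: Umbrella block-page address range; verify against Umbrella documentation.
BLOCK_FIRST = ipaddress.ip_address("146.112.61.104")
BLOCK_LAST = ipaddress.ip_address("146.112.61.110")


def is_block_page(addr):
    """True if addr (a string) falls in the assumed Umbrella block-page range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d as its IPv4 form
    return ip.version == 4 and BLOCK_FIRST <= ip <= BLOCK_LAST


def system_lookup(host):
    """Resolve host through the OS resolver, the path Umbrella covers."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_doh_block(host=DOH_HOST, lookup=system_lookup):
    """Return (verdict, addresses) for the DoH hostname.

    blocked    - every answer is a block-page address
    unresolved - system DNS returned no answer for the hostname
    bypass     - at least one non-block-page address came back
    """
    try:
        addrs = lookup(host)
    except socket.gaierror:
        addrs = []
    if not addrs:
        return "unresolved", []
    if all(is_block_page(a) for a in addrs):
        return "blocked", addrs
    return "bypass", addrs


if __name__ == "__main__":
    verdict, addrs = check_doh_block()
    print(f"{DOH_HOST}: {verdict} {addrs}")
    raise SystemExit(1 if verdict == "bypass" else 0)
```

A `bypass` verdict on a machine that should be covered means the content category setting is not applied to that client's policy.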