Maintain DoH in Firefox and Chrome Using GPO

Available Languages

Download Options

  • PDF     (6.1 KB)
    View with Adobe Reader on a variety of devices
Updated:September 18, 2025
Document ID:224957

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to maintain and disable DNS over HTTPS (DoH) in Firefox and Chrome using Group Policy Objects (GPO) in Cisco Umbrella.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on Cisco Umbrella. 

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Overview

    DNS over HTTPS (DoH) is a feature added to several web browsers that allows DNS to bypass the system DNS stack over HTTPS. In many cases, you can disable this functionality to ensure that web browsers do not override any Umbrella settings.

    Firefox and Chrome both provide DoH functionality and the ability to prevent DoH use on your network and managed computers. However, DoH implementations differ greatly between browsers.

    Firefox

    Firefox operates with a default-on DoH setting where DNS is sent to CloudFlare by default at 1.1.1.1. This setting does not take the system DNS setting into account. 

    To combat this, Umbrella by default sets the override to disable DoH (see our article here for more information). However, this override can only take effect if there are no explicitly set DoH settings. To ensure that DoH is never enabled to divert Firefox DNS away from the system settings, GPO settings are required.

    To disable, set the value for "network.trr.mode" to 0. For more information, see the Firefox TRR settings in detail. 

    For more information on managing enterprise policies in Firefox, see the Mozilla documentation. 

    Chrome

    Chrome has support for DoH for several providers including Umbrella. Unlike Firefox, Chrome DoH can only enable when system DNS is observed to be a participating DNS provider. Therefore, it cannot enable if system DNS is a local DNS server or the roaming client, but can enable if local DNS is 208.67.220.220 and 208.67.222.222. Therefore, Chrome does not direct your DNS away from system DNS, but enhances it with DoH.

    During the initial stages of the Chrome DoH experiment, Chrome can disable DoH if the device is managed, AD joined, or has an Enterprise policy applied.

    See the Chrome website for more details.

    For more information on managing enterprise policies in Chrome, see the Chrome documentation. 

    Revision History

    Revision Publish Date Comments
    1.0
    18-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products