From 7077f4caa5e8d31296201de3c32196d6beecdd6f Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen <mikaela+git@mikaela.info>
Date: Sun, 25 Aug 2019 13:38:12 +0300
Subject: [PATCH 1/5] dns: document enabling Firefox TRR

---
 _includes/sections/dns.html | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/_includes/sections/dns.html b/_includes/sections/dns.html
index 219f170c..b5d6061f 100644
--- a/_includes/sections/dns.html
+++ b/_includes/sections/dns.html
@@ -307,6 +307,10 @@ github="https://github.com/jedisct1/dnscrypt-proxy"
     <li><strong>Encrypted DNS clients for desktop:</strong>
       <ul>
         <li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='"Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."'><a href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"><i class="fas fa-exclamation-triangle"></i></a></span> Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li>
+            <ul>
+                <li>DNS-over-HTTPS can be enabled in Menu -> Settings -> Network Settings -> Settings -> [x] enable DNS over HTTPS, use provider: custom, and enter the address you find from the documentation of your DoH provider.</li>
+                <li>Advanced users may enable it in `about:config` by setting `network.trr.custom_uri` and `network.trr.uri` as the address you find from the documentation of your DoH provider and `network.trr.mode` as `2`. It may also be desirable to set `network.esni.enabled` to `True` in order to encrypt SNI and make sites supporting ESNI a bit more difficult to track.</li>
+            </ul>
       </ul>
     </li>
     <li><strong>Encrypted DNS clients for mobile:</strong>
@@ -330,6 +334,13 @@ github="https://github.com/jedisct1/dnscrypt-proxy"
     </li>
     <li><strong>Further reading:</strong>
       <ul>
+        <li>On Firefox, DoH and ESNI</li>
+            <ul>
+                <li><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Trusted Recursive Resolver (DoH) on MozillaWiki</a></li>
+                <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">Firefox bug report requesting the ability to use ESNI without DoH</a></li>
+                <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS directly without having to enable DoH</a></li>
+                <li><a href="https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li>
+            </ul>
         <li><a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">QNAME Minimization and Your Privacy</a> by the Internet Systems Consortium (ISC)</li>
         <li><a href="https://www.isc.org/dnssec/">DNSSEC and BIND 9</a> by the ISC</li>
       </ul>
-- 
2.47.2


From 23f63299f4edffc690cfbee1f2e5c15dd2013baa Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen <mikaela+git@mikaela.info>
Date: Sun, 25 Aug 2019 13:48:18 +0300
Subject: [PATCH 2/5] browser-tweaks: rm/note that TRR/DoH/ESNI have moved

---
 _includes/sections/browser-tweaks.html | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/_includes/sections/browser-tweaks.html b/_includes/sections/browser-tweaks.html
index 277bbd57..b523deb4 100644
--- a/_includes/sections/browser-tweaks.html
+++ b/_includes/sections/browser-tweaks.html
@@ -118,23 +118,8 @@
   </ul>
   </dd>
 
-  <dt>network.trr.mode = 2</dt>
-  <dd>
-  Use Trusted Recursive Resolver (DNS-over-HTTPS) first and if it fails, use the system resolver <a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Source</a>
-  <ul>
-    <li>0 = disabled by default, may change in the future</li>
-    <li>1 = use the faster resolver</li>
-    <li>2 = use DoH first, fallback to system resolver</li>
-    <li>3 = only use DoH. This may require <code>network.trr.bootstrapAddress</code> or using an IP address in <code>network.trr.uri</code>.</li>
-    <li>5 = explicitly disable DoH</li>
-  </ul>
-  </dd>
-
-  <dt>network.trr.uri = CHANGEME</dt>
-  <dd>The address of your DNS-over-HTTPS provider, if you don't have one, <a href="/providers/dns/#icanndns">check our encrypted DNS recommendations</a>. It can also be changed in <em>Settings, Network Settings, Enable DNS over HTTPS, Use Provider, Custom</em>.</dd>
-
-  <dt>network.security.esni.enabled = true</dt>
-  <dd>Hide the address which you are requesting SSL certificate for if the server supports it. This <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">requires DoH/TRR to be enabled</a> even <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">on Android 9+ when Private DNS is enabled</a>.</dd>
+  <dt>Looking for TRR, DoH or ESNI?</dt>
+  <dd>They have moved to <a href="https://privacytoolos.io/providers/dns/#icanndns">our DNS page</a>.</dd>
 
   <dt>webgl.disabled = true</dt>
   <dd>WebGL is a potential security risk. <a href="https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern">Source</a></dd>
-- 
2.47.2


From e0dfed8f5648cda0812c6d6133a74b4fadfa81c2 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen <mikaela+git@mikaela.info>
Date: Sun, 25 Aug 2019 13:50:38 +0300
Subject: [PATCH 3/5] dns: fix formatting

---
 _includes/sections/dns.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_includes/sections/dns.html b/_includes/sections/dns.html
index b5d6061f..1191fef0 100644
--- a/_includes/sections/dns.html
+++ b/_includes/sections/dns.html
@@ -309,7 +309,7 @@ github="https://github.com/jedisct1/dnscrypt-proxy"
         <li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='"Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."'><a href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"><i class="fas fa-exclamation-triangle"></i></a></span> Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li>
             <ul>
                 <li>DNS-over-HTTPS can be enabled in Menu -> Settings -> Network Settings -> Settings -> [x] enable DNS over HTTPS, use provider: custom, and enter the address you find from the documentation of your DoH provider.</li>
-                <li>Advanced users may enable it in `about:config` by setting `network.trr.custom_uri` and `network.trr.uri` as the address you find from the documentation of your DoH provider and `network.trr.mode` as `2`. It may also be desirable to set `network.esni.enabled` to `True` in order to encrypt SNI and make sites supporting ESNI a bit more difficult to track.</li>
+                <li>Advanced users may enable it in <code>about:config</code> by setting <code>network.trr.custom_uri</code> and <code>network.trr.uri</code> as the address you find from the documentation of your DoH provider and <code>network.trr.mode</code> as <code>2</code>. It may also be desirable to set <code>network.esni.enabled</code> to <code>True</code> in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.</li>
             </ul>
       </ul>
     </li>
-- 
2.47.2


From 0022e09d9615acdd35d945eda458cfc8562edb7c Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen <mikaela+git@mikaela.info>
Date: Sun, 25 Aug 2019 13:55:47 +0300
Subject: [PATCH 4/5] browser-tweaks: fix embarassing typo

---
 _includes/sections/browser-tweaks.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_includes/sections/browser-tweaks.html b/_includes/sections/browser-tweaks.html
index b523deb4..a6cbb25b 100644
--- a/_includes/sections/browser-tweaks.html
+++ b/_includes/sections/browser-tweaks.html
@@ -119,7 +119,7 @@
   </dd>
 
   <dt>Looking for TRR, DoH or ESNI?</dt>
-  <dd>They have moved to <a href="https://privacytoolos.io/providers/dns/#icanndns">our DNS page</a>.</dd>
+  <dd>They have moved to <a href="https://privacytools.io/providers/dns/#icanndns">our DNS page</a>.</dd>
 
   <dt>webgl.disabled = true</dt>
   <dd>WebGL is a potential security risk. <a href="https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern">Source</a></dd>
-- 
2.47.2


From a663ab57b76f8251b5ce221777048e8372a56e26 Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen <mikaela+git@mikaela.info>
Date: Mon, 26 Aug 2019 00:11:35 +0300
Subject: [PATCH 5/5] browser-tweaks & dns: apply @nitrohorse's suggestions
 (and fix link)

---
 _includes/sections/browser-tweaks.html | 2 +-
 _includes/sections/dns.html            | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/_includes/sections/browser-tweaks.html b/_includes/sections/browser-tweaks.html
index a6cbb25b..e12400be 100644
--- a/_includes/sections/browser-tweaks.html
+++ b/_includes/sections/browser-tweaks.html
@@ -119,7 +119,7 @@
   </dd>
 
   <dt>Looking for TRR, DoH or ESNI?</dt>
-  <dd>They have moved to <a href="https://privacytools.io/providers/dns/#icanndns">our DNS page</a>.</dd>
+  <dd>They have moved to <a href="/providers/dns/#icanndns">our DNS page</a>.</dd>
 
   <dt>webgl.disabled = true</dt>
   <dd>WebGL is a potential security risk. <a href="https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern">Source</a></dd>
diff --git a/_includes/sections/dns.html b/_includes/sections/dns.html
index 1191fef0..19c3e777 100644
--- a/_includes/sections/dns.html
+++ b/_includes/sections/dns.html
@@ -308,7 +308,7 @@ github="https://github.com/jedisct1/dnscrypt-proxy"
       <ul>
         <li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='"Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."'><a href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"><i class="fas fa-exclamation-triangle"></i></a></span> Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li>
             <ul>
-                <li>DNS-over-HTTPS can be enabled in Menu -> Settings -> Network Settings -> Settings -> [x] enable DNS over HTTPS, use provider: custom, and enter the address you find from the documentation of your DoH provider.</li>
+                <li>DNS over HTTPS can be enabled in Menu -> Preferences (<code>about:preferences</code>) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom," and enter your DoH provider's address.</li>
                 <li>Advanced users may enable it in <code>about:config</code> by setting <code>network.trr.custom_uri</code> and <code>network.trr.uri</code> as the address you find from the documentation of your DoH provider and <code>network.trr.mode</code> as <code>2</code>. It may also be desirable to set <code>network.esni.enabled</code> to <code>True</code> in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.</li>
             </ul>
       </ul>
@@ -338,8 +338,8 @@ github="https://github.com/jedisct1/dnscrypt-proxy"
             <ul>
                 <li><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Trusted Recursive Resolver (DoH) on MozillaWiki</a></li>
                 <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">Firefox bug report requesting the ability to use ESNI without DoH</a></li>
-                <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS directly without having to enable DoH</a></li>
-                <li><a href="https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li>
+                <li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS (DoT) and benefit from encrypted SNI without having to enable DoH</a></li>
+                <li><a href="https://blog.cloudflare.com/encrypted-sni/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li>
             </ul>
         <li><a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">QNAME Minimization and Your Privacy</a> by the Internet Systems Consortium (ISC)</li>
         <li><a href="https://www.isc.org/dnssec/">DNSSEC and BIND 9</a> by the ISC</li>
-- 
2.47.2