From 8d2372b92e29ee79e013810b29d3bf1117d432e3 Mon Sep 17 00:00:00 2001
From: brainscar <38463143+brainscar@users.noreply.github.com>
Date: Fri, 28 Dec 2018 19:41:19 +0000
Subject: [PATCH] Set TRR to 5: Explicitly Off See inline comments.
---
 librefox/mozilla.cfg | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/librefox/mozilla.cfg b/librefox/mozilla.cfg
index 955526a..506b2da 100644
--- a/librefox/mozilla.cfg
+++ b/librefox/mozilla.cfg
@@ -509,14 +509,20 @@ lockPref("media.peerconnection.ice.no_host", true); // (FF51+)
 // Pref : 0707 : disable (or setup) DNS-over-HTTPS (DoH) (FF60+)
 // TRR = Trusted Recursive Resolver
-// .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats, but always use native result
+// .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats, but always use native result, 5=explicitly turn it off
 // [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare)
 // [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
 // [2] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
 // BUG : This seem to disable socks_remote_dns ?! need to check with wireshark
 // If true, just settings urls to null should be enough to disable
 // Without impacting socks_remote_dns
-lockPref("network.trr.mode", 0);
+// -------
+// Mode 0 is only off because right now that's the default, the default can change.
+// Mode 5 means explicitly off, regardless of default.
+// https://wiki.mozilla.org/Trusted_Recursive_Resolver
+// https://nakedsecurity.sophos.com/2018/08/07/mozilla-faces-resistance-over-dns-privacy-test/#comment-5193521
+// -------
+lockPref("network.trr.mode", 5);
 lockPref("network.trr.bootstrapAddress", "");
 lockPref("network.trr.uri", "");
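Review bot: The `.mode` legend at the top of the hunk still reads `0=off`, which contradicts the added explanation that mode 0 is only off while that remains the default; I would reword the two entries to `0=default (currently off)` and `5=off by choice` so the legend and the rationale agree. The older `BUG` note about `socks_remote_dns` was written against mode 0, and nothing in the hunk says whether it was re-tested with mode 5, so a line such as `// TODO: re-verify socks_remote_dns behaviour with mode 5` would stop readers assuming it was. The section is tagged `(FF60+)`; it is worth confirming that every release this config targets recognises mode 5, since an unrecognised value would presumably fall back to whatever that build does by default.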