Firefox never reads the hosts file directly. Instead, when Firefox sends DNS requests to your operating system, your OS integrates the hosts file. Maybe you can guess my next comment. If you switch Firefox to using DNS over HTTPS (DoH) the DNS requests are not sent to your system for valid domains, only domains that the new DNS resolver doesn't recognize. So your hosts file never comes into play with that setting. Could that explain the problem, or is DoH off? You can check the status on the Preferences page. More info here: Firefox DNS-over-HTTPS.

First, thank you very much for your response and assistance.

After a little research (how it works, history), I see in February of this year Firefox began the rollout of DoH.

I didn't see any warning about the change. I think it's important enough that a change like this should be more overtly communicated.

Before looking at my systems I went to my kids systems to discover Firefox completely defeated the tools I use to protect my children from porn without warning (or, perhaps more correctly, prevent the expected an inevitable exploration). I'm sure they discovered the deficiency and happily, knowingly or unknowingly (most-likely the latter), accepted the Firefox developement-stated-plan(1) to specifically eliminate the hosts file from DNS resolution. As you may guess, the tools I used largely revolved around the hosts file which I really liked as it was the least invasive, took so little additional CPU cycles (vs other solutions which I found unacceptable) as to be unnoticable, provided logging (allowing my wife and I to act as parents and address infractions), and was effective until the Firefox development team gave children better access to porn.

(1) - ref: https://bugzilla.mozilla.org/show_bug.cgi?id=1453207 "Technically speaking, none of those entries *block* the name, they provide custom IP addresses for them. The blocking is a side-effect." and "I'm going to mark this wontfix"

Interestingly enough, the person stating hosts entries don't "block" is completely incorrect. A "pointer to null" is a block and/or trash-bin. Technically speaking, viagra was a drug to help people with heart problems. How many people know that? This is a very irresponsible attitude and from my experience in business is a significant factor in litigation.

When DoH rolls in, I believe a little notification drops down from the address bar about keeping or rolling back the change. If you weren't on the computer when that happened, of course you would have missed it and I'm sure kids do not care one way or the other.

Mozilla has built-in detection for certain parental control products/services to avoid enabling DoH but with a DIY approach, that wouldn't work. To prevent problems going forward, you could look at suggestions in the help articles and consider using the Policy feature:

• Network settings: Configuring Networks to Disable DNS over HTTPS
• Policy feature: https://github.com/mozilla/policy-templates#dnsoverhttps
• Policy implementation: Customizing Firefox Using policies.json

jscher2000, thank you very much. I'll read-up on what you have listed.

I really like the encryption and privacy protection DoH can offer.

I am very disappointed the Firefox implementation doesn't offer the simple solution of keeping the hosts file priority.

I'm very surprised the Firefox dev team missed this as a common requirement. Just search on "parental control" and "hosts file" and you will find numerous recommendations as a common solution.

The hosts file is also valuable for many other reasons. I hope the Firefox development changes their view (or get directed to) and recognizes their responsibility to their users.

I do think someone has submitted the suggestion in the bug tracking system to consult the hosts file directly when using DNS over HTTPS.

jscher2000, you have been awsome through this process. I'm still researching and have some testing to perform but here is what I've found:

network.trr.excluded-domains https://wiki.mozilla.org/Trusted_Recursive_Resolver (then search on network.trr.excluded-domains)

"This pref can be used to make /etc/hosts works with DNS over HTTPS in Firefox."--from the above reference.

network.trr.excluded-domains
https://wiki.mozilla.org/Trusted_Recursive_Resolver (then search on network.trr.excluded-domains)

I think the practicality of using that preference depends on the number of domains you want to opt out from DoH. If it's a dozen, that wouldn't be too hard to maintain, but it might get impractical for long lists.

Also, in order to lock this list so it couldn't be cleared in about:config, you would need to use a mechanism such as Autoconfig or Policy.