Why Firefox Can Ignore OS System Proxy Around Clash

Most Chromium-based browsers quietly follow whatever the operating system declares for HTTP(S) proxies—exactly what you want after Clash pushes system proxy to 127.0.0.1 plus your YAML mixed-port. Firefox does not blindly mirror that behaviour. Gecko ships explicit network preferences, sandboxed DNS features, telemetry-friendly connectivity pings, and a history of resisting silent proxy injection for sensible security reasons. Separately, routing through the tunnel interface (see Clash TUN mode basics) often “just works” for every app because packets enter the Mihomo-compatible core regardless of Firefox’s opinion—while system proxy alone actually requires Firefox to honour the PAC or manual table you exported from the tray client. Misunderstanding those layers wastes hours rewriting Clash YAML when nothing is wrong on the outbound side.

Symptoms fall into predictable buckets you should triage deliberately. Tabs still complete TLS to foreign CDNs despite your domestic-only YAML because DNS over HTTPS (DoH) skips your ISP—but also skips the UDP/TCP DNS path Clash rewrote. You tweaked network.proxy.http_port years ago during a captive Wi-Fi session, so HTTPS still hops through SOCKS even though Windows now points nowhere near that port; about:debugging listing add-ons alone will not magically restore OS defaults. Containers, private windows, profiles, enterprise policies (policies.json), CSP/HSTS exceptions, outdated mixed-content blocks, extensions that ship their own proxy engines—each overlaps with “Clash ignores me” anecdotes. Isolate variables: temporarily launch with a pristine profile (-P profile manager), keep one window, uninstall extensions suspected of pinning upstreams—and never compare unrelated guides that assume Chromium plus SwitchyOmega when you deliberately run stock Firefox beside Clash YAML routing best practices.

DNS over HTTPS Versus Resolver Inside Clash

When observers say “DNS leaks direct,” they mean the authoritative answer never traversed Mihomo—even if the subsequent TCP flows through DIRECT or proxy policy afterward. Turning on Clash DNS with fake-ip sniffing aligns rule matches with sniffed hostnames (Configure Clash Meta DNS: nameserver, fallback, fake-ip-filter), yet Firefox keeps an independent knob: Secure DNS (“network.trr” family) can forward queries to Mozilla, Cloudflare, NextDNS, etc., using HTTPS—even when the underlying OS resolver would have sent UDP to localhost. Disconnect the two paths in your mental model—TLS session health may look flawless while GEOIP lookups still ingest wrong countries because PTR-style answers came from bootstrap resolvers untouched by Mihomo routing.

Recommended sequence for testers on permitted networks:

  1. Open Settings → Privacy & Security, locate DNS over HTTPS, flip to Off (sometimes labelled “Increase security” toggle). Completely disabling DoH aligns native resolver behaviour with whichever stack your OS inherits from Clash for that session.
  2. Advanced users may alternatively set resolver mode to OS default using about:networking#dns diagnostics—but confirm the effective TRR (trusted recursive resolver) mode afterward in about:support → Application Basics; anything other than explicitly off means lingering encrypted DNS hops.
  3. Reconnect your YAML tweaks for nameserver chaining if you mirrored earlier guidance on fake-ip exclusions and bypass lists from IPv6 dual-stack troubleshooting articles such as Clash IPv6 dual-stack leak checks when both AAAA paths must align.

After flipping DoH off, revisit your Clash log—DNS decisions should converge with domain-based rules (DOMAIN-SUFFIX, GEOSITE) plus fake-ip interplay you already configured. Persisting inconsistencies often mean policy order issues rather than resolver bugs; cross-check sequencing using GEOIP precedence guidance from Clash rules match order troubleshooting before accusing Firefox silently.

Mozilla occasionally ships regional defaults that auto-upgrade DNS—revisit your profile after Firefox updates; “Off” historically stuck, but rollout experiments change—verify after each quarterly release.

Firefox Settings Before about:config

Before editing raw preferences, skim the visible UI—not because it magically fixes everything but because stray manual overrides lurk beneath friendly labels:

Afterwards, reopen the site in a wholly new profile (-no-remote testing) minus extensions to confirm quirks come from Gecko preferences—not WebRTC overlays that require WebRTC containment steps.

Essential network.proxy and network.trr Prefs

Type about:config; accept risk prompt on machines you legally administer. Useful entries (exact names drift across ESR versus rapid release clusters—Mozilla documents canonical strings in source tree and SUMO periodically):

firefox about:config — prioritize these families

# DNS over HTTPS bootstrap and mode
network.trr.mode (0 — off unless you intentionally re-enable encrypted DNS elsewhere)
network.trr.bootstrapAddress (often empty when disabling)

# Proxy subsystem
network.proxy.type (0=no proxy, 1=manual, 2=PAC URL, 4=system proxy, 5=SOCKS isolated)
network.proxy.http / ssl / socks & companions (blank when leaning on OS)
network.proxy.socks_remote_dns (normally false unless routing DNS through SOCKS intentionally)

# Optional hardening resets
network.dns.disablePrefetch / network.predictor.* (helps isolate stray speculative resolves)

Interpret network.proxy.type carefully:

After resets, bounce Firefox fully (graceful shutdown, not merely closing tabs) because network stacks cache proxy handles per process lifecycle—mirroring best practices gleaned while debugging TLS interruptions during Clash handshake log analysis.
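As an added example (not from the original page, and not Firefox's or Clash's own tooling), a small Python audit that parses a profile's prefs.js or user.js and flags the network.trr and network.proxy overrides listed above. The sample prefs and the finding texts are constructed for illustration; the script only sees user-set values, so rollout or enterprise defaults still need the about:support check.

```python
import re
# One prefs.js / user.js entry looks like:  user_pref("network.trr.mode", 2);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    # Returns {name: value}; values become bool, int or str to match Gecko's own types.
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:  # quoted string (escapes unwrapped); anything exotic is kept verbatim
            prefs[name] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return prefs

def audit_prefs(prefs):
    # Flags overrides that make Gecko diverge from the OS-level proxy and resolver. Only
    # user-set values reach prefs.js, so every entry is a deliberate or leftover override;
    # rollout and enterprise defaults are invisible here and need the about:support check.
    findings = []
    trr = prefs.get("network.trr.mode", 0)
    if trr not in (0, 5):  # 0 = off (default), 5 = off by explicit choice
        findings.append(f"network.trr.mode={trr}: encrypted DNS still active, skips the OS resolver")
    if prefs.get("network.trr.uri") or prefs.get("network.trr.bootstrapAddress"):
        findings.append("network.trr.uri/bootstrapAddress set: leftover DoH scaffolding")
    ptype = prefs.get("network.proxy.type")
    if ptype is not None:
        findings.append(f"network.proxy.type={ptype}: explicit override, compare with the tray export")
    for proto in ("http", "ssl", "socks"):
        host, port = prefs.get(f"network.proxy.{proto}"), prefs.get(f"network.proxy.{proto}_port")
        if host or port:
            findings.append(f"network.proxy.{proto}={host!r} port={port!r}: stale manual proxy entry")
    if prefs.get("network.proxy.socks_remote_dns"):
        findings.append("network.proxy.socks_remote_dns=true: DNS rides the SOCKS path")
    return findings

# Constructed sample of a profile still carrying captive-Wi-Fi era overrides.
SAMPLE_PREFS = """\
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 7891);
user_pref("network.proxy.socks_remote_dns", true);
"""
```

Point parse_prefs at the prefs.js inside the profile directory shown under about:support → Profile Folder, then read audit_prefs' findings before the full restart.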

Captive Portal and Connectivity Checks

Gecko periodically probes captive-portal diagnostics—think HTTP GET probes toward known endpoints verifying whether hotspots demand login—which can briefly appear as unsolicited traffic outside your proxy policy. Administrators sometimes disable these checks aggressively in the captiveportal.* and network.connectivity-service.* pref trees to reduce noise behind strict MITM gateways. While unrelated to SOCKS authenticity, contradictory symptoms (“Firefox loads captive-check host direct”) amplify confusion precisely when diagnosing split routes. Decide consciously: disabling connectivity checks trades convenience for deterministic logging—fine in lab rigs, dubious on laptops roaming campuses.

Do not wholesale disable captive portal probing on unmanaged corporate laptops—you may silently lose awareness of walled-garden redirect requirements your security policy expects.

TUN Versus SOCKS: What Firefox Controls

If you escalate to transparent capture—Clash binds a virtual NIC and steers outbound flows without asking each app’s SOCKS settings—Firefox behaviour becomes orthogonal; you mostly confirm that Clash—not Firefox—captures SYN packets appropriately. Conversely, SOCKS proxy mode hinges on trusting both OS-level exports and Gecko proxy preferences plus optional socks-remote-dns toggles aligning DNS with the SOCKS path. Mixed stacks—say TUN capturing everything while Firefox insists on SOCKS to 127.0.0.1 twice—replay routing loop anecdotes similar to layering browser extensions improperly (compare duplicate proxy stories in SwitchyOmega cross-talk).

Apple Silicon or Intel Mac users juggling system extensions occasionally mis-order toggles; walk their specialized cleanup path if TUN approvals fight legacy proxy toggles concurrently—reuse macOS TUN approvals alongside proxy conflicts troubleshooting before ripping apart Firefox internals.

Returning to parity: whichever layer “owns routing,” minimise Firefox-exclusive overrides inconsistent with YAML—matching the intention behind global Clash versus monolithic VPN models where deliberate policy—not implicit browser heuristics—steers egress.

Verification: Separate DNS Symptoms from TLS Path

Build a repeatable checklist—noticing whether symptoms stem from malformed DNS resolutions versus blocked TCP egress:

  1. Open dns.google/query externally referencing the suspicious hostname—but avoid leaking sensitive internal names; redact corp segments when practising.
  2. Use curl without -x, then with explicit -x http://127.0.0.1:MIXED; compare HTTP status codes versus Firefox inside identical profile sandbox.
  3. Observe Clash dashboards for matching rules—duplicate hits on DIRECT unexpectedly often trace to DNS-derived IP classification errors rather than SOCKS bypass.
  4. Inspect about:networking#dns after reproducing—a quick glance illuminates leftover TRR scaffolding.
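Both the Clash log revisit after turning DoH off and step 3 above come down to one question: did Clash match on a hostname it learned through fake-ip and sniffing, or only on an IP address the browser had already resolved elsewhere? The following Python triage, added here and not part of the original page or of Clash/Mihomo, answers it over connection-log lines; the line format and the sample lines are constructed assumptions, so adjust the pattern to your own log output.

```python
import ipaddress
import re
# Assumed line shape (constructed; real Clash/Mihomo output varies by version, so adjust):
#   [TCP] <src>:<port> --> <dst>:<port> match <Rule>(<payload>) using <policy>
_CONN_RE = re.compile(
    r"\[(?P<proto>TCP|UDP)\]\s+(?P<src>\S+)\s+-->\s+(?P<dst>.+):(?P<dport>\d+)"
    r"\s+match\s+(?P<rule>[A-Za-z-]+)(?:\((?P<payload>[^)]*)\))?\s+using\s+(?P<policy>\S+)"
)
DOMAIN_RULES = {"Domain", "DomainSuffix", "DomainKeyword", "GeoSite"}  # need a hostname
IP_RULES = {"GeoIP", "IPCIDR", "SrcIPCIDR", "Match"}                    # an address suffices

def is_ip_literal(dst):
    # True for a bare IPv4/IPv6 address (IPv6 arrives bracketed), False for a hostname.
    try:
        ipaddress.ip_address(dst.strip("[]"))
        return True
    except ValueError:
        return False

def classify_flow(line):
    # Returns the flow fields plus whether the matching rule saw a name or only an IP.
    m = _CONN_RE.search(line)
    if not m:
        return None
    dst, rule = m.group("dst"), m.group("rule")
    # A domain rule means fake-ip/sniffing handed Clash the hostname; an IP-literal
    # destination on an address rule means DNS was answered outside the core (e.g. DoH).
    kind = ("domain-classified" if rule in DOMAIN_RULES
            else "ip-classified" if is_ip_literal(dst) and rule in IP_RULES else "other")
    return {"dst": dst, "rule": rule, "policy": m.group("policy"), "kind": kind}

def triage(log_text):
    # Counts each kind and lists IP-only flows that fell through to DIRECT.
    counts = {"domain-classified": 0, "ip-classified": 0, "other": 0}
    suspects = []
    for line in log_text.splitlines():
        flow = classify_flow(line)
        if flow is None:
            continue
        counts[flow["kind"]] += 1
        if flow["kind"] == "ip-classified" and flow["policy"] == "DIRECT":
            suspects.append(flow["dst"])
    return counts, suspects
# Constructed sample: two hostname matches, two flows Clash only ever saw as IPs.
SAMPLE_LOG = """\
[TCP] 192.168.1.20:50112 --> www.example.com:443 match DomainSuffix(example.com) using Proxy
[TCP] 192.168.1.20:50113 --> 203.0.113.8:443 match GeoIP(CN) using DIRECT
[TCP] 192.168.1.20:50114 --> 198.51.100.7:443 match Match using Proxy
[TCP] 192.168.1.20:50115 --> cdn.example.net:443 match GeoSite(geolocation-!cn) using Proxy
"""
```

A high ip-classified share with DoH still on, dropping to near zero after it is switched off, is the resolver-drift signature; if the share stays high with DoH off, look at proxy prefs or extensions rather than the YAML.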

Persisting contradictory outcomes between curl and Firefox after DoH disables and pref resets pinpoint extension interference or hardened enterprise policies—you may need organisational MDM exemptions rather than more YAML rewriting.

If evidence points toward transport failures instead of resolver drift, escalate using connection journal patterns described for upstream TLS errors across generic proxy stacks—borrow diagnostic rhythm from consolidated logging walkthrough material above without duplicating Mihomo internals here.

Reset or New Profile Without Losing the Point

When experimentation spirals—themes, decades-old addons, mutated prefs—Firefox’s Refresh or brand-new lightweight profile cleanly removes crusty leftovers while preserving bookmarks through export/import flows. Automated “Refresh Firefox” nukes brittle network states yet keeps essentials; pair that with reaffirming system proxy correctness from Clash’s tray icon before blaming Mozilla.

Document what you flipped in version control—even a tiny Markdown note referencing baseline Clash YAML commit hash plus Firefox preference snapshot reduces weekend regressions when upstream subscriptions mutate weekly inside public rule providers mirrored by routing best practices guides already cited.

Ultimately Firefox adds transparency and control—you simply align those powers with Mihomo-era expectations: DoH off unless intentionally managed, Gecko proxy prefs matching OS truths, captive portal behaviour consciously chosen. Compared with juggling opaque browser extensions layering chaos atop Clash tray automation, consolidating policy inside Mihomo-compatible cores plus deliberate Firefox toggles restores predictability comparable to cleanly ordered YAML evaluated under GEOIP stewardship rulesets once DNS answers finally align.

Download Clash for free and experience the difference through our central hub—a desktop build that exposes listener ports, system proxy parity, tunnel state, live domain matches, leaving Firefox as the standards-compliant rendering surface—not the accidental policy engine.