How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Michael Torrie torriem at gmail.com
Mon Sep 9 15:04:09 MDT 2019


As many of you know, recent releases of Firefox have implemented DNS over
HTTPS (their own idea as opposed to the standard DNS over TLS), which
bypasses your local DNS and uses Cloudflare's DNS server on port 443.
Ostensibly this is to protect users from bad actors who might alter the
DNS responses and redirect unsuspecting users to bogus sites for
nefarious purposes.  Mozilla has or will soon enable this by default.
However, in many organizations this is going to cause a lot of problems,
particularly if you have host names that resolve differently if you're
inside or outside of the organization, or if you're trying to implement
family-friendly DNS filtering on your network.

A solution to this is to configure your DNS server to respond with
NXDOMAIN (no such domain) to a query for "use-application-dns.net", which
will cause Firefox to revert to the normal DNS behavior.  See
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Here's how to do this with Bind, taken largely from this site:
https://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/

- Create a zone file called "rpz":
------
$TTL 1800	; 30 minutes
; SOA needs both the primary name server and a contact mailbox
; (the mailbox was missing here and the zone will not load without it;
; replace both placeholders with your own values)
@	IN SOA	yournameserver.domain. hostmaster.yournameserver.domain. (
		1          ; serial
		10800      ; refresh (3 hours)
		3600       ; retry (1 hour)
		604800     ; expire (1 week)
		38400      ; minimum (10 hours 40 minutes)
		)
@	IN NS	yournameserver.domain.
; CNAME to "." is the RPZ notation for "answer NXDOMAIN"
use-application-dns.net	IN CNAME	.
-----
You can also add other domains that you might want to block, such as
tracking and ad sites, sites you don't wish to access from your home,
etc., using the same CNAME . notation.

Then in named.conf, define the zone like this:
-----
zone "rpz" {
        type master;
        file "rpz";
        allow-query { none; };
        #allow-transfer { ...; }; #uncomment for slave servers
};
-----
Finally, in the options block in named.conf, add the following:
-----
response-policy { zone "rpz"; };
-----

After this, DNS should respond with domain not found to lookups to
use-application-dns.net, which will tell Firefox not to use DoH by
default, although I'm pretty sure you can manually enable DoH.
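A small check script, added here and not part of the original post, that queries a resolver for the canary name and reports whether it answers NXDOMAIN as the RPZ above intends. It assumes `dig` is installed; the dig output samples inside it are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: verify that a resolver returns NXDOMAIN for the Firefox
# DoH canary domain. Assumes `dig` (bind-utils / dnsutils) is available.
CANARY="use-application-dns.net"

# Pull the RCODE out of dig's "status: ..." header line.
rcode_from_dig() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Returns 0 when the resolver answers NXDOMAIN for the canary (Firefox
# will not enable DoH by default), 1 on any other answer or on timeout.
# $1 = resolver address, $2 = name to query (defaults to the canary).
canary_blocked() {
    out=$(dig +time=2 +tries=1 @"$1" "${2:-$CANARY}" A 2>/dev/null) || return 1
    [ "$(rcode_from_dig "$out")" = "NXDOMAIN" ]
}

# Human-readable report for one resolver; exit status mirrors the check.
report() {
    if canary_blocked "$1"; then
        echo "OK: $1 returns NXDOMAIN for $CANARY"
    else
        echo "WARNING: $1 does not return NXDOMAIN for $CANARY; check the RPZ setup"
        return 1
    fi
}

# Constructed dig output samples (not captured from a real server) used to
# exercise rcode_from_dig without network access.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

Source the file and run `report 127.0.0.1` on the BIND host itself; the plain NXDOMAIN (as opposed to a rewritten A record) is what the RPZ CNAME-to-dot entry should produce.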

