How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Michael Torrie torriem at
Mon Sep 9 20:22:38 MDT 2019

On 9/9/19 7:58 PM, Andy Bradford wrote:
> Thus said Michael Torrie on Mon, 09 Sep 2019 15:04:09 -0600:
>> Ostensibly this  is to protect users  from bad actors who  might alter
>> the DNS responses  and redirect unsuspecting users to  bogus sites for
>> nefarious purposes.
> And  yet,   it  will   funnel  all   DNS  queries   through  centralized
> locations---it's  much more  difficult  to hijack  DNS  in its  current
> distributed form, but funnel it all through DoH and what have you got?
> In the article, it mentions this:
>     If a user has chosen to manually enable DoH, the signal from the
>     network  will  be ignored  and  the  user's preference  will  be
>     honored.
> So, how  does a *user* express  his preference that this  feature not be
> enabled? The  article suggests  DNS tricks, but  typical users  won't be
> doing that.

Individual users can turn it off or on in preferences, or they can go
into about:config and change "network.trr.mode" to "5."  Why Mozilla
didn't make this opt-in I don't know.

This DNS thing is intended for organizations. But like you say, it's
getting hard to keep track of all these canary domains to disable
rubbish like this.  Certainly if it's in the interests of ISPs to
control your DNS they could also implement the canary domain thing.  So
I'm just not sure the point.
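
Since the subject line asks how to do this with a Bind response policy zone, here is the configuration as an added example (it is not part of the thread above). The canary name use-application-dns.net is the one Mozilla documents for this opt-out signal; the zone name rpz.local and the zone file path are assumptions.

```text
// ---- named.conf (global statement or inside the options block) ----
// Attach the policy zone to the recursive resolver. The zone name and
// file path below are assumptions for this example.
response-policy { zone "rpz.local"; };

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };   // consulted internally by RPZ, never served to clients
};

; ---- /etc/bind/db.rpz.local ----
$TTL 300
@   IN SOA  localhost. root.localhost. ( 2019090901 3600 900 604800 300 )
@   IN NS   localhost.
; "CNAME ." is the RPZ action that rewrites the answer to NXDOMAIN.
; Firefox treats NXDOMAIN (or an answer with no A/AAAA record) for this
; canary name as "this network opts out of application DNS" and leaves
; DoH off, unless the user turned it on by hand (network.trr.mode).
use-application-dns.net     CNAME .
*.use-application-dns.net   CNAME .
```

After reloading named, `dig @127.0.0.1 use-application-dns.net` from a client of this resolver should answer NXDOMAIN. As the thread notes, a browser whose user manually enabled DoH ignores this signal, so the zone only covers the default configuration.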
