How to use Bind response policy zone to stop Firefox from using DNS over HTTPS
torriem at gmail.com
Mon Sep 9 20:22:38 MDT 2019
On 9/9/19 7:58 PM, Andy Bradford wrote:
> Thus said Michael Torrie on Mon, 09 Sep 2019 15:04:09 -0600:
>> Ostensibly this is to protect users from bad actors who might alter
>> the DNS responses and redirect unsuspecting users to bogus sites for
>> nefarious purposes.
> And yet, it will funnel all DNS queries through centralized
> locations---it's much more difficult to hijack DNS in its current
> distributed form, but funnel it all through DoH and what have you got?
> In the article, it mentions this:
> If a user has chosen to manually enable DoH, the signal from the
> network will be ignored and the user's preference will be
> So, how does a *user* express his preference that this feature not be
> enabled? The article suggests DNS tricks, but typical users won't be
> doing that.
Individual users can turn it off or on in preferences, or they can go
into about:config and change "network.trr.mode" to "5." Why Mozilla
didn't make this opt-in I don't know.
This DNS thing is intended for organizations. But like you say, it's
getting hard to keep track of all these canary domains to disable
rubbish like this. Certainly if it's in the interests of ISPs to
control your DNS they could also implement the canary domain thing. So
I'm just not sure of the point.
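The Bind response policy zone (RPZ) approach named in the subject line, written out as an added example that is not part of the original thread: an RPZ entry that answers NXDOMAIN for Mozilla's canary name, use-application-dns.net, which Firefox probes before enabling DoH. The zone name "rpz.local", the file path and the SOA values are assumptions; as the quoted article says, the canary is only honoured when network.trr.mode is still at its default, not when a user has set it to 2 or 3 themselves.

```conf
// --- named.conf fragment (comments here use "//"; zone name and path are assumptions) ---
options {
    // keep your existing options; the only addition is the response-policy statement
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };   // RPZ data is consulted internally, never served to clients
};

; --- /etc/bind/db.rpz.local (zone-file comments use ";") ---
$TTL 300
@   IN SOA  localhost. root.localhost. ( 2019090901 3600 900 604800 300 )
@   IN NS   localhost.

; In RPZ, "CNAME ." is the action that rewrites the answer to NXDOMAIN.
; Names are relative to the zone origin, so no trailing dot on the owner names.
; Firefox sends A/AAAA queries for the canary; NXDOMAIN tells it to stay on the system resolver.
use-application-dns.net     CNAME .
*.use-application-dns.net   CNAME .
```

After `rndc reload`, `dig @127.0.0.1 use-application-dns.net A` should report status NXDOMAIN; if it returns A records, the response-policy statement is not being applied to that view.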