How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Michael Torrie torriem at gmail.com
Mon Sep 9 20:45:54 MDT 2019


On 9/9/19 8:41 PM, Andy Bradford wrote:
> Thus said Michael Torrie on Mon, 09 Sep 2019 20:22:38 -0600:
> 
>> Individual users can turn it off or on in preferences, or they can go
>> into about:config and change "network.trr.mode" to "5". Why Mozilla
>> didn't make this opt-in I don't know.
> 
> Indeed. So when I browse to
> 
> Options->General->Network Settings->Settings
> 
> I see a checkbox labeled "Enable DNS over HTTPS". It is not currently
> checked, and it has a default DoH setting (greyed out) of:
> 
> https://mozilla.cloudflare-dns.com/dns-query
> 
> I wonder what the implications would be if I also hijack
> mozilla.cloudflare-dns.com on my DNS resolvers... I'm going to find out.

I'm pretty sure that if Firefox is trying DoH and it fails for whatever
reason, it will fall back to normal DNS.  On Slashdot several folk
talked about blocking the Cloudflare DNS servers' IP addresses.

Knowing some of the strange things they've done, I could totally see
them throwing up a warning to the user if it ever falls back to normal
DNS saying something like "warning, your name resolver is
untrustworthy."  Currently they are getting a lot of flak over this
move to enable DoH by default, so we'll have to see if they bow to
pressure and reverse this.
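An added example of the Bind response policy zone the subject line refers to (not code from this thread): an RPZ zone file that returns NXDOMAIN for the default DoH endpoint Andy quoted above, so Firefox's DoH setup fails and falls back to the local resolver. The zone name rpz.local and the file path are assumptions; the canary record at the end uses Mozilla's documented use-application-dns.net domain, which the thread itself does not mention.

```bind
; /etc/bind/db.rpz.local  (added example; zone name and path are assumptions)
$TTL 60
@   IN  SOA localhost. root.localhost. (
            2019090901  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            60 )        ; negative-cache TTL
    IN  NS  localhost.

; In RPZ, "CNAME ." is the action that makes named answer NXDOMAIN for
; the trigger name. This is the default DoH endpoint Firefox ships with,
; quoted in the thread, plus any label under it.
mozilla.cloudflare-dns.com      IN CNAME .
*.mozilla.cloudflare-dns.com    IN CNAME .

; Mozilla's canary domain (not discussed in the thread): an NXDOMAIN here
; tells Firefox in its default mode to disable DoH outright, which does
; not rely on the fallback behaviour Michael describes.
use-application-dns.net         IN CNAME .
```

Enable it with `response-policy { zone "rpz.local"; };` in the `options { }` block plus `zone "rpz.local" { type master; file "/etc/bind/db.rpz.local"; allow-query { none; }; };`, then run `named-checkzone rpz.local /etc/bind/db.rpz.local` and `rndc reload`. Verify with `dig @127.0.0.1 mozilla.cloudflare-dns.com`, which should now return status NXDOMAIN.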
