How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Andy Bradford amb-sendok-1570676112.fpdmbpdjhnomfcgbojff at
Mon Sep 9 20:55:12 MDT 2019

Thus said Michael Torrie on Mon, 09 Sep 2019 20:45:54 -0600:

> I'm  pretty sure  that  if Firefox  is  trying DoH  and  it fails  for
> whatever reason, it will fall back  to normal DNS. On Slashdot several
> folk talked about blocking the Cloudflare DNS servers' IP addresses.

Yes, according  to their wiki,  it will  blacklist domains that  fail to
resolve via DoH for a period of time and use the normal DNS resolver.

> Currently they are getting a lot of flak over this move to enable DoH
> by default, so we'll  have to see if they bow  to pressure and reverse
> this.

I've already changed network.trr.mode to 5 on all of my Firefox profiles
that I can at the moment.

There's one  question I have... in  the network.trr.confirmationNS there
is wonder if I need to block this as well:

Of course, these are the current defaults  and I wonder if I don't alter
the defaults  if Mozilla  will assume  that it's  alright to  modify the
default and thus undo any blocking I might have made.
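
[Added example, not part of the original message:] one way to check which Firefox profiles actually have network.trr.mode set to 5, as described in the message above. The function names, the profile directory names and the sample profile contents are constructed for illustration; it assumes each profile directory holds the usual prefs.js and optional user.js.

```python
import re
import tempfile
from pathlib import Path

# Matches lines such as: user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
TRR_MODE = "network.trr.mode"

def read_prefs(path):
    """Return {name: raw value string} parsed from a prefs.js or user.js file."""
    prefs = {}
    if path.is_file():
        for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
            m = PREF_RE.match(line)
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs

def audit_profiles(root):
    """Map each profile dir to its network.trr.mode (user.js overrides prefs.js; None = unset)."""
    report = {}
    for profile in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        merged = read_prefs(profile / "prefs.js")
        merged.update(read_prefs(profile / "user.js"))
        raw = merged.get(TRR_MODE, "")
        report[profile.name] = int(raw) if raw.isdigit() else None
    return report

def not_disabled(report):
    """Profiles where DoH is not explicitly switched off (mode other than 5)."""
    return [name for name, mode in report.items() if mode != 5]

def build_sample_root():
    """Constructed sample data: three made-up profiles in a temp directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa.default": {"prefs.js": 'user_pref("network.trr.mode", 5);\n'},
        "bbbb.work": {"prefs.js": 'user_pref("network.trr.mode", 2);\n',
                      "user.js": 'user_pref("network.trr.mode", 5);\n'},
        "cccc.test": {"prefs.js": 'user_pref("browser.startup.page", 3);\n'},
    }
    for name, files in samples.items():
        (root / name).mkdir()
        for fname, text in files.items():
            (root / name / fname).write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(not_disabled(audit_profiles(build_sample_root())))
```

Point `audit_profiles` at a real profiles directory to list the profiles that still rely on the default rather than an explicit 5.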



