How to use Bind response policy zone to stop Firefox from using DNS over HTTPS
joel at finlinson.net
Mon Sep 9 22:34:07 MDT 2019
Looks like Google wants in on the game with Chrome too.
<https://support.google.com/chrome/a/thread/10152459?hl=en#> Chrome Browser
This is a heads-up about our short-term plans for DNS over HTTPS in
- please feel free to provide your comments there or on this blog post.
DNS over HTTPS is, as the name implies, a protocol to perform Domain Name
System resolution over HTTPS, i.e. converting a site name into an IP
address over an encrypted channel.
Most DNS resolution today occurs over an unencrypted channel. This is bad
for privacy and for security reasons. Anyone who is on-path can eavesdrop
on your browsing habits or even tamper with the resolution to have you
navigate to a phishing website or an “access blocked” page for censored
sites (see https://tools.ietf.org/html/rfc7626#section-3 for examples).
This is a complex space and our short-term plans won't necessarily solve or
mitigate all these issues but are nevertheless steps in the right direction.
On Mon, Sep 9, 2019 at 10:09 PM Jason Healy <jason at jhealy.net> wrote:
> For those that use pihole for DNS level filtering, there was a pull
> request merged 2 days ago to return an NXDOMAIN for this request.
> On 2019-09-09 20:55, Andy Bradford wrote:
> > Thus said Michael Torrie on Mon, 09 Sep 2019 20:45:54 -0600:
> >> I'm pretty sure that if Firefox is trying DoH and it fails for
> >> whatever reason, it will fall back to normal DNS. On Slashdot several
> >> folk talked about blocking the Cloudflare DNS servers' IP addresses.
> > Yes, according to their wiki, it will blacklist domains that fail to
> > resolve via DoH for a period of time and use normal DNS resolver.
> >> Currently they are getting a lot of flak over this move to enable DoH
> >> by default, so we'll have to see if they bow to pressure and reverse
> >> this.
> > I've already changed network.trr.mode to 5 on all of my Firefox profiles
> > that I can at the moment.
> > There's one question I have... in the network.trr.confirmationNS there
> > is example.com---I wonder if I need to block this as well:
> > https://wiki.mozilla.org/Trusted_Recursive_Resolver
> > Of course, these are the current defaults and I wonder if I don't alter
> > the defaults if Mozilla will assume that it's alright to modify the
> > default and thus undo any blocking I might have made.
> > Andy
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
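The subject line of this thread names the resolver-side approach (a BIND response policy zone) and Jason's Pi-hole note describes the same idea (answer Firefox's canary lookup with NXDOMAIN). The following is an added example written for this page, not configuration posted by anyone in the thread or shipped by Mozilla, Pi-hole or ISC. The canary name use-application-dns.net and the default TRR endpoint host mozilla.cloudflare-dns.com come from Mozilla's TRR documentation, not from this page; the zone name rpz.local, the file path and the serial are placeholders you would change for your own resolver.

```bind
// ---- named.conf fragment (recursive resolver) ----
// Attach a response policy zone; policy answers override recursion results
// for the names listed in the zone.  Assumed zone name: rpz.local.
options {
    // ... your existing recursion / listen-on / allow-query settings ...
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   // assumed path
    allow-query { none; };           // clients never query the policy zone directly
};

// ---- /etc/bind/db.rpz.local ----
// RPZ zones must be syntactically valid zones, so SOA and NS records are required
// even though nobody will ever ask for them.
$TTL 300
@   IN  SOA localhost. root.localhost. ( 2019091001 3600 900 604800 300 )
    IN  NS  localhost.

; Firefox canary.  Before enabling DoH in its default rollout mode (trr.mode 2)
; Firefox resolves use-application-dns.net with the system resolver; an NXDOMAIN
; answer is the signal "this network does not want DoH".  "CNAME ." is the RPZ
; action that returns NXDOMAIN.
use-application-dns.net     CNAME .
*.use-application-dns.net   CNAME .

; Belt and braces: Firefox bootstraps the TRR endpoint name through the system
; resolver too.  Returning NXDOMAIN for it makes the DoH attempt fail, and in
; mode 2 Firefox then falls back to the native resolver, as Michael describes.
mozilla.cloudflare-dns.com  CNAME .
```

Reload with rndc reload, then from a client behind the resolver check that dig use-application-dns.net returns status NXDOMAIN (and that an unrelated name still resolves). Two caveats: the canary is only honored by the default rollout mode, so a profile that has network.trr.mode set to 3 (DoH only, no fallback) ignores it, and a user who has already set mode 5 as Andy did needs none of this; and this blocks by hostname, so a client configured with a different DoH provider, or with network.trr.bootstrapAddress pointed at an IP, is not covered by the second policy record.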