How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Joel Finlinson joel at
Mon Sep 9 22:34:07 MDT 2019

Looks like Google wants in on the game with Chrome too.

Chrome Browser Enterprise
DNS-over-HTTPS Setting
Hi all,

This is a heads up about our short term plans for DNS over HTTPS in
Chrome (design
- please feel free to provide your comments there or on this blog post.

DNS over HTTPS is, as the name implies, a protocol to perform Domain Name
System resolution over HTTPS, i.e. converting a site name into an IP
address over an encrypted channel.

Most DNS resolution today occurs over an unencrypted channel. This is bad
for privacy and for security reasons. Anyone who is on-path can eavesdrop
on your browsing habits or even tamper with the resolution to have you
navigate to a phishing website or an “access blocked” page for censored
sites (see for examples).

This is a complex space and our short term plans won’t necessarily solve or
mitigate all these issues but are nevertheless steps in the right direction.

On Mon, Sep 9, 2019 at 10:09 PM Jason Healy <jason at> wrote:

> For those that use pihole for DNS level filtering, there was a pull
> request merged 2 days ago to return an NXDOMAIN for this request.
> On 2019-09-09 20:55, Andy Bradford wrote:
> > Thus said Michael Torrie on Mon, 09 Sep 2019 20:45:54 -0600:
> >
> >> I'm pretty sure that if Firefox is trying DoH and it fails for
> >> whatever reason, it will fall back to normal DNS. On Slashdot several
> >> folk talked about blocking the Cloudflare DNS servers' IP addresses.
> > Yes, according to their wiki, it will blacklist domains that fail to
> > resolve via DoH for a period of time and use normal DNS resolver.
> >
> >> Currently they are getting a lot of flack over this move to enable DoH
> >> by default, so we'll have to see if they bow to pressure and reverse
> >> this.
> > I've already changed network.trr.mode to 5 on all of my Firefox profiles
> > that I can at the moment.
> >
> > There's one question I have... in the network.trr.confirmationNS there
> > is wonder if I need to block this as well:
> >
> >
> >
> > Of course, these are the current defaults and I wonder if I don't alter
> > the defaults if Mozilla will assume that it's alright to modify the
> > default and thus undo any blocking I might have made.
> >
> > Andy
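Following the NXDOMAIN approach Jason describes for Pi-hole, here is the equivalent for the BIND response policy zone named in the subject line. This is an added example, not a configuration posted in the thread; the zone name rpz.local, the file path, and the use of Mozilla's canary domain use-application-dns.net (not named anywhere in the thread) are assumptions.

```conf
# --- named.conf fragment (added example, not from the thread) ---
# Attach one response policy zone to the recursive resolver. Clients keep
# querying the resolver as before; the RPZ rewrites only matching answers.
options {
    # ... existing options ...
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";   # path is an assumption
    allow-query { none; };           # the policy zone is never served directly
    allow-transfer { none; };
};

; --- /etc/bind/db.rpz.local (added example; a separate file in practice) ---
$TTL 300
@       IN SOA  localhost. root.localhost. (
                2019091001 ; serial: bump on every change
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
        IN NS   localhost.

; Policy: "CNAME ." makes BIND answer NXDOMAIN for the name and for
; everything under it. Firefox treats NXDOMAIN for its canary domain as
; the signal to leave DoH off and keep using the configured resolver
; (canary domain is an assumption, see lead-in).
use-application-dns.net      IN CNAME .
*.use-application-dns.net    IN CNAME .
```

After `rndc reload`, `dig @<resolver> use-application-dns.net` should return status NXDOMAIN; run that check before relying on the policy.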
