How to use Bind response policy zone to stop Firefox from using DNS over HTTPS

Joel Finlinson joel at finlinson.net
Mon Sep 9 22:34:07 MDT 2019


Looks like Google wants in on the game with Chrome too.

https://support.google.com/chrome/a/thread/10152459?hl=en

Chrome Browser Enterprise <https://support.google.com/chrome/a/profile/1532550?hl=en>, 7/18/19
DNS-over-HTTPS Setting
Hi all,

This is a heads up about our short term plans for DNS over HTTPS in
Chrome (design doc
<https://docs.google.com/document/d/1D70Ye_bIaitFlrF3A7p_8QX9xY0YbV_ytQcQwm-7LGU/edit?usp=sharing>)
- please feel free to provide your comments there or on this blog post.

DNS over HTTPS is, as the name implies, a protocol to perform Domain Name
System resolution over HTTPS, i.e. converting a site name into an IP
address over an encrypted channel.

*Motivation*
Most DNS resolution today occurs over an unencrypted channel. This is bad
for privacy and for security reasons. Anyone who is on-path can eavesdrop
on your browsing habits or even tamper with the resolution to have you
navigate to a phishing website or an “access blocked” page for censored
sites (see https://tools.ietf.org/html/rfc7626#section-3 for examples).

This is a complex space and our short term plans won’t necessarily solve or
mitigate all these issues but are nevertheless steps in the right direction.

On Mon, Sep 9, 2019 at 10:09 PM Jason Healy <jason at jhealy.net> wrote:

> For those that use pihole for DNS level filtering, there was a pull
> request merged 2 days ago to return an NXDOMAIN for this request.
>
> https://github.com/pi-hole/pi-hole/pull/2915
>
> On 2019-09-09 20:55, Andy Bradford wrote:
> > Thus said Michael Torrie on Mon, 09 Sep 2019 20:45:54 -0600:
> >
> >> I'm pretty sure that if Firefox is trying DoH and it fails for
> >> whatever reason, it will fall back to normal DNS. On Slashdot several
> >> folk talked about blocking the Cloudflare DNS servers' IP addresses.
> > Yes, according to their wiki, it will blacklist domains that fail to
> > resolve via DoH for a period of time and use the normal DNS resolver.
> >
> >> Currently they are getting a lot of flak over this move to enable DoH
> >> by default, so we'll have to see if they bow to pressure and reverse
> >> this.
> > I've already changed network.trr.mode to 5 on all of my Firefox profiles
> > that I can at the moment.
> >
> > There's one question I have... in the network.trr.confirmationNS there
> > is example.com. I wonder if I need to block this as well:
> >
> > https://wiki.mozilla.org/Trusted_Recursive_Resolver
> >
> > Of course, these are the current defaults and I wonder, if I don't alter
> > the defaults, whether Mozilla will assume that it's alright to modify the
> > default and thus undo any blocking I might have made.
> >
> > Andy
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
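For reference, here is the BIND response policy zone approach the subject line refers to, written out as an added example (not posted by anyone in this thread). It returns NXDOMAIN for the Firefox DoH canary domain use-application-dns.net, which is the same check the Pi-hole pull request above answers with NXDOMAIN; the zone name rpz.local and the file path are assumptions, adjust them to your layout.

```zone
; Added example: RPZ zone that makes Firefox's DoH canary lookup return NXDOMAIN.
; Assumed zone name "rpz.local" and file path /etc/bind/db.rpz.local.
;
; Wire it into named.conf (inside options {} or the relevant view {}):
;   response-policy { zone "rpz.local"; };
;   zone "rpz.local" {
;       type master;
;       file "/etc/bind/db.rpz.local";
;       allow-query { none; };   ; never serve the policy zone itself to clients
;   };
;
$TTL 300
@   IN SOA  localhost. root.localhost. (
            2019091001 ; serial, bump on every change
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN NS   localhost.

; Firefox resolves use-application-dns.net before turning DoH on in its
; default (not user-forced) configuration. In RPZ, "CNAME ." is the action
; that rewrites the answer to NXDOMAIN, which tells Firefox to keep using
; the system resolver. The wildcard covers any labels under the canary name.
use-application-dns.net      CNAME .
*.use-application-dns.net    CNAME .
```

After `rndc reload`, `dig @127.0.0.1 use-application-dns.net` should answer NXDOMAIN (the rewrite is also visible in the named log when RPZ logging is on). This only affects Firefox's default-on DoH: a profile where network.trr.mode was set to 2 or 3 by hand ignores the canary, so the client-side setting Andy mentions is still needed there.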