nanog mailing list archives

Re: This DNS over HTTP thing


From: Brandon Martin <lists.nanog () monmotha net>
Date: Tue, 1 Oct 2019 03:47:58 -0400

On 10/1/19 3:38 AM, Stephane Bortzmeyer wrote:
>> It's use-application-dns.net.  NXDOMAIN it, and Mozilla (at least)
>> will go back to using your local DNS server list as per usual.
> Unless, I hope, the user explicitly overrides this. (Because this
> canary domain contradicts DoH's goals, by allowing the very party you
> don't trust to remotely disable security.)

Indeed. It seemed like a glaring hole in the implementation. The Mozilla page on the topic implies it's temporary until some sort of "standard" solution can be found, but since you will always have folks who control DNS and want/need to enforce something like this (enterprises, for example), I'm not sure how you'd go about this without resorting to e.g. group policy-like things, which is messy in its own right.

There are some additional checks for "enterprise" networks including checking whether "enterprise roots" is enabled which I guess is different from simply loading in extra root certificates. Why Mozilla and Google are SO insistent that I must not have control over my root certificate list is beyond me.

But yes, there's a Firefox pref to force it (or completely disable it regardless of the canary). Amusingly, unlike most of the actually-useful Firefox prefs, this one is apparently in the GUI [1]. It also allows you to pick the provider (Cloudflare or "custom", of course).

The bare about:config pref you want is "network.trr.mode". Short and sweet of it, set to 5 (off by choice), and it should disable the function entirely. 3 would be the opposite: always use it.

[1] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
--
Brandon Martin
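As an added illustration of the canary check discussed in this thread (not code from the thread or from Mozilla), the following Python builds the use-application-dns.net query, sends it over plain UDP/53 and classifies the resolver's reply: only a clean NXDOMAIN counts as the "fall back to local DNS" signal, while SERVFAIL/REFUSED or a mismatched reply is not a valid canary. The function names, the verdict strings and the constructed sample replies are my own.

```python
import socket
import struct

CANARY = "use-application-dns.net"  # Mozilla's DoH canary domain, as discussed above

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query (RD=1) for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def canary_verdict(query: bytes, response: bytes) -> str:
    """Classify a resolver's reply to the canary query.
    'nxdomain' -> resolver signals "do not use DoH" (Firefox falls back to local DNS)
    'answered' -> name resolves, canary is not set
    'invalid'  -> wrong id, not a response, or SERVFAIL/REFUSED (no canary signal)"""
    if len(response) < 12 or response[:2] != query[:2]:
        return "invalid"
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:          # QR bit must be set on a response
        return "invalid"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 0:
        return "answered"
    return "invalid"

def probe(resolver_ip: str, timeout: float = 2.0) -> str:
    """Send the canary query to a resolver over UDP/53 and classify the reply."""
    q = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return canary_verdict(q, data)

def sample_reply(query: bytes, rcode: int, with_answer: bool = False) -> bytes:
    """Constructed reply (not captured from a real resolver) for offline testing."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, given RCODE
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1 if with_answer else 0, 0, 0)
    body = query[12:]                            # echo the question section
    if with_answer:                              # A 192.0.2.1 (TEST-NET-1), name pointer to offset 12
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return hdr + body

if __name__ == "__main__":
    q = build_query(CANARY)
    print(canary_verdict(q, sample_reply(q, 3)))        # nxdomain
    print(canary_verdict(q, sample_reply(q, 0, True)))  # answered
    print(canary_verdict(q, sample_reply(q, 2)))        # invalid (SERVFAIL)
```

Run `probe("<resolver-ip>")` against your own resolver to confirm it returns `nxdomain` after you configure the canary.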
