nanog mailing list archives
Re: This DNS over HTTP thing
From: Brandon Martin <lists.nanog () monmotha net>
Date: Tue, 1 Oct 2019 03:47:58 -0400
On 10/1/19 3:38 AM, Stephane Bortzmeyer wrote:
> > It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using your local DNS server list as per usual.
>
> Unless, I hope, the user explicitly overrides this. (Because this canary domain contradicts DoH's goals, by allowing the very party you don't trust to remotely disable security.)
Indeed. It seemed like a glaring hole in the implementation. The Mozilla page on the topic implies it's temporary until some sort of "standard" solution can be found, but since you will always have folks who control DNS and want/need to enforce something like this (enterprises, for example), I'm not sure how you'd go about this without resorting to e.g. group policy-like things which is messy in its own right.
There are some additional checks for "enterprise" networks including checking whether "enterprise roots" is enabled which I guess is different from simply loading in extra root certificates. Why Mozilla and Google are SO insistent that I must not have control over my root certificate list is beyond me.
But yes, there's a Firefox pref to force it (or completely disable it regardless of the canary). Amusingly, unlike most of the actually-useful Firefox prefs, this one is apparently in the GUI [1]. It also allows you to pick the provider (Cloudflare or "custom", of course).
The bare about:config pref you want is "network.trr.mode". Short and sweet of it, set to 5 (off by choice), and it should disable the function entirely. 3 would be the opposite: always use it.
[1] https://support.mozilla.org/en-US/kb/firefox-dns-over-https

-- 
Brandon Martin