Koozali.org: home of the SME Server

Firefox DoH

ReetP
Firefox DoH
« on: March 04, 2020, 05:05:03 PM »
If you don't know what it means or how it might affect you then please have a good read.

https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/

If you are a private individual out and about roaming it may be a good thing.

If you run a network it may not... but Uncle Mozilla has decided it knows what is best for you, at least in the US.

I presume they are getting some sort of revenue kickback from Cloudflare somehow. People don't do these things for free.

Quote
While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable, namely:

Networks that have implemented some sort of filtering via the default DNS resolver. This can be used to implement parental controls or to block access to malicious websites.

So DoH will bypass your PiHole or other network domain filtering. Both for good sites, and bad. Looks like those ads you have been blocking are going to work again!

How to disable:

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

If you run a network you probably want to do it across your network.

There is probably a way to block it with SME but I am not sure how - it needs to fail a lookup for "use-application-dns.net"

If you run a PiHole or similar you can blacklist the canary domain use-application-dns.net

Enjoy.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Firefox DoH
« Reply #1 on: March 05, 2020, 02:38:28 PM »
Simply adding the domain as a local domain pointing to an ibay should do.

Otherwise dansguardian or squidguard.

ReetP
Re: Firefox DoH
« Reply #2 on: March 05, 2020, 03:14:13 PM »
This is what it says:

Quote
Firefox will attempt to resolve this domain use-application-dns.net using the DNS server(s) configured in the operating system of the device, and examine the result. The result will be considered negative if:

    A response code other than NOERROR is returned, such as NXDOMAIN (non-existent domain) or SERVFAIL
    A NOERROR response code is returned, but contains neither A nor AAAA records

The result will be considered positive if:

    The query completes with NOERROR and contains A or AAAA records (or both)

A negative result will be a signal to disable application DNS, i.e. DoH.

Not sure what result it gives when pointed to an ibay? Surely it will resolve?

Jean-Philippe Pialasse
Re: Firefox DoH
« Reply #3 on: March 06, 2020, 06:12:48 AM »
It will give

use-application-dns.net  A 192.168.1.1

Where the IP 192.168.1.1 is your SME LAN IP.
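As an added example (not code from this thread, from Mozilla or from SME Server), here is a small Python decoder that applies the canary rules quoted in Reply #2 to raw DNS replies; the replies are constructed inside the script, and the last case is the `A 192.168.1.1` answer described in Reply #3, so you can see which replies count as negative under those rules.

```python
"""Apply the canary rules quoted above to raw DNS replies (constructed here)."""
import struct

CANARY = "use-application-dns.net"
TYPE_A, TYPE_AAAA, TYPE_CNAME = 1, 28, 5     # RR types; rcode 0 = NOERROR, 3 = NXDOMAIN


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[pos]
        if length == 0:              # root label ends the name
            return pos + 1
        if length & 0xC0 == 0xC0:    # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def answer_types(msg: bytes):
    """Return (rcode, [RR types in the answer section]) of a DNS reply."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos, types = 12, []
    for _ in range(qdcount):         # question: QNAME, QTYPE, QCLASS
        pos = skip_name(msg, pos) + 4
    for _ in range(ancount):         # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return flags & 0x0F, types


def canary_disables_doh(msg: bytes) -> bool:
    """True when the reply is 'negative' in Mozilla's terms: DoH gets turned off."""
    rcode, types = answer_types(msg)
    return rcode != 0 or not any(t in (TYPE_A, TYPE_AAAA) for t in types)


def build_response(rcode: int, records) -> bytes:
    """Build a constructed reply to an A query for the canary (not captured traffic)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in CANARY.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(records), 0, 0)
    msg += qname + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in records:     # 0xC00C points back at the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


# Constructed cases: a filter answering NXDOMAIN, NOERROR with no data, and the
# 'A 192.168.1.1' answer an SME Server local domain would give (Reply #3)
NXDOMAIN_REPLY = build_response(3, [])
EMPTY_REPLY = build_response(0, [])
LAN_IP_REPLY = build_response(0, [(TYPE_A, bytes([192, 168, 1, 1]))])
```

Under the quoted rules only an RCODE other than NOERROR, or a NOERROR reply with no A/AAAA record, is negative; a reply that carries an A record is positive, so checking the actual answer your resolver gives for the canary is worth doing before relying on it.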