Koozali.org formerly Contribs.org

Contribs.org Forums => General Discussion => Topic started by: ReetP on March 04, 2020, 05:05:03 PM

Title: Firefox DoH
Post by: ReetP on March 04, 2020, 05:05:03 PM
If you don't know what it means or how it might affect you then please have a good read.

https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/

If you are a private individual out and about roaming it may be a good thing.

If you run a network it may not.... but Uncle Mozilla has decided it knows what is best for you, at least in the US.

I presume they are getting some sort of revenue kickback from Cloudflare somehow. People don't do these things for free.

Quote
While we would like to encourage everyone to use DoH, we also recognize that there are a few circumstances in which DoH can be undesirable, namely:

Networks that have implemented some sort of filtering via the default DNS resolver. This can be used to implement parental controls or to block access to malicious websites.

So DoH will bypass your PiHole or other network domain filtering. Both for good sites, and bad. Looks like those ads you have been blocking are going to work again!

How to disable:

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

If you run a network you probably want to do it across your network.

There is probably a way to block it with SME but I am not sure how - it needs to fail a lookup for "use-application-dns.net"

If you run a PiHole or similar you can blacklist the canary domain use-application-dns.net

Enjoy.
Title: Re: Firefox DoH
Post by: Jean-Philippe Pialasse on March 05, 2020, 02:38:28 PM
Simply adding the domain as a local domain pointing to an ibay should do.

Otherwise dansguardian or squidguard.
Title: Re: Firefox DoH
Post by: ReetP on March 05, 2020, 03:14:13 PM
This is what it says:

Quote
Firefox will attempt to resolve this domain use-application-dns.net using the DNS server(s) configured in the operating system of the device, and examine the result. The result will be considered negative if:

    A response code other than NOERROR is returned, such as NXDOMAIN (non-existent domain) or SERVFAIL
    A NOERROR response code is returned, but contains neither A nor AAAA records

The result will be considered positive if:

    The query completes with NOERROR and contains A or AAAA records (or both)

A negative result will be a signal to disable application DNS, i.e. DoH.

Not sure what result it gives when pointed to an ibay? Surely it will resolve?
Title: Re: Firefox DoH
Post by: Jean-Philippe Pialasse on March 06, 2020, 06:12:48 AM
It will give


use-application-dns.net  A 192.168.1.1


Where the IP 192.168.1.1 is your SME LAN IP