This DNS over HTTP thing
On 10/1/19 3:38 AM, Stephane Bortzmeyer wrote:
>> It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least)
>> will go back to using your local DNS server list as per usual.
> Unless, I hope, the user explicitly overrides this. (Because this
> canary domain contradicts DoH's goals, by allowing the very party you
> don't trust to remotely disable security.)
Indeed. It seemed like a glaring hole in the implementation. The
Mozilla page on the topic implies it's temporary until some sort of
"standard" solution can be found, but since you will always have folks
who control DNS and want/need to enforce something like this
(enterprises, for example), I'm not sure how you'd go about this without
resorting to e.g. group policy-like things which is messy in its own right.
There are some additional checks for "enterprise" networks including
checking whether "enterprise roots" is enabled which I guess is
different from simply loading in extra root certificates. Why Mozilla
and Google are SO insistent that I must not have control over my root
certificate list is beyond me.
But yes, there's a Firefox pref to force it (or completely disable it
regardless of the canary). Amusingly, unlike most of the
actually-useful Firefox prefs, this one is apparently in the GUI [1].
It also allows you to pick the provider (Cloudflare or "custom", of course).
The bare about:config pref you want is "network.trr.mode". Short and
sweet of it, set to 5 (off by choice), and it should disable the
function entirely. 3 would be the opposite: always use it.
[1] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
--
Brandon Martin
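For anyone auditing what a Firefox profile will actually do with DoH, the following is an added example (not code from this thread or from Mozilla). It parses the `network.trr.mode` pref from a `prefs.js`/`user.js` file, reads the `DNSOverHTTPS` block that Firefox's enterprise `policies.json` supports (the "group policy-like" route the post alludes to), and models the canary-domain check with an injectable resolver so it runs offline. The mode table covers Firefox's documented values 0, 1, 2, 3 and 5 (the post names only 3 and 5); the pref and policy samples are constructed.

```python
"""Inspect a Firefox profile's DNS-over-HTTPS (TRR) settings offline.

Added example, not from the mailing-list thread. Assumes Firefox's
user_pref("name", value); syntax in prefs.js/user.js and the DNSOverHTTPS
block of its enterprise policies.json. Sample inputs below are constructed.
"""
import json
import re
import socket

# Documented values of network.trr.mode (the post mentions 3 and 5).
TRR_MODES = {
    0: "off: native resolver only (browser default)",
    1: "race native resolver and DoH, use whichever answers first",
    2: "DoH first, fall back to the native resolver on failure",
    3: "DoH only, never fall back to the native resolver",
    5: "off by choice: DoH explicitly disabled by the user",
}

# Canary domain named in the thread: an NXDOMAIN here is the opt-out signal.
CANARY = "use-application-dns.net"

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

# Constructed sample inputs for a stand-alone run.
SAMPLE_PREFS = (
    'user_pref("network.trr.mode", 5);\n'
    'user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");\n'
)
SAMPLE_POLICY = '{"policies": {"DNSOverHTTPS": {"Enabled": false, "Locked": true}}}'


def parse_prefs(text):
    """Turn user_pref(...) lines into a dict with int/bool/str values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def trr_mode(prefs):
    """Return (mode, description). An unset pref means mode 0."""
    mode = prefs.get("network.trr.mode", 0)
    return mode, TRR_MODES.get(mode, "unknown/undocumented value")


def policy_doh(policies_json):
    """Return (Enabled, Locked) from policies.json, or None if no DoH policy."""
    block = json.loads(policies_json).get("policies", {}).get("DNSOverHTTPS")
    if block is None:
        return None
    return block.get("Enabled"), block.get("Locked", False)


def nxdomain_stub(name):
    """Resolver stand-in that behaves like a resolver returning NXDOMAIN."""
    raise socket.gaierror(f"constructed NXDOMAIN for {name}")


def canary_disables_doh(resolve=socket.gethostbyname):
    """True when the canary fails to resolve, i.e. the network asks for no DoH.

    Note: socket.gethostbyname raises gaierror for SERVFAIL and outages as
    well as NXDOMAIN, so for a real audit confirm the rcode with dig.
    """
    try:
        resolve(CANARY)
        return False
    except socket.gaierror:
        return True


def report(prefs_text=SAMPLE_PREFS, policies_json=SAMPLE_POLICY,
           resolve=nxdomain_stub):
    """Summarise the three signals as a dict (offline by default)."""
    mode, desc = trr_mode(parse_prefs(prefs_text))
    return {
        "trr_mode": mode,
        "trr_mode_desc": desc,
        "policy": policy_doh(policies_json),
        "canary_opt_out": canary_disables_doh(resolve),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Point `report()` at a real profile's `prefs.js` and the distribution's `policies.json`, and pass the default `socket.gethostbyname` as `resolve` to query the canary through the host resolver. A `Locked: true` policy wins over anything the user sets in the GUI or about:config, which is the only one of the three signals the post's "enterprise" case can rely on.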