Re: Fedora 32 Firefox and DNS over HTTPS

https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup)
to disable DoH when it interferes with a preferred policy.


If you run your own DNS server you can configure the canary hostname lookup to fail
to prevent Firefox from using DoH:
Put this in named.conf (I use views, so I put this in the 'internal' view):
        response-policy { zone "rpz"; };
        include "/etc/named/rpz.zones";

/etc/named/rpz.zones:
        zone "rpz"      {
                type                    master;
                file                    "masters/rpz";
                notify                  no;
                allow-transfer          { "localhost_net"; };
                masterfile-format       text;
        };

/var/named/masters/rpz (I think I created the 'masters' directory; you may not have it.
If so, just remove the 'masters/' prefix on the file line (above) and from this file's name):
$TTL 86400      ; 1 day
@                        IN SOA ns1.example.com. bill.example.com. (
                                2018051701 ; serial
                                7200       ; refresh (2 hours)
                                900        ; retry (15 minutes)
                                86400      ; expire (1 day)
                                120        ; minimum (2 minutes)
                                )
                        NS      ns1.example.com.
use-application-dns.net                         CNAME   .

This will return an NXDOMAIN for the lookup of use-application-dns.net, which will
stop DoH.

The rpz SOA is also a good place to translate external host names to internal ones.
; owner name is relative to the rpz zone, so no trailing dot
imap.example.com                          CNAME   imap.lan.example.com.
With this, an internal lookup won't fail even if the internet is down.

Bill

On 11/27/2019 4:43 PM, Robert Moskowitz wrote:
In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC 8484)?

BTW, I am currently on F30 and will skip to F32 when it ships.

If you want a high-level discussion on DNS over TLS or over HTTPS see:

https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over

One thing this article misses is if your company DNS server has an internal view for internal resources, defaulting to some outside DNS server breaks this.  Or at least makes directing things the right way hard.

So what is happening with Firefox in F32?

Thanks
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx