Re: Fedora 32 Firefox and DNS over HTTPS

[Bill Shirley <bshirley@xxxxxxxxxxxxxxxxx>]

https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup)
to disable DoH when it interferes with a preferred policy.

If you run your own DNS server you can configure the canary hostname lookup to fail
to prevent Firefox from using DoH:
Put this in named.conf (I use views, so I put this in the 'internal' view):
        response-policy { zone "rpz"; };
        include "/etc/named/rpz.zones";

/etc/named/rpz.zones:
        zone "rpz"      {
                type                    master;
                file                    "masters/rpz";
                notify                  no;
                allow-transfer          { "localhost_net"; };
                masterfile-format       text;
        };

/var/named/masters/rpz (I think I created the 'masters' directory, you may not have it.
If so, just remove the 'masters/' prefix on the file line (above) and from this file's name:
$TTL 86400      ; 1 day
@                        IN SOA ns1.example.com. bill.example.com. (
                                2018051701 ; serial
                                7200       ; refresh (2 hours)
                                900        ; retry (15 minutes)
                                86400      ; expire (1 day)
                                120        ; minimum (2 minutes)
                                )
                        NS      ns1.example.com.
use-application-dns.net                         CNAME   .

This will return a NSDOMAIN for the lookup of use-application-dns.net which will
stop DoH.

The rpz SOA is also a good place to translate external host names to internal ones.
imap.example.com.                         CNAME   imap.lan.example.com.
With this, the an internal lookup won't fail even if the internet is down.

Bill

On 11/27/2019 4:43 PM, Robert Moskowitz wrote:

In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC 8484)?

BTW, I am currently on F30 and will skip to F32 when it ships.

If you want a high-level discuss on DNS over TLS or over HTTPS see:

https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over

One thing this article misses is if your company DNS server has an internal view for internal resources, defaulting to some outside DNS server breaks this.  Or at least makes directing things the right way is hard.

So what is happening with Firefox in F32?

Thanks
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx