https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy.

If you run your own DNS server you can configure the canary hostname lookup to fail to prevent Firefox from using DoH:

Put this in named.conf (I use views, so I put this in the 'internal' view):

    response-policy { zone "rpz"; };
    include "/etc/named/rpz.zones";

/etc/named/rpz.zones:

    zone "rpz" {
        type master;
        file "masters/rpz";
        notify no;
        allow-transfer { "localhost_net"; };
        masterfile-format text;
    };

/var/named/masters/rpz (I think I created the 'masters' directory, you may not have it. If so, just remove the 'masters/' prefix on the file line (above) and from this file's name):

    $TTL 86400 ; 1 day
    @       IN SOA  ns1.example.com. bill.example.com. (
                    2018051701 ; serial
                    7200       ; refresh (2 hours)
                    900        ; retry (15 minutes)
                    86400      ; expire (1 day)
                    120        ; minimum (2 minutes)
                    )
            NS      ns1.example.com.
    use-application-dns.net CNAME .

This will return an NXDOMAIN for the lookup of use-application-dns.net which will stop DoH.

The rpz SOA is also a good place to translate external host names to internal ones.

    ; owner name is relative to the rpz zone, so no trailing dot
    imap.example.com CNAME imap.lan.example.com.

With this, an internal lookup won't fail even if the internet is down.

Bill

On 11/27/2019 4:43 PM, Robert Moskowitz wrote:

In the upcoming Fedora 32, is Firefox defaulting to DNS over HTTPS (RFC 8484)?

BTW, I am currently on F30 and will skip to F32 when it ships.

If you want a high-level discussion on DNS over TLS or over HTTPS see:

https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over

One thing this article misses is if your company DNS server has an internal view for internal resources, defaulting to some outside DNS server breaks this. Or at least makes directing things the right way hard.

So what is happening with Firefox in F32?

Thanks
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to
users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
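
Added example, not part of the original thread or of Firefox/BIND: a small checker that asks a resolver for the canary name and reports whether the reply would switch off default DoH, which is how to confirm the RPZ rule above is actually in effect. It assumes Mozilla's documented canary rule (any RCODE other than NOERROR, or NOERROR with no A/AAAA records, disables default DoH); the function names and the sample replies are constructed for illustration.

```python
import socket
import struct
CANARY = "use-application-dns.net"
QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(name, qtype, txid=0x1234):
    """Encode a minimal recursive DNS query (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def canary_disables_doh(response):
    """True if this reply tells Firefox not to enable DoH by default (assumed rule)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:                 # any RCODE but NOERROR, e.g. NXDOMAIN (3)
        return True
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(response, off) + 4
    for _ in range(an):
        off = skip_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        if rtype in (QTYPE_A, QTYPE_AAAA):
            return False               # an address came back: canary not blocked
        off += 10 + rdlen
    return True                        # NOERROR but no A/AAAA records

def check_resolver(server, timeout=3.0):
    """Ask one resolver (UDP port 53) for the canary A record and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY, QTYPE_A), (server, 53))
        return canary_disables_doh(s.recvfrom(4096)[0])

# Constructed sample replies (not captured traffic): NXDOMAIN, empty NOERROR, real answer
QUERY = build_query(CANARY, QTYPE_A)
SAMPLE_NXDOMAIN = QUERY[:2] + struct.pack("!H", 0x8183) + QUERY[4:]
SAMPLE_EMPTY = QUERY[:2] + struct.pack("!H", 0x8180) + QUERY[4:]
SAMPLE_ANSWERED = (QUERY[:2] + struct.pack("!HHH", 0x8180, 1, 1) + QUERY[8:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Call check_resolver() with your own resolver's address from a client inside the view that carries the response-policy; True means the canary lookup is being blocked.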