[Cryptography] Products that prevent DoH?

Viktor Dukhovni cryptography at dukhovni.org
Wed Mar 11 18:16:53 EDT 2020


On Wed, Mar 11, 2020 at 05:21:47PM +0530, Udhay Shankar N wrote:

> Even if you bring in a device within your enterprise network and
> you are using Firefox, it’ll fall back to the internal DNS. It will not
> connect to the DoH because we have certain feeds in our solution that
> enables that. We have DoH feeds that enable that.
> 
> How would this work?

    https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet?&mobile=1

For example, if you're using unbound, it is enough to add:

    server:
            local-zone: "use-application-dns.net." always_nxdomain

to the configuration of the local resolver, in order to disable implicit
DoH in Firefox.

-- 
    Viktor.
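
An added example, not part of the original message: a small Python check that a local resolver answers NXDOMAIN for the canary domain once the unbound setting above is in place. The function names, the transaction ID and the sample replies are constructed for illustration, and the live check assumes an IPv4 resolver reachable over UDP port 53.

```python
import socket
import struct
import sys

CANARY = "use-application-dns.net."
RCODE_NXDOMAIN = 3
TXID = 0x1234  # arbitrary transaction ID, constructed for this example


def build_query(name, qtype=1, txid=TXID):
    """Encode a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def canary_blocked(response, txid=TXID):
    """Return True if the reply to our query carries RCODE NXDOMAIN."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to this query")
    return (flags & 0x000F) == RCODE_NXDOMAIN


def check_resolver(resolver_ip, timeout=3.0):
    """Ask resolver_ip (IPv4) for the canary's A record over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return canary_blocked(data)


def sample_response(rcode):
    """Constructed reply (header plus echoed question) for offline testing."""
    flags = 0x8180 | rcode  # QR + RD + RA, then the response code
    header = struct.pack("!HHHHHH", TXID, flags, 1, 0, 0, 0)
    return header + build_query(CANARY)[12:]


if __name__ == "__main__":
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("canary returns NXDOMAIN:", check_resolver(ip))
```

Run it with the resolver's address as the only argument; with no argument it queries 127.0.0.1.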

