[Cryptography] Products that prevent DoH?

Jan Schaumann jschauma at netmeister.org
Wed Mar 11 18:25:58 EDT 2020


Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> On Wed, Mar 11, 2020 at 05:21:47PM +0530, Udhay Shankar N wrote:
> 
> > Even if you bring in a device within your enterprise network and
> > you are using Firefox, it'll fall back to the internal DNS. It will not
> > connect to the DoH because we have certain feeds in our solution that
> > enables that. We have DoH feeds that enable that.
> > 
> > How would this work?
> 
>     https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet?&mobile=1
> 
> For example, if you're using unbound, it is enough to add:
> 
>     server:
>             local-zone: "use-application-dns.net." always_nxdomain
> 
> to the configuration of the local resolver, in order to disable implicit
> DoH in Firefox.

This only works for the case of the default opt-in to
DoH, not for a client that explicitly enabled DoH via
their configuration.

I'm making this point here again because it is such a
common misconception, and I only recently got Mozilla
to update the description to make this somewhat more
obvious by adding the note:

"Note: The canary domain only applies to users who
have DoH enabled as the default option. It does not
apply for users who have made the choice to turn on
DoH by themselves."

-Jan
