On Tuesday, 1 October, 2019 01:39, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin <lists.nanog@monmotha.net> wrote:
It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using your local DNS server list as per usual.
Unless, I hope, the user explicitly overrides this. (Because this canary domain contradicts DoH's goals, by allowing the very party you don't trust to remotely disable security.)
According to Mozilla: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Network administrators may configure their networks to treat DNS requests for a canary domain differently, to signal that their local DNS resolver implements special features that make the network unsuitable for DoH.

In addition to the canary domain signal described above, Firefox will perform some checks for network features that are incompatible with DoH before enabling it for a user. These checks will be performed at browser startup, and each time the browser detects that it has moved to a different network, such as when a laptop is used at home, work, and a coffee shop. When any of these checks indicates a potential issue, Firefox will disable DoH for the remainder of the network session, unless the user has enabled the "DoH always" preference as mentioned above.

The additional checks that will be performed for content filtering are:

- Resolve canary domains of certain known DNS providers to detect content filtering
- Resolve the "safe-search" variants of google.com and youtube.com to determine if the network redirects to them
- On Windows and macOS, detect parental controls enabled in the operating system

The additional checks that will be performed for private "enterprise" networks are:

- Is the Firefox security.enterprise_roots.enabled preference set to true?
- Is any enterprise policy configured?

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
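The checks quoted from Mozilla above amount to a small decision procedure: resolve the canary, compare a few names against their safe-search variants, look at OS and enterprise settings, and let the "DoH always" preference override everything. The block below is an added example, written for this thread, that models that procedure so an administrator can reason about what a given network will cause Firefox to do. It is not Firefox's code or anything published by Mozilla; the use-application-dns.net canary is the one named in the thread, the safe-search hostnames are real Google/YouTube names, but pairing them and comparing returned addresses is an assumption about how the "redirects to them" check works. The resolver is injected so the example runs offline against constructed answer tables.

```python
"""Model of the DoH enable/disable checks described in the Mozilla text.

Added example: a simplified re-implementation of the published heuristics for
illustration, NOT Firefox's actual logic. The resolver is injected so the
decision can be exercised offline with constructed DNS answers.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CANARY_DOMAIN = "use-application-dns.net"  # canary named in the thread

# Real safe-search hostnames; treating "normal name answers with the
# safe-search address" as a redirect is an assumption of this model.
SAFE_SEARCH_PAIRS = [
    ("www.google.com", "forcesafesearch.google.com"),
    ("www.youtube.com", "restrict.youtube.com"),
]


class NXDomain(Exception):
    """Raised by a resolver when the queried name does not exist."""


# A resolver maps a hostname to its A/AAAA addresses, or raises NXDomain.
Resolver = Callable[[str], List[str]]


@dataclass
class NetworkSignals:
    """Non-DNS inputs to the decision (OS and enterprise settings)."""
    parental_controls: bool = False           # Windows/macOS OS-level control
    enterprise_roots_enabled: bool = False    # security.enterprise_roots.enabled
    enterprise_policy_configured: bool = False


@dataclass
class DohDecision:
    use_doh: bool
    reasons: List[str] = field(default_factory=list)


def canary_says_disable(resolve: Resolver) -> bool:
    """True when the local resolver answers NXDOMAIN for the canary domain."""
    try:
        resolve(CANARY_DOMAIN)
    except NXDomain:
        return True
    return False


def safe_search_enforced(resolve: Resolver) -> bool:
    """True when a normal name resolves to its safe-search variant's address."""
    for normal, safe in SAFE_SEARCH_PAIRS:
        try:
            if set(resolve(normal)) & set(resolve(safe)):
                return True
        except NXDomain:
            continue
    return False


def decide_doh(resolve: Resolver, signals: NetworkSignals,
               doh_always: bool = False) -> DohDecision:
    """Apply the checks from the Mozilla text; doh_always overrides them all."""
    reasons = []
    if canary_says_disable(resolve):
        reasons.append("canary domain returned NXDOMAIN")
    if safe_search_enforced(resolve):
        reasons.append("network redirects to safe-search variants")
    if signals.parental_controls:
        reasons.append("OS parental controls enabled")
    if signals.enterprise_roots_enabled:
        reasons.append("security.enterprise_roots.enabled is true")
    if signals.enterprise_policy_configured:
        reasons.append("enterprise policy configured")
    if reasons and doh_always:
        return DohDecision(True, ["DoH always set; ignoring: " + "; ".join(reasons)])
    return DohDecision(not reasons, reasons)


def make_fake_resolver(table: Dict[str, Optional[List[str]]]) -> Resolver:
    """Offline resolver from a constructed answer table (None = NXDOMAIN)."""
    def resolve(name: str) -> List[str]:
        answer = table.get(name, [])
        if answer is None:
            raise NXDomain(name)
        return answer
    return resolve


# Constructed sample networks; addresses are from documentation ranges.
PLAIN_NETWORK = make_fake_resolver({
    CANARY_DOMAIN: ["192.0.2.1"],
    "www.google.com": ["192.0.2.10"], "forcesafesearch.google.com": ["192.0.2.20"],
    "www.youtube.com": ["192.0.2.30"], "restrict.youtube.com": ["192.0.2.40"],
})
CANARY_NETWORK = make_fake_resolver({          # admin NXDOMAINs the canary
    CANARY_DOMAIN: None,
    "www.google.com": ["192.0.2.10"], "forcesafesearch.google.com": ["192.0.2.20"],
})
FILTERING_NETWORK = make_fake_resolver({       # google.com answered with safe-search address
    CANARY_DOMAIN: ["192.0.2.1"],
    "www.google.com": ["192.0.2.20"], "forcesafesearch.google.com": ["192.0.2.20"],
})

if __name__ == "__main__":
    for label, net in [("plain", PLAIN_NETWORK), ("canary", CANARY_NETWORK),
                       ("filtering", FILTERING_NETWORK)]:
        d = decide_doh(net, NetworkSignals())
        print(f"{label}: use_doh={d.use_doh} reasons={d.reasons}")
```

Swapping in a real resolver (one that raises NXDomain on a lookup failure) turns the same functions into an audit of what a network actually signals; the point of the model is that the canary and the content-filtering checks only ever move the decision toward "disable", and only the user-side "DoH always" preference can move it back, which is exactly the trust trade-off the thread is arguing about.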