On 10/1/19 3:38 AM, Stephane Bortzmeyer wrote:
It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using your local DNS server list as per usual. Unless, I hope, the user explicitely overrides this. (Because this canary domain contradicts DoH's goals, by allowing the very party you don't trust to remotely disable security.)
Indeed. It seemed like a glaring hole in the implementation. The Mozilla page on the topic implies it's temporary until some sort of "standard" solution can be found, but since you will always have folks who control DNS and want/need to enforce something like this (enterprises, for example), I'm not sure how you'd go about this without resorting to e.g. group policy-like things which is messy in its own right. There are some additional checks for "enterprise" networks including checking whether "enterprise roots" is enabled which I guess is different from simply loading in extra root certificates. Why Mozilla and Google are SO insistent that I must not have control over my root certificate list is beyond me. But yes, there's a Firefox pref to force it (or completely disable it regardless of the canary). Amusingly, unlike most of the actually-useful Firefox prefs, this one is apparently in the GUI [1]. It also allows you to pick the provider (Cloudflare or "custom", of course). The bare about:config pref you want is "network.trr.mode". Short and sweet of it, set to 5 (off by choice), and it should disable the function entirely. 3 would be the opposite: always use it. [1] https://support.mozilla.org/en-US/kb/firefox-dns-over-https -- Brandon Martin