I just came across this article by ISC:
Will Infoblox provide a way to do this for customers that don't have a DNS Firewall license? Seems like a big cost to buy a license just to disable DoH? Maybe Infoblox can add a "tick box" in the UI somewhere?
Granted I've not been following this closely. But one could add use-application-dns.net as an auth zone with no A or AAAA apex records -- messy but does the trick (unless dnssec signed, and even then one could sign and add a TA for it).
According to this article by Martin Brinkmann, "Enterprise configurations are respected as well and DoH is disabled unless 'explicitly enabled by enterprise configuration'." Also, the feature can be disabled by setting the value of network.trr.mode to 5 in about:config.
And as Dave already pointed out, there is the "canary domain" of "use-application-dns.net". And this Mozilla support article goes into more detail of additional checks that are made at the beginning of each browser session before enabling the feature.
But "If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored."
Not sure if the canary domain will work in this case: they are specifically looking for NXDOMAIN, but if you create a domain with no apex records, you still have an SOA, so I think you will get a NOERROR response instead.
I just tried it on my internal DNS here:
paul@ubuntu-dev-1:~$ dig use-application-dns.net. a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> use-application-dns.net. a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52599
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.	IN	A

;; AUTHORITY SECTION:
use-application-dns.net. 3600	IN	SOA	ns1.cn.corp. hostmaster.cn.corp. 587205058 1800 600 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Sep 11 09:36:08 BST 2019
;; MSG SIZE  rcvd: 139
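The NOERROR-versus-NXDOMAIN point above, as an added example that is not part of this thread or of any vendor's code: it constructs two responses to an A query for the canary domain, one NXDOMAIN and one shaped like the dig output (NOERROR, ANSWER 0, only the zone SOA in AUTHORITY), and classifies each from the 12-byte header so a resolver operator can see which of the two an empty auth zone really produces. The transaction id and packet layout are my own construction; the SOA values are the ones from the dig output.

```python
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, rcode, authority_soa=False):
    """Constructed sample response (not captured traffic) to an A query for qname.
    With authority_soa=True it mirrors the dig output above: NOERROR, ANSWER 0,
    and the zone's SOA in the AUTHORITY section (a NODATA answer)."""
    flags = 0x8400 | rcode                      # QR=1, AA=1, RCODE in the low nibble
    nscount = 1 if authority_soa else 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, nscount, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    pkt = header + question
    if authority_soa:
        # SOA values taken from the dig output in the thread
        rdata = (encode_name("ns1.cn.corp.") + encode_name("hostmaster.cn.corp.")
                 + struct.pack("!IIIII", 587205058, 1800, 600, 2592000, 3600))
        pkt += encode_name(qname) + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return pkt


def classify_canary_response(pkt):
    """Classify a response from its 12-byte header alone: 'nxdomain' (RCODE 3),
    'nodata' (RCODE 0 with ANCOUNT 0, the empty-zone case), 'answered' (RCODE 0
    with answer records) or 'rcodeN' for anything else (SERVFAIL, REFUSED, ...)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == RCODE_NOERROR:
        return "nodata" if ancount == 0 else "answered"
    return "rcode%d" % rcode
```

The same classifier can be pointed at the raw bytes of a real UDP reply from your resolver to check what your zone returns without reading dig output by eye.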
And arriving in Chrome v78: https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html.
Unlike Firefox hardcoding Cloudflare, Google will initially support six providers. And will only use DoH if one or more of those is already configured in the OS - https://www.chromium.org/developers/dns-over-https
Well, that's a slightly better approach I suppose, but could still result in guest wifi networks that use 188.8.131.52 having DoH inadvertently enabled.
I'm struggling to understand how you manage the exceptions if you need local resolution, e.g. for public FQDNs defined internally on internal IPs. It's a hack I see quite commonly, but with DoH those queries will be resolved externally, which is going to break stuff.
Feels like DoH just needs to be turned off to prevent all the aggro it's going to cause. How easy is it to deploy Firefox policies across the network, do they support Group Policy? What about Linux clients? What about all the other browsers? Gaaaah!.....