
Disable Mozilla DoH via RPZ?

Expert
Posts: 224

I just came across this article by ISC:

 

https://kb.isc.org/docs/using-response-policy-zones-to-disable-mozilla-doh-by-default

 

Will Infoblox provide a way to do this for customers that don't have a DNS Firewall license? Seems like a big cost to buy a license just to disable DoH? Maybe Infoblox can add a "tick box" in the UI somewhere?

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Disable Mozilla DoH via RPZ?

Authority
Posts: 26

Granted I've not been following this closely.  But one could add use-application-dns.net as an auth zone with no A or AAAA apex records -- messy but does the trick (unless dnssec signed, and even then one could sign and add a TA for it). 

Re: Disable Mozilla DoH via RPZ?

Expert
Posts: 262

According to this article by Martin Brinkmann, "Enterprise configurations are respected as well and DoH is disabled unless 'explicitly enabled by enterprise configuration'." Also, the feature can be disabled by setting the value of network.trr.mode to 5 in about:config.

 

And as Dave already pointed out, there is the "canary domain" of use-application-dns.net. And this Mozilla support article goes into more detail on the additional checks that are made at the beginning of each browser session before enabling the feature.

 

But "If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored."

 

Re: Disable Mozilla DoH via RPZ?

Expert
Posts: 224

Not sure if the canary domain will work in this case; they are specifically looking for NXDOMAIN, but if you create a domain with no apex records you still have an SOA, so I think you will get a NOERROR response instead.

 

I just tried it on my internal DNS here:

 

paul@ubuntu-dev-1:~$ dig use-application-dns.net. a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> use-application-dns.net. a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52599
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; AUTHORITY SECTION:
use-application-dns.net. 3600   IN      SOA     ns1.cn.corp. hostmaster.cn.corp. 587205058 1800 600 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Sep 11 09:36:08 BST 2019
;; MSG SIZE  rcvd: 139

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
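The distinction in the post above (NXDOMAIN versus NOERROR with an empty answer section, i.e. NODATA) is easy to get wrong when checking a resolver by eye. This added example, not code from the thread or from Infoblox, parses dig's text output and names which of the two a resolver actually returned; the SOA nameserver names and the `query_canary` helper are constructed for illustration, and whether the client accepts NODATA as well as NXDOMAIN is something to confirm against the vendor documentation rather than assumed.

```python
"""Classify a dig response for the DoH canary domain as NXDOMAIN, NODATA or ANSWERED."""
import re
import shutil
import subprocess

CANARY = "use-application-dns.net."

# Constructed sample modelled on the thread's dig output: an authoritative
# zone with no apex A record answers NOERROR with only an SOA in AUTHORITY.
SAMPLE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52599
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
use-application-dns.net. 3600 IN SOA ns1.example.invalid. hostmaster.example.invalid. 1 1800 600 2592000 3600
"""

# Constructed sample of the NXDOMAIN reply an RPZ rule (or no zone at all) gives.
SAMPLE_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""


def classify_dig(output):
    """Return 'NXDOMAIN', 'NODATA', 'ANSWERED', or the raw rcode for anything else."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    if not m:
        raise ValueError("no status line found in dig output")
    rcode = m.group(1)
    ans = re.search(r"ANSWER:\s*(\d+)", output)
    answers = int(ans.group(1)) if ans else 0
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if rcode == "NOERROR":
        # NOERROR with zero answer records is the NODATA case from the thread.
        return "ANSWERED" if answers > 0 else "NODATA"
    return rcode


def query_canary(rrtype="A", server=None):
    """Run dig (if installed) against the canary domain and classify the reply."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed on this host")
    cmd = ["dig", CANARY, rrtype]
    if server:
        cmd.insert(1, "@" + server)  # e.g. "@127.0.1.1" to test one resolver
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return classify_dig(out)


if __name__ == "__main__":
    print("empty auth zone sample ->", classify_dig(SAMPLE_NODATA))
    print("NXDOMAIN sample        ->", classify_dig(SAMPLE_NXDOMAIN))
```

Run `query_canary(server="<your resolver IP>")` for both "A" and "AAAA" to see what your own resolver actually hands out for the canary name.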

Re: Disable Mozilla DoH via RPZ?

Expert
Posts: 262

And arriving in Chrome v78: https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html.

Unlike Firefox, which hardcodes Cloudflare, Google will initially support six providers, and will only use DoH if one or more of those is already configured in the OS: https://www.chromium.org/developers/dns-over-https

 

Re: Disable Mozilla DoH via RPZ?

Expert
Posts: 224

Well, that's a slightly better approach I suppose, but it could still result in guest wifi networks that use 8.8.8.8 having DoH inadvertently enabled.

 

I'm struggling to understand how you manage the exceptions if you need local resolution, e.g. for public FQDNs defined internally on internal IPs. It's a hack I see quite commonly, but with DoH those queries will be resolved externally, which is going to break stuff.

 

Feels like DoH just needs to be turned off to prevent all the aggro it's going to cause. How easy is it to deploy Firefox policies across the network, do they support Group Policy? What about Linux clients? What about all the other browsers? Gaaaah!.....

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE