This DNS over HTTP thing

Keith Medcalf kmedcalf at dessus.com
Tue Oct 1 07:57:01 UTC 2019


On Tuesday, 1 October, 2019 01:39, Stephane Bortzmeyer
<bortzmeyer at nic.fr> wrote:

>On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin
><lists.nanog at monmotha.net> wrote:

>> It's use-application-dns.net.  NXDOMAIN it, and Mozilla (at least)
>> will go back to using your local DNS server list as per usual.

> Unless, I hope, the user explicitly overrides this. (Because this
> canary domain contradicts DoH's goals, by allowing the very party you
> don't trust to remotely disable security.)

According to Mozilla:
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Network administrators may configure their networks to treat DNS
requests for a canary domain differently, to signal that their local DNS
resolver implements special features that make the network unsuitable
for DoH.

In addition to the canary domain signal described above, Firefox will
perform some checks for network features that are incompatible with DoH
before enabling it for a user. These checks will be performed at browser
startup, and each time the browser detects that it has moved to a
different network, such as when a laptop is used at home, work, and a
coffee shop. When any of these checks indicates a potential issue,
Firefox will disable DoH for the remainder of the network session,
unless the user has enabled the "DoH always" preference as mentioned
above.

The additional checks that will be performed for content filtering are:

    Resolve canary domains of certain known DNS providers to detect content filtering
    Resolve the "safe-search" variants of google.com and youtube.com to determine if the network redirects to them
    On Windows and macOS, detect parental controls enabled in the operating system

The additional checks that will be performed for private "enterprise"
networks are:

    Is the Firefox security.enterprise_roots.enabled preference set to true?
    Is any enterprise policy configured?

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven
says a lot about anticipated traffic volume.
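The canary mechanism quoted above boils down to one protocol-level check: Firefox sends an A/AAAA query for use-application-dns.net to the system resolver and disables DoH if the answer is NXDOMAIN. The following is an added example, not code from the thread or from Mozilla, that a network administrator can use to verify what their own resolver actually returns for the canary. It builds the query with nothing but the standard library, parses the raw DNS response (including name compression), and classifies it the way the browser would. The treatment of a NOERROR response with no A/AAAA records as "disable DoH" is my reading of Mozilla's KB and is an assumption; the thread itself only mentions NXDOMAIN. The sample responses are constructed inline so the block runs offline; `query_resolver()` is the only part that touches the network and is not needed for the offline checks.

```python
import socket
import struct

CANARY = "use-application-dns.net"   # the Mozilla DoH canary domain named in the thread
NXDOMAIN = 3                          # RCODE value for "name does not exist"
A, AAAA = 1, 28                       # address record types

def encode_name(name):
    """Encode a dotted hostname into DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=A, txid=0x1234):
    """Build a recursion-desired DNS query for `name` (12-byte header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Read a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # caller resumes after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return (rcode, [(name, rtype, rdata), ...]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rcode, answers

def canary_disables_doh(msg):
    """True if this resolver answer would make Firefox fall back to system DNS."""
    rcode, answers = parse_response(msg)
    if rcode == NXDOMAIN:
        return True
    # Assumption: NOERROR with no address records (NODATA) is also treated as the canary.
    return rcode == 0 and not any(t in (A, AAAA) for _, t, _ in answers)

def build_response(query, rcode, addresses=()):
    """Construct a sample response to `query` (used here to fake resolver answers offline)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b""
    for addr in addresses:                              # answer RRs point back at the question name
        rdata = socket.inet_aton(addr)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rrs

def query_resolver(resolver_ip, name=CANARY, timeout=2.0):
    """Send the canary query to a real resolver over UDP and return the raw answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recv(4096)

if __name__ == "__main__":
    q = build_query(CANARY)
    # Constructed answers: what a canary-configured resolver returns vs. an ordinary one.
    for label, resp in [("NXDOMAIN", build_response(q, NXDOMAIN)),
                        ("A record", build_response(q, 0, ["192.0.2.10"]))]:
        print(f"{label:9s} -> DoH disabled: {canary_disables_doh(resp)}")
```

To check a live resolver, call `canary_disables_doh(query_resolver("192.0.2.53"))` with your own resolver's address; a `False` result means the NXDOMAIN rule Brandon describes is not in effect on that network.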