Disable DNS over HTTPS in Firefox on your network_

February 25, 2020 @17:34

So DNS over HTTPS is coming to Firefox. For most people this is certainly a good thing. When I worked for a national ISP in around 2008 they started snooping DNS queries and sending them off to various ad networks and inserted those stupid advertising laden search pages into user's sessions instead of returning the correct and proper NXDOMAIN response when you mistyped a URL. There were executives which were very pleased with this extra revenue stream and got large bonuses as a result. This was over a decade ago so I can only imagine how this has gotten worse. DNS over HTTPS (and also DNS over TLS) makes this impossible, which is good.

That being said, I'm not most users and I have never really trusted my ISP's DNS servers. I run my own DNS servers for several reasons. The first is that I run what is called 'split horizon' DNS, which means that if you are on my internal network you will gain access to domain names which do not exist on the Internet. You will also get different answers for domains that I own that are on the Internet. The second is that I own several domains and host them on my own servers. A while back I wrote about adding DNS over TLS to my internal DNS servers so that all requests are encrypted already, making DNS over HTTPS a moot point from a privacy perspective, but also in that post I noted that I block nearly a million domain names that are involved in serving advertising, malware and tracking scripts. Doing this at the DNS layer means that allowing an application to bypass my DNS servers is in fact bypassing an important part of my network security. That is not ideal.

Thankfully Mozilla has several ways in place to control the DNS over HTTPS mechanism in the browser. Since I already have unbound running it was trivial to implement the canary domain control.

In short, Firefox will attempt to resolve use-application-dns.net using the OS DNS libraries. If an error or no forward records (A or AAAA) are returned from that lookup it will disable its internal DNS stack and use the one in your OS as is right and proper. Simply telling unbound to return NXDOMAIN for that domain name is enough.

In one of your unbound config files (/etc/unbound/unbound.conf on Debian for example), you can add:

local-zone: "use-application-dns.net" static

and restart. You can then verify (on Linux and macOS) that your DNS server(s) return the proper NXDOMAIN repsonse using dig, for example:

kitsune@17:48:58 ~ >dig use-application-dns.net @192.168.196.3
; <<>> DiG 9.10.6 <<>> use-application-dns.net @192.168.196.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65096
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.   IN  A

;; Query time: 8 msec
;; SERVER: 192.168.196.3#53(192.168.196.3)
;; WHEN: Tue Feb 25 17:49:07 EST 2020
;; MSG SIZE  rcvd: 52

Please note that unless you have a good reason to do this (like you are running your own content filtering and encrypted DNS server) you shouldn't disable DNS over HTTPS. Mozilla has a great explanation of how a lot of this works, and includes some information about how to set Firefox to use a different DNS over HTTPS endpoint in case you would prefer to use a different DNS provider than CloudFlare.

Subscribe via RSS. Send me a comment.