As many of you know, recent releases of Firefox have implemented DNS over HTTPS (their own idea, as opposed to the standard DNS over TLS), which bypasses your local DNS and uses Cloudflare's DNS server on port 443. Ostensibly this is to protect users from bad actors who might alter DNS responses and redirect unsuspecting users to bogus sites for nefarious purposes. Mozilla has enabled, or will soon enable, this by default. However, in many organizations this is going to cause a lot of problems, particularly if you have host names that resolve differently depending on whether you're inside or outside the organization, or if you're trying to implement family-friendly DNS filtering on your network.
A solution to this is to configure your DNS server to respond with NXDOMAIN (no such domain) to a query for "use-application-dns.net", which will cause Firefox to revert to normal DNS behavior. See https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Here's how to do this with BIND, taken largely from this site: https://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/

- Create a zone file called "rpz":

------
$TTL 1800 ; 30 minutes
; SOA takes the primary name server and a contact mailbox (both fully qualified)
@ IN SOA yournameserver.domain. hostmaster.domain. (
    1       ; serial
    10800   ; refresh (3 hours)
    3600    ; retry (1 hour)
    604800  ; expire (1 week)
    38400   ; minimum (10 hours 40 minutes)
)
@ IN NS yournameserver.domain.
; "CNAME ." in an RPZ zone means "answer NXDOMAIN for this name"
use-application-dns.net IN CNAME .
-----

You can also add other domains that you might want to block, such as tracking and ad sites, sites you don't wish to access from your home, etc., using the same "CNAME ." notation.

- Then in named.conf, define the zone like this:

-----
zone "rpz" {
    type master;
    file "rpz";
    allow-query { none; };
    #allow-transfer { ...; }; #uncomment for slave servers
};
-----

- Finally, in the options block in named.conf, add the following:

-----
response-policy { zone "rpz"; };
-----

After this, DNS should respond with "domain not found" to lookups of use-application-dns.net, which will tell Firefox not to use DoH by default, although I'm pretty sure you can still manually enable DoH.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
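The three steps above (zone file, zone definition, response-policy option) are easy to get subtly wrong, e.g. an SOA with no contact mailbox, or a blocklist that accidentally drops the canary name. Below is an added example, not code from the original post or from BIND, that generates the RPZ zone file for a blocklist in the same "CNAME ." form, sanity-checks a zone file text offline, and optionally asks a running resolver (via dig) what rcode it returns for the canary. The name-server name yournameserver.domain., the contact hostmaster.domain., and the blocked names are placeholders I made up.

```python
"""Build and check a BIND response-policy (RPZ) zone that makes
use-application-dns.net return NXDOMAIN, so Firefox falls back to
the system resolver instead of DoH.

Added example; not the code from the original post. mname/rname
defaults and the blocklist are constructed placeholders.
"""
import re
import subprocess

CANARY = "use-application-dns.net"


def build_rpz_zone(blocked, mname="yournameserver.domain.",
                   rname="hostmaster.domain.", serial=1, ttl=1800):
    """Return the text of an RPZ zone file.

    Every listed name gets a `CNAME .` record, which RPZ interprets as
    "answer NXDOMAIN". The canary is always emitted first so it cannot
    be lost when the blocklist is edited.
    """
    names = [CANARY] + [n for n in blocked if n != CANARY]
    lines = [
        f"$TTL {ttl}",
        # SOA needs both the primary server (mname) and a contact (rname).
        f"@ IN SOA {mname} {rname} (",
        f"    {serial} ; serial",
        "    10800 ; refresh (3 hours)",
        "    3600 ; retry (1 hour)",
        "    604800 ; expire (1 week)",
        "    38400 ; minimum (10 hours 40 minutes)",
        ")",
        f"@ IN NS {mname}",
    ]
    for name in names:
        # Names are relative to the zone ("rpz"), as in the post's zone file.
        lines.append(f"{name.rstrip('.')} IN CNAME .")
    return "\n".join(lines) + "\n"


def check_rpz_zone(text):
    """Return a list of problems found in a zone file text (empty means OK)."""
    problems = []
    soa = re.search(r"^\S+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s*\(", text, re.M)
    if not soa:
        problems.append("SOA record missing or lacks mname/rname before '('")
    elif not (soa.group(1).endswith(".") and soa.group(2).endswith(".")):
        problems.append("SOA mname/rname must be fully qualified (trailing dot)")
    if not re.search(r"^\S+\s+IN\s+NS\s+\S+\.\s*$", text, re.M):
        problems.append("NS record missing")
    if not re.search(rf"^{re.escape(CANARY)}\.?\s+IN\s+CNAME\s+\.\s*$", text, re.M):
        problems.append(f"no 'CNAME .' rule for canary {CANARY}")
    return problems


def canary_status(server="127.0.0.1"):
    """Live check (needs `dig` and a running resolver): return the rcode the
    server answers for the canary. Expect 'NXDOMAIN' once RPZ is active;
    returns None if dig is unavailable or the output has no status line."""
    try:
        out = subprocess.run(["dig", f"@{server}", CANARY, "A"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    m = re.search(r"status: (\w+)", out)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed blocklist: two made-up names alongside the canary.
    zone = build_rpz_zone(["tracker.example", "ads.example"])
    print(zone)
    print("zone problems:", check_rpz_zone(zone) or "none")
    print("canary rcode from local resolver:", canary_status())
```

Write the generated text to the file named in the zone stanza, reload BIND, and confirm with `dig @127.0.0.1 use-application-dns.net` that the header shows status: NXDOMAIN; an answer of NOERROR with an address means the response-policy option is not active for that view.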
