Looks like Google wants in on the game with Chrome too. https://support.google.com/chrome/a/thread/10152459?hl=en
Chrome Browser Enterprise, 7/18/19: DNS-over-HTTPS Setting

Hi all,

This is a heads up about our short term plans for DNS over HTTPS in Chrome (design doc <https://docs.google.com/document/d/1D70Ye_bIaitFlrF3A7p_8QX9xY0YbV_ytQcQwm-7LGU/edit?usp=sharing>) - please feel free to provide your comments there or on this blog post.

DNS over HTTPS is, as the name implies, a protocol to perform Domain Name System resolution over HTTPS, i.e. converting a site name into an IP address over an encrypted channel.

*Motivation*

Most DNS resolution today occurs over an unencrypted channel. This is bad for privacy and for security reasons. Anyone who is on-path can eavesdrop on your browsing habits or even tamper with the resolution to have you navigate to a phishing website or an "access blocked" page for censored sites (see https://tools.ietf.org/html/rfc7626#section-3 for examples). This is a complex space and our short term plans won't necessarily solve or mitigate all these issues but are nevertheless steps in the right direction.

On Mon, Sep 9, 2019 at 10:09 PM Jason Healy <[email protected]> wrote:
> For those that use pihole for DNS level filtering, there was a pull
> request merged 2 days ago to return an NXDOMAIN for this request.
>
> https://github.com/pi-hole/pi-hole/pull/2915
>
> On 2019-09-09 20:55, Andy Bradford wrote:
> > Thus said Michael Torrie on Mon, 09 Sep 2019 20:45:54 -0600:
> >
> >> I'm pretty sure that if Firefox is trying DoH and it fails for
> >> whatever reason, it will fall back to normal DNS. On Slashdot several
> >> folk talked about blocking the Cloudflare DNS servers' IP addresses.
> >
> > Yes, according to their wiki, it will blacklist domains that fail to
> > resolve via DoH for a period of time and use normal DNS resolver.
> >
> >> Currently they are getting a lot of flack over this move to enable DoH
> >> by default, so we'll have to see if they bow to pressure and reverse
> >> this.
> >
> > I've already changed network.trr.mode to 5 on all of my Firefox profiles
> > that I can at the moment.
> >
> > There's one question I have... in the network.trr.confirmationNS there
> > is example.com---I wonder if I need to block this as well:
> >
> > https://wiki.mozilla.org/Trusted_Recursive_Resolver
> >
> > Of course, these are the current defaults and I wonder if I don't alter
> > the defaults if Mozilla will assume that it's alright to modify the
> > default and thus undo any blocking I might have made.
> >
> > Andy
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
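As an added example for this thread (not code from PLUG, Mozilla or pi-hole), a small Python audit that reads a Firefox prefs.js/user.js and reports the network.trr.mode / network.trr.confirmationNS settings Andy mentions, so an admin running DNS-level filtering can see which profiles still send lookups over DoH; the mode meanings are taken from Mozilla's TRR wiki page linked above, and the sample profile is constructed.

```python
"""Audit a Firefox prefs.js/user.js for Trusted Recursive Resolver (DoH) settings."""
import re

# Meaning of network.trr.mode values, as documented on Mozilla's TRR wiki page.
TRR_MODES = {
    0: "off (default): native DNS only",
    1: "race native DNS against DoH, first answer wins",
    2: "DoH first, fall back to native DNS on failure",
    3: "DoH only, no native fallback",
    4: "shadow: DoH queried for timing only, native answer used",
    5: "off by explicit user choice",
}
# One user_pref("name", value); line, where value is a JS literal.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);')

# Constructed sample profile, not captured from a real machine.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 5);
user_pref("network.trr.confirmationNS", "example.com");
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
"""

def parse_prefs(text):
    """Return {name: value} for every user_pref() line, converting JS literals."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs

def audit_trr(prefs):
    """Summarise DoH posture; an absent mode means the browser default (0)."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown value"),
        "resolver_uri": prefs.get("network.trr.uri"),
        "confirmation_ns": prefs.get("network.trr.confirmationNS"),
        # Modes 1-3 send real lookups over DoH, so a local DNS-level
        # filter such as a Pi-hole no longer sees those queries.
        "local_dns_filter_bypassed": mode in (1, 2, 3),
        # Only 5 records a deliberate opt-out rather than the shipped default.
        "explicitly_opted_out": mode == 5,
    }
```

Point `parse_prefs` at the contents of each profile's prefs.js (or user.js) and feed the result to `audit_trr` to list profiles where the mode is absent and therefore follows whatever default a future Firefox release ships.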
