
Support forum

Why is DNS-over-HTTPs not being disabled when I have the canary domain set to return status NXDOMAIN?

Posted

I'm trying to disable DNS-over-HTTPs on my home network so my Pi Hole acts as my DNS server for Firefox while at home. I've configured it to treat the canary domain use-application-dns.net as if it doesn't exist. If I try to open that site in a different browser it says the server can't be found, and if I do a DNS lookup for it it confirms that my system gets NXDOMAIN for that domain name:

$ host -t ns use-application-dns.net
Host use-application-dns.net not found: 3(NXDOMAIN)

However Firefox continues to use DNS-over-HTTPs. Is there somewhere to find a log that shows when Firefox looks up that hostname to see if it's actually performing the check?

Environment:

Firefox 73.0 64-bit

macOS 10.15.3


Modified by trolley
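To confirm the network-side signal the way the `host` command above does, here is an added example (not from the thread) that sends a raw DNS query for the canary domain to a resolver and reports whether the answer is NXDOMAIN. The resolver address is a placeholder for your Pi-hole, and the sample response bytes are constructed so the parser can be exercised offline.

```python
import socket
import struct

CANARY = "use-application-dns.net"
NXDOMAIN = 3  # DNS RCODE meaning "this name does not exist"
TXID = 0x1234  # fixed transaction id, fine for a one-off check


def build_query(name: str, txid: int = TXID, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RD=1, QCLASS=IN, qtype 1 = A) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_rcode(response: bytes, expected_txid: int = TXID) -> int:
    """Return the RCODE from a DNS response header after sanity-checking it."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack(">HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not our reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return flags & 0x000F


def canary_signals_no_doh(resolver_ip: str, timeout: float = 2.0) -> bool:
    """Ask `resolver_ip` for the canary domain; True only if it answers NXDOMAIN."""
    query = build_query(CANARY)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_rcode(data) == NXDOMAIN


# Constructed sample reply: id 0x1234, flags 0x8183 (QR=1, RD=1, RA=1, RCODE=3),
# the question echoed back, no answer records: the minimal NXDOMAIN shape.
SAMPLE_NXDOMAIN = (struct.pack(">HHHHHH", TXID, 0x8183, 1, 0, 0, 0)
                   + build_query(CANARY)[12:])

if __name__ == "__main__":
    print("sample reply is NXDOMAIN:", parse_rcode(SAMPLE_NXDOMAIN) == NXDOMAIN)
    # Live check against a placeholder resolver address (replace with your Pi-hole):
    # print("network signals no-DoH:", canary_signals_no_doh("192.0.2.53"))
```

A resolver that answers NXDOMAIN here only tells you what the network signals; as the rest of the thread establishes, Firefox ignores that signal when DoH was enabled manually.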

Chosen solution

I found the answer, and it confirms the Reddit post. From Configuring Networks to Disable DNS over HTTPS:

If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.

I had manually turned the feature on since I am not in the US, so my canary domain was ignored.


Additional system details

Installed plug-ins

  • Shockwave Flash 32.0 r0

Application

  • User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0


jscher2000
  • Top 10 Contributor
8876 solutions 72625 answers
Posted

Hi trolley, it sounds as though you have done what the support article describes:

Canary domain - use-application-dns.net

The internal page about:networking has a DNS section that shows the results of requests Firefox has made, and whether they were resolved via DoH (TRR = true). They aren't time-stamped, but you can see the remaining time before the cached entry expires.

There's also a DNS Lookup tool, for what it's worth.


What is your setting here:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.

(2) In the search box above the list, type or paste TRR and pause while the list is filtered

(3) What is the value of the network.trr.mode preference?


Question owner

Thank you for your response @jscher2000.

To answer your questions:

All entries in the TRR column are true.

network.trr.mode is: 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.


Question owner

I found an interesting post on Reddit that says this won't actually disable DOH, but I can't find reference to this claim anywhere on the Mozilla site:

Creating this DNS record does not disable DoH functionality.

It merely prevents the functionality from being automatically turned on by Firefox.

Even with this DNS record in place, users are still able to manually enable the feature and enter a custom ip-based DoH resolver.

To completely disable DoH in Firefox, please download the Firefox enterprise ADMX files and use these to configure DoH as OFF and enable the option to prevent users from changing setting.

jscher2000
  • Top 10 Contributor
8876 solutions 72625 answers
Posted

Helpful reply

Hmm, I think that check has not been implemented yet. According to the main support article:

Networks can signal to Firefox that there are special features such as these in place that would be disabled if DoH were used for domain name resolution. Checking for this signaling will be implemented in Firefox when DoH is enabled by default for users. This will first happen for users in the United States in the Fall of 2019. If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored.

Ref. Configuring Networks to Disable DNS over HTTPS


When I search in the source code, the canary domain only appears in an add-on called "DoH Roll-Out" (name may differ depending on locale) as one of the checks performed in the heuristics.js file. The extension appears to be waiting for a preference to be set before running; the code in background.js seems to require this:

doh-rollout.enabled => true

https://dxr.mozilla.org/mozilla-release/source/browser/extensions/doh-rollout

I don't know whether that has reached you; it hasn't been set on mine.

What this suggests, though, is that in the short run, the canary domain isn't useful for overriding DoH manually turned on by the user, but only DoH turned on by Firefox itself.

There are probably some wiki documents spelling out the fuller plan. Somewhere!

jscher2000
  • Top 10 Contributor
8876 solutions 72625 answers
Posted

Helpful reply

Oh, you found that, too.



Question owner

jscher2000 said

Oh, you found that, too.

I did, but thanks very much for your assistance.
