Canary domain - | Administration

Canary domain -

To signal that their local DNS resolver implements special features that make the network unsuitable for DoH, network administrators may configure their networks to modify DNS requests for the following special-purpose domain called a canary domain:

Firefox will attempt to resolve this domain using the DNS server(s) configured in the operating system of the device, and examine the result. The result will be considered negative if:

  • A response code other than NOERROR is returned, such as NXDOMAIN (non-existent domain) or SERVFAIL
  • A NOERROR response code is returned, but contains neither A nor AAAA records

The result will be considered positive if:

  • The query completes with NOERROR and contains A or AAAA records (or both)

A negative result will be a signal to disable application DNS, i.e. DoH.

The use of this domain is specified by Mozilla, as a limited-time measure until a method for signaling the presence of DNS-based content filtering is defined and adopted by an Internet standards body.

Note: Some existing DNS filtering providers implement similar domains for users to verify that filtering is working. This canary domain differs by being intended to be checked by software such as Firefox, rather than checked explicitly by the user, and by working across filtering providers.
Was this article helpful?

Please wait...

// These fine people helped write this article:Joni. You can help too - find out how.

Last Update: 2019-09-19

Get support for another platform:
Customize this article